Hi all -
Although health issues have kept me inactive for most of the last year, I'm disturbed to hear that the response to what are apparently serious enough security problems (enough to call it a 'significant attack vector') is to put into place a temporary fix that will fix some (but not all) of the security holes, and then to assign an intern to make the WikiEdu dashboard fit for international use, with tentative - but not firm plans - to get it done by the next school year through an internship program. I've known and been friends with some tech interns in past years, but I don't think it's appropriate to task an as-of-yet unknown intern with as-of-yet unknown skills with a project of this importance. Keep in mind that although the WikiEdu dashboard is actively being used, the education extension is also actively being used on many wikis still, including ENWP, our largest single project.
We should be planning to either fix all security holes in the current education extension that we are aware of as quickly as possible, or hire additional engineering staff or contractors to create an alternative to the education extension that replicates its functionality and is security vetted as soon as humanly possible. The education programs have made significant and growing contributions across many languages - it's not an acceptable outcome to leave them without a comparable tool. It's also not an acceptable outcome to leave in place a 'significant attack vector' on all wikis that have the extension installed - which include our biggest wiki, ENWP.
It's not an acceptable solution for a website as large as ours to leave in place an extension described as a 'significant attack vector' (even if the upcoming changes reduce the risk associated with it), and equally, it's not an acceptable alternative to leave everyone who relies on the alternative high and dry, particularly with no guarantee that a tool or replacement tool with the same functionality will be available to them in future semesters. This is not an issue of lack of resources - although I totally believe the current WMF engineering department lacks the bandwidth to handle this project at the moment, there are skilled MediaWiki programmers who could be brought on board on temporary contract to either fix more fully the current extension, or write a new extension from scratch and then have it security audited (there are people who do not currently work for WMF who are perfectly capable of performing initial security audits to the point that the burden on WMF's final security auditors would be minimal).
We're not a movement that lacks in resources. We have consistently increased our fundraising ability year over year - and in the most recent financial plan are starting an endowment with 5mm and reserves that at no point dip under 59mm and have a year end goal of over 71mm. One reason to have reserves is in the case that our fundraising ability suddenly begins to fall - but that's not their only use, unexpected but necessary expenditures can also rightfully draw on the reserve. We have the money to bring in experienced devs, even if on temporary contracts, to fix this the right way. Why is the use of outside talent beyond an intern not being considered if this is too big a project for the current team to handle internally? I'm tempted to cc wikimedia-l on this, since security holes on our biggest sites affect more than just the education community.
Best, Kevin Gorman
On Tue, Sep 29, 2015 at 11:51 AM, Floor Koudijs fkoudijs@wikimedia.org wrote:
Thank you to Shani, Vojtech and Derek indicating your ideas around a long-term solution for the current Education Extension. I could not agree with you more and I am happy that you would like to be involved.
My current understanding is that unfortunately our Engineering team does not have the capacity to build and maintain a tool that can replace the Education Extension. That means we will have to think creatively about how to solve this problem, and that's what we are trying to do.
The option that we are currently considering (and I cannot yet guarantee a timeline or anything like that because we're in the middle of the planning phase) is adapting the Wiki Ed Foundation's Dashboard to make it fit for international use. See the Phabricator task here, and the related Phabricator project. We would like to make this a feature project for the next round of Outreachy, which means that we'll have a dedicated intern to work on this project full time for three months, with the support of two mentors. If this works out as I hope it will, we may have something ready before the next academic year - but again, no hard guarantees here. I am currently working on getting the project shaped up, looking into mentors and confirming with possible interns.
Two important points that were addressed in this thread:
- Have community involvement early on. I really love this idea, and I'm very grateful you're bringing this up and keep reminding us not to forget about that. What I'd personally love to see is a group that can be involved in advice, user testing and anything else on the user end that we may need. I'm copying Quim Gil on this email to see if this fits within the scope of Outreachy, as he may have some ideas around how to organize this best. We would have to be careful not to derail the project with too ambitious ideas and suggestions, and focusing on attainable and concrete tasks for the intern to work on. That said, having several minds involved in this with different backgrounds could be hugely valuable, in my opinion.
- Think about maintenance. This is what I'm currently looking into, since it's clear that the issue is not so much developing new tools, but also looking ahead and making sure there will be ongoing support for these tools. That's a longer discussion that will take place in parallel to the development of the tool itself. This may not sound reassuring, but please trust that it's foremost in all of our minds at WMF - we already have enough tools out there that don't get the proper support, and we really don't want to build more.
If for some reason the Outreachy plan does not work out, I have some ideas about what to do next, but these ideas are not well formed enough to discuss them right now. I would be happy to discuss this further if that becomes appropriate.
Vojtech, as to your point about communicating with the communities about future deployments: you are right. This all happened last week and as I was looking into it, I didn't think this would immediately affect many communities. I was also hoping a fix would be in place soon so we could continue deploying as requested, and the stall may be for only a week or so. I may have underestimated the impact on the communities, especially given the activity coming out of the CEE meeting. I apologize for that. If you feel further communication (outside of this thread) is warranted, I look forward to hearing your suggestions as to where & who it should be focused on, to make sure we are not overlooking any interested parties.
Thank you all for your passionate dedication to the Education Program and advocating for the tools we need. It is much appreciated!
Warmly,
Floor Koudijs
Senior Manager, Wikipedia Education Program
Wikimedia Foundation
+1.415.839.6885 x6806 (landline)
+1.415.692.5289 (cell phone)
fkoudijs@wikimedia.org
education.wikimedia.org
On Tue, Sep 29, 2015 at 2:34 AM, Derek V. Giroulle - WMBE derekvgiroulle@wikimedia.be wrote:
Although I understand, I do agree with Shani and Vojtech
derek
On 29-09-15 10:45, Shani wrote:
Thanks, Vojtěch. Resending this with James CCed (for some reason he was omitted from the thread).
Shani.
On 29 Sep 2015 11:43, "Vojtěch Dostál" vojtech.dostal@wikimedia.cz wrote:
I am with Shani on this. After WMF stopped the technical support of the extension, the old bugs remained unsolved and new [even more dangerous] ones were found. Education programs run in 70 countries worldwide and an increasing number of countries wants to employ the extension to keep track of their increasing number of students. This should be a high-priority thing for the foundation, given the importance of education programs in promoting and improving Wikipedia. The current extension should get a person responsible for developing it and fixing bugs ASAP; otherwise it is a waste of money and resources for both WMF and local communities which want to run education programs efficiently.
This doesn't mean that a new Extension cannot be a solution in the long-term. A realistic guess is that it wouldn't be ready within the next year, though. The decision should be discussed with the Wikimedia Education community and, best, coordinated by people from the Education Collab. We are a group of volunteers who often use the extension and recommend it to other program leaders. We should get regular updates on the situation so that we stay up-to-date and can inform others of the situation. The information that Education extension is not to be deployed on any new wiki was not announced at all. I understand you might not want to go into detail for security reasons, but the information itself should have been announced.
Thank you for taking the situation seriously.
Vojtěch Dostál
předseda rady / chairman of the board Wikimedia Česká republika / Wikimedia Czech Republic http://www.wikimedia.cz Facebook | Twitter | Newsletter
2015-09-29 2:32 GMT+02:00 Shani shani.even@gmail.com:
James,
After reading your reply to Craig, it is important for me to make sure that members of the Wiki-EDU community are part of the discussion of exploring other tools.
This affects all of our work and some of us have put hours and hours of volunteer work into working with it and developing teaching practices with it.
While this tool has never been perfect, it's all we have. And while for you this issue might be just another technical glitch that needs fixing, for me, and for other educators, it's our wiki (and academic) life. It matters and we care.
Since we are the ones with the practical experience working with the extension thus far, and know best what's working well, what's not, what's missing, etc., I believe it would be beneficial for all parties to make sure this experience does not go to waste.
I understand the complexity of working on something like this with too many people. So may I suggest a task force with reps. from the education team as well as volunteers with hands-on experience?
Just to be clear, I'm not trying to step on any toes here; just want to make sure the community's interests are part of the discussion and decisions that affect our day-to-day are not taken without considering us.
Sincerely, Shani.
On Tue, Sep 29, 2015 at 3:04 AM, James Alexander jalexander@wikimedia.org wrote:
Hey Craig,
We're hoping to get the stop-gap in place within the week. Longer term... it's difficult to say. It's deep enough that we're not entirely sure we can 'fix' the extension but will look into that in addition to other options and other tools.
James Alexander Manager Trust & Safety Wikimedia Foundation (415) 839-6885 x6716 @jamesofur
On Mon, Sep 28, 2015 at 4:52 PM, Craig Franklin craig.franklin@wikimedia.org.au wrote:
Hi Floor,
Is there any ETA on when we can expect this remedial work to be completed?
Regards, Craig Franklin
2015-09-29 8:09 GMT+10:00 Floor Koudijs fkoudijs@wikimedia.org:
> Dear Filip,
>
> I am so very sorry to hear about these frustrations with the deployment of the Education Extension. The problem is that there have been recent security issues with the extension. Engineering and our Trust & Safety department are working on some stop gaps to allow the extension to remain in place (and likely be deployed) while we determine what to do with the recent security issues.
>
> Please rest assured that we are working hard both on keeping the Education Extension going, and on thinking about a better tool to replace it for the future.
>
> Feel free to follow up if you have any further questions. I've cc-ed James Alexander here.
>
> Best,
> Floor Koudijs
> Senior Manager, Wikipedia Education Program
> Wikimedia Foundation
> +1.415.839.6885 x6806 (landline)
> +1.415.692.5289 (cell phone)
> fkoudijs@wikimedia.org
> education.wikimedia.org
>
> On Mon, Sep 28, 2015 at 11:14 AM, Filip Maljkovic dungodung@gmail.com wrote:
>> Hello everyone,
>>
>> Recently, a security issue has been found with Education extension. As a result, new requests for installing the extension on Wikimedia wikis are being "stalled", i.e. blocked for an indeterminate period. Can someone from the Foundation comment on this? I don't see why we shouldn't install the extension to more wikis, if the current installations are still working as-is (i.e. they're not being uninstalled because of the security issue, as far as I know).
>>
>> While it might be a long shot, is it possible to influence this decision somehow?
>>
>> I feel thoroughly disappointed, having held community discussion and vote, and then waiting for a month (!) for no apparent reason, just to be outright told that it's unlikely to happen anytime soon. [1]
>>
>> [1] https://phabricator.wikimedia.org/T110619
>>
>> Cheers,
>> Filip Maljković
>> Wikimedia Serbia
>>
>> _______________________________________________
>> Education mailing list
>> Education@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/education
-- Kind regards, Derek V. Giroulle Wikimedia Belgium vzw. Boardmember Troonstraat 51, BE-1050 Brussels +32 494 134134