[Foundation-l] Internal wiki(s) and confidential committee communications

Erik Moeller erik_moeller at gmx.de
Sun Feb 5 08:08:42 UTC 2006


Brion-

you raise excellent technical points. Of course, there are also security 
issues with the existing implementation, such as file uploads, which are 
openly accessible (don't know if they have been specially secured on 
internal).

The fact that people keep asking for better access control functionality 
may be a good reason to start thinking seriously about it, and it seems 
to me that namespaces provide the best existing structural element for 
this. They are relatively easily checked against, and already basically 
considered by lots of special pages, including search.

Yes, it's going to be a PITA to make sure the system is secure in all 
places. Since we will also start out with a smaller number of people 
initially, the gradual implementation approach could be one with a 
fairly steady risk. Also don't forget that it's always possible to 
resort to hacks, such as simply starting out with two-level 
functionality, where most special pages are entirely unavailable to 
people who have only limited namespace access.

There are always different levels of confidentiality. If we're about to 
sign a major deal with a major company, the terms of that deal being 
leaked prematurely could kill it, and cost the foundation hundreds of 
thousands of dollars. If we're working on a confidential response to an 
accusation of libel in Wikipedia, said response being leaked would be 
embarrassing and potentially cause minor legal issues, but not nearly as 
bad.

If there are different levels of confidentiality, then it follows 
logically that it makes sense to have different levels of trust, and 
therefore different levels of access to information, because otherwise 
your only option will be to go with the lowest common denominator. We do 
not, for example, say that you either have full access to the servers, 
or you don't have access at all. We have the toolserver, we have shell 
access, we have root database access, and we have full root access.

It's not just about trust - it's also about competence and willingness 
to do work in certain areas. Ultimately, why should someone who only 
ever handles libel cases as part of some subcommittee need to know about 
confidential deals which are being negotiated? It creates only risk and 
no benefit.

The only remaining question then is whether it is easier and more 
practical to have multiple confidential places (from which information 
will have to be aggregated), or to modify our software to allow multiple 
levels of access in a single installation. I would argue that a gradual 
implementation of the latter strategy is more promising and scalable in 
the long run. However, if you say that it cannot be done, it is pretty 
much a no-go.

Erik
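A small model of the two-level, namespace-based scheme discussed above, as an added illustration rather than code from MediaWiki or from this thread. Namespace ids, page data and user names are constructed; the point it shows is that one `can_read` check has to sit behind every retrieval path (page view, search, file listing), and that limited users lose special pages entirely, as the post's "hack" suggests.

```python
# Added example, not MediaWiki code: per-namespace read access with two trust
# levels. Every path that can return page content goes through can_read().
from dataclasses import dataclass

# Constructed namespace ids (low ids mirror MediaWiki's convention; 100+ are
# hypothetical restricted namespaces for the two confidentiality levels).
NS_MAIN, NS_PROJECT = 0, 4
NS_LEGAL, NS_DEALS = 100, 102

@dataclass(frozen=True)
class Page:
    ns: int
    title: str
    text: str
    files: tuple = ()          # constructed: uploads attached to this page

@dataclass(frozen=True)
class User:
    name: str
    namespaces: frozenset      # namespaces this user may read
    full_access: bool = False  # only full users may use special pages

def can_read(user: User, page: Page) -> bool:
    """The single authoritative check: deny unless the namespace is granted."""
    return page.ns in user.namespaces

def view(user: User, page: Page) -> str:
    if not can_read(user, page):
        raise PermissionError(f"{user.name} may not read {page.title!r}")
    return page.text

def search(user: User, pages: list, term: str) -> list:
    """Search is a special page: unavailable to limited users, and even for
    full users its results are filtered through the same check."""
    if not user.full_access:
        raise PermissionError("special pages are unavailable to limited users")
    return [p.title for p in pages if term in p.text and can_read(user, p)]

def list_files(user: User, pages: list) -> list:
    """Uploads are only reachable via pages the user may read (the post notes
    that openly accessible uploads would otherwise bypass page-level checks)."""
    return sorted(f for p in pages if can_read(user, p) for f in p.files)

def denied(fn, *args) -> bool:
    """True if the call fails closed with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

# Constructed sample data: a public page plus one page per restricted level.
PAGES = [Page(NS_MAIN, "Main Page", "public notes"),
         Page(NS_DEALS, "Acme deal", "secret terms", ("contract.pdf",)),
         Page(NS_LEGAL, "Libel case", "draft response")]
FULL = User("board", frozenset({NS_MAIN, NS_PROJECT, NS_LEGAL, NS_DEALS}), True)
LEGAL_ONLY = User("libel-subcommittee", frozenset({NS_MAIN, NS_LEGAL}))
```

Running it, the libel-only user can view the libel draft but is denied the deal page, sees no attached contract file, and cannot use search at all; the full user's search still only returns pages that pass `can_read`.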
