On Fri, Jun 3, 2016 at 5:40 AM, Fæ faewik@gmail.com wrote:
For anyone unaware, in 2014 I created a bot task to maintain a page on Meta[1] showing the special Wikimedia Projects rights being allocated to WMF employees and contractors, without following normal community processes. The bot mirrors data from a Google Spreadsheet maintained by the WMF. Back in 2014, this was praised as a positive move forward by the WMF in applying our joint commitment to transparency.
Unfortunately the spreadsheet appeared to drop off the radar last year and fell into disuse, only being updated after public complaint. The spreadsheet has not been updated since November 2015 (over six months ago), includes staff who have now left and presumably excludes several recent changes to employee rights.
While the recording is still being done it's clear the mirroring broke. I'll go make sure it's up to date and mirrored correctly so that can be updated over the course of today.
Could the WMF please make a positive policy decision to ensure the open publication of special project rights for its employees becomes a required part of the procedure, and business as normal?
This quarter we've been putting together a more organized policy on our staff rights so that they can be expanded to allow for rights to be granted by someone other then just me which is an obvious bus factor and encourages transparency and openness to slip through the cracks in favor of efficiency and speed. That said we have certainly not been making any direct attempt to hide changes or be less transparent about it.
Recently, for example, we created a meta specific 'local' right for the Support and Safety team https://meta.wikimedia.org/wiki/Meta:WMF_Support_and_Safety (creating that page before it was launched) which was a direct response to Steward requests (and others) to ensure we had global actions such as account locks, global blocks, user rights changes etc centralized on meta rather then spread out over 900+ wikis where there was no oversight from volunteers for those actions. It also allowed us to remove all of those rights from the global 'staff' right because others there didn't need them. (which leads to below)
Failing this,
if rights are to continue to be allocated behind closed doors, with some rights being allocated for just a few days at a time so never appearing on this spreadsheet, can the rationale for managing project rights this way please be explained to the wider community so that we might be allowed the opportunity to ask basic questions.
In general our goal is to ensure staff have the rights they need to do their job (whether that's testing a bug, carrying out office actions and legal process, protecting setting up grant processes and fundraising banners or something more unique). We also strive to reduce the attack vector as much as possible, as much as possible staff shouldn't have rights they 'don't' need to do their job and they shouldn't have rights much longer then they actually need them. Because of this I think short term rights (and occasionally unique rights) are useful tools to ensure that staff can do their job while remaining with as little access as possible. In the past everyone having one giant 'all rights staff group' made some sense but at the size the WMF is now I'm not sure it does.
James Alexander Manager Trust & Safety Wikimedia Foundation