On Fri, Jun 3, 2016 at 5:40 AM, Fæ <faewik(a)gmail.com> wrote:
> For anyone unaware, in 2014 I created a bot task to maintain a page on
> Meta[1] showing the special Wikimedia Projects rights being allocated
> to WMF employees and contractors, without following normal community
> processes. The bot mirrors data from a Google Spreadsheet maintained
> by the WMF. Back in 2014, this was praised as a positive move forward
> by the WMF in applying our joint commitment to transparency.
> Unfortunately the spreadsheet appeared to drop off the radar last year
> and fell into disuse, only being updated after public complaint. The
> spreadsheet has not been updated since November 2015 (over six months
> ago), includes staff who have now left and presumably excludes several
> recent changes to employee rights.
While the recording is still being done it's clear the mirroring broke.
I'll go make sure it's up to date and mirrored correctly so that can be
updated over the course of today.
> Could the WMF please make a positive policy decision to ensure the
> open publication of special project rights for its employees becomes a
> required part of the procedure, and business as normal?
This quarter we've been putting together a more organized policy on our
staff rights so that they can be expanded to allow for rights to be granted
by someone other than just me which is an obvious bus factor and encourages
transparency and openness to slip through the cracks in favor of efficiency
and speed. That said we have certainly not been making any direct attempt
to hide changes or be less transparent about it.
Recently, for example, we created a meta specific 'local' right for the
Support and Safety team
<https://meta.wikimedia.org/wiki/Meta:WMF_Support_and_Safety> (creating
that page before it was launched) which was a direct response to Steward
requests (and others) to ensure we had global actions such as account
locks, global blocks, user rights changes etc centralized on meta rather
than spread out over 900+ wikis where there was no oversight from
volunteers for those actions. It also allowed us to remove all of those
rights from the global 'staff' right because others there didn't need them.
(which leads to below)
> Failing this, if rights are to continue to be allocated behind closed
> doors, with some rights being allocated for just a few days at a time
> so never appearing on this spreadsheet, can the rationale for managing
> project rights this way please be explained to the wider community so
> that we might be allowed the opportunity to ask basic questions.
In general our goal is to ensure staff have the rights they need to do
their job (whether that's testing a bug, carrying out office actions and
legal process, protecting setting up grant processes and fundraising
banners or something more unique). We also strive to reduce the attack
vector as much as possible, as much as possible staff shouldn't have rights
they 'don't' need to do their job and they shouldn't have rights much
longer than they actually need them. Because of this I think short term
rights (and occasionally unique rights) are useful tools to ensure that
staff can do their job while remaining with as little access as possible.
In the past everyone having one giant 'all rights staff group' made some
sense but at the size the WMF is now I'm not sure it does.
James Alexander
Manager
Trust & Safety
Wikimedia Foundation