On Tue, Sep 4, 2012 at 9:26 AM, Mr. Gregory Varnum gregory.varnum@gmail.com wrote:
I use and like this extension. I know many others do as well. This debate over its value to some and security is interesting (well - not really) but aside from the point of this thread.
Should the widgets be housed on MW.org rather than an outside site? Given their wide usage and the preference towards all things MW being on MW.org, I think they absolutely should and fully support that idea.
Don't like the extension? Don't use it. For those of us that do, this move would be very helpful. Arguing about the merits of the extension vs the value of moving its components seems irrelevant. It's widely used enough and arguing about it is unlikely to change that. Unless we're suddenly worried about storage space on MW.org this seems like it should be more about how than why.
I would propose subpages to the main extension page.
-Greg aka varnent
Sent from my iPhone. Apologies for any typos. A more detailed response may be sent later.
On Sep 4, 2012, at 8:11 AM, Jeroen De Dauw jeroendedauw@gmail.com wrote:
Hey,
The essential problem is that people can't get stuff through the gatekeepers, so they come up with a workaround. Noting that the workaround is insecure and saying "just don't do that" doesn't solve the original need and won't help security. It's not clear to me what will, but the gatekeeping is an obvious start.
I don't think this extension really affects this. It is the same as having widgets implemented as extensions in that:
- They can only be enabled by administrative people
- They can be obtained from verified sources or from non-trusted ones
Widgets are inferior in that:
- An attacker compromising an admin account can put in arbitrary JS code
Widgets are superior in that:
- They cannot create PHP vulnerabilities
- Changes can be kept track of on-wiki
- The source is clearly visible to wiki users, increasing the scrutiny of the code
- They are easier to deploy for most people
- They encourage more collaboration compared to the tons of low quality and unmaintained single widget extensions
It seems to me that this extension does not lose on security compared to regular extensions at all, and that it offers quite a few benefits for the kind of functionality it is intended to be used for.
The problem with creating a new system that has no gatekeepers is that it encourages people who have no business writing code to end up doing so.
This system has as much gatekeeping as regular extensions do. I think several people are making assumptions here without having had a decent look at the extension.
Cheers
--
Jeroen De Dauw
http://www.bn2vs.com
Don't panic. Don't be evil.
--
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Does MediaWikiWiki really need any more shitty/insecure addons that no one is going to maintain? I think we have enough already.
Pick out the best of the bunch and nuke the rest.