On Aug 20, 2013, at 12:57 PM, Brion Vibber bvibber@wikimedia.org wrote:
> IMO it's simply unacceptable to leak authentication tokens or account passwords in cleartext; allowing any form of login over HTTP is dinosaur behavior and we'd be crazy to let it continue, whether for "some sites" only or all. We should require HTTPS for all logins on all sites in all languages all the time.
This is a defensible position.
That is not my point.
It appears that the ops team is about to kick anyone who is unfortunate enough to live in the wrong countries off the projects, without a clue what happened or obvious fallback they will realize. Without publicity or explanation or an HTTP landing pad that explains.
This magnitude of change is political, not purely technical/operational. And demands both notification and a fallback that users will be reasonably able to grasp.
Again, this is still a little fuzzy as to the impact. But it seems like we dump China users of en.wp without warning or immediately obvious workaround. And if that's right, the ops team should not do this. It needs wider warnings and discussion, and is not an ops decision to make.
Sent from Kangphone