On Wed, Nov 6, 2013 at 7:38 AM, Rob Lanphier <robla(a)wikimedia.org> wrote:
On Wed, Nov 6, 2013 at 5:24 AM, MZMcBride
<z(a)mzmcbride.com> wrote:
Our Bugzilla installation at
<https://bugs.wikimedia.org/> currently
restricts the capabilities of new users as a knee-jerk response to prior
Bugzilla-related vandalism. There are further details at
<https://bugzilla.wikimedia.org/40497>.
As I recall, Mark Hershberger and Ariel Glenn were the ones that dealt with
most of the aftermath of the attacks that we received that ultimately led
to it being turned off. It was not a knee jerk response. We temporarily
turned it off and turned it back on a few days later, only to have dozens
(hundreds?) of bugs altered in a way that was not easily reversed.
In consulting with the Bugzilla developers (I believe I may have sent a
public mail about this to their list), their answer was essentially that
Bugzilla was never designed for giving editbugs to untrusted users, and
that by doing so, we had what was coming to us.
We tried reversing it several times, and each time were rewarded with an
arduous cleanup task. We gave up trying after months. So, calling it
"kneejerk" is simply wrong. We had a determined vandal who may still be
among us, and will likely exploit whatever loophole we open up.
Increasingly new users are making manual requests to be assigned to bugs,
as they cannot edit others' bugs by default.
This is problematic and
disruptive to development efforts.
My suggestion is to re-add the "editbugs" user right to new users by
default (revert the old settings adjustment). Otherwise, an acceptable
workaround needs to be found.
I don't think we can pretend that the vandalism issue is solved, because it
isn't. Bugzilla doesn't have the vandalism fighting tools that MediaWiki
does.
We can certainly do something different than what we're doing, though. It
should be easy to get editbugs; just not so easy that a vandal can get it.
Anyone have any ideas how to mitigate the vandalism problem?
How about we make editbugs self-granting? That is, if you've got editbugs
you can give it to others (like we did with Coder a few years ago). It works
pretty well, scales infinitely, and tends to protect itself against abuse.
If the vandal suddenly reappears, it's pretty easy to figure out who they
are
or who let them in at that point.
-Chad