I must also say that I am deeply uncomfortable with the username/password. No tool labs tool or project has any business collecting usernames and passwords unless it's a local tool login completely separate login from WMF wikis. If I am interpreting this incorrectly, I apologize.
That also goes without saying the collecting Access tokens of OAuth users is completely unacceptable too. Cyberpower678 English Wikipedia Account Creation Team ACC Mailing List Moderator Global User Renamer > On Mar 8, 2016, at 04:57, Merlijn van Deen (valhallasw) > <[email protected]> wrote: > > Hi Pine, > >> On 8 March 2016 at 09:11, Pine W <[email protected]> wrote: > >> Does "username/password combination for accounts created in Labs services" >> refer to service-specific Labs passwords rather than Wikimedia login >> credentials? > Yes. It refers to e.g. the username/password combination you use on > https://phab-01.wmflabs.org/ or http://en.wikipedia.beta.wmflabs.org. > Wikimetrics uses OAuth, so it will not get to know your credentials. > >> I'm deeply uncomfortable with the idea that someone who logs into a Labs >> account could have their IP made public, and it also seems to me that any >> Labs tool owners who capture the IPs of tool users should be required to >> pass a similar level of scrutiny as is applied to Checkusers. Is this >> something that I should bring up with James Alexander and/or Michelle >> Paulson? > > > someone who logs into a Labs account could have their IP made public > Wikitech itself falls within the WMF Privacy Policy, so creating a Labs > account (and logging in to Wikitech) will not share your IP with any > projects. > > Using web tools hosted on Labs could, however, and realistically there not > much we can do about it. For example, in the case of Tool Labs, we do not > pass the IP address of the user to the tool, but a malicious tool could load > an external resource and track users using that external resource. This means > we would need to require checkuser-level scrutiny for every labs user, which > would just mean people will host their tools off labs. The requirement to > show a warning when private information is logged (cf. > https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use#What_information_should_I_provide_to_users.3F > ) is a compromise. > > In practice, Labs projects should be considered the same as any external > resource: they might store private information. We just require labs project > to be clear about this in advance. > > Merlijn > _______________________________________________ > Labs-l mailing list > [email protected] > https://lists.wikimedia.org/mailman/listinfo/labs-l
_______________________________________________ Labs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/labs-l
