Re: [Wikitech-l] Key community metrics to influence our plans
On Tue, 20 Aug 2013 00:48:09 +0200, Rob Lanphier ro...@wikimedia.org wrote: I'm personally interested in the absolute size of the Gerrit change request queue, not in relation to anything else, but just as an absolute number (over time). When this number gets large, we should all probably be interested in the following: * Breakdown by age of changeset. * Breakdown by project family (e.g. MediaWiki core, Wikimedia deployed extensions, all MediaWiki extensions hosted in Gerrit). This already exists, by the way. https://www.mediawiki.org/wiki/Gerrit/Navigation#Reports -- Matma Rex ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] 1.22wmf13 rollout — rendering of mw-customeditbut ton
Do you mean the mwCustomEditButtons array? If so, then that doesn't work anymore per bug 47872, but there's a simple fix, see https://bugzilla.wikimedia.org/show_bug.cgi?id=47872#c15 -- Matma Rex ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Session cookie name
https://www.mediawiki.org/wiki/API:Login#Construct_cookies probably needs to be updated - perhaps by removing the 'Construct cookies manually' part entirely (since that sounds like asking for trouble!) -- Yuvi Panda T http://yuvi.in/blog ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Session cookie name
On Tue, Aug 20, 2013 at 6:57 PM, Yuvi Panda yuvipa...@gmail.com wrote: https://www.mediawiki.org/wiki/API:Login#Construct_cookies probably needs to be updated - perhaps by removing the 'Construct cookies manually' part entirely (since that sounds like asking for trouble!) Max already implemented that idea in the time it took me to write this, apparently :) https://www.mediawiki.org/w/index.php?title=API%3ALogindiff=767549oldid=675583 -- Yuvi Panda T http://yuvi.in/blog ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Marius Hoch concentrating on accessibility till 30 Sept
On Mon, 2013-08-19 at 17:56 -0400, Sumana Harihareswara wrote: At Wikimania I found out that Marius Hoch (hoo man) is contracting with Wikimedia Germany till September 30th and is specifically doing accessibility bugfixes. He says: I'm always open for suggestions and reviewers/ testers for my changes. So if you have a particular a11y pet peeve, or want to get his opinion on a change to https://www.mediawiki.org/wiki/Accessibility_guide_for_developers , now's a good time! On a related note, there are also numerous open bug reports with the accessibility keyword to choose from: https://bugzilla.wikimedia.org/buglist.cgi?keywords=accessibilityproduct=MediaWikiproduct=MediaWiki%20extensionsresolution=---order=priority,changeddate andre -- Andre Klapper | Wikimedia Bugwrangler http://blogs.gnome.org/aklapper/ ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
Tyler Romeo wrote: On Mon, Aug 19, 2013 at 9:32 PM, MZMcBride z...@mzmcbride.com wrote: My understanding from https://bugzilla.wikimedia.org/29898 is that as of August 20, 2013, there is now a user preference that can toggle HTTP/HTTPS as being required. This is similar to what Gmail and others do (default to HTTPS, allow it to be disabled via a user preference). I'm not totally sure how users will be able to reach their user preferences if they can't log in, though. Just to clarify a bit: this is a moot problem, because disabling HTTPS in your user preferences does *not* disable login over HTTPS. Once this is deployed, *all* logins (as in absolutely all of them on whatever projects it is enabled on) will be over HTTPS. I'm not sure that counts as moot. People incapable of using HTTPS will simply be locked out of their accounts indefinitely? How many users will this affect? I wonder if making it possible to toggle this user preference via e-mail would make sense. Wikimedia wikis are too large and too diverse to not expect that a certain percent of users won't be able to use HTTPS. I'd really like to avoid losing these users. Of course even a toggle by e-mail option still wouldn't solve the login issue. Hmmm. (And if the user preference isn't meant to serve those who can't use HTTPS, who is it intended to serve?) MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride z...@mzmcbride.com wrote: I'm not sure that counts as moot. People incapable of using HTTPS will simply be locked out of their accounts indefinitely? How many users will this affect? I wonder if making it possible to toggle this user preference via e-mail would make sense. Wikimedia wikis are too large and too diverse to not expect that a certain percent of users won't be able to use HTTPS. I'd really like to avoid losing these users. Of course even a toggle by e-mail option still wouldn't solve the login issue. Hmmm. (And if the user preference isn't meant to serve those who can't use HTTPS, who is it intended to serve?) My point is that it doesn't matter what your user preference is. Whether it's false or true, you still have to log in over HTTPS. In other words, the user preference has no effect on your ability to use the site. *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Key community metrics to influence our plans
On Mon, 2013-08-19 at 13:05 -0700, Quim Gil wrote: Out of code contributions, the only candidate to become a KPI that came to mind was the effectiveness responding to Bugzilla reports. Maybe you are right the priority of this one is higher than the age of code contributors. Thoughts? Refering to Bugzilla only: As listed on http://www.mediawiki.org/wiki/Talk:Community_metrics , I'd be interested in two things: Average time to resolve a ticket: Delta between creation of a report and setting the status RESOLVED. Preferably separately for real bugs and severity=enhancement. Might also make sense to have a specific one for setting the status RESOLVED resolution FIXED, to only cover code fixes. And average time to response to new tickets: Delta between creation of a report and any next change (setting priority, adding an initial comment, etc.) which is NOT done by the original reporter. If that's possible. All in all, the proposed metrics look really good to me, great work! Looking forward to seeing most of that implemented! andre -- Andre Klapper | Wikimedia Bugwrangler http://blogs.gnome.org/aklapper/ ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] FOSDEM: main tracks and developer rooms
FOSDEM will take place on 1 and 2 February 2014 in Brussels. Now it's the time to apply for DevRooms and main track sessions. https://fosdem.org/2014/news/2013-08-06-call-for-participation/ Key dates: 15 September * deadline for developer room proposals 1 October * deadline for main track proposals * accepted developer rooms announced I think Wikimedia needs FOSDEM and FOSDEM needs Wikimedia. We could mobilize European developers and tech-friendly chapters to work on a combined outreach action. First things first: proposing a Wiki DevRoom. What do you think? Note that it's Wiki, not just Wikimedia or MediaWiki. We should also brainstorm what are the best main track session candidates. -- Quim Gil Technical Contributor Coordinator @ Wikimedia Foundation http://www.mediawiki.org/wiki/User:Qgil ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] FOSDEM: main tracks and developer rooms
We've talked in the past about hosting a Wikimedia dev room or table for FOSDEM, but never got our acts together to apply. I think we should *totally* apply for a wiki devroom this year - FOSDEM is one of the best conferences I've ever been to, and especially given our wiki-representation in Europe, there are a million reasons why we should have a strong presence there. Let's do it! On Wed, Aug 21, 2013 at 1:00 AM, Quim Gil q...@wikimedia.org wrote: FOSDEM will take place on 1 and 2 February 2014 in Brussels. Now it's the time to apply for DevRooms and main track sessions. https://fosdem.org/2014/news/**2013-08-06-call-for-**participation/https://fosdem.org/2014/news/2013-08-06-call-for-participation/ Key dates: 15 September * deadline for developer room proposals 1 October * deadline for main track proposals * accepted developer rooms announced I think Wikimedia needs FOSDEM and FOSDEM needs Wikimedia. We could mobilize European developers and tech-friendly chapters to work on a combined outreach action. First things first: proposing a Wiki DevRoom. What do you think? Note that it's Wiki, not just Wikimedia or MediaWiki. We should also brainstorm what are the best main track session candidates. -- Quim Gil Technical Contributor Coordinator @ Wikimedia Foundation http://www.mediawiki.org/wiki/**User:Qgilhttp://www.mediawiki.org/wiki/User:Qgil __**_ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/**mailman/listinfo/wikitech-lhttps://lists.wikimedia.org/mailman/listinfo/wikitech-l -- Arthur Richards Software Engineer, Mobile [[User:Awjrichards]] IRC: awjr +1-415-839-6885 x6687 ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
quote name=Tyler Romeo date=2013-08-20 time=10:50:23 -0400 On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride z...@mzmcbride.com wrote: (And if the user preference isn't meant to serve those who can't use HTTPS, who is it intended to serve?) My point is that it doesn't matter what your user preference is. Whether it's false or true, you still have to log in over HTTPS. In other words, the user preference has no effect on your ability to use the site. One group of users that is always being forgotten in this discussion is the group who use Wikipedia over really crappy connections that aren't censoring them. These users will have a hard time using an SSL connection due to the added resources/round trips and have a legitimate non-China/NSA excuse to disable HTTPS after they login (where the added roundtrips are probably worthwhile to keep their username/password safe). Greg -- | Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E | | identi.ca: @gregA18D 1138 8E47 FAC8 1C7D | signature.asc Description: Digital signature ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Deployment highlights - week of August 19th
Thank you both, concise and clear. :) Even though they are just quick ephemeral updates they are useful so I've copied them to * https://www.mediawiki.org/wiki/Auth_systems/status#2013-08-20 and * https://www.mediawiki.org/wiki/Site_performance_and_architecture/status#2013-08-20 which appear to be the (only) pages where they fit. Nemo ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 1:12 PM, Greg Grossmeier g...@wikimedia.org wrote: One group of users that is always being forgotten in this discussion is the group who use Wikipedia over really crappy connections that aren't censoring them. These users will have a hard time using an SSL connection due to the added resources/round trips and have a legitimate non-China/NSA excuse to disable HTTPS after they login (where the added roundtrips are probably worthwhile to keep their username/password safe). Indeed, and in those case they just leave their HTTPS preference turned off (since the default is off anyway). *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] We need to talk about AbuseFilter on mobile
MZ brings up a good point. Do we have any idea what the reject rate is for Abusefilter on desktop? Also is there any way to view the edits that triggered AbuseFilter to get an idea bout what % of them were actually vandalism? On Mon, Aug 19, 2013 at 6:25 PM, MZMcBride z...@mzmcbride.com wrote: Jon Robson wrote: Between 31st July 2013 (00:00:00) and August 19th (@ 18:53:18)... 15089 of all mobile edits resulted in an error compared to 23455 successful edits (38544 edits in total)- that's a 39% error rate which is simply unacceptable. The breakdown of these errors is as follows. The most alarming is AbuseFilter - it is accounting for 72% of all editing errors, costing all of our projects a lot of edits. [stats] These numbers don't mean a whole lot (to me, at least) without a comparison to stats for non-mobile edits. We knew when the AbuseFilter was introduced that it wasn't always going to be used to filter only abuse. People naturally use it for all kinds of crazy purposes these days. Without a bit more context, it's difficult to know what's actually a problem (in relative terms). MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l -- Jon Robson http://jonrobson.me.uk @rakugojon ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] We need to talk about AbuseFilter on mobile
If you can figure out what abuse rule was triggered, you can look at all the hits on Special:AbuseLog. For example 'abusefilter-warning-all-categories-removed 668' is probably rule 132, so you can see that at https://en.wikipedia.org/w/index.php?title=Special:AbuseLogwpSearchFilter=132 On Tue, Aug 20, 2013 at 10:39 AM, Jon Robson jdlrob...@gmail.com wrote: MZ brings up a good point. Do we have any idea what the reject rate is for Abusefilter on desktop? Also is there any way to view the edits that triggered AbuseFilter to get an idea bout what % of them were actually vandalism? On Mon, Aug 19, 2013 at 6:25 PM, MZMcBride z...@mzmcbride.com wrote: Jon Robson wrote: Between 31st July 2013 (00:00:00) and August 19th (@ 18:53:18)... 15089 of all mobile edits resulted in an error compared to 23455 successful edits (38544 edits in total)- that's a 39% error rate which is simply unacceptable. The breakdown of these errors is as follows. The most alarming is AbuseFilter - it is accounting for 72% of all editing errors, costing all of our projects a lot of edits. [stats] These numbers don't mean a whole lot (to me, at least) without a comparison to stats for non-mobile edits. We knew when the AbuseFilter was introduced that it wasn't always going to be used to filter only abuse. People naturally use it for all kinds of crazy purposes these days. Without a bit more context, it's difficult to know what's actually a problem (in relative terms). MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l -- Jon Robson http://jonrobson.me.uk @rakugojon ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On 20 August 2013 13:12, Greg Grossmeier g...@wikimedia.org wrote: quote name=Tyler Romeo date=2013-08-20 time=10:50:23 -0400 On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride z...@mzmcbride.com wrote: (And if the user preference isn't meant to serve those who can't use HTTPS, who is it intended to serve?) My point is that it doesn't matter what your user preference is. Whether it's false or true, you still have to log in over HTTPS. In other words, the user preference has no effect on your ability to use the site. One group of users that is always being forgotten in this discussion is the group who use Wikipedia over really crappy connections that aren't censoring them. These users will have a hard time using an SSL connection due to the added resources/round trips and have a legitimate non-China/NSA excuse to disable HTTPS after they login (where the added roundtrips are probably worthwhile to keep their username/password safe). This is correct, but it is still not addressing the question of what happens to users who are completely unable to use HTTPS, and whether or not they will remain logged in if they try to reach another HTTPS-standard project if they start off from Chinese/Farsi projects. We have project-specific IPBE user-rights for users who are affected by blocked IP addresses (which include but aren't limited to TOR nodes or other blocked proxies). Is it possible to create a similar user-right for HTTPS not default for login for this users? We are talking about a non-negligible number of high-activity users on multiple projects being adversely affected here, including several stewards (cross-project issues), administrators, and high-productivity editors. It is important to find a way that is certain to allow them to log in and to move across multiple projects, and doing so should not be considered an *enhancement*, it should be considered a required feature of the new process. (It may not be a blocker, but I'd hope to see this fixed before the end of the month.) Risker ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
To clarify, the default value for this HTTPS option is false, meaning you have to explicitly turn it on in order to force HTTPS. In other words, the only functional change being made by this deployment is that *login* on certain projects will be over HTTPS. So for those who do not have HTTPS, they will have to log in through a project that does not have secure login enabled. And once they do log in, they should be fine thereafter. *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com On Tue, Aug 20, 2013 at 1:54 PM, Risker risker...@gmail.com wrote: On 20 August 2013 13:12, Greg Grossmeier g...@wikimedia.org wrote: quote name=Tyler Romeo date=2013-08-20 time=10:50:23 -0400 On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride z...@mzmcbride.com wrote: (And if the user preference isn't meant to serve those who can't use HTTPS, who is it intended to serve?) My point is that it doesn't matter what your user preference is. Whether it's false or true, you still have to log in over HTTPS. In other words, the user preference has no effect on your ability to use the site. One group of users that is always being forgotten in this discussion is the group who use Wikipedia over really crappy connections that aren't censoring them. These users will have a hard time using an SSL connection due to the added resources/round trips and have a legitimate non-China/NSA excuse to disable HTTPS after they login (where the added roundtrips are probably worthwhile to keep their username/password safe). This is correct, but it is still not addressing the question of what happens to users who are completely unable to use HTTPS, and whether or not they will remain logged in if they try to reach another HTTPS-standard project if they start off from Chinese/Farsi projects. We have project-specific IPBE user-rights for users who are affected by blocked IP addresses (which include but aren't limited to TOR nodes or other blocked proxies). Is it possible to create a similar user-right for HTTPS not default for login for this users? We are talking about a non-negligible number of high-activity users on multiple projects being adversely affected here, including several stewards (cross-project issues), administrators, and high-productivity editors. It is important to find a way that is certain to allow them to log in and to move across multiple projects, and doing so should not be considered an *enhancement*, it should be considered a required feature of the new process. (It may not be a blocker, but I'd hope to see this fixed before the end of the month.) Risker ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 10:58 AM, Tyler Romeo tylerro...@gmail.com wrote: To clarify, the default value for this HTTPS option is false, meaning you have to explicitly turn it on in order to force HTTPS. In other words, the only functional change being made by this deployment is that *login* on certain projects will be over HTTPS. So for those who do not have HTTPS, they will have to log in through a project that does not have secure login enabled. And once they do log in, they should be fine thereafter. *-- * Thanks Tyler, For clarification purposes I'm putting my understanding of this below, if you or someone else thinks what I'm saying is wrong please correct :): * The 'force https' preference is an option that is, by default, turned off. * However, for most wikis (not all), force https login is turned on. * Because forced https login is turned on the 'default' for those people will be to move from an https login to an https page because our normal workflow is to always keep you on https if you are already on https (if you are on page X, like a login page, in https then the next page X2 is also in https). * However, if you drop yourself down to http (for example just load the page in http by dropping the s from the address bar and pressing enter) you will not be forced back to https by default for the same reason (our normal workflow) assuming that you have not turned on the https preference. * If you login from an http (non secure) login page such as zhWiki or faWiki you will be able to remain logged in while going to a non secure wiki page (http://en.wikipedia.org ) and not be forced to https (unless you selected that in your preference). On a side note: I assume the preference is wiki based rather then global? James James Alexander Legal and Community Advocacy Wikimedia Foundation (415) 839-6885 x6716 @jamesofur ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 11:07 AM, James Alexander jalexan...@wikimedia.orgwrote: * The 'force https' preference is an option that is, by default, turned off. It is turned on by default when $wgSecureLogin is enabled. * However, for most wikis (not all), force https login is turned on. That will be the case come tomorrow, yes. * Because forced https login is turned on the 'default' for those people will be to move from an https login to an https page because our normal workflow is to always keep you on https if you are already on https (if you are on page X, like a login page, in https then the next page X2 is also in https). Yes, this is correct. * However, if you drop yourself down to http (for example just load the page in http by dropping the s from the address bar and pressing enter) you will not be forced back to https by default for the same reason (our normal workflow) assuming that you have not turned on the https preference. No, it will put you back on HTTPS as that was the default. You have to turn the preference off. * If you login from an http (non secure) login page such as zhWiki or faWiki you will be able to remain logged in while going to a non secure wiki page (http://en.wikipedia.org ) and not be forced to https (unless you selected that in your preference). Preferences are local, so unless the local preference has been set to false, you would end up on HTTPS. On a side note: I assume the preference is wiki based rather then global? Correct. I'm beginning to think there's a disconnect between what we coded and what people expect. The preference is *on* by default which I think is what's going to cause problems. We can change defaults before tomorrow so I think we should all be clear. -Chad ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 2:31 PM, Chad innocentkil...@gmail.com wrote: I'm beginning to think there's a disconnect between what we coded and what people expect. The preference is *on* by default which I think is what's going to cause problems. We can change defaults before tomorrow so I think we should all be clear. Oh I was not aware of this. I just knew that in MW core itself the default is off. Didn't realize WMF changed it. *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 11:36 AM, Tyler Romeo tylerro...@gmail.com wrote: On Tue, Aug 20, 2013 at 2:31 PM, Chad innocentkil...@gmail.com wrote: I'm beginning to think there's a disconnect between what we coded and what people expect. The preference is *on* by default which I think is what's going to cause problems. We can change defaults before tomorrow so I think we should all be clear. Oh I was not aware of this. I just knew that in MW core itself the default is off. Didn't realize WMF changed it. Did you read the patch? If $wgSecureLogin is true, prefershttps is also true. This is core. -Chad ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 2:38 PM, Chad innocentkil...@gmail.com wrote: Did you read the patch? If $wgSecureLogin is true, prefershttps is also true. This is core. Oh, I didn't see that Demon had added that in. My bad. *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 11:31 AM, Chad innocentkil...@gmail.com wrote: * If you login from an http (non secure) login page such as zhWiki or faWiki you will be able to remain logged in while going to a non secure wiki page (http://en.wikipedia.org ) and not be forced to https (unless you selected that in your preference). Preferences are local, so unless the local preference has been set to false, you would end up on HTTPS. On a side note: I assume the preference is wiki based rather then global? Correct. I'm beginning to think there's a disconnect between what we coded and what people expect. The preference is *on* by default which I think is what's going to cause problems. We can change defaults before tomorrow so I think we should all be clear. -Chad ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l Thanks Chad, that's a lot of help. Yeah, this seems to contradict what I thought Ryan was saying above and what I was under the impression for. The bad use case for here (as describe by Risker for example) is a mainland china user from zhWiki logging in (through http) but now not being able to visit enWiki logged in at all (because it will force them to https and https is blocked). I know Ryan used the term 'home wiki' some up in his emails. My interpretation when reading the thread was that it actually meant the wiki you were logging into (which I think is fine) and not the 'home' wiki that is marked in the CentralAuth interface (though I can't figure out where that's actually marked in the database...). If we are using that 'CentralAuth' definition we're going to have a lot of false negatives, a significant amount of people are marked off as their home being enWiki or somewhere else because it was the first place they created an account. We've never really used 'home wiki' to mean anything other then first account. James James Alexander Legal and Community Advocacy Wikimedia Foundation (415) 839-6885 x6716 @jamesofur ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Aug 20, 2013, at 12:03 PM, James Alexander jalexan...@wikimedia.org wrote: Yeah, this seems to contradict what I thought Ryan was saying above and what I was under the impression for. The bad use case for here (as describe by Risker for example) is a mainland china user from zhWiki logging in (through http) but now not being able to visit enWiki logged in at all (because it will force them to https and https is blocked). Posed for sake of argument, assuming this interpretation is correct: This is unacceptable and a blocking bug to this rollout. The suggested just find an excepted project and log in there first is neither easy nor self-evident enough to be effective for those users. The silent failure mode they will encounter will effectively be a silent site outage for them. The change must be delayed until people geographically / nationally denied HTTPS can log in again. Sent from Kangphone ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
The vast majority of people we serve with Wikipedia and friends don't have accounts and don't log in, and won't be affected in any way by this change. IMO it's simply unacceptable to leak authentication tokens or account passwords in cleartext; allowing any form of login over HTTP is dinosaur behavior and we'd be crazy to let it continue, whether for some sites only or all. We should require HTTPS for all logins on all sites in all languages all the time. Note that there are plenty of projects producing and maintaining block-circumvention tools, which is what folks who are running afoul of government censorship should be looking into if they need to log into a blocked site, or read blocked pages. It's a bit out of scope for Wikimedia to fix China's internet, though it'd be nice if we gave some recommendations on tools. Or would that just get us more blocked? -- brion On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert george.herb...@gmail.com wrote: On Aug 20, 2013, at 12:03 PM, James Alexander jalexan...@wikimedia.org wrote: Yeah, this seems to contradict what I thought Ryan was saying above and what I was under the impression for. The bad use case for here (as describe by Risker for example) is a mainland china user from zhWiki logging in (through http) but now not being able to visit enWiki logged in at all (because it will force them to https and https is blocked). Posed for sake of argument, assuming this interpretation is correct: This is unacceptable and a blocking bug to this rollout. The suggested just find an excepted project and log in there first is neither easy nor self-evident enough to be effective for those users. The silent failure mode they will encounter will effectively be a silent site outage for them. The change must be delayed until people geographically / nationally denied HTTPS can log in again. Sent from Kangphone ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
Okay, so I think there's a fair deal of confusion in a lot of minds as to how this all is going to work. So let's take a fairly simple and common use case, and work out how we're going to keep these users editing. The use case I suggest we work out is English Wikipedia editor who lives in China and wants to edit English Wikipedia using his logged-in account. So: - Can this user log in on English Wikipedia? (based on this discussion, no) - Can this user log in on an HTTPS-exempt Wikipedia (based on this discussion, any Chinese or Farsi project, yes) - How will they know that they have to go there? - When they try to go from Chinese Wikipedia to English Wikipedia, what happens? - Do they get an HTTP page, or an HTTPS one? (the latter of which is not accessible) - Do they remain logged in as HTTP? or do they get logged out because the enwp page is HTTPS by default? - If they manage to get as far as English Wikipedia, they can change their user preference to HTTP once that is enabled. Will that also allow them to log in under HTTP so they don't have to go to another project? Now, I can personally think of a dozen editors to whom this *specific* user case applies, and I know at least another dozen to whom similar user cases apply in relation to other projects - and I really don't know that many people. I get the importance and value of this action plan. At the same time, there is no benefit to the movement to de facto block existing contributors or ghettoize new ones. Essentially banning Iranian Wikimedians from editing anything but Farsi projects is contrary to the core principles of the Wikimedia movement; deliberately creating a situation where editors need to break the law of their land to participate on Commons or Meta is a significant problem. It's bad enough when that is caused by external forces outside of WMF control; it's disturbing when it is being caused by WMF itself. Risker ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Key community metrics to influence our plans
quote name=Bartosz Dziewoński date=2013-08-20 time=12:16:09 +0200 On Tue, 20 Aug 2013 00:48:09 +0200, Rob Lanphier ro...@wikimedia.org wrote: I'm personally interested in the absolute size of the Gerrit change request queue, not in relation to anything else, but just as an absolute number (over time). When this number gets large, we should all probably be interested in the following: * Breakdown by age of changeset. * Breakdown by project family (e.g. MediaWiki core, Wikimedia deployed extensions, all MediaWiki extensions hosted in Gerrit). This already exists, by the way. https://www.mediawiki.org/wiki/Gerrit/Navigation#Reports Neat. Feature request: Make a nice graph of the data that shows those numbers over time (per day I suppose?). I hear we have some analytics software we can use... ;) Greg -- | Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E | | identi.ca: @gregA18D 1138 8E47 FAC8 1C7D | signature.asc Description: Digital signature ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Aug 20, 2013, at 12:57 PM, Brion Vibber bvib...@wikimedia.org wrote: IMO it's simply unacceptable to leak authentication tokens or account passwords in cleartext; allowing any form of login over HTTP is dinosaur behavior and we'd be crazy to let it continue, whether for some sites only or all. We should require HTTPS for all logins on all sites in all languages all the time. This is a defensible position. That is not my point. It appears that the ops team is about to kick anyone who is unfortunate enough to live in the wrong countries off the projects, without a clue what happened or obvious fallback they will realize. Without publicity or explanation or a HTTP landing pad that explains. This magnitude of change is political, not purely technical/operational. And demands both notification and a fallback that users will be reasonably able to grasp. Again, this is still a little fuzzy as to the impact. But it seems like we dump China users of en.wp without warning or immediately obvious workaround. And if that's right, the ops team should not do this. It needs wider warnings and discussion, and is not an ops decision to make. Sent from Kangphone ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
Wikipedia was blocked ENTIRELY in China for years; people interested in *reading* as well as contributing used circumvention tools (VPNs etc) to more securely access the site, and just got generic errors if they didn't. This is an acceptable trade-off which we've allowed the Chinese government to make for us before, and here we're talking about a much smaller effect (on contributors only). Again, it's not our business to fix China. China has to fix China. -- brion On Tue, Aug 20, 2013 at 1:15 PM, George William Herbert george.herb...@gmail.com wrote: On Aug 20, 2013, at 12:57 PM, Brion Vibber bvib...@wikimedia.org wrote: IMO it's simply unacceptable to leak authentication tokens or account passwords in cleartext; allowing any form of login over HTTP is dinosaur behavior and we'd be crazy to let it continue, whether for some sites only or all. We should require HTTPS for all logins on all sites in all languages all the time. This is a defensible position. That is not my point. It appears that the ops team is about to kick anyone who is unfortunate enough to live in the wrong countries off the projects, without a clue what happened or obvious fallback they will realize. Without publicity or explanation or a HTTP landing pad that explains. This magnitude of change is political, not purely technical/operational. And demands both notification and a fallback that users will be reasonably able to grasp. Again, this is still a little fuzzy as to the impact. But it seems like we dump China users of en.wp without warning or immediately obvious workaround. And if that's right, the ops team should not do this. It needs wider warnings and discussion, and is not an ops decision to make. Sent from Kangphone ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
+foundation-l On Aug 20, 2013, at 1:20 PM, Brion Vibber bvib...@wikimedia.org wrote: This is an acceptable trade-off which we've allowed the Chinese government to make for us before, and here we're talking about a much smaller effect (on contributors only). Again, it's not our business to fix China. China has to fix China. None of which changes that this is not properly an ops team decision, particularly without notification, warning, workaround explained to people. If the explanation as to the effects on users in those locales is correct, I would like the Ops team to voluntarily stand back and notify and allow some wider discussion and explanation of the workaround. If Ops won't do that, then I would like to request that the WMF executive intervene and direct ops to pause and allow wider notification and discussion and explanation of the workaround. If the WMF executive is not willing I would like to request that the Board review the situation promptly and direct a pause per above. The outcome is not wrong. THIS IS THE WRONG WAY TO DO IT, without warning and explanation to the community. Sent from Kangphone ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android
We have just released Commons for iOS (version 1.0.8) and Android (1.0beta11), with *major* UI and performance improvements on iOS and minor bug fixes on Android. This is our first release in a couple months on iOS -- we hoped to have one out before Wikimania but were delayed due to problems with Apple's online developer tools being offline for a while. There are huge UI improvements and lots of bug fixes, thanks to our new mobile developer Monte Hurd. Thanks Monte! We've been releasing smaller updates on Android in the meantime, so the updates have been more incremental there. Both versions now include a quick 3-screen acceptable-use tutorial on first login. iOS includes featured photos as examples as well; this will come to Android in a future version. Downloads and release notes: * Apple App Store: https://itunes.apple.com/us/app/wikimedia-commons/id630901780 * Google Play: https://play.google.com/store/apps/details?id=org.wikimedia.commons * Android direct download: http://download.wikimedia.org/android/wikimedia-commons-1.0beta11.apk -- brion vibber (brion @ pobox.com / bvibber @ wikimedia.org) ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android
On 20 August 2013 16:57, Brion Vibber bvib...@wikimedia.org wrote: We have just released Commons for iOS (version 1.0.8) and Android (1.0beta11), with *major* UI and performance improvements on iOS and minor bug fixes on Android. This is our first release in a couple months on iOS -- we hoped to have one out before Wikimania but were delayed due to problems with Apple's online developer tools being offline for a while. There are huge UI improvements and lots of bug fixes, thanks to our new mobile developer Monte Hurd. Thanks Monte! We've been releasing smaller updates on Android in the meantime, so the updates have been more incremental there. Both versions now include a quick 3-screen acceptable-use tutorial on first login. iOS includes featured photos as examples as well; this will come to Android in a future version. Thanks to Monte and Brion for the work on this. I recently attended an edit-a-thon at the Royal Ontario Museum, and pointed the attendees (and ROM staff/interns) to this app - they were extremely enthusiastic, and I have a feeling we've already seen some images from them. Risker ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android
Hello guys, Are you thinking to develop apps for FirefoxOS too? 2013/8/20 Risker risker...@gmail.com On 20 August 2013 16:57, Brion Vibber bvib...@wikimedia.org wrote: We have just released Commons for iOS (version 1.0.8) and Android (1.0beta11), with *major* UI and performance improvements on iOS and minor bug fixes on Android. This is our first release in a couple months on iOS -- we hoped to have one out before Wikimania but were delayed due to problems with Apple's online developer tools being offline for a while. There are huge UI improvements and lots of bug fixes, thanks to our new mobile developer Monte Hurd. Thanks Monte! We've been releasing smaller updates on Android in the meantime, so the updates have been more incremental there. Both versions now include a quick 3-screen acceptable-use tutorial on first login. iOS includes featured photos as examples as well; this will come to Android in a future version. Thanks to Monte and Brion for the work on this. I recently attended an edit-a-thon at the Royal Ontario Museum, and pointed the attendees (and ROM staff/interns) to this app - they were extremely enthusiastic, and I have a feeling we've already seen some images from them. Risker ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l -- *Rodrigo Padula Education Program Coordinator - Brazil **Consultant for the Brazilian Catalyst Program at Wikimedia Foundation** * *+55 21 9326 0558 Blog: http://www.rodrigopadula.com Twitter: @rodrigopadula* ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] HTTPS central notice - translation needed?
Usually central notice banners link to an announcement that can be viewed in many languages. The HTTPS banner that is being displayed at the moment links to a rough page[0] that has only English version. Could anyone craft an announcement suitable for translation? [0] https://meta.wikimedia.org/wiki/HTTPS -- З павагай, Павел Селіцкас/Pavel Selitskas Wizardist @ Wikimedia projects ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
Brion Vibber wrote: Wikipedia was blocked ENTIRELY in China for years; people interested in *reading* as well as contributing used circumvention tools (VPNs etc) to more securely access the site, and just got generic errors if they didn't. This is an acceptable trade-off which we've allowed the Chinese government to make for us before, and here we're talking about a much smaller effect (on contributors only). Again, it's not our business to fix China. China has to fix China. I completely agree with China fixing China. But I think the Wikimedia community has to decide whether this trade-off is acceptable. I'm not sure it's a decision that sysadmins and developers can make alone. From my understanding, zh.wikipedia.org is currently available via HTTP in China, but not HTTPS. If we change all sites to require HTTPS for logged-in users, we'll certainly increase site security and enhance the user experience for most users, but is that worth losing every zh.wikipedia.org contributor who lives in China? Or do we expect anyone blocked from HTTPS to simply edit without an account? I think the concern here is that some projects may be decimated (in terms of number of contributors) if HTTPS is forced for all users. MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride z...@mzmcbride.com wrote: If we change all sites to require HTTPS for logged-in users, we'll certainly increase site security and enhance the user experience for most users, but is that worth losing every zh.wikipedia.org contributor who lives in China? Or do we expect anyone blocked from HTTPS to simply edit without an account? I think the concern here is that some projects may be decimated (in terms of number of contributors) if HTTPS is forced for all users. I think that zh and fa wikis are exempt. The concernseems to be about contributors from affected countries editing other wikis, such as Commons or Wikidata. -- Matma Rex ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android
On Tue, Aug 20, 2013 at 2:05 PM, Rodrigo Padula rodrigopad...@wikimedia.org wrote: Hello guys, Are you thinking to develop apps for FirefoxOS too? Currently we're not planning a version of the Commons uploader app. Photo uploading works in Firefox via the mobile web site, though it's not quite as flexible -- eg you can't edit your photo descriptions while offline and then upload a bunch online... yet. :) There's less need for a separate app on Firefox OS, as the regular web browser actually can interact with other apps on the system (eg to launch another app, or fetch a photo from the library, etc). So in the future, we'll probably have more 'progressive enhancement' with additional uploading media features in supporting browsers, and that'll get rolled into our app entry in the Firefox Marketplace replacing the current Wikipedia reader app. (The Commons uploader apps may or may not eventually roll into the main Wikipedia app on iOS and Android too, we haven't decided for sure yet.) -- brion 2013/8/20 Risker risker...@gmail.com On 20 August 2013 16:57, Brion Vibber bvib...@wikimedia.org wrote: We have just released Commons for iOS (version 1.0.8) and Android (1.0beta11), with *major* UI and performance improvements on iOS and minor bug fixes on Android. This is our first release in a couple months on iOS -- we hoped to have one out before Wikimania but were delayed due to problems with Apple's online developer tools being offline for a while. There are huge UI improvements and lots of bug fixes, thanks to our new mobile developer Monte Hurd. Thanks Monte! We've been releasing smaller updates on Android in the meantime, so the updates have been more incremental there. Both versions now include a quick 3-screen acceptable-use tutorial on first login. iOS includes featured photos as examples as well; this will come to Android in a future version. Thanks to Monte and Brion for the work on this. I recently attended an edit-a-thon at the Royal Ontario Museum, and pointed the attendees (and ROM staff/interns) to this app - they were extremely enthusiastic, and I have a feeling we've already seen some images from them. Risker ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l -- *Rodrigo Padula Education Program Coordinator - Brazil **Consultant for the Brazilian Catalyst Program at Wikimedia Foundation** * *+55 21 9326 0558 Blog: http://www.rodrigopadula.com Twitter: @rodrigopadula* ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android
2013/8/21 Brion Vibber bvib...@wikimedia.org: (The Commons uploader apps may or may not eventually roll into the main Wikipedia app on iOS and Android too, we haven't decided for sure yet.) That sound weird (read: divergent from all the stuff we read in the WMF plans and reports). Shouldn't the ultimate development goal for mobile be total feature parity with desktop? Otherwise how is wiki* supposed to tap into global south (I hate this buzzword!) editor resources? Aren't all the pundits claiming that desktop is dead and in the future we're all gonna browse the internet on small (5-10) or huge (40+) screens? Strainu ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On 20 aug. 2013, at 23:21, Bartosz Dziewoński matma@gmail.com wrote: On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride z...@mzmcbride.com wrote: If we change all sites to require HTTPS for logged-in users, we'll certainly increase site security and enhance the user experience for most users, but is that worth losing every zh.wikipedia.org contributor who lives in China? Or do we expect anyone blocked from HTTPS to simply edit without an account? I think the concern here is that some projects may be decimated (in terms of number of contributors) if HTTPS is forced for all users. I think that zh and fa wikis are exempt. The concernseems to be about contributors from affected countries editing other wikis, such as Commons or Wikidata. Can I just say that IF there is still this much discussion and confusion going on even at the level of the developers, that I feel really uncomfortable with this being deployed in the next 24hours. This all just feels way too rough. And it smells like this is gonna create yet another deploy shitstorm within the communities. I wouldn't like to be in the shoes of the liaisons and ambassadors tomorrow DJ ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] [Commons-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android
Hey Brion, Very cool! I just downloaded Commons for iOS and uploaded a photo in minutes … it went smooth as silk :) Thanks for you fine work, which should enable many more folks to contribute multimedia content on the go. Cheers, Fabrice On Aug 20, 2013, at 1:57 PM, Brion Vibber wrote: We have just released Commons for iOS (version 1.0.8) and Android (1.0beta11), with *major* UI and performance improvements on iOS and minor bug fixes on Android. This is our first release in a couple months on iOS -- we hoped to have one out before Wikimania but were delayed due to problems with Apple's online developer tools being offline for a while. There are huge UI improvements and lots of bug fixes, thanks to our new mobile developer Monte Hurd. Thanks Monte! We've been releasing smaller updates on Android in the meantime, so the updates have been more incremental there. Both versions now include a quick 3-screen acceptable-use tutorial on first login. iOS includes featured photos as examples as well; this will come to Android in a future version. Downloads and release notes: * Apple App Store: https://itunes.apple.com/us/app/wikimedia-commons/id630901780 * Google Play: https://play.google.com/store/apps/details?id=org.wikimedia.commons * Android direct download: http://download.wikimedia.org/android/wikimedia-commons-1.0beta11.apk -- brion vibber (brion @ pobox.com / bvibber @ wikimedia.org) ___ Commons-l mailing list common...@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/commons-l ___ Fabrice Florin Product Manager Wikimedia Foundation http://en.wikipedia.org/wiki/User:Fabrice_Florin_(WMF) ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
The lack of secure login on WMF wikis is a *major security issue*, and AFAIK is the biggest publicly known security issue in the site. All you need is some random checkuser to be using Wikipedia at a Starbucks, and all of a sudden the privacy policy of every single registered user is violated. There's big talk all around about evading the NSA and attempting to protect the privacy of our users, but it is literally impossible to protect users' privacy if we can't even protect their security in the first place. To re-iterate, privacy depends on security, and right now we have neither of them. Furthermore, secure login is not a new idea. I've been fighting to get this feature enabled since October 2012 when the secure login functionality in MW core was finally fixed. Since then, HTTPS login has been deployed *twice*, but reverted once due to a bug with CentralAuth and once due the design team concerned about the login form. This will be the third attempt at deploying this in the past six months, so I don't know why this discussion had to start right now. In the end, what we're doing is allowing the Chinese government to manipulate the WMF into degrading the security of its entire userbase, and I don't think that's acceptable. There are 100 times as many active users on enwiki than there are zhwiki, and that's assuming *all* active users on zhwiki also edit enwiki, which is probably not true. *-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerro...@gmail.com On Tue, Aug 20, 2013 at 6:10 PM, Derk-Jan Hartman d.j.hartman+wmf...@gmail.com wrote: On 20 aug. 2013, at 23:21, Bartosz Dziewoński matma@gmail.com wrote: On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride z...@mzmcbride.com wrote: If we change all sites to require HTTPS for logged-in users, we'll certainly increase site security and enhance the user experience for most users, but is that worth losing every zh.wikipedia.org contributor who lives in China? Or do we expect anyone blocked from HTTPS to simply edit without an account? I think the concern here is that some projects may be decimated (in terms of number of contributors) if HTTPS is forced for all users. I think that zh and fa wikis are exempt. The concernseems to be about contributors from affected countries editing other wikis, such as Commons or Wikidata. Can I just say that IF there is still this much discussion and confusion going on even at the level of the developers, that I feel really uncomfortable with this being deployed in the next 24hours. This all just feels way too rough. And it smells like this is gonna create yet another deploy shitstorm within the communities. I wouldn't like to be in the shoes of the liaisons and ambassadors tomorrow DJ ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 3:57 PM, Tyler Romeo tylerro...@gmail.com wrote: The lack of secure login on WMF wikis is a *major security issue*, and AFAIK is the biggest publicly known security issue in the site. Time out... We do not have a lack of secure login. That was solved a long time ago (many years). I've been using it since about when it was made available first (secure. ...). This is going from secure is default and available to you cannot access other than secure, unless you know a non-secure exempted wiki you can log in to first. The people with a firewall (national, corporate, whatever) that blocks HTTPS deserve some warning that something bad is going to happen to them, and that they can mititate that using (X), before it hits. Again - it is entirely reasonable to shift the stance towards all secure. This will affect some people (I don't know how many). They have not been warned and the workaround is not intuitive. It's not a normal or reasonable to affect some number of users like that with no warning. This will be the third attempt at deploying this in the past six months, so I don't know why this discussion had to start right now. It was not clear to me that this would have that wide an effect, or I for one would have been saying something months ago. I said exactly how significant I feel it is immediately upon my understanding what the effects will be. I understand your frustration, but again, the impact on those users is (to me) a blocker bug. It being discovered and made visible this close to deploy time is unfortunate. We should (later) have a conversation about feature descriptions and notifications on the tech list so that discoveries like this aren't last minute. That does not affect that it should be a blocker bug. Those affected people deserve notification and information on the workarounds. That does not mean don't roll this out but don't roll it out until it's adequately publicized long enough that nobody is surprised and unable to find the workaround. A week or two weeks of adequate notice should be fine. -george ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 3:57 PM, Tyler Romeo tylerro...@gmail.com wrote: The lack of secure login on WMF wikis is a *major security issue*, and AFAIK is the biggest publicly known security issue in the site. Indeed. For a Signpost article three years ago, I asked a security researcher (who had co-authored a comparative study of user password handling on 150 websites) about his recommendations for Wikipedia. Making encrypted transmission of the password the default was his foremost advice: https://en.wikipedia.org/wiki/Wikipedia:Wikipedia_Signpost/2010-08-02/Technology_report#Study_of_web_passwords_includes_Wikipedia It's excellent news that this issue is finally being resolved, even when there are exceptions and corner cases that need to be addressed. All you need is some random checkuser to be using Wikipedia at a Starbucks, and all of a sudden the privacy policy of every single registered user is violated. There's big talk all around about evading the NSA and attempting to protect the privacy of our users, but it is literally impossible to protect users' privacy if we can't even protect their security in the first place. To re-iterate, privacy depends on security, and right now we have neither of them. Furthermore, secure login is not a new idea. I've been fighting to get this feature enabled since October 2012 when the secure login functionality in MW core was finally fixed. Since then, HTTPS login has been deployed *twice*, but reverted once due to a bug with CentralAuth and once due the design team concerned about the login form. This will be the third attempt at deploying this in the past six months, so I don't know why this discussion had to start right now. -- Tilman Bayer Senior Operations Analyst (Movement Communications) Wikimedia Foundation IRC (Freenode): HaeB ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] CentralNotice Security Patch on Tin
Hey all, Chris Steipp found a bug in CentralNotice yesterday and I've applied a modified version of his patch. He has asked me not to commit it to gerrit until Friday's security release. I've applied that patch to wmf12 and wmf13. Please do not git submodule update the CentralNotice extension! In the event that the patch is causing issues; the patch file is: tin:/home/mwalker/CentralNotice-bug53032.patch ~Matt Walker Wikimedia Foundation Fundraising Technology Team ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert george.herb...@gmail.com wrote: The change must be delayed until people geographically / nationally denied HTTPS can log in again. Tim's working on a patch that should make this possible: https://gerrit.wikimedia.org/r/#/c/80166/ The plan of record right now is to not make the switch til we have that merged tested. We may still be able to make the launch window tomorrow - RobLa will make the final call on that. Ideally I'd like to see the language-based blacklisting removed if the GeoIP-based solution works. In general, though, I'd prefer for WMF to move away from what could be characterized as appeasement and towards actively resisting censorship and monitoring. So I'd argue in favor of a deadline for this approach, and alignment of resources and alliances to take active measures against censorship and monitoring. Erik -- Erik Möller VP of Engineering and Product Development, Wikimedia Foundation ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 7:22 PM, Erik Moeller e...@wikimedia.org wrote: On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert george.herb...@gmail.com wrote: The change must be delayed until people geographically / nationally denied HTTPS can log in again. Tim's working on a patch that should make this possible: https://gerrit.wikimedia.org/r/#/c/80166/ The plan of record right now is to not make the switch til we have that merged tested. We may still be able to make the launch window tomorrow - RobLa will make the final call on that. Ideally I'd like to see the language-based blacklisting removed if the GeoIP-based solution works. Excellent. Thank you. In general, though, I'd prefer for WMF to move away from what could be characterized as appeasement and towards actively resisting censorship and monitoring. So I'd argue in favor of a deadline for this approach, and alignment of resources and alliances to take active measures against censorship and monitoring. Yes; in the medium term (past the next few days / week) the direction here is clearly good from a user privacy / censorship and monitoring point of view. -- -george william herbert george.herb...@gmail.com ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On 20 August 2013 22:22, Erik Moeller e...@wikimedia.org wrote: On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert george.herb...@gmail.com wrote: The change must be delayed until people geographically / nationally denied HTTPS can log in again. Tim's working on a patch that should make this possible: https://gerrit.wikimedia.org/r/#/c/80166/ The plan of record right now is to not make the switch til we have that merged tested. We may still be able to make the launch window tomorrow - RobLa will make the final call on that. Very good, this is the step that needed to be taken so that users who are unable to use HTTPS can still contribute to our knowledge base - which is the primary focus of the WMF. Ideally I'd like to see the language-based blacklisting removed if the GeoIP-based solution works. In general, though, I'd prefer for WMF to move away from what could be characterized as appeasement and towards actively resisting censorship and monitoring. So I'd argue in favor of a deadline for this approach, and alignment of resources and alliances to take active measures against censorship and monitoring. Perhaps then you might want to re-familiarize yourself with the WMF's policy on political advocacy, particularly the section on Promotional use of website assets and Movement Partnerships (although the latter is a bit of a stretch).[1] I think that would best describe the proposal here, to politicize the manner in which *registered contributors* are able to contribute to the vast array of WMF projects. I do understand why this is important to a lot of people, and I do get that logging in under HTTPS is more secure than logging in under HTTP. But at the same time, the WMF's primary mission is to empower and engage people around the world to collect and develop educational content.[2] Wikimedia's values include encouraging the development of free-content educational resources that may be created, used, and reused by the entire human community. We believe that this mission requires thriving open formats and open standards on the web to allow the creation of content not subject to restrictions on creation, use, and reuse. [3] Note now none of them say the WMF technical team can unilaterally take actions that may affect the ability of users to register an account or for registered contributors to participate in the WMF's primary mission. For that, you need to actively persuade the community in general that this is necessary, and possibly even the Board of Trustees. Risker [1] https://meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Foundation_Policy_and_Political_Association_Guideline#Promotional_Use_of_Website_Assets [2] https://wikimediafoundation.org/wiki/Mission [3] https://wikimediafoundation.org/wiki/Values ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
Erik Moeller wrote: In general, though, I'd prefer for WMF to move away from what could be characterized as appeasement and towards actively resisting censorship and monitoring. I agree with you and I imagine most developers would agree with you. But the question remains: do most Wikimedians? I think for most Wikimedians, but particularly for Wikimedians in areas where HTTPS access is restricted, I think there's a general view that having insecure access over HTTP trumps requiring HTTPS and cutting off access altogether. While we hope that this situation is inapplicable to most users, we have to recognize that it's applicable to some percent of our users. It'd be good to get numbers about how many users we're talking about and try to better understand what the Wikimedia community thinks is the best path forward, given the various constraints and consequences. MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 8:04 PM, MZMcBride z...@mzmcbride.com wrote: Erik Moeller wrote: In general, though, I'd prefer for WMF to move away from what could be characterized as appeasement and towards actively resisting censorship and monitoring. I agree with you and I imagine most developers would agree with you. But the question remains: do most Wikimedians? I think for most Wikimedians, but particularly for Wikimedians in areas where HTTPS access is restricted, I think there's a general view that having insecure access over HTTP trumps requiring HTTPS and cutting off access altogether. While we hope that this situation is inapplicable to most users, we have to recognize that it's applicable to some percent of our users. It'd be good to get numbers about how many users we're talking about and try to better understand what the Wikimedia community thinks is the best path forward, given the various constraints and consequences. There's not a lot of great options for us to actively bypass censorship methods and anything we do will likely result in us being completely blocked by doing it. Maybe what we're doing is appeasement, but realistically we have no political power against China. The editors from mainland China had a discussion with some of us at Wikimania and they said that Wikipedia is basically unknown in China because Baidupedia is what shows up in the search results and Wikipedia does not. They actually spend a great deal of time trying to make Wikipedia known to readers in hopes of strengthening the editing community. If we were fully blocked again in China, it wouldn't cause any political fuss. - Ryan ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On 08/20/2013 11:05 PM, Risker wrote: Perhaps then you might want to re-familiarize yourself with the WMF's policy on political advocacy I'm sorry Risker, but you've got this backwards. Making a long-overdue /minimal/ fix to our login process is not political advocacy. Compromising the security and privacy of our editors for the sake of a government's censorship policies, *is*. The very idea that editors with checkuser or oversight might even be *able* to login in cleartext over an Internet we *know* is monitored by entities that are demonstrably hostile to privacy is worrying enough on its own without introducing additional flaws in the process. I don't even agree that an exception should be made to allow cleartext logins from regions which are even *more* hostile to privacy than the United States; and I would have advocated that no account with bits should be allowed to do so regardless of location. Nevertheless, engineering has been bending over backwards to accommodate as many editors with crippled Internet access as is possible; inventing bogeymen and quoting misapplied bits of policy around (promotional use? Really?) is an extraordinary show of bad faith. -- Marc ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] OAuth
As mentioned earlier this week, we deployed an initial version of the OAuth extension to the test wikis yesterday. I wanted to follow up with a few more details about the extension that we deployed (although if you're just curious about OAuth in general, I recommend starting at oauth.net, or https://www.mediawiki.org/wiki/Auth_systems/OAuth): * Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuth should get you started towards using OAuth in your application. * Demo: Anomie setup a excellent initial app (I think counts as our first official, approved consumer) here https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so you can get a feel for the user experience as a user! * Timeline: We're hoping to get some use this week, and deploy to the rest of the WMF wikis next week if we don't encounter any issues. * Bugs: Please open bugzilla tickets for any issues you find, or enhancement requests-- https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensionscomponent=OAuth And some other details for the curious: * Yes, you can use this on your own wiki right now! It's meant to be used in a single or shared environment, so the defaults will work on a standalone wiki. Input and patches are welcome, if you have any issues setting this up on your own wiki. * TLS: Since a few of you seem to care about https... The extension currently implements OAuth 1.0a, which is designed to be used without https (except to deliver the shared secret to the app owner, when the app is registered). So calls to the API don't need to use https. * Logging: All edits are tagged with the consumer's id (CID), so you can see when OAuth was used to contribute an edit. Enjoy! ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On 21 August 2013 00:08, Marc A. Pelletier m...@uberbox.org wrote: On 08/20/2013 11:05 PM, Risker wrote: Perhaps then you might want to re-familiarize yourself with the WMF's policy on political advocacy I'm sorry Risker, but you've got this backwards. Making a long-overdue /minimal/ fix to our login process is not political advocacy. Compromising the security and privacy of our editors for the sake of a government's censorship policies, *is*. The mandatory use of HTTPS outside of a limited number of countries where we know the editors will be blocked is not what I am talking about. I was responding to Erik's political manifesto about censorship. I have no problems with the core concept here. The very idea that editors with checkuser or oversight might even be *able* to login in cleartext over an Internet we *know* is monitored by entities that are demonstrably hostile to privacy is worrying enough on its own without introducing additional flaws in the process. I don't even agree that an exception should be made to allow cleartext logins from regions which are even *more* hostile to privacy than the United States; and I would have advocated that no account with bits should be allowed to do so regardless of location. Well, you're not alone there. But that is an entirely different discussion. You want to take up security of accounts with bits, Chris Stiepp is thataway. Nevertheless, engineering has been bending over backwards to accommodate as many editors with crippled Internet access as is possible; inventing bogeymen and quoting misapplied bits of policy around (promotional use? Really?) is an extraordinary show of bad faith. - Again, I was not referring to the core concept here. Read Erik's last paragraph again: it is a political manifesto, and something I would not have expected from the #2 of Wikimedia Foundation leadership in the middle of a technical discussion. I don't entirely disagree with him, but it's not in line with the mission and vision of the Foundation itself, which is unsupportive of using technical means to prevent good-faith contributions. Risker ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
Ryan Lane wrote: Maybe what we're doing is appeasement, but realistically we have no political power against China. The editors from mainland China had a discussion with some of us at Wikimania and they said that Wikipedia is basically unknown in China because Baidupedia is what shows up in the search results and Wikipedia does not. They actually spend a great deal of time trying to make Wikipedia known to readers in hopes of strengthening the editing community. If we were fully blocked again in China, it wouldn't cause any political fuss. Good to know, thanks. So perhaps the impact will be minimal. If stats are possible, they'd be great. I'm not sure how easy it is to measure users unable to use HTTPS. https://wikimedia.org/wiki/m:Requests_for_comment/Petition_of_HTTPS_default ^ Another data point. The Meta-Wiki version is frozen in time, while people continue to sign on the Chinese Wikipedia. MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Tue, Aug 20, 2013 at 9:20 PM, Risker risker...@gmail.com wrote: The mandatory use of HTTPS outside of a limited number of countries where we know the editors will be blocked is not what I am talking about. No, but the point is that there's no apolitical choice here. Actively suppressing a standard, long overdue security measure in order to ensure that a country's censorship practices do not interfere with editing and access to Wikipedia is a political choice. Not doing so in full awareness of the consequences is a political choice. We cannot claim ignorance or neutrality either way. The real question is what political choices serve Wikimedia's mission best in the short and long term, and I agree that that's a discussion that extends beyond the technical dimension, so is somewhat OT here. Erik -- Erik Möller VP of Engineering and Product Development, Wikimedia Foundation ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
quote name=MZMcBride date=2013-08-21 time=00:23:04 -0400 Ryan Lane wrote: Maybe what we're doing is appeasement, but realistically we have no political power against China. The editors from mainland China had a discussion with some of us at Wikimania and they said that Wikipedia is basically unknown in China because Baidupedia is what shows up in the search results and Wikipedia does not. They actually spend a great deal of time trying to make Wikipedia known to readers in hopes of strengthening the editing community. If we were fully blocked again in China, it wouldn't cause any political fuss. Good to know, thanks. So perhaps the impact will be minimal. If stats are possible, they'd be great. I'm not sure how easy it is to measure users unable to use HTTPS. We have some preliminary data that we collected over the weekend on the ability of users to access an https resource (zero byte gif hosted on upload.wikimedia). The numbers still only live in a google doc (sorry!), and they have a lot of caveats. The caveats (really important to read): https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit (one really important caveat is we don't even list countries which had less than 100 requests total, as that would be too much noise in the data.) https://docs.google.com/a/wikimedia.org/spreadsheet/ccc?key=0Ams-fyukCIlMdFRwMWJ3czFRQ0NEeVliNklYTDhfdHc#gid=3 (Be sure not to miss the tabs at the bottom which show you a map view of the data). As China and Iran are the outliers there, here's a spreadsheet with them zero'd out so you can more easily see the middle gradients: https://docs.google.com/a/wikimedia.org/spreadsheet/ccc?key=0Agte_lJNpi-OdFJUdGJjNnVhMExvQTFSWU1oaXdpbEE#gid=12 Additionally, to see if any changes have a major effect on the ability of people to log in, we've started parsing out the successful centralauth autentications and will have a nice Ganglia graph tomorrow. We also parsed out some historical data on those going back a week or more to have a better idea of what normal is. Our numbers here are successful logins per hour which should be a decent metric to watch. Thanks much to Ori and Dario for working on the HTTPS capability numbers, and Ori and Robla for getting the successful login numbers. Greg -- | Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E | | identi.ca: @gregA18D 1138 8E47 FAC8 1C7D | signature.asc Description: Digital signature ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] OAuth
This is highly anticipated on my part and awesome. I will integrate it into wikimetrics asap. Dan On Tue, Aug 20, 2013 at 9:15 PM, Chris Steipp cste...@wikimedia.org wrote: As mentioned earlier this week, we deployed an initial version of the OAuth extension to the test wikis yesterday. I wanted to follow up with a few more details about the extension that we deployed (although if you're just curious about OAuth in general, I recommend starting at oauth.net, or https://www.mediawiki.org/wiki/Auth_systems/OAuth): * Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuthshould get you started towards using OAuth in your application. * Demo: Anomie setup a excellent initial app (I think counts as our first official, approved consumer) here https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so you can get a feel for the user experience as a user! * Timeline: We're hoping to get some use this week, and deploy to the rest of the WMF wikis next week if we don't encounter any issues. * Bugs: Please open bugzilla tickets for any issues you find, or enhancement requests-- https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensionscomponent=OAuth And some other details for the curious: * Yes, you can use this on your own wiki right now! It's meant to be used in a single or shared environment, so the defaults will work on a standalone wiki. Input and patches are welcome, if you have any issues setting this up on your own wiki. * TLS: Since a few of you seem to care about https... The extension currently implements OAuth 1.0a, which is designed to be used without https (except to deliver the shared secret to the app owner, when the app is registered). So calls to the API don't need to use https. * Logging: All edits are tagged with the consumer's id (CID), so you can see when OAuth was used to contribute an edit. Enjoy! ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
quote name=Greg Grossmeier date=2013-08-20 time=21:43:55 -0700 The caveats (really important to read): https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit (one really important caveat is we don't even list countries which had less than 100 requests total, as that would be too much noise in the data.) I should reiterate: It's hard to draw stark conclusions from this data at this point, but we're using it as a guide along with our knowledge of network reliability in different parts of the world to make decisions about what regions will be exempted. Greg -- | Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E | | identi.ca: @gregA18D 1138 8E47 FAC8 1C7D | signature.asc Description: Digital signature ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On 21 August 2013 00:51, Greg Grossmeier g...@wikimedia.org wrote: quote name=Greg Grossmeier date=2013-08-20 time=21:43:55 -0700 The caveats (really important to read): https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit (one really important caveat is we don't even list countries which had less than 100 requests total, as that would be too much noise in the data.) I should reiterate: It's hard to draw stark conclusions from this data at this point, but we're using it as a guide along with our knowledge of network reliability in different parts of the world to make decisions about what regions will be exempted. Greg Thank you for sharing this data, Greg. I am surprised to see 5 additional countries with more than 10% failure rates, and another 11 with more than 5%, although these tend to also have higher than average margins of error. It would be interesting to see how the numbers stabilize over time. Risker ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
On Aug 20, 2013, at 9:43 PM, Greg Grossmeier g...@wikimedia.org wrote: Additionally, to see if any changes have a major effect on the ability of people to log in, we've started parsing out the successful centralauth autentications and will have a nice Ganglia graph tomorrow. We also parsed out some historical data on those going back a week or more to have a better idea of what normal is. Our numbers here are successful logins per hour which should be a decent metric to watch. Thanks, Greg. Is there any chance that monitoring could track success of login if someone is redirected from HTTP to HTTPS? The redirects should be easy to spot. -george Sent from Kangphone ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
quote name=George William Herbert date=2013-08-20 time=22:09:41 -0700 Is there any chance that monitoring could track success of login if someone is redirected from HTTP to HTTPS? The redirects should be easy to spot. I don't know, honestly. The log we were working from initially doesn't have that data in it (we don't track our users, remember? ;)), but I'll look more closely tomorrow. Greg -- | Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E | | identi.ca: @gregA18D 1138 8E47 FAC8 1C7D | signature.asc Description: Digital signature ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st
quote name=Risker date=2013-08-21 time=01:03:51 -0400 Thank you for sharing this data, Greg. I am surprised to see 5 additional countries with more than 10% failure rates, and another 11 with more than 5%, although these tend to also have higher than average margins of error. It would be interesting to see how the numbers stabilize over time. Yes, the stabilizing/longer term data will be really helpful here. We'll keep our eyes on it, in addition to the other feedback channels, and adjust our settings appropriately. Greg -- | Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E | | identi.ca: @gregA18D 1138 8E47 FAC8 1C7D | signature.asc Description: Digital signature ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l