date:20130820

Tyler Romeo wrote:
On Mon, Aug 19, 2013 at 9:32 PM, MZMcBride z...@mzmcbride.com wrote:
 My understanding from https://bugzilla.wikimedia.org/29898 is that as
of August 20, 2013, there is now a user preference that can toggle
HTTP/HTTPS as being required. This is similar to what Gmail and others
do (default to HTTPS, allow it to be disabled via a user preference).
I'm not totally sure how users will be able to reach their user
preferences if they can't log in, though.

Just to clarify a bit: this is a moot problem, because disabling HTTPS in
your user preferences does *not* disable login over HTTPS. Once this is
deployed, *all* logins (as in absolutely all of them on whatever projects
it is enabled on) will be over HTTPS.

I'm not sure that counts as moot. People incapable of using HTTPS will
simply be locked out of their accounts indefinitely? How many users will
this affect?

I wonder if making it possible to toggle this user preference via e-mail
would make sense. Wikimedia wikis are too large and too diverse to not
expect that a certain percent of users won't be able to use HTTPS. I'd
really like to avoid losing these users. Of course even a toggle by
e-mail option still wouldn't solve the login issue. Hmmm.

(And if the user preference isn't meant to serve those who can't use
HTTPS, who is it intended to serve?)

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride z...@mzmcbride.com wrote:

 I'm not sure that counts as moot. People incapable of using HTTPS will
 simply be locked out of their accounts indefinitely? How many users will
 this affect?

 I wonder if making it possible to toggle this user preference via e-mail
 would make sense. Wikimedia wikis are too large and too diverse to not
 expect that a certain percent of users won't be able to use HTTPS. I'd
 really like to avoid losing these users. Of course even a toggle by
 e-mail option still wouldn't solve the login issue. Hmmm.

 (And if the user preference isn't meant to serve those who can't use
 HTTPS, who is it intended to serve?)


My point is that it doesn't matter what your user preference is. Whether
it's false or true, you still have to log in over HTTPS. In other words,
the user preference has no effect on your ability to use the site.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Key community metrics to influence our plans

2013-08-20 Thread Andre Klapper

On Mon, 2013-08-19 at 13:05 -0700, Quim Gil wrote:
 Out of code contributions, the only candidate to become a KPI that came 
 to mind was the effectiveness responding to Bugzilla reports. Maybe you 
 are right the priority of this one is higher than the age of code 
 contributors. Thoughts?

Refering to Bugzilla only:

As listed on http://www.mediawiki.org/wiki/Talk:Community_metrics ,
I'd be interested in two things:

Average time to resolve a ticket: Delta between creation of a report and
setting the status RESOLVED.
Preferably separately for real bugs and severity=enhancement.
Might also make sense to have a specific one for setting the status
RESOLVED  resolution FIXED, to only cover code fixes.

And average time to response to new tickets: Delta between creation of a
report and any next change (setting priority, adding an initial comment,
etc.) which is NOT done by the original reporter. If that's possible.

All in all, the proposed metrics look really good to me, great work! 
Looking forward to seeing most of that implemented!

andre
-- 
Andre Klapper | Wikimedia Bugwrangler
http://blogs.gnome.org/aklapper/


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] FOSDEM: main tracks and developer rooms

2013-08-20 Thread Quim Gil

FOSDEM will take place on 1 and 2 February 2014 in Brussels. Now it's 
the time to apply for DevRooms and main track sessions.


https://fosdem.org/2014/news/2013-08-06-call-for-participation/

Key dates:

15 September
* deadline for developer room proposals

1 October
* deadline for main track proposals
* accepted developer rooms announced

I think Wikimedia needs FOSDEM and FOSDEM needs Wikimedia. We could 
mobilize European developers and tech-friendly chapters to work on a 
combined outreach action.


First things first: proposing a Wiki DevRoom. What do you think? Note 
that it's Wiki, not just Wikimedia or MediaWiki.


We should also brainstorm what are the best main track session candidates.

--
Quim Gil
Technical Contributor Coordinator @ Wikimedia Foundation
http://www.mediawiki.org/wiki/User:Qgil

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] FOSDEM: main tracks and developer rooms

2013-08-20 Thread Arthur Richards

We've talked in the past about hosting a Wikimedia dev room or table for
FOSDEM, but never got our acts together to apply. I think we should
*totally* apply for a wiki devroom this year - FOSDEM is one of the best
conferences I've ever been to, and especially given our wiki-representation
in Europe, there are a million reasons why we should have a strong presence
there. Let's do it!

On Wed, Aug 21, 2013 at 1:00 AM, Quim Gil q...@wikimedia.org wrote:

FOSDEM will take place on 1 and 2 February 2014 in Brussels. Now it's the
time to apply for DevRooms and main track sessions.

https://fosdem.org/2014/news/**2013-08-06-call-for-**participation/https://fosdem.org/2014/news/2013-08-06-call-for-participation/

Key dates:

15 September
* deadline for developer room proposals

1 October
* deadline for main track proposals
* accepted developer rooms announced

I think Wikimedia needs FOSDEM and FOSDEM needs Wikimedia. We could
mobilize European developers and tech-friendly chapters to work on a
combined outreach action.

First things first: proposing a Wiki DevRoom. What do you think? Note that
it's Wiki, not just Wikimedia or MediaWiki.

We should also brainstorm what are the best main track session candidates.

--
Quim Gil
Technical Contributor Coordinator @ Wikimedia Foundation
http://www.mediawiki.org/wiki/**User:Qgilhttp://www.mediawiki.org/wiki/User:Qgil

__**_
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/**mailman/listinfo/wikitech-lhttps://lists.wikimedia.org/mailman/listinfo/wikitech-l

--
Arthur Richards
Software Engineer, Mobile
[[User:Awjrichards]]
IRC: awjr
+1-415-839-6885 x6687
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

quote name=Tyler Romeo date=2013-08-20 time=10:50:23 -0400
 On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride z...@mzmcbride.com wrote:
 
  (And if the user preference isn't meant to serve those who can't use
  HTTPS, who is it intended to serve?)
 
 
 My point is that it doesn't matter what your user preference is. Whether
 it's false or true, you still have to log in over HTTPS. In other words,
 the user preference has no effect on your ability to use the site.

One group of users that is always being forgotten in this discussion is
the group who use Wikipedia over really crappy connections that aren't
censoring them. These users will have a hard time using an SSL
connection due to the added resources/round trips and have a legitimate
non-China/NSA excuse to disable HTTPS after they login (where the added
roundtrips are probably worthwhile to keep their username/password
safe).

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |


signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Deployment highlights - week of August 19th

2013-08-20 Thread Federico Leva (Nemo)


Thank you both, concise and clear. :)
Even though they are just quick ephemeral updates they are useful so 
I've copied them to

* https://www.mediawiki.org/wiki/Auth_systems/status#2013-08-20 and
* 
https://www.mediawiki.org/wiki/Site_performance_and_architecture/status#2013-08-20

which appear to be the (only) pages where they fit.

Nemo

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Tue, Aug 20, 2013 at 1:12 PM, Greg Grossmeier g...@wikimedia.org wrote:

 One group of users that is always being forgotten in this discussion is
 the group who use Wikipedia over really crappy connections that aren't
 censoring them. These users will have a hard time using an SSL
 connection due to the added resources/round trips and have a legitimate
 non-China/NSA excuse to disable HTTPS after they login (where the added
 roundtrips are probably worthwhile to keep their username/password
 safe).


Indeed, and in those case they just leave their HTTPS preference turned off
(since the default is off anyway).

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] We need to talk about AbuseFilter on mobile

2013-08-20 Thread Jon Robson

MZ brings up a good point. Do we have any idea what the reject rate is
for Abusefilter on desktop?

Also is there any way to view the edits that triggered AbuseFilter to
get an idea bout  what % of them were actually vandalism?

On Mon, Aug 19, 2013 at 6:25 PM, MZMcBride z...@mzmcbride.com wrote:
 Jon Robson wrote:
Between 31st July 2013 (00:00:00) and August 19th (@ 18:53:18)...

15089 of all mobile edits resulted in an error compared to 23455
successful edits (38544 edits in total)- that's a 39% error rate which
is simply unacceptable. The breakdown of these errors is as follows.
The most alarming is AbuseFilter - it is accounting for 72% of all
editing errors, costing all of our projects a lot of edits.

[stats]

 These numbers don't mean a whole lot (to me, at least) without a
 comparison to stats for non-mobile edits. We knew when the AbuseFilter was
 introduced that it wasn't always going to be used to filter only abuse.
 People naturally use it for all kinds of crazy purposes these days.
 Without a bit more context, it's difficult to know what's actually a
 problem (in relative terms).

 MZMcBride



 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l



-- 
Jon Robson
http://jonrobson.me.uk
@rakugojon

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] We need to talk about AbuseFilter on mobile

2013-08-20 Thread Chris Steipp

If you can figure out what abuse rule was triggered, you can look at all
the hits on Special:AbuseLog. For example
'abusefilter-warning-all-categories-removed
668' is probably rule 132, so you can see that at
https://en.wikipedia.org/w/index.php?title=Special:AbuseLogwpSearchFilter=132



On Tue, Aug 20, 2013 at 10:39 AM, Jon Robson jdlrob...@gmail.com wrote:

 MZ brings up a good point. Do we have any idea what the reject rate is
 for Abusefilter on desktop?

 Also is there any way to view the edits that triggered AbuseFilter to
 get an idea bout  what % of them were actually vandalism?

 On Mon, Aug 19, 2013 at 6:25 PM, MZMcBride z...@mzmcbride.com wrote:
  Jon Robson wrote:
 Between 31st July 2013 (00:00:00) and August 19th (@ 18:53:18)...
 
 15089 of all mobile edits resulted in an error compared to 23455
 successful edits (38544 edits in total)- that's a 39% error rate which
 is simply unacceptable. The breakdown of these errors is as follows.
 The most alarming is AbuseFilter - it is accounting for 72% of all
 editing errors, costing all of our projects a lot of edits.
 
 [stats]
 
  These numbers don't mean a whole lot (to me, at least) without a
  comparison to stats for non-mobile edits. We knew when the AbuseFilter
 was
  introduced that it wasn't always going to be used to filter only abuse.
  People naturally use it for all kinds of crazy purposes these days.
  Without a bit more context, it's difficult to know what's actually a
  problem (in relative terms).
 
  MZMcBride
 
 
 
  ___
  Wikitech-l mailing list
  Wikitech-l@lists.wikimedia.org
  https://lists.wikimedia.org/mailman/listinfo/wikitech-l



 --
 Jon Robson
 http://jonrobson.me.uk
 @rakugojon

 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On 20 August 2013 13:12, Greg Grossmeier g...@wikimedia.org wrote:

 quote name=Tyler Romeo date=2013-08-20 time=10:50:23 -0400
  On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride z...@mzmcbride.com wrote:
 
   (And if the user preference isn't meant to serve those who can't use
   HTTPS, who is it intended to serve?)
  
 
  My point is that it doesn't matter what your user preference is. Whether
  it's false or true, you still have to log in over HTTPS. In other words,
  the user preference has no effect on your ability to use the site.

 One group of users that is always being forgotten in this discussion is
 the group who use Wikipedia over really crappy connections that aren't
 censoring them. These users will have a hard time using an SSL
 connection due to the added resources/round trips and have a legitimate
 non-China/NSA excuse to disable HTTPS after they login (where the added
 roundtrips are probably worthwhile to keep their username/password
 safe).


This is correct, but it is still not addressing the question of what
happens to users who are completely unable to use HTTPS, and whether or not
they will remain logged in if they try to reach another HTTPS-standard
project if they start off from Chinese/Farsi projects.

We have project-specific IPBE user-rights for users who are affected by
blocked IP addresses (which include but aren't limited to TOR nodes or
other blocked proxies).  Is it possible to create a similar user-right for
HTTPS not default for login for this users?

We are talking about a non-negligible number of high-activity users on
multiple projects being adversely affected here, including several stewards
(cross-project issues), administrators, and high-productivity editors.  It
is important to find a way that is certain to allow them to log in and to
move across multiple projects, and doing so should not be considered an
*enhancement*, it should be considered a required feature of the new
process.  (It may not be a blocker, but I'd hope to see this fixed before
the end of the month.)

Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

To clarify, the default value for this HTTPS option is false, meaning you
have to explicitly turn it on in order to force HTTPS. In other words, the
only functional change being made by this deployment is that *login* on
certain projects will be over HTTPS. So for those who do not have HTTPS,
they will have to log in through a project that does not have secure login
enabled. And once they do log in, they should be fine thereafter.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com


On Tue, Aug 20, 2013 at 1:54 PM, Risker risker...@gmail.com wrote:

 On 20 August 2013 13:12, Greg Grossmeier g...@wikimedia.org wrote:

  quote name=Tyler Romeo date=2013-08-20 time=10:50:23 -0400
   On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride z...@mzmcbride.com wrote:
  
(And if the user preference isn't meant to serve those who can't use
HTTPS, who is it intended to serve?)
   
  
   My point is that it doesn't matter what your user preference is.
 Whether
   it's false or true, you still have to log in over HTTPS. In other
 words,
   the user preference has no effect on your ability to use the site.
 
  One group of users that is always being forgotten in this discussion is
  the group who use Wikipedia over really crappy connections that aren't
  censoring them. These users will have a hard time using an SSL
  connection due to the added resources/round trips and have a legitimate
  non-China/NSA excuse to disable HTTPS after they login (where the added
  roundtrips are probably worthwhile to keep their username/password
  safe).


 This is correct, but it is still not addressing the question of what
 happens to users who are completely unable to use HTTPS, and whether or not
 they will remain logged in if they try to reach another HTTPS-standard
 project if they start off from Chinese/Farsi projects.

 We have project-specific IPBE user-rights for users who are affected by
 blocked IP addresses (which include but aren't limited to TOR nodes or
 other blocked proxies).  Is it possible to create a similar user-right for
 HTTPS not default for login for this users?

 We are talking about a non-negligible number of high-activity users on
 multiple projects being adversely affected here, including several stewards
 (cross-project issues), administrators, and high-productivity editors.  It
 is important to find a way that is certain to allow them to log in and to
 move across multiple projects, and doing so should not be considered an
 *enhancement*, it should be considered a required feature of the new
 process.  (It may not be a blocker, but I'd hope to see this fixed before
 the end of the month.)

 Risker
 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread James Alexander

On Tue, Aug 20, 2013 at 10:58 AM, Tyler Romeo tylerro...@gmail.com wrote:

 To clarify, the default value for this HTTPS option is false, meaning you
 have to explicitly turn it on in order to force HTTPS. In other words, the
 only functional change being made by this deployment is that *login* on
 certain projects will be over HTTPS. So for those who do not have HTTPS,
 they will have to log in through a project that does not have secure login
 enabled. And once they do log in, they should be fine thereafter.

 *-- *



Thanks Tyler,

For clarification purposes I'm putting my understanding of this below, if
you or someone else thinks what I'm saying is wrong please correct :):

* The 'force https' preference is an option that is, by default, turned off.
* However, for most wikis (not all), force https login is turned on.
* Because forced https login is turned on the 'default' for those people
will be to move from an https login to an https page because our normal
workflow is to always keep you on https if you are already on https (if you
are on page X, like a login page, in https then the next page X2 is also in
https).
* However, if you drop yourself down to http (for example just load the
page in http by dropping the s from the address bar and pressing enter) you
will not be forced back to https by default for the same reason (our normal
workflow) assuming that you have not turned on the https preference.
* If you login from an http (non secure) login page such as zhWiki or
faWiki you will be able to remain logged in while going to a non secure
wiki page (http://en.wikipedia.org ) and not be forced to https (unless you
selected that in your preference).


On a side note: I assume the preference is wiki based rather then global?

James

James Alexander
Legal and Community Advocacy
Wikimedia Foundation
(415) 839-6885 x6716 @jamesofur
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Chad

On Tue, Aug 20, 2013 at 11:07 AM, James Alexander
jalexan...@wikimedia.orgwrote:

 * The 'force https' preference is an option that is, by default, turned
 off.


It is turned on by default when $wgSecureLogin is enabled.



 * However, for most wikis (not all), force https login is turned on.


That will be the case come tomorrow, yes.


 * Because forced https login is turned on the 'default' for those people
 will be to move from an https login to an https page because our normal
 workflow is to always keep you on https if you are already on https (if you
 are on page X, like a login page, in https then the next page X2 is also in
 https).


Yes, this is correct.


 * However, if you drop yourself down to http (for example just load the
 page in http by dropping the s from the address bar and pressing enter) you
 will not be forced back to https by default for the same reason (our normal
 workflow) assuming that you have not turned on the https preference.


No, it will put you back on HTTPS as that was the default. You
have to turn the preference off.


 * If you login from an http (non secure) login page such as zhWiki or
 faWiki you will be able to remain logged in while going to a non secure
 wiki page (http://en.wikipedia.org ) and not be forced to https (unless
 you
 selected that in your preference).


Preferences are local, so unless the local preference has been
set to false, you would end up on HTTPS.



 On a side note: I assume the preference is wiki based rather then global?


Correct.

I'm beginning to think there's a disconnect between what we coded
and what people expect. The preference is *on* by default which I
think is what's going to cause problems. We can change defaults
before tomorrow so I think we should all be clear.

-Chad
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Tue, Aug 20, 2013 at 2:31 PM, Chad innocentkil...@gmail.com wrote:

 I'm beginning to think there's a disconnect between what we coded
 and what people expect. The preference is *on* by default which I
 think is what's going to cause problems. We can change defaults
 before tomorrow so I think we should all be clear.


Oh I was not aware of this. I just knew that in MW core itself the default
is off. Didn't realize WMF changed it.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Chad

On Tue, Aug 20, 2013 at 11:36 AM, Tyler Romeo tylerro...@gmail.com wrote:

 On Tue, Aug 20, 2013 at 2:31 PM, Chad innocentkil...@gmail.com wrote:

  I'm beginning to think there's a disconnect between what we coded
  and what people expect. The preference is *on* by default which I
  think is what's going to cause problems. We can change defaults
  before tomorrow so I think we should all be clear.
 

 Oh I was not aware of this. I just knew that in MW core itself the default
 is off. Didn't realize WMF changed it.


Did you read the patch? If $wgSecureLogin is true, prefershttps is
also true. This is core.

-Chad
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Tue, Aug 20, 2013 at 2:38 PM, Chad innocentkil...@gmail.com wrote:

 Did you read the patch? If $wgSecureLogin is true, prefershttps is
 also true. This is core.


Oh, I didn't see that Demon had added that in. My bad.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread James Alexander

On Tue, Aug 20, 2013 at 11:31 AM, Chad innocentkil...@gmail.com wrote:

  * If you login from an http (non secure) login page such as zhWiki or
  faWiki you will be able to remain logged in while going to a non secure
  wiki page (http://en.wikipedia.org ) and not be forced to https (unless
  you
  selected that in your preference).
 
 
 Preferences are local, so unless the local preference has been
 set to false, you would end up on HTTPS.


 
  On a side note: I assume the preference is wiki based rather then global?
 
 
 Correct.

 I'm beginning to think there's a disconnect between what we coded
 and what people expect. The preference is *on* by default which I
 think is what's going to cause problems. We can change defaults
 before tomorrow so I think we should all be clear.

 -Chad
 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l


Thanks Chad, that's a lot of help.

Yeah, this seems to contradict what I thought Ryan was saying above and
what I was under the impression for. The bad use case for here (as describe
by Risker for example) is a mainland china user from zhWiki logging in
(through http) but now not being able to visit enWiki logged in at all
(because it will force them to https and https is blocked).

I know Ryan used the term 'home wiki' some up in his emails. My
interpretation when reading the thread was that it actually meant the wiki
you were logging into (which I think is fine) and not the 'home' wiki that
is marked in the CentralAuth interface (though I can't figure out where
that's actually marked in the database...). If we are using that
'CentralAuth' definition we're going to have a lot of false negatives, a
significant amount of people are marked off as their home being enWiki or
somewhere else because it was the first place they created an account.
We've never really used 'home wiki' to mean anything other then first
account.

James

James Alexander
Legal and Community Advocacy
Wikimedia Foundation
(415) 839-6885 x6716 @jamesofur
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st



On Aug 20, 2013, at 12:03 PM, James Alexander jalexan...@wikimedia.org wrote:

 Yeah, this seems to contradict what I thought Ryan was saying above and
 what I was under the impression for. The bad use case for here (as describe
 by Risker for example) is a mainland china user from zhWiki logging in
 (through http) but now not being able to visit enWiki logged in at all
 (because it will force them to https and https is blocked).


Posed for sake of argument, assuming this interpretation is correct:


This is unacceptable and a blocking bug to this rollout.

The suggested just find an excepted project and log in there first is neither 
easy nor self-evident enough to be effective for those users.  The silent 
failure mode they will encounter will effectively be a silent site outage for 
them.

The change must be delayed until people geographically / nationally denied 
HTTPS can log in again.


Sent from Kangphone
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

The vast majority of people we serve with Wikipedia and friends don't have
accounts and don't log in, and won't be affected in any way by this change.

IMO it's simply unacceptable to leak authentication tokens or account
passwords in cleartext; allowing any form of login over HTTP is dinosaur
behavior and we'd be crazy to let it continue, whether for some sites
only or all. We should require HTTPS for all logins on all sites in all
languages all the time.


Note that there are plenty of projects producing and maintaining
block-circumvention tools, which is what folks who are running afoul of
government censorship should be looking into if they need to log into a
blocked site, or read blocked pages.

It's a bit out of scope for Wikimedia to fix China's internet, though it'd
be nice if we gave some recommendations on tools. Or would that just get us
more blocked?

-- brion


On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert 
george.herb...@gmail.com wrote:



 On Aug 20, 2013, at 12:03 PM, James Alexander jalexan...@wikimedia.org
 wrote:

  Yeah, this seems to contradict what I thought Ryan was saying above and
  what I was under the impression for. The bad use case for here (as
 describe
  by Risker for example) is a mainland china user from zhWiki logging in
  (through http) but now not being able to visit enWiki logged in at all
  (because it will force them to https and https is blocked).


 Posed for sake of argument, assuming this interpretation is correct:


 This is unacceptable and a blocking bug to this rollout.

 The suggested just find an excepted project and log in there first is
 neither easy nor self-evident enough to be effective for those users.  The
 silent failure mode they will encounter will effectively be a silent site
 outage for them.

 The change must be delayed until people geographically / nationally denied
 HTTPS can log in again.


 Sent from Kangphone
 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

 Okay, so I think there's a fair deal of confusion in a lot of minds as to
how this all is going to work.  So let's take a fairly simple and common
use case, and work out how we're going to keep these users editing.

The use case I suggest we work out is English Wikipedia editor who lives
in China and wants to edit English Wikipedia using his logged-in account.

So:

   - Can this user log in on English Wikipedia? (based on this discussion,
   no)
   - Can this user log in on an HTTPS-exempt Wikipedia (based on this
   discussion, any Chinese or Farsi project, yes)
  - How will they know that they have to go there?
  - When they try to go from Chinese Wikipedia to English Wikipedia,
   what happens?
  - Do they get an HTTP page, or an HTTPS one? (the latter of which is
  not accessible)
  - Do they remain logged in as HTTP? or do they get logged out because
  the enwp page is HTTPS by default?
   - If they manage to get as far as English Wikipedia, they can change
   their user preference to HTTP once that is enabled. Will that also allow
   them to log in under HTTP so they don't have to go to another project?

Now, I can personally think of a dozen editors to whom this *specific* user
case applies, and I know at least another dozen to whom similar user cases
apply in relation to other projects - and I really don't know that many
people.

I get the importance and value of this action plan.  At the same time,
there is no benefit to the movement to de facto block existing contributors
or ghettoize new ones. Essentially banning Iranian Wikimedians from editing
anything but Farsi projects is contrary to the core principles of the
Wikimedia movement; deliberately creating a situation where editors need to
break the law of their land to participate on Commons or Meta is a
significant problem.  It's bad enough when that is caused by external
forces outside of WMF control; it's disturbing when it is being caused by
WMF itself.


Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Key community metrics to influence our plans

quote name=Bartosz Dziewoński date=2013-08-20 time=12:16:09 +0200
 On Tue, 20 Aug 2013 00:48:09 +0200, Rob Lanphier ro...@wikimedia.org wrote:
 
 
 I'm personally interested in the absolute size of the Gerrit change
 request queue, not in relation to anything else, but just as an
 absolute number (over time).  When this number gets large, we should
 all probably be interested in the following:
 *  Breakdown by age of changeset.
 *  Breakdown by project family (e.g. MediaWiki core, Wikimedia
 deployed extensions, all MediaWiki extensions hosted in Gerrit).
 
 This already exists, by the way. 
 https://www.mediawiki.org/wiki/Gerrit/Navigation#Reports

Neat.

Feature request: Make a nice graph of the data that shows those numbers
over time (per day I suppose?). I hear we have some analytics software
we can use... ;)

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |


signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st



On Aug 20, 2013, at 12:57 PM, Brion Vibber bvib...@wikimedia.org wrote:

 IMO it's simply unacceptable to leak authentication tokens or account
 passwords in cleartext; allowing any form of login over HTTP is dinosaur
 behavior and we'd be crazy to let it continue, whether for some sites
 only or all. We should require HTTPS for all logins on all sites in all
 languages all the time.


This is a defensible position.

That is not my point.

It appears that the ops team is about to kick anyone who is unfortunate enough 
to live in the wrong countries off the projects, without a clue what happened 
or obvious fallback they will realize.  Without publicity or explanation or a 
HTTP landing pad that explains.

This magnitude of change is political, not purely technical/operational.  And 
demands both notification and a fallback that users will be reasonably able to 
grasp.

Again, this is still a little fuzzy as to the impact.  But it seems like we 
dump China users of en.wp without warning or immediately obvious workaround.  
And if that's right, the ops team should not do this.  It needs wider warnings 
and discussion, and is not an ops decision to make.


Sent from Kangphone


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

Wikipedia was blocked ENTIRELY in China for years; people interested in
*reading* as well as contributing used circumvention tools (VPNs etc) to
more securely access the site, and just got generic errors if they didn't.

This is an acceptable trade-off which we've allowed the Chinese government
to make for us before, and here we're talking about a much smaller effect
(on contributors only).

Again, it's not our business to fix China. China has to fix China.

-- brion



On Tue, Aug 20, 2013 at 1:15 PM, George William Herbert 
george.herb...@gmail.com wrote:



 On Aug 20, 2013, at 12:57 PM, Brion Vibber bvib...@wikimedia.org wrote:

  IMO it's simply unacceptable to leak authentication tokens or account
  passwords in cleartext; allowing any form of login over HTTP is dinosaur
  behavior and we'd be crazy to let it continue, whether for some sites
  only or all. We should require HTTPS for all logins on all sites in all
  languages all the time.


 This is a defensible position.

 That is not my point.

 It appears that the ops team is about to kick anyone who is unfortunate
 enough to live in the wrong countries off the projects, without a clue what
 happened or obvious fallback they will realize.  Without publicity or
 explanation or a HTTP landing pad that explains.

 This magnitude of change is political, not purely technical/operational.
  And demands both notification and a fallback that users will be reasonably
 able to grasp.

 Again, this is still a little fuzzy as to the impact.  But it seems like
 we dump China users of en.wp without warning or immediately obvious
 workaround.  And if that's right, the ops team should not do this.  It
 needs wider warnings and discussion, and is not an ops decision to make.


 Sent from Kangphone


 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st


+foundation-l

On Aug 20, 2013, at 1:20 PM, Brion Vibber bvib...@wikimedia.org wrote:

 This is an acceptable trade-off which we've allowed the Chinese government
 to make for us before, and here we're talking about a much smaller effect
 (on contributors only).
 
 Again, it's not our business to fix China. China has to fix China.


None of which changes that this is not properly an ops team decision, 
particularly without notification, warning, workaround explained to people.

If the explanation as to the effects on users in those locales is correct, I 
would like the Ops team to voluntarily stand back and notify and allow some 
wider discussion and explanation of the workaround.

If Ops won't do that, then I would like to request that the WMF executive 
intervene and direct ops to pause and allow wider notification and discussion 
and explanation of the workaround.

If the WMF executive is not willing I would like to request that the Board 
review the situation promptly and direct a pause per above.

The outcome is not wrong.  THIS IS THE WRONG WAY TO DO IT, without warning and 
explanation to the community.


Sent from Kangphone
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

We have just released Commons for iOS (version 1.0.8) and Android
(1.0beta11), with *major* UI and performance improvements on iOS and minor
bug fixes on Android.

This is our first release in a couple months on iOS -- we hoped to have one
out before Wikimania but were delayed due to problems with Apple's online
developer tools being offline for a while. There are huge UI improvements
and lots of bug fixes, thanks to our new mobile developer Monte Hurd.
Thanks Monte!

We've been releasing smaller updates on Android in the meantime, so the
updates have been more incremental there.

Both versions now include a quick 3-screen acceptable-use tutorial on first
login. iOS includes featured photos as examples as well; this will come to
Android in a future version.

Downloads and release notes:
* Apple App Store:
https://itunes.apple.com/us/app/wikimedia-commons/id630901780
* Google Play:
https://play.google.com/store/apps/details?id=org.wikimedia.commons
* Android direct download:
http://download.wikimedia.org/android/wikimedia-commons-1.0beta11.apk

-- brion vibber (brion @ pobox.com / bvibber @ wikimedia.org)
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

On 20 August 2013 16:57, Brion Vibber bvib...@wikimedia.org wrote:

 We have just released Commons for iOS (version 1.0.8) and Android
 (1.0beta11), with *major* UI and performance improvements on iOS and minor
 bug fixes on Android.

 This is our first release in a couple months on iOS -- we hoped to have one
 out before Wikimania but were delayed due to problems with Apple's online
 developer tools being offline for a while. There are huge UI improvements
 and lots of bug fixes, thanks to our new mobile developer Monte Hurd.
 Thanks Monte!

 We've been releasing smaller updates on Android in the meantime, so the
 updates have been more incremental there.

 Both versions now include a quick 3-screen acceptable-use tutorial on first
 login. iOS includes featured photos as examples as well; this will come to
 Android in a future version.


Thanks to Monte and Brion for the work on this.  I recently attended an
edit-a-thon at the Royal Ontario Museum, and pointed the attendees (and
ROM staff/interns) to this app - they were extremely enthusiastic, and I
have a feeling we've already seen some images from them.

Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

2013-08-20 Thread Rodrigo Padula

Hello guys,

Are you thinking to develop apps for FirefoxOS too?




2013/8/20 Risker risker...@gmail.com

 On 20 August 2013 16:57, Brion Vibber bvib...@wikimedia.org wrote:

  We have just released Commons for iOS (version 1.0.8) and Android
  (1.0beta11), with *major* UI and performance improvements on iOS and
 minor
  bug fixes on Android.
 
  This is our first release in a couple months on iOS -- we hoped to have
 one
  out before Wikimania but were delayed due to problems with Apple's online
  developer tools being offline for a while. There are huge UI improvements
  and lots of bug fixes, thanks to our new mobile developer Monte Hurd.
  Thanks Monte!
 
  We've been releasing smaller updates on Android in the meantime, so the
  updates have been more incremental there.
 
  Both versions now include a quick 3-screen acceptable-use tutorial on
 first
  login. iOS includes featured photos as examples as well; this will come
 to
  Android in a future version.
 
 
 Thanks to Monte and Brion for the work on this.  I recently attended an
 edit-a-thon at the Royal Ontario Museum, and pointed the attendees (and
 ROM staff/interns) to this app - they were extremely enthusiastic, and I
 have a feeling we've already seen some images from them.

 Risker
 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l




-- 
*Rodrigo Padula
Education Program Coordinator - Brazil
**Consultant for the Brazilian Catalyst Program at Wikimedia Foundation**
*
*+55 21 9326 0558
Blog: http://www.rodrigopadula.com
Twitter: @rodrigopadula*
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] HTTPS central notice - translation needed?

2013-08-20 Thread Paul Selitskas

Usually central notice banners link to an announcement that can be
viewed in many languages.

The HTTPS banner that is being displayed at the moment links to a
rough page[0] that has only English version. Could anyone craft an
announcement suitable for translation?


[0] https://meta.wikimedia.org/wiki/HTTPS

-- 
З павагай,
Павел Селіцкас/Pavel Selitskas
Wizardist @ Wikimedia projects

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

Brion Vibber wrote:
Wikipedia was blocked ENTIRELY in China for years; people interested in
*reading* as well as contributing used circumvention tools (VPNs etc) to
more securely access the site, and just got generic errors if they didn't.

This is an acceptable trade-off which we've allowed the Chinese government
to make for us before, and here we're talking about a much smaller effect
(on contributors only).

Again, it's not our business to fix China. China has to fix China.

I completely agree with China fixing China.

But I think the Wikimedia community has to decide whether this trade-off
is acceptable. I'm not sure it's a decision that sysadmins and developers
can make alone.

From my understanding, zh.wikipedia.org is currently available via HTTP in
China, but not HTTPS. If we change all sites to require HTTPS for
logged-in users, we'll certainly increase site security and enhance the
user experience for most users, but is that worth losing every
zh.wikipedia.org contributor who lives in China? Or do we expect anyone
blocked from HTTPS to simply edit without an account?

I think the concern here is that some projects may be decimated (in terms
of number of contributors) if HTTPS is forced for all users.

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Bartosz Dziewoński


On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride z...@mzmcbride.com wrote:


If we change all sites to require HTTPS for
logged-in users, we'll certainly increase site security and enhance the
user experience for most users, but is that worth losing every
zh.wikipedia.org contributor who lives in China? Or do we expect anyone
blocked from HTTPS to simply edit without an account?
I think the concern here is that some projects may be decimated (in terms
of number of contributors) if HTTPS is forced for all users.


I think that zh and fa wikis are exempt. The concernseems to be about 
contributors from affected countries editing other wikis, such as Commons or Wikidata.


--
Matma Rex

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

On Tue, Aug 20, 2013 at 2:05 PM, Rodrigo Padula rodrigopad...@wikimedia.org
 wrote:

 Hello guys,

 Are you thinking to develop apps for FirefoxOS too?


Currently we're not planning a version of the Commons uploader app. Photo
uploading works in Firefox via the mobile web site, though it's not quite
as flexible -- eg you can't edit your photo descriptions while offline and
then upload a bunch online... yet. :)

There's less need for a separate app on Firefox OS, as the regular web
browser actually can interact with other apps on the system (eg to launch
another app, or fetch a photo from the library, etc). So in the future,
we'll probably have more 'progressive enhancement' with additional
uploading  media features in supporting browsers, and that'll get rolled
into our app entry in the Firefox Marketplace replacing the current
Wikipedia reader app.

(The Commons uploader apps may or may not eventually roll into the main
Wikipedia app on iOS and Android too, we haven't decided for sure yet.)

-- brion





 2013/8/20 Risker risker...@gmail.com

  On 20 August 2013 16:57, Brion Vibber bvib...@wikimedia.org wrote:
 
   We have just released Commons for iOS (version 1.0.8) and Android
   (1.0beta11), with *major* UI and performance improvements on iOS and
  minor
   bug fixes on Android.
  
   This is our first release in a couple months on iOS -- we hoped to have
  one
   out before Wikimania but were delayed due to problems with Apple's
 online
   developer tools being offline for a while. There are huge UI
 improvements
   and lots of bug fixes, thanks to our new mobile developer Monte Hurd.
   Thanks Monte!
  
   We've been releasing smaller updates on Android in the meantime, so the
   updates have been more incremental there.
  
   Both versions now include a quick 3-screen acceptable-use tutorial on
  first
   login. iOS includes featured photos as examples as well; this will come
  to
   Android in a future version.
  
  
  Thanks to Monte and Brion for the work on this.  I recently attended an
  edit-a-thon at the Royal Ontario Museum, and pointed the attendees (and
  ROM staff/interns) to this app - they were extremely enthusiastic, and I
  have a feeling we've already seen some images from them.
 
  Risker
  ___
  Wikitech-l mailing list
  Wikitech-l@lists.wikimedia.org
  https://lists.wikimedia.org/mailman/listinfo/wikitech-l
 



 --
 *Rodrigo Padula
 Education Program Coordinator - Brazil
 **Consultant for the Brazilian Catalyst Program at Wikimedia Foundation**
 *
 *+55 21 9326 0558
 Blog: http://www.rodrigopadula.com
 Twitter: @rodrigopadula*
 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

2013-08-20 Thread Strainu

2013/8/21 Brion Vibber bvib...@wikimedia.org:
 (The Commons uploader apps may or may not eventually roll into the main
 Wikipedia app on iOS and Android too, we haven't decided for sure yet.)

That sound weird (read: divergent from all the stuff we read in the
WMF plans and reports). Shouldn't the ultimate development goal for
mobile be total feature parity with desktop? Otherwise how is wiki*
supposed to tap into global south (I hate this buzzword!) editor
resources? Aren't all the pundits claiming that desktop is dead and in
the future we're all gonna browse the internet on small (5-10) or
huge (40+) screens?

Strainu

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Derk-Jan Hartman


On 20 aug. 2013, at 23:21, Bartosz Dziewoński matma@gmail.com wrote:

 On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride z...@mzmcbride.com wrote:
 
 If we change all sites to require HTTPS for
 logged-in users, we'll certainly increase site security and enhance the
 user experience for most users, but is that worth losing every
 zh.wikipedia.org contributor who lives in China? Or do we expect anyone
 blocked from HTTPS to simply edit without an account?
 I think the concern here is that some projects may be decimated (in terms
 of number of contributors) if HTTPS is forced for all users.
 
 I think that zh and fa wikis are exempt. The concernseems to be about 
 contributors from affected countries editing other wikis, such as Commons or 
 Wikidata.

Can I just say that IF there is still this much discussion and confusion going 
on even at the level of the developers, that I feel really uncomfortable with 
this being deployed in the next 24hours.

This all just feels way too rough. And it smells like this is gonna create yet 
another deploy shitstorm within the communities. I wouldn't like to be in the 
shoes of the liaisons and ambassadors tomorrow

DJ
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] [Commons-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

2013-08-20 Thread Fabrice Florin

Hey Brion,

Very cool!

I just downloaded Commons for iOS and uploaded a photo in minutes … it went 
smooth as silk :)

Thanks for you fine work, which should enable many more folks to contribute 
multimedia content on the go.

Cheers,


Fabrice


On Aug 20, 2013, at 1:57 PM, Brion Vibber wrote:

 We have just released Commons for iOS (version 1.0.8) and Android 
 (1.0beta11), with *major* UI and performance improvements on iOS and minor 
 bug fixes on Android.
 
 This is our first release in a couple months on iOS -- we hoped to have one 
 out before Wikimania but were delayed due to problems with Apple's online 
 developer tools being offline for a while. There are huge UI improvements and 
 lots of bug fixes, thanks to our new mobile developer Monte Hurd. Thanks 
 Monte!
 
 We've been releasing smaller updates on Android in the meantime, so the 
 updates have been more incremental there.
 
 Both versions now include a quick 3-screen acceptable-use tutorial on first 
 login. iOS includes featured photos as examples as well; this will come to 
 Android in a future version.
 
 Downloads and release notes:
 * Apple App Store: 
 https://itunes.apple.com/us/app/wikimedia-commons/id630901780
 * Google Play: 
 https://play.google.com/store/apps/details?id=org.wikimedia.commons
 * Android direct download: 
 http://download.wikimedia.org/android/wikimedia-commons-1.0beta11.apk
 
 -- brion vibber (brion @ pobox.com / bvibber @ wikimedia.org)
 ___
 Commons-l mailing list
 common...@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/commons-l

___

Fabrice Florin
Product Manager
Wikimedia Foundation

http://en.wikipedia.org/wiki/User:Fabrice_Florin_(WMF)



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

The lack of secure login on WMF wikis is a *major security issue*, and
AFAIK is the biggest publicly known security issue in the site. All you
need is some random checkuser to be using Wikipedia at a Starbucks, and all
of a sudden the privacy policy of every single registered user is violated.
There's big talk all around about evading the NSA and attempting to
protect the privacy of our users, but it is literally impossible to protect
users' privacy if we can't even protect their security in the first place.
To re-iterate, privacy depends on security, and right now we have neither
of them.

Furthermore, secure login is not a new idea. I've been fighting to get this
feature enabled since October 2012 when the secure login functionality in
MW core was finally fixed. Since then, HTTPS login has been deployed
*twice*, but reverted once due to a bug with CentralAuth and once due the
design team concerned about the login form. This will be the third attempt
at deploying this in the past six months, so I don't know why this
discussion had to start right now.

In the end, what we're doing is allowing the Chinese government to
manipulate the WMF into degrading the security of its entire userbase, and
I don't think that's acceptable. There are 100 times as many active users
on enwiki than there are zhwiki, and that's assuming *all* active users on
zhwiki also edit enwiki, which is probably not true.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com


On Tue, Aug 20, 2013 at 6:10 PM, Derk-Jan Hartman 
d.j.hartman+wmf...@gmail.com wrote:


 On 20 aug. 2013, at 23:21, Bartosz Dziewoński matma@gmail.com wrote:

  On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride z...@mzmcbride.com wrote:
 
  If we change all sites to require HTTPS for
  logged-in users, we'll certainly increase site security and enhance the
  user experience for most users, but is that worth losing every
  zh.wikipedia.org contributor who lives in China? Or do we expect anyone
  blocked from HTTPS to simply edit without an account?
  I think the concern here is that some projects may be decimated (in
 terms
  of number of contributors) if HTTPS is forced for all users.
 
  I think that zh and fa wikis are exempt. The concernseems to be about
 contributors from affected countries editing other wikis, such as Commons
 or Wikidata.

 Can I just say that IF there is still this much discussion and confusion
 going on even at the level of the developers, that I feel really
 uncomfortable with this being deployed in the next 24hours.

 This all just feels way too rough. And it smells like this is gonna create
 yet another deploy shitstorm within the communities. I wouldn't like to be
 in the shoes of the liaisons and ambassadors tomorrow

 DJ
 ___
 Wikitech-l mailing list
 Wikitech-l@lists.wikimedia.org
 https://lists.wikimedia.org/mailman/listinfo/wikitech-l

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread George Herbert

On Tue, Aug 20, 2013 at 3:57 PM, Tyler Romeo tylerro...@gmail.com wrote:


 The lack of secure login on WMF wikis is a *major security issue*, and
 AFAIK is the biggest publicly known security issue in the site.



Time out...

We do not have a lack of secure login.  That was solved a long time ago
(many years).  I've been using it since about when it was made available
first (secure. ...).

This is going from secure is default and available to you cannot access
other than secure, unless you know a non-secure exempted wiki you can log
in to first.

The people with a firewall (national, corporate, whatever) that
blocks HTTPS deserve some warning that something bad is going to happen to
them, and that they can mititate that using (X),  before it hits.

Again - it is entirely reasonable to shift the stance towards all secure.
This will affect some people (I don't know how many).  They have not been
warned and the workaround is not intuitive.

It's not a normal or reasonable to affect some number of users like that
with no warning.


This will be the third attempt at deploying this in the past six months, so
 I don't know why this discussion had to start right now.


It was not clear to me that this would have that wide an effect, or I for
one would have been saying something months ago.  I said exactly how
significant I feel it is immediately upon my understanding what the effects
will be.

I understand your frustration, but again, the impact on those users is (to
me) a blocker bug.  It being discovered and made visible this close to
deploy time is unfortunate.  We should (later) have a conversation about
feature descriptions and notifications on the tech list so that discoveries
like this aren't last minute.

That does not affect that it should be a blocker bug.  Those affected
people deserve notification and information on the workarounds.

That does not mean don't roll this out but don't roll it out until it's
adequately publicized long enough that nobody is surprised and unable to
find the workaround.  A week or two weeks of adequate notice should be
fine.


-george
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Tilman Bayer

On Tue, Aug 20, 2013 at 3:57 PM, Tyler Romeo tylerro...@gmail.com wrote:
The lack of secure login on WMF wikis is a *major security issue*, and
AFAIK is the biggest publicly known security issue in the site.

Indeed. For a Signpost article three years ago, I asked a security
researcher (who had co-authored a comparative study of user password
handling on 150 websites) about his recommendations for Wikipedia.
Making encrypted transmission of the password the default was his
foremost advice:
https://en.wikipedia.org/wiki/Wikipedia:Wikipedia_Signpost/2010-08-02/Technology_report#Study_of_web_passwords_includes_Wikipedia

It's excellent news that this issue is finally being resolved, even
when there are exceptions and corner cases that need to be addressed.

All you
need is some random checkuser to be using Wikipedia at a Starbucks, and all
of a sudden the privacy policy of every single registered user is violated.
There's big talk all around about evading the NSA and attempting to
protect the privacy of our users, but it is literally impossible to protect
users' privacy if we can't even protect their security in the first place.
To re-iterate, privacy depends on security, and right now we have neither
of them.

Furthermore, secure login is not a new idea. I've been fighting to get this
feature enabled since October 2012 when the secure login functionality in
MW core was finally fixed. Since then, HTTPS login has been deployed
*twice*, but reverted once due to a bug with CentralAuth and once due the
design team concerned about the login form. This will be the third attempt
at deploying this in the past six months, so I don't know why this
discussion had to start right now.

--
Tilman Bayer
Senior Operations Analyst (Movement Communications)
Wikimedia Foundation
IRC (Freenode): HaeB

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] CentralNotice Security Patch on Tin

2013-08-20 Thread Matthew Walker

Hey all,

Chris Steipp found a bug in CentralNotice yesterday and I've applied a
modified version of his patch. He has asked me not to commit it to gerrit
until Friday's security release.

I've applied that patch to wmf12 and wmf13.

Please do not git submodule update the CentralNotice extension!

In the event that the patch is causing issues; the patch file is:
tin:/home/mwalker/CentralNotice-bug53032.patch

~Matt Walker
Wikimedia Foundation
Fundraising Technology Team
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Erik Moeller

On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert
george.herb...@gmail.com wrote:

 The change must be delayed until people geographically / nationally denied 
 HTTPS can log in again.

Tim's working on a patch that should make this possible:
https://gerrit.wikimedia.org/r/#/c/80166/

The plan of record right now is to not make the switch til we have
that merged  tested. We may still be able to make the launch window
tomorrow - RobLa will make the final call on that.

Ideally I'd like to see the language-based blacklisting removed if the
GeoIP-based solution works.

In general, though, I'd prefer for WMF to move away from what could be
characterized as appeasement and towards actively resisting censorship
and monitoring. So I'd argue in favor of a deadline for this approach,
and alignment of resources and alliances to take active measures
against censorship and monitoring.

Erik
-- 
Erik Möller
VP of Engineering and Product Development, Wikimedia Foundation

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread George Herbert

On Tue, Aug 20, 2013 at 7:22 PM, Erik Moeller e...@wikimedia.org wrote:

 On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert
 george.herb...@gmail.com wrote:

  The change must be delayed until people geographically / nationally
 denied HTTPS can log in again.

 Tim's working on a patch that should make this possible:
 https://gerrit.wikimedia.org/r/#/c/80166/

 The plan of record right now is to not make the switch til we have
 that merged  tested. We may still be able to make the launch window
 tomorrow - RobLa will make the final call on that.

 Ideally I'd like to see the language-based blacklisting removed if the
 GeoIP-based solution works.


Excellent.  Thank you.



 In general, though, I'd prefer for WMF to move away from what could be
 characterized as appeasement and towards actively resisting censorship
 and monitoring. So I'd argue in favor of a deadline for this approach,
 and alignment of resources and alliances to take active measures
 against censorship and monitoring.


Yes; in the medium term (past the next few days / week) the direction here
is clearly good from a user privacy / censorship and monitoring point of
view.


-- 
-george william herbert
george.herb...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On 20 August 2013 22:22, Erik Moeller e...@wikimedia.org wrote:

 On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert
 george.herb...@gmail.com wrote:

  The change must be delayed until people geographically / nationally
 denied HTTPS can log in again.

 Tim's working on a patch that should make this possible:
 https://gerrit.wikimedia.org/r/#/c/80166/

 The plan of record right now is to not make the switch til we have
 that merged  tested. We may still be able to make the launch window
 tomorrow - RobLa will make the final call on that.


Very good, this is the step that needed to be taken so that users who are
unable to use HTTPS can still contribute to our knowledge base - which is
the primary focus of the WMF.



 Ideally I'd like to see the language-based blacklisting removed if the
 GeoIP-based solution works.

 In general, though, I'd prefer for WMF to move away from what could be
 characterized as appeasement and towards actively resisting censorship
 and monitoring. So I'd argue in favor of a deadline for this approach,
 and alignment of resources and alliances to take active measures
 against censorship and monitoring.


Perhaps then you might want to re-familiarize yourself with the WMF's
policy on political advocacy, particularly the section on Promotional use
of website assets and Movement Partnerships (although the latter is a
bit of a stretch).[1] I think that would best describe the proposal here,
to politicize the manner in which *registered contributors* are able to
contribute to the vast array of WMF projects.  I do understand why this is
important to a lot of people, and I do get that logging in under HTTPS is
more secure than logging in under HTTP. But at the same time, the WMF's
primary mission is to empower and engage people around the world to
collect and develop educational content.[2]  Wikimedia's values include
encouraging the development of free-content educational resources that may
be created, used, and reused by the entire human community. We believe that
this mission requires thriving open formats and open standards on the web
to allow the creation of content not subject to restrictions on creation,
use, and reuse. [3]

Note now none of them say the WMF technical team can unilaterally take
actions that may affect the ability of users to register an account or for
registered contributors to participate in the WMF's primary mission.  For
that, you need to actively persuade the community in general that this is
necessary, and possibly even the Board of Trustees.


Risker

[1]
https://meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Foundation_Policy_and_Political_Association_Guideline#Promotional_Use_of_Website_Assets
[2] https://wikimediafoundation.org/wiki/Mission
[3] https://wikimediafoundation.org/wiki/Values
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

Erik Moeller wrote:
In general, though, I'd prefer for WMF to move away from what could be
characterized as appeasement and towards actively resisting censorship
and monitoring.

I agree with you and I imagine most developers would agree with you. But
the question remains: do most Wikimedians?

I think for most Wikimedians, but particularly for Wikimedians in areas
where HTTPS access is restricted, I think there's a general view that
having insecure access over HTTP trumps requiring HTTPS and cutting off
access altogether. While we hope that this situation is inapplicable to
most users, we have to recognize that it's applicable to some percent of
our users. It'd be good to get numbers about how many users we're talking
about and try to better understand what the Wikimedia community thinks is
the best path forward, given the various constraints and consequences.

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Ryan Lane

On Tue, Aug 20, 2013 at 8:04 PM, MZMcBride z...@mzmcbride.com wrote:

 Erik Moeller wrote:
 In general, though, I'd prefer for WMF to move away from what could be
 characterized as appeasement and towards actively resisting censorship
 and monitoring.

 I agree with you and I imagine most developers would agree with you. But
 the question remains: do most Wikimedians?

 I think for most Wikimedians, but particularly for Wikimedians in areas
 where HTTPS access is restricted, I think there's a general view that
 having insecure access over HTTP trumps requiring HTTPS and cutting off
 access altogether. While we hope that this situation is inapplicable to
 most users, we have to recognize that it's applicable to some percent of
 our users. It'd be good to get numbers about how many users we're talking
 about and try to better understand what the Wikimedia community thinks is
 the best path forward, given the various constraints and consequences.


There's not a lot of great options for us to actively bypass censorship
methods and anything we do will likely result in us being completely
blocked by doing it.

Maybe what we're doing is appeasement, but realistically we have no
political power against China. The editors from mainland China had a
discussion with some of us at Wikimania and they said that Wikipedia is
basically unknown in China because Baidupedia is what shows up in the
search results and Wikipedia does not. They actually spend a great deal of
time trying to make Wikipedia known to readers in hopes of strengthening
the editing community. If we were fully blocked again in China, it wouldn't
cause any political fuss.

- Ryan
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Marc A. Pelletier

On 08/20/2013 11:05 PM, Risker wrote:
 Perhaps then you might want to re-familiarize yourself with the WMF's
 policy on political advocacy

I'm sorry Risker, but you've got this backwards.  Making a long-overdue
/minimal/ fix to our login process is not political advocacy.
Compromising the security and privacy of our editors for the sake of a
government's censorship policies, *is*.

The very idea that editors with checkuser or oversight might even be
*able* to login in cleartext over an Internet we *know* is monitored by
entities that are demonstrably hostile to privacy is worrying enough on
its own without introducing additional flaws in the process.

I don't even agree that an exception should be made to allow cleartext
logins from regions which are even *more* hostile to privacy than the
United States; and I would have advocated that no account with bits
should be allowed to do so regardless of location.

Nevertheless, engineering has been bending over backwards to accommodate
as many editors with crippled Internet access as is possible; inventing
bogeymen and quoting misapplied bits of policy around (promotional
use? Really?) is an extraordinary show of bad faith.

-- Marc


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] OAuth

2013-08-20 Thread Chris Steipp

As mentioned earlier this week, we deployed an initial version of the OAuth
extension to the test wikis yesterday. I wanted to follow up with a few
more details about the extension that we deployed (although if you're just
curious about OAuth in general, I recommend starting at oauth.net, or
https://www.mediawiki.org/wiki/Auth_systems/OAuth):

* Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuth should
get you started towards using OAuth in your application.

* Demo: Anomie setup a excellent initial app (I think counts as our first
official, approved consumer) here
https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so
you can get a feel for the user experience as a user!

* Timeline: We're hoping to get some use this week, and deploy to the rest
of the WMF wikis next week if we don't encounter any issues.

* Bugs: Please open bugzilla tickets for any issues you find, or
enhancement requests--
https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensionscomponent=OAuth

And some other details for the curious:

* Yes, you can use this on your own wiki right now! It's meant to be used
in a single or shared environment, so the defaults will work on a
standalone wiki. Input and patches are welcome, if you have any issues
setting this up on your own wiki.

* TLS: Since a few of you seem to care about https... The extension
currently implements OAuth 1.0a, which is designed to be used without https
(except to deliver the shared secret to the app owner, when the app is
registered). So calls to the API don't need to use https.

* Logging: All edits are tagged with the consumer's id (CID), so you can
see when OAuth was used to contribute an edit.

Enjoy!
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On 21 August 2013 00:08, Marc A. Pelletier m...@uberbox.org wrote:

 On 08/20/2013 11:05 PM, Risker wrote:
  Perhaps then you might want to re-familiarize yourself with the WMF's
  policy on political advocacy

 I'm sorry Risker, but you've got this backwards.  Making a long-overdue
 /minimal/ fix to our login process is not political advocacy.
 Compromising the security and privacy of our editors for the sake of a
 government's censorship policies, *is*.



The mandatory use of HTTPS outside of a limited number of countries where
we know the editors will be blocked is not what I am talking about.  I was
responding to Erik's political manifesto about censorship.  I have no
problems with the core concept here.



 The very idea that editors with checkuser or oversight might even be
 *able* to login in cleartext over an Internet we *know* is monitored by
 entities that are demonstrably hostile to privacy is worrying enough on
 its own without introducing additional flaws in the process.

 I don't even agree that an exception should be made to allow cleartext
 logins from regions which are even *more* hostile to privacy than the
 United States; and I would have advocated that no account with bits
 should be allowed to do so regardless of location.


Well, you're not alone there.  But that is an entirely different
discussion. You want to take up security of accounts with bits, Chris
Stiepp is thataway.



 Nevertheless, engineering has been bending over backwards to accommodate
 as many editors with crippled Internet access as is possible; inventing
 bogeymen and quoting misapplied bits of policy around (promotional
 use? Really?) is an extraordinary show of bad faith.

 -


Again, I was not referring to the core concept here.  Read Erik's last
paragraph again: it is a political manifesto, and something I would not
have expected from the #2 of Wikimedia Foundation leadership in the middle
of a technical discussion.   I don't entirely disagree with him, but it's
not in line with the mission and vision of the Foundation itself, which is
unsupportive of using technical means to prevent good-faith contributions.

Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

Ryan Lane wrote:
Maybe what we're doing is appeasement, but realistically we have no
political power against China. The editors from mainland China had a
discussion with some of us at Wikimania and they said that Wikipedia is
basically unknown in China because Baidupedia is what shows up in the
search results and Wikipedia does not. They actually spend a great deal of
time trying to make Wikipedia known to readers in hopes of strengthening
the editing community. If we were fully blocked again in China, it
wouldn't cause any political fuss.

Good to know, thanks. So perhaps the impact will be minimal. If stats are
possible, they'd be great. I'm not sure how easy it is to measure users
unable to use HTTPS.

https://wikimedia.org/wiki/m:Requests_for_comment/Petition_of_HTTPS_default

^ Another data point. The Meta-Wiki version is frozen in time, while
people continue to sign on the Chinese Wikipedia.

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Erik Moeller

On Tue, Aug 20, 2013 at 9:20 PM, Risker risker...@gmail.com wrote:
 The mandatory use of HTTPS outside of a limited number of countries where
 we know the editors will be blocked is not what I am talking about.

No, but the point is that there's no apolitical choice here. Actively
suppressing a standard, long overdue security measure in order to
ensure that a country's censorship practices do not interfere with
editing and access to Wikipedia is a political choice. Not doing so in
full awareness of the consequences is a political choice. We cannot
claim ignorance or neutrality either way.

The real question is what political choices serve Wikimedia's mission
best in the short and long term, and I agree that that's a discussion
that extends beyond the technical dimension, so is somewhat OT here.

Erik

-- 
Erik Möller
VP of Engineering and Product Development, Wikimedia Foundation

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

quote name=MZMcBride date=2013-08-21 time=00:23:04 -0400
Ryan Lane wrote:
Maybe what we're doing is appeasement, but realistically we have no
political power against China. The editors from mainland China had a
discussion with some of us at Wikimania and they said that Wikipedia is
basically unknown in China because Baidupedia is what shows up in the
search results and Wikipedia does not. They actually spend a great deal of
time trying to make Wikipedia known to readers in hopes of strengthening
the editing community. If we were fully blocked again in China, it
wouldn't cause any political fuss.

Good to know, thanks. So perhaps the impact will be minimal. If stats are
possible, they'd be great. I'm not sure how easy it is to measure users
unable to use HTTPS.

We have some preliminary data that we collected over the weekend on the
ability of users to access an https resource (zero byte gif hosted on
upload.wikimedia). The numbers still only live in a google doc (sorry!),
and they have a lot of caveats.

The caveats (really important to read):
https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit
(one really important caveat is we don't even list countries which had
less than 100 requests total, as that would be too much noise in the
data.)

https://docs.google.com/a/wikimedia.org/spreadsheet/ccc?key=0Ams-fyukCIlMdFRwMWJ3czFRQ0NEeVliNklYTDhfdHc#gid=3
(Be sure not to miss the tabs at the bottom which show you a map view of
the data).

As China and Iran are the outliers there, here's a spreadsheet with them
zero'd out so you can more easily see the middle gradients:
https://docs.google.com/a/wikimedia.org/spreadsheet/ccc?key=0Agte_lJNpi-OdFJUdGJjNnVhMExvQTFSWU1oaXdpbEE#gid=12

Additionally, to see if any changes have a major effect on the ability
of people to log in, we've started parsing out the successful
centralauth autentications and will have a nice Ganglia graph tomorrow.
We also parsed out some historical data on those going back a week or
more to have a better idea of what normal is. Our numbers here are
successful logins per hour which should be a decent metric to watch.

Thanks much to Ori and Dario for working on the HTTPS capability
numbers, and Ori and Robla for getting the successful login numbers.

Greg

--
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |

signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] OAuth

2013-08-20 Thread Dan Andreescu

This is highly anticipated on my part and awesome. I will integrate it
into wikimetrics asap.

Dan

On Tue, Aug 20, 2013 at 9:15 PM, Chris Steipp cste...@wikimedia.org wrote:

* Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuthshould
get you started towards using OAuth in your application.

* Timeline: We're hoping to get some use this week, and deploy to the rest
of the WMF wikis next week if we don't encounter any issues.

* Bugs: Please open bugzilla tickets for any issues you find, or
enhancement requests--

https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensionscomponent=OAuth

And some other details for the curious:

* Logging: All edits are tagged with the consumer's id (CID), so you can
see when OAuth was used to contribute an edit.

Enjoy!
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

quote name=Greg Grossmeier date=2013-08-20 time=21:43:55 -0700
 
 The caveats (really important to read):
 https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit
 (one really important caveat is we don't even list countries which had
 less than 100 requests total, as that would be too much noise in the
 data.)

I should reiterate: It's hard to draw stark conclusions from this data
at this point, but we're using it as a guide along with our knowledge of
network reliability in different parts of the world to make decisions
about what regions will be exempted.

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |


signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On 21 August 2013 00:51, Greg Grossmeier g...@wikimedia.org wrote:

 quote name=Greg Grossmeier date=2013-08-20 time=21:43:55 -0700
 
  The caveats (really important to read):
 
 https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit
  (one really important caveat is we don't even list countries which had
  less than 100 requests total, as that would be too much noise in the
  data.)

 I should reiterate: It's hard to draw stark conclusions from this data
 at this point, but we're using it as a guide along with our knowledge of
 network reliability in different parts of the world to make decisions
 about what regions will be exempted.

 Greg



Thank you for sharing this data, Greg.  I am surprised to see 5 additional
countries with more than 10% failure rates, and another 11 with more than
5%, although these tend to also have higher than average margins of error.
It would be interesting to see how the numbers stabilize over time.

Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st





On Aug 20, 2013, at 9:43 PM, Greg Grossmeier g...@wikimedia.org wrote:

 Additionally, to see if any changes have a major effect on the ability
 of people to log in, we've started parsing out the successful
 centralauth autentications and will have a nice Ganglia graph tomorrow.
 We also parsed out some historical data on those going back a week or
 more to have a better idea of what normal is. Our numbers here are
 successful logins per hour which should be a decent metric to watch.

Thanks, Greg.

Is there any chance that monitoring could track success of login if someone is 
redirected from HTTP to HTTPS?  The redirects should be easy to spot.


-george


Sent from Kangphone
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

quote name=George William Herbert date=2013-08-20 time=22:09:41 -0700
 Is there any chance that monitoring could track success of login if someone 
 is redirected from HTTP to HTTPS?  The redirects should be easy to spot.

I don't know, honestly. The log we were working from initially doesn't
have that data in it (we don't track our users, remember? ;)), but I'll
look more closely tomorrow.

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |


signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st