Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-12 Thread Pine W
Regarding "Mandatory code review (especially with a required waiting time) and mandatory reauthentication are far more invasive than removing JS editing permissions from administrators who don't want them.": I think that mandatory code review and mandatory authentication would be far less

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-12 Thread Gergő Tisza
On Tue, Jun 12, 2018 at 8:56 AM Federico Leva (Nemo) wrote: > Personally I'd like us to explore agnostic and non-invasive solutions. > Mandatory code review (especially with a required waiting time) and mandatory reauthentication are far more invasive than removing JS editing permissions from

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-12 Thread Gergő Tisza
On Tue, Jun 12, 2018 at 3:26 AM Nathan wrote: > Is the risk of an attacker taking over an account with CSS/JS edit > permissions any more or less because that person knows how to use CSS/JS? > I tried to address this in the FAQ: > * The number of accounts which can be used to compromise the

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-12 Thread Federico Leva (Nemo)
Personally I'd like us to explore agnostic and non-invasive solutions. The subdivision of permissions across more user groups relies on a number of assumptions which may not hold. For instance, on thousands of MediaWiki wikis there's only one sysop anyway. Something I would like is the

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Pine W
On Mon, Jun 11, 2018 at 6:26 PM, Nathan wrote: > Is the risk of an attacker taking over an account with CSS/JS edit > permissions any more or less because that person knows how to use CSS/JS? > If the criteria will be that only people who know how to use CSS/JS will > get access to make those

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Nathan
Is the risk of an attacker taking over an account with CSS/JS edit permissions any more or less because that person knows how to use CSS/JS? If the criteria will be that only people who know how to use CSS/JS will get access to make those edits, I'm not sure that is perfectly tailored to the need

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Pine W
I tend to agree with Steven's comments. I think that requiring review would, as he said, be less costly to implement in terms of the amount of volunteer time spent on managing permissions. I think that there would also be less time spent discussing and redesigning social processes than there

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Gergo Tisza
On Mon, Jun 11, 2018 at 6:02 PM Steven Walling wrote: > I'm definitely supportive of greater security for sitewide JS/CSS, but > Bart's proposal is an interesting one. (Sorry for top posting, on mobile) > > What if we required review of edits to JS/CSS in the MediaWiki namespace > (not in other

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Pine W
Apologies for the typos. Speaking of being thoughtful, perhaps I should be more careful when typing on mobile devices. Pine ( https://meta.wikimedia.org/wiki/User:Pine ) Original message From: Pine W Date: 6/11/18 1:42 PM (GMT-08:00) To: Wikimedia developers Subject: Re:

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Pine W
Hi Gergő, I think that your proposal makes sense and would be good for the community to consider in an RfC. Because this could involve complex wikilegal changes to how Wikimedia sites assign user permissions, and presently unforeseen side effects, I think that the RfC should be translated into a

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Steven Walling
I'm definitely supportive of greater security for sitewide JS/CSS, but Bart's proposal is an interesting one. (Sorry for top posting, on mobile) What if we required review of edits to JS/CSS in the MediaWiki namespace (not in other namespaces), ala pending changes or something similar? We require

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Bart Humphries
" I remember a situation when I posted a fix for a script in the MediaWiki namespace as an {{edit request}}, and a well-meaning administrator tried to "improve" my line of code and forgot a comma, breaking all JavaScript for all logged-in as well as not logged-in Wikipedia editors and readers for

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Petr Bena
Speaking of security, I believe that all sysops and people allowed to edit JS / CSS anywhere on mediawiki sites should be required to use 2FA. On Mon, Jun 11, 2018 at 4:53 PM, Gergo Tisza wrote: > On Mon, Jun 11, 2018 at 3:28 PM Petr Bena wrote: > >> Is there any historical evidence that sysops

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Gergo Tisza
On Mon, Jun 11, 2018 at 3:28 PM Petr Bena wrote: > Is there any historical evidence that sysops being able to edit JS / > CSS caused some serious issues? Your point that "most of > administrators don't understand JS / CSS" is kind of moot. They are > usually trustworthy and intelligent people.

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Petr Bena
OK in that case I think this should be done. On Mon, Jun 11, 2018 at 3:40 PM, Thiemo Kreuz wrote: >> Is there any historical evidence that sysops being able to edit JS / CSS >> caused some serious issues? > > Oh yes, this happens more often than I feel it needs to. I remember a > situation when

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Thiemo Kreuz
> Is there any historical evidence that sysops being able to edit JS / CSS > caused some serious issues? Oh yes, this happens more often than I feel it needs to. I remember a situation when I posted a fix for a script in the MediaWiki:… namespace as an {{edit request}}, and a well-meaning

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Bartosz Dziewoński
On 2018-06-11 15:28, Petr Bena wrote: Is there any historical evidence that sysops being able to edit JS / CSS caused some serious issues? Your point that "most of administrators don't understand JS / CSS" is kind of moot. They are usually trustworthy and intelligent people. They don't mess up

Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Petr Bena
Is there any historical evidence that sysops being able to edit JS / CSS caused some serious issues? Your point that "most of administrators don't understand JS / CSS" is kind of moot. They are usually trustworthy and intelligent people. They don't mess up with something they don't understand and

[Wikitech-l] Please comment on the draft consultation for splitting the admin role

2018-06-11 Thread Gergő Tisza
Hi all, per the discussion on Phabricator, I'd like to split the administrator ("sysop") user group into two parts - one which can edit sitewide CSS/JS, and one which can not. You can find the details and detailed rationale in the task: https://phabricator.wikimedia.org/T190015 To inform the