Re: [Wikitech-l] Random rant

2015-10-28 Thread Marcin Cieslak
On 2015-10-28, Brian Wolff  wrote:
> I'm not sure how necessary that all is, especially for apps with only
> normal edit rights, or less. If an app maintainer tries to pull
> anything silly, we can just block it. Users can already be tricked
> into giving their password to someone malicious, at least this way we
> can easily keep track of what's going on.

I think the point of the approval process is that I don't install
OAuth app key in the application like Vicuña (https://github.com/yarl/vicuna).

There is no clear consensus what to do with apps like this. One idea
would be every user needs to register it for themselves, but that
of course wouldn't work with the permission queue.

~saper


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Random rant

2015-10-28 Thread MZMcBride
Ricordisamoa wrote:
>ALL of my OAuth applications expired without anyone noticing. Whom am I
>supposed to lobby to get one approved?

Hi.

This rant doesn't seem very random. :-)

This sounds like  (you're
already subscribed). Also  and
.

I don't really understand why an approvals process exists. When I asked in
2014, the answer was "we weren't sure how it was going to be used, and
what way we would need to extend the protocol." It's been over a year and
I still don't really know what that means. That same note indicated a
willingness to fully re-examine the OAuth workflow, so given that it's now
late 2015, here are the options I see, in order of preference:

* kill the approvals queue altogether;
* distribute the approvals process to the Wikimedia stewards;
* distribute the approvals process to additional Wikimedia Foundation
  employees; or
* keep the status quo.

It's difficult for me to figure out how realistic option 1 (killing the
queue) is because I continue to have an incomplete understanding of OAuth
and specifically why an approvals process was ever put into place.

Given that several Wikimedians have complained about the speed of the
approvals process, it seems like option 4 (keeping the current situation)
is a no-go. That leaves us with options 2 and 3 (expanding the pool of
approvers) as the most straightforward choices.

Even if we implemented options 2 or 3 immediately, the lack of external
visibility into the queue and the lack of notifications for queue
submissions would very likely also need to be addressed. Option 1 would
obviate the need for such additional features, of course.

MZMcBride




Re: [Wikitech-l] Random rant

2015-10-28 Thread Brian Wolff
On 10/28/15, MZMcBride  wrote:
> Ricordisamoa wrote:
>>ALL of my OAuth applications expired without anyone noticing. Whom am I
>>supposed to lobby to get one approved?
>
> Hi.
>
> This rant doesn't seem very random. :-)
>
> This sounds like  (you're
> already subscribed). Also  and
> .
>
> I don't really understand why an approvals process exists. When I asked in
> 2014, the answer was "we weren't sure how it was going to be used, and
> what way we would need to extend the protocol." It's been over a year and
> I still don't really know what that means. That same note indicated a
> willingness to fully re-examine the OAuth workflow, so given that it's now
> late 2015, here are the options I see, in order of preference:
>
> * kill the approvals queue altogether;
> * distribute the approvals process to the Wikimedia stewards;
> * distribute the approvals process to additional Wikimedia Foundation
>   employees; or
> * keep the status quo.
>
> It's difficult for me to figure out how realistic option 1 (killing the
> queue) is because I continue to have an incomplete understanding of OAuth
> and specifically why an approvals process was ever put into place.
>
> Given that several Wikimedians have complained about the speed of the
> approvals process, it seems like option 4 (keeping the current situation)
> is a no-go. That leaves us with options 2 and 3 (expanding the pool of
> approvers) as the most straightforward choices.
>
> Even if we implemented options 2 or 3 immediately, the lack of external
> visibility into the queue and the lack of notifications for queue
> submissions would very likely also need to be addressed. Option 1 would
> obviate the need for such additional features, of course.
>
> MZMcBride
>
>
>

The response on
https://meta.wikimedia.org/wiki/Talk:Requests_for_comment/OAuth_handover
seems like meta admins don't seem thrilled about the idea of taking
this over. Although most of that seems like due to uncertainty of what
the consequences are of a bad app getting approved.

Based on that page, the reasons for a queue seem to boil down to
wanting the approver to be able to verify that the app is not
malicious, the app respects privacy and the app is not a desktop
client.

I'm not sure how necessary that all is, especially for apps with only
normal edit rights, or less. If an app maintainer tries to pull
anything silly, we can just block it. Users can already be tricked
into giving their password to someone malicious, at least this way we
can easily keep track of what's going on.

--
-bawolff


Re: [Wikitech-l] Random rant

2015-10-28 Thread Aaron Halfaker
> I think the point of the approval process is that I don't install OAuth
> app key in the application like Vicuña (https://github.com/yarl/vicuna).

This is the only argument I have heard in favor of keeping the review
queue, and yet, I don't see how such an issue would be caught in review of
a consumer application.

Is there a clearly good reason that we need to continue this review
process?  If not, I find it very frustrating that we're slowing things down
so much because of imagined boogie-men.  The idea of
permission-just-in-case-someone-does-a-bad-thing is opposed to the wiki
model of keeping things as open as possible and addressing problems as they
happen.  In the meantime, we're encouraging bad behavior by making the
OAuth system such a pain to work with.  I understand that you're doing this
in your free time csteipp, but the pain of delays is still inflicted on
tool developers all the same.  Maybe it is inappropriate that such a key
infrastructure (and official requirement for Labs-based tools) is left up
to volunteer time of someone who is apparently overworked.

   1. How long is this transition process supposed to take?
   2. Should I start making my argument to the Stewards now?
   3. Is there a public conversation about this transition that I can
   participate in?

-Aaron

On Wed, Oct 28, 2015 at 10:50 AM, Chris Steipp 
wrote:

> On Tue, Oct 27, 2015 at 11:23 PM, Brian Wolff  wrote:
>
> > On 10/27/15, Ricordisamoa  wrote:
> > > ALL of my OAuth applications expired without anyone noticing. Whom am I
> > > supposed to lobby to get one approved?
> > >
> >
> > I suppose these people:
> >
> >
> https://meta.wikimedia.org/w/index.php?title=Special%3AListUsers==oauthadmin=50
>
>
> Yes, bug one of us for now. I talked with the Stewards about taking on the
> process last week, and we're in the process of making that transition.
>

Re: [Wikitech-l] Random rant

2015-10-28 Thread Aaron Halfaker
Sorry, I know about that RFC Bryan.  I was referring to the conversation
with the Stewards about "taking on the process" that Chris referred to.

On Wed, Oct 28, 2015 at 11:39 AM, Bryan Davis  wrote:

> On Wed, Oct 28, 2015 at 10:10 AM, Aaron Halfaker
>  wrote:
> >3. Is there a public conversation about this transition that I can
> >participate in?
>
> Yes! https://meta.wikimedia.org/wiki/Requests_for_comment/OAuth_handover
>
>
> Bryan
> --
> Bryan Davis  Wikimedia Foundation
> [[m:User:BDavis_(WMF)]]  Sr Software Engineer  Boise, ID USA
> irc: bd808  v:415.839.6885 x6855
>
>

Re: [Wikitech-l] Random rant

2015-10-28 Thread Bryan Davis
On Wed, Oct 28, 2015 at 10:10 AM, Aaron Halfaker
 wrote:
>3. Is there a public conversation about this transition that I can
>participate in?

Yes! https://meta.wikimedia.org/wiki/Requests_for_comment/OAuth_handover


Bryan
-- 
Bryan Davis  Wikimedia Foundation
[[m:User:BDavis_(WMF)]]  Sr Software Engineer  Boise, ID USA
irc: bd808  v:415.839.6885 x6855


Re: [Wikitech-l] Random rant

2015-10-28 Thread Chris Steipp
On Wed, Oct 28, 2015 at 9:10 AM, Aaron Halfaker 
wrote:

> Is there a clearly good reason that we need to continue this review
> process?  If not, I find it very frustrating that we're slowing things down
> so much because of imagined boogie-men.  The idea of
> permission-just-in-case-someone-does-a-bad-thing is opposed to the wiki
> model of keeping things as open as possible and addressing problems as they
> happen.  In the meantime, we're encouraging bad behavior by making the
> OAuth system such a pain to work with.  I understand that you're doing this
> in your free time csteipp, but the pain of delays is still inflicted on
> tool developers all the same.  Maybe it is inappropriate that such a key
> infrastructure (and official requirement for Labs-based tools) is left up
> to volunteer time of someone who is apparently overworked.
>
>
I'm very happy for other people to join this process. I believe there's an
open bug about making approvals automatic for non-controversial rights.
Patches welcome.


>1. How long is this transition process supposed to take?
>

Not defined yet.


>2. Should I start making my argument to the Stewards now?
>

About what? If you have something that's not controversial, ping one of the
admins, and I'm sure you can get your Consumer approved today.


>3. Is there a public conversation about this transition that I can
>participate in?
>
>
The RFC is the correct place. The Stewards are just getting back from
travelling so I don't think we've started updating it to account for our
conversations last week, but that is where we will work out the details.

Re: [Wikitech-l] Random rant

2015-10-28 Thread Aaron Halfaker
Indeed.  That was good-faith "apparently" as in "the evidence suggests".
Thank you for your explicit assumption of good-faith.  I'm sorry I came off
badly.

The argument I'd like to make to the Stewards is that (short of a good
argument about why we should have a gate here) there should be no process
for them to adopt.

-Aaron

On Wed, Oct 28, 2015 at 12:01 PM, Chris Steipp 
wrote:

> On Wed, Oct 28, 2015 at 9:10 AM, Aaron Halfaker 
> wrote:
>
> > Is there a clearly good reason that we need to continue this review
> > process?  If not, I find it very frustrating that we're slowing things down
> > so much because of imagined boogie-men.  The idea of
> > permission-just-in-case-someone-does-a-bad-thing is opposed to the wiki
> > model of keeping things as open as possible and addressing problems as they
> > happen.  In the meantime, we're encouraging bad behavior by making the
> > OAuth system such a pain to work with.  I understand that you're doing this
> > in your free time csteipp, but the pain of delays is still inflicted on
> > tool developers all the same.  Maybe it is inappropriate that such a key
> > infrastructure (and official requirement for Labs-based tools) is left up
> > to volunteer time of someone who is apparently overworked.
> >
> >
> I'm very happy for other people to join this process. I believe there's an
> open bug about making approvals automatic for non-controversial rights.
> Patches welcome.
>
>
> >1. How long is this transition process supposed to take?
> >
>
> Not defined yet.
>
>
> >2. Should I start making my argument to the Stewards now?
> >
>
> About what? If you have something that's not controversial, ping one of the
> admins, and I'm sure you can get your Consumer approved today.
>
>
> >3. Is there a public conversation about this transition that I can
> >participate in?
> >
> >
> The RFC is the correct place. The Stewards are just getting back from
> travelling so I don't think we've started updating it to account for our
> conversations last week, but that is where we will work out the details.
>

Re: [Wikitech-l] Random rant

2015-10-28 Thread Gergo Tisza
On Tue, Oct 27, 2015 at 11:33 PM, MZMcBride  wrote:

> Even if we implemented options 2 or 3 immediately, the lack of external
> visibility into the queue and the lack of notifications for queue
> submissions would very likely also need to be addressed.


The queue is public (
https://meta.wikimedia.org/wiki/Special:OAuthListConsumers?name===0
) although some sort of notification or watchlist feature would be nice.