--- Comment #22 from James Forrester <> ---
(In reply to Isarra from comment #20)
> (In reply to James Forrester from comment #18)
> > "Other stupid decisions have been made, so we should make more!" isn't a
> > great argument. I think in this case we've got a great, useful tool
> > (user-level farm-global JS and CSS) and a suspect, unrelated tool (in terms
> > of user experience, not code).
> > 
> > Writing code that goes active on all wikis at once is a major security
> > vulnerability (and hugely disruptive to wikis). This is a major cross-wiki
> > community issue to which a proper long-term solution is already underway
> > (global gadgets), and throwing new technical toys doesn't make it easier.
> > Why don't we focus efforts on the proper solution?
> Perhaps we don't have the proper solution right now, but we do have this -
> and fear of community members does not seem like a very convincing argument
> to me why it wouldn't work well in the meantime, especially as it could well
> help folks to begin migrating away from the IMPORTS EVERYWHERE paradigm that
> is currently in place.

Except that you're going from a model where the wiki's admins (who have to
clean up the mess) have actively done the step, and can see what changed, to
one where some entirely invisible change has broken their wiki and they can't
see why, how, or where to fix it.

> Something doesn't need to be perfect to be a step in the right direction.

Indeed; I'm saying that the issue is that this is in the wrong direction, not
that it's imperfect.

> In terms of security, though, how would global gadgets even be any better in
> that respect? Wouldn't any on-by-default global gadget do exactly that
> - go active on all wikis at once?

(a) The plan isn't for global gadgets to be on-by-default-able.
(b) The plan is to bring in some form of code review / second pair of eyes
before going live to avoid this issue.
