https://bugzilla.wikimedia.org/show_bug.cgi?id=57891
--- Comment #36 from Dan Garry <dga...@wikimedia.org> --- In its present form, this extension cannot be enabled at this time. Cluster-wide common.css and common.js pages take control away from small wikis. The possibility of some CSS or JS being placed in there that small wikis are not happy about and cannot easily override is unacceptable. This extension therefore represents a radical shift in the power structure our community. I'd be happy with this if, say, after some discussion it was agreed to limit the scope of what these pages are used for, so that that power structure does not change without prior agreement of all relevant parties. From the security and privacy side, admins on Meta are trusted, so in my opinion the probability of a wilful security attack is so unlikely that it's not worth considering. However, Chris Steipp has informed me that he regularly has to fix privacy-related issues that are caused by JS that doesn't meet standards for security due to flaws in the code that have no malicious intent. As with the above, I'd potentially be happy with this if we can come up with a social solution to this problem. The farm-wide common.js and common.css aspect of this extension need much, much more discussion between the WMF and the community before it is enabled. We need an agreement, formed by both the WMF and the community, on how these common.css and common.js files would be used. We need user stories for how and what this could be used. The onus is always on the enabler of something to show that it is needed and present use cases that show that, not on the deployments people to prove the opposite. Thus, the current request to enable it is premature. The user-specific side of this extension, on the other hand, looks great. There are clear user stories for enabling it. After it's had a security review, we could turn that on. Here's the way I'd like to see us proceed: * Puts the farm-wide common.js and common.css aspect of this extension behind a feature flag, and make the configuration change that sets whether them to being disabled on the Wikimedia cluster. * Enable the extension with the above changes merged. * Start an in-depth discussion about the common.js and common.css aspect of this extension with the Meta community and representatives from other wikis that would be affected by this change. Present user stories for this feature. Form an agreement that both the WMF, the Meta community, and the individual wikis can support. We can then consider enabling the extension. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list Wikibugs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
