Small wikis are, from this specific security issue, full of risks. I think this element should be taken into account.
Restricting css/js editing may be a patch for a short time, but our infrastructure is pretty vulnerable, our users can be injected with malicious js by editing thousands of pages on any among hundreds of wikis. Vito 2018-07-10 20:51 GMT+02:00 Strainu <strain...@gmail.com>: > 2018-07-10 20:38 GMT+03:00 Alex Monk <kren...@gmail.com>: > > On 10 July 2018 at 12:06, Bodhisattwa Mandal < > bodhisattwa.rg...@gmail.com> > > wrote: > > > >> 1) Not all communities have been informed about this future change ( > >> https://meta.wikimedia.org/wiki/Distribution_list/ > Technical_Village_Pumps_ > >> distribution_list > >> ) > > > > The plan appears to be to do this, maybe it just hasn't happened yet: > > https://meta.wikimedia.org/wiki/Talk:Creation_of_ > separate_user_group_for_editing_sitewide_CSS/JS#Announcement_plan > > > > 2) The comments in the meta talk page suggests that there is no intention > >> to get opinions from editor community members. Everything seems to be > >> pre-decided by the developer community and we dont have other options > but > >> to accept the proposal without proper discussion. > >> ( > >> https://meta.wikimedia.org/wiki/Talk:Creation_of_ > separate_user_group_for_ > >> editing_sitewide_CSS/JS > >> ) > >> > > It's a software security decision so editor community acceptance of this > > change is optional, but there is an attempt to get the opinions of editor > > community members (if there wasn't there wouldn't even be a page on meta > > about this). These rights should never have been bundled with sysop > rights, > > they are incredibly dangerous and more on the level of bureaucrat/steward > > than anything else in the sysop rights list. > > > > 3) Many admins from smaller wikis have expressed their concerns that this > >> decision will severely affect the workflow of those wikis, but none of > >> these concerns are addressed. > >> > > I don't see how. The current local group the rights are granted by is > > bureaucrat-grantable, and the new local group the rights will be granted > by > > will be bureaucrat-grantable. > > The problem is that smaller wikis don't have bureaucrats either and > there have been some very harsh proposals on that talk page with > regards to how the user right should be provided by stewards. Having > some kind of global policy (like the one you propose below) before > deploying would probably ease a lot of the fears. > > > > > >> 4) Many editors have expressed concern over just 2 week short notice > period > >> for this transition. But that concern is also not addressed. > >> > > > > If we were to say that stewards would be allowed to assign the rights to > > any existing local admin (without extra discussion) on the conditions > that: > > 1) they were an admin at the time of the group losing its rights and have > > not lost any local rights since > > 2) there have been no local bureaucrats active on the wiki since the > change. > > I think this would be fine. > > I agree with the proposal, but it seems rather orthogonal to the > transition period. There are all kinds of possible situations and > communities are rather responsive more than pro-active on these > subjects. As someone pointed out on the talk page, there is no real > reason to hurry the deployment so much. The fact that it was announced > in the tech news is a good first step, but it seems like a good idea > to now take the time to do thinks properly. > > Strainu > > > _______________________________________________ > > Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ > wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/ > wiki/Wikimedia-l > > New messages to: Wikimedia-l@lists.wikimedia.org > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> > > _______________________________________________ > Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ > wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/ > wiki/Wikimedia-l > New messages to: Wikimedia-l@lists.wikimedia.org > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> > _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
