On 11 August 2015 at 13:07, Mr. Stradivarius <[email protected]> wrote:

> On Wed, Aug 12, 2015 at 1:44 AM, Pine W <[email protected]> wrote:
>
> > Would keeping sensitive pages in wikitext format under "full protection"
> > (meaning that only local administrators can edit) be sufficient?
> >
>
> This is asking for trouble. Even if all our admins acted sensibly all the
> time - and if you've been around here long enough, you know that's not true
> - there is still the very real possibility of admin accounts being
> compromised. I have personally fixed XSS flaws in widely used user scripts,
> and a determined attacker would be highly likely to find others. This is
> best kept out of the control of admins so that if an admin account is
> compromised it will not affect other accounts.

Just so we're clear here - "locking down" these kinds of pages is pretty
much what the Superprotect extension does. It is (to put it mildly) not
well-loved by the Wikimedia community; however, it may be possible to
persuade them that there are certain key pages that must not even be
altered by local admins (copyright being the primary example, but probably
some others as well).

This would require very diplomatic discussion.  And given that this is the
'anniversary' of the introduction of Superprotect, it might be better to
wait for a while to really have that conversation.

Risker/Anne
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
