On 10/28/15, MZMcBride <[email protected]> wrote:
> Ricordisamoa wrote:
>>ALL of my OAuth applications expired without anyone noticing. Whom am I
>>supposed to lobby to get one approved?
>
> Hi.
>
> This rant doesn't seem very random. :-)
>
> This sounds like <https://phabricator.wikimedia.org/T67750> (you're
> already subscribed). Also <https://phabricator.wikimedia.org/T61772> and
> <https://phabricator.wikimedia.org/T103587>.
>
> I don't really understand why an approvals process exists. When I asked in
> 2014, the answer was "we weren't sure how it was going to be used, and
> what way we would need to extend the protocol." It's been over a year and
> I still don't really know what that means. That same note indicated a
> willingness to fully re-examine the OAuth workflow, so given that it's now
> late 2015, here are the options I see, in order of preference:
>
> * kill the approvals queue altogether;
> * distribute the approvals process to the Wikimedia stewards;
> * distribute the approvals process to additional Wikimedia Foundation
>   employees; or
> * keep the status quo.
>
> It's difficult for me to figure out how realistic option 1 (killing the
> queue) is because I continue to have an incomplete understanding of OAuth
> and specifically why an approvals process was ever put into place.
>
> Given that several Wikimedians have complained about the speed of the
> approvals process, it seems like option 4 (keeping the current situation)
> is a no-go. That leaves us with options 2 and 3 (expanding the pool of
> approvers) as the most straightforward choices.
>
> Even if we implemented options 2 or 3 immediately, the lack of external
> visibility into the queue and the lack of notifications for queue
> submissions would very likely also need to be addressed. Option 1 would
> obviate the need for such additional features, of course.
>
> MZMcBride
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

The response on https://meta.wikimedia.org/wiki/Talk:Requests_for_comment/OAuth_handover seems like meta admins don't seem thrilled about the idea of taking this over. Although most of that seems like due to uncertainty of what the consequences are of a bad app getting approved.

Based on that page, the reasons for a queue seem to boil down to wanting the approver to be able to verify that the app is not malicious, the app respects privacy and the app is not a desktop client.

I'm not sure how necessary that all is, especially for apps with only normal edit rights, or less. If an app maintainer tries to pull anything silly, we can just block it. Users can already be tricked into giving their password to someone malicious, at least this way we can easily keep track of what's going on.

--
-bawolff
