Speaking of security, I believe that all sysops and people allowed to edit JS / CSS anywhere on MediaWiki sites should be required to use 2FA.
On Mon, Jun 11, 2018 at 4:53 PM, Gergo Tisza <gti...@wikimedia.org> wrote:

> On Mon, Jun 11, 2018 at 3:28 PM Petr Bena <benap...@gmail.com> wrote:
>
>> Is there any historical evidence that sysops being able to edit JS /
>> CSS caused some serious issues? Your point that "most of
>> administrators don't understand JS / CSS" is kind of moot. They are
>> usually trustworthy and intelligent people. They don't mess with
>> something they don't understand and therefore it makes little sense to
>> restrict them from being able to do that.
>
> The primary concern here is someone taking over the account by password
> guessing, social engineering, phishing, exploiting some unfixed MediaWiki
> vulnerability etc. The secondary concern is admins becoming malicious or
> doing something stupid as a way of ragequitting, which is rare but does
> happen (for example, not so long ago, someone thought it would be a good
> idea to make money by installing a cryptocoin miner on Wikipedia). Admins
> making a mistake and breaking the site also happens occasionally, but
> that's not a security problem so it's a pretty minor issue in comparison.
>
>> I understand your points, but do we really need it? Is it going to
>> improve anything?
>
> It reduces the attack surface. Fewer people with access means fewer
> vulnerable passwords, fewer people whose system has been infected with the
> latest computer virus etc.
> Also there are things we might require JS editors to do which might be
> inconvenient to some people (e.g. making two-factor authentication
> required) so it's good to reduce the number of people who have to be
> exposed to that.
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitechfirstname.lastname@example.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
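The two mitigations the thread argues for, taking site-wide JS/CSS editing away from the general sysop group and requiring 2FA for whoever keeps it, can both be expressed in a wiki's LocalSettings.php. The fragment below is an added illustration written for this thread, not configuration from the list or from the MediaWiki project itself. It assumes a MediaWiki release that ships the `interface-admin` group and the `editsitecss`/`editsitejs`/`editsitejson` rights (1.32 and later), and the OATHAuth extension with the `$wgOATHRequiredForGroups` setting, which is an assumption about the extension version in use.

```php
<?php
// LocalSettings.php fragment (added example, not from the mailing-list thread).
// Assumes MediaWiki >= 1.32 (interface-admin group and editsite* rights exist)
// and an OATHAuth version that supports $wgOATHRequiredForGroups (assumption).

wfLoadExtension( 'OATHAuth' );

// 1. Shrink the attack surface: ordinary sysops lose the ability to edit
//    site-wide and other users' JS/CSS/JSON, so a phished or disgruntled admin
//    account cannot inject script that every reader's browser will execute.
foreach ( [ 'editsitecss', 'editsitejs', 'editsitejson',
            'editusercss', 'edituserjs', 'edituserjson' ] as $right ) {
    $wgGroupPermissions['sysop'][$right] = false;
}

// 2. Keep those rights in a small, separately assigned group. Membership is
//    an explicit, auditable grant rather than something every sysop gets.
foreach ( [ 'editsitecss', 'editsitejs', 'editsitejson',
            'editusercss', 'edituserjs', 'edituserjson' ] as $right ) {
    $wgGroupPermissions['interface-admin'][$right] = true;
}
// Let bureaucrats add and remove interface-admins; the change is logged in
// Special:Log/rights, which is where to look when reviewing who holds it.
$wgAddGroups['bureaucrat'][]    = 'interface-admin';
$wgRemoveGroups['bureaucrat'][] = 'interface-admin';

// 3. Require two-factor authentication for both privileged groups, so a
//    guessed or reused password alone is not enough to reach the JS editor.
$wgOATHRequiredForGroups = [ 'sysop', 'interface-admin' ];
```

With this in place, the set of accounts that can push code into readers' browsers is the membership of `interface-admin`, which can be listed with Special:ListUsers/interface-admin and audited against Special:Log/rights; anyone in it who has not enrolled a second factor is blocked from acting until they do.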