Regarding "Mandatory code review (especially with a required waiting time) and mandatory reauthentication are far more invasive than removing JS editing permissions from administrators who don't want them.": I think that mandatory code review and mandatory authentication would be far less costly and far faster to implement in terms of volunteer time spent redesigning social processes and managing permissions. These options both sound good to me.
In the longer term, I am thinking about how to implement a new permission as you suggest. The more that I think about it, the more that I believe that it could be done with less time cost to volunteers than I originally was dreading. For example, the new permission could be locally assignable by stewards upon community request, similar to bureaucrat permissions. A month-long RFC with adequate translations would likely be sufficient to surface most major unintended side effects and to surface suggestions for design modifications.
Regarding "I feel most people don't appreciate how *extremely* scary the current situation is. The public backlash around the Seigenthaler affair was sparked by Wikipedia carelessly causing harm to a single individual. It would be child's play compared to what would happen if a few ten thousand people had their bank accounts cleaned, or a few dozen opposition members arrested by the secret police, or something like that, because Wikipedians decided security improvements were not worth the effort of moving users from one group to another.": unless I have overlooked something, there seems to be consensus in this thread that changes are worth considering, and people are discussing which changes to make and in what order. People are trying to be helpful, and please keep that in mind.
Pine ( https://meta.wikimedia.org/wiki/User:Pine )
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l