date:20130820


> Thank you for sharing this data, Greg.  I am surprised to see 5 additional
> countries with more than 10% failure rates, and another 11 with more than
> 5%, although these tend to also have higher than average margins of error.
> It would be interesting to see how the numbers stabilize over time.

Yes, the stabilizing/longer term data will be really helpful here. We'll
keep our eyes on it, in addition to the other feedback channels, and
adjust our settings appropriately.

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |


signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st


> Is there any chance that monitoring could track success of login if someone 
> is redirected from HTTP to HTTPS?  The redirects should be easy to spot.

I don't know, honestly. The log we were working from initially doesn't
have that data in it (we don't track our users, remember? ;)), but I'll
look more closely tomorrow.

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |


signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st





On Aug 20, 2013, at 9:43 PM, Greg Grossmeier  wrote:

> Additionally, to see if any changes have a major effect on the ability
> of people to log in, we've started parsing out the successful
> centralauth autentications and will have a nice Ganglia graph tomorrow.
> We also parsed out some historical data on those going back a week or
> more to have a better idea of what "normal" is. Our numbers here are
> "successful logins per hour" which should be a decent metric to watch.

Thanks, Greg.

Is there any chance that monitoring could track success of login if someone is 
redirected from HTTP to HTTPS?  The redirects should be easy to spot.


-george


Sent from Kangphone
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On 21 August 2013 00:51, Greg Grossmeier  wrote:

> 
> >
> > The caveats (really important to read):
> >
> https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit
> > (one really important caveat is we don't even list countries which had
> > less than 100 requests total, as that would be too much noise in the
> > data.)
>
> I should reiterate: It's hard to draw stark conclusions from this data
> at this point, but we're using it as a guide along with our knowledge of
> network reliability in different parts of the world to make decisions
> about what regions will be exempted.
>
> Greg
>


Thank you for sharing this data, Greg.  I am surprised to see 5 additional
countries with more than 10% failure rates, and another 11 with more than
5%, although these tend to also have higher than average margins of error.
It would be interesting to see how the numbers stabilize over time.

Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st


> 
> The caveats (really important to read):
> https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit
> (one really important caveat is we don't even list countries which had
> less than 100 requests total, as that would be too much noise in the
> data.)

I should reiterate: It's hard to draw stark conclusions from this data
at this point, but we're using it as a guide along with our knowledge of
network reliability in different parts of the world to make decisions
about what regions will be exempted.

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |


signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] OAuth

2013-08-20 Thread Dan Andreescu

This is highly anticipated on my part and awesome.  I will integrate it
into wikimetrics asap.

Dan


On Tue, Aug 20, 2013 at 9:15 PM, Chris Steipp  wrote:

> As mentioned earlier this week, we deployed an initial version of the OAuth
> extension to the test wikis yesterday. I wanted to follow up with a few
> more details about the extension that we deployed (although if you're just
> curious about OAuth in general, I recommend starting at oauth.net, or
> https://www.mediawiki.org/wiki/Auth_systems/OAuth):
>
> * Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuthshould
> get you started towards using OAuth in your application.
>
> * Demo: Anomie setup a excellent initial app (I think counts as our first
> official, approved consumer) here
> https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so
> you can get a feel for the user experience as a user!
>
> * Timeline: We're hoping to get some use this week, and deploy to the rest
> of the WMF wikis next week if we don't encounter any issues.
>
> * Bugs: Please open bugzilla tickets for any issues you find, or
> enhancement requests--
>
> https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OAuth
>
>
> And some other details for the curious:
>
> * Yes, you can use this on your own wiki right now! It's meant to be used
> in a single or shared environment, so the defaults will work on a
> standalone wiki. Input and patches are welcome, if you have any issues
> setting this up on your own wiki.
>
> * TLS: Since a few of you seem to care about https... The extension
> currently implements OAuth 1.0a, which is designed to be used without https
> (except to deliver the shared secret to the app owner, when the app is
> registered). So calls to the API don't need to use https.
>
> * Logging: All edits are tagged with the consumer's id (CID), so you can
> see when OAuth was used to contribute an edit.
>
> Enjoy!
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

> Ryan Lane wrote:
> >Maybe what we're doing is appeasement, but realistically we have no
> >political power against China. The editors from mainland China had a
> >discussion with some of us at Wikimania and they said that Wikipedia is
> >basically unknown in China because Baidupedia is what shows up in the
> >search results and Wikipedia does not. They actually spend a great deal of
> >time trying to make Wikipedia known to readers in hopes of strengthening
> >the editing community. If we were fully blocked again in China, it
> >wouldn't cause any political fuss.
> 
> Good to know, thanks. So perhaps the impact will be minimal. If stats are
> possible, they'd be great. I'm not sure how easy it is to measure users
> unable to use HTTPS.

We have some preliminary data that we collected over the weekend on the
ability of users to access an https resource (zero byte gif hosted on
upload.wikimedia). The numbers still only live in a google doc (sorry!),
and they have a lot of caveats.

The caveats (really important to read):
https://docs.google.com/a/wikimedia.org/document/d/1Y2vs8lpevv9PtH_dp3P5hZeKuczB4-1xDXOHCaeuhw8/edit
(one really important caveat is we don't even list countries which had
less than 100 requests total, as that would be too much noise in the
data.)

https://docs.google.com/a/wikimedia.org/spreadsheet/ccc?key=0Ams-fyukCIlMdFRwMWJ3czFRQ0NEeVliNklYTDhfdHc#gid=3
(Be sure not to miss the tabs at the bottom which show you a map view of
the data).

As China and Iran are the outliers there, here's a spreadsheet with them
zero'd out so you can more easily see the middle gradients:
https://docs.google.com/a/wikimedia.org/spreadsheet/ccc?key=0Agte_lJNpi-OdFJUdGJjNnVhMExvQTFSWU1oaXdpbEE#gid=12

Additionally, to see if any changes have a major effect on the ability
of people to log in, we've started parsing out the successful
centralauth autentications and will have a nice Ganglia graph tomorrow.
We also parsed out some historical data on those going back a week or
more to have a better idea of what "normal" is. Our numbers here are
"successful logins per hour" which should be a decent metric to watch.

Thanks much to Ori and Dario for working on the HTTPS capability
numbers, and Ori and Robla for getting the successful login numbers.

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |

signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Erik Moeller

On Tue, Aug 20, 2013 at 9:20 PM, Risker  wrote:
> The mandatory use of HTTPS outside of a limited number of countries where
> we know the editors will be blocked is not what I am talking about.

No, but the point is that there's no apolitical choice here. Actively
suppressing a standard, long overdue security measure in order to
ensure that a country's censorship practices do not interfere with
editing and access to Wikipedia is a political choice. Not doing so in
full awareness of the consequences is a political choice. We cannot
claim ignorance or neutrality either way.

The real question is what political choices serve Wikimedia's mission
best in the short and long term, and I agree that that's a discussion
that extends beyond the technical dimension, so is somewhat OT here.

Erik

-- 
Erik Möller
VP of Engineering and Product Development, Wikimedia Foundation

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

Ryan Lane wrote:
>Maybe what we're doing is appeasement, but realistically we have no
>political power against China. The editors from mainland China had a
>discussion with some of us at Wikimania and they said that Wikipedia is
>basically unknown in China because Baidupedia is what shows up in the
>search results and Wikipedia does not. They actually spend a great deal of
>time trying to make Wikipedia known to readers in hopes of strengthening
>the editing community. If we were fully blocked again in China, it
>wouldn't cause any political fuss.

Good to know, thanks. So perhaps the impact will be minimal. If stats are
possible, they'd be great. I'm not sure how easy it is to measure users
unable to use HTTPS.

https://wikimedia.org/wiki/m:Requests_for_comment/Petition_of_HTTPS_default

^ Another data point. The Meta-Wiki version is frozen in time, while
people continue to sign on the Chinese Wikipedia.

MZMcBride



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On 21 August 2013 00:08, Marc A. Pelletier  wrote:

> On 08/20/2013 11:05 PM, Risker wrote:
> > Perhaps then you might want to re-familiarize yourself with the WMF's
> > policy on political advocacy
>
> I'm sorry Risker, but you've got this backwards.  Making a long-overdue
> /minimal/ fix to our login process is not political advocacy.
> Compromising the security and privacy of our editors for the sake of a
> government's censorship policies, *is*.
>

The mandatory use of HTTPS outside of a limited number of countries where
we know the editors will be blocked is not what I am talking about.  I was
responding to Erik's political manifesto about censorship.  I have no
problems with the core concept here.

>
> The very idea that editors with checkuser or oversight might even be
> *able* to login in cleartext over an Internet we *know* is monitored by
> entities that are demonstrably hostile to privacy is worrying enough on
> its own without introducing additional flaws in the process.
>
> I don't even agree that an exception should be made to allow cleartext
> logins from regions which are even *more* hostile to privacy than the
> United States; and I would have advocated that no account with bits
> should be allowed to do so regardless of location.
>

Well, you're not alone there.  But that is an entirely different
discussion. You want to take up security of accounts with "bits", Chris
Stiepp is thataway.

>
> Nevertheless, engineering has been bending over backwards to accommodate
> as many editors with crippled Internet access as is possible; inventing
> bogeymen and quoting misapplied bits of policy around ("promotional
> use"? Really?) is an extraordinary show of bad faith.
>
> -
>

Again, I was not referring to the core concept here.  Read Erik's last
paragraph again: it is a political manifesto, and something I would not
have expected from the #2 of Wikimedia Foundation leadership in the middle
of a technical discussion.   I don't entirely disagree with him, but it's
not in line with the mission and vision of the Foundation itself, which is
unsupportive of using technical means to prevent good-faith contributions.

Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

As mentioned earlier this week, we deployed an initial version of the OAuth
extension to the test wikis yesterday. I wanted to follow up with a few
more details about the extension that we deployed (although if you're just
curious about OAuth in general, I recommend starting at oauth.net, or
https://www.mediawiki.org/wiki/Auth_systems/OAuth):

* Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuth should
get you started towards using OAuth in your application.

* Demo: Anomie setup a excellent initial app (I think counts as our first
official, approved consumer) here
https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so
you can get a feel for the user experience as a user!

* Timeline: We're hoping to get some use this week, and deploy to the rest
of the WMF wikis next week if we don't encounter any issues.

* Bugs: Please open bugzilla tickets for any issues you find, or
enhancement requests--
https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OAuth

And some other details for the curious:

* Yes, you can use this on your own wiki right now! It's meant to be used
in a single or shared environment, so the defaults will work on a
standalone wiki. Input and patches are welcome, if you have any issues
setting this up on your own wiki.

* TLS: Since a few of you seem to care about https... The extension
currently implements OAuth 1.0a, which is designed to be used without https
(except to deliver the shared secret to the app owner, when the app is
registered). So calls to the API don't need to use https.

* Logging: All edits are tagged with the consumer's id (CID), so you can
see when OAuth was used to contribute an edit.

Enjoy!
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Marc A. Pelletier

On 08/20/2013 11:05 PM, Risker wrote:
> Perhaps then you might want to re-familiarize yourself with the WMF's
> policy on political advocacy

I'm sorry Risker, but you've got this backwards.  Making a long-overdue
/minimal/ fix to our login process is not political advocacy.
Compromising the security and privacy of our editors for the sake of a
government's censorship policies, *is*.

The very idea that editors with checkuser or oversight might even be
*able* to login in cleartext over an Internet we *know* is monitored by
entities that are demonstrably hostile to privacy is worrying enough on
its own without introducing additional flaws in the process.

I don't even agree that an exception should be made to allow cleartext
logins from regions which are even *more* hostile to privacy than the
United States; and I would have advocated that no account with bits
should be allowed to do so regardless of location.

Nevertheless, engineering has been bending over backwards to accommodate
as many editors with crippled Internet access as is possible; inventing
bogeymen and quoting misapplied bits of policy around ("promotional
use"? Really?) is an extraordinary show of bad faith.

-- Marc

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Ryan Lane

On Tue, Aug 20, 2013 at 8:04 PM, MZMcBride  wrote:

> Erik Moeller wrote:
> >In general, though, I'd prefer for WMF to move away from what could be
> >characterized as appeasement and towards actively resisting censorship
> >and monitoring.
>
> I agree with you and I imagine most developers would agree with you. But
> the question remains: do most Wikimedians?
>
> I think for most Wikimedians, but particularly for Wikimedians in areas
> where HTTPS access is restricted, I think there's a general view that
> having insecure access over HTTP trumps requiring HTTPS and cutting off
> access altogether. While we hope that this situation is inapplicable to
> most users, we have to recognize that it's applicable to some percent of
> our users. It'd be good to get numbers about how many users we're talking
> about and try to better understand what the Wikimedia community thinks is
> the best path forward, given the various constraints and consequences.
>
>
There's not a lot of great options for us to actively bypass censorship
methods and anything we do will likely result in us being completely
blocked by doing it.

Maybe what we're doing is appeasement, but realistically we have no
political power against China. The editors from mainland China had a
discussion with some of us at Wikimania and they said that Wikipedia is
basically unknown in China because Baidupedia is what shows up in the
search results and Wikipedia does not. They actually spend a great deal of
time trying to make Wikipedia known to readers in hopes of strengthening
the editing community. If we were fully blocked again in China, it wouldn't
cause any political fuss.

- Ryan
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

Erik Moeller wrote:
>In general, though, I'd prefer for WMF to move away from what could be
>characterized as appeasement and towards actively resisting censorship
>and monitoring.

I agree with you and I imagine most developers would agree with you. But
the question remains: do most Wikimedians?

I think for most Wikimedians, but particularly for Wikimedians in areas
where HTTPS access is restricted, I think there's a general view that
having insecure access over HTTP trumps requiring HTTPS and cutting off
access altogether. While we hope that this situation is inapplicable to
most users, we have to recognize that it's applicable to some percent of
our users. It'd be good to get numbers about how many users we're talking
about and try to better understand what the Wikimedia community thinks is
the best path forward, given the various constraints and consequences.

MZMcBride

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On 20 August 2013 22:22, Erik Moeller  wrote:

> On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert
>  wrote:
>
> > The change must be delayed until people geographically / nationally
> denied HTTPS can log in again.
>
> Tim's working on a patch that should make this possible:
> https://gerrit.wikimedia.org/r/#/c/80166/
>
> The plan of record right now is to not make the switch til we have
> that merged & tested. We may still be able to make the launch window
> tomorrow - RobLa will make the final call on that.
>

Very good, this is the step that needed to be taken so that users who are
unable to use HTTPS can still contribute to our knowledge base - which is
the primary focus of the WMF.


>
> Ideally I'd like to see the language-based blacklisting removed if the
> GeoIP-based solution works.
>
> In general, though, I'd prefer for WMF to move away from what could be
> characterized as appeasement and towards actively resisting censorship
> and monitoring. So I'd argue in favor of a deadline for this approach,
> and alignment of resources and alliances to take active measures
> against censorship and monitoring.
>
>
Perhaps then you might want to re-familiarize yourself with the WMF's
policy on political advocacy, particularly the section on "Promotional use
of website assets" and "Movement Partnerships" (although the latter is a
bit of a stretch).[1] I think that would best describe the proposal here,
to politicize the manner in which *registered contributors* are able to
contribute to the vast array of WMF projects.  I do understand why this is
important to a lot of people, and I do get that logging in under HTTPS is
more secure than logging in under HTTP. But at the same time, the WMF's
primary mission is to "empower and engage people around the world to
collect and develop educational content".[2]  Wikimedia's values include
"encouraging the development of free-content educational resources that may
be created, used, and reused by the entire human community. We believe that
this mission requires thriving open formats and open standards on the web
to allow the creation of content not subject to restrictions on creation,
use, and reuse." [3]

Note now none of them say "the WMF technical team can unilaterally take
actions that may affect the ability of users to register an account or for
registered contributors to participate in the WMF's primary mission."  For
that, you need to actively persuade the community in general that this is
necessary, and possibly even the Board of Trustees.


Risker

[1]
https://meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Foundation_Policy_and_Political_Association_Guideline#Promotional_Use_of_Website_Assets
[2] https://wikimediafoundation.org/wiki/Mission
[3] https://wikimediafoundation.org/wiki/Values
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread George Herbert

On Tue, Aug 20, 2013 at 7:22 PM, Erik Moeller  wrote:

> On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert
>  wrote:
>
> > The change must be delayed until people geographically / nationally
> denied HTTPS can log in again.
>
> Tim's working on a patch that should make this possible:
> https://gerrit.wikimedia.org/r/#/c/80166/
>
> The plan of record right now is to not make the switch til we have
> that merged & tested. We may still be able to make the launch window
> tomorrow - RobLa will make the final call on that.
>
> Ideally I'd like to see the language-based blacklisting removed if the
> GeoIP-based solution works.


Excellent.  Thank you.



> In general, though, I'd prefer for WMF to move away from what could be
> characterized as appeasement and towards actively resisting censorship
> and monitoring. So I'd argue in favor of a deadline for this approach,
> and alignment of resources and alliances to take active measures
> against censorship and monitoring.
>

Yes; in the medium term (past the next few days / week) the direction here
is clearly good from a user privacy / censorship and monitoring point of
view.


-- 
-george william herbert
george.herb...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Erik Moeller

On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert
 wrote:

> The change must be delayed until people geographically / nationally denied 
> HTTPS can log in again.

Tim's working on a patch that should make this possible:
https://gerrit.wikimedia.org/r/#/c/80166/

The plan of record right now is to not make the switch til we have
that merged & tested. We may still be able to make the launch window
tomorrow - RobLa will make the final call on that.

Ideally I'd like to see the language-based blacklisting removed if the
GeoIP-based solution works.

In general, though, I'd prefer for WMF to move away from what could be
characterized as appeasement and towards actively resisting censorship
and monitoring. So I'd argue in favor of a deadline for this approach,
and alignment of resources and alliances to take active measures
against censorship and monitoring.

Erik
-- 
Erik Möller
VP of Engineering and Product Development, Wikimedia Foundation

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] CentralNotice Security Patch on Tin

2013-08-20 Thread Matthew Walker

Hey all,

Chris Steipp found a bug in CentralNotice yesterday and I've applied a
modified version of his patch. He has asked me not to commit it to gerrit
until Friday's security release.

I've applied that patch to wmf12 and wmf13.

Please do not git submodule update the CentralNotice extension!

In the event that the patch is causing issues; the patch file is:
tin:/home/mwalker/CentralNotice-bug53032.patch

~Matt Walker
Wikimedia Foundation
Fundraising Technology Team
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Tilman Bayer

On Tue, Aug 20, 2013 at 3:57 PM, Tyler Romeo  wrote:
> The lack of secure login on WMF wikis is a *major security issue*, and
> AFAIK is the biggest publicly known security issue in the site.

Indeed. For a Signpost article three years ago, I asked a security
researcher (who had co-authored a comparative study of user password
handling on 150 websites) about his recommendations for Wikipedia.
"Making encrypted transmission of the password the default" was his
foremost advice:
https://en.wikipedia.org/wiki/Wikipedia:Wikipedia_Signpost/2010-08-02/Technology_report#Study_of_web_passwords_includes_Wikipedia

It's excellent news that this issue is finally being resolved, even
when there are exceptions and corner cases that need to be addressed.

> All you
> need is some random checkuser to be using Wikipedia at a Starbucks, and all
> of a sudden the privacy policy of every single registered user is violated.
> There's big talk all around about "evading the NSA" and attempting to
> protect the privacy of our users, but it is literally impossible to protect
> users' privacy if we can't even protect their security in the first place.
> To re-iterate, privacy depends on security, and right now we have neither
> of them.
>
> Furthermore, secure login is not a new idea. I've been fighting to get this
> feature enabled since October 2012 when the secure login functionality in
> MW core was finally fixed. Since then, HTTPS login has been deployed
> *twice*, but reverted once due to a bug with CentralAuth and once due the
> design team concerned about the login form. This will be the third attempt
> at deploying this in the past six months, so I don't know why this
> discussion had to start right now.
>

-- 
Tilman Bayer
Senior Operations Analyst (Movement Communications)
Wikimedia Foundation
IRC (Freenode): HaeB

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread George Herbert

On Tue, Aug 20, 2013 at 3:57 PM, Tyler Romeo  wrote:

> The lack of secure login on WMF wikis is a *major security issue*, and
> AFAIK is the biggest publicly known security issue in the site.
>

Time out...

We do not have a lack of secure login.  That was solved a long time ago
(many years).  I've been using it since about when it was made available
first (secure. ...).

This is going from "secure is default and available" to "you cannot access
other than secure", unless you know a non-secure exempted wiki you can log
in to first.

The people with a firewall (national, corporate, whatever) that
blocks HTTPS deserve some warning that something bad is going to happen to
them, and that they can mititate that using (X),  before it hits.

Again - it is entirely reasonable to shift the stance towards all secure.
This will affect some people (I don't know how many).  They have not been
warned and the workaround is not intuitive.

It's not a normal or reasonable to affect some number of users like that
with no warning.

This will be the third attempt at deploying this in the past six months, so
> I don't know why this discussion had to start right now.

It was not clear to me that this would have that wide an effect, or I for
one would have been saying something months ago.  I said exactly how
significant I feel it is immediately upon my understanding what the effects
will be.

I understand your frustration, but again, the impact on those users is (to
me) a blocker bug.  It being discovered and made visible this close to
deploy time is unfortunate.  We should (later) have a conversation about
feature descriptions and notifications on the tech list so that discoveries
like this aren't last minute.

That does not affect that it should be a blocker bug.  Those affected
people deserve notification and information on the workarounds.

That does not mean "don't roll this out" but "don't roll it out until it's
adequately publicized long enough that nobody is surprised and unable to
find the workaround".  A week or two weeks of adequate notice should be
fine.

-george
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

The lack of secure login on WMF wikis is a *major security issue*, and
AFAIK is the biggest publicly known security issue in the site. All you
need is some random checkuser to be using Wikipedia at a Starbucks, and all
of a sudden the privacy policy of every single registered user is violated.
There's big talk all around about "evading the NSA" and attempting to
protect the privacy of our users, but it is literally impossible to protect
users' privacy if we can't even protect their security in the first place.
To re-iterate, privacy depends on security, and right now we have neither
of them.

Furthermore, secure login is not a new idea. I've been fighting to get this
feature enabled since October 2012 when the secure login functionality in
MW core was finally fixed. Since then, HTTPS login has been deployed
*twice*, but reverted once due to a bug with CentralAuth and once due the
design team concerned about the login form. This will be the third attempt
at deploying this in the past six months, so I don't know why this
discussion had to start right now.

In the end, what we're doing is allowing the Chinese government to
manipulate the WMF into degrading the security of its entire userbase, and
I don't think that's acceptable. There are 100 times as many active users
on enwiki than there are zhwiki, and that's assuming *all* active users on
zhwiki also edit enwiki, which is probably not true.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com

On Tue, Aug 20, 2013 at 6:10 PM, Derk-Jan Hartman <
d.j.hartman+wmf...@gmail.com> wrote:

>
> On 20 aug. 2013, at 23:21, Bartosz Dziewoński  wrote:
>
> > On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride  wrote:
> >
> >> If we change all sites to require HTTPS for
> >> logged-in users, we'll certainly increase site security and enhance the
> >> user experience for most users, but is that worth losing every
> >> zh.wikipedia.org contributor who lives in China? Or do we expect anyone
> >> blocked from HTTPS to simply edit without an account?
> >> I think the concern here is that some projects may be decimated (in
> terms
> >> of number of contributors) if HTTPS is forced for all users.
> >
> > I think that zh and fa wikis are "exempt". The concernseems to be about
> contributors from affected countries editing other wikis, such as Commons
> or Wikidata.
>
> Can I just say that IF there is still this much discussion and confusion
> going on even at the level of the developers, that I feel really
> uncomfortable with this being deployed in the next 24hours.
>
> This all just feels way too rough. And it smells like this is gonna create
> yet another deploy shitstorm within the communities. I wouldn't like to be
> in the shoes of the liaisons and ambassadors tomorrow
>
> DJ
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] [Commons-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

2013-08-20 Thread Fabrice Florin

Hey Brion,

Very cool!

I just downloaded Commons for iOS and uploaded a photo in minutes … it went 
smooth as silk :)

Thanks for you fine work, which should enable many more folks to contribute 
multimedia content on the go.

Cheers,


Fabrice


On Aug 20, 2013, at 1:57 PM, Brion Vibber wrote:

> We have just released Commons for iOS (version 1.0.8) and Android 
> (1.0beta11), with *major* UI and performance improvements on iOS and minor 
> bug fixes on Android.
> 
> This is our first release in a couple months on iOS -- we hoped to have one 
> out before Wikimania but were delayed due to problems with Apple's online 
> developer tools being offline for a while. There are huge UI improvements and 
> lots of bug fixes, thanks to our new mobile developer Monte Hurd. Thanks 
> Monte!
> 
> We've been releasing smaller updates on Android in the meantime, so the 
> updates have been more incremental there.
> 
> Both versions now include a quick 3-screen acceptable-use tutorial on first 
> login. iOS includes featured photos as examples as well; this will come to 
> Android in a future version.
> 
> Downloads and release notes:
> * Apple App Store: 
> https://itunes.apple.com/us/app/wikimedia-commons/id630901780
> * Google Play: 
> https://play.google.com/store/apps/details?id=org.wikimedia.commons
> * Android direct download: 
> http://download.wikimedia.org/android/wikimedia-commons-1.0beta11.apk
> 
> -- brion vibber (brion @ pobox.com / bvibber @ wikimedia.org)
> ___
> Commons-l mailing list
> common...@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/commons-l

___

Fabrice Florin
Product Manager
Wikimedia Foundation

http://en.wikipedia.org/wiki/User:Fabrice_Florin_(WMF)



___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Derk-Jan Hartman

On 20 aug. 2013, at 23:21, Bartosz Dziewoński  wrote:

> On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride  wrote:
> 
>> If we change all sites to require HTTPS for
>> logged-in users, we'll certainly increase site security and enhance the
>> user experience for most users, but is that worth losing every
>> zh.wikipedia.org contributor who lives in China? Or do we expect anyone
>> blocked from HTTPS to simply edit without an account?
>> I think the concern here is that some projects may be decimated (in terms
>> of number of contributors) if HTTPS is forced for all users.
> 
> I think that zh and fa wikis are "exempt". The concernseems to be about 
> contributors from affected countries editing other wikis, such as Commons or 
> Wikidata.

Can I just say that IF there is still this much discussion and confusion going 
on even at the level of the developers, that I feel really uncomfortable with 
this being deployed in the next 24hours.

This all just feels way too rough. And it smells like this is gonna create yet 
another deploy shitstorm within the communities. I wouldn't like to be in the 
shoes of the liaisons and ambassadors tomorrow

DJ
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

2013-08-20 Thread Strainu

2013/8/21 Brion Vibber :
> (The Commons uploader apps may or may not eventually roll into the main
> Wikipedia app on iOS and Android too, we haven't decided for sure yet.)

That sound weird (read: divergent from all the stuff we read in the
WMF plans and reports). Shouldn't the ultimate development goal for
mobile be total feature parity with desktop? Otherwise how is wiki*
supposed to tap into "global south" (I hate this buzzword!) editor
resources? Aren't all the pundits claiming that desktop is dead and in
the future we're all gonna browse the internet on small (5-10") or
huge (40"+) screens?

Strainu

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

On Tue, Aug 20, 2013 at 2:05 PM, Rodrigo Padula  wrote:

> Hello guys,
>
> Are you thinking to develop apps for FirefoxOS too?
>

Currently we're not planning a version of the Commons uploader app. Photo
uploading works in Firefox via the mobile web site, though it's not quite
as flexible -- eg you can't edit your photo descriptions while offline and
then upload a bunch online... yet. :)

There's less need for a separate app on Firefox OS, as the regular web
browser actually can interact with other apps on the system (eg to launch
another app, or fetch a photo from the library, etc). So in the future,
we'll probably have more 'progressive enhancement' with additional
uploading & media features in supporting browsers, and that'll get rolled
into our "app" entry in the Firefox Marketplace replacing the current
Wikipedia reader app.

(The Commons uploader apps may or may not eventually roll into the main
Wikipedia app on iOS and Android too, we haven't decided for sure yet.)

-- brion


>
>
>
> 2013/8/20 Risker 
>
> > On 20 August 2013 16:57, Brion Vibber  wrote:
> >
> > > We have just released Commons for iOS (version 1.0.8) and Android
> > > (1.0beta11), with *major* UI and performance improvements on iOS and
> > minor
> > > bug fixes on Android.
> > >
> > > This is our first release in a couple months on iOS -- we hoped to have
> > one
> > > out before Wikimania but were delayed due to problems with Apple's
> online
> > > developer tools being offline for a while. There are huge UI
> improvements
> > > and lots of bug fixes, thanks to our new mobile developer Monte Hurd.
> > > Thanks Monte!
> > >
> > > We've been releasing smaller updates on Android in the meantime, so the
> > > updates have been more incremental there.
> > >
> > > Both versions now include a quick 3-screen acceptable-use tutorial on
> > first
> > > login. iOS includes featured photos as examples as well; this will come
> > to
> > > Android in a future version.
> > >
> > >
> > Thanks to Monte and Brion for the work on this.  I recently attended an
> > "edit-a-thon" at the Royal Ontario Museum, and pointed the attendees (and
> > ROM staff/interns) to this app - they were extremely enthusiastic, and I
> > have a feeling we've already seen some images from them.
> >
> > Risker
> > ___
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
>
>
>
> --
> *Rodrigo Padula
> Education Program Coordinator - Brazil
> **Consultant for the Brazilian Catalyst Program at Wikimedia Foundation**
> *
> *+55 21 9326 0558
> Blog: http://www.rodrigopadula.com
> Twitter: @rodrigopadula*
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Bartosz Dziewoński


On Tue, 20 Aug 2013 23:19:22 +0200, MZMcBride  wrote:


If we change all sites to require HTTPS for
logged-in users, we'll certainly increase site security and enhance the
user experience for most users, but is that worth losing every
zh.wikipedia.org contributor who lives in China? Or do we expect anyone
blocked from HTTPS to simply edit without an account?
I think the concern here is that some projects may be decimated (in terms
of number of contributors) if HTTPS is forced for all users.


I think that zh and fa wikis are "exempt". The concernseems to be about 
contributors from affected countries editing other wikis, such as Commons or Wikidata.


--
Matma Rex

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

Brion Vibber wrote:
>Wikipedia was blocked ENTIRELY in China for years; people interested in
>*reading* as well as contributing used circumvention tools (VPNs etc) to
>more securely access the site, and just got generic errors if they didn't.
>
>This is an acceptable trade-off which we've allowed the Chinese government
>to make for us before, and here we're talking about a much smaller effect
>(on contributors only).
>
>Again, it's not our business to fix China. China has to fix China.

I completely agree with China fixing China.

But I think the Wikimedia community has to decide whether this trade-off
is acceptable. I'm not sure it's a decision that sysadmins and developers
can make alone.

From my understanding, zh.wikipedia.org is currently available via HTTP in
China, but not HTTPS. If we change all sites to require HTTPS for
logged-in users, we'll certainly increase site security and enhance the
user experience for most users, but is that worth losing every
zh.wikipedia.org contributor who lives in China? Or do we expect anyone
blocked from HTTPS to simply edit without an account?

I think the concern here is that some projects may be decimated (in terms
of number of contributors) if HTTPS is forced for all users.

MZMcBride

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] HTTPS central notice - translation needed?

2013-08-20 Thread Paul Selitskas

Usually central notice banners link to an announcement that can be
viewed in many languages.

The HTTPS banner that is being displayed at the moment links to a
rough page[0] that has only English version. Could anyone craft an
announcement suitable for translation?


[0] https://meta.wikimedia.org/wiki/HTTPS

-- 
З павагай,
Павел Селіцкас/Pavel Selitskas
Wizardist @ Wikimedia projects

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

2013-08-20 Thread Rodrigo Padula

Hello guys,

Are you thinking to develop apps for FirefoxOS too?




2013/8/20 Risker 

> On 20 August 2013 16:57, Brion Vibber  wrote:
>
> > We have just released Commons for iOS (version 1.0.8) and Android
> > (1.0beta11), with *major* UI and performance improvements on iOS and
> minor
> > bug fixes on Android.
> >
> > This is our first release in a couple months on iOS -- we hoped to have
> one
> > out before Wikimania but were delayed due to problems with Apple's online
> > developer tools being offline for a while. There are huge UI improvements
> > and lots of bug fixes, thanks to our new mobile developer Monte Hurd.
> > Thanks Monte!
> >
> > We've been releasing smaller updates on Android in the meantime, so the
> > updates have been more incremental there.
> >
> > Both versions now include a quick 3-screen acceptable-use tutorial on
> first
> > login. iOS includes featured photos as examples as well; this will come
> to
> > Android in a future version.
> >
> >
> Thanks to Monte and Brion for the work on this.  I recently attended an
> "edit-a-thon" at the Royal Ontario Museum, and pointed the attendees (and
> ROM staff/interns) to this app - they were extremely enthusiastic, and I
> have a feeling we've already seen some images from them.
>
> Risker
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>



-- 
*Rodrigo Padula
Education Program Coordinator - Brazil
**Consultant for the Brazilian Catalyst Program at Wikimedia Foundation**
*
*+55 21 9326 0558
Blog: http://www.rodrigopadula.com
Twitter: @rodrigopadula*
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

On 20 August 2013 16:57, Brion Vibber  wrote:

> We have just released Commons for iOS (version 1.0.8) and Android
> (1.0beta11), with *major* UI and performance improvements on iOS and minor
> bug fixes on Android.
>
> This is our first release in a couple months on iOS -- we hoped to have one
> out before Wikimania but were delayed due to problems with Apple's online
> developer tools being offline for a while. There are huge UI improvements
> and lots of bug fixes, thanks to our new mobile developer Monte Hurd.
> Thanks Monte!
>
> We've been releasing smaller updates on Android in the meantime, so the
> updates have been more incremental there.
>
> Both versions now include a quick 3-screen acceptable-use tutorial on first
> login. iOS includes featured photos as examples as well; this will come to
> Android in a future version.
>
>
Thanks to Monte and Brion for the work on this.  I recently attended an
"edit-a-thon" at the Royal Ontario Museum, and pointed the attendees (and
ROM staff/interns) to this app - they were extremely enthusiastic, and I
have a feeling we've already seen some images from them.

Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Wikimedia Commons mobile photo uploader app updated on iOS and Android

We have just released Commons for iOS (version 1.0.8) and Android
(1.0beta11), with *major* UI and performance improvements on iOS and minor
bug fixes on Android.

This is our first release in a couple months on iOS -- we hoped to have one
out before Wikimania but were delayed due to problems with Apple's online
developer tools being offline for a while. There are huge UI improvements
and lots of bug fixes, thanks to our new mobile developer Monte Hurd.
Thanks Monte!

We've been releasing smaller updates on Android in the meantime, so the
updates have been more incremental there.

Both versions now include a quick 3-screen acceptable-use tutorial on first
login. iOS includes featured photos as examples as well; this will come to
Android in a future version.

Downloads and release notes:
* Apple App Store:
https://itunes.apple.com/us/app/wikimedia-commons/id630901780
* Google Play:
https://play.google.com/store/apps/details?id=org.wikimedia.commons
* Android direct download:
http://download.wikimedia.org/android/wikimedia-commons-1.0beta11.apk

-- brion vibber (brion @ pobox.com / bvibber @ wikimedia.org)
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

+foundation-l

On Aug 20, 2013, at 1:20 PM, Brion Vibber  wrote:

> This is an acceptable trade-off which we've allowed the Chinese government
> to make for us before, and here we're talking about a much smaller effect
> (on contributors only).
> 
> Again, it's not our business to fix China. China has to fix China.

None of which changes that this is not properly an ops team decision, 
particularly without notification, warning, workaround explained to people.

If the explanation as to the effects on users in those locales is correct, I 
would like the Ops team to voluntarily stand back and notify and allow some 
wider discussion and explanation of the workaround.

If Ops won't do that, then I would like to request that the WMF executive 
intervene and direct ops to pause and allow wider notification and discussion 
and explanation of the workaround.

If the WMF executive is not willing I would like to request that the Board 
review the situation promptly and direct a pause per above.

The outcome is not wrong.  THIS IS THE WRONG WAY TO DO IT, without warning and 
explanation to the community.

Sent from Kangphone
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

Wikipedia was blocked ENTIRELY in China for years; people interested in
*reading* as well as contributing used circumvention tools (VPNs etc) to
more securely access the site, and just got generic errors if they didn't.

This is an acceptable trade-off which we've allowed the Chinese government
to make for us before, and here we're talking about a much smaller effect
(on contributors only).

Again, it's not our business to fix China. China has to fix China.

-- brion



On Tue, Aug 20, 2013 at 1:15 PM, George William Herbert <
george.herb...@gmail.com> wrote:

>
>
> On Aug 20, 2013, at 12:57 PM, Brion Vibber  wrote:
>
> > IMO it's simply unacceptable to leak authentication tokens or account
> > passwords in cleartext; allowing any form of login over HTTP is dinosaur
> > behavior and we'd be crazy to let it continue, whether for "some sites"
> > only or all. We should require HTTPS for all logins on all sites in all
> > languages all the time.
>
>
> This is a defensible position.
>
> That is not my point.
>
> It appears that the ops team is about to kick anyone who is unfortunate
> enough to live in the wrong countries off the projects, without a clue what
> happened or obvious fallback they will realize.  Without publicity or
> explanation or a HTTP landing pad that explains.
>
> This magnitude of change is political, not purely technical/operational.
>  And demands both notification and a fallback that users will be reasonably
> able to grasp.
>
> Again, this is still a little fuzzy as to the impact.  But it seems like
> we dump China users of en.wp without warning or immediately obvious
> workaround.  And if that's right, the ops team should not do this.  It
> needs wider warnings and discussion, and is not an ops decision to make.
>
>
> Sent from Kangphone
>
>
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Aug 20, 2013, at 12:57 PM, Brion Vibber  wrote:

> IMO it's simply unacceptable to leak authentication tokens or account
> passwords in cleartext; allowing any form of login over HTTP is dinosaur
> behavior and we'd be crazy to let it continue, whether for "some sites"
> only or all. We should require HTTPS for all logins on all sites in all
> languages all the time.

This is a defensible position.

That is not my point.

It appears that the ops team is about to kick anyone who is unfortunate enough 
to live in the wrong countries off the projects, without a clue what happened 
or obvious fallback they will realize.  Without publicity or explanation or a 
HTTP landing pad that explains.

This magnitude of change is political, not purely technical/operational.  And 
demands both notification and a fallback that users will be reasonably able to 
grasp.

Again, this is still a little fuzzy as to the impact.  But it seems like we 
dump China users of en.wp without warning or immediately obvious workaround.  
And if that's right, the ops team should not do this.  It needs wider warnings 
and discussion, and is not an ops decision to make.

Sent from Kangphone

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Key community metrics to influence our plans


> On Tue, 20 Aug 2013 00:48:09 +0200, Rob Lanphier  wrote:
> 
> >
> >I'm personally interested in the absolute size of the Gerrit change
> >request queue, not in relation to anything else, but just as an
> >absolute number (over time).  When this number gets large, we should
> >all probably be interested in the following:
> >*  Breakdown by age of changeset.
> >*  Breakdown by project family (e.g. MediaWiki core, Wikimedia
> >deployed extensions, all MediaWiki extensions hosted in Gerrit).
> 
> This already exists, by the way. 
> https://www.mediawiki.org/wiki/Gerrit/Navigation#Reports

Neat.

Feature request: Make a nice graph of the data that shows those numbers
over time (per day I suppose?). I hear we have some analytics software
we can use... ;)

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |


signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

> Okay, so I think there's a fair deal of confusion in a lot of minds as to
how this all is going to work.  So let's take a fairly simple and common
use case, and work out how we're going to keep these users editing.

The use case I suggest we work out is "English Wikipedia editor who lives
in China and wants to edit English Wikipedia using his logged-in account."

So:

   - Can this user log in on English Wikipedia? (based on this discussion,
   no)
   - Can this user log in on an HTTPS-exempt Wikipedia (based on this
   discussion, any Chinese or Farsi project, yes)
  - How will they know that they have to go there?
  - When they try to go from Chinese Wikipedia to English Wikipedia,
   what happens?
  - Do they get an HTTP page, or an HTTPS one? (the latter of which is
  not accessible)
  - Do they remain logged in as HTTP? or do they get logged out because
  the enwp page is HTTPS by default?
   - If they manage to get as far as English Wikipedia, they can change
   their user preference to HTTP once that is enabled. Will that also allow
   them to log in under HTTP so they don't have to go to another project?

Now, I can personally think of a dozen editors to whom this *specific* user
case applies, and I know at least another dozen to whom similar user cases
apply in relation to other projects - and I really don't know that many
people.

I get the importance and value of this action plan.  At the same time,
there is no benefit to the movement to de facto block existing contributors
or ghettoize new ones. Essentially banning Iranian Wikimedians from editing
anything but Farsi projects is contrary to the core principles of the
Wikimedia movement; deliberately creating a situation where editors need to
break the law of their land to participate on Commons or Meta is a
significant problem.  It's bad enough when that is caused by external
forces outside of WMF control; it's disturbing when it is being caused by
WMF itself.


Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

The vast majority of people we serve with Wikipedia and friends don't have
accounts and don't log in, and won't be affected in any way by this change.

IMO it's simply unacceptable to leak authentication tokens or account
passwords in cleartext; allowing any form of login over HTTP is dinosaur
behavior and we'd be crazy to let it continue, whether for "some sites"
only or all. We should require HTTPS for all logins on all sites in all
languages all the time.

Note that there are plenty of projects producing and maintaining
block-circumvention tools, which is what folks who are running afoul of
government censorship should be looking into if they need to log into a
blocked site, or read blocked pages.

It's a bit out of scope for Wikimedia to fix China's internet, though it'd
be nice if we gave some recommendations on tools. Or would that just get us
more blocked?

-- brion

On Tue, Aug 20, 2013 at 12:46 PM, George William Herbert <
george.herb...@gmail.com> wrote:

>
>
> On Aug 20, 2013, at 12:03 PM, James Alexander 
> wrote:
>
> > Yeah, this seems to contradict what I thought Ryan was saying above and
> > what I was under the impression for. The bad use case for here (as
> describe
> > by Risker for example) is a mainland china user from zhWiki logging in
> > (through http) but now not being able to visit enWiki logged in at all
> > (because it will force them to https and https is blocked).
>
>
> Posed for sake of argument, assuming this interpretation is correct:
>
>
> This is unacceptable and a blocking bug to this rollout.
>
> The suggested "just find an excepted project and log in there first" is
> neither easy nor self-evident enough to be effective for those users.  The
> silent failure mode they will encounter will effectively be a silent site
> outage for them.
>
> The change must be delayed until people geographically / nationally denied
> HTTPS can log in again.
>
>
> Sent from Kangphone
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Aug 20, 2013, at 12:03 PM, James Alexander  wrote:

> Yeah, this seems to contradict what I thought Ryan was saying above and
> what I was under the impression for. The bad use case for here (as describe
> by Risker for example) is a mainland china user from zhWiki logging in
> (through http) but now not being able to visit enWiki logged in at all
> (because it will force them to https and https is blocked).

Posed for sake of argument, assuming this interpretation is correct:

This is unacceptable and a blocking bug to this rollout.

The suggested "just find an excepted project and log in there first" is neither 
easy nor self-evident enough to be effective for those users.  The silent 
failure mode they will encounter will effectively be a silent site outage for 
them.

The change must be delayed until people geographically / nationally denied 
HTTPS can log in again.

Sent from Kangphone
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread James Alexander

On Tue, Aug 20, 2013 at 11:31 AM, Chad  wrote:

> > * If you login from an http (non secure) login page such as zhWiki or
> > faWiki you will be able to remain logged in while going to a non secure
> > wiki page (http://en.wikipedia.org ) and not be forced to https (unless
> > you
> > selected that in your preference).
> >
> >
> Preferences are local, so unless the local preference has been
> set to false, you would end up on HTTPS.
>
>
> >
> > On a side note: I assume the preference is wiki based rather then global?
> >
> >
> Correct.
>
> I'm beginning to think there's a disconnect between what we coded
> and what people expect. The preference is *on* by default which I
> think is what's going to cause problems. We can change defaults
> before tomorrow so I think we should all be clear.
>
> -Chad
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>

Thanks Chad, that's a lot of help.

Yeah, this seems to contradict what I thought Ryan was saying above and
what I was under the impression for. The bad use case for here (as describe
by Risker for example) is a mainland china user from zhWiki logging in
(through http) but now not being able to visit enWiki logged in at all
(because it will force them to https and https is blocked).

I know Ryan used the term 'home wiki' some up in his emails. My
interpretation when reading the thread was that it actually meant the wiki
you were logging into (which I think is fine) and not the 'home' wiki that
is marked in the CentralAuth interface (though I can't figure out where
that's actually marked in the database...). If we are using that
'CentralAuth' definition we're going to have a lot of false negatives, a
significant amount of people are marked off as their home being enWiki or
somewhere else because it was the first place they created an account.
We've never really used 'home wiki' to mean anything other then first
account.

James

James Alexander
Legal and Community Advocacy
Wikimedia Foundation
(415) 839-6885 x6716 @jamesofur
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Tue, Aug 20, 2013 at 2:38 PM, Chad  wrote:

> Did you read the patch? If $wgSecureLogin is true, prefershttps is
> also true. This is core.
>

Oh, I didn't see that Demon had added that in. My bad.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Chad

On Tue, Aug 20, 2013 at 11:36 AM, Tyler Romeo  wrote:

> On Tue, Aug 20, 2013 at 2:31 PM, Chad  wrote:
>
> > I'm beginning to think there's a disconnect between what we coded
> > and what people expect. The preference is *on* by default which I
> > think is what's going to cause problems. We can change defaults
> > before tomorrow so I think we should all be clear.
> >
>
> Oh I was not aware of this. I just knew that in MW core itself the default
> is off. Didn't realize WMF changed it.
>
>
Did you read the patch? If $wgSecureLogin is true, prefershttps is
also true. This is core.

-Chad
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Tue, Aug 20, 2013 at 2:31 PM, Chad  wrote:

> I'm beginning to think there's a disconnect between what we coded
> and what people expect. The preference is *on* by default which I
> think is what's going to cause problems. We can change defaults
> before tomorrow so I think we should all be clear.
>

Oh I was not aware of this. I just knew that in MW core itself the default
is off. Didn't realize WMF changed it.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread Chad

On Tue, Aug 20, 2013 at 11:07 AM, James Alexander
wrote:

> * The 'force https' preference is an option that is, by default, turned
> off.
>

It is turned on by default when $wgSecureLogin is enabled.


>
> * However, for most wikis (not all), force https login is turned on.
>

That will be the case come tomorrow, yes.


> * Because forced https login is turned on the 'default' for those people
> will be to move from an https login to an https page because our normal
> workflow is to always keep you on https if you are already on https (if you
> are on page X, like a login page, in https then the next page X2 is also in
> https).
>

Yes, this is correct.


> * However, if you drop yourself down to http (for example just load the
> page in http by dropping the s from the address bar and pressing enter) you
> will not be forced back to https by default for the same reason (our normal
> workflow) assuming that you have not turned on the https preference.
>

No, it will put you back on HTTPS as that was the default. You
have to turn the preference off.


> * If you login from an http (non secure) login page such as zhWiki or
> faWiki you will be able to remain logged in while going to a non secure
> wiki page (http://en.wikipedia.org ) and not be forced to https (unless
> you
> selected that in your preference).
>
>
Preferences are local, so unless the local preference has been
set to false, you would end up on HTTPS.


>
> On a side note: I assume the preference is wiki based rather then global?
>
>
Correct.

I'm beginning to think there's a disconnect between what we coded
and what people expect. The preference is *on* by default which I
think is what's going to cause problems. We can change defaults
before tomorrow so I think we should all be clear.

-Chad
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

2013-08-20 Thread James Alexander

On Tue, Aug 20, 2013 at 10:58 AM, Tyler Romeo  wrote:

> To clarify, the default value for this HTTPS option is false, meaning you
> have to explicitly turn it on in order to force HTTPS. In other words, the
> only functional change being made by this deployment is that *login* on
> certain projects will be over HTTPS. So for those who do not have HTTPS,
> they will have to log in through a project that does not have secure login
> enabled. And once they do log in, they should be fine thereafter.
>
> *-- *
>

Thanks Tyler,

For clarification purposes I'm putting my understanding of this below, if
you or someone else thinks what I'm saying is wrong please correct :):

* The 'force https' preference is an option that is, by default, turned off.
* However, for most wikis (not all), force https login is turned on.
* Because forced https login is turned on the 'default' for those people
will be to move from an https login to an https page because our normal
workflow is to always keep you on https if you are already on https (if you
are on page X, like a login page, in https then the next page X2 is also in
https).
* However, if you drop yourself down to http (for example just load the
page in http by dropping the s from the address bar and pressing enter) you
will not be forced back to https by default for the same reason (our normal
workflow) assuming that you have not turned on the https preference.
* If you login from an http (non secure) login page such as zhWiki or
faWiki you will be able to remain logged in while going to a non secure
wiki page (http://en.wikipedia.org ) and not be forced to https (unless you
selected that in your preference).

On a side note: I assume the preference is wiki based rather then global?

James

James Alexander
Legal and Community Advocacy
Wikimedia Foundation
(415) 839-6885 x6716 @jamesofur
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

To clarify, the default value for this HTTPS option is false, meaning you
have to explicitly turn it on in order to force HTTPS. In other words, the
only functional change being made by this deployment is that *login* on
certain projects will be over HTTPS. So for those who do not have HTTPS,
they will have to log in through a project that does not have secure login
enabled. And once they do log in, they should be fine thereafter.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com


On Tue, Aug 20, 2013 at 1:54 PM, Risker  wrote:

> On 20 August 2013 13:12, Greg Grossmeier  wrote:
>
> > 
> > > On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride  wrote:
> > >
> > > > (And if the user preference isn't meant to serve those who can't use
> > > > HTTPS, who is it intended to serve?)
> > > >
> > >
> > > My point is that it doesn't matter what your user preference is.
> Whether
> > > it's false or true, you still have to log in over HTTPS. In other
> words,
> > > the user preference has no effect on your ability to use the site.
> >
> > One group of users that is always being forgotten in this discussion is
> > the group who use Wikipedia over really crappy connections that aren't
> > censoring them. These users will have a hard time using an SSL
> > connection due to the added resources/round trips and have a legitimate
> > non-China/NSA excuse to disable HTTPS after they login (where the added
> > roundtrips are probably worthwhile to keep their username/password
> > safe).
>
>
> This is correct, but it is still not addressing the question of what
> happens to users who are completely unable to use HTTPS, and whether or not
> they will remain logged in if they try to reach another HTTPS-standard
> project if they start off from Chinese/Farsi projects.
>
> We have project-specific IPBE user-rights for users who are affected by
> blocked IP addresses (which include but aren't limited to TOR nodes or
> other blocked proxies).  Is it possible to create a similar user-right for
> "HTTPS not default for login" for this users?
>
> We are talking about a non-negligible number of high-activity users on
> multiple projects being adversely affected here, including several stewards
> (cross-project issues), administrators, and high-productivity editors.  It
> is important to find a way that is certain to allow them to log in and to
> move across multiple projects, and doing so should not be considered an
> *enhancement*, it should be considered a required feature of the new
> process.  (It may not be a blocker, but I'd hope to see this "fixed" before
> the end of the month.)
>
> Risker
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On 20 August 2013 13:12, Greg Grossmeier  wrote:

> 
> > On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride  wrote:
> >
> > > (And if the user preference isn't meant to serve those who can't use
> > > HTTPS, who is it intended to serve?)
> > >
> >
> > My point is that it doesn't matter what your user preference is. Whether
> > it's false or true, you still have to log in over HTTPS. In other words,
> > the user preference has no effect on your ability to use the site.
>
> One group of users that is always being forgotten in this discussion is
> the group who use Wikipedia over really crappy connections that aren't
> censoring them. These users will have a hard time using an SSL
> connection due to the added resources/round trips and have a legitimate
> non-China/NSA excuse to disable HTTPS after they login (where the added
> roundtrips are probably worthwhile to keep their username/password
> safe).

This is correct, but it is still not addressing the question of what
happens to users who are completely unable to use HTTPS, and whether or not
they will remain logged in if they try to reach another HTTPS-standard
project if they start off from Chinese/Farsi projects.

We have project-specific IPBE user-rights for users who are affected by
blocked IP addresses (which include but aren't limited to TOR nodes or
other blocked proxies).  Is it possible to create a similar user-right for
"HTTPS not default for login" for this users?

We are talking about a non-negligible number of high-activity users on
multiple projects being adversely affected here, including several stewards
(cross-project issues), administrators, and high-productivity editors.  It
is important to find a way that is certain to allow them to log in and to
move across multiple projects, and doing so should not be considered an
*enhancement*, it should be considered a required feature of the new
process.  (It may not be a blocker, but I'd hope to see this "fixed" before
the end of the month.)

Risker
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] We need to talk about AbuseFilter on mobile

2013-08-20 Thread Chris Steipp

If you can figure out what abuse rule was triggered, you can look at all
the hits on Special:AbuseLog. For example
'abusefilter-warning-all-categories-removed
668' is probably rule 132, so you can see that at
https://en.wikipedia.org/w/index.php?title=Special:AbuseLog&wpSearchFilter=132



On Tue, Aug 20, 2013 at 10:39 AM, Jon Robson  wrote:

> MZ brings up a good point. Do we have any idea what the reject rate is
> for Abusefilter on desktop?
>
> Also is there any way to view the edits that triggered AbuseFilter to
> get an idea bout  what % of them were actually vandalism?
>
> On Mon, Aug 19, 2013 at 6:25 PM, MZMcBride  wrote:
> > Jon Robson wrote:
> >>Between 31st July 2013 (00:00:00) and August 19th (@ 18:53:18)...
> >>
> >>15089 of all mobile edits resulted in an error compared to 23455
> >>successful edits (38544 edits in total)- that's a 39% error rate which
> >>is simply unacceptable. The breakdown of these errors is as follows.
> >>The most alarming is AbuseFilter - it is accounting for 72% of all
> >>editing errors, costing all of our projects a lot of edits.
> >>
> >>[stats]
> >
> > These numbers don't mean a whole lot (to me, at least) without a
> > comparison to stats for non-mobile edits. We knew when the AbuseFilter
> was
> > introduced that it wasn't always going to be used to filter only abuse.
> > People naturally use it for all kinds of crazy purposes these days.
> > Without a bit more context, it's difficult to know what's actually a
> > problem (in relative terms).
> >
> > MZMcBride
> >
> >
> >
> > ___
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
>
>
> --
> Jon Robson
> http://jonrobson.me.uk
> @rakugojon
>
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] We need to talk about AbuseFilter on mobile

2013-08-20 Thread Jon Robson

MZ brings up a good point. Do we have any idea what the reject rate is
for Abusefilter on desktop?

Also is there any way to view the edits that triggered AbuseFilter to
get an idea bout  what % of them were actually vandalism?

On Mon, Aug 19, 2013 at 6:25 PM, MZMcBride  wrote:
> Jon Robson wrote:
>>Between 31st July 2013 (00:00:00) and August 19th (@ 18:53:18)...
>>
>>15089 of all mobile edits resulted in an error compared to 23455
>>successful edits (38544 edits in total)- that's a 39% error rate which
>>is simply unacceptable. The breakdown of these errors is as follows.
>>The most alarming is AbuseFilter - it is accounting for 72% of all
>>editing errors, costing all of our projects a lot of edits.
>>
>>[stats]
>
> These numbers don't mean a whole lot (to me, at least) without a
> comparison to stats for non-mobile edits. We knew when the AbuseFilter was
> introduced that it wasn't always going to be used to filter only abuse.
> People naturally use it for all kinds of crazy purposes these days.
> Without a bit more context, it's difficult to know what's actually a
> problem (in relative terms).
>
> MZMcBride
>
>
>
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l



-- 
Jon Robson
http://jonrobson.me.uk
@rakugojon

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Tue, Aug 20, 2013 at 1:12 PM, Greg Grossmeier  wrote:

> One group of users that is always being forgotten in this discussion is
> the group who use Wikipedia over really crappy connections that aren't
> censoring them. These users will have a hard time using an SSL
> connection due to the added resources/round trips and have a legitimate
> non-China/NSA excuse to disable HTTPS after they login (where the added
> roundtrips are probably worthwhile to keep their username/password
> safe).
>

Indeed, and in those case they just leave their HTTPS preference turned off
(since the default is off anyway).

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Deployment highlights - week of August 19th

2013-08-20 Thread Federico Leva (Nemo)


Thank you both, concise and clear. :)
Even though they are just quick ephemeral updates they are useful so 
I've copied them to

*  and
* 


which appear to be the (only) pages where they fit.

Nemo

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

> On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride  wrote:
> 
> > (And if the user preference isn't meant to serve those who can't use
> > HTTPS, who is it intended to serve?)
> >
> 
> My point is that it doesn't matter what your user preference is. Whether
> it's false or true, you still have to log in over HTTPS. In other words,
> the user preference has no effect on your ability to use the site.

One group of users that is always being forgotten in this discussion is
the group who use Wikipedia over really crappy connections that aren't
censoring them. These users will have a hard time using an SSL
connection due to the added resources/round trips and have a legitimate
non-China/NSA excuse to disable HTTPS after they login (where the added
roundtrips are probably worthwhile to keep their username/password
safe).

Greg

-- 
| Greg GrossmeierGPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @gregA18D 1138 8E47 FAC8 1C7D |

signature.asc
Description: Digital signature
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] FOSDEM: main tracks and developer rooms

2013-08-20 Thread Arthur Richards

We've talked in the past about hosting a Wikimedia dev room or table for
FOSDEM, but never got our acts together to apply. I think we should
*totally* apply for a wiki devroom this year - FOSDEM is one of the best
conferences I've ever been to, and especially given our wiki-representation
in Europe, there are a million reasons why we should have a strong presence
there. Let's do it!


On Wed, Aug 21, 2013 at 1:00 AM, Quim Gil  wrote:

> FOSDEM will take place on 1 and 2 February 2014 in Brussels. Now it's the
> time to apply for DevRooms and main track sessions.
>
> https://fosdem.org/2014/news/**2013-08-06-call-for-**participation/
>
> Key dates:
>
> 15 September
> * deadline for developer room proposals
>
> 1 October
> * deadline for main track proposals
> * accepted developer rooms announced
>
> I think Wikimedia needs FOSDEM and FOSDEM needs Wikimedia. We could
> mobilize European developers and tech-friendly chapters to work on a
> combined outreach action.
>
> First things first: proposing a Wiki DevRoom. What do you think? Note that
> it's "Wiki", not just Wikimedia or MediaWiki.
>
> We should also brainstorm what are the best main track session candidates.
>
> --
> Quim Gil
> Technical Contributor Coordinator @ Wikimedia Foundation
> http://www.mediawiki.org/wiki/**User:Qgil
>
> __**_
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/**mailman/listinfo/wikitech-l




-- 
Arthur Richards
Software Engineer, Mobile
[[User:Awjrichards]]
IRC: awjr
+1-415-839-6885 x6687
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] FOSDEM: main tracks and developer rooms

2013-08-20 Thread Quim Gil

FOSDEM will take place on 1 and 2 February 2014 in Brussels. Now it's 
the time to apply for DevRooms and main track sessions.


https://fosdem.org/2014/news/2013-08-06-call-for-participation/

Key dates:

15 September
* deadline for developer room proposals

1 October
* deadline for main track proposals
* accepted developer rooms announced

I think Wikimedia needs FOSDEM and FOSDEM needs Wikimedia. We could 
mobilize European developers and tech-friendly chapters to work on a 
combined outreach action.


First things first: proposing a Wiki DevRoom. What do you think? Note 
that it's "Wiki", not just Wikimedia or MediaWiki.


We should also brainstorm what are the best main track session candidates.

--
Quim Gil
Technical Contributor Coordinator @ Wikimedia Foundation
http://www.mediawiki.org/wiki/User:Qgil

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Key community metrics to influence our plans

2013-08-20 Thread Andre Klapper

On Mon, 2013-08-19 at 13:05 -0700, Quim Gil wrote:
> Out of code contributions, the only candidate to become a KPI that came 
> to mind was the effectiveness responding to Bugzilla reports. Maybe you 
> are right the priority of this one is higher than the age of code 
> contributors. Thoughts?

Refering to Bugzilla only:

As listed on http://www.mediawiki.org/wiki/Talk:Community_metrics ,
I'd be interested in two things:

Average time to resolve a ticket: Delta between creation of a report and
setting the status RESOLVED.
Preferably separately for "real" bugs and severity=enhancement.
Might also make sense to have a specific one for setting the status
RESOLVED && resolution FIXED, to only cover code fixes.

And average time to response to new tickets: Delta between creation of a
report and any next change (setting priority, adding an initial comment,
etc.) which is NOT done by the original reporter. If that's possible.

All in all, the proposed metrics look really good to me, great work! 
Looking forward to seeing most of that implemented!

andre
-- 
Andre Klapper | Wikimedia Bugwrangler
http://blogs.gnome.org/aklapper/

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st

On Tue, Aug 20, 2013 at 10:34 AM, MZMcBride  wrote:

> I'm not sure that counts as moot. People incapable of using HTTPS will
> simply be locked out of their accounts indefinitely? How many users will
> this affect?
>
> I wonder if making it possible to toggle this user preference via e-mail
> would make sense. Wikimedia wikis are too large and too diverse to not
> expect that a certain percent of users won't be able to use HTTPS. I'd
> really like to avoid losing these users. Of course even a "toggle by
> e-mail" option still wouldn't solve the login issue. Hmmm.
>
> (And if the user preference isn't meant to serve those who can't use
> HTTPS, who is it intended to serve?)
>

My point is that it doesn't matter what your user preference is. Whether
it's false or true, you still have to log in over HTTPS. In other words,
the user preference has no effect on your ability to use the site.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] HTTPS for logged in users on Wednesday August 21st