Re: [Wikitech-l] Global user pages deployed to all wikis
Yeah, thanks for your work on this Kunal! enwiki: userpage deletion requested dewiki: local userpage deleted :D Best / Freundliche Grüße Florian Schmidt -Original-Nachricht- Betreff: [Wikitech-l] Global user pages deployed to all wikis Datum: Thu, 19 Feb 2015 02:07:16 +0100 Von: Legoktm legoktm.wikipe...@gmail.com An: wikitech-l@lists.wikimedia.org, Coordination of technology deployments across languages/projects wikitech-ambassad...@lists.wikimedia.org Hello! Global user pages have now been deployed to all public wikis for users with CentralAuth accounts. Documentation on the feature is available at mediawiki.org[1], and if you notice any bugs please file them in Phabricator[2]. Thanks to all the people who helped with the creation and deployment (incomplete, and in no particular order): Jack Phoenix ShoutWiki, Isarra, MZMcBride, Nemo, Quiddity, Aaron S, Matt F, James F, and everyone who helped with testing it while it was in beta. [1] https://www.mediawiki.org/wiki/Help:Extension:GlobalUserPage [2] https://phabricator.wikimedia.org/maniphest/task/create/?projects=PHID-PROJ-j536clyie42uptgjkft7 ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Global user pages deployed to all wikis
Now maybe create some user friendly documentation less technical than what is on extension-desc which tell users how to use this? On Thu, Feb 19, 2015 at 9:30 AM, florian.schmidt.wel...@t-online.de florian.schmidt.wel...@t-online.de wrote: Yeah, thanks for your work on this Kunal! enwiki: userpage deletion requested dewiki: local userpage deleted :D Best / Freundliche Grüße Florian Schmidt -Original-Nachricht- Betreff: [Wikitech-l] Global user pages deployed to all wikis Datum: Thu, 19 Feb 2015 02:07:16 +0100 Von: Legoktm legoktm.wikipe...@gmail.com An: wikitech-l@lists.wikimedia.org, Coordination of technology deployments across languages/projects wikitech-ambassad...@lists.wikimedia.org Hello! Global user pages have now been deployed to all public wikis for users with CentralAuth accounts. Documentation on the feature is available at mediawiki.org[1], and if you notice any bugs please file them in Phabricator[2]. Thanks to all the people who helped with the creation and deployment (incomplete, and in no particular order): Jack Phoenix ShoutWiki, Isarra, MZMcBride, Nemo, Quiddity, Aaron S, Matt F, James F, and everyone who helped with testing it while it was in beta. [1] https://www.mediawiki.org/wiki/Help:Extension:GlobalUserPage [2] https://phabricator.wikimedia.org/maniphest/task/create/?projects=PHID-PROJ-j536clyie42uptgjkft7 ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] If you hear about 'hackathon buddies'...
On Thu, Feb 19, 2015 at 4:29 PM, Petr Bena benap...@gmail.com wrote: P.S. I no have a buddy :'( no one lieks me Others have conveyed the same message in different ways. Let's proceed with the experiment: https://www.mediawiki.org/wiki/Lyon_Hackathon_2015/Buddies (The Wikimania site is still lacking a Hackathon page in the first place -- https://phabricator.wikimedia.org/T88405 ) ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] OOjs UI 0.8.0 release
OOjs UI 0.8.0 has been released today. It will be in MW from 1.25wmf19+. *Breaking changes since last release:* - [BREAKING CHANGE] Make default distribution provide SVG with PNG fallback (Bartosz Dziewoński) We've tagged this as a breaking change, but the only breakage is renaming the stylesheet files. This will only break for systems which are responsible for importing the library. This is fixed for MediaWiki and for VisualEditor standalone; no other users should be affected. As part of this change, from MediaWiki 1.25wmf19 onwards, OOjs UI will provide raster icon fallbacks for the vector icons, which we were previously not using. *Deprecations since last major release:* - DEPRECATION: TextInputWidget: Deprecate 'icon' and 'indicator' events (Bartosz Dziewoński) The functionality they expose (user clicking on the icon/indicator) is fundamentally not accessible: the icon/indicator is not focusable (has no tabindex), has no keyboard events, doesn't have a label associated or a tooltip, and has no sensible way of fixing all of this. If something needs to be clickable separately, it should probably be a separate Widget with the appropriate mixins added. - DEPRECATION: ButtonWidget: Rename nofollow config option to noFollow (C. Scott Ananian) We're switching this feature (added just last release) to use consistent camel case. The old `nofollow` property still works for backward compatibility, but it is deprecated and will be removed in the next major release but one. If you have any further questions or need help dealing with deprecations, please let me know. General library documentation is available at mediawiki.org https://www.mediawiki.org/wiki/OOjs_UI and generated code-level documentation at doc.mediawiki.org https://doc.wikimedia.org/oojs-ui/master/#!/api. - Trevor ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] If you hear about 'hackathon buddies'...
On Thu, Feb 19, 2015 at 4:29 PM, Petr Bena benap...@gmail.com wrote: Is there any limit for a number of buddies? Let's not overcomplicate things. I suppose that one WMF employee can have more than 1 non-WMF buddy, otherwise the limit of non-WMF people at hackathon would equal number of employees :P Revise your algorithm. :) While WMF employees must find non-WMF buddies, non-WMF employees can buddy up with other non-WMF employees. Pine, the initial idea of the buddies came up in an Engineering Community team meeting around the MediaWiki Developer Summit a few weeks ago. We have discussed it a bit in a couple of Phabricator tasks, a wiki page, and (in the past 24 hours) in two mailing lists. I don't think the Wikimedia Conference in Germany or any other event currently scheduled has even heard about this concept. If you like it, please advocate for it. :) ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] (no subject)
Hello everyone, am Angela. Am happy to be part of this mailing list. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] If you hear about 'hackathon buddies'...
Thanks. Forwarding to Ellie for her consideration. Pine On Feb 19, 2015 11:41 AM, Quim Gil q...@wikimedia.org wrote: On Thu, Feb 19, 2015 at 4:29 PM, Petr Bena benap...@gmail.com wrote: Is there any limit for a number of buddies? Let's not overcomplicate things. I suppose that one WMF employee can have more than 1 non-WMF buddy, otherwise the limit of non-WMF people at hackathon would equal number of employees :P Revise your algorithm. :) While WMF employees must find non-WMF buddies, non-WMF employees can buddy up with other non-WMF employees. Pine, the initial idea of the buddies came up in an Engineering Community team meeting around the MediaWiki Developer Summit a few weeks ago. We have discussed it a bit in a couple of Phabricator tasks, a wiki page, and (in the past 24 hours) in two mailing lists. I don't think the Wikimedia Conference in Germany or any other event currently scheduled has even heard about this concept. If you like it, please advocate for it. :) ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] Partial (but dramatic) labs outage on Tuesday: 2015-02-24 1500UTC-1800UTC
It is with a heavy heart that I must share the news of an upcoming Labs maintenance window. The labs NFS store (which you probably know as /data/project) is filling up rapidly and we need to add more drives. By weird coincidence the actual physical space for that server in the datacenter is ALSO filling up, so Chris Johnson has graciously agreed to spend his day re-shuffling servers in order to make space for the new diskshelf. This involves lots of unplugging and replugging and amounts to the fact that the NFS server will need to be turned off for several hours. During this window Chris will take care of another long-deferred maintenance task -- he's putting more RAM into the labs puppet master, virt1000. What will break: - Shared storage for all labs and tools instances. That includes volumes like /data/project, /public/dumps, /data/scratch, /home - Logins to all instances running ubuntu Precise. (Trusty hosts will /probably/ still support logins.) - Login to wikitech and manipulation of instances. What won't break: - Labs instances will continue to run - Tasks running on instances will continue to run; those that don't rely on shared storage should be fine. - Web proxies should keep working, if the services they support aren't relying on shared storage. What will get better: - More storage space! - Fewer problems with dumps filling up NFS (which is basically the same as 'more storage space'. - More reliable puppet runs and fewer outages with miscellaneous OpenStack services (which also run on virt1000) I apologize in advance for this downtime. Don't hesitate to contact me or Coren either here or on IRC with advice about how to harden your tool against this upcoming outage. We will also be available on IRC during and after the outage to help revive things that are angry about the timeouts. -Andrew ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] If you hear about 'hackathon buddies'...
On Feb 19, 2015 2:55 PM, Pine W wiki.p...@gmail.com wrote: Thanks. Forwarding to Ellie for her consideration. Ellie doesn't seem to be mentioned on https://meta.wikimedia.org/wiki/Wikimedia_Conference_2015 or in it's edit history. So probably the wrong person. Maybe try the talk page there. But also give some reason why it would be applicable, advance a goal, etc. And it couldn't be ported directly because there's more classes of people e.g. chapters' folks. (not sure what is or isn't in scope for her job but certainly the focus is Wikimania and she'd need to focus on that while the Germany conference planning is at its peak) -Jeremy ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] (no subject)
Welcome to the list Angela! Let us know if there's anything we can help with. Also you may want to join the IRC channels #wikimedia-dev and #wikimedia-tech. Cheers! Ryan Kaldari On Thu, Feb 19, 2015 at 11:22 AM, Angela lum neh lumneh.angela...@gmail.com wrote: Hello everyone, am Angela. Am happy to be part of this mailing list. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] E-mail login to wiki - needs feedback
Hello, Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same. [1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in *where there is a wifi, there is a way* ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
I described an alternate idea on how to avoid timing attacks without limiting it to one account per address. https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-mail_address/Timing_attacks_on_emails_with_multiple_accounts ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/] On 2015-02-19 5:27 AM, Tyler Romeo wrote: I've said this previously, but I believe the only controversial part of this change is ensuring the security and privacy of email addresses. All this involves is constructing a process where every login, regardless of the identifier and regardless of the database state, always performs one and exactly one database query and one and exactly one password hashing. On 2/19/15 07:54, Tony Thomas wrote: Hello, Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same. [1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in *where there is a wifi, there is a way* ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
I would rather avoid this approach, because it involves running multiple (sometimes as many as 5) password hashing operations. The idea of our current key stretching with bcrypt is that the strength parameter should be just large enough to not affect UX. But if we're running the hash many times, now we have to reduce the bcrypt strength, and as a result reduce our defenses against other attacks. If we just always check one email address, not only do we fulfill most users' use cases (a single account with their email), but we avoid adopting any complicated cryptosystem and keep our password hashing as simple as possible. -- Tyler Romeo On 2/19/15 08:36, Daniel Friesen wrote: I described an alternate idea on how to avoid timing attacks without limiting it to one account per address. https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-mail_address/Timing_attacks_on_emails_with_multiple_accounts ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/] On 2015-02-19 5:27 AM, Tyler Romeo wrote: I've said this previously, but I believe the only controversial part of this change is ensuring the security and privacy of email addresses. All this involves is constructing a process where every login, regardless of the identifier and regardless of the database state, always performs one and exactly one database query and one and exactly one password hashing. On 2/19/15 07:54, Tony Thomas wrote: Hello, Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same. [1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in *where there is a wifi, there is a way* ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l signature.asc Description: OpenPGP digital signature ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
I've said this previously, but I believe the only controversial part of this change is ensuring the security and privacy of email addresses. All this involves is constructing a process where every login, regardless of the identifier and regardless of the database state, always performs one and exactly one database query and one and exactly one password hashing. On 2/19/15 07:54, Tony Thomas wrote: Hello, Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same. [1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in *where there is a wifi, there is a way* ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l signature.asc Description: OpenPGP digital signature ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
Bináris wrote: 2015-02-19 13:54 GMT+01:00 Tony Thomas 01tonytho...@gmail.com: I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. I think everybody has the chance to choose as simple username as they can remember. It's not nuclear physics or cerebral surgery. Where am I wrong? It's not a matter of choosing a single, simple user name, per se, it's choosing a user name on Wikimedia wikis, on Twitter, on Facebook, on Gmail, on GitHub, and on a million other sites on the Web. Yes, users should choose memorable user names and secure passwords on each site and never forget them, but that isn't the world we live in. We dramatically reduce our barrier to entry by allowing login via e-mail address as users can typically remember their own e-mail address. Do you disagree? MediaWiki not only currently disallows login via e-mail address, login is case-sensitive (e.g., MZ and Mz can be different users). In your experience, is MediaWiki's current authentication architecture following common or best practices? I personally think there's a lot of work needed. MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] If you hear about 'hackathon buddies'...
Is there any limit for a number of buddies? I suppose that one WMF employee can have more than 1 non-WMF buddy, otherwise the limit of non-WMF people at hackathon would equal number of employees :P P.S. I no have a buddy :'( no one lieks me On Thu, Feb 19, 2015 at 3:57 PM, Quim Gil q...@wikimedia.org wrote: Yesterday we opened the travel request process for Wikimedia Foundation employees in Engineering and Product willing to participate at the Wikimedia Hackathon or Wikimania. There is no public link, but you can follow this task at https://phabricator.wikimedia.org/T89355 In this process, we are asking WMF employees to find a hackathon buddy with the sole requirement of not being another WMF employee. In fact, in the registration for the hackathons we will request the same to all participants. https://www.mediawiki.org/wiki/Hackathons#Pairing_buddies This means that non-WMF contributors might receive a request from a WMF employee to be hackathon buddies. This also means that if you are planning to participate in any of these events (and especially if you plan to request travel sponsorship to Lyon) you will be encouraged to find a buddy as well. It's going to be fun. :) And no worries, we will help making connections to whoever needs that help. -- Quim Gil Engineering Community Manager @ Wikimedia Foundation http://www.mediawiki.org/wiki/User:Qgil ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
On 15-02-19 09:27 AM, MZMcBride wrote: n a second or third iteration, we'd ideally have an intermediate post-login screen that allows the user to select an account to use. That would be a catastrophe, from a privacy standpoint; even if we restrict this to verified email addresses, there is no possible guarantee that the person who controled email address x@y in the past is the person who controls it today. It would also have horrid security implication if you allow further creation of accounts sharing an email (which would be necessary to make that feature useful): create an account with the email of someone you want to find the Wikimedia account of, log in, be presented with the accounts. -- Marc ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
2015-02-19 13:54 GMT+01:00 Tony Thomas 01tonytho...@gmail.com: I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. I think everybody has the chance to choose as simple username as they can remember. It's not nuclear physics or cerebral surgery. Where am I wrong? ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
On Thursday, February 19, 2015, Tony Thomas 01tonytho...@gmail.com wrote: I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. It's also important because users of mobile devices are very used to this design pattern for logging in to apps, and having it in the mobile apps is blocked by not having it in MediaWiki. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. I wouldn't even try to tackle that problem for a first pass at this. If we can get login with username working for the case where there is a one-to-one match between email and password, that's a *huge* step forwards. The many-to-one case can follow afterwards. Dan -- Dan Garry Associate Product Manager, Mobile Apps Wikimedia Foundation ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
Hi all, I'm the one who started that bug-now-task a while back, and for context, it was based directly on user feedback. What MzM says above is right. I was working with a casual (but quite good) editor who said to me well, I'd edit that Wikipedia page, but I don't edit very often and I can never remember what my login is, since my usual login was taken. But if I could enter my email address, it would be a lot easier and I'd be more likely to just do it. Struck by the idea that this was a barrier to editing, I asked around and got similar feedback from other people, for both public and private mediawikis. So I submitted the bug for consideration. I know it's difficult and there's been a lot of discussion on how to technically do it, but I think the underlying need definitely still exists. thanks, Phoebe On Thu, Feb 19, 2015 at 4:54 AM, Tony Thomas 01tonytho...@gmail.com wrote: Hello, Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. Currently multiple users can sign-up with the same e-mail id - which would possibly be a blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on the same. [1] https://phabricator.wikimedia.org/T30085 [2] https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address Thanks, Tony Thomas http://tttwrites.wordpress.com/ FOSS@Amrita http://foss.amrita.ac.in *where there is a wifi, there is a way* ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l -- * I use this address for lists; send personal messages to phoebe.ayers at gmail.com * ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
Note: As the assignee of T30085 and also as main contributor of RfC, I'll create a patch when proper consensus completed. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Global user pages deployed to all wikis
Erik Moeller wrote: Thanks for all _your_ work seeing this through the finish line as well, Kunal. This is a great first step towards better user profile support, and brings all Wikimedia wikis closer together. Absolutely. I'm so proud of the work Legoktm has done and I'm very grateful that he has chosen to devote his time and talents to improving Wikimedia. I also think there's a whole lot to be learned from the smoothness and near banality of these feature deployments. They're a showcase of how all deployments should ideally be, in my opinion. Petr Bena wrote: Now maybe create some user friendly documentation less technical than what is on extension-desc which tell users how to use this? We have https://meta.wikimedia.org/wiki/Global_user_pages for Wikimedia wikis. Patches welcome. ;-) There has also been some great discussion recently on the Wikimedia Forum about global user pages (cf. https://meta.wikimedia.org/wiki/Wikimedia_Forum and https://meta.wikimedia.org/w/index.php?oldid=11317230), which includes trying to figure out where and how to better document this new feature. MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
Marc A. Pelletier wrote: On 15-02-19 09:27 AM, MZMcBride wrote: In a second or third iteration, we'd ideally have an intermediate post-login screen that allows the user to select an account to use. That would be a catastrophe, from a privacy standpoint; even if we restrict this to verified email addresses, there is no possible guarantee that the person who controled email address x@y in the past is the person who controls it today. My understanding is that this intermediate screen would only trigger if an account is using both the same verified e-mail address _and_ the same password. I don't believe there's any privilege escalation or privacy concern to allow users to login to multiple accounts that share an e-mail address (considered private/secret) and that share a password, which are the two inputs we'd be accepting during user login. It's checking multiple passwords that starts to introduce a lot more concerns about timing attacks, as I understand it. This is a hard problem, as we typically want password verification to be relatively slow. That said, these types of concerns that you're raising are fantastic to consider and discuss (thank you!). I think we need a lot of scrutiny in this area to ensure that we implement a sane, secure solution. It would also have horrid security implication if you allow further creation of accounts sharing an email (which would be necessary to make that feature useful): create an account with the email of someone you want to find the Wikimedia account of, log in, be presented with the accounts. Same as above, I think. :-) MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
Tony Thomas wrote: Before someone starts with a proposal for the proposed-tech-project 'Allow user login with e-mail address'[1], is there still community consensus for the same ? I personally think its a must-have for MediaWiki, as e-mail address is easy to remember than a complex username. [...] [1] https://phabricator.wikimedia.org/T30085 Hi. Yes, I believe there's consensus to implement this feature. It's incredibly common practice on the Web to allow login via e-mail address. MediaWiki fortunately already supports storing and authenticating e-mail addresses, so the work to allow login via e-mail address hopefully shouldn't be too difficult. The tricky parts are that e-mail addresses are considered private information and there's no requirement that e-mail addresses be unique in the user table. As you mention, there are many instances of multiple users using the same e-mail address. As part of a first iteration, we'd likely simply disallow login via e-mail address for the ambiguous cases. In a second or third iteration, we'd ideally have an intermediate post-login screen that allows the user to select an account to use. This account selector may also one day tie in with the idea of having an account switcher (i.e., the ability to easily switch between multiple accounts without needing to log out and re-authenticate). However, these are tangential features that quickly start to get a lot more complicated when you consider single user login and its cross-domain magic, login sessions, cookies, etc. MZMcBride ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
[Wikitech-l] If you hear about 'hackathon buddies'...
Yesterday we opened the travel request process for Wikimedia Foundation employees in Engineering and Product willing to participate at the Wikimedia Hackathon or Wikimania. There is no public link, but you can follow this task at https://phabricator.wikimedia.org/T89355 In this process, we are asking WMF employees to find a hackathon buddy with the sole requirement of not being another WMF employee. In fact, in the registration for the hackathons we will request the same to all participants. https://www.mediawiki.org/wiki/Hackathons#Pairing_buddies This means that non-WMF contributors might receive a request from a WMF employee to be hackathon buddies. This also means that if you are planning to participate in any of these events (and especially if you plan to request travel sponsorship to Lyon) you will be encouraged to find a buddy as well. It's going to be fun. :) And no worries, we will help making connections to whoever needs that help. -- Quim Gil Engineering Community Manager @ Wikimedia Foundation http://www.mediawiki.org/wiki/User:Qgil ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] If you hear about 'hackathon buddies'...
This is a great idea, Quim. Will the same concept apply to the Wikimedia Conference in Germany? Pine On Feb 19, 2015 6:57 AM, Quim Gil q...@wikimedia.org wrote: Yesterday we opened the travel request process for Wikimedia Foundation employees in Engineering and Product willing to participate at the Wikimedia Hackathon or Wikimania. There is no public link, but you can follow this task at https://phabricator.wikimedia.org/T89355 In this process, we are asking WMF employees to find a hackathon buddy with the sole requirement of not being another WMF employee. In fact, in the registration for the hackathons we will request the same to all participants. https://www.mediawiki.org/wiki/Hackathons#Pairing_buddies This means that non-WMF contributors might receive a request from a WMF employee to be hackathon buddies. This also means that if you are planning to participate in any of these events (and especially if you plan to request travel sponsorship to Lyon) you will be encouraged to find a buddy as well. It's going to be fun. :) And no worries, we will help making connections to whoever needs that help. -- Quim Gil Engineering Community Manager @ Wikimedia Foundation http://www.mediawiki.org/wiki/User:Qgil ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] E-mail login to wiki - needs feedback
On Thu, Feb 19, 2015 at 6:44 AM, Marc A. Pelletier m...@uberbox.org wrote: That would be a catastrophe, from a privacy standpoint; even if we restrict this to verified email addresses, there is no possible guarantee that the person who controled email address x@y in the past is the person who controls it today. Not that precedent makes it right, but this is possible already with password reset. We assume that if you control x@y, you are entitled to control any accounts with a confirmed email of x@y. It would also have horrid security implication if you allow further creation of accounts sharing an email (which would be necessary to make that feature useful): create an account with the email of someone you want to find the Wikimedia account of, log in, be presented with the accounts. If it's limited to accounts with a confirmed email, and the passwords all match, then this isn't an issue (unless I'm misunderstanding your concern). As an attacker, I can't confirm the email of my victim for my account, and it's unlikely that I can set the same password (otherwise I'd just login as them). But those requirements do require hashing the password per user, which does leak timing information when we run this in php with our current password system-- maybe we can find a service to do all the hashing in parallel. But to start, just not allowing that case would cover the 90% (99.9% probably) use case. ___ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l