Regarding "Mandatory code review (especially with a required waiting time) and
mandatory reauthentication are far more invasive than removing JS editing
permissions from administrators who don't want them.": I think that mandatory
code review and mandatory authentication would be far less costly
On Tue, Jun 12, 2018 at 8:56 AM Federico Leva (Nemo)
wrote:
> Personally I'd like us to explore agnostic and non-invasive solutions.
>
Mandatory code review (especially with a required waiting time) and
mandatory reauthentication are far more invasive than removing JS editing
permissions from ad
On Tue, Jun 12, 2018 at 3:26 AM Nathan wrote:
> Is the risk of an attacker taking over an account with CSS/JS edit
> permissions any more or less because that person knows how to use CSS/JS?
>
I tried to address this in the FAQ:
> * The number of accounts which can be used to compromise the site
Personally I'd like us to explore agnostic and non-invasive solutions.
The subdivision of permissions across more user groups relies on a
number of assumptions which may not hold. For instance, on thousands of
MediaWiki wikis there's only one sysop anyway.
Something I would like is the abilit
On Mon, Jun 11, 2018 at 6:26 PM, Nathan wrote:
> Is the risk of an attacker taking over an account with CSS/JS edit
> permissions any more or less because that person knows how to use CSS/JS?
> If the criteria will be that only people who know how to use CSS/JS will
> get access to make those edi
Is the risk of an attacker taking over an account with CSS/JS edit
permissions any more or less because that person knows how to use CSS/JS?
If the criteria will be that only people who know how to use CSS/JS will
get access to make those edits, I'm not sure that is perfectly tailored to
the need b
think that this option would be my first choice in the short
term.
Pine
( https://meta.wikimedia.org/wiki/User:Pine )
Original message From: Gergo Tisza
Date: 6/11/18 3:11 PM (GMT-08:00) To: Wikimedia developers
Subject: Re: [Wikitech-l] Please comment on
the
On Mon, Jun 11, 2018 at 6:02 PM Steven Walling
wrote:
> I'm definitely supportive of greater security for sitewide JS/CSS, but
> Bart's proposal is an interesting one. (Sorry for top posting, on mobile)
>
> What if we required review of edits to JS/CSS in the MediaWiki namespace
> (not in other n
: [Wikitech-l] Please comment on
the draft consultation for splitting
the admin role
Hi Gergő,
I think that your proposal makes sense and would be good for the community to
consider in an RfC.
Because this could involve complex wikilegal changes to how Wikimedia sites
assign user
message From: Gergő Tisza Date:
6/11/18 4:58 AM (GMT-08:00) To: Wikimedia developers
Subject: [Wikitech-l] Please comment on the
draft consultation for splitting
the admin role
Hi all,
per the discussion on Phabricator, I'd like to split the administrator
("sysop"
I'm definitely supportive of greater security for sitewide JS/CSS, but
Bart's proposal is an interesting one. (Sorry for top posting, on mobile)
What if we required review of edits to JS/CSS in the MediaWiki namespace
(not in other namespaces), ala pending changes or something similar? We
require
" I remember a situation when I posted a fix for a script in the
MediaWiki namespace
as an {{edit request}}, and a well-meaning administrator tried to "improve"
my line of code and forgot a comma, breaking all JavaScript for all
logged-in as well as not logged-in Wikipedia editors and readers for s
Speaking of security, I believe that all sysops and people allowed to
edit JS / CSS anywhere on mediawiki sites should be required to use
2FA.
On Mon, Jun 11, 2018 at 4:53 PM, Gergo Tisza wrote:
> On Mon, Jun 11, 2018 at 3:28 PM Petr Bena wrote:
>
>> Is there any historical evidence that sysops
On Mon, Jun 11, 2018 at 3:28 PM Petr Bena wrote:
> Is there any historical evidence that sysops being able to edit JS /
> CSS caused some serious issues? Your point that "most of
> administrators don't understand JS / CSS" is kind of moot. They are
> usually trustworthy and intelligent people. The
OK in that case I think this should be done.
On Mon, Jun 11, 2018 at 3:40 PM, Thiemo Kreuz wrote:
>> Is there any historical evidence that sysops being able to edit JS / CSS
>> caused some serious issues?
>
> Oh yes, this happens more often than I feel it needs to. I remember a
> situation when
> Is there any historical evidence that sysops being able to edit JS / CSS
> caused some serious issues?
Oh yes, this happens more often than I feel it needs to. I remember a
situation when I posted a fix for a script in the MediaWiki:…
namespace as an {{edit request}}, and a well-meaning adminis
On 2018-06-11 15:28, Petr Bena wrote:
Is there any historical evidence that sysops being able to edit JS /
CSS caused some serious issues? Your point that "most of
administrators don't understand JS / CSS" is kind of moot. They are
usually trustworthy and intelligent people. They don't mess up wit
Is there any historical evidence that sysops being able to edit JS /
CSS caused some serious issues? Your point that "most of
administrators don't understand JS / CSS" is kind of moot. They are
usually trustworthy and intelligent people. They don't mess up with
something they don't understand and th
Hi all,
per the discussion on Phabricator, I'd like to split the administrator
("sysop") user group into two parts - one which can edit sitewide CSS/JS,
and one which can not. You can find the details and detailed rationale in
the task:
https://phabricator.wikimedia.org/T190015
To inform the edit