On Tue, Sep 4, 2012 at 9:26 AM, Mr. Gregory Varnum <gregory.var...@gmail.com> wrote:
> I use and like this extension. I know many others do as well. This debate
> over its value to some and security is interesting (well - not really) but
> aside from the point of this thread.
>
> Should the widgets be housed on MW.org rather than an outside site? Given
> their wide usage and the preference towards all things MW being on MW.org, I
> think they absolutely should and fully support that idea.
>
> Don't like the extension? Don't use it. For those of us that do, this move
> would be very helpful. Arguing about the merits of the extension vs the value
> of moving its components seems irrelevant. It's widely used enough and
> arguing about it is unlikely to change that. Unless we're suddenly worried
> about storage space on MW.org this seems like it should be more about how
> than why.
>
> I would propose subpages to the main extension page.
>
> -Greg aka varnent
>
> ____________
> Sent from my iPhone. Apologies for any typos. A more detailed response may be
> sent later.
>
> On Sep 4, 2012, at 8:11 AM, Jeroen De Dauw <jeroended...@gmail.com> wrote:
>
>> Hey,
>>
>>> The essential problem is that people can't get stuff through the
>>> gatekeepers, so they come up with a workaround. Noting that the
>>> workaround is insecure and saying "just don't do that" doesn't solve
>>> the original need and won't help security. It's not clear to me what
>>> will, but the gatekeeping is an obvious start.
>>
>> I don't think this extension really affects this. It is the same as having
>> widgets implemented as extensions in that:
>>
>> * They can only be enabled by administrative people
>> * They can be obtained from verified sources or from non-trusted ones
>>
>> Widgets are inferior in that:
>>
>> * An attacker compromising an admin account can put in arbitrary JS code
>>
>> Widgets are superior in that:
>>
>> * They cannot create PHP vulnerabilities
>> * Changes can be kept track of on-wiki
>> * The source is clearly visible to wiki users, increasing the scrutiny of
>> the code
>> * They are easier to deploy for most people
>> * They encourage more collaboration compared to the tons of low quality and
>> unmaintained single widget extensions
>>
>> It seems to me that this extension does not lose on security compared to
>> regular extensions at all, and that it offers quite a few benefits for the
>> kind of functionality it is intended to be used for.
>>
>>> The problem with creating a new system that has no gatekeepers
>>> is that it encourages people who have no business writing code to
>>> end up doing so.
>>
>> This system has as much gatekeeping as regular extensions do. I think
>> several people are making assumptions here without having had a decent look
>> at the extension.
>>
>> Cheers
>>
>> --
>> Jeroen De Dauw
>> http://www.bn2vs.com
>> Don't panic. Don't be evil.
>> --
>> _______________________________________________
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Does MediaWikiWiki really need any more shitty/insecure addons that no
one is going to maintain? I think we have enough already. Pick out the
best of the bunch and nuke the rest.

--
John