On 6/26/14, Chris Steipp <cste...@wikimedia.org> wrote:
> On Wed, Jun 25, 2014 at 5:49 PM, Alex Monk <kren...@gmail.com> wrote:
>> Chris, why don't we leave privacy policy compliance to the users posting
>> on the bug? Wikimedia personal user data shouldn't be going to the
>> security product.
>
> There are a few cases where there may be legitimate private data in a
> security bug ("look, sql injection, and here are some rows from the
> user table!", "Hey, this was supposed to be suppressed, and I can see
> it", "This user circumvented the block on this IP"). But there might
> be ways to flag or categorize a report as also including private data?
> Someone with more bugzilla experience would need to comment.
>
>> Why does WMF get the right to control by access to MediaWiki security bugs
>> anyway? Could we not simply host MediaWiki stuff externally? Perhaps on
>> the servers of any other major MediaWiki user.
>
> This certainly could be done. That "other major MediaWiki user" would
> have to be someone everyone trusts, and preferably with a strong track
> record of being able to keep their infrastructure secure. If there's a
> legitimate proposal to try it, let's definitely discuss.
>

Personally I'd prefer that MediaWiki related support software stay
hosted by WMF (at least for the foreseeable future). WMF just seems
like the logical people to host it, and I don't see any harm in
MediaWiki being a "Wikimedia project" in a similar sense as Wikipedia
is a Wikimedia project. What I would like to see though is a MediaWiki
world where WMF is not special. What I mean by that is that being a
WMF employee/contractor wouldn't get you any special treatment -
trusted people would get special access where needed because they're
trusted and have demonstrated their competence. A WMF staffer would
have to go through the same procedure as anyone else would have to to
get any sort of special access. Many of the people who have special
access would still be WMF employees, since WMF employs most senior
developers, but it wouldn't be "you're a WMF employee = here's access
to everything even if you don't need it", "you're not a WMF employee =
have to jump through a million hoops plus sign something in blood plus
bribe someone to get access to things that would be extremely helpful
to your work".

--bawolff

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l