I tend to agree with Steven's comments. I think that requiring review would, as he said, be less costly to implement in terms of the amount of volunteer time spent on managing permissions. I think that there would also be less time spent discussing and redesigning social processes than there would be if the existing admin permissions are split and communities must decide who should get which level of admin permissions. In terms of engineering time, implementing a review process might be more costly, but given the significantly lower cost of social implementation to volunteers, I think that this option would be my first choice in the short term.
Pine ( https://meta.wikimedia.org/wiki/User:Pine ) -------- Original message --------From: Gergo Tisza <gti...@wikimedia.org> Date: 6/11/18 3:11 PM (GMT-08:00) To: Wikimedia developers <wikitech-l@lists.wikimedia.org> Subject: Re: [Wikitech-l] Please comment on the draft consultation for splitting the admin role On Mon, Jun 11, 2018 at 6:02 PM Steven Walling <steven.wall...@gmail.com> wrote: > I'm definitely supportive of greater security for sitewide JS/CSS, but > Bart's proposal is an interesting one. (Sorry for top posting, on mobile) > > What if we required review of edits to JS/CSS in the MediaWiki namespace > (not in other namespaces), ala pending changes or something similar? We > require code review in Gerrit, so why not sitewide code in the wiki? > > I propose this because if we split code editing rights into a separate > userright, this entails increased process bloat for managing who and who > doesn't get the right, the criteria for deciding that, and so on. Requiring > code review would allow for more flexibility while increasing security. It > would require less process bloat too because the community already has > mechanisms for requesting edits be confirmed via talk pages and such. > That's a good way to improve security, but orthogonal to separating permissions (it would probably mean that an attacker would have to find two vulnerable accounts, while this change will reduce the pool of accounts an attacker could target; both make attacks harder, in different ways). No reason not to do both, but separating permissions is (relatively) easy and a review system is more like something on the scale of FlaggedRevs. If you are interested, https://phabricator.wikimedia.org/T71445 has plenty of discussion on code review for gadgets; https://phabricator.wikimedia.org/T187749 is a variant of it I'm working on. _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l