Page MenuHomePhabricator
Create Task
Maniphest T363009

Retire legalpad phabricator/phorge application?
Open, Stalled, LowPublic
Actions

Description

Legal nowadays uses a different process to handle NDA requests than the legalpad application which is part of Phabricator/Phorge.

In T349595: Clarify if NDAs (to access #WMF-NDA protected Phab tasks) are on paper or in Legalpad's L2 or both it has recently been decided by Legal that one of the pads inside it, L2 is now retired.

This leaves us with L3 which is used to sign the "server access responsibilities" which is a formality by SRE as part of handing out shell access to production systems.

Plus we have these remaining use cases as pointed out by @RhinosF1

L45 - VRTS users "NDA" (question is, if Legal says they don't use L2 - that probably also means L45 should be replaced the same way)

This document is also translated into many languages and the full list of documents is shown here:

https://phabricator.wikimedia.org/legalpad/query/all/

Other than that:

L36 Wiki Loves Monuments − Photo Sharing Permission (users give permission to their photos being used on social media)

L35 Commitment to the Code of Conduct for Wikimedia Technical Spaces (not used per @Urbanecm ?)

Since none of these are used by the actual legal team anymore it begs the question why we can't do the same signatures on a wiki somewhere.

If that was the cause we could get rid of this custom app that doesn't really have a maintainer and we could simplify our setup and get closer to standard upstream Phorge.

So this task would be mostly going through the list of pads and talk to people to find out.

Related Objects

Event Timeline

Dzahn created this task.Apr 19 2024, 5:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 19 2024, 5:57 PM
JJMC89 subscribed.Apr 19 2024, 6:19 PM

{L37} and {L45} plus their various translations are actively used and do not have another process like the replacement for L2.

  • L45 is required for VRT access and is handled by volunteers (VRT admins: acl*otrs-admins).
  • L37 is required for anyone else that agrees to the ANPDP (CheckUsers, Oversighters, Stewards, etc.) and is processed by Trust-and-Safety to list accepted ones at ANPDP/N.

why we can't do the same signatures on a wiki somewhere

I don't see how you would appropriately control access on a wiki.

RhinosF1 added projects: Trust-and-Safety, Znuny.Apr 19 2024, 6:21 PM

Adding project tags for areas affected

taavi subscribed.Apr 19 2024, 6:29 PM

Here in Phabricator/Phorge we have the legalpad application which doesn't come from upstream but has once been developed for specific needs of WMF Legal.

Huh? The upstream instance at least has the legalpad application installed.

Dzahn added a comment.EditedApr 19 2024, 6:33 PM

I was probably mistaken. It was enabled way back in T656 in the early days of Phabricator at WMF and started out on a Labs instance (T656#799769). It think WMF might have also paid Phacility for development / support back then but not sure, Quim would know. But that is what made me use that phrasing.

Dzahn added a comment.EditedApr 19 2024, 6:37 PM

Here is some archeology about that and why I had this memory.

Screenshot from 2024-04-19 11-36-20.png (292×1 px, 512 KB)

edit: It's like first there was Legalpad as a standalone service before we even used Phab for other things and then it turned into Phabricator as we use it now.

Aklapper updated the task description. (Show Details)Apr 20 2024, 3:05 PM
Aklapper awarded a token.
Izno awarded a token.Apr 20 2024, 6:53 PM
Dzahn added a subscriber: Izno.Apr 20 2024, 7:39 PM

@Izno Wanna tell me what you dislike about it? Would there really be a difference whether people sign something here or on a wiki?

Izno added a comment.Apr 20 2024, 11:18 PM
In T363009#9731654, @Dzahn wrote:

@Izno Wanna tell me what you dislike about it? Would there really be a difference whether people sign something here or on a wiki?

JJMC already pointed out the issues.

Aklapper moved this task from To Triage to Administration (UI) on the Phabricator board.Sun, Apr 21, 3:27 PM
Aklapper triaged this task as Medium priority.Sun, Apr 21, 3:33 PM
Dzahn added a comment.EditedTue, Apr 23, 6:09 PM

I don't see how you would appropriately control access on a wiki.

Given that any wiki user can login on Phabricator is there a difference I'm missing?

edit: Oh, you don't mean to prevent people from signing the doc, you mean to prevent people from changing the doc that is being signed?

Well, probably by locking down the document page so only admins or stewards can edit it while keeping the signatures on the talk page or something like that? Just like with other important templates etc?

JJMC89 added a comment.Tue, Apr 23, 10:58 PM
In T363009#9736975, @Dzahn wrote:

I don't see how you would appropriately control access on a wiki.

Given that any wiki user can login on Phabricator is there a difference I'm missing?

edit: Oh, you don't mean to prevent people from signing the doc, you mean to prevent people from changing the doc that is being signed?

Well, probably by locking down the document page so only admins or stewards can edit it while keeping the signatures on the talk page or something like that? Just like with other important templates etc?

No, not preventing edits to the agreement text. Page protection would solve that.

Legalpad creates an immutable, non-public record that can only be entered by the user that is logged in.

A signature on a wiki could be added, modified, or removed by anyone. IANAL, but I don't see how that would be acceptable.

Dzahn added a comment.Tue, Apr 23, 11:06 PM

Ah, so the point is mostly that it should not be public information who signed the agreement?

re: modifying: Sure, but they can't entirely delete/oversight an entire revision and we could just link to that. Also doesn't seem like we see this as a problem with any statement in talk page discussions.

re: IANAL - Me neither but the actual lawyers said to not go through Legalpad for their purposes.

But I hear you, thanks for the input.

Peachey88 subscribed.Tue, Apr 23, 11:55 PM
In T363009#9738629, @JJMC89 wrote:>

No, not preventing edits to the agreement text. Page protection would solve that.

Legalpad creates an immutable, non-public record that can only be entered by the user that is logged in.

A signature on a wiki could be added, modified, or removed by anyone. IANAL, but I don't see how that would be acceptable.

If a agreement requires non changing signatures when dealing with private information, It might be worth while reviewing the current method/situation with legal and see if they want to move it to the same process as NDAs using their signing system.

LSobanski assigned this task to Dzahn.Mon, Apr 29, 3:32 PM
LSobanski lowered the priority of this task from Medium to Low.
LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.
Aklapper mentioned this in T364088: Remove custom Legalpad API downstream changes.Fri, May 3, 9:29 AM
Dzahn changed the task status from Open to Stalled.Fri, May 10, 8:08 PM
Aklapper mentioned this in T607: Check easily who has signed Legalpad documents by their Wikimedia username.Mon, May 20, 12:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL