Review rights removal by user Vogone
Closed, Resolved (Public)

Description

A few minutes ago Vogone removed my steward rights (in the log entry there is no group named "steward", because the user renamed that group before and after that action, see here), suddenly, without any discussion etc. His log entry says there were "numerous complaints". I don't understand that, because I tried not to disturb any users testing there (except spammers) (for example, I tried to optimize an abuse filter if it gets a false positive), or to help users if they need something for testing. I used my rights too, to find security issues, for users who can see security bugs, here, so I don't think that I abused my rights at any point. So in my view, the user removed my rights without any valid reason (I asked him on IRC, he can't explain to me what he means by "numerous complaints"), and blocked some points of my testing in the future. So I can't find new security issues, and maybe the wrong group of people will benefit from that. Added to that, I can't help with all the points I proposed (see T114486#1697433), because I don't have access now to all the relevant things.

Event Timeline

Luke081515 raised the priority of this task from to Needs Triage.
Luke081515 updated the task description.
Luke081515 added subscribers: Luke081515, Krenair, greg.

I'm told you've been evading IRC bans?

I used my rights too, to find security issues, for users who can see security bugs, here, so I don't think that I abused my rights at any point.

You really shouldn't be testing security on public wikis.

You really shouldn't be testing security on public wikis.

As long as it's not with sensitive info, what are we worried about?

You really shouldn't be testing security on public wikis.

As long as it's not with sensitive info, what are we worried about?

If you run into a security issue and it's clear what you did from the public logs etc., is there much point in making the resulting security bug report private? You've already exposed it to the world.

Right, good point if the process is discernable.

Peachey88 added a subscriber: Vogone.
Peachey88 subscribed.

I discovered some of the bugs by the way, so unwanted, like both of the bugs concerning MediaWiki currently triaged as low. For the bug triaged as high you need just the right to view, so nobody can replicate this if he can just see my logs/actions. The bug at normal priority concerning logging is just visible for people with more rights, so you can't discover the bugs I reported if you only see my logs, so it's not discernable in this situation. But there are other issues I found at beta, reproducible for production too, and I can't find them in the future without the possibility to simulate some situations there, so in this point the consequence could be that we have more bugs which are unknown, because no one discovered them.

Added to that, I can't help users with their testing anymore, for example, if an abusefilter interrupts a user at his testing, I can't modify this filter anymore.

I'm told you've been evading IRC bans?

No, I talked with an op at a channel in a query, and he said I can try to join this channel, and after that, he kicked me (It's a normal public channel, where everybody can join, and I just joined, and didn't do anything other than these two joins), I just joined one time again, but after that I did not try this again. Some time after this I tested something with my IRC client, but I did not join this channel anymore, or do anything else, so I don't see a problem.

I discovered some of the bugs by the way, so unwanted, like both of the bugs concerning MediaWiki currently triaged as low. For the bug triaged as high you need just the right to view, so nobody can replicate this if he can just see my logs/actions. The bug at normal priority concerning logging is just visible for people with more rights, so you can't discover the bugs I reported if you only see my logs, so it's not discernable in this situation. But there are other issues I found at beta, reproducible for production too, and I can't find them in the future without the possibility to simulate some situations there, so in this point the consequence could be that we have more bugs which are unknown, because no one discovered them.

Perhaps indeed not in this case, but I presume this was meant to be a general comment. Generally, testing security bugs on a public wiki is a very bad idea and should be avoided. Using a local MW installation might be the better approach.
And "there are other issues […] I found at beta […] I can't find [in] the future" is not relevant at all, I assume, as long as they have been reported properly, which one normally does after having found an issue. There is no need to "re-find" it once it is known and hopefully fixed. Again, using a local MW installation might be the better approach, especially while actually working on the issues.

Added to that, I can't help users with their testing anymore, for example, if an abusefilter interrupts a user at his testing, I can't modify this filter anymore.

This is not even true, you're still able to do this, even with your current set of rights.

I'm told you've been evading IRC bans?

No, I talked with an op at a channel in a query, and he said I can try to join this channel (I think he said that as a challenge), and after that, he kicked me (It's a normal public channel, where everybody can join, and I just joined, and didn't do anything other than these two joins), I just joined one time again, but after that I did not try this again. Some time after this I tested something with my IRC client, but I did not join this channel anymore, or do anything else, so I don't see a problem.

I am not 100% aware of what exactly happened in the IRC-cause, but stating one has accepted a "challenge" does not sound very responsible either.

All in all, I don't think Luke081515 acts in a trustworthy manner, which is also shown by regular comments elsewhere stating things similar to "wow, I got right XXX, this is so superb, now I could manipulate YYY" without even being asked, or threats of revenge similar to what I was told concerning this case à la "I'm going to spare the revenge centralauth-lock of Vogone", which I couldn't care less about, but yet doesn't sound very… let's say professional. I believe he lacks any sense of responsibility and is unsuitable for any position of trust, though since beta is a test wiki, I agree there is little harm to do. What I suggested to him when he contacted me after the "downgrade" of rights is to come back when he indeed needs the rights, has learned not to spread his log actions across all of the cluster and learned not to test everything in public. He disagreed with the first point, because he supposedly needs the rights "spontaneously", and then went to Phabricator in order "to solve this problem differently".

I would like to keep it at what I've proposed to him and not to waste another minute on this beta cluster "meta" stuff, it's just not worth it. Therefore, this is my only and last comment on this ticket. Thanks.

Perhaps indeed not in this case, but I presume this was meant to be a general comment. Generally, testing security bugs on a public wiki is a very bad idea and should be avoided. Using a local MW installation might be the better approach.

As I explained above, I don't search for security issues, it's just a side effect. And you can't conclude from my logs to these security bugs, because some parts are not logged, because there are read-only actions, and for other parts of these bugs, you need steward or other rights, which normally only a few people have.

And "there are other issues […] I found at beta […] I can't find [in] the future" is not relevant at all, I assume, as long as they have been reported properly, which one normally does after having found an issue. There is no need to "re-find" it once it is known and hopefully fixed. Again, using a local MW installation might be the better approach, especially while actually working on the issues.

I tested normal new software functions, that's one reason why we have beta, so why not test that there?

This is not even true, you're still able to do this, even with your current set of rights.

No, I can't modify global filters. Do you want a screenshot? Global filters are a big part of the active filters, and have the most false positives.

I am not 100% aware of what exactly happened in the IRC-cause, but stating one has accepted a "challenge" does not sound very responsible either.

That was not a challenge. You can ask dcb_ on IRC, I talked with him about the channel, and then he said something like "you try to join the channel", and then I joined the channel. After he banned me, I didn't try to rejoin, and I suppose that the reason to ban me was just to annoy me, because I didn't take any action or anything in the channel.

All in all, I don't think Luke081515 acts in a trustworthy manner, which is also shown by regular comments elsewhere stating things similar to "wow, I got right XXX, this is so superb, now I could manipulate YYY" without even being asked, or threats of revenge similar to what I was told concerning this case à la "I'm going to spare the revenge centralauth-lock of Vogone", which I couldn't care less about, but yet doesn't sound very… let's say professional. I believe he lacks any sense of responsibility and is unsuitable for any position of trust, though since beta is a test wiki, I agree there is little harm to do. What I suggested to him when he contacted me after the "downgrade" of rights is to come back when he indeed needs the rights, has learned not to spread his log actions across all of the cluster and learned not to test everything in public. He disagreed with the first point, because he supposedly needs the rights "spontaneously", and then went to Phabricator in order "to solve this problem differently".

With the thing with global-lock I want to explain that just because I can do it, I would not do it (and I did not do anything similar either). Added to that: I did not say this in a query or channel you can read, and gave nobody the permission to show private queries, so at least one of you violates the IRC policy (I looked up my logs). At beta I want to help users with planned tests, and I guess that you would not replace me in that point, so other users get disadvantages from that action. If you read queries from me to other users, you have a high chance that you miss the context, or humorous elements, so you can misunderstand my intention in this case, so it would be better if you don't violate the IRC policy, and now the content from private queries, this is your problem.

Steinsplitter claimed this task.
Steinsplitter subscribed.

Res ipsa loquitur

@Luke081515 You reopened this task. Do you have any actionables that can be carried out in doing so? I believe @Vogone has provided sufficient evidence for this case. Do you have additional evidence to justify that your rights should be reinstated?

As I said above

  • I can't modify global filters anymore, so I can't help users, if a filter matched as a false positive
  • I can't run specific tests (at new features, to find normal bugs)
  • I can't help users, if they need rights to test something at a local wiki
  • I can't fight against spam anymore, because sometimes I need to assign rights, if I don't want to delete more than 100 pages manually
  • I don't make a mistake with my rights at beta, so I don't see a reason to remove them.

As I said above

  • I can't modify global filters anymore, so I can't help users, if a filter matched as a false positive

I am not sure how these users inform you of these false positives, and I am sure they can use Phabricator to report such issues and the others can take care of it.

  • I can't run specific tests (at new features, to find normal bugs)

Please use a local installation to test such new features if necessary. I don't quite see the need for steward rights to do such tests. Even if such bugs exist, it will only affect a very small segment of the market and bugs will not be rated such a high priority. Global sysop should be sufficient for this as well.

  • I can't help users, if they need rights to test something at a local wiki

Phabricator is an excellent place for them to get started on this. Also, it is the place that they should go for requesting rights instead of personally. This way, other people know exactly what is going on.

  • I can't fight against spam anymore, because sometimes I need to assign rights, if I don't want to delete more than 100 pages manually

Again, Phabricator can be used for this. If there is persistent spam, we should create tasks and resolve these long term issues. Deleting pages does not need steward rights, having global sysop is sufficient.

As the actual recent changes at beta say, edit global filter is very useful, there was an IP with crosswiki-spamming, spamming always the same, so this is a point where I could easily block the IP (or next cases at that point), if I could edit global filter, but I can't at the moment.

Beta is to test MediaWiki in a production-like environment, so sometimes it is useful too, to test a specific configuration, to test behaviour. In this case, you can simulate a specific config with global groups. This was not a problem before, so why should this be a problem now?

As Vogone said here above and it's my opinion, too, your IRC behaviour does not show that trustworthiness, as it is needed to be a steward. Looking for almightiness in wiki world and getting phab admin last time, also your helping syndromes, are speaking the same.
You can help the users doing so many things with your rights you have now. And for global group and filter things, which are not so very frequent, you can talk very easily with one of our really trustworthy stewards.

Added: the phab is no discussion container for admin or steward rights on wikis.

Added: the phab is no discussion container for admin or steward rights on wikis.

is for beta

No, sometimes it takes too long until someone is reachable. If you look at the RC at deployment, sometimes there is something urgent, like today, there was crosswiki-spam by one IP. I reverted edits at more than 5 projects, and in this situation it's very annoying, and not useful. Concerning IRC: I solved this personal conflict with the user now, so I don't see a problem there. And, I'm not an admin at phab here, and don't want "almightiness in wiki world", or did you see a request for GS at prod or something similar? No! The thing at beta that I need is to modify global groups. It's not easy to enable your own cluster with centralauth, so it's more useful to test some configurations at beta. That was not a problem at any time there, no one felt disrupted, and if you don't want this, you changed your opinion on what beta is for: for testing, so why test something? My tests are useful tests, I explored a few bugs, and so others benefit from that too, so nobody feels disrupted, but benefits from that situation, so why change this? As long as we don't disrupt other users (I try every time not to disrupt others), what's the problem? Right, there is no problem.

No, there are more trustworthy stewards in beta cluster, whom you can contact really fast. You don't need to wait so long. And you can test in beta, too, without being a steward.

Two questions:

  1. Why do you need to modify global groups? If there is a need, a task in Phabricator is preferred so discussion can take place.
  2. Testing? Do you really need steward rights for doing "tests" that global sysop isn't sufficient?

Judging from your comments, I am inclined towards just allowing global sysops to modify global abusefilter rules on beta to fit your use case.

Two questions:

  1. Why do you need to modify global groups? If there is a need, a task in Phabricator is preferred so discussion can take place.
  2. Testing? Do you really need steward rights for doing "tests" that global sysop isn't sufficient?

Judging from your comments, I am inclined towards just allowing global sysops to modify global abusefilter rules on beta to fit your use case.

FWIW, Luke081515 already got me to enable the latter.

Two questions:

  1. Why do you need to modify global groups? If there is a need, a task in Phabricator is preferred so discussion can take place.
  2. Testing? Do you really need steward rights for doing "tests" that global sysop isn't sufficient?

Judging from your comments, I am inclined towards just allowing global sysops to modify global abusefilter rules on beta to fit your use case.

FWIW, Luke081515 already got me to enable the latter.

Thanks!

Modifying a global group must be nothing permanent. You can create a temp testgroup, where you can test a right config, for tests at one wiki. After you made the tests, you can remove all the rights from the group, and the group stops existing. This was useful to detect some bugs, and you can test new features (add the flow-create right to a group). For short temp tests I think it's not useful to create a task every time. Other users may only see these tests if they look at the RC, so they don't feel disrupted, but the ability to create these temp groups helps to find software bugs, or bugs at new features. Asking another user every time is annoying for both, and takes a lot of time.

But now Luke081515 misuses his channel and user rights in IRC to let me part the channel due to autojoin. During this discussion here he's demonstrating again, how to play intentionally with user rights and making other users angry. But user rights, both in IRC and in beta cluster ARE NO TOYS TO PLAY WITH!

Till Luke081515 does understand how to use user rights, he should not work (or play) with 'em.

But user rights, both in IRC and in beta cluster ARE NO TOYS TO PLAY WITH!

Till Luke081515 does understand how to use user rights, he should not work (or play) with 'em.

I think beta is a fantastic place to play with user rights actually.

But there's no hand for steward rights and that's the topic here!

This whole thing seems like a tempest in a teacup really. We're talking about beta here. It's meant for people to experiment, try out new things, and that includes having access to things they might not have in production. Telling people to test things locally isn't always easy too, especially when you're talking about Global/Central/AnythingElseThatRequiresAWikiFarm.

People make mistakes. That's cool too. Again, it's beta, it's not like there's any important data there anyway.

For the record, from my perspective as the manager of the team that owns the Beta Cluster (where these wikis live, which is used for pre-production deployment testing by bots and people), @Luke081515 has been immensely helpful with task triage, task/issue reporting, and general cleanup along the way. I appreciate and welcome his contributions more.

There is, as I said above. I didn't abuse my rights, so in my opinion there is no reason for removal. If you said "he doesn't need them at the moment", you can remove nearly all rights at beta, there are not many active users, but I am. I look up beta at least once a day, if there was spam, or something else. If there was a personal conflict at IRC (solved now, as I wrote above), why set consequences at beta? This is not useful. For example if a GS at prod is annoying at IRC, you won't desysop him at prod. This is not useful, it just makes the following discussion harder. You just punished somebody who is active at beta, looks for spam, cleans up spam (I deleted more than 5000 pages of spam in 2015). This is not like "Never change a running system".

Luke081515 has been immensely helpful with task triage, task/issue reporting, and general cleanup along the way. I appreciate and welcome his contributions more.

Yes, but he has enough rights to do that up to now. He does not need to be a steward, though he can become a global admin or anything similar, to work on in a similar manner ...

You didn't read what I wrote above? As I said, it is very useful for tests to modify global group rights.

Counterquestion: Why were the rights removed? You can't remove rights and say "they aren't needed". I showed enough consequences from that removal. So read that, before you write something like that again:

(....) If you said "he doesn't need them at the moment", you can remove nearly all rights at beta, there are not many active users, but I am. I look up beta at least once a day, if there was spam, or something else. (...)

I don't think any behaviour in a private channel is the subject of this task, to be honest.

I actually think the beta-cluster is a famous place to do some tests for things in production-like environments, which can be really useful in different situations, for example to explain to someone something unclear about a brand-new feature or find bugs that are only detectable in a production environment. What else should the Beta Cluster be used for?

@Luke081515 Your counterquestion is already answered in Vogone's long comment above ...

No. He didn't say anything about the temp global groups, needed for testing a specific situation.

you can ask for temp global groups if you really need 'em

I don't want to say it again. Why not, you can read here: T121168#1873268.

The second point is that your logic is not right. Imagine somebody removed your sysop bit at dewiki, and said "you can ask another sysop, if you want to do it". How would YOU perceive that?

doctaxon changed the task status from Open to Stalled. Dec 11 2015, 9:21 PM

I could manage a talk with Luke081515 and Vogone these days to find a solution for the problems ourselves.
So it's my opinion to stall this task up to now, temporarily at least.

doctaxon claimed this task.

Case closed