Page MenuHomePhabricator
Create Task
Maniphest T299546

Install Lockdown in zhwiki
Closed, DeclinedPublic
Actions

Description

It is proposed to install Extension:Lockdown in zhwiki and enable it at a newly created "LTA" namespace. The namespace may be viewed by extended-confirmed users. (https://zh.wikipedia.org/wiki/Wikipedia:%E4%BA%92%E5%8A%A9%E5%AE%A2%E6%A0%88/%E6%96%B9%E9%92%88#%E7%AC%AC%E4%B8%89%E6%AC%A1%E6%8E%A8%E5%8A%A8%E8%AE%BE%E7%AB%8BLTA%E5%91%BD%E5%90%8D%E7%A9%BA%E9%97%B4)

Currently there are consensus to create a LTA namespace, but it is stalled as someone raised some security concerns (see T299545, but a workaround is available).

Creating this task for possible feedbacks from sysadmins/developers.

Related Objects
Search...

StatusSubtypeAssignedTask
 DeclinedNoneT299546 Install Lockdown in zhwiki
DeclinedNoneT126481 Security review of Extension:Lockdown
Restricted Task

Event Timeline

Bugreporter created this task.Jan 19 2022, 5:09 PM
Restricted Application added subscribers: Stang, Aklapper. · View Herald TranscriptJan 19 2022, 5:09 PM
Bugreporter changed the task status from Open to Stalled.Jan 19 2022, 5:10 PM
Bugreporter added a subtask: T126481: Security review of Extension:Lockdown.
Bugreporter added a subtask: Restricted Task.
Bugreporter reopened subtask T126481: Security review of Extension:Lockdown as Open.
Stang added a comment.Jan 19 2022, 8:35 PM
This comment was removed by Stang.
Stang added a project: Community-consensus-needed.Jan 19 2022, 8:36 PM
Stang moved this task from Backlog to Extensions/Skins on the Chinese-Sites board.
Urbanecm closed this task as Declined.Jan 19 2022, 8:59 PM
Urbanecm added subscribers: Ladsgroup, Urbanecm.

I'm sorry, but it is nearly certain Lockdown will never be installed at any Wikimedia wiki. MediaWiki is a complex application that was never written with regards to per-page or per-namespace read restrictions and there are probably a lot of ways those restrictions can be theoretically (or practically bypassed). I think we should not have any such options available, rather than relying on them (and being surprised when someone figures their way around).

To share some context, a serious security vulnerability was recently found in MediaWiki core that effectively allowed everyone to read any pages on (some) private wikis, see https://www.mediawiki.org/wiki/2021-12_security_release/FAQ for related security announcement. Reviewing all of MediaWiki (and relevant extensions) and fixing it to be certain no information can leak will unfortunately take a lot of people's time, and I don't think there's any plan to do that kind of work in foreseeable future.

Because I consider it nearly impossible for the necessary work to be finished in the foreseeable future, I'm declining this request.

Italian Wikipedia requested https://sysop-it.wikipedia.org to be created for sysop coordination (T256545), which might be a better option (and one that's more likely to have). @Ladsgroup might have an opinion on this topic.

Stang moved this task from Extensions/Skins to Closed on the Chinese-Sites board.Jan 19 2022, 9:03 PM
Bugreporter mentioned this in T299590: Create zh-maintenance-work wiki.Jan 19 2022, 9:20 PM

As an alternative I proposed T299590: Create zh-maintenance-work wiki.

Aklapper closed subtask T126481: Security review of Extension:Lockdown as Declined.Jan 19 2022, 10:15 PM
Xiplus subscribed.Jan 20 2022, 1:14 AM
Stang unsubscribed.Feb 12 2022, 4:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL