
Adoption request for jarbot (jarbot, jarbot-ii, jarbot-iii) & jarallah (jarallah, jarallah-ii)
Closed, ResolvedPublicSecurity

Description

I request being added as a co-maintainer of:

I do not believe this request is covered by the Adoption policy, however the bot/tool operator (https://wikitech.wikimedia.org/wiki/User:Jarbot & https://wikitech.wikimedia.org/wiki/User:Jarallah c/o https://meta.wikimedia.org/wiki/Special:CentralAuth/جار_الله) has been globally banned.

The bot tasks are listed at https://meta.wikimedia.org/wiki/User:JarBot.

Please could the TFSC:

  • check the tool's home directory for obvious secret information, following the Adoption policy instructions

Event Timeline

TheresNoTime set Security to Software security bug.Dec 6 2022, 7:18 PM
TheresNoTime changed the visibility from "Public (No Login Required)" to "Custom Policy".
TheresNoTime changed the subtype of this task from "Task" to "Security Issue".

Blocked 6 more accounts which shared the same email in LDAP.

Not sure what to do about the adoption request, however. None of the tools seem to have a license specified.

(when possible, please make this task public)

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 6 2022, 7:35 PM

(when possible, please make this task public)

Done, as the accounts listed above are now disabled as well.

Not sure what to do about the adoption request, however. None of the tools seem to have a license specified.

For the records, a few weeks ago a coworker contacted its maintainer about license and source code. The maintainer's reply was that they have not made their code public yet or put it under any license yet.

Do we know where the code is located?

Do we know where the code is located?

None of these tool accounts include a Striker toolinfo declaring a default license. I think all of the scripts that do include license comments were copied from elsewhere.

For the records, among this year's nominations for the Coolest Tool Award (CTA) was also a nomination for JarBot. Thus the CTA committee reviewed the nomination and contacted its maintainer about license and source code. The maintainer's reply was that they have not made their code public yet or put it under any license yet.

Technically, that was a confession to violating Toolforge's Rules (second point, "All code in the Tools project must be published under an OSI approved open source license"). Perhaps it would make sense to remind maintainers that use Toolforge about that when the CTA committee asks for the license?

@Urbanecm: T271712 or T311293 might scale better for trying to encourage Toolforge rules (but someone needs to do it). :)

Wonderful :( Based on T324607#8449385, I'd recommend we just mark the tools for deletion. And maybe in 2023 do some kind of Toolforge-wide audit of licensing compliance...🤔

taavi claimed this task.

Marked all of those tools for deletion. I don't think there's anything more remaining that can be done here, unfortunately.