Page MenuHomePhabricator

Examine which extensions are installed on login.wikimedia.org (loginwiki) and vote.wikimedia.org (votewiki)
Open, LowPublic

Details

Reference
bz59702

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 22 2014, 2:21 AM
bzimport set Reference to bz59702.
bzimport added a subscriber: Unknown Object (MLST).

needs to be disabled?

  • TemplateData
  • CentralNotice
  • UniversalLanguageSelector
  • ParserFunctions
  • Disambiguator
  • PagedTiffHandler

needs to be disabled?

  • TemplateData
  • CentralNotice
  • UniversalLanguageSelector
  • ParserFunctions
  • Disambiguator
  • PagedTiffHandler

None of those should be needed

<Glaisher> Krenair: disabling Parsoid at loginwiki won't break anything, right?
<Krenair> Glaisher, I can't think of why it would...

Glaisher lowered the priority of this task from Normal to Low.Mar 10 2015, 5:39 PM
Glaisher updated the task description. (Show Details)
Glaisher set Security to None.

Change 225840 had a related patch set uploaded (by Alex Monk):
Disable a bunch of extensions on loginwiki/votewiki

https://gerrit.wikimedia.org/r/225840

Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJul 20 2015, 2:56 AM
Krenair renamed this task from Examine which extensions are installed on login.wikimedia.org (loginwiki) to Examine which extensions are installed on login.wikimedia.org (loginwiki) and vote.wikimedia.org (votewiki).Jul 20 2015, 2:57 AM
Krenair updated the task description. (Show Details)

Also, probably don't need these

  • Interwiki
  • OAIRepository
  • Random root page
  • SiteMatrix
  • UserMerge
  • Abuse Filter
  • ConfirmEdit, FancyCaptcha
  • SpamBlacklist
  • TitleBlacklist
  • AccountAudit
  • Disambiguator
  • Graph

Not sure about these:

  • GlobalRenameQueue
  • GlobalRenameRequest
  • MergeAccount
  • Renameuser
  • Renameuser for CentralAuth
  • CharInsert?
  • TorBlock?

It feels like I've just listed like all of Special:Version on loginwiki. Chris, do you think we need any of these?

  • UserMerge

Necessary for global user merge.

  • Abuse Filter
  • ConfirmEdit, FancyCaptcha
  • SpamBlacklist
  • TitleBlacklist
  • TorBlock?

Do we allow people to directly create accounts on loginwiki? If so, these are necessary.

  • AccountAudit

Being undeployed in T105894: Disable, undeploy, and drop tables for AccountAudit, lets take care of it as part of that.

  • GlobalRenameQueue
  • GlobalRenameRequest

Can be disabled.

  • MergeAccount

Part of CentralAuth, which is necessary.

  • Renameuser
  • Renameuser for CentralAuth

Both necessary for GlobalRename to work properly.

Change 225840 merged by jenkins-bot:
Disable a bunch of extensions on loginwiki/votewiki

https://gerrit.wikimedia.org/r/225840

  • Abuse Filter
  • ConfirmEdit, FancyCaptcha
  • SpamBlacklist
  • TitleBlacklist
  • TorBlock?

Do we allow people to directly create accounts on loginwiki? If so, these are necessary.

No, only administrators can create accounts directly on loginwiki.

So that leaves me with this list:

  • GlobalRenameQueue
  • GlobalRenameRequest
  • Interwiki
  • OAIRepository
  • SiteMatrix
  • Disambiguator
  • Graph
  • CharInsert
  • Abuse Filter
  • ConfirmEdit, FancyCaptcha
  • SpamBlacklist
  • TitleBlacklist
  • TorBlock

So that leaves me with this list:
[...]

So next step is that someone takes a closer look if those remaining extensions are actually needed?

greg added a comment.Sep 16 2015, 3:09 PM

So next step is that someone takes a closer look if those remaining extensions are actually needed?

Lego did wrt centralauth/SUL/etc.

I'd love if @csteipp could do the next round of review/give +1/-1 to removing them.

No major rush, afaict.

csteipp moved this task from Backlog to Ready on the Security-Team board.
demon added a subscriber: demon.Sep 23 2015, 5:37 PM
  • OAIRepository

That's being deprecated via T70867, so I wouldn't worry about it here.

So that leaves me with this list:

  • GlobalRenameQueue
  • GlobalRenameRequest
  • Interwiki
  • OAIRepository
  • SiteMatrix
  • Disambiguator
  • Graph
  • CharInsert
  • Abuse Filter
  • ConfirmEdit, FancyCaptcha
  • SpamBlacklist
  • TitleBlacklist
  • TorBlock

We can get rid of all of these. The anti-abuse ones aren't needed because users can't actually do anything on loginwiki.

Restricted Application added a subscriber: JEumerus. · View Herald TranscriptMar 11 2016, 8:03 PM

Regarding TitleBlacklist and AbuseFilter, are they needed to block account creations?

Regarding TitleBlacklist and AbuseFilter, are they needed to block account creations?

Accounts cannot be directly created by IPs at loginwiki and autocreations are not disallowed by TBL on Wikimedia wikis so it doesn't really change anything there.

Deskana removed a subscriber: Deskana.Mar 12 2016, 8:54 PM

We need to keep confirmedit so the login form shows captchas after 3 failed attempts to log in.

So that leaves me with this list:
[..]

I'd keep Interwiki and SiteMatrix. These seem useful entry points to have. Especially because votewiki and loginwiki are themselves listed in SiteMatrix (e.g. when queried on metawiki).

demon added a comment.Jun 30 2016, 5:47 PM

Graph and Disambiguator can go away right now.

Krinkle removed a subscriber: Krinkle.Feb 14 2017, 7:07 PM