For the record, no objection from CA, who has been acting as the internal "owner" for these things, in the absence of anyone else voluntteering.

Who is actually able to grant this? Does it need WMF management approval?

And for any specific site/project etc? Adding EVERY site/project combination takes a long time. If you need specific wiki(s), it'd be better to list them as such :)

In T90980#1074673, @Reedy wrote:

And for any specific site/project etc? Adding EVERY site/project combination takes a long time. If you need specific wiki(s), it'd be better to list them as such :)

Yeah, the only way to get every site that works well is to actually share the password which is what I think is what would have to happen here if he wants all mobile sites. (which for the record he said he needed in an email with me before filing the task)

It's not the only way to share the master password, it's just tedious work to add a delegated user to every single project because the UI makes you do it one by one. The password file has this readme section where it says "In order to have individual accountability, *delegate* Google Webmaster Tools access", but yea, it's a lot of clicking.

<snip>

Google account for Google Webmaster Tools

Make sure you know what you're doing when
using Google Webmaster Tools.

In order to have individual accountability,
*delegate* Google Webmaster Tools access
from the noc@wikimedia.org Google Webmaster
Tools console to an @wikimedia.org Google
Apps account, the person behind which is
a WMF employee or agent under NDA. Use that
delegated account to take Google Webmaster
Tools actions on sites defined under the
noc@wikimedia.org Google Webmaster Tools
profile. Define sites using the
noc@wikimedia.org account, but use the
delegated account for taking other actions
on the actual sites.

Only WMF employees or those with an NDA 
may be delegated Google Webmaster Tools
access from the noc@wikimedia.org Google
Webmaster Tools console.

If you believe your account delegated
Google Webmaster Tools access has been
breached, contact ops immediately to have
delegation revoked while you restore
your access. Similar logic applies to
a computer breach involving a computer
that you use to login to @wikimedia.org
Google Apps.

</snip>

In T90980#1074697, @Dzahn wrote:

<snip>
</snip>

Yeah, which is why in the past I think that for anyone who actually needed them all we gave the password (at this point we have more then 1000 sites listed, so many in fact that yesterday we got an email saying they changed their policy and we can't add more until we delete more to get below 1000) though that has still been very rare, most just get a couple delegated sites.

I'm not against giving Jon that access (or or that matter having one or multiple of us sit there and share a bunch of the wikipedias) I just think we need to ensure that we have everything recorded for posterity.

In T90980#1075177, @Jalexander wrote:

at this point we have more then 1000 sites listed, so many in fact that yesterday we got an email saying they changed their policy and we can't add more until we delete more to get below 1000

So... noc2@wikimedia.org ? :)

In T90980#1075183, @Krenair wrote:

In T90980#1075177, @Jalexander wrote:

at this point we have more then 1000 sites listed, so many in fact that yesterday we got an email saying they changed their policy and we can't add more until we delete more to get below 1000

So... noc2@wikimedia.org ? :)

if necessary yeah, I'm going to look through it at some point (maybe some night/over the weekend) because I have a stinking feeling there are a fair bit of duplicative "sites" listed (people listing a single page etc) that we can remove. Starting to do another one could be a bit of a pita because right now we are using some relatively universal verification methods.

Delegating any large (greater than a few hundred) number of sites is essentially unscalable (hours of error-prone clicking); and sharing the password to the root authority is undesirable.

Unless Jon can provide a limited subset of sites we can reasonably delegate by hand, the only realistic solution I see is to script something that will repeatedly poke at Google's web interface - which requires some dev time and testing. This becomes more obviously worthwhile if it is likely that other requests of the kind may occur in the future.

@JKatzWMF: What makes sense to you?

If it makes it easier, I would limit it to the following wikis: en.wikipedia, zh.wikipedia, de.wikipedia, es.wikipedia, fr.wikipedia, jp.wikipedia, commons.wikimedia, in desktop, mobile, and app. That's 21 total and hopefully doable.

I will mention, though, that seems a little arbitrary since I know other PM's have full access using root.

Hi - just repinging on this.

Ping - who can hand this out to Jon?

In T90980#1202529, @Aklapper wrote:

Ping - who can hand this out to Jon?

For better or worse it still seems like the best move right now is to give the password file to Jon given the bulk of wikis. We should, however, have a separate discussion about trying to make this process better and more secure without sharing the password for all mass users. Unless someone says stop I will share the password file securely with Jon Monday afternoon pacific.

FWIW, and late, but... approved from my end.

pb

Philippe Beaudette
Director, Community Advocacy
Wikimedia Foundation, Inc.

415-839-6885, x 6643

philippe@wikimedia.org