|operations/dns : master||shop/store: switch old URL to cluster for redirect|
|operations/puppet : production||shop/store: switch redirects to store.wikimedia|
|operations/puppet : production||remove dropped shop/store redirects|
|operations/dns : master||shop/store: set CNAME for store c.ssl.shopify.com|
|operations/puppet : production||shop redirects: store instead of shop|
|operations/dns : master||drop shop & store entries from most projects|
|operations/dns : master||change store to a CNAME for c.ssl.shopify.com.|
|operations/dns : master||shop URL: change 'shop' to 'store'|
|operations/puppet : production||adjust shop redirects to changed shop URL|
|operations/dns : master||switch shop name, store.wikipedia.org to shopify|
|operations/dns : master||change all shop/store to myshopify.com CNAMEs|
- Mentioned In
- T106214: Wikimedia shop branded as 'Wikipedia' store
rODNS2683027b57cb: shop/store: switch old URL to cluster for redirect
rOPUP673bc07b6ef6: shop/store: switch redirects to store.wikimedia
rOPUPb541de20f987: remove dropped shop/store redirects
rODNSe6354edf6419: shop/store: set CNAME for store c.ssl.shopify.com
rODNS6202d055269b: drop shop & store entries from most projects
T96182: Update DNS for the Wikipedia store, before May 31
rODNS0d341d3be83c: change store to a CNAME for c.ssl.shopify.com.
- Mentioned Here
- T96182: Update DNS for the Wikipedia store, before May 31
Or did you mean to change the main shop URL to store.wikimedia.org? I'm afraid then we'll have to ask shopify again about changing the SSL cert.
How about we just add the additional redirect so that http://store.wikimedia.org/ also works but we leave the actual shop URL unchanged?
here are the existing redirects:
funnel shop.wiktionary.org shop.wikimedia.org
funnel store.wiktionary.org shop.wikimedia.org
funnel shop.wikiquote.org shop.wikimedia.org
funnel store.wikiquote.org shop.wikimedia.org
funnel shop.wikibooks.org shop.wikimedia.org
funnel store.wikibooks.org shop.wikimedia.org
funnel shop.wikinews.org shop.wikimedia.org
funnel store.wikinews.org shop.wikimedia.org
funnel shop.wikisource.org shop.wikimedia.org
funnel store.wikisource.org shop.wikimedia.org
funnel shop.wikiversity.org shop.wikimedia.org
funnel store.wikiversity.org shop.wikimedia.org
funnel shop.mediawiki.org shop.wikimedia.org
funnel store.mediawiki.org shop.wikimedia.org
funnel shop.wikimediafoundation.org shop.wikimedia.org
funnel store.wikimediafoundation.org shop.wikimedia.org
funnel shop.wikipedia.org shop.wikimedia.org
funnel store.wikipedia.org shop.wikimedia.org
funnel shop.wikipedia.com shop.wikimedia.org
funnel store.wikipedia.com shop.wikimedia.org
It's still completely unclear to me why any rename makes sense here. Is there some problem with "Wikimedia Shop" and shop.wikimedia.org? If so, this task should explain what the problem is so that we can evaluate it and come to a reasonable solution. Until there's clarification, I don't think this ticket should be acted upon at all.
@Victoria, could you reply to MZMcBride why it should be renamed? There seems to be no consensus here and i would like to avoid telling them to change the cert once again before there is agreement here.
The branding has already been updated, there's a Twitter account "wikipediastore", etc., so all that remains to be done is changing the canonical URL. I can't speak for Victoria, but I'm guessing that this rename is due to the greater brand recognition of the Wikipedia brand and due to the store mainly selling Wikipedia products. In any case, it's up to the shop team to pick the name for the thing :)
They can name it whatever they want, but wikipedia.org subdomains must run Wikimedia-approved-and-changeable code on WMF-owned hardware.
That said, it's not a good decision to name it "Wikipedia Store" as they are not allowed to run store.wikipedia.org as a proper (canonical) site - it can only be a redirect to somewhere which they can serve (say, store.wikimedia.org) from a third-party (*.wikimedia.org is not trusted by our software like *.wikipedia.org is for SUL, as we already have other third-party-hosted stuff there, e.g. status. and to some extent wikitech-static.).
Ah, I see. So, to recap -- the concern is:
- We set user authentication cookies on the wikipedia.org domain (not its subdomains like en.*);
- We don't do the same for sites like commons.wikimedia.org (there we set the cookie on commons.*, etc.)
In this configuration, putting potentially dangerous code on store.wikipedia.org would mean that any vulnerability in said code could be exploited to steal user credentials. Have I got that right?
If so, I'm not sure there is a good option here other than 1) going back to the old name, or 2) hosting it on a completely separate domain name.
That would keep the cookie away from their server (so a compromised store wouldn't be able to sniff the cookies), but won't save us from xss on their store site (which we have no review/controls for), doing all sorts of stuff to us.
That's pretty much it.
There is probably a way we could safely setup a reverse proxy to do this. It would be a significant amount of work, and would be pretty fragile.
After all that, I would still anticipate this would be something like SVG files-- we make it pretty safe, but it's going to be a constant stream of issues that we have to deal with long term.
Until someone can find a good reason to change the domain/store name or until someone can explain a single problem we're actually solving here (as opposed to the new problems we're considering creating here...), option 1 sounds pretty good to me!
Option 2 is obviously better than the fragile horror proxy madness, but that's not really saying much. Off-hand, it looks like wikipediastore.org is available.
That said, I've repeatedly mused about the idea of using the wikis and the existing (quite robust) payment processing system that's already in place for making donations to the Wikimedia Foundation as an alternative to Shopify. This leverages existing infrastructure and solves other issues such as interface translation and content management, which we do passably well using wikis. This is to say, I'd much rather see technical resources invested in (for example) making the shop available in more languages than I would seeing additional time wasted on renaming the shop for questionable benefit.
Err, the 'name' is one thing that I guess we can keep discussing however I was under the impression that Victoria had already said she understood the problem with store.wikipedia.org and now was just asking that we switch shop.wikimedia.org to store.wikimedia.org .... I feel like we're re-hashing an argument that is no longer needed....
That said if the decision was to re-think the decision then ignore me :)
Ah, thanks for pointing that out, James. Daniel asked me about this ticket and I assumed (given the ticket description and Daniel's explanation) that the proposal is still to rename to store.wikipedia.org. If store.wikimedia.org as the canonical URL is fine, that addresses the security concern and there should be no major blockers to change from shop.wikimedia.org to store.wikimedia.org. Renames are fun :-)
In consultation with the Wikimedia community. Did I miss a discussion?
The Wikimedia Shop was co-owned by the Wikimedia Foundation and the Wikimedia community. This has been made clear many times, but if you need a concrete example, here's an easy one: https://meta.wikimedia.org/wiki/Talk:Wikimedia_merchandise#Shop_Advisory_Committee.
Your comment seems to suggest that because the person has changed on the Wikimedia Foundation side of the relationship, the Wikimedia community side's opinion no longer matters. Respectfully, that view is crazy and isn't aligned with Wikimedia's values of shared ownership and responsibility.
And so I'm left wondering, yet again, what the motivation for rebranding the Wikimedia Shop as the Wikipedia Store is.
James is correct: We understand that we cannot use store.wikipedia.org, and we are OK with that. Now we are just asking we switch from shop.wikimedia.org to store.wikimedia.org, as we think Store sounds more consistent with the idea of a more complete brand.
*Can we have an ETA for this change?*
@MZMcBride: Sorry if this was unclear: The reason for a name change is visibility and branding. The rename is part of a bigger revamp the Store is going through, including new merchandise, new social media efforts, new community engagement projects and a brand new website.
In order for the Store to be successful and provide rewards to the community it needs to actually be able to reach supporters and promote sales. The name Wikipedia has a greater brand recognition, and we believed it would help with promoting the Store in many different channels. Rest assured that the impact and goal of the Store will not change: it remains supporting contributors of all sister projects :) This is just meant to be a cosmetic change so that we could be found more easily by supporters and wouldn't cause confusion because they don't recognize the name Wikimedia. Does that make sense? What we hoped the new name would improve is the visibility amongst the readers who are not familiar with Wikimedia but want to support our mission.
Also, we do look forward to collaborating more with the community, and actually need a lot of help! We have received a few merchandise suggestions, but we could really benefit from some technical support and other operational help to take the Store to the next level. We will post requests in a few village pumps and on meta soon.
I've confirmed the change with digicert. Shopify says:
"We'll add in store.wikimedia.org, but you'll need to confirm it one more time. It'll likely be done next week since the batches are sent out on Tuesdays and Thursdays."
Unfortunately they're not allowing us to overlap the names, so shop.wikimedia.org will start throwing cert warnings as soon as the change happens.
Shopify said "You can point your CNAME for store to c.ssl.shopify.com.."
but we have not used this before, the CNAME we have is for "shopwikipedia.myshopify.com."
so it seemed odd that would change and we asked.
The response is:
Thanks for the clarification. Andrew confirmed store.wikimedia.org earlier this week, so we associated the checkout SSL with c.ssl.shopify.com. There are a few CNAMEs for the custom SSL, where as, on the general plans you point your CNAME to your .myshopify.com. Doing this would move you to checkout.shopify.com for checkout though.
Whenever you're ready point your CNAME for store to c.ssl.shopify.com. We're going to be keeping the checkout SSL on both store.wikimedia.org and shop.wikimedia.org so you can go back and forth if you would like :).
so shopify said "whenever you're ready point your CNAME for store to c.ssl.shopify.com." and that we should use the _new_ CNAME for store.wm and we can have both without certificate errors, which is cool.
since that meant not having to touch the existing shop.wm i just did it and changed the entry for store as instruced. unfortunately this gave me a page saying "Sorry, this shop is currently unavailable" and i didn't want to leave it like this over the weekend, so i reverted that and mailed shopify.
for your new domain store.wikimedia.org, you'll need to change your CNAME for store to c.ssl.shopify.com. Currently it's an A record, which is 220.127.116.11. You need to change this to a CNAME not an A record. So CNAME for store to c.ssl.shopify.com. Once you've done this we can enable it properly on our end.
actually shopify said not to change the CNAME for the old shop URL. to make it a redirect we would have to. i'm inclined to not do them and call it resolved for now, realizing that tickets can be reopened if needed. ok?
yes, it is on the deployment calendar for today now. in a 14:00–15:00 PDT slot.
i'll update after that
[tin:~] $ apache-fast-test T92438 mw1022 testing 7 urls on 1 servers, totalling 7 requests spawning threads.. http://shop.wikimedia.org * 301 Moved Permanently http://store.wikimedia.org/ http://shop.wikipedia.org * 301 Moved Permanently http://store.wikimedia.org/ http://store.wikimedia.org * 200 OK 6136
deploying, tagged puppet run on appservers is now changing the config across all appservers
curl -vvv http://shop.wikimedia.org <h1>Moved Permanently</h1> <p>The document has moved <a href="http://store.wikimedia.org/">here</a>.</p>
@vshchepakina it's done. we made the switch for the redirect. it might be cached in some places but soon the redirect should work. i tested it on a server and locally on my laptop.
Oh! So this was a setting in the shop admin ui, right? I did not make any changes there, i only focused on the redirect on our servers. I assumed that the necessary shop config changes were made by shopify when they said to switch DNS over "any time".
Is everything ok now?