The Wikimedia Shop is going to be renamed to the Wikipedia store. Right now its URL is http://shop.wikimedia.org. I would like it to be named http://store.wikipedia.org. How can this be changed?
Related Objects
- Mentioned In
  - T106214: Wikimedia shop branded as 'Wikipedia' store
  - rODNS2683027b57cb: shop/store: switch old URL to cluster for redirect
  - rOPUP673bc07b6ef6: shop/store: switch redirects to store.wikimedia
  - rOPUPb541de20f987: remove dropped shop/store redirects
  - rODNSe6354edf6419: shop/store: set CNAME for store c.ssl.shopify.com
  - rODNS6202d055269b: drop shop & store entries from most projects
  - T96182: Update DNS for the Wikipedia store, before May 31
  - rODNS0d341d3be83c: change store to a CNAME for c.ssl.shopify.com.
- Mentioned Here
  - T96182: Update DNS for the Wikipedia store, before May 31
Event Timeline
@Dzahn bummer! let's keep it store.wikimedia.org then. Can store.wikipedia.org be still redirected to store.wikimedia.org?
http://store.wikipedia.org/ is a working redirect, just to http://shop.wikimedia.org because that's the main shop URL.
http://store.wikimedia.org/ currently just gets us the same as https://www.wikimedia.org/ but we could just make that a redirect to shop.wikimedia.org.
Or did you mean to change the main shop URL to store.wikimedia.org? I'm afraid then we'll have to ask shopify again about changing the SSL cert.
How about we just add the additional redirect so that http://store.wikimedia.org/ also works but we leave the actual shop URL unchanged?
here are the existing redirects:
Shop redirects
funnel shop.wiktionary.org shop.wikimedia.org
funnel store.wiktionary.org shop.wikimedia.org
funnel shop.wikiquote.org shop.wikimedia.org
funnel store.wikiquote.org shop.wikimedia.org
funnel shop.wikibooks.org shop.wikimedia.org
funnel store.wikibooks.org shop.wikimedia.org
funnel shop.wikinews.org shop.wikimedia.org
funnel store.wikinews.org shop.wikimedia.org
funnel shop.wikisource.org shop.wikimedia.org
funnel store.wikisource.org shop.wikimedia.org
funnel shop.wikiversity.org shop.wikimedia.org
funnel store.wikiversity.org shop.wikimedia.org
funnel shop.mediawiki.org shop.wikimedia.org
funnel store.mediawiki.org shop.wikimedia.org
funnel shop.wikimediafoundation.org shop.wikimedia.org
funnel store.wikimediafoundation.org shop.wikimedia.org
funnel shop.wikipedia.org shop.wikimedia.org
funnel store.wikipedia.org shop.wikimedia.org
funnel shop.wikipedia.com shop.wikimedia.org
funnel store.wikipedia.com shop.wikimedia.org
@Dzahn I really prefer store.wikimedia.org, especially since we can't have store.wikipedia.org as the main URL. Any chance you could contact Shopify again?
Change 199791 had a related patch set uploaded (by Dzahn):
shop redirects: store instead of shop
Change 199796 had a related patch set uploaded (by Dzahn):
shop URL: change 'shop' to 'store'
Victoria, yes, i will contact them. Also uploaded new patches for the redirect and DNS changes. (they need to be coordinated with the other changes).
It's still completely unclear to me why any rename makes sense here. Is there some problem with "Wikimedia Shop" and shop.wikimedia.org? If so, this task should explain what the problem is so that we can evaluate it and come to a reasonable solution. Until there's clarification, I don't think this ticket should be acted upon at all.
@Victoria, could you reply to MZMcBride why it should be renamed? There seems to be no consensus here and i would like to avoid telling them to change the cert once again before there is agreement here.
The branding has already been updated, there's a Twitter account "wikipediastore", etc., so all that remains to be done is changing the canonical URL. I can't speak for Victoria, but I'm guessing that this rename is due to the greater brand recognition of the Wikipedia brand and due to the store mainly selling Wikipedia products. In any case, it's up to the shop team to pick the name for the thing :)
They can name it whatever they want, but wikipedia.org subdomains must run Wikimedia-approved-and-changeable code on WMF-owned hardware.
That said, it's not a good decision to name it "Wikipedia Store" as they are not allowed to run store.wikipedia.org as a proper (canonical) site - it can only be a redirect to somewhere which they can serve (say, store.wikimedia.org) from a third-party (*.wikimedia.org is not trusted by our software like *.wikipedia.org is for SUL, as we already have other third-party-hosted stuff there, e.g. status. and to some extent wikitech-static.).
Ah, I see. So, to recap -- the concern is:
- We set user authentication cookies on the wikipedia.org domain (not its subdomains like en.*);
- We don't do the same for sites like commons.wikimedia.org (there we set the cookie on commons.*, etc.)
In this configuration, putting potentially dangerous code on store.wikipedia.org would mean that any vulnerability in said code could be exploited to steal user credentials. Have I got that right?
If so, I'm not sure there is a good option here other than 1) going back to the old name, or 2) hosting it on a completely separate domain name.
A possibly terrifying third option is to set up a cookie stripping reverse proxy that we run on shop.wikimedia.org and then have that proxy to whoever is running it...
/me runs away
Terrifying options may warrant some consideration, but I'll loop back with Victoria that this may be trickier than anticipated. @csteipp any thoughts on how security issues could be mitigated, and/or the suggestion above?
That would keep the cookie away from their server (so a compromised store wouldn't be able to sniff the cookies), but won't save us from xss on their store site (which we have no review/controls for), doing all sorts of stuff to us.
That's pretty much it.
There is probably a way we could safely set up a reverse proxy to do this. It would be a significant amount of work, and would be pretty fragile.
In addition to cookie stripping, we would need strong parameter whitelists (basically run mod_security on it) to attempt to mitigate xss vectors. We have to be ok with turning off the proxy if we find vulnerabilities on their site until they fix them. We would need an egress filter on the proxy too which does some amount of javascript parsing, to ensure that scripts on their site can't change the javascript domain. We would possibly want to inject CSP/XFO/nosniff headers into the response. We would need CORS blacklisting on all of our wikis where we already have *.wikipedia.org whitelisted. That's the stuff I can think of off the top of my head.
After all that, I would still anticipate this would be something like SVG files-- we make it pretty safe, but it's going to be a constant stream of issues that we have to deal with long term.
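The cookie-scoping concern recapped above, shown as an added example that is not part of the task discussion or Wikimedia's code: it applies the RFC 6265 domain-match rule to show which hosts a browser would send each cookie to. The cookie names `wikipediaAuth` and `commonsAuth` are constructed placeholders, and modelling the commons cookie with `Domain=commons.wikimedia.org` is an assumption based on the recap.

```javascript
// Added illustration; cookie names and the jar below are constructed.

// True for IPv4 dotted quads and anything containing ':' (IPv6 literals).
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain,
// or the host ends with "." + domain and the host is not an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  if (isIpLiteral(h)) return false;
  return h.endsWith("." + d);
}

// Names of the cookies a browser would attach to a request for `host`.
// A cookie set without a Domain attribute is host-only: exact match only.
function cookiesSentTo(host, jar) {
  return jar
    .filter((c) =>
      c.hostOnly
        ? host.toLowerCase() === c.domain.toLowerCase()
        : domainMatch(host, c.domain)
    )
    .map((c) => c.name);
}

// Constructed jar mirroring the recap: the auth cookie is scoped to the whole
// wikipedia.org domain, the commons cookie only to commons.wikimedia.org.
const jar = [
  { name: "wikipediaAuth", domain: "wikipedia.org", hostOnly: false },
  { name: "commonsAuth", domain: "commons.wikimedia.org", hostOnly: false },
];

for (const host of [
  "en.wikipedia.org",
  "store.wikipedia.org",   // third-party store here would receive wikipediaAuth
  "store.wikimedia.org",   // receives nothing from this jar
  "commons.wikimedia.org",
]) {
  console.log(host.padEnd(24), cookiesSentTo(host, jar).join(", ") || "(none)");
}
```

Stripping the `Cookie` header at a proxy would change only what reaches the third-party server; as noted in the thread, script running on a store.wikipedia.org page would still execute in a context the browser treats as part of wikipedia.org.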
Until someone can find a good reason to change the domain/store name or until someone can explain a single problem we're actually solving here (as opposed to the new problems we're considering creating here...), option 1 sounds pretty good to me!
Option 2 is obviously better than the fragile horror proxy madness, but that's not really saying much. Off-hand, it looks like wikipediastore.org is available.
That said, I've repeatedly mused about the idea of using the wikis and the existing (quite robust) payment processing system that's already in place for making donations to the Wikimedia Foundation as an alternative to Shopify. This leverages existing infrastructure and solves other issues such as interface translation and content management, which we do passably well using wikis. This is to say, I'd much rather see technical resources invested in (for example) making the shop available in more languages than I would seeing additional time wasted on renaming the shop for questionable benefit.
Err, the 'name' is one thing that I guess we can keep discussing however I was under the impression that Victoria had already said she understood the problem with store.wikipedia.org and now was just asking that we switch shop.wikimedia.org to store.wikimedia.org .... I feel like we're re-hashing an argument that is no longer needed....
That said if the decision was to re-think the decision then ignore me :)
Ah, thanks for pointing that out, James. Daniel asked me about this ticket and I assumed (given the ticket description and Daniel's explanation) that the proposal is still to rename to store.wikipedia.org. If store.wikimedia.org as the canonical URL is fine, that addresses the security concern and there should be no major blockers to change from shop.wikimedia.org to store.wikimedia.org. Renames are fun :-)
In consultation with the Wikimedia community. Did I miss a discussion?
The Wikimedia Shop was co-owned by the Wikimedia Foundation and the Wikimedia community. This has been made clear many times, but if you need a concrete example, here's an easy one: https://meta.wikimedia.org/wiki/Talk:Wikimedia_merchandise#Shop_Advisory_Committee.
Your comment seems to suggest that because the person has changed on the Wikimedia Foundation side of the relationship, the Wikimedia community side's opinion no longer matters. Respectfully, that view is crazy and isn't aligned with Wikimedia's values of shared ownership and responsibility.
And so I'm left wondering, yet again, what the motivation for rebranding the Wikimedia Shop as the Wikipedia Store is.
James is correct: We understand that we cannot use store.wikipedia.org, and we are OK with that. Now we are just asking we switch from shop.wikimedia.org to store.wikimedia.org, as we think Store sounds more consistent with the idea of a more complete brand.
*Can we have an ETA for this change?*
@MZMcBride: Sorry if this was unclear: The reason for a name change is visibility and branding. The rename is part of a bigger revamp the Store is going through, including new merchandise, new social media efforts, new community engagement projects and a brand new website.
In order for the Store to be successful and provide rewards to the community it needs to actually be able to reach supporters and promote sales. The name Wikipedia has a greater brand recognition, and we believed it would help with promoting the Store in many different channels. Rest assured that the impact and goal of the Store will not change: it remains supporting contributors of all sister projects :) This is just meant to be a cosmetic change so that we could be found more easily by supporters and wouldn't cause confusion because they don't recognize the name Wikimedia. Does that make sense? What we hoped the new name would improve is the visibility amongst the readers who are not familiar with Wikimedia but want to support our mission.
Also, we do look forward to collaborating more with the community, and actually need a lot of help! We have received a few merchandise suggestions, but we could really benefit from some technical support and other operational help to take the Store to the next level. We will post requests in a few village pumps and on meta soon.
I have resumed the process with shopify, this time asking to add 'store.wikimedia.org' to the cert. I will update here as events warrant.
I've confirmed the change with digicert. Shopify says:
"We'll add in store.wikimedia.org, but you'll need to confirm it one more time. It'll likely be done next week since the batches are sent out on Tuesdays and Thursdays."
Unfortunately they're not allowing us to overlap the names, so shop.wikimedia.org will start throwing cert warnings as soon as the change happens.
Shopify said "You can point your CNAME for store to c.ssl.shopify.com.."
but we have not used this before, the CNAME we have is for "shopwikipedia.myshopify.com."
so it seemed odd that would change and we asked.
The response is:
Thanks for the clarification. Andrew confirmed store.wikimedia.org earlier this week, so we associated the checkout SSL with c.ssl.shopify.com. There are a few CNAMEs for the custom SSL, whereas, on the general plans you point your CNAME to your .myshopify.com. Doing this would move you to checkout.shopify.com for checkout though.
Whenever you're ready point your CNAME for store to c.ssl.shopify.com. We're going to be keeping the checkout SSL on both store.wikimedia.org and shop.wikimedia.org so you can go back and forth if you would like :).
Change 203497 had a related patch set uploaded (by Dzahn):
change store to a CNAME for c.ssl.shopify.com.
so shopify said "whenever you're ready point your CNAME for store to c.ssl.shopify.com." and that we should use the _new_ CNAME for store.wm and we can have both without certificate errors, which is cool.
since that meant not having to touch the existing shop.wm i just did it and changed the entry for store as instructed. unfortunately this gave me a page saying "Sorry, this shop is currently unavailable" and i didn't want to leave it like this over the weekend, so i reverted that and mailed shopify.
now, also see T96182, which says " A Record to point to our new IP address: 23.227.38.32" in contradiction to what Andrew and myself have been told before by Shopify. an A record wasn't mentioned at all before, instead a CNAME and a new CNAME different from the existing one.
meanwhile i have done this part and dropped the shop AND store entries from most domains, of course except wikimedia.org and wikipedia.org
Change 204558 had a related patch set uploaded (by Dzahn):
remove dropped shop/store redirects
Change 204559 had a related patch set uploaded (by Dzahn):
shop/store: switch redirects to store.wikimedia
Change 204629 had a related patch set uploaded (by Dzahn):
shop/store: set CNAME for store c.ssl.shopify.com
for your new domain store.wikimedia.org, you'll need to change your CNAME for store to c.ssl.shopify.com. Currently it's an A record, which is 208.80.154.224. You need to change this to a CNAME not an A record. So CNAME for store to c.ssl.shopify.com. Once you've done this we can enable it properly on our end.
We have made the switch above per instructions from shopify. I have mailed Effie so that they can properly enable it on their end now.
The existing http://shop.wikimedia.org is untouched.
@vshchepakina It works for me now! Check out http://store.wikimedia.org/ it is not a redirect anymore but i can see the shop, yay. The old URL also still works. Should we redirect from the old to the new URL already?
@Dzahn yay!! Thank you so much everyone for making it happen!!!! I really appreciate all of your help!!!!!
@vshchepakina, both URLs work now. neither is a redirect to the other.
Dzahn wanted to know about what to do with the old URL. can we redirect it already or is there some reason to wait?
@Dzahn @Krenair @jeremyb sorry about that! Yes, could the old URL be redirected to the new http://store.wikimedia.org/ please?
actually shopify said not to change the CNAME for the old shop URL. to make it a redirect we would have to. i'm inclined to not do them and call it resolved for now, realizing that tickets can be reopened if needed. ok?
Change 204810 had a related patch set uploaded (by Dzahn):
shop/store: switch old URL to cluster for redirect
They are waiting in code review now and need Apache deployment. Robh said to put it on the Deployment Calendar and we should probably not do it on a Friday unless emergency.
@Dzahn I am doing the store announcement tomorrow and I was hoping to have a proper URL by now. Is there any chance it can be done by tomorrow?
yes, it is on the deployment calendar for today now. in a 14:00–15:00 PDT slot.
https://wikitech.wikimedia.org/wiki/Deployments#Monday.2C.C2.A0April.C2.A020
i'll update after that
[tin:~] $ apache-fast-test T92438 mw1022
testing 7 urls on 1 servers, totalling 7 requests
spawning threads..
http://shop.wikimedia.org
 * 301 Moved Permanently http://store.wikimedia.org/
http://shop.wikipedia.org
 * 301 Moved Permanently http://store.wikimedia.org/
http://store.wikimedia.org
 * 200 OK 6136
deploying, tagged puppet run on appservers is now changing the config across all appservers
curl -vvv http://shop.wikimedia.org
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://store.wikimedia.org/">here</a>.</p>
@vshchepakina it's done. we made the switch for the redirect. it might be cached in some places but soon the redirect should work. i tested it on a server and locally on my laptop.
@Dzahn there is a domain problem!!! Go to the store, add items to the cart, click checkout and it redirects you to the main page. What is going on?!:(((
Hey @vshchepakina! I just added items and clicked checkout, and it's taking me to a checkout.shopify.com URL.
@Dzahn shop.wikimedia.org just kept pulling the website back to that url so I had to delete it.
@jeremyb We deleted the url (shop.wikimedia.org) that was redirecting the cart page back to itself. It was creating a loop.
Who deleted it from where? your web browser?
Were you able to replicate this behavior on multiple devices?
We deleted it from the Shopify admin. And yes, I can replicate this behavior on multiple devices.
Oh! So this was a setting in the shop admin ui, right? I did not make any changes there, i only focused on the redirect on our servers. I assumed that the necessary shop config changes were made by shopify when they said to switch DNS over "any time".
Is everything ok now?