From Meta, a Wikimedia project coordination wiki
Jump to: navigation, search

Developer Wishlist Survey: propose your ideas[edit]

At the Wikimedia Developer Summit, we decided to organize a Developer Wishlist Survey, and here we go:

The Wikimedia technical community seeks input from developers for developers, to create a high-profile list of desired improvements. The scope of the survey includes the MediaWiki platform (core software, APIs, developer environment, enablers for extensions, gadgets, templates, bots, dumps), the Wikimedia server infrastructure, the contribution process, and documentation.

The best part: we want to have the results published by Wednesday, February 15. Yes, in a month, to have a higher chance to influence the Wikimedia Foundation annual plan FY 2017-18.

There's no time to lose. Propose your ideas before the end of January, either by pushing existing tasks in Phabricator or by creating new ones. You can find instructions on the wiki page. Questions and feedback are welcome especially on the related Talk page.

The voting phase is expected to start on February 6 (tentative). Watch this space (or even better, the wiki page) - SSethi_(WMF) January 21st, 2017 3:07 AM (UTC)

2FA for all?[edit]

Last year in November we experienced an incident of hacked WMF/sysop accounts, which led to the rapid deployment of two-factor authentication (2FA) for sysops and some other important accounts; it was said that 2FA will become available for all users (non-sysops) as well, even “as soon as possible” (see link above). However, I am not sure whether this project is stalled, or someone has been (privately?) working in this field recently.

As a non-sysop user I am strongly interested in using 2FA with my Wikimedia account for reasons which have nothing to do with the November incident. 2FA is a standard feature in all sensitive web services today and it should be available in Wikimedia’s projects as well. Do you think it is possible to make this happen rather soon? Thanks, —MisterSynergy (talk) 06:00, 4 May 2017 (UTC)

You can ask for it at SRG. Ruslik (talk) 12:34, 12 May 2017 (UTC)
Hi MisterSynergy. How is your unprivileged wiki account sensitive? Having two-factor authentication attached to a bank account or an e-mail account is a lot different than a free wiki account, in my opinion. --MZMcBride (talk) 13:27, 12 May 2017 (UTC)
A regular wiki account that doesn't have admin or other privileged access isn't very useful to an attacker, but we can't discount any motives for why someone might try to hijack a wiki account. Spammers might try to take over a trusted account if they're blacklisted from account creation. Some trolls might hack someone's account to get them banned and cause drama. We should remember that not everyone responds to anger rationally online and some basement-dwelling hackers would hijack the account of someone who angered them to make offensive comments to get them banned and sabotage them. @r3df0x (talk) 19:51, 25 May 2017 (UTC)
We're clearly not ready for this yet, for instance Help:Two-factor authentication advertises unfree software and fails to provide usable directions to use FLOSS for the stated purpose. mw:Help:Two-factor authentication and wikitech:Help:Two-factor authentication are slightly better but don't contain complete instructions (e.g. that you need the --totp option). Nowhere we can find information on how to keep the secret key in a way that makes it safer than any password stored in a typical password manager. Accounts with 2FA get "lost" regularly, but we don't have an established process to recover them. Nemo 13:36, 12 May 2017 (UTC)
It should be noted however, that stuff like this usually doesn't get done until there is the need to do so. By pushing for this, there will be a need to solve these problems. By waiting, we will likely wait very long. We got more issues fixed in the 2 weeks after rolling out 2FA to sensitive accounts, then in the full year before and the half year since that period. —TheDJ (talkcontribs) 15:29, 12 May 2017 (UTC)
Regarding Help:Two-factor authentication and wikitech:Help:Two-factor authentication, {{sofixit}}.
Regarding password managers, I think you're missing the point. A password is a knowledge factor while a TOTP token is (intended to be) a possession factor. If someone sniffs the entered TOTP token, that won't do them much good after it expires in a few minutes. Anomie (talk) 13:34, 15 May 2017 (UTC)
I never said token. Nemo 13:45, 15 May 2017 (UTC)
I protect all my “important” accounts with 2FA, since being secretly keylogged is a significant threat when I don’t use my own machine. If 2FA is not available, I meanwhile refrain from logging on in those not-so-rare situations. 2FA can’t protect my account completely from being compromised, but I prefer to have it as secure as possible and 2FA does indeed help to some extent in my situation. I recently successfully requested oathauth-tester right at Steward requests/Global and activated 2FA for my account, and still hope that it will become available for all users soon. However, I also heard of the related issues and understand that WMF needs to elaborate some more solutions before this can actually happen. —MisterSynergy (talk) 14:47, 12 May 2017 (UTC)


Hi! I was wondering how long pages are cached before refreshed on wikipedia-servers. Some sources have said up to 90 days before the page is refreshed (parser functions and all), but looking at this phabricator issue it seems to be down to 1 day. Profoss (talk) 22:32, 14 May 2017 (UTC)

Up to 30 days, usually. --Nemo 13:47, 15 May 2017 (UTC)

Gadgets and Sandbox features for dty wiki[edit]

Moved from Steward requests/Permissions. Stryn (talk) 12:28, 20 May 2017 (UTC)

Hi, how can we got the Gadgets and Sandbox features for newly created Doteli Wikipedia(dty)? --Janak Bhatta (talk) 17:32, 19 May 2017 (UTC)

Create a page at dty:MediaWiki:Gadgets-definition like en:MediaWiki:Gadgets-definition and put some gadgets on it will enable Gadgets. Reedy (talk) 12:35, 20 May 2017 (UTC)

"Purge" button in Wikipedia's sister projects[edit]

At Wikipedia, when I clicked "Purge" button from the "More" scroll menu, the page is automatically updated and then leads to the same page. However, at sister projects, including Meta-wiki, when I clicked the "Purge" button, the page leads to the "Purge this page" page with the blue "OK" button. I had to enable the UTC clock/purge gadget, so I don't have to go to the "Purge this page" page. Any explanations about this? --George Ho (talk) 02:32, 24 May 2017 (UTC)

There are two gadgets that add purge link. The first one is a stand alone and the second one is the UTC clock gadget. Ruslik (talk) 02:42, 24 May 2017 (UTC)
Oh, yes: the stand-alone "Purge" gadget, which currently directs to that "Purge this page" screen. --George Ho (talk) 03:26, 24 May 2017 (UTC)