
Hello,

Given gerrit already works with openid I was wondering if the wiki could support the same. It seems there is an extension[1], and it also seems it's packaged for fedora[2]. Has anyone looked into this and would it be a desirable addition?

[1]: http://www.mediawiki.org/wiki/Extension:OpenID
[2]: http://koji.fedoraproject.org/koji/packageinfo?packageID=5922

On 01/24/2012 09:13 AM, Ewoud Kohl van Wijngaarden wrote:
> Hello,
> Given gerrit already works with openid I was wondering if the wiki could support the same. It seems there is an extension[1], and it also seems it's packaged for fedora[2]. Has anyone looked into this and would it be a desirable addition?
> [1]: http://www.mediawiki.org/wiki/Extension:OpenID
> [2]: http://koji.fedoraproject.org/koji/packageinfo?packageID=5922

My major concern with the wiki is keeping us from having spammers ever get accounts on there. We have enough trouble gardening our own work, we'd get buried if we had to manage spam pages.

I would reckon that OpenID would give a way for spammers to come in, unless we limited the OpenID servers we worked with, which would sort-of be against the reason for having OpenID in the first place.

But I'm very open to other thinking, just unsure how it would be implemented.

- Karsten
--
name: Karsten 'quaid' Wade, Sr. Community Architect
team: Red Hat Community Architecture & Leadership
uri: http://communityleadershipteam.org http://TheOpenSourceWay.org
gpg: AD0E0C41

On Tue, Jan 24, 2012 at 10:40:25AM -0800, Karsten 'quaid' Wade wrote:
> On 01/24/2012 09:13 AM, Ewoud Kohl van Wijngaarden wrote:
>> Given gerrit already works with openid I was wondering if the wiki could support the same. It seems there is an extension[1], and it also seems it's packaged for fedora[2]. Has anyone looked into this and would it be a desirable addition?
>> [1]: http://www.mediawiki.org/wiki/Extension:OpenID
>> [2]: http://koji.fedoraproject.org/koji/packageinfo?packageID=5922
> My major concern with the wiki is keeping us from having spammers ever get accounts on there. We have enough trouble gardening our own work, we'd get buried if we had to manage spam pages.
> I would reckon that OpenID would give a way for spammers to come in, unless we limited the OpenID servers we worked with, which would sort-of be against the reason for having OpenID in the first place.
> But I'm very open to other thinking, just unsure how it would be implemented.

I have no experience with mediawiki + openid myself, but maybe giving it a go and monitoring it would be good enough for now.

Possible downsides:
- Spammers use openid to spam

Possible upsides:
- More open to new people
- People can use a single account for both gerrit and the wiki

Since the wiki edits are also shown on IRC I think spam would be caught fast enough and in the worst case the change could be reverted.

On 01/24/2012 03:40 PM, Ewoud Kohl van Wijngaarden wrote:
> I have no experience with mediawiki + openid myself, but maybe giving it a go and monitoring it would be good enough for now.
> Possible downsides:
> - Spammers use openid to spam
> Possible upsides:
> - More open to new people
> - People can use a single account for both gerrit and the wiki
> Since the wiki edits are also shown on IRC I think spam would be caught fast enough and in the worst case the change could be reverted.

That's a good point, the wiki edits are watched that way more carefully.

What would our reaction be if we started to see spam edits via OpenID accounts?

* Can we easily disable those accounts?
* Would we revert to not using OpenID?
** Sometimes spammers seem to be doing test-spam on a wiki, so a few scattered edits might be preparation for an onslaught.

Also consider all this in terms of who is taking care of the wiki. We don't (yet?) have enough individuals or a team that seem to be taking on any wiki management tasks.

So a spamming situation could rally such folks, but it could also kill the energy while in the crib by overwhelming it with spam pages from incrementally more spam accounts.

I'm reacting a bit here to e.g. more wiki pages being incorrectly named than not, so a lot of wiki gardening required still. OTOH, I am very much in favor of lowering barriers as much as we can. I'd like to proceed with this discussion and just figure out a way to counterbalance the risks, etc.

Thanks

- Karsten

On 01/25/2012 06:03 AM, Karsten 'quaid' Wade wrote:
> On 01/24/2012 03:40 PM, Ewoud Kohl van Wijngaarden wrote:
>> I have no experience with mediawiki + openid myself, but maybe giving it a go and monitoring it would be good enough for now.
>> Possible downsides:
>> - Spammers use openid to spam
>> Possible upsides:
>> - More open to new people
>> - People can use a single account for both gerrit and the wiki
>> Since the wiki edits are also shown on IRC I think spam would be caught fast enough and in the worst case the change could be reverted.
> That's a good point, the wiki edits are watched that way more carefully.
> What would our reaction be if we started to see spam edits via OpenID accounts?
> * Can we easily disable those accounts?
> * Would we revert to not using OpenID?
> ** Sometimes spammers seem to be doing test-spam on a wiki, so a few scattered edits might be preparation for an onslaught.
> Also consider all this in terms of who is taking care of the wiki. We don't (yet?) have enough individuals or a team that seem to be taking on any wiki management tasks.
> So a spamming situation could rally such folks, but it could also kill the energy while in the crib by overwhelming it with spam pages from incrementally more spam accounts.
> I'm reacting a bit here to e.g. more wiki pages being incorrectly named than not, so a lot of wiki gardening required still. OTOH, I am very much in favor of lowering barriers as much as we can. I'd like to proceed with this discussion and just figure out a way to counterbalance the risks, etc.

can we separate the openid support for authentication (so people can use the same user/password) from authorization (can an openid account do something)?

so we would still have the process of an existing user has to give edit permissions to an openid user?

On Wed, Jan 25, 2012 at 10:17:43AM +0200, Itamar Heim wrote:
> On 01/25/2012 06:03 AM, Karsten 'quaid' Wade wrote:
>> On 01/24/2012 03:40 PM, Ewoud Kohl van Wijngaarden wrote:
>>> I have no experience with mediawiki + openid myself, but maybe giving it a go and monitoring it would be good enough for now.
>>> Possible downsides:
>>> - Spammers use openid to spam
>>> Possible upsides:
>>> - More open to new people
>>> - People can use a single account for both gerrit and the wiki
>>> Since the wiki edits are also shown on IRC I think spam would be caught fast enough and in the worst case the change could be reverted.
>> That's a good point, the wiki edits are watched that way more carefully.
>> What would our reaction be if we started to see spam edits via OpenID accounts?
>> * Can we easily disable those accounts?
>> * Would we revert to not using OpenID?
>> ** Sometimes spammers seem to be doing test-spam on a wiki, so a few scattered edits might be preparation for an onslaught.
>> Also consider all this in terms of who is taking care of the wiki. We don't (yet?) have enough individuals or a team that seem to be taking on any wiki management tasks.
>> So a spamming situation could rally such folks, but it could also kill the energy while in the crib by overwhelming it with spam pages from incrementally more spam accounts.
>> I'm reacting a bit here to e.g. more wiki pages being incorrectly named than not, so a lot of wiki gardening required still. OTOH, I am very much in favor of lowering barriers as much as we can. I'd like to proceed with this discussion and just figure out a way to counterbalance the risks, etc.
> can we separate the openid support for authentication (so people can use the same user/password) from authorization (can an openid account do something)?
> so we would still have the process of an existing user has to give edit permissions to an openid user?

That could be a mitigation in case we do get spammers.

I'm wondering how wikipedia handles this since that's an open wiki using the same software. Using an extension for authentication makes us a non-standard target and thus harder.

I think it's important, if not vital, for an open source project to have a low barrier to join. Making it easy to do small fixes on the wiki could help get people more involved.

So in short I think using openid authentication and open authorization will benefit the project at an acceptable risk of spammers. If we do notice spammers we can switch to user authorization with manual approval of users or in the worst case fully disable openid and revert to the current workflow.

On 01/25/2012 02:45 AM, Ewoud Kohl van Wijngaarden wrote:
> On Wed, Jan 25, 2012 at 10:17:43AM +0200, Itamar Heim wrote:
>> On 01/25/2012 06:03 AM, Karsten 'quaid' Wade wrote:
>>> On 01/24/2012 03:40 PM, Ewoud Kohl van Wijngaarden wrote:
>>>> I have no experience with mediawiki + openid myself, but maybe giving it a go and monitoring it would be good enough for now.
>>>> Possible downsides:
>>>> - Spammers use openid to spam
>>>> Possible upsides:
>>>> - More open to new people
>>>> - People can use a single account for both gerrit and the wiki
>>>> Since the wiki edits are also shown on IRC I think spam would be caught fast enough and in the worst case the change could be reverted.
>>> That's a good point, the wiki edits are watched that way more carefully.
>>> What would our reaction be if we started to see spam edits via OpenID accounts?
>>> * Can we easily disable those accounts?
>>> * Would we revert to not using OpenID?
>>> ** Sometimes spammers seem to be doing test-spam on a wiki, so a few scattered edits might be preparation for an onslaught.
>>> Also consider all this in terms of who is taking care of the wiki. We don't (yet?) have enough individuals or a team that seem to be taking on any wiki management tasks.
>>> So a spamming situation could rally such folks, but it could also kill the energy while in the crib by overwhelming it with spam pages from incrementally more spam accounts.
>>> I'm reacting a bit here to e.g. more wiki pages being incorrectly named than not, so a lot of wiki gardening required still. OTOH, I am very much in favor of lowering barriers as much as we can. I'd like to proceed with this discussion and just figure out a way to counterbalance the risks, etc.
>> can we separate the openid support for authentication (so people can use the same user/password) from authorization (can an openid account do something)?
>> so we would still have the process of an existing user has to give edit permissions to an openid user?
> That could be a mitigation in case we do get spammers.
> I'm wondering how wikipedia handles this since that's an open wiki using the same software. Using an extension for authentication makes us a non-standard target and thus harder.

AIUI, a large part is the legion of volunteers who revert spam edits. All of the protection tools, such as Captchas, are reportedly cracked by spammers.

> I think it's important, if not vital, for an open source project to have a low barrier to join. Making it easy to do small fixes on the wiki could help get people more involved.

This I do agree with, and wrote in to The Open Source Way handbook:

https://www.theopensourceway.org/wiki/How_to_loosely_organize_a_community#Us...

... and then as a project, struggle with how to handle the wiki auth.

(Short URL of above: http://bit.ly/TOSWOpenTooling )

> So in short I think using openid authentication and open authorization will benefit the project at an acceptable risk of spammers. If we do notice spammers we can switch to user authorization with manual approval of users or in the worst case fully disable openid and revert to the current workflow.

Are you able to volunteer to help with wiki gardening? In specific, keeping things cleaned up if we do get a spammer - reverting changes, deleting accounts, etc.

If we can get enough of us to watch things with commitment, then I'm much more comfortable with the idea of rolling out OpenID.

- Karsten

On Wed, Jan 25, 2012 at 01:35:04PM -0800, Karsten 'quaid' Wade wrote:
> Are you able to volunteer to help with wiki gardening? In specific, keeping things cleaned up if we do get a spammer - reverting changes, deleting accounts, etc.
> If we can get enough of us to watch things with commitment, then I'm much more comfortable with the idea of rolling out OpenID.

I can watch the RSS feed and monitor for spam. Given the current amount of wiki edits I don't think it'll take that much time.

On 01/26/2012 03:37 AM, Ewoud Kohl van Wijngaarden wrote:
> On Wed, Jan 25, 2012 at 01:35:04PM -0800, Karsten 'quaid' Wade wrote:
>> Are you able to volunteer to help with wiki gardening? In specific, keeping things cleaned up if we do get a spammer - reverting changes, deleting accounts, etc.
>> If we can get enough of us to watch things with commitment, then I'm much more comfortable with the idea of rolling out OpenID.
> I can watch the RSS feed and monitor for spam. Given the current amount of wiki edits I don't think it'll take that much time.

OK, I'm game for doing this then.

Can we do a quick process write-up here? That is, what do we think it's going to take in steps so far, then we can find the gaps and fill with our knowledge. In the end, I'd like to have the service up _and_ a page similar to these:

http://ovirt.org/wiki/Category:Infrastructure_documentation

- Karsten

On Fri, Jan 27, 2012 at 03:26:29PM -0800, Karsten 'quaid' Wade wrote:
> OK, I'm game for doing this then.
> Can we do a quick process write-up here? That is, what do we think it's going to take in steps so far, then we can find the gaps and fill with our knowledge. In the end, I'd like to have the service up _and_ a page similar to these:
> http://ovirt.org/wiki/Category:Infrastructure_documentation

Are you by any chance at FOSDEM this weekend? Maybe we could look at this in person.

On 01/31/2012 09:48 AM, Ewoud Kohl van Wijngaarden wrote:
> On Fri, Jan 27, 2012 at 03:26:29PM -0800, Karsten 'quaid' Wade wrote:
>> OK, I'm game for doing this then.
>> Can we do a quick process write-up here? That is, what do we think it's going to take in steps so far, then we can find the gaps and fill with our knowledge. In the end, I'd like to have the service up _and_ a page similar to these:
> Are you by any chance at FOSDEM this weekend? Maybe we could look at this in person.

Nope, I'll be blissfully at home. (I also never seem to find time to do those sorts of things at conferences.)

But if some others want to get together to talk about this or other infrastructure topics, I can be available remotely.

- Karsten

(Separating topics in this thread.)

On 01/25/2012 02:45 AM, Ewoud Kohl van Wijngaarden wrote:
> On Wed, Jan 25, 2012 at 10:17:43AM +0200, Itamar Heim wrote:
>> can we separate the openid support for authentication (so people can use the same user/password) from authorization (can an openid account do something)?
>> so we would still have the process of an existing user has to give edit permissions to an openid user?
> That could be a mitigation in case we do get spammers.

That's a rather nice idea - it would save us from losing the investment in getting OpenID working if we didn't have to roll all the way back, and if we had to fall-back to manual-initial authorization, at least we'd be helping contributors reduce account complexity.

- Karsten

On 01/24/2012 08:03 PM, Karsten 'quaid' Wade wrote:
> On 01/24/2012 03:40 PM, Ewoud Kohl van Wijngaarden wrote:
>> I have no experience with mediawiki + openid myself, but maybe giving it a go and monitoring it would be good enough for now.

I'm a fan of openid -- many is the time I've chosen not to engage somewhere because I don't want to create a new user name / password.

Jason

On 01/25/2012 09:06 AM, Jason Brooks wrote:
> On 01/24/2012 08:03 PM, Karsten 'quaid' Wade wrote:
>> On 01/24/2012 03:40 PM, Ewoud Kohl van Wijngaarden wrote:
>>> I have no experience with mediawiki + openid myself, but maybe giving it a go and monitoring it would be good enough for now.
> I'm a fan of openid -- many is the time I've chosen not to engage somewhere because I don't want to create a new user name / password.

Careful or I'll recruit you to the wiki gardening crew. :)

- Karsten

Participants (4): Ewoud Kohl van Wijngaarden, Itamar Heim, Jason Brooks, Karsten 'quaid' Wade