19:32:02 <papoteur> #startmeeting 19:32:02 <Inigo_Montoya> Meeting started Mon Sep 4 19:32:02 2017 UTC. The chair is papoteur. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:32:02 <Inigo_Montoya> Useful Commands: #action #agreed #help #info #idea #link #topic. 19:32:22 <papoteur> [21:31] <stormi> I obtained bureaucrat rights, gave them to neoclust and am about to give them to you and lebarhon 19:32:58 <papoteur> #topic wiki credentials 19:33:09 <lebarhon> what are these rights about ? 19:33:29 <papoteur> stormi: for me, the question is to know how new users can get credentials 19:34:05 <stormi> bureaucrat is the right to give other users more rights 19:34:33 <stormi> I just made you bureaucrats so you can now give admin rights to people you trust 19:34:36 <papoteur> it's a good start 19:34:52 <stormi> Make sure to never give the bureaucrat rights to someone else, though 19:35:23 <lebarhon> We have to decide what trusty means 19:35:25 <stormi> #info bureaucrat rights given to docteam leaders so they can appoint trusted team members administrators 19:35:44 <stormi> It is you to decide, but not too many people if possible :) 19:36:46 <lebarhon> Do we need bureaucrat rights to write into the wiki? 19:37:07 <stormi> No, why would you? 19:37:26 <stormi> bureaucrat just means you can manage rights 19:37:40 <stormi> Any user can write into the wiki 19:37:49 <stormi> For now 19:38:04 <papoteur> stormi: and new users? 19:38:31 <stormi> marja disabled account creation for new users but that's temporary 19:38:56 <lebarhon> So, nothing changed 19:39:15 <papoteur> stormi: but if we restore automatic rights, how do we stop spammers? 19:39:53 <stormi> well, I'd like to tell what I did, first, but you've not let me finish. The bureaucrat rights are not the only thing. 19:40:23 <stormi> As team leaders you probably already have read https://www.mediawiki.org/wiki/Manual:Combating_spam 19:40:25 <papoteur> :) 19:40:54 <papoteur> sorry, not yet 19:41:00 <stormi> I activated 3 extensions listed there that can help us in the following days. 19:41:07 <stormi> (well, it's an interesting read) 19:41:27 <stormi> First extension that has been activated: Nuke 19:41:31 <lebarhon> I can't understand most of it :( 19:42:40 <stormi> Wiki admins like you can go to https://wiki.mageia.org/en/Special:Nuke and mass delete pages based on IP or user 19:42:54 <stormi> Be extremely careful with this tool, though 19:43:31 <papoteur> OK 19:43:33 <lebarhon> good point but we would prefer not to need it 19:44:00 <stormi> Second extension: TitleBlacklist 19:44:31 <papoteur> stormi: is there a confirmation step, with list of prevised deletions? 19:44:52 <stormi> papoteur: I don't know, but the extension's documentation on mediawiki.org probably tells 19:46:03 <stormi> Documentation for Nuke: https://www.mediawiki.org/wiki/Extension:Nuke 19:46:59 <stormi> Documentation for TitleBlacklist: https://www.mediawiki.org/wiki/Extension:TitleBlacklist 19:47:26 <stormi> The way it works: it forbids the creation of new pages that match the blacklist regexps 19:49:19 <stormi> Those regexps, we simply have to add them to a special wiki page: https://wiki.mageia.org/en/MediaWiki:Titleblacklist 19:49:57 <stormi> There's also a whitelist to allow specific pages to be created even when blocked by the blacklist: https://wiki.mageia.org/en/MediaWiki:Titlewhitelist 19:50:32 <stormi> Here's an example of a blacklist: https://www.mediawiki.org/wiki/MediaWiki:Titleblacklist 19:51:05 <stormi> The reason why I chose those extensions is simply because they were already on the servers (part of mediawiki standard distribution), but not active 19:51:40 <lebarhon> All that doesn't prevent spam, the spammer has only to choose the title 19:51:50 <stormi> Third extension, similar: SpamBlacklist. https://www.mediawiki.org/wiki/Extension:SpamBlacklist 19:52:30 <stormi> But this one only blocks URLs. 19:53:58 <papoteur> stormi: ? 19:54:22 <papoteur> what does mean block URLs 19:54:25 <papoteur> ? 19:54:45 <stormi> lebarhon: Well I spend my entired saturday afternoon on mediawiki and neoclust gave some of his time to help me too so if your only comments are "this is not enough", well first I know it already and secondly I'd rather play the newest Zelda that the postman brought today. 19:55:24 <stormi> papoteur: it means that for each URL added to a page, it will forbid it if it's blacklisted 19:56:04 <lebarhon> I thought it would be more simple to give credentials manually 19:56:22 <lebarhon> we have one or two newcomers a month 19:56:45 <lebarhon> it would be less work for you too 19:57:16 <papoteur> stormi: I'm very happy that we have a new sysadmin to work on our tools, be sure we appreciate your effort. 19:58:31 <papoteur> we try only to figure out how these extension can be good for us. 20:00:38 <stormi> The title blacklist would probably allow to stop the last spam attack we got, since it was probably from a bot given the number of pages 20:01:19 <stormi> but it's not 100% efficient, far from it 20:02:28 <papoteur> At least, for now, we have tools for counter-attack. 20:02:48 <lebarhon> what is the problem to give credentials manually? 20:02:54 <stormi> I don't feel we get enough spam attacks to warrant resorting to manual rights management, but if it is your team's decision that you want this solution to fight spam, they I'll try to implement it. 20:03:22 <stormi> Technically, there's no problem except that it needs some work 20:03:34 <stormi> Like any change 20:03:46 <lebarhon> Good to know it is possible 20:05:26 <lebarhon> Do we have to fill the lists? 20:05:30 <papoteur> What I think is go a try with these tools for now. 20:07:04 <lebarhon> To have the best tools, we need the best lists, I think (blacklist and whitelist) 20:08:01 <stormi> We can use lists that are available on the net, but to be honest what I thought is we could target first the very kind of spam we are receiving. 20:08:29 <stormi> If I remember correctly, we only get a few spammers each year 20:08:55 <lebarhon> a few attacks but a lot of different users 20:09:09 <stormi> What I'm more worried of, though, is about spammers that would not just add pages but change all the existing pages. We have no tool to fight this at the moment. 20:09:23 <stormi> So we still have to improve things. 20:10:17 <stormi> I think we should read https://www.mediawiki.org/wiki/Manual:Combating_vandalism and https://www.mediawiki.org/wiki/Manual:Combating_spam and choose the appropriate solutions for the future 20:10:28 <papoteur> does Nuke delete only page, or just modifications? 20:10:38 <stormi> only pages if I understand correctly 20:10:51 <stormi> so perfect for the last attack but not for every kind of attack 20:11:06 <papoteur> hmm 20:12:40 <marja> stormi: thx for all your work! Which ip addresses did last attack come from? 20:12:46 <papoteur> stormi: what do think about the hypothesis that we deliver right on demand? 20:12:53 <stormi> marja: I don't know :) 20:13:16 <marja> stormi: np 20:13:55 <stormi> papoteur: it is not my preferred option but I'm not against if it is considered the best solution and it does not prevent user contribution 20:14:33 <papoteur> What would needed ? 20:15:26 <papoteur> *be 20:17:52 <stormi> I suppose we need to create a new user group in mediawiki, move existing users to it, and then let bureaucrats give rights to new users on-demand (but "bureaucrat" is a dangerous right so only some people can be allowed to give rights to others) + add, I don't know how for now, a message when a user tries to edit a page, redirecting them to the forum thread (or threads, one per language?) 20:22:33 <papoteur> OK. 20:23:28 <stormi> But maybe mediawiki's online doc will give a better way of achieving on-demand rights attribution 20:23:58 <papoteur> lebarhon: do you mean that we can give a try with the 3 tools stormi activated? 20:24:01 <marja> yeah, I haven't really read it yet, either 20:24:38 <marja> lebarhon: if it goes wrong, we can disable auto-account-creation again 20:25:05 <lebarhon> of course, now we have them we must to use them 20:25:53 <stormi> nobody forces anybody to use them :) 20:27:13 <lebarhon> they aren't the tools I would have chosen (not sure if it is correct) but we can't always redo things again 20:28:47 <lebarhon> We must have a look on this and think about it 20:28:54 <stormi> lebarhon: as I said, they were already installed so I just activated them waiting for better 20:29:35 <marja> it's good to try them, it might be enough and else we'll find out what's missing and needs to be added or done differently 20:29:51 <papoteur> Thus a go or a wait? 20:29:54 <marja> go 20:30:04 <lebarhon> go 20:30:28 <papoteur> OK, go. 20:30:33 <marja> :-) 20:31:15 <stormi> Then maybe we should populate the title blacklist with words from the recent spam wave 20:31:17 <papoteur> I propose to stop now. 20:32:07 <stormi> From what I see, just "microsoft" could be a good start 20:32:08 <marja> stormi: so not yet enable auto-account-creation until that's done? 20:32:13 <papoteur> stormi: I have them 20:32:37 <papoteur> I think phone number could be a good filter. 20:33:03 <stormi> hmm, the problem is the blacklist page is public so in a way we'd still publish the phone number :) 20:33:10 <stormi> or maybe it's not public actually 20:33:32 * marja hopes it isn't 20:33:47 <stormi> Ok, it is public :) 20:34:10 <stormi> But we probably can make it private 20:35:15 <papoteur> sorry, Connection problem. 20:35:23 <marja> stormi: and we don't need any phone numbers in a title, so blacklist any long numbers in titles 20:35:33 <marja> papoteur: np 20:36:42 <papoteur> However, I have to leave. 20:37:02 <lebarhon> do we have a new meeting on thursday? 20:37:02 <stormi> marja: I blacklisted microsoft: https://wiki.mageia.org/en/MediaWiki:Titleblacklist 20:37:08 <stormi> papoteur: good night 20:37:36 <lebarhon> papoteur: think to end the meeting 20:37:37 <marja> stormi: great 20:37:42 <papoteur> lebarhon: I'm not availble. 20:38:01 <marja> papoteur: can you end the meeting, please 20:38:13 <papoteur> #endmeeting