Things like this just seem to happen to these poor blokes on a regular basis, eh?
********
From: (Steve Dunlop) Date: Sat, 27 Dec 2008 14:59:20 -0600 Subject: [Arbcom-l] Arbcom wiki showing in google
New arbs are cautioned that the MW developers, despite their considerable skills in other areas, are very poor at keeping confidential information leak-free. This sort of thing has happened before and is likely to happen again.
Steve/UC
From: (David Gerard) Date: Sat, 27 Dec 2008 21:04:31 +0000 Subject: [Arbcom-l] Arbcom wiki showing in google
2008/12/27 Steve Dunlop
> New arbs are cautioned that the MW developers, despite their > considerable skills in other areas, are very poor at keeping > confidential information leak-free. This sort of thing has happened > before and is likely to happen again.
Yes. Basically, MediaWiki isn't the place to put anything you don't want to tell the world, as that's its entire function.
There are ways to protect the entire wiki more than the usual private wiki accessible via the Internet, but they aren't implemented on our wiki farm (and they're a major PITA for all involved) - things like .htaccess files as well.
- d.
From: (Steve Dunlop) Date: Sat, 27 Dec 2008 16:59:49 -0600 Subject: [Arbcom-l] Arbcom wiki showing in google
<<<Does using the secure server help, or is that only for the "sniffing passwords" bit?
Carcharoth>>>
No. What usually happens is that the developers take site maintenance actions that affect all the 100+ wikis hosted by WMF and either don't think through the implications for sensitive wikis or screw up the implementation.
We had one episode where they included a private wiki in the public backup tarball.
We had one episode where they made a private wiki visible on the tool server.
We had one MediaWiki patch that was buggy and caused information compromise, at least potentially. I can't remember where it was, but it was some new feature that worked great but forgot to check, on a private wiki, whether there was a user logged in.
And now this.
Steve/UC
|