Jump to content

Wikipedia:Village pump (proposals)

From Wikipedia, the free encyclopedia
(Redirected from Wikipedia:VPR)
 Policy Technical Proposals Idea lab WMF Miscellaneous 

The proposals section of the village pump is used to offer specific changes for discussion. Before submitting:

Discussions are automatically archived after remaining inactive for nine days.

Should other groups be able to use 2FA by default?

Should other groups be able to use 2FA by default? ~/Bunnypranav:<ping> 16:13, 11 February 2025 (UTC)[reply]

Background

In Wikipedia:Village pump (proposals)/Archive 216#Allowing page movers to enable two-factor authentication, many people advocated for other advanced and even that all used should be able to use 2FA by default. This RfC clearly asks which groups should get 2fa. This is asking for them to have the permission/ability to turn 2FA on, i.e. have the oathauth-enable right, not require these group holders to use 2fA. This will allow these users to enable 2FA themselves and not have to ask stewards at meta. Feel free to choose one or more options:

~/Bunnypranav:<ping> 16:14, 11 February 2025 (UTC)[reply]

Survey (2FA for more groups)

  • Support option 2, since that adds a basic barrier of I know what I'm doing. As said by me in the previous discussion, the responsibility and accountability of protecting your account lie on you and not WMF. Yes, they can assist in recovery, but the burden should not lie on them.~/Bunnypranav:<ping> 16:13, 11 February 2025 (UTC)[reply]
  • Oppose 1 and 2 - what this really would do is allow people to enroll in 2FA without asserting that they know what they're doing, which seems bad. Weak oppose 6, since rollback doesn't really grant you the ability to do anything you couldn't already, so it shouldn't be a distinguisher here. Weak support the others, I guess. * Pppery * it has begun... 16:45, 11 February 2025 (UTC)[reply]
  • Support 2 and weak support 1. We don't need to put a barrier to make sure people know what they're doing if they choose to set up 2FA. If they activate it, we can presume that they have an idea of how it works, and any consequence for their mistakes only affects them. Only weak support for 1 as the presumption of "they have an idea of what they're doing" is a bit lower for very new editors who might not be as familiar with the interface, but we can still presume that a new user finding the 2FA setting didn't do it fully by accident. Chaotic Enby (talk · contribs) 16:54, 11 February 2025 (UTC)[reply]
  • I was the person who made the original page mover 2FA proposal. I think that out of these groups, only file movers have a significant need for 2FA access, since that right allows for the ability to make rapid changes that could affect tens of thousands of pages (similar to template editors). However, I'm not opposed to allowing all autoconfirmed users to enable 2FA, as long as they must turn on a preference where they accept the risks of using it. This is similar to how the IP Information tool works. JJPMaster (she/they) 17:02, 11 February 2025 (UTC)[reply]
    I would also be fine with encoding in PHP the current process with a preference checkbox, since that's all the stewards ask for as it stands. * Pppery * it has begun... 17:08, 11 February 2025 (UTC)[reply]
  • Oppose all until Special:Manage Two-factor authentication (MediaWiki:Oathauth-ui-general-help) is rewritten in non-technical language that clearly explains the benefits and risks of enabling 2FA and links to the detailed help at WP:2FA. Once that has been rewritten then I'll consider which if any of the above groups should have access by default. Thryduulf (talk) 17:49, 11 February 2025 (UTC)[reply]
    I written up a draft at User:Bunnypranav/Oathauth-ui-general-help, and also posted an edit request at MediaWiki talk:Oathauth-ui-general-help. I am open to anyone editing my sandbox to create a more detailed and descriptive message. ~/Bunnypranav:<ping> 12:34, 12 February 2025 (UTC)[reply]
    Thryduulf, gentle reminder if you would be willing to reconsider your decision, now that the message has been updated. Thanks! ~/Bunnypranav:<ping> 12:22, 27 February 2025 (UTC)[reply]
    Oppose all. Despite the improved message, I'm convinced by the arguments below that the whole system is still not robust enough for casual adoption. It's true that going to meta to make a request is a small, arguably tedious hurdle, but it forces turning on 2FA to be a considered, conscious action which serves to reduce the number of people who will get locked out of their account accidentally. Thryduulf (talk) 14:29, 27 February 2025 (UTC)[reply]
  • Oppose all. There is already insufficient support for those who currently must or may have the WMF 2FA. The software is not yet properly supported, the planned-for upgrades are not yet complete, the documentation for the software is incomplete and not intuitive, and the only people who can turn off 2FA in case of loss of device are the very very small number of people with shell access. None of the roles listed above have the ability to adversely affect any project any more than an average user, unlike those few roles that today are required to have 2FA. Risker (talk) 19:01, 11 February 2025 (UTC)[reply]
    This might sound a bit blunt, but why should WMF care so much about recovering account who lost 2FA. If a user with no email given loses their password, its their own fault, WMF need not take any responsibility it tediously recovering it. Then can try and help, but they are not liable. Also, as SD has said below, the most newbie and non-techie friendly version a 2FA app, at least on android, is Google Authenticator, which drastically minimizes risk of losing by automatically syncing to a google account. Other platforms also offer such easy to use solutions. ~/Bunnypranav:<ping> 12:20, 12 February 2025 (UTC)[reply]
    Because people mess this up all the time, then start using up volunteer and staff time complaining about it. — xaosflux Talk 15:41, 12 February 2025 (UTC)[reply]
    How many people will even take the time and effort to enable 2FA? One has to install an authenticator app (probably with cloud backup enabled by default), scan the code, and enter a verification code from the app before even turning it on. This is not something like I clicked a button and now I'm locked out account level easy to mess up; those people who manage to enable this, and lose access to it should be less than people without an email who lost the password and now did a clean start. We can advise these limited people to do the same as well (fresh start, with a CU verify if they need advanced perms early). ~/Bunnypranav:<ping> 07:29, 13 February 2025 (UTC)[reply]
    Trust me, a shockingly high number of people screw up 2FA. There are 2 solutions to this problem. Either a) we don't care. We put a big warning, and if you mess it up you are permanently locked out. Or b) we decide its acceptable to use a lower level of validation for unprivleged accounts. Something like we send an email and wait 7 days and unlock the account if nobody responds. This defeats some of the point of 2FA, as an attacker can now attack this weaker process, but perhaps is a reasonable compromise. It all comes down to what you want to protect against with 2FA. There is a certain sense that in practise the real thing 2FA protects against is people reusing passwords (credential surfing), because in essence its a fancy password that wikipedia chooses for you. Bawolff (talk) 12:51, 13 February 2025 (UTC)[reply]
    "The software is not yet properly supported, the planned-for upgrades are not yet complete" – as far as I know, and based on ACN's comment at the last discussion, 2FA is not being actively worked on. If we are waiting for upgrades, we will likely be waiting years.
    "None of the roles listed above have the ability to adversely affect any project any more than an average user" – Autopatrolled and NPP can bypass article review processes and are highly coveted by promotional scam rings like Orangemoody, which you should be very familiar with. In my opinion, these groups are, right behind governments, the largest and most organized threat to Wikipedians. Toadspike [Talk] 07:48, 18 February 2025 (UTC)[reply]
  • Oppose all per Risker above. If someone really really wants to test 2FA they can already opt-in after being warned about risks. — xaosflux Talk 19:09, 11 February 2025 (UTC)[reply]
  • Oppose I am an admin and I don't use 2FA. The reason for that is that the implementation is (as Risker says above in far more polite language that me) a pile of crap, and I don't think the devs want an ever-increasing list of people who have managed to lock themselves out. Black Kite (talk) 19:13, 11 February 2025 (UTC)[reply]
  • Support 3–6 Like I mention in the reply below to Risker, a lot of the opposition to 2FA arises out of ignorance of how 2FA works. People seem to assume that the "multitude of commercial and free 2FA software" are incompatible with Wikimedia sites when in fact, they aren't. You can very well use Google Authenticator, Authy, Ente Auth and other 2FA apps with WMF sites – all three of these apps support syncing of your tokens in the cloud, ensuring that even if you lose your device, you can still view tokens using another device. – SD0001 (talk) 12:15, 12 February 2025 (UTC)[reply]
    The real problem is the collision of two situations: (a) many end users are ignorant of how 2FA works technically, and have no idea how to properly manage their recovery codes or backup and restore anything; (b) unlike many other places you may set up 2FA, we don't have good other ways to authenticate someone to aid in helping them recover from their errors in (a), nor a support system to with cycles to do it if they could. — xaosflux Talk 23:29, 12 February 2025 (UTC)[reply]
  • Support all, but from what I understand of the conversation above is that it's not well-implemented. MFA/2FA is great for account security, which is why nearly every service does it. Google can enable it for every user, why shouldn't we? SWinxy (talk) 16:53, 13 February 2025 (UTC)[reply]
    Google can enable it for every user, why shouldn't we? The biggest difference between Google's 2FA and Wikimedia's 2FA is that Google has approaching infinitely better support for those that are locked out of their account due to 2FA than we do, both in terms of number of options and in terms of support bandwidth. Google has multiple options available to establish identity, and literal teams of customer support people who can implement and help. Wikimedia sometimes has an email address, very occasionally has personal knowledge and very little else in terms of options, and rather than dedicated customer support people only a circa single digit number of developers who can implement and help. The difference is comparable to that between a multi-lane highway and a barely used footpath through the woods - both will get you from A to B but that's about where the similarities end. Thryduulf (talk) 18:39, 13 February 2025 (UTC)[reply]
    Google also still gets criticism for permenantly locking people out of their accounts with no recourse. Bawolff (talk) 19:05, 13 February 2025 (UTC)[reply]
  • Option 2 and probably everything else. Serial (speculates here) 19:10, 13 February 2025 (UTC)[reply]
  • Support 3, 4, and 5 based on ACN's comment and ToBeFree's comment, especially "there will be page movers who wouldn't request a global permission for 2FA yet would enable it in their preferences if it was a simple option", at the pagemover discussion. Autopatrolled and NPP are the most coveted userrights to scam rings and other malicious groups targeting Wikipedians. It is ridiculous that a user wishing to use 2FA has to bother a Steward to do so. 2FA is not going to get any better anytime soon, so we may as well encourage folks to start using it now and lower the barriers to doing so.
I am neutral on 1, 2, and 6. I don't think rollbackers need extra security, and while I agree in principle that most users should have access to 2FA I strongly disagree that extended confirmed = "I know what I'm doing". On the other hand, checking a box in your Preferences to activate 2FA does mean you should know what you're doing, and (assuming the explanatory pages are well-written) it's mostly your fault if you screw up. Toadspike [Talk] 07:37, 18 February 2025 (UTC)[reply]
  • Support 2 as optional choice for EC - i see args for technical limitations and user incompetence to be strange. It should not be hard to extend a preexisting system to other users, including those seeking additional protection. Honestly, if its buried as a preference for an account, most folks won't use it. User:Bluethricecreamman (Talk·Contribs) 04:46, 19 February 2025 (UTC)[reply]
  • If you really want 2FA you can just go to Meta and get the requisite user right freely - provided you've understood the risks involved. It would be better and easier to direct users interested in 2FA to go there, IMHO, and make that venue more visible. No need to separately enable 2FA access for a large number of users here - that's redundant, at the least. JavaHurricane 23:24, 20 February 2025 (UTC)[reply]
    The main concern raised is why should people bother to go to meta and request stewards? 2FA/MFA should be allowed by default. ~/Bunnypranav:<ping> 06:44, 21 February 2025 (UTC)[reply]
    Because we actually want people to understand the problems with the current 2FA system that Risker brings up before they get it for themselves. And if it really is a big deal to have to actually click on a link, read through a documentation page and write two lines in a request: well, what do I know. I for my part see this as a solution in search of a problem, and one that may result in users not being aware of the issues by default. And your blunt reply to Risker above is poorly thought: people can lose access to their authenticator app and security codes without any fault of their own, such as purely accidental loss of device, or a change in device, etc. It definitely is the WMF's job to care about if 2FA users can get locked out of their accounts and what should be done in such circumstances. For what it's worth, I had got 2FA for myself but had to turn it off when changing devices because for whatever reason Google Authenticator wouldn't load my Wikimedia 2FA on the new device. JavaHurricane 19:30, 21 February 2025 (UTC)[reply]
    If a person is signing up for a service [MFA], I guess they should be aware of the risks involved and what they're getting into? WMF should not have the job of taking care of users who just like to turn on stuff for the sake of testing it, and then lose their account. If I have to give a comparison, this is like saying you should request someone to be able to add a password to your account, because some people do not know how to save it and lose access to their account (lost password, no email set). If we can entrust saving a password to every user, why can't the same be extended to MFA? After all, it's another password. ~/Bunnypranav:<ping> 07:18, 22 February 2025 (UTC)[reply]
    The flaw in this analogy is that there is no way to "not have a password" or some other authorization credential and still have user accounts be a thing—there must necessarily be some credential for the computer at the other end to request, for you to prove that you are actually User:Example and not, J. Q. Random, or, another computer executing a program to guess passwords and crack into people's accounts. (And of course, as-is, people can edit without any account, subject to some restrictions.)
    This in fact—no accounts—is precisely how Wikipedia was when it first began back in the primeval eons of 2001 on Usemodwiki! There are no user accounts on Usemodwiki; the site is simply world‐writable by all and sundry. "Administrative tasks" such as deleting and blocking were protected behind "the admin password": the way you originally became an admin was, you asked Jimbo on the mailing list and if he approved he emailed you the password. (Have a look at nostalgia:Wiki Administrators.)
    This is the origin of what functions were originally bundled into the "administrator" package. When what became Mediawiki was first written, it essentially just copied the functions of UseMod and that distinction between "regular user" and administrator, only now with actual individual user accounts with password authentication, hooked into the Mediawiki SQL database backend. --Slowking Man (talk) 05:33, 23 February 2025 (UTC)[reply]
    @Slowking Man The analogy seems wrong, but it is actually being done, IRC. Unless you specifically set a password, your nickname is free for anyone to use (Ofcourse I'm not ranting about IRC, it is an example). Same can be extended for my argument about widely available MFA in Wikimedia, like we have a password granted by default to users, why can't we give them the opportunity to get a second password (MFA)? ~/Bunnypranav:<ping> 06:02, 23 February 2025 (UTC)[reply]
    There is a bit of a distinction: In IRC, two clients can't both have the same nick at once. The distinction arises because IRC is a stateful protocol, while HTTP (Web) is stateless. In IRC, servers keep track of which client currently has nick X; in HTTP servers have no concept of "users" or "usernames" or "user X is currently connected to me" (a connection state), anything like that. All that, where it exists, is implemented "on top" of HTTP in the application layer via mechanisms like Web cookies. (Similarly IRC nick "ownership" and authentication are implemented "on top" of IRC—which is a very rudimentary protocol—by adding "network services" like NickServ, which are just "bot" programs that sit on the network as users with superuser powers and (in the case of nicks) kick people off a nick unless they authenticate with the password.)
    The IRC case is actually quite similar to how "anonymous" users work in Mediawiki: because of TCP being stateful and connection-oriented, and IP using globally-unique "public" addresses, two clients can't both have the same IP address at once (analogy: IRC nicks). There can't be a situation where one-half of an edit from 1.2.3.4 is from one person, and the second half of the edit is from a different person on another continent. However IP addresses can be reassigned, so from one edit to the next, 1.2.3.4 can be different people.
    Also, from reading others' comments, my understanding is that 2FA de facto already is available to anyone who wants it? You just have to jump through the hoop of going to Meta and asking for it. --Slowking Man (talk) 17:02, 23 February 2025 (UTC)[reply]
    Also, from reading others' comments, my understanding is that 2FA de facto already is available to anyone who wants it? You just have to jump through the hoop of going to Meta and asking for it.
    Yes, anyone who wants it and isn't in a 2FA group here just needs to:
    1. Know they need to ask at Meta
    2. Ask at Meta
    3. Convince whoever it is at Meta that does the processing of requests that they understand the risks.
    My understanding is that all that is required for 3 is:
    1. Making the request in the right place
    2. Stating that you have read the documentation and/or understand the risks
    3. Not doing/saying something that makes it obvious you don't understand the risks
    Thryduulf (talk) 18:17, 23 February 2025 (UTC)[reply]
    Apologies if I did not get it clear, IRC was just an example with no intentions to get into the nitty-gritties of the tech behind it. Since 2FA is just frame a rationale to stewards that you know what it is and what can be the risks, I proposed that everyone*(EC if option 2, autoconfirmed if option 1) have it by default, with an additional change to the 2FA interface message (MediaWiki:Oathauth-ui-general-help) to clearly indicate the risks. I believe that it should help give the opportunity to help more people to secure their accounts. ~/Bunnypranav:<ping> 12:47, 24 February 2025 (UTC)[reply]
    In re If we can entrust saving a password to every user, why can't the same be extended to MFA?
    We entrust saving a password to every user, and people do lose their accounts this way. However, the difference is that the password works the way people expect, and the 2FA software is ...maybe not quite so likely to meet people's expectations. WhatamIdoing (talk) 19:27, 26 February 2025 (UTC)[reply]
  • Support > 3 provided it is optional, tbh the current defacto granting standard for oauth-testers on meta seems to be "has a pulse and/or has eyes". We are merely going to save folks a trip down to meta with this change. Sohom (talk) 04:50, 21 February 2025 (UTC)[reply]
  • Support 3, 4, 5 and 6 per Toadspike and TBF. Users in these groups are trusted by the community to wield advanced permissions that can do damage in the wrong hands so any argument about incompetence does not convince me, especially after MediaWiki:Oathauth-ui-general-help was updated to mention the risks. If such users want to secure their accounts with 2FA, they shouldn't need to ask anyone for it. Nickps (talk) 16:18, 4 March 2025 (UTC) 6 added on 18:52, 4 March 2025 (UTC)[reply]
    On second thought, supporting 6 as well. While not as dangerous as the others, I think that a user trusted with rollback can be trusted with 2FA as well. Nickps (talk) 18:52, 4 March 2025 (UTC)[reply]
    I don't think 2FA is a trust-based permission. Whether or not someone can use it is determined more by a baseline understanding of the technical risks of using it rather than trust. JJPMaster (she/they) 13:32, 11 March 2025 (UTC)[reply]
    That's not what I'm saying. My point is that editors are expected to be competent. This is even more true for editors holding advanced permissions. Therefore, we shouldn't insult their intelligence by having them tell the stewards that they understand the risks before they gain access. We should just assume they do. Nickps (talk) 13:56, 11 March 2025 (UTC)[reply]
    We expect editors to be competent at editing the encyclopaedia, we do not require them to be competent with poorly supported technologies with risks that are significantly greater than (and significantly different to) anything else you can casually turn on in your settings. Ensuring someone is actively aware of the risks of permanently losing access to their account is not an insult to their intelligence but a proportionate precaution. Thryduulf (talk) 14:28, 11 March 2025 (UTC)[reply]
    anything else you can casually turn on in your settings There's nothing casual about enabling 2FA even if you don't have to ask the stewards for permission. It's an process with multiple steps involving at least 2 different UIs, (WP and the 2FA app). Multiple warnings are given before and during this process. If the user ignores them and gets locked out of their account because of it, it's on them to convince T&S to let them back in. Otherwise, that's a CIR global lock right there. Nickps (talk) 15:49, 11 March 2025 (UTC)[reply]
  • Oppose all, you can already get 2FA tester by just asking the stewards for it, and they'll just ask if you actually read the policy (ie: don't blame us if you screw up 2FA because you didn't read it). I don't think we should really need to make it easier, especially when the only support for being locked out is essentially to convince Trust and Safety/sysadmins that you're the legitimate owner of the account. EggRoll97 (talk) 16:34, 4 March 2025 (UTC)[reply]
  • Oppose all, as the benefits basically consist of a couple fewer requests on SRP and are far outweighed by the massive backlog for T&S/sysadmins that would result. I am not convinced that occasional non-admin compromised accounts pose a major security risk. Three Sixty! (talk, edits) 16:07, 11 March 2025 (UTC)[reply]
  • Support 2 I've been waiting for the day when more users will be able to use 2FA. This would allow more users to be able to protect their accounts even if they don't pose a greater security risk. Extended confirmed users will know what they are doing and are far less likely to cause problems in this area than autoconfirmed users. Knowledgegatherer23 (Say Hello) 17:43, 21 March 2025 (UTC)[reply]
    This would allow more users to be able to protect their accounts even if they don't pose a greater security risk. given that anybody can currently request 2FA at Meta, this won't increase the number of people able to use 2FA. Thryduulf (talk) 18:27, 21 March 2025 (UTC)[reply]
    But it'll definately make it easier to enable it and encourage more people to better secure their account. ~/Bunnypranav:<ping> 04:09, 22 March 2025 (UTC)[reply]

Discussion (2FA for more groups)

  • "with a registered email" isn't even an available option in this software. If someone wants this, I hope they are ready to write a patch to build it... — xaosflux Talk 19:11, 11 February 2025 (UTC)[reply]
  • Just noting that a lot of people already have non-WMF 2FA in one form or another. For me, it's that I need it to open my password keeper, which I need to do because I have no idea what my passwords for WMF wikis are. So I've already done a 2FA before I even log into my account. There is a multitude of commercial and free 2FA software, much of which is better supported than the WMF variant; if people are really concerned about the security of their account, they should consider that. Or not do things like use public computers or wifi in Starbucks, or choosing easy passwords; account security is ultimately the responsibility of the user. Note that I'm not kicking the WMF on this point; I know that improving this software and ensuring proper "ownership" and ongoing maintenance is very much on their radar, but there's still a lot of work to be done. We do need to keep in mind that the underlying software was created for WMF staff (at the time a much smaller and cohesive group), and it was maintained by volunteers for most of its existence. Risker (talk) 22:50, 11 February 2025 (UTC)[reply]
    There is a multitude of commercial and free 2FA software, much of which is better supported than the WMF variant Please avoid spreading FUD about 2FA. There is no WMF "variant" – Wikimedia uses the same, standard TOTP protocol like most other websites. I have been using 2FA for Wikimedia and other accounts for 5 years and have never faced any issue, nor seen any difference in Wikimedia's implementation as compared to others. – SD0001 (talk) 12:15, 12 February 2025 (UTC)[reply]
    My point is that many people are already using 2FA just to get to their WMF account. Having to then use the WMF 2FA on top of that adds zero security. The WMF requires the use of its own software (what I call the WMF variant) for certain permission types. It is in fact distinct from others, only a very limited number of WMF people are authorized to reset it. This is all well and good for English Wikipedia, but we are the exception. We speak the same language as the primary contacts to get things fixed. Most of the rest of the world doesn't. There is zero security or other benefit for those groups to use 2FA on their WMF account. The project doesn't benefit. The more people who use this particular extension, the more WMF resources are needed to support users who mess up. Given the non-existent security benefit for the websites, that is not good use of our resources. (And yes, I would call the one that I need for my password keeper a variant, just as I would the one I need for Google, and the one I need for two other apps I use. They may use the same principles, but they are all linked to specific functions and are only useful on that one site or group of sites.) Risker (talk) 19:01, 12 February 2025 (UTC)[reply]
    We don't use the term 2FA for anything other than mw:Extension:OATHAuth – doing that would be very confusing. The WMF requires the use of its own software (what I call the WMF variant) for certain permission types. It is in fact distinct from others,... Which permission types? Which software? I don't think what you are referring to has anything to do with this proposal. – SD0001 (talk) 07:23, 13 February 2025 (UTC)[reply]
    You can use any compatible client-side software for this, server-side you obviously have to use that extension. WMF only requires 2FA enrollment for these groups: meta:Category:Global user groups that require two-factor authentication. — xaosflux Talk 09:54, 13 February 2025 (UTC)[reply]
    This is a bit of a pet peeve of mind, but i think we should stop telling people not to use the wifi in starbucks. While that was good advice in 2010, its not really accurate anymore (hsts preload makes pulling off a MITM attack against Wikipedia very difficult even if you are on path). As far as what you're describing with a password manager - that is very good security practise, but would traditionally not be considered a form of 2FA (arguably though the security benefits are mostly the same). Bawolff (talk) 12:34, 13 February 2025 (UTC)[reply]
    Pure technical note: things like password managers are nice, but they don't add any "extra" security to your WMF account—besides encouraging you to use a better password. The password is the only thing that proves your identity as the account owner to WMF's computers, and anyone with it "is you" as far as the computers know and has total control over the account. This is "one-factor authentication": the password is the only thing, factor, needed to authenticate. Calling a password manager "non-WMF 2FA", while I understand where that's coming from, can mislead those not fluent with the concepts. The point of 2FA is that authenticating to the system on the other end, requires you to provide both of those two factors. Just the password by itself isn't sufficient. Hence if a malicious actor guesses or obtains the password, they still can't do anything with it without also obtaining access to that second factor. Analogy: something locked with two locks, keyed to different keys, so that both keys are required to unlock. --Slowking Man (talk) 21:57, 18 February 2025 (UTC)[reply]
  • IMO Option 1 (and maybe Option 2) should, if they gain consensus here, also require global consensus. It wouldn't make much sense for 2FA access to be automatically granted to anyone who makes a few en.wikipedia edits but restricted to advanced permission holders on every other WMF wiki. Three Sixty! (talk, edits) 15:58, 13 February 2025 (UTC)[reply]
    Basically, yup. I tried to pass an RFC on meta-wiki to enable for all there, so that you would at least have to make a trip over to a non-content project and read a centralized, translated warning - but it failed to gain consensus. The lack of support is a real problem, but once someone makes it over to metawiki 2FA access is pretty much shall-issue - we mostly only check that a requester says that they read the warning. — xaosflux Talk 16:11, 13 February 2025 (UTC)[reply]
  • A notice for this discussion has been added to Help talk:Two-factor authentication. Nickps (talk) 01:07, 7 March 2025 (UTC)[reply]

Proposal for something

Original heading: "Good Night". ―Mandruss  IMO. 06:24, 24 March 2025 (UTC)[reply]

We could put a table of acknowledgments of edits also comparing with the page, would that be good? Exxxtrasmall (talk) 05:41, 12 March 2025 (UTC)[reply]

Isn't that what the page history is for? Chaotic Enby (talk · contribs) 09:42, 12 March 2025 (UTC)[reply]
I can't. I prefer to compare non-editor articles with this parameter and not users. Exxxtrasmall (talk) 13:02, 12 March 2025 (UTC)[reply]
Sorry, Exxxtrasmall, but I can't make sense of either your original post or the reply above. Could you elaborate a bit, or say what you want to say in your native language and let the reader translate? Phil Bridger (talk) 13:40, 12 March 2025 (UTC)[reply]
Prefiro a segunda opção como falante nativo de português. Exxxtrasmall (talk) 18:45, 12 March 2025 (UTC)[reply]
I don't know much Portuguese (only a few words I have learnt from friends, mostly Brazilian), but I think that translates to "I prefer the second option as a native Portuguese speaker". Phil Bridger (talk) 19:10, 12 March 2025 (UTC)[reply]
Podia criar uma tabela atualizada por um bot "ranqueando" (ranking) as 5000 páginas do domínio principal com mais "thanks log" (agradecimentos em português). Exxxtrasmall (talk) 19:16, 12 March 2025 (UTC)[reply]
You're saying that you'd find it useful to have a way to see a compact list of distinct contributors to an article instead of combing through every one of the thousands of contributions from a few contributors in order to get their names? If you want to get a list of who's contributed to an article instead of a list of every contribution, that's not currently easy to do AFAIK.
Now I'm trying to think of what that might be used for. If I understand your message correctly, your use case is to thank everyone who contributed to an article? (Sorry, I don't speak Portuguese either; just attempting to understand based on French and Latin cognates.) -- Avocado (talk) 22:31, 12 March 2025 (UTC)[reply]
When viewing an article click history, then page statistics, which brings you to something like this that lists contributors. ScottishFinnishRadish (talk) 22:35, 12 March 2025 (UTC)[reply]
TIL -- thank you! -- Avocado (talk) 22:35, 12 March 2025 (UTC)[reply]
Tipo, uma página assim ranqueando os artigos e não os usuários. Exxxtrasmall (talk) 15:57, 13 March 2025 (UTC)[reply]
It's there for articles, too. Use "View History" -> "Page Statistics". Here's an example: https://https://xtools.wmcloud.org/articleinfo/en.wikipedia.org/Portuguese_language#top-editors . And then a link at the bottom of that table to view "3,238 others". -- Avocado (talk) 16:10, 13 March 2025 (UTC)[reply]
Mas usando como eixo/vetor cartesiano da tabela principal os artigos do domínio principal, não do domínio usuário Exxxtrasmall (talk) 16:21, 13 March 2025 (UTC)[reply]
Google Translation: "But using articles from the main domain, not the user domain, as the Cartesian axis/vector of the main table". ―Mandruss  IMO. 05:57, 24 March 2025 (UTC)[reply]
Maybe a "top contributors" section of the would be possible (omit reverted edits)? Thehistorianisaac (talk) 19:07, 22 March 2025 (UTC)[reply]
Mas não quero estatísticas de top- contribuintes e sim de top bibliografias citadas e/ou de top artigos com mais bibliografias. Calvice feminina (talk) 02:41, 23 March 2025 (UTC)[reply]
I'm sorry, I can't understand what you are saying(even with the help of google translate, because it is a bit confusing). May I ask if you could please use english instead? This is english wikipedia after all. there is portguese wikipedia in case you need it. Thehistorianisaac (talk) 05:58, 23 March 2025 (UTC)[reply]
But I don't want statistics on the top contributors, I want statistics on the top bibliographies cited and/or the top articles with the most bibliographies. Calvice feminina (talk) 20:23, 23 March 2025 (UTC)[reply]
So you want to know where the sources came from?
Simply scroll down to the references section, and you may see references that are used multiple times. Thehistorianisaac (talk) 23:43, 23 March 2025 (UTC)[reply]
In addition to what others have said, if you're looking for the most used reference within a given article you can check the number of pointers used in the references section, though that can vary based on citation style. If instead you're curious about the most times a single reference is used in any one article, at present that would be Smith's sea fishes in List of marine bony fishes of South Africa. 184.152.65.118 (talk) 20:06, 25 March 2025 (UTC)[reply]
@Calvice feminina, are you looking for Wikipedia:Articles with the most references or https://diff.wikimedia.org/2018/04/05/ten-most-cited-sources-wikipedia/ ? WhatamIdoing (talk) 03:41, 24 March 2025 (UTC)[reply]
Or the number of times citation |title= links are followed? I doubt that would be technically possible, as Wikipedia software is not involved in the processing of clicks on links. I detect a bit of a language barrier, and Google isn't helping much. ―Mandruss  IMO. 06:15, 24 March 2025 (UTC)[reply]
We actually do have the answer to that, at the whole-site level. It's doi:10.1145/3366423.3380300. The answer is about once for every 300 page views. WhatamIdoing (talk) 02:41, 30 March 2025 (UTC)[reply]

Bibliography

There could be a table of articles with more bibliographies; collecting data from ISSN, ISBN, ASIN and others for example. Exxxtrasmall (talk) 21:41, 18 March 2025 (UTC)[reply]

This could be an intriguing idea, but you will have to give a little more context and explain what you're talking about. What is meant by "more" bibliographies?, and are you referring to Bibliography sections in articles or list articles like this one? Thanks, Cremastra (talk) 23:44, 18 March 2025 (UTC)[reply]
Like this one, but per books. Exxxtrasmall (talk) 03:48, 19 March 2025 (UTC)[reply]
I know that there are articles like that in Wikipedia, but I am not convinced that they belong. I feel that they fall afoul of Wikipedia:What Wikipedia is not#Wikipedia is not a directory. Donald Albury 13:48, 19 March 2025 (UTC)[reply]
I wholly agree. I once nominated a Bibliography article for deletion, with a similar rationale, not knowing that it was actually a type of article. Needless to say, it was kept, but I'm still not convinced they're encylcopedic. Cremastra (talk) 21:06, 19 March 2025 (UTC)[reply]
I do also agree, although I believe bibliographies can be useful – just not necessarily as article themselves. It is true that we do have non-articles in the article namespace: lists, disambiguation pages, etc. However, bibliographies can be a bit more problematic as they may easily fall under WP:INDISCRIMINATE. Some other Wikipedia editions have a separate "Annex" namespace from which we might take inspiration, so these bibliographies can still be used as resources without necessarily being under the same status as mainspace. Chaotic Enby (talk · contribs) 21:15, 19 March 2025 (UTC)[reply]
That's actually a cool idea. (Maybe WP:RA should also be in Annex?) Cremastra (talk) 21:17, 19 March 2025 (UTC)[reply]
Citizendium has a Bibliography sub-page for articles that includes all sources used in the article and Further reading. Personally, I want to keep cited sources in the article, but a Bibliography sub-page would be nice for an expanded Further reading section. Donald Albury 22:48, 19 March 2025 (UTC)[reply]
I do agree with that! Chaotic Enby (talk · contribs) 00:00, 20 March 2025 (UTC)[reply]
Standalone lists are technically a kind of article, but your point still stands with disambiguation pages. jlwoodwa (talk) 23:02, 25 March 2025 (UTC)[reply]
I previously proposed to Wikimedia the creation of a new page titled "Library" to be placed alongside the talk page. This page would serve as a dedicated space for listing the essential bibliographies. Given the impracticality of including an extensive list of references in a single article. Riad Salih (talk) 21:22, 19 March 2025 (UTC)[reply]
That's a great idea, and could be an implementation of the "Annex" namespace I suggested earlier! Looking at other Wikipedia editions, Spanish Wikipedia has a very broad view of what goes in annexes, including a lot of list material which we would most likely prefer to keep in mainspace (Portuguese Wikipedia also used to have it, although it has been deprecated due to its subjectivity/vagueness in scope). On the opposite side, French Wikipedia has a Reference namespace, which only stores different editions of a single work.
I do believe that a middle ground aiming at covering bibliographies and lists of reference materials (including "Further reading" sections and {{refideas}}) could be a helpful namespace to have. Chaotic Enby (talk · contribs) 21:52, 19 March 2025 (UTC)[reply]

Hotcat for stub-sorting?

I don't know whether this is the right village pump but anyway: Hotcat is a pretty useful gadget that makes categorizing articles a lot intuitive and easier by recommending potential categories. And stub-sorting is a pretty important task too in categorizing different stubs on different subjects. So it seems weird to me that a Hotcat analogue designed to stub-sort isn't a thing. The basic principle is the same for both in that you categorize articles. Ofr how it could work, it's basically like Hotcat: Whenever this "StubCat" detects that you're on a stub page, it automatically at the end of the page but before the category list gives an option to easily add stub templates and suggest them. Seems like a pretty useful gadget to me, though I might be wrong since I'm by no means an experienced user yet. Yelps :) talk 11:51, 20 March 2025 (UTC)[reply]

What you are asking for is a gadget, they start out as user scripts. There doesn't seem to be a venue dedicated to requesting them, with Wikipedia talk:User scripts and Wikipedia:Village pump (technical) suggested in different places. Thryduulf (talk) 13:03, 20 March 2025 (UTC)[reply]
We have User:Danski454/stubsearch, which is pretty close to that! (the only difference with what you suggest being that it is at the top and not at the bottom) Chaotic Enby (talk · contribs) 13:48, 20 March 2025 (UTC)[reply]
Requests for user scripts can be made at WP:User scripts/Requests BugGhost 🦗👻 15:27, 20 March 2025 (UTC)[reply]
We also have User:SD0001/StubSorterGhostInTheMachine talk to me 23:04, 21 March 2025 (UTC)[reply]

Captions

Hi, I started a discussion about some texts I found unclear, at least for me, regarding when we don't have to add captions. Those who are interested, please share your opinion here. Regards Riad Salih (talk) 23:59, 24 March 2025 (UTC)[reply]

Consistency in coverage of Jeffrey Epstein ties

I had brought up this issue in individual discussion pages, but the argument generally ran afoul of WP:OSE, so I was advised to take the issue up to a community level. I hope this is an appropriate venue for it.

Currently, the articles for Bill Clinton, Bill Gates, Peter Mandelson, Lawrence Krauss, Nathan Myhrvold, Steven Hoffenberg and Jes Staley have detailed sections accounting their relationships with sex offender Jeffrey Epstein. The article on Donald Trump, who also had a well-documented relationship with Epstein, has no such section. This strikes me as a clear double standard. I had suggested adding an equivalent section to Trump's article, but got shot down on the grounds of it lending undue weight to the matter and assigning guilt by association to Trump.

That may be, but if that is the case, the sections in the other articles I mentioned shouldn't have such a section either. There simply is no valid reason to treat the Epstein connection as worth reporting on for all these other people, but not in Donald Trump's article. Either an equivalent section should be added, or the sections should be removed from the other articles where it's not essential.

The double standard seems especially galling due to the inclusion of Epstein info in Clinton and Gates' articles. By mentioning the matter in their pages, but omitting in in Trump's article, Wikipedia seems to be replicating Trumpian propaganda where the Epstein associations are treated as being of huge importance for Trump's political foes, but are minimized and treated as unimportant for Trump himself. I see this as an effective breach of Wikipedia's neutrality rules, and one that needs to be corrected. TKSnaevarr (talk) 23:20, 26 March 2025 (UTC)[reply]

If you want to bring it to community level, the appropriate venue is probably an RFC, I think -- the Trump article has a lot of those -- unless you're proposing something more general than just for Trump's article, which is probably unnecessary. Mrfoogles (talk) 16:07, 27 March 2025 (UTC)[reply]
Concur with Mrgoogles. WP:OCON. Wehwalt (talk) 16:26, 27 March 2025 (UTC)[reply]
My bad, then, since I'm the one who sent the OP in this direction. But I think an RfC should be here, not at the Trump article, since it will potentially impact at least three articles (Trump, Clinton, Gates). Pardon my pesky, obsessive need for organization. ―Mandruss  IMO. 17:02, 27 March 2025 (UTC)[reply]
Another possible location to discuss it is WP:NPOVN or WP:BLPN (but it should be in one location, not several.) That said, my experience is that weighing articles directly against each other rarely goes anywhere constructive - even aside from WP:OCON, there's too many individual differences, both in the articles and their subjects. A more useful discussion might be to take a step back and ask what the general threshold should be for including Epstein file stuff on BLPs, at various levels of granularity (no mention / brief sentence / paragraph / subsection / full section, hopefully based on coverage levels) Making the discussion general and limiting specific focus on individuals (although some will obviously come up as examples) is more likely to produce useful results. Then, once those guidelines have been hammered out, you can turn around, figure out which articles are out of line with them, and raise that issue on their talk pages. --Aquillion (talk) 20:19, 27 March 2025 (UTC)[reply]
Is there really anything to discuss at a general level other than "follow WP:DUE" and assess whether content at issue complies with the policy? signed, Rosguill talk 23:36, 27 March 2025 (UTC)[reply]
Yes, there is - we could establish clear guidelines on what the threshold ought to be for each. For example, a devoted section could require WP:SUSTAINED coverage (eg. over the course of several months) in high-quality sources devoted solely to the subject's connection to Epstein (as opposed to just sources that mention them in passing as one of many people connected to them), or actual legal processes that sources treat as placing them in genuine jeopardy, or dedicated high-quality sourcing outside of the news media, or something of that nature. If there's sparse coverage dedicated to the figure specifically but none of the other things, it might get a paragraph rather than a section. If no coverage is dedicated to the figure specifically, and they're just mentioned in passing in larger articles, they might get a sentence or nothing. Part of the issue is that the conspiratorial thinking surrounding Epstein and many related figures makes it hard to judge due weight objectively; it also attracts many editors who are inexperienced with our processes and who therefore may feel that the simple fact that coverage exists makes a section due. Having guidelines we can point to saying "roughly this threshold" will make it easier to either decrease excessive weight where it doesn't belong, or increase it where we need more focus. And it'll give us at least something vaguely objective to use as a yardstick - otherwise WP:DUE can become highly subjective, which is a problem when dealing with so many highly controversial political figures. If you look at the figures mentioned here - Bill Clinton, Bill Gates, Peter Mandelson, Lawrence Krauss, Nathan Myhrvold, Steven Hoffenberg, Jes Staley, Donald Trump, etc - they differ wildly in how much weight the article gives them, for reasons that are simply unclear; establishing guidelines would avoid that problem. --Aquillion (talk) 13:55, 29 March 2025 (UTC)[reply]
I suspect the question, for all the Myhrholds there may be, and however responses would be phrased, would come down to Donald Trump, as if often does, whether there should be such a section on his page. Thus, my view is having another discussion elsewhere, when the Trump talk page has extensively discussed this matter, would be WP:FORUMSHOP.--Wehwalt (talk) 14:09, 29 March 2025 (UTC)[reply]
Trump is certainly an outlier, but the point is partially to avoid getting bogged down in people's opinions on highly-divisive individuals like that, and partially to escalate to a broader consensus on how to handle Epstein-related stuff about individuals due to concerns about inconsistency - it is not forum-shopping to escalate a potential problem that affects multiple articles to seek a broader consensus, which would (obviously) override any local consensuses on the affected articles per WP:CONLOCAL, and which is therefore clearly not duplicitive. That said, depending on where we set the threshold, it could just eg. result in less coverage on other articles (or more). If the problem is that we're doing it inconsistently, though (and I think there's a fair case for it), talking about broad guidelines might make people approach it more objectively and produce more constructive discussions. (Truthfully, my honest expectation is that the main thing such a review would discover is that we're probably significantly over-emphasizing Epstein stuff on a wide range of articles - for many of the listed articles it's just really hard to justify the level we have with the sources that are present. But that's an easier argument to make if we can determine rough guidelines first.) --Aquillion (talk) 14:15, 29 March 2025 (UTC)[reply]
  • Regarding WP:OCON, it's often cited without reading it; While consistency with other pages is not a good argument by itself, comparisons between pages are often made in order to illustrate a more substantial argument; as such, comparative statements should not be dismissed out of hand unless they lack any deeper reasoning. While relying on comparisons to other articles is generally unconvincing, articles that have been through some form of quality review—such as featured articles, good articles, or articles that have achieved a WikiProject A-class rating—are often the way they are for good reasons informed by site policy. If such articles have remained current with policy since their promotion, they are often more compelling examples to illustrate arguments. Many of the articles in question have undergone feature review, and a lot of the discussion has emphasized commonalities in sourcing that are not accurately reflected in our level of coverage, so there's an obvious deeper reasoning here. This shows that, yes, there is probably an underlying problem, which is best resolved by the sort of centralized discussion I outlined above that at least attempts to avoid getting bogged down in people's opinions about individual article subjects and instead tries to determine rough guidelines that can be used to then look back at the list of articles and confirm in a more systematic way whether WP:DUE is being properly applied. --Aquillion (talk) 14:22, 29 March 2025 (UTC)[reply]
I see that our article on Prince Andrew also has such a section. Phil Bridger (talk) 22:51, 27 March 2025 (UTC)[reply]
It seems more clearly pertinent in his case, since he faced pretty substantial consequences over his Epstein accusations and was personally accused by one of Epstein's victims of complicity, which is why I didn't include his article when I wrote the OP. TKSnaevarr (talk) 22:01, 29 March 2025 (UTC)[reply]

Will an infobox have ... a collapse button?

Original heading: "Will an ibox have ... a collapse button?" ―Mandruss  IMO. 06:31, 27 March 2025 (UTC)[reply]

In some articles, the infobox visually may have disregarded the cause of squeezing text with a left image, as per MOS:SANDWICH. One explanation of the disadvantage of the longing information of ibox is pushing down the image. Removing the whole short information in an ibox is a shortcut solution but MOS:INFOBOXPURPOSE mentions the purpose of providing information, or expanding too much lead in order to push down the body's text, aligning a little bit of space below the infobox, but MOS:LEAD is meant to summarize the article's body entirely, not explaining it in a superfluous way. For example, the featured article Hydrogen has a longer infobox, pushing down to two or three subsections in a section. The previous two probably worked with the 2010 Vector preference, but what about the 2020 Vector preference?

To be short, will each infobox have a collapse button, so whenever readers don't want to read the longing page, they can easily tap on the collapse button, providing a much more short summary? I was hoping this is a proposal to change the feature of an infobox in some many Wikipedia's preferences. Hopefully this is the right place to ask. Dedhert.Jr (talk) 05:13, 27 March 2025 (UTC)[reply]

Doesn't seem unreasonable, and it would solve the headache of editing in V10 and having everything look nice and then looking at your article in V22 and being horrified. Of course, this could also be remedied by the WMF not dictatorially insisting on V22 here and on more and more other projects, but we all know that isn't going to happen.
I don't know about "will", but this is certainly a "could", maybe even a "should" – and should be relatively easy to implement, given some changes to the meta-template {{infobox}}. Cremastra talk 22:10, 27 March 2025 (UTC)[reply]
I would rather say now, that "all infobox should have a collapse button". I would rather hear more opinions from the others. Dedhert.Jr (talk) 02:53, 28 March 2025 (UTC)[reply]

RFC on immigration terminology in Wikipedia articles

RCraig09 has begun an RFC about which of the terms "illegal immigrant" or "undocumented immigrant" should be used in Wikipedia articles. Please comment at Talk:Illegal immigration to the United States#Terminology: "Illegal" immigrant vs "Undocumented" immigrant in article mainspace. Jc3s5h (talk) 11:01, 28 March 2025 (UTC)[reply]