Architecture meetings/RFC review 2014-02-05

Wednesday, February 5, 2014 at 10:00 PM UTC at .

Requests for Comment to review
Propose your own RFCs:



Summary and logs

 * DataStore -> accepted, Max is tweaking
 * REST virtual service -> accepted interface with a wrapper for DataStore; RFC needs updating from notes; Aaron has implemented most of the interface
 * Passwords
   * updating min length in DefaultSettings is pretty likely but needs a couple of tweaks per RFC to avoid locking people out
   * do we have a good rationale for forcing it, other than 'everyone else does'?
   * is a length of 6 enough? should we do some measuring & estimating of what entropy we require and determine an ideal min length?
   * http://pecl.php.net/package/crack <- should be considered for helping this research
   * we may need something separate that we can do client-side for a strength meter though (deliver a small dictionary in JS)
   * note: due to salting, we can't easily check for duplicate passwords between users
   * note: if using a client-side check with a dictionary, roll own compression. Not only does this help with dictionary style, but it can help avoid keyword blocking on "naughty words"
 * Requests_for_comment/Overthrow_Bugzilla
   * lots of discussion
   * maybe we don't need to
   * no rush?
   * talk about Phabricator at Zurich though; prep an RFC or other page for more discussion
   * test at fab.wmflabs.org
 * Config db
   * https://gerrit.wikimedia.org/r/#/c/109850/ in progress, people need to discuss approach
   * maybe consolidate the 3 potential RFCs into 1, maybe with 3 sections -- interface, backend, frontend
 * Next time:
   * HTML templating still needs focus, talk about this and narrow it down on lists
   * TitleValue -- get DanielK to poke at this next week
   * Deprecating inline styles -- brion interested in a quick check-in on this maybe, will make some notes


 * #action csteipp will research and update the RFC with an estimate for online attacks to compromise accounts to get autoconfirmed access.
   * and this'll inform how to create a password strength meter
 * #info strength meter can likely be comparing against a list of popular passwords
 * #info Tim recommends DIY compression for client side dictionary
 * #info let's talk about Phabricator vs Bugzilla in Zurich, there's some interest.
 * #action ^d put together some notes on that
 * #action ^d (& legoktm) will tidy up the RFC status for configuration: backend, frontend bits
 * #endmeeting
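
The password notes above suggest a client-side strength meter that compares against a small list of popular passwords, delivered in a home-grown compressed form. A sketch of one way to do that, added here as an example and not MediaWiki code: front coding is an assumed choice of compression, and the sample list and all function names are constructed for illustration.

```javascript
// Front coding for a sorted word list: each entry stores how many leading
// characters it shares with the previous entry, then only the new suffix.

// Constructed sample list, not a real popularity ranking.
const SAMPLE_COMMON = [
  "password", "password1", "password123", "passw0rd", "letmein",
  "qwerty", "qwerty123", "qwertyuiop", "123456", "1234567", "12345678",
];

function sharedPrefixLength(a, b) {
  // Cap at 35 so the count always fits in a single base-36 digit.
  const max = Math.min(a.length, b.length, 35);
  let n = 0;
  while (n < max && a[n] === b[n]) n++;
  return n;
}

// Server side (or build step): normalise, dedupe, sort, then front-code.
function encodeDictionary(words) {
  const sorted = [...new Set(words.map((w) => w.toLowerCase()))].sort();
  let prev = "";
  const parts = [];
  for (const word of sorted) {
    if (word.includes("\n")) throw new Error("newline not allowed in entries");
    const n = sharedPrefixLength(prev, word);
    parts.push(n.toString(36) + word.slice(n));
    prev = word;
  }
  return parts.join("\n");
}

// Client side: rebuild the word set, rejecting a damaged blob.
function decodeDictionary(blob) {
  const words = new Set();
  if (blob === "") return words;
  let prev = "";
  for (const line of blob.split("\n")) {
    const n = parseInt(line[0], 36);
    if (Number.isNaN(n) || n > prev.length) throw new Error("corrupt dictionary");
    prev = prev.slice(0, n) + line.slice(1);
    words.add(prev);
  }
  return words;
}

// Strength-meter check: case-insensitive match against the decoded list.
function isCommonPassword(candidate, dictionary) {
  return dictionary.has(candidate.toLowerCase());
}
```

The meter only gives feedback in the browser; the minimum-length rule discussed above still has to be enforced on the server.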