Project:Requests/RfC/Removal of inactive bureaucrats and interface admins

Proposal to remove long-term inactive bureaucrats and interface admins

 * [//www.mediawiki.org/w/index.php?title=Project:Requests/RfC/Removal_of_inactive_sysops_(2020)&action=edit Edit]


 * Related: Project:Requests/RfC/Removal of inactive sysops & Project:Requests/RfC/Removal of inactive sysops (2018)
 * Current IA/'crat statistics: https://tools.wmflabs.org/meta/stewardry/mediawikiwiki?bureaucrat=1&interface-admin=1

From the previous 2 RfCs, it seems clear that admin rights can be held indefinitely. However, neither of them mentioned about the crat and IA flag which are fairly sensitive as both (in a way) can edit the site interface and I believe that they should be subject to the admin activity review.

This is solely due to security reasons and if the user decides to come back, they can have the flag back. Minorax (talk) 10:49, 23 February 2020 (UTC)
 * 1) I propose the removal of the crat flag and IA flag if the user is inactive for more than 2 years and 1 year respectively. Affected users are listed above.
 * 2) To ensure that inactive crats and IAs will have their rights removed, I am also proposing a yearly review, probably in April?. Affected users will be notified on their talk page and emails (if possible) on April 1 and if there isn't any reply to keep the flag:
 * 3) crats: A request will be posted on meta to remove the flag a week later (April 8).
 * 4) IAs: A local request for a crat to remove the flag a week later (April 8)
 * About to log off, but just a note: Stewardry is wrong. Remember the dot's last edit given is from before interface admins were a thing - used the permissions in august. MZMcBride last edited in December 2019, not 2007, and Midom last edited in 2010 (a while ago, yes, but after 2005). The chard above isn't an accurate list of who would be affected under the proposal. --DannyS712 (talk) 10:59, 23 February 2020 (UTC)
 * Ah yes my bad for this sloppy work. However, the main point of this proposal would be the new policy on removing inactive right holders. The affected users will be re-checked again if this proposal passes. Thanks for your note :) Minorax (talk) 11:13, 23 February 2020 (UTC)

Does inactive mean "doesn't edit in general" or "doesn't have recent entries making use of their rights?" I ask because this wiki is fairly low-traffic in terms of rights requests, such that 1-3 crats largely handle every request for permissions. Just because I (or another crat) mostly handle that area doesn't necessarily mean the other crats are inactive. That being said, I am largely in support of a policy to remove rights from inactive accounts so long as we can get a good enough qualification of what activity means in the somewhat unique context of mediawiki.org. I know in the recent RfC about removing inactive sysops, it was brought up by that some users are still very active on IRC, phabricator, gerrit, etc. I personally think that measuring off-wiki activity is not useful for whether or not on-wiki rights should be kept, because those users can still do everything they need to do on IRC, phabricator, gerrit, etc. without needing elevated privileges on-wiki. Should they wish to retain such privileges however, we need a process to alert the users in question on their talk pages so they can affirmatively say they'd like to hold onto it (if we define "activity" as "any edits" this would also flag them as active again). If they lose it and need it back in the future, I feel it would be pretty uncontroversial to re-grant such permissions. -- Skiz zerz  20:31, 24 February 2020 (UTC)
 * I'd generally prefer going with total inactivity, no edits, no actions. To add on with removing inactive sysops, I'll also support in removing the inactive sysops (we have too many (212) here). Perhaps maybe have the same criteria as proposed above for crats (2 years)? Minorax (talk) 09:10, 25 February 2020 (UTC)
 * Note, User:Amusso (WMF) more commonly edits as User:Hashar. Both User:Emufarmers and User:MZMcBride are still around (I see them on irc a lot) even if they don't have all that many actions here. I support them keeping their rights. Leaning to remove for the others, unless they write a comment saying they want to keep the rights. Also, have all these users in question been notified of this request? Bawolff (talk) 05:15, 27 February 2020 (UTC)
 * This is a proposal on the policy so there isn't a need to notify those mentioned above as their rights won't be immediately removed if this RFC passes. Minorax (talk) 05:24, 27 February 2020 (UTC)
 * that's pretty unclear given its on the request for adminship page. Regardless, i still think policy proposals that disproportionately affect certain users should notify those users. Bawolff (talk) 09:38, 27 February 2020 (UTC)

+1 throw these bums out. —Emufarmers(T 05:30, 27 February 2020 (UTC)

I'm boggling at the table a bit. It has inaccurate data, but at least it's noted(???). And someone has already pointed out the plainly wrong last edit for my account, and someone else just shrugged it off. And it's a table of 11 users, not hundreds... baffling. I looked at Project:Requests just now and there's a single request that appears to have been declined. I believe local bureaucrats are no longer doing user renames, so I'm curious if there's some work I should be doing that's getting missed? --MZMcBride (talk) 02:11, 28 February 2020 (UTC)
 * I've notified all except Emufarmers & MZMcBride since they know the RfC exists and already replied here. As for the staff account, I decided to not notify them. Minorax (talk) 04:08, 29 February 2020 (UTC)
 * can you work on getting a more accurate table? While this request is aimed at setting a general activity policy in general, having an accurate representation of who it would impact would be nice to avoid confusion and angst. there's nothing you're missing, demand for local crats is incredibly low here. We may get like 2-3 new requests for permissions a month, and that's about it.
 * The reason I'm in support of a general policy (i.e. a set of criteria that will be applied going forwards, not just narrowly scoped to the users in some table generated via questionable means) is that it reduces the wiki's attack surface in the event of a compromised account. Ideally, all crats and interface admins will have 2FA enabled, but not all sysops will. I know this particular RfC is scoped for just crats and interface admins, but it is something I'd like to extend to all privileged access (whether now or in the future). However, given the low amount of work here that privileged access is actually needed for (at least on the crat side), I also want the criteria for being "active" to not rely on requiring the use of such rights. It would not be fair to MZMcBride (for example) if they were to lose crat simply because someone else jumped in faster to handle those 2-3 permissions requests a month. In the same vein, I'd be fine with waiving any activity requirements for accounts with 2FA enabled, because the barrier to compromising such accounts is significantly higher. -- Skiz zerz  17:52, 29 February 2020 (UTC)
 * I'll do it later and will only include the last edit for the user, probably taking 1 year as a bench mark and we'll see how this goes. Minorax (talk) 01:44, 1 March 2020 (UTC)
 * Updated to include all sysops that did not edit in the past 2 years. Minorax (talk) 03:19, 1 March 2020 (UTC)

AAR
Let's see if we can get momentum on this again. I've been looking at the past (unsuccessful) attempts to impose activity requirements, and the AAR was brought up in that. Since that mechanism already exists (and we need stewards to handle removal of the rights anyway), I think opting our wiki into that would be a good idea. The requirements in AAR are pretty lax, you don't get deflagged unless you have no edits or log actions in the past 2 years, and you get a notice before any deflagging happens. If you do get your access removed but do end up needing them, it would likely not be a difficult task to succeed in a rights request to get them back. Going to start a straw poll below to gauge the community's level of support on opting us into AAR. As the review is conducted by the stewards at regular intervals, the table above won't be used as any sort of basis to determine who would potentially lose flags. -- Skiz zerz  19:58, 4 July 2020 (UTC)
 * I support having AAR for this wiki. -- Skiz zerz  19:58, 4 July 2020 (UTC)
 * using AAR --DannyS712 (talk) 20:10, 4 July 2020 (UTC)
 * as suggested previously. &mdash;MarcoAurelio (talk) 09:20, 5 July 2020 (UTC)
 * --Minorax (talk) 15:49, 5 July 2020 (UTC)
 * . We can easily re-grant rights if they are needed. – Majavah talk &middot; edits 08:39, 6 July 2020 (UTC)
 * -- 94rain  Talk  10:28, 6 July 2020 (UTC)
 * I understand the security benefits and on that basis I'm generally in favor, but I think "activity" should measure actions in more MediaWiki technical spaces, specifically Gerrit and Phabricator. I also think those who are active using other accounts (e.g. had sysop on volunteer account, now primarily edits using a (WMF) one) shouldn't lose their rights on the basis that the person behind it is still active. Even with those two additional requirements, I expect we'd still be removing a significant amount of the above table for people who are actually inactive. Legoktm (talk) 23:08, 7 July 2020 (UTC)
 * I mostly disagree on expanding the activity scope, because having or lacking advanced permissions on mediawiki.org has no bearing on what you are or are not able to do on other technical spaces such as Phabricator or Gerrit. If you have literally never edited mediawiki.org for 2 years, you clearly are not using your advanced permissions here, so in my opinion I see very little reason why they need to be kept. If at a future point you do start contributing to the wiki itself again and find yourself in need of advanced permissions, it should be a pretty trivial matter to get them back. I for one am inclined to very quickly approve requests to get back any access lost due to AAR/inactivity. -- Skiz zerz  00:31, 8 July 2020 (UTC)
 * And as long as they're active in general and haven't disabled all notifications, they'll probably get the email/notification about a talkpage edit if they're notified there regardless of whether or not they're actually editing normally here, and can just pop by and reply 'nope I'm still here' and not have their rights removed regardless, right? And if they do have all notifications off/aren't checking them at all, well... there really probably wasn't much point in them keeping the rights, and they can request them back later if they change their mind... -— Isarra ༆ 16:09, 8 July 2020 (UTC)
 * Being an administrator is more than just the technical rights it grants though. It's about being part of a community, a trusted member that is often looked up to and respected by others. While it may be good opsec to only have the rights you need, I don't think that's good community building. If we had a rash of admin account compromises (I believe mine was the last one : or confusion in where users are going to inactive admins for help, I'd be more inclined to support this, but I don't think we have either of those problems in a significant way. While yes, it should be straightforward to get rights back, I've also seen people, including multiple members of this community, express unhappiness about not having rights they should've had, whether it was by accident or intentional. Then we also have what's happening on the English Wikipedia lately, in which when administrators come back and ask for their rights again, they get interrogated by everyone to ascertain whether they "actually need" the rights or "are you sure it's really them?". I don't think this will happen here, but I don't think it's as easy as "it should be a pretty trivial matter to get them back". Legoktm (talk) 11:40, 9 July 2020 (UTC)