Extension:Graph/Plans/fr

This page is a place for Wikimedians to collect and share information and ideas, meant to inform the action Wikimedia should take to ensure that the needs the extension was created to address continue to be met.



Decisions to be made
The Questions under deliberation listed below are meant to surface and aggregate the information Wikimedia will need to make the following decisions:


 * 1) What needs must each of the paths forward proposed here address?
 * 2) What role should the Wikimedia Foundation play in ensuring these needs are met?

Proposal
To safely restore access to the information and capabilities that the disabling of the Graph extension has deprived Wikimedians of, and to promote the collaboration this requires between Wikimedia volunteers and staff, we, the Wikimedia Foundation, commit to:

Re-enable the Graph Extension in a sandboxed iFrame with a restrictive content security policy.
 * 1) Once the Graph Extension is re-enabled, it will continue to work with Vega 2 for a yet-to-be-defined period of time. Note: we'll need to define this window together.
 * 2) After that "yet-to-be-defined period of time," Vega 2 support will be discontinued and use of the Graph Extension will require volunteers to make graphs with Vega 5.
 * 3) As soon as possible, make the sandboxed Graph extension available on the beta cluster for testing. See: T346292.
 * 4) Investigate the viability of adding logging to increase our awareness of instances where people are exploiting the security vulnerabilities inherent with restoring support for Vega on our platform. See T346414.
 * 5) Publish the technical documentation needed for developers across the Movement to understand how we implemented the sandboxed CSP approach.
 * 6) Publish a clear timeline for when you all can expect all of the above to happen.
 * 7) Note: exploratory work to redeploy the Graph Extension in a sandboxed iframe has started. See T222807.
 * 8) Share regular updates about the progress we're making on the commitments named above on Phabricator and MediaWiki.
 * 9) Support volunteers with code and processes that will ease the transition from Vega 2 to Vega 5 when the time for this transition comes.

In support of the above, we'd need to depend on y'all (volunteers) to:


 * 1) Spread awareness of this proposal and the updates that will come as we start implementation, assuming this proposal moves forward.
 * 2) Manually migrate some proportion of Vega 2-based graphs to be compatible with Vega 5. See the "Vega 2 → Vega 5 transition" section below.
 * 3) Potentially, fix/port graphs that attempted to fetch live data using methods that the sandboxing approach inhibits.
 * 4) Note: the need for the above will become clear once we decide on whether we will restore the pseudo-protocols that were used to fetch data live from the action API, the REST API, WDQS etc, and the precise sandbox parameters we select (domains/ports/http methods allowed). This decision will be made in T346291.
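
A sketch of the sandboxed-iframe-plus-CSP approach described above, and of why graphs that fetch live data may need porting. This is an added example, not Wikimedia's implementation: the renderer origin, `render.js`, the function names and every policy value are assumptions, since the actual sandbox parameters are to be decided in T346291.

```javascript
// Added example. RENDERER_ORIGIN, render.js and the policy values are assumptions.
const RENDERER_ORIGIN = 'https://graph-renderer.example'; // hypothetical bundle host

// Deny by default; allow only the renderer script and an explicit data allowlist.
function buildCsp(dataOrigins = []) {
  const connect = dataOrigins.length ? dataOrigins.join(' ') : "'none'";
  return [
    "default-src 'none'",
    `script-src ${RENDERER_ORIGIN}`,
    "style-src 'unsafe-inline'",
    'img-src data:',
    `connect-src ${connect}`,
    "form-action 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// The spec travels as an inert JSON data block, so no inline script is needed.
// "<" is escaped so a string inside the spec cannot close the data block early.
function buildFrameDocument(spec, dataOrigins = []) {
  const json = JSON.stringify(spec).replace(/</g, '\\u003c');
  return '<!doctype html>' +
    `<meta http-equiv="Content-Security-Policy" content="${buildCsp(dataOrigins)}">` +
    `<script type="application/json" id="spec">${json}</script>` +
    `<script src="${RENDERER_ORIGIN}/render.js"></script>`;
}

// sandbox without allow-same-origin gives the frame an opaque origin: script runs,
// but it cannot read the embedding wiki's cookies, storage or DOM.
function buildSandboxedGraphFrame(spec, dataOrigins = []) {
  const srcdoc = buildFrameDocument(spec, dataOrigins)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
  return `<iframe sandbox="allow-scripts" srcdoc="${srcdoc}"></iframe>`;
}

// Top-level data sources the policy would refuse: the graphs that need porting.
function blockedDataUrls(spec, dataOrigins = []) {
  return (spec.data || [])
    .map((d) => d.url)
    .filter((u) => typeof u === 'string')
    .filter((u) => {
      try { return !dataOrigins.includes(new URL(u).origin); }
      catch { return true; } // relative or malformed URL: treat as blocked
    });
}
```

`blockedDataUrls` only inspects top-level `data` entries; data sources declared inside nested group marks would need a recursive walk.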

Vega 2 → Vega 5 Transition

 * Why do we think it's worthwhile to migrate from Vega 2 to Vega 5?
 * Vega 2 has been superseded by Vega 3, 4, then 5 upstream.  Upstream and third-party documentation exclusively refers to syntax in “Vega version 3.0 and later”, and it is difficult for new contributors to find documentation relevant to Vega 2.  The last upstream release (bugfix or security) of Vega 2.x was in January 2017.  Vega 5 was released in March 2019 and is still under active maintenance and development, with the latest 5.25.0 release in April 2023.
 * Volunteers have reported issues with Vega 2's accessibility, syntax, and overall functionality, per this 2023 wish.
 * Vega 5 has made improvements to the library's expression layer that harden it from a security perspective compared to Vega 2.  It is not perfect, but by introducing a parsed expression grammar it offers a more robust foundation for additional security hardening in the future if it proves necessary.
 * Maintaining multiple versions of Vega concurrently is unsustainable in the long run. The wiki community is taxed in the attempt to independently support software which is not being maintained upstream. Our efforts are best spent working in cooperation with upstream and third-party developers, and to do this we need to be working from the upstream Vega 5 code base.
 * What might be required to migrate graphs from Vega 2 to Vega 5?
 * Create a converter that would migrate Vega 2-based graphs to be compatible with Vega 5. @Jdlrobson started work on an initial approach in T335048#8794138.  The initial work needs to be restructured slightly to refocus it on being an aid to manual porting, instead of the automatic translator which was its original goal.  Note: We estimate this converter currently works for ~80% of graphs, with diminishing returns on additional engineering effort to cover more.  We do not plan on continuing to invest significant additional engineering resources here, but instead to simply repurpose the existing codebase as an aid to manual porting.
 * Volunteers would need to update  syntax on a case-by-case basis, aided by (1) the ability to run the existing Vega 2 and new Vega 5 specification side-by-side, (2) the partial Vega2-to-5 porting tool which handles 80% of the “obvious” keyword changes and other mechanical conversions, (3) the upstream Vega2 porting guide, and (4) additional documentation or tools which might be created by the wiki community.
 * Update the limited number of Scribunto templates on-wiki which generate  output in Vega 2 format to instead output Vega 5.  This requires both Lua and Vega expertise, but fixes a larger number of Vega 2 uses on wiki at once.

Research
The research that informed the for safely and securely restoring access to the information and capabilities  has left people without.