Jump to content

Wikipedia talk:High-risk templates/Archive 1

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia
Archive 1

Protection

First, this sounds like an excellent idea. And second, this page could easily be read as a vandal's guide to DOS'ing Wikipedia. Hence, I've preemptively protected all templates with over 5000 uses, and all metas with over 100 uses. Note that at least half of those were protected already, generally for precisely the reason that they were heavily in use. I do believe that any relevant changes to those templates can be discussed on the talk pages for the time being, as they should be. Radiant_>|< 00:16, 19 December 2005 (UTC)

Agreed that these should be protected. When do we start voting? — Omegatron 02:41, 19 December 2005 (UTC)
Umm. What? Why on Earth would we need to vote? Eurgh.
I'd say that this is so eminently sensible that we can consider it essentially policy already; certainly, if consensus discussion here remains in favour of such protection...
James F. (talk) 07:43, 19 December 2005 (UTC)

I agree that this is a good idea. Just need to make sure that this list gets updated periodically, since the list of templates that could be considered "high risk" will change over time. Triona 08:45, 19 December 2005 (UTC)

I strongly oppose protection. This implies that the community is not trustworthy. --Ixfd64 20:01, 19 December 2005 (UTC)

Can someone unprotect Template:Album? It's edited frequently by participants of WP:ALBUMS. —Slicing (talk) 16:33, 20 December 2005 (UTC)

There needs to be some easy way of getting some of these temporarily unprotected. For instance, there is currently a big hubub about 'meta-templates' and the need to rewrite them... which in many cases can't actually be done by most users because they are protected. Maybe some process where a replacement template can be drawn up and copied in by an admin. --CBD 17:01, 20 December 2005 (UTC)
  • 1.Discuss on the talk page, 2.Ask your friendly neighborhood admin, or 3.WP:RPP. The whole point is that these templates are heavily in use and shouldn't be edited frivolously, so (1) should be best. Radiant_>|< 23:19, 21 December 2005 (UTC)

---

Which has been proven by precedent.

{{albumcover}} [1] has never been vandalized, and the template's ubiquity means any such effort would be reverted in a New York nanosecond. None of its siblings ({{dvdcover}}, {{bookcover}} &c.) are protected, and, again, none have ever been vandalized. Could you explain how this overprotection squares with Wikipedia:Assume good faith or the message inscribed in large friendly letters on Wikipedia's cover: "the free encyclopedia that anyone can edit"?

chocolateboy 00:21, 31 December 2005 (UTC)

Visibility

The definition of whether a template is high-risk or not should include not only how often it's used but also its visibility. A template used on articles (like {{ref}} or {{note}}) is much more visible than one used mostly on image description pages. --cesarb 00:36, 19 December 2005 (UTC)

True, because visibility determines how quickly the touched pages will be regenerated, and thus how large/immediate the impact of an edit will be on the hardware. --bainer (talk) 21:34, 19 December 2005 (UTC)

It's a hitlist

I find this page fascinating more because it is a convenient hitlist of meta-templates which should be discontinued AND templates that should be subst'd. -- Netoholic @ 02:36, 19 December 2005 (UTC)

OH NOES!!!1! ;-)
Will you just be removing meta-templates as fast as you get to them, or is there some particular date on which everything remaining will get killed with a stick? —Kirill Lokshin 14:20, 19 December 2005 (UTC)
You obviously don't understand the purpose of templates if you're suggesting these all should be subst'd. —Locke Cole 13:02, 23 December 2005 (UTC)

Semi-protection?

I know the policy for semi-protection indicates it should only be used temporarily, but given that all of these templates are suddenly getting protected (meaning a majority of users won't be able to modify them without an admins help, which is utterly un-Wiki), I think semi-protection is a much better permanent solution than full protection. —Locke Cole 13:02, 23 December 2005 (UTC)

How about turning on semi-protection for the entire Template: namespace? :D -- Netoholic @ 09:06, 25 December 2005 (UTC)
That'd work. :P —Locke Cole 09:12, 25 December 2005 (UTC)
As unlikely as it sounds, I agree with Netoholic on this. I would support semi-protection for all templates and full protection for all meta-templates. — FREAK OF NURxTURE (TALK) 09:17, Dec. 25, 2005
I strongly agree with Netoholic on this. Nice idea. Matt Yeager 05:17, 30 December 2005 (UTC)
Strongly Agree with Netaholic --Redlock 17:13, 16 December 2006 (UTC)

Meta-template list is misleading

Meta-templates don't need any kind of protection unless the templates that use them are used in a significant number of articles. More importantly, this list seems to have a lot of false positives because it counts "see also" links in the same way as inclusions. -- Beland 08:22, 25 December 2005 (UTC)

request to protect

I hereby recommend protecting or at least semi-protecting template:S-bef and template:S-aft. 14'000+ articles depend on them. They make a fine vandal vector. Ligulem 12:44, 26 December 2005 (UTC)

Done.--Patrick 14:06, 26 December 2005 (UTC)
Thanks! Ligulem 21:02, 26 December 2005 (UTC)
I added them to Wikipedia:Protected page (diff). Ligulem 21:07, 26 December 2005 (UTC)

template:book reference is protected but template:wikilink (used in book reference) is not. Ligulem 10:34, 31 December 2005 (UTC)

suggested merge

Radiant! proposes in this edit to merge this project page with Wikipedia:Protection policy or Wikipedia:Templates. I would agree to merge this into Wikipedia:Protection policy if that long statistic were not here. Is this statistic really needed? If yes, can it be kept up to date anyway? I fear no, so it would possible be better to remove that list anyway, which would then make the merge into Wikipedia:Protection policy fit nicely. Ligulem

It's a bit useless without the statistics, though—how will we know what needs to be protected? —Kirill Lokshin 18:17, 30 December 2005 (UTC)
Using the "What links here" I propose? "What links here" lists all articles that depend directly or indirectly on a template — as I understand it. Click on 500. If there are more than 500 articles directly or indirectly depending on a template, then that would probably make that template a good candidate for a protect. Ligulem 19:14, 30 December 2005 (UTC)
But that would require using Special:Allpages over the template namespace, wouldn't it? The problem isn't in determining whether a given template is highly used, but in finding all such templates by hand. —Kirill Lokshin 19:29, 30 December 2005 (UTC)
Mmm. I have nothing against that statistic. Just thought that adding that long thing into Wikipedia:Protection policy might be a bit a misfit. You are right that finding the high-used templates is not that simple and as such this table adds value. But interestingly the lemma of that section says "This is also before {{if}} et al really took off, so they are under-represented in this count" :-). So that statistic actually already is out of date, because qif is the most used now (32'000+ articles at my last count on What Links Here). What about moving only that statistic out to a separate page and put the rest into Wikipedia:Protection policy? Ligulem 20:52, 30 December 2005 (UTC)
That would work; maybe a separate Wikipedia:List of templates by usage? —Kirill Lokshin 21:02, 30 December 2005 (UTC)
Question: where should we put requests to protect an unprotected high-use template? (See also [2]). Ligulem 10:36, 31 December 2005 (UTC)
  • I have done that and it was largely ignored for days. I then got more and more explicit but nowbody took notice. Then I thought I removed that vandal invitation ("hello come here this template is a vandal vector"). I had done this after having contacted an admin by wiki-email to protect a template. He asked me to use WP:RPP in the future. Which I then did. This whole protection stuff just fits badly with the normal wiki going and people do not understand it. I have still such a template which is not protected on which I simply gave up. Ligulem 21:47, 4 January 2006 (UTC)
Not ATM. Thanks! Can I send you a wiki-mail next time or should I post here? Ligulem 23:26, 4 January 2006 (UTC)

When I added the proposal, I specifically left out any test or rule to determine which templates are high-risk and ought to be protected. I included the statistics to possibly illustrate which templates might be risky. If people think that a one-by-one approach is best, then this page can be merged into WP:PP, no problems. But if having lists like these might be useful, then a separate page might also be useful. This would be to define "high-risk", in the same way that there is a separate page to define "vandalism". Also, the statistics can be updated by anyone with query access, or anyone with a more recent dump on a local wiki. --bainer (talk) 08:59, 14 January 2006 (UTC)

I think we shouldn't merge this to any other project page for now. Wikipedia:Protection policy is a policy and this project page here is now a guideline, which is a good thing. Guidelines should not be merged into a policy. Wikipedia:Templates redirecs to Wikipedia:Template messages which fits badly either to receive this here. So leave it where it is. --Ligulem 10:32, 14 January 2006 (UTC)

Faulty Basis?

According to Brion Vibber the primary stated rationale for this guideline is inherently false... these widely used templates do not place Wikipedia in 'signifcant risk' of heavy server load or 'denial of service' attacks. As such, I'd suggest that this page should be mothballed and many of these templates unprotected. Some could still be protected due to 'visibility' concerns, but the supposed dangers to the servers apparently do not exist.

For those who dispute Brion's claims... I say let's test it. Take the top ten templates (or whatever) on the list, edit them, and then revert them right back. If the statements on this page are true that should cause a massive surge in server load which will make Wikipedia unusable for some period of time. If the lead developer is correct then nothing significant will happen. This would be along the same lines as the 'breaching experiments' with deliberate vandalism to test how quickly it would be reverted. Any potential risks could be mitigated by performing the test during a lower usage time of day (e.g. 5am EST on Sunday) and/or having a developer standing by. I've seen a few of these 'high risk' templates edited without any noticable effect, so I feel confident that Brion is correct... but let's settle the matter once and for all. Find out whether this is a serious issue or not. If there is an issue then I'm all for protecting the servers. However, if there really isn't then I'm for removing unneccessary restrictions. --CBD 19:31, 3 February 2006 (UTC)

I don't think anyone needs to test anything. I think we should set a fairly high threshold for protection and see how it goes from there. Something on the order of 5000 usages would work for me, since that is fairly easy to check with Whatlinkshere, since that's the maximum you can see on one page. -- Netoholic @ 20:22, 3 February 2006 (UTC)
Please refrain from doing tests. We just get some more bad reputation. Last time when snow blanked good'ole {{if}} he complained that the database was locked briefly (but who said he should change it?). At least please keep the conditionals and booleans protected until we have them replaced by MediaWiki functions (and yes Neto, I know you hate them). --Ligulem 20:31, 3 February 2006 (UTC)
Hrrrmmm... if we don't test it then this is all just so much smoke and mirrors. Protect at 5,000 transclusions thresh-hold? Why not 50? Or 500,000? It is a totally arbitrary limit. If the servers can take edits to pages which are transcluded into 4,999 others then I have to think that this is pretty much a non-issue even for the few templates larger than that. As to 'if' having 'locked the database'... how long is 'briefly'? Five seconds? I could live with that. Could a brief lag not have been something else entirely? I get them all the time. People keep arguing about this issue... there are edit wars on numerous pages... nasty comments... hurt feelings... and it is all phantoms. Let's get some facts on which to make reasoned decisions. --CBD 20:46, 3 February 2006 (UTC)
Such tests are usually not done on a live system. If you want to do that, do your tests on a test system and measure there. And we are definitely not the ones that should do such tests. If at all the devs can do that. I think the devs have bigger problems than our ridiculous AUM fight. Brion already said that we should not care about server load caused by templates. If we start testing Brions statements he will probably apply technical mesaures to stop us. --Ligulem 20:59, 3 February 2006 (UTC)
Fun mode: This reminds me of a somewhat tragic story in a local bar in my area (I hope I get this right, sorry for my bad English): An official fire inspector visited said bar and complained about the fire safety of the decoration. The bar owner said that there isn't any problem and took out his lighter to demonstrate it. The bar burned to ashes. Q.E.D. (This is a true story). --Ligulem 21:15, 3 February 2006 (UTC)
As Brion said - forget about server load concerns. He wants to own that issue, all we should do is report problems. Let's focus WP:HRT by balancing the impact of vandalism vs. the frequency that the template actually needs to be changed. Taking a look at the list on Wikipedia:List of templates by usage (which is out-of-date), the "5000" threshold seems a reasonable first cut. It represents only a couple dozen templates which don't need frequent updates. We can add and remove on a case-by-case basis after discussing. -- Netoholic @ 21:12, 3 February 2006 (UTC)
I'm shure I'm shooting myself in my book ref foot: but I agree with Neto on this. --Ligulem 21:28, 3 February 2006 (UTC)
  • CBD - IIRC the "brief database lock" was related to us by a dev. At any rate, the issue isn't really server load; the main issue is that (1) if something weird happens to a template, the average editor doesn't know how to fix it; (2) if frequently-used templates are frequently changed, that's bad for consistency (and yes, this does happen); and (3) just because we haven't had a "template vandal" yet... so some kind of preemptive protection is useful. 5000 is arbitrary but sounds reasonable. >Radiant< 01:02, 4 February 2006 (UTC)
    • The 'non server load' issues you mention are reasonable concerns for some of the extremely widely transcluded templates, but note that the project page currently focuses primarily on 'server load'. Since those concerns have been downgraded (Brion says they will be handled on the developer side when/if they become significant) we should probably update the stated reasons for permanently protecting some templates. --CBD 01:30, 4 February 2006 (UTC)

I'm not that confident that we even need this page anymore, in light of Brion's assertions. If we go with a "5000" threshold, let's just add a paragraph to the main protection policy explaining the rationale. -- Netoholic @ 01:46, 4 February 2006 (UTC)

Looks like an apparently accidental edit to this template causes the most recent outage. I've preemptively protected it as a high-risk template. --cesarb 22:44, 5 March 2006 (UTC)

More detail: if I understood the conversations on #wikipedia-tech correctly, the cause was that changing the template to remove the image caused the problem while updating the file links for the image. --cesarb 23:14, 5 March 2006 (UTC)

question

Are there any frequently-used templates that aren't protected? Which ones are they? --128.192.246.198 21:15, 25 April 2006 (UTC)

See WP:BEANS. Abeg92contribs 16:12, 10 February 2007 (UTC)

Definition

These guidelines basically say when and where to use this. But what exactly is a High-risk template? Is it one that is frequently vandalised? Simply south 20:57, 10 August 2006 (UTC)

None of the templates were ever 'frequently vandalized'. For a long time vandals just didn't understand templates at all and left them alone. When a few finally caught on and edited some heavily used templates to get their vandalism displayed on thousands of pages this guideline was implemented to deal with it. Thus 'high risk' templates are really just 'high use' templates and those which are displayed in prominent places (like the main page). --CBD 12:02, 20 August 2006 (UTC)
When I drafted this I purposely left the definiton unwritten, although I did gather some statistics about high-use templates (available here, although they are wildly out of date). In practice, it has come to apply mainly to high volume templates and high visibility templates, as CBD said, although protection could be applied for any stable template where the community thinks it appropriate.
On a related note, the situation with respect to the way MediaWiki deals with templates has changed since this was first proposed, so perhaps an update to reflect that would be in order. --bainer (talk) 14:07, 20 August 2006 (UTC)

Proposal to keep new user messages semi-protected only

While I support semi-protection of any and all templates, I would like to propose that the new warnings at Wikipedia:Template messages/User talk namespace not become permanently fully protected. I do not agree with the current full protection of {{test}}, etc., and here’s why:

  1. Unlike article templates such as {{unreferenced}}, which are transcluded, user page warnings are substituted; see WP:SUB#Templates that should be substituted. Because of this, the potential for instantaneous large scale vandalism is quite low. The HRT guidelines here refer only to transcluded templates.
  2. These templates are on the watch list of almost all of the active members of WikiProject User Warnings, as well as many other editors and admins. We can handle the rare non-IP vandalism.
  3. There are many valuable editors such as Khukri who do not yet have the mop, but are nonetheless doing great work with these new templates. This should not be barred at some point by a preemptive full protection.

I know there has been some disagreement on this (see the protection log for Template:Test), so it would be helpful to reach consensus here before the new templates “officially” roll out. -- Satori Son 02:59, 24 January 2007 (UTC)

The trouble is people often subst: them into place quickly and move on without reading everything they left. Thus, you could end up with subtle vandalism injected into dozens or hundreds or more userpages and require individual action on each page to fix. Night Gyr (talk/Oy) 03:32, 24 January 2007 (UTC)
  • I would prefer to see these templates semi-protected, it was the fact that they were fully protected in the first place that got me interested in harmonising them, when I had to hunt for an admin to do some minor mods. In the same way that we wouldn't fully protect the George Bush article I think the same should apply to the templates. I and many others as was mentioned above would still like to have access to these templates in the future, and it would be a shame after months of work to have them locked away from us. It's going to be some weeks until the majority are happy with the wording and the tweaking edits stop, and it would be certainly premature to fully protect them now. I have all the templates in my watchlist as do other editors on the project and can keep an eye on them. In some part I also feel the onus is on the issuing editor to read what he has left and report or correct any problems. We are seeing this at the moment with the minor syntax bugs that are being reported, that they are looking at what is being issued, and leaving message in the project page. BradBeattie has offered to semi protect the templates in the short term, and I would like to see this continue to the long term, whilst we keep an eye and see what level of vandalism these templates attract. Lets not block all because one or two are targetted. Khukri (talk . contribs) 09:11, 24 January 2007 (UTC)
  • Sprotect at first, until we get all the bugs and typos worked out (I found one a few days ago). Eventually, after the templates stabilize and become more widely used, I think full protection makes sense. We can always use the template usage notes to point people to the correct place to suggest changes. Dave6 20:33, 31 January 2007 (UTC)
  • Do something - I just told a user they'd be shot if they continued to vandalize. Not that that would be a bad thing... I requested semiprotect on uw-vandalism4, but they should all have SOME level of protection... and soon! Mdwyer 20:05, 2 February 2007 (UTC)
And that, friends, is why you write your own templates. Remember, don't rely on wikis for accuracy! – Qxz 17:47, 21 March 2007 (UTC)

Reworked 2007-10-31

The guideline seemed to be a little out of date. Practice about protecting templates has become well-established, so it seems reasonable to describe which templates are protected in practice: highly used one and highly-visible ones.

The rationale had issues with WP:BEANS. The point of the examples, I think, was that the vandalism was reverted very quickly. The exact nature of the vandalism isn't needed here and just encourages people to repeat it. The risk of a DOS attack is mostly an inconvenience. The devs could turn off the job queue if they wanted, and the site would just keep on running, with null edits needed to update pages. — Carl (CBM · talk) 13:33, 31 October 2007 (UTC)

As you can see from the first version of this page things were alot different when it was first written. Problems back then were things like meta-templates, which were starting to get really popular, and templates like {{if}}, which essentially mimicked functionality we now have via ParserFunctions. So yes, it's a good idea to update it :) --bainer (talk) 15:35, 31 October 2007 (UTC)

Blanket protection of large number of templates

User:East718 has blanket protected a great number of templates, e.g. Template:Country data Frøya, that obviously do not fall within the criteria set forth in the protection guidelines. I am strongly critical of this sort of low-threshold pre-emptive protection, and it also appears to me that this is against current guidelines. __meco (talk) 17:23, 12 December 2007 (UTC)

High-risk templates and biographies of living people

I've just added a section I felt necessary to be added... High-risk templates and biographies of living people. Please feel free to copy edit or comment. -- FayssalF - Wiki me up® 06:24, 4 June 2008 (UTC)

Hi FassaylF, I made a minor change in a couple of spots for what I felt was better grammar and tone: you had the construction "administrators would usually change...", and I made it "administrators may change..." (emphasis here only) - it seemed to me, as this is a guideline, that "may" would be the better expression to use. Best, umrguy42 18:10, 5 June 2008 (UTC)
Thanks Umrguy42. Much appreciated. -- FayssalF - Wiki me up® 09:42, 4 July 2008 (UTC)

Semiprotection vs full protection

After reading through this page it is still not clear why high risk templates should be protected instead of semiprotected. The server load rationale is described as an "inconvenience" and there are posts on this page (#Faulty Basis?) that contract this rationale completely. The vandalism rationale should not be an issue for established users and semiprotection should take care of concerns regarding unregistered vandals. The permanent protection policy only mentions heavily transcluded templates and the section regarding the protection policy in response to vandalism specifically notes it should not be a preemptive reason for full protection. I agree that heavily transcluded templates might require a higher level of protection but other "high risk" templates should not be automatically protected unless there is an established history of vandalism. It is contradictory to existing policy and protecting pages without good reason is against wiki principals and the assume good faith guideline. In addition, it makes editing and improving protected templates burdensome and frustrating. I think this convention should be reviewed and at the very least the rationale needs to be much stronger.  ~ PaulT+/C 06:08, 15 December 2008 (UTC)

There have been several notable cases of autoconfirmed vandals adding penises to templates, or using CSS vandalism, and there are some templates which would be a valued prize for them, which, due to our knowledge of how they think and the damage they could do should be fully protected. Imagine a penis on 10,000 widely viewed pages and only a handful of individuals who know how to remove it. This type of vandalism has caused a lot of problems in the past, so such protection is not necessarily pre-emptive. We know there are vandals who target any template with over a certain number of transclusions, or who target the most heavily viewed pages. I agree that most templates should not exceed semi-protection, but there are quite a few which should. -- zzuuzz (talk) 15:26, 15 December 2008 (UTC)
What are the consequences for vandalism to a semi-protected page? Is it any more or less severe than vandalism to a semi-protected template? ~ PaulT+/C 07:46, 16 December 2008 (UTC)
Template vandalism usually signifies knowledge and intent, as well as block evasion and sockpuppetry in most cases, and almost always results in an immediate block. Such vandals would be treated no differently if they were vandalising articles. -- zzuuzz (talk) 11:13, 16 December 2008 (UTC)
Re Paul: vandalism is only one of the two reasons (but it is worse than you may think - there are a couple people who make it a hobby to find ways to vandalize templates). The other reason is the job queue. Highly used templates need to be edited differently than regular templates. Instead of a sequence of small edits, changes to a highly used template should be compressed into a single edit, to keep from inflating the job queue. A long job queue doesn't slow down the site but it does slow down other editors who have to wait longer for changes to other templates to become visible. Most editors are not familiar with these things, and they don't need to be, because the templates that are used often enough for this to be an issue are protected. — Carl (CBM · talk) 14:17, 16 December 2008 (UTC)
Re Vandalism: Shouldn't vandalism by autoconfirmed users to semiprotected pages be treated more severely than normal? Also, shouldn't template vandalism be treated more severely than article vandalism since the changes are propagated to multiple pages? And, the combination of these two, shouldn't template vandalism by autoconfirmed users to semiprotected templates be considered most egregious of all? Isn't there a more severe punishment that could be used in these cases?
Re The job queue: I appreciate that concern and I generally try to compress my changes into as few edits as possible regardless of the page I'm editing. However, full protection can actually make it harder to apply major changes to templates in one edit since the admin making the change will want to easily understand what the changes are. Often making more than one change at a time will be harder to explain and make it less likely for the changes to be made. The job queue issue really is only an inconvenience and if the issue is documented properly I don't see why it couldn't be an additional guideline (with severe penalties for misuse) instead of assuming that editors can't be trusted to make appropriate changes to highly used templates. ~ PaulT+/C 15:41, 16 December 2008 (UTC)

I'd like to bring this topic up again as there was never any solid response around why high risk templates are automatically fully protected rather than put under semiprotection first. There are many editors that do not have admin rights and I have not read a good argument for why we should be prevented from editing these templates. ~ PaulT+/C 00:43, 11 September 2009 (UTC)

Well, it's simple: Take a template like the {{ambox}}. At the time I write this it is transcluded on 720,000 articles. Since it is so widely used many editors are aware of it and constantly ask us to add features to it, change the images it uses, change the colours it uses and so on. If it were just semi-protected then it would be constantly edited by those well meaning users. But as we see from the requests and code suggestions people add to the talk page, then most of the edits would be contrary to consensus, most of those edits would bloat it with unneeded functions, and many of those edits would break it. That means the template would most of the time be more or less broken, or ugly. And that would be visible on 720,000 articles... And that's just what the well meaning editors would cause.
And that is not just assumptions based on the suggestions on the talk pages of such templates, we have seen it happen when we have had high-risk templates just semi-protected.
Also, our template vandals would edit that template, so it would every now and then display a penis-image on those 720,000 articles.
We already spend a lot of time cleaning up after well meaning edits by clumsy admins and explaining to them to first test in the /sandbox and then discuss on the talk page before they edit high-use templates.
And regarding making one change at a time and explaining the changes: Well, for testing and demonstration we use the unprotected /sandbox and /testcases of the template. For more permanent demonstration we often add /test1 and /test2 subpages to the template. And for explaining and discussing changes we use the talk page. Then when we have consensus and have tested the code we add it to the template. All those subpages and the talk page are unprotected and can be edited by any user. So the coding and testing of high-risk templates can be and often is done by non-admins. Just the deploying of the finished code is done by an admin.
But I agree that templates that are only semi-widely used should just be semi-protected. After all, we admins can't take care of everything so we need regular editors to manage most of the templates. So I for one have often just semi-protected templates, already back when other admins said templates should only be unprotected or fully protected.
--David Göthberg (talk) 10:33, 31 December 2009 (UTC)

Superfluous section

IMHO the whole High-risk templates and biographies of living people section is superfluous, and could be substituted by a simple "If a template relates to a biography of a living person that would strengthen any arguments in favor of (preemtive) protection of said template". Or something like that. That sentence should just be added to the previous section, and does not warrant a section or even subsection of its own. Debresser (talk) 20:19, 9 September 2009 (UTC)

I agree, that section is far to large. It could be condensed down to 2-3 sentences and as you say then added to the section above it. Although there are some useful stuff at the top and bottom of that section that is not specific to BLP templates, and could be reused somewhere else.
--David Göthberg (talk) 10:40, 31 December 2009 (UTC)
checkY Done - And I moved some of the links down to the "See also" section.
--David Göthberg (talk) 05:18, 13 February 2010 (UTC)

Documentation and padlock

I intend to add something like this to this guideline:

Documentation and padlock
Both semi and fully protected templates should always have the {{documentation}} template. That template loads the unprotected /doc page, so that non-admins and IP-users can edit the documentation, add categories and add interwiki links.
After a template has been protected {{pp-template}} should be added to it, so it displays a padlock and gets categorised as protected. Admins usually add {{pp-template}} at the bottom of the template page itself, in the <noinclude> area. If the {{pp-template}} is missing then non-admins can add it to the bottom of the /doc page of the template, in the <includeonly> area.
Thus, the bottom of a protected template should usually look like this:
<!--Last line of your template code--><noinclude>

{{pp-template}}
{{documentation}}
<!-- Add categories and interwikis to the /doc subpage, not here! -->
</noinclude>

The above text is just documenting and explaining a long standing praxis. One of the reasons I want to add that text to this guideline is so we can link to it from Wikipedia:Protection policy#Templates, thus keeping the "Templates" section short in the policy page. See also the discussion at Wikipedia talk:Protection policy#Template protection.

--David Göthberg (talk) 11:01, 31 December 2009 (UTC)

We have now updated the {{documentation}} template so it automatically adds {{pp-template}} on protected and semi-protected templates. So I added a simpler version of the above text.
--David Göthberg (talk) 04:07, 13 February 2010 (UTC)

Protection of signpost

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.


Resolved

Background: One of the things Wikipedians do here is have a signpost - a weekly "newsletter" which can either be "distributed" to one's user talk page, or transcluded in a userspace page to always show just the current one. The signpost is implemented using headline pages for the specific editions (such as Wikipedia:Wikipedia Signpost/2010-04-19), and its articles are the subpages (such as Wikipedia:Wikipedia Signpost/2010-04-19/News and notes). The current headline page is designated using Wikipedia:Wikipedia Signpost/Templates/Issue, and transcluded on thousands of pages using {{Signpost-subscription}}.

The problem: While {{Signpost-subscription}} and Wikipedia:Wikipedia Signpost/Templates/Issue are both fully protected, this protection doesn't extend to the signpost headline page, which is a high risk template. This makes edits like this cause lots of disruption on Wikipedia. The user doing this clearly knows what (s)he's doing; anyone else would have trouble knowing about the signpost, finding it, and using the {{#ifeq: to hide the location of the edit. This isn't the first time this happenned; however, it appears that each time the user is getting better at hiding the action. The first instance I know of was this, causing a backlog of hundreds of pages at CAT:CSD before it was reverted.

The solution: We need to protect the current signpost. I can come up with 4 ways to do it:

  1. Protect (or semi-protect) each new signpost as part of the publishing process.
  2. Re-instate the cascade protection of Wikipedia:Wikipedia Signpost/Protection.
  3. Create some edit filter to prevent edits from new or unregistered users to any signpost (not just the current one).
  4. Add a regex to MediaWiki:Titleblacklist preventing new users from editing the signposts.

How should we handle the situation? עוד מישהו Od Mishehu 08:33, 22 April 2010 (UTC)

I say Option 1 is best - isn't SOP with high-risk templates semi-protection anyways? —Jeremy (v^_^v Dittobori) 08:47, 22 April 2010 (UTC)
Whilst I am personally unsure what solution would be most effective here, I think that something does need to be done. In a similar scenario within the last 24 hours, pages with the signpost on them were put into the category for Unblock Requests which swamped it. Although most pages were quickly fixed by a revert and purge, some oddity occured in which a handful of user pages were stuck in the category despite being purged, although I eventually managed to clean that up by doing dummy edits to the affected pages. (Or by blanking and restoring them). All in all, I think some form of protection should be used to avoid disrupting some of our administrative processes. --Taelus (talk) 10:50, 22 April 2010 (UTC)
Actually I'm surprised nothing like this has happened before. The Signpost isn't like anything else on WP, I don't think the normal rules apply. Unless I am mistaken, it is not ok for just anyone to come in and start altering it. I don't see any problem with adding protection to it, since we have now seen the widespread harm, or at least big pain in the ass, that can be caused by someone monkeying around with it. Are the comment sections on their own subpages? We don't want to block the ability to leave comments. Beeblebrox (talk) 16:52, 22 April 2010 (UTC)
Nor would we want to block the ability of non-admin signpost contributors (anyone can contribute, by the way) like me to work on stuff, so definitely not full protection...there have been a couple of cases where I have fixed typos after publication had already occurred, and that's something constructive full protection would prevent for non-administrators. Ks0stm (TCG) 19:09, 22 April 2010 (UTC)
I'd support a semiprot or similar solution, but not full protection. ɔ 01:33, 23 April 2010 (UTC)

I edit the Signpost regularly without an account to fix errors. It is foolish to disbar competent editors from contributing in order to save your poxy (and, given the watchlist function, unnecessary) subscription service. Whatever about the merits of page protection for readers of the encyclopaedia, the insider target audience of the Signpost is well aware of and impervious to fleeting vandalistic edits – vandalised versions will be immediately recognised and reverted without any need for protection. What actually useful purpose does your proposal hope to achieve that would counter the loss of unregistered contributors? 86.41.54.80 (talk) 12:01, 23 April 2010 (UTC)

I don't think vandalism is a regular problem on Signpost articles, and definitely individual articles should be left open to editing by unregistered users, who have done more good than harm overall. There is a case for semi-protecting the headline pages, and if there was cascading semi-protection, that would make thinks a lot easier. I can semi-protect the new headline page each week when it gets created from now on.--ragesoss (talk) 14:27, 23 April 2010 (UTC)

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

Numerical transclusion-count guidelines for full protection of templates

As incidents like Wikipedia:Administrators'_noticeboard/Incidents#HJ_Mitchell_mass_fully_protecting_templates show, there are often disputes regarding exactly which templates qualify as "high risk", and should be fully protected even in the absence of significant prior vandalism. Much future conflict would be avoided if this guideline provided numerical thresholds for protection, depending on the namespaces in which templates appear -- > x for articles, > y for talk, etc. These wouldn't be hard limits to be imposed in all cases, but guidance in the absence of any particular reasons to treat specific templates differently. Suggestions? Peter Karlsen (talk) 04:58, 15 September 2010 (UTC)

As a possible starting point, when this guideline was created five years ago, Radiant! "protected all templates with over 5000 uses, and all metas with over 100 uses."[3] Peter Karlsen (talk) 05:15, 15 September 2010 (UTC)
For this discussion to make sense, I'd like to know how many significant incidents of actual template vandalism have happened the past. If none have happened, we're just giving the vandals ideas. We're super-careful with templates transcluded into the main page at any given time (that's why cascade protection was invented) and those are protected as part of the main page update process. What about vandalism of other templates? Does anyone know of any templates that have become protected due to a history of vandalism? I'm not saying none exist, but in the past couple days (as part of the mass-protection rollback that got us here), I've looked at a number of templates that had semi-protected and I didn't see a single instance of actual vandalism in any of them. 75.62.2.105 (talk) 05:27, 15 September 2010 (UTC)
Yes, it has happened. For instance, Template:Ed, which I believe used to appear in hundreds of thousands of pages, received vandalism like [4] -- this was one of the templates initially protected as "high risk" [5]]. Actually, it seems that this guideline was created in response to something of a vandalism spree on extremely heavily-used templates five years ago. Template:! appears on over four million pages: do we really want to create the prospect of penis vandalism on all of them? Peter Karlsen (talk) 05:38, 15 September 2010 (UTC)
I don't think many people would support unprotecting {{!}} ... even admins aren't supposed to edit it unless it's really important, since every edit would slow down the whole wiki as the change propagates to the caches of the 5000000 pages that it's transcluded on. Soap 16:55, 16 September 2010 (UTC)
As a side-note, if a template is really "high-risk", then semi-protection isn't enough, since vandals will simply bypass it. There is, perhaps, some "intermediate-risk" category to which semi-protection may be applied to avoid casual vandalism, even though it won't stop determined malefactors. If so, numerical guidance should also be provided. What I'm unsure about is whether pending-changes level two protection can be effectively applied to templates. If so, then it might provide substantially more security than the fig-leaf of semi-protection, while avoiding the restriction of editing inherent in full protection. Peter Karlsen (talk) 05:50, 15 September 2010 (UTC)
We're not even sure if pending changes is going to survive; I agree this is a good idea though. Soap 16:55, 16 September 2010 (UTC)
I made the argument on ANI that it almost never makes sense to semi-protect a template, since a vandal sophisticated enough to attack templates can figure out autoconfirmation. Pending changes on templates is an interesting idea. 75.62.2.105 (talk) 06:20, 15 September 2010 (UTC)
I don't see numerical guidance doing much good except in extreme cases. Otherwise it matters more what the transclusion targets are. If a template is in particularly high-visibility pages that themselves are protected (the main page is the archetypal example) then protection is warranted. Highly topical protected BLP's might also deserve that treatment. If it's on 1000's of obscure pages it may not matter as long as the template has enough watchers to revert stuff quickly. If the Recent Changes irc feed has a way to flag particularly sensitive pages, maybe templates included in them could also be flagged. 75.62.2.105 (talk) 06:41, 15 September 2010 (UTC)
No recent changes patrol tools that I've used provide special flagging for edits to particular templates. Lupin's Anti-Vandal Tool actually provides an option to ignore the template namespace entirely. This appears to be based on the assumption that vandalism of very heavily used templates is no longer possible due to the implementation of full protection as described in this guideline. For templates with > 20,000 transclusions, this is probably accurate, though there are a few exceptions. However, a large number of templates with only a couple thousand transclusions, especially outside of articles, aren't fully protected, and the community won't tolerate having such protection implemented -- hence the recent controversy. For these templates, vandalism is either caught along with malicious edits to articles, or else noticed when thousands of pages go bad. Fortunately, this isn't a daily occurrence. Numerical guidance based on namespaces would help to distinguish these cases at the boundaries, and avoid further conflict. Peter Karlsen (talk) 07:16, 15 September 2010 (UTC)
Also, it would be safe to assume that any template used in the article namespace could appear in BLPs -- only talk page templates, etc, present no BLP concerns. Due to cascading protection, transcluding unprotected local content onto the main page is impossible. Images on commons are the only component of the main page that need to be protected manually. Peter Karlsen (talk) 07:24, 15 September 2010 (UTC)

The important thing is that any thresholds are used as a basis for discussing protection, rather than limits which require protection when passed. That preserves both the concept of "high-risk" and the consensus that preemptive protection should not be issued lightly. As for exactly where the thresholds lie, it would be best to draw that from current practice: at roughly what level of transclusion count do all templates presently seem to get fully protected? Chris Cunningham (user:thumperward: not at work) - talk 11:32, 15 September 2010 (UTC)

I agree. Setting arbitrary numerical limits isn't a good idea because it will inevitably depend on what the template is doing, and discourages seeking consensus in cases where a protection for that may be disputed. Anything over around 10,000 transclusions should be protected in some way, but what about 3,500 transclusions for a template that, when changed, could cause massive collateral damage to how other templates work with each other? Discussion should be used in many cases, and a general limit would be the status quo. fetch·comms 12:50, 15 September 2010 (UTC)
I don't have any strong opinion on numerical thresholds but I sympathise with the point that semi-protection of high-risk templates may be less effective. Template vandalism is likely to be attempted by a vandal with substantial wikipedia skills - it's not just adding naughty words to a lede. Semi-protection is good at stopping the large volume of drive-by, low-tech vandalism, but provides less protection against skilled vandals, as they're more likely to figure out how to set up a few accounts and get them autoconfirmed. So, full protection may be more appropriate. (Or pending changes? ;-) )
Anybody got some numbers on template vandalism? Statistics trump anecdote...
bobrayner (talk) 10:31, 16 September 2010 (UTC)
  • If we were to alter the policy, it would be good to try and aim the wording to aim for the in article templates primarily and to try and not to protect talk page templates unless they actually show a pattern of vandalism compared to possible vandalism (or a very high use limit), because since they are on a talk page they are less of a target and less visible to the public so the effects wont been seen as much so they shouldn't need to be protected using the same guidelines compared to in article templates, afterall we a are a project that aims for everyone can edit where possible. Peachey88 (T · C) 00:23, 16 September 2010 (UTC)

There are still templates that are (batch) full-protected that I don't think even need to be semi-protected, such as Template:Serotonergics, which has fewer than 500 transclusions, and doesn't strike me as a likely vandalism target. Also many (batch) semi-protected; Template:Zoos, for example (and dozens, if not hundreds, more), probably has more transclusions (still less than 1,000), but was only on page 4 of the datadump, so probably doesn't need preemptive semi-protection, either. I don't think it should be a simple numbers game--subject matter and type of visibility, etc. should also be taken into consideration. 76.121.3.85 (talk) 01:36, 19 September 2010 (UTC)

To be honest, for templates, I'd say full or nothing - vandalism to a template is much more likely to be deliberately malicious (obscenity, racism, etc) rather than just playful ("joe is gay hee hee" and gibberish), and that's a good sign that semiprotection is just going to get evaded if push comes to shove. (I say this as someone who normally likes semiprotection...)
The interesting thing is that, in my experience, the types of templates which get hit are pretty unpredictable. Infoboxes, article "header box" notices - you expect them. Parts of colour swatch tables, specialised types of stubs - less so. We can make a fair distinction based on use in "reader facing" vs. "back-end" namespaces (if it's used in mainspace it's more 'important' than something only used on image discussion pages), but I'm not sure there's a useful line to be drawn based on what kind of template it is, especially given that you can make quite dramatic changes to the position and appearance of a template with a bit of ingenuity.
One approach that might work is to prioritise based on "eyeball exposure" - rather than raw transclusion numbers, a method that looks at the pages it's transcluded into and their readership levels. If that's over a certain number - goodness knows what - then lean towards presumptive protection. It is, after all, safe to say that a navbox template on ten articles with 10,000 pageviews each a day is "riskier" than a stub template with a thousand transclusions on trivial articles which get maybe half a dozen each. Working out how to implement this, of course, is left as an exercise for the reader! ;-) Shimgray | talk | 01:34, 20 September 2010 (UTC)

As a template editor who's not an admin, I strongly urge commonsense liberalization of the policy by adopting a reasonable numerical guideline and urging individual review. Right now, as I write, there is a backlog of 22 requests to edit protected templates, some now six days old. There seem to be plenty of administrators involved in protecting templates, but hardly any in dealing with the consequences. The situation is very frustrating. --Bsherr (talk) 22:11, 19 September 2010 (UTC)

I have a proposal below to resolve this problem. Peter Karlsen (talk) 21:25, 20 September 2010 (UTC)

MediaWiki namespace templates

Templates in the MediaWiki: namespace should always be fully-protected, since many MediaWiki messages allow full and unrestricted use of HTML, CSS, and Javascript (among other technologies); JS, at least, can be exploited to launch attacks on users, and HTML and CSS are certainly not above use to attack users. In addition, there are several MW messages which are highly sensitive to formatting, so even edits to fix typos have the potential to break the interface, meaning there is no "non-controversial" edit possible in regards to the interface, or templates used in it. ダイノガイ千?!? · Talk⇒Dinoguy1000 16:17, 8 October 2010 (UTC)

Server load - Rational

I think this section should be removed. The wisdom is Don't worry about performance. To quote the nutshell: Server performance is very important, but it's taken care of by the sysadmins, who know what they're doing. Try not to make policy decisions based on your (probably limited) understanding of performance issues. Regards, SunCreator (talk) 22:47, 19 September 2010 (UTC)

Unless of course it's the sysadmins asking for this in which case a reference to that effect should be given. Regards, SunCreator (talk) 23:03, 19 September 2010 (UTC)

Proposal: Replace full protection with listing at MediaWiki:Titleblacklist

Existing pages listed at MediaWiki:Titleblacklist can only be edited by administrators or account creators; this facility is used to protect editnotices from vandalism. Likewise, using the title blacklist instead of full protection will allow non-administrators entrusted with the account creator privilege to edit high-risk templates, while maintaining a near-zero risk of vandalism, provided the user right is assigned judiciously. In these circumstances, account creator rights should be assigned to any sufficiently trusted editors who requested them, regardless of their activity in the account creation process.

Benefits: More editors can edit high-risk templates. Since some restriction on the editing of templates with an extremely large number of transclusions is necessary to prevent vandalism affecting many pages simultaneously, it's worthwhile to minimize the level of restriction, consistent with security requirements.

Drawbacks: A marginally increased risk of vandalism. However, this should be quite minimal since it's unlikely that someone would make enough legitimate contributions to acquire the account creator user right, just to vandalize some high-risk templates. To the best of my knowledge, editnotices have never been vandalized by an account creator. Peter Karlsen (talk) 21:08, 20 September 2010 (UTC)

If there is a need to have a intermediate category of editors between administrators and autoconfirmed (and I'm not convinced about that), then I think that neither the account creator group nor title blacklist should be (ab)used for this. Instead, new right could be created and a new group too. Svick (talk) 21:58, 20 September 2010 (UTC)
Admittedly, tacking "create/modify pages on the title blacklist" onto the account creator group is something of a dirty hack, but it's what the developers have given us. Since it's already working well for editnotices, we "have a intermediate category of editors between administrators and autoconfirmed" now. The only question is whether to extend editing of high-risk templates to this new category of editors, or continue the present practice of limiting editing to administrators through full protection. Under the theory that greater freedom in editing is better, I support the first approach. While we have a reviewer permission that's designed to permit trusted editors to be recognized by technical means, pending changes level two protection isn't usable here, since transclusions of templates always display "the most recent revision, reviewed or not."[6] Peter Karlsen (talk) 23:41, 20 September 2010 (UTC)
I understand that it would open editing to more users, but it's arbitrary to do so only for editors that have to create more than six accounts in a given day. --Bsherr (talk) 23:46, 20 September 2010 (UTC)
If we're going to protect high-risk templates through the title blacklist, then account creator rights would be assigned to any sufficiently trusted editors who requested them, regardless of their activity in the account creation process. Peter Karlsen (talk) 23:49, 20 September 2010 (UTC)
This seems like a really terrible abuse of something that's already a really terrible abuse of a permission that was meant for a very specific purpose: allowing dedicated users to help with account creation. If we want one more level in the protection/editing rights scale, then we should propose to have one more level - not a terrible ugly hack that might well cause the developers to remove the accountcreator group due to misuse. Gavia immer (talk) 00:02, 21 September 2010 (UTC)
Since the ability of account creators to create/edit title blacklisted pages is obviously a feature implemented by the developers, there's little danger of them removing the group altogether because the feature is utilized. My reference to "something of a dirty hack" relates to actions taken by the developers in tacking creation and editing of blacklisted pages onto an unrelated permission. Unless there's a major effort, as there was to get pending changes implemented, we generally must take the design of the software as we find it. Peter Karlsen (talk) 00:15, 21 September 2010 (UTC)
It wasn't ever meant for editnotices, though, just for the purpose of creating userpages at locations that are otherwise blacklisted. The editnotice thing is already an abuse of that. Gavia immer (talk) 00:30, 21 September 2010 (UTC)
I implemented parts of the current editnotice system used here on the English Wikipedia, so I should probably comment on this. That accountcreators can edit editnotices is a side effect, we didn't make it so on purpose. However, since accountcreators are trusted users it isn't a problem, so we haven't bothered to fix that bug.
--David Göthberg (talk) 19:24, 3 October 2011 (UTC)
  • This is pretty clever - it's like the old hack we had for protecting empty pages by transcluding them onto a cascade-protected page. How well would it scale, though? I mean, if we had 10,000 templates we want to mark as "sensitive" - which is not entirely implausible in the long run - would the title blacklist cope with that sort of number? Shimgray | talk | 00:24, 21 September 2010 (UTC)
  • I can't be the only one who clicked on this when they saw it listed at WP:CENT because they wondered what possible connection there was between article protection and account creation. The idea of any kind of "partial admin" has been repeatedly rejected by the community and I'm not aware of any pressing need for more users being able to edit high risk templates. Half the point of protecting them is that there is little reason to edit most of them. In short, this seems rather pointless and contrary to consensus. The partial admin idea was re-floated and shot down within the last few weeks at WT:RFA so the idea has been rejected fairly recently. Beeblebrox (talk) 00:54, 21 September 2010 (UTC)
  • Accountcreator is for creating accounts. Its "side effects" should not be taken advantage of in such hacks. If there's no interim right, propose one, not lump on more abilities to unrelated usergroups. /ƒETCHCOMMS/ 01:11, 21 September 2010 (UTC)

A few comments if I may:

  • I'm not exactly liking the idea of a hack or a bug being able to allow or disallow what we can do (as Fetchcomms pointed out above). However, with something like MediaWiki, perhaps this is more of a by-product of a large, advanced program.
  • Giving out account creator for reasons like these defeat the purpose of calling the user right as such. If this hack will not be fixed per my first point, then perhaps a changing of the name of "account creator" is in order so as not to mislead people into what this user right really entails?
  • (shameless plug) I got mixed reactions on the mailing list on a possible "bundling" of rollback, reviewer, autopatrolled, and account creator into one "uberuser" right. This would simplify how user rights are distributed as well as serve as a more solid step in rights between non-sysops and sysops.

MuZemike 01:13, 21 September 2010 (UTC)

On the subject of a "bundled rights group", take a look also at User talk:Xeno/Archive 22#bundled rights (question for tps'ers). –xenotalk 23:30, 21 September 2010 (UTC)
  • What a weird proposal. If anything, the proposal should be to fix accountcreator to only allow the creation of accounts once more, not to further reinforce a bad design decision. Gigs (talk)
  • Very clever, but moving in the wrong direction. Specifc account rights should be narrow and technical. ACC is not a super-user, neither is rollback. If we want to deal seriously with editing protected templates, we should revive the proposal to disaggregate admin rights. Protonk (talk) 17:56, 21 September 2010 (UTC)
  • Nah. Don't add jewels to crowns; account creators create accounts. Do something else.  ono  23:30, 22 September 2010 (UTC)
  • Oppose, solution looking for a problem. Additionally, the accountcreator right isn't supposed to be used for hacky tricks like this. Judicious flagged protection can be used if there is really a serious delay on admins editing protected templates. Stifle (talk) 14:24, 23 September 2010 (UTC)
  • Oppose, agree with rationale as given by Stifle (talk · contribs) - namely, this particular userright was not intended for this type of specific usage. As such, it would lead to confusion. -- Cirt (talk) 03:08, 24 September 2010 (UTC)
  • Oppose - if it ain't broke, don't fix it: and I'm not persuaded the existing system is broke. All protected templates have an "edit request" button baked into the "view source" tab for users without the relevant editing rights. In the absence of a massive backlog for that, I don't really see a problem. Rd232 talk 11:14, 24 September 2010 (UTC)
  • Oppose per Gigs and Stifle. Account creators shouldn't be given additional rights simply because it's an easy hack. Specific rights should be restricted to specific categories of user. Jimmy Pitt talk 19:46, 24 September 2010 (UTC)
  • Oppose per Jimmy Pitt. If we feel the need for a new user right, let's ask the developers for it now so we have it available when a detailed proposal for this comes up in the future. —UncleDouggie (talk) 01:17, 26 September 2010 (UTC)