Thank you for this feedback. Let me share some background first.
We wanted to have a community review with a real site that people could use to better understand what is being proposed. The site (this forum) needed a name and a URL. This is why we went for the simplest and fastest route:
- Pick the most basic name we could think of: “Movement Strategy Forum”. Leave any alternative suggestions to the community review.
- Pick a domain that we can easily set up for this review and throw away if a better alternative is agreed upon during the review (or if the review ends up shutting down this forum).
One reason why we didn’t use it for this community review is that it saved us a trademark hop. If the forum is here to stay, the trademark check is not a problem.
About using [something].wikimedia.org, when we casually asked our Site Reliability Engineering colleagues, the technical discussion about the architecture of domains and security considerations ended up being more complex than I expected. This too partially depends on the community review.
Well, depends. We have discussed this idea a bit in our team. Touching the resolution might be easy but then we need to find a destiny for that wiki. URL change or archive it for good, both options mean work, also broken links that someone might complain about.
This makes things more complicated from a technical point of view. Discourse is designed to work on a subdomain (i.e.
forum.etc.org). It can work on a domain with some tweaks (
ourforum.org). Running it on a directory (as you suggest) is not supported, probably a technical pain to make it work and (I’m not a security expert but) probably a way to expose it to more vulnerabilities.
Point taken! However, note that as long as the name of this space has 23 characters, people will find ways to shorten it up. So… should we keep this name, get away with “MS Forum” for casual use, or find an alternative?
What about forum.strategy.wikimedia.org then?
Using a wikimedia.org domain involves a security trade-off - the domain hierarchy is used by web browsers as a trust boundary, so code running on e.g. strategy.wikimedia.org can to some extent interact with code running on meta.wikimedia.org (or login.wikimedia.org etc). The extent of it is relatively minor, but it does make some attacks easier. If this site is considered less trusted than our MediaWiki sites (either because we consider Discourse to be less secure than MediaWiki or because the site is administered by an external contractor), that could reduce the security of our main sites somewhat.
On the other hand, a *.wikimedia.org site makes it very clear to the user that this is an official site of the Wikimedia movement, where the usual privacy and safety/anti-harassment promises of the movement apply.
If this site is so much less secure that this was a serious consideration we should immediately add big red warning signs in the site header and follow up all invitations that have been sent with warning messages. I don’t think we should use platforms or contractors we don’t trust regardless of the domain name.
This type of structure (which yesterday I learned it is called 4th level domain) is technically possible, yes.
This is not what @Tgr said. The idea is general for web security and not specific to this site: vulnerabilities in a subdomain may extend to the domain and to other subdomains, and this is a good reason to think it twice before mixing different applications under the same domain.
Discourse is a well maintained software that releases updates basically every month and especially highlights security updates. This forum is hosted in the server of the company leading the development of Discourse, and we get the security patches and other updates as soon as they are released.
I agree, and we trust this platform and this contractor. They have gone through the security and legal review process common to all our deployments of third party software. This is explained in this topic pinned to ensure that anyone interested doesn’t miss it: User privacy considerations in this forum.
We can safely go back to the discussion about names and domains.
My (admittedly not so well-informed) assumption is that this site is somewhat less secure than Wikipedia, but then “less secure than a top 10 website” really isn’t saying much. Security is always a tradeoff between cost and risk; Wikipedia being breached is high risk (and at least somewhat high reward for the hacker given the huge readership), a discussion forum being breached is low risk (and low reward), so it’s totally fine if its security is merely high and not very high. As long as it doesn’t risk Wikipedia’s security, which would be something to consider in the case of a shared domain. The risk might be small enough to be acceptable, and I’m certainly no expert on it; all I’m trying to say is that using a *.wikimedia.org domain is not the no-brainer decision one might think it is.
I think it’s too generic.
+1 for forum.strategy.wikimedia.org
The first post contains a summary of the discussion so far. The top post is editable, and anyone can contribute to improving it. We will try to update it on a weekly basis in conjunction with the community review weekly reports.
forum.wikimedia.org is good enough in my opinion, or discourse.wikimedia.org, discuss.wikimedia.org. then you have forum.wikimedia.org/t/movement-strategy and one can subscribe to it and even use it in mailing list mode.
(too) specialized domains like “strategy.wikimedia.org” were not followed by too many persons in the past.
Offhand I also like forum.wikimedia.org, so I added it to the list at the top. Is there some reason that we would e.g. want a different forum for strategy vs any other movement-wide topic?
Current .org makes movement-strategy appears like an NGO.
For future temporary use consider less specific .INFO or similar…
and/or shortest possible
In this proposal, we are focusing on Movement Strategy because it is in this context where such a tool is clearly needed and we can make a good case for a relatively straightforward solution. Movement Strategy has been discussed mainly on Meta and Telegram in the past years, there is an active community relatively defined, it’s a relatively controlled experiment that we can check whether it is working or not.
If we remove the focus on Movement Strategy, then we fall back to Wikimedia. This can and probably would have bigger implications, the plan and its community review would turn way more complex, the discussion about Meta-Wiki and the wiki projects and the Discords etc would get way more complex…
The good thing about Movement Strategy is that the 10 recommendation already provide a wide scope that allows to bring many interesting topics. Enough to deserve a forum, really. And complex enough for starters.
Adding “2030” to a domain is like planting the seed for a future problem…
w.wiki is conceived as a redirect, right? We can always use it, but the forum still needs to be hosted on a domain-domain.
Thanks @Tgr , another thing that I have learned today.
This domain (and redirect service) is controled by WMF and it should be possible to make this domain easily and use it without much intereference, as current script generates combination of numbers and letters, but never just numbers.
Do not see why and which problem…
Do you think this strategic plan and inplementation process will slide beyond 2030, without Wikimedians making a new process and target? I sure hope not
About using a *.w.wiki combination, more opinions are welcome. While it is technically true that the Foundation has the technical means to create i.e. 2030.w.wiki, this doesn’t mean that it is a good idea. I personally think that it is better not to mix the clear function of the Wikimedia URL Shortener with other uses, but if there is a community drive for this option we will consider it, sure.
No, I think a healthy movement should always keep some stream of strategic conversations and collaboration. This is why I don’t think we should tie this forum to 2030 only to create a future problem with redirects etc. I would only user years in domains for olympic games and things like that.