Jump to content

Wikipedia:Village pump (technical)

From Wikipedia, the free encyclopedia
(Redirected from Wikipedia:VP(T))
 Policy Technical Proposals Idea lab WMF Miscellaneous 
The technical section of the village pump is used to discuss technical issues about Wikipedia. Bug reports and feature requests should be made in Phabricator (see how to report a bug). Bugs with security implications should be reported differently (see how to report security bugs).

If you want to report a JavaScript error, please follow this guideline. Questions about MediaWiki in general should be posted at the MediaWiki support desk. Discussions are automatically archived after remaining inactive for five days.

VPNgate blocking bot

[edit]

I am seeking consensus on a proposal to develop and deploy a bot to help block VPNgate IP addresses used by a particular WP:LTA. For WP:DENY/WP:BEANS reasons, I cannot provide full details, but users familiar with the LTA in question will understand the context.

Background

[edit]

I have tested several VPNgate IPs, and very few of them are currently blocked. According to Wikipedia's policy on open proxies and VPNs (per WP:NOP), these should be blocked. Given the volume of VPNgate IPs, I propose using a bot to automate this process.

This is building off this discussion on WP:BOTREQUESTS.

I am posting here to gauge consensus needed for a WP:BRFA.

Proposal

[edit]

I propose a bot to automate blocking these VPNgate IPs using the following steps:

  1. The bot will use this list provided by VPNgate, which contains OpenVPN configuration files in Base64 format. The provided "IP" value is only the one that your computer uses to talk to the VPN (and sometimes wrong), not the one used for the VPN to talk to Wikipedia/external internet - this requires testing to uncover.
  2. The bot will iterate through each config file and use OpenVPN to test if it can connect. If successful, it will then use the VPN to send a request to this WhatIsMyIPAddress API to determine the real-world IP address used by each VPN to connect to Wikipedia. This is sometimes the same as the IP used to talk to the VPN - but sometimes completely different, see the demo edit I did using VPNgate on the Bot Requests discussion linked above and I also did one as a reply to this post. Also, testing is needed before blanket blocking because VPNgate claim to fill the list with fake IPs to prevent it from being used for blocking, again see the BR discussion.

Blocking or Reporting:

  • If the bot is approved as an admin bot, it will immediately block the identified IPs or modify block settings to disable TPA (see Yamla's recent ANI discussion per the necessity for this) and enable auto block.
  • If the bot is not approved to run as an admin bot, it will add the IPs to an interface-protected JSON file in its userspace for a bot operated by an admin to actually do the blocking.

Additional Information

[edit]
  • I have already developed and tested this bot locally using Pywikibot. I have tested it on a local MediaWiki install and it successfully prevents all VPNgate users from editing (should they not be IP block exempt).
  • I’m posting here to gauge broader community consensus beyond the original WP:BOTREQUESTS discussion.

Poll Options

[edit]
  • Oppose: Object to the bot proposal. Feel free to explain why.
  • Support options:
  1. Admin Bot (admin given code): An admin will run the bot, and I will provide the code for them to run, as well as desired environment setup etc. and will need to send any code changes or packages updates to them to perform. Admin needs to be quite technically competent.
  2. Admin Bot (admin gives me token): An admin provides me with the bot token (scoped per Anomie below) of a newly created account only for this purpose, allowing me to run the code under myself on Toolforge and fully manage environment setup (needs install and config of multiple python and brew packages not needed for standard pywikibot) as well as instantly deploy any needed code changes or dependency updates without bottlenecks. Admin only needs to know how to use Wikipedia UI and navigate to Special:BotToken, check some boxes, and then submit.
  3. Admin Bot (I run it): For this specific case I am permitted to run my own admin bot. Withdrawn per Rchard2scout and WMF viewdeleted policy.
  4. Bot without Admin Privileges: The bot will report IPs for potential blocking without admin privileges. Not recommended per large volume. Withdrawn per 98 IPs/hour volume, too much for a human admin.
  5. Non-admin bot v2 (preferred by me): My bot, User:MolecularBot is not an admin bot. It can, however, add IP addresses that it finds are the egress of open VPNgate proxies to User:MolecularBot/IP HitList.json (editable only by the bot and WP:PLIERS/interface admins). This means I can run the code for it and manage the complex environment. An admin's bot will be running the uncomplicated code (doesn't require the complex environment and OpenVPN setup for this bot) to just monitor that page for changes and block any IPs added.

Poll

[edit]
  • Oppose for now. From reading that discussion, it looks like the IPs available through the API are only the "ingress" IPs, which is what you connect to on their side when using the VPN (and even then, it seems like the VPN client might sometimes use another IP instead?). If there's actually a publicly available list of outgoing IPs available, I'd be very surprised. From an operational standpoint, those IPs don't need to be public, and if they are, that's a serious error on their side. If we do somehow get our hands on a list, I'd be in favour of option 1. There's plenty of admins available who are able to run bots. --rchard2scout (talk) 08:37, 17 December 2024 (UTC)[reply]
    Hi rchard2scout, I think you misunderstand the bot. The bot connects to each "ingress" IP and then finds out the "egress" IP that it uses by sending a request to a "what is my IP address API" (not associated with VPNGate in any way), then blocking the egress. This fully disables VPNgate on my local instance of MediaWiki. Thus, a list of egress IPs are not required, because it makes it own by connecting to each of the ingress ones and sending a request. I apologize if my documentation wasn't clear. MolecularPilot 🧪️✈️ 08:44, 17 December 2024 (UTC)[reply]
    Noting that I currently do have a complete list of "egress" IPs from my local run of the bot, so should I take your vote as a support of option 1 like you stated? Thank you. MolecularPilot 🧪️✈️ 08:45, 17 December 2024 (UTC)[reply]
    Oops, you're right, I somehow missed this. Hadn't had my first coffee yet ;). Striking, adding new vote.
    That's so fine, my brain is a little laggy in the early morning as well! My technical/documentation writing probably needs some work as well, it's not my best skill (anyone please feel free to edit this post and make it clearer, if it's wrong I'll just fix it). Thank you for your time in reviewing this even though it's still the early morning where you are! :) MolecularPilot 🧪️✈️ 09:38, 17 December 2024 (UTC)[reply]
  • Support option 1. Options 2 and 3 are probably incompatible with our local and WMF policies, because an admin bot can do anything an admin can do, and you haven't gone through RfA, so you're not allowed access to rights like viewdeleted. Or (@ anyone who know this) are OAuth permissions granular enough that an admin can generate a token that allows a bot access to block but not to other permissions? In any case, I think option 1 is the easiest and safest way, there's plenty of admins available who are able to run bots. --rchard2scout (talk) 08:59, 17 December 2024 (UTC)[reply]
    Hi Rchard2scout, thank you for your new comment and feedback. I hope your morning is going well! Ah yes viewdeleted, silly me to forget about that (I have the opposite problem as you before, it is far too late at night where I live!), I do recall it from someone else's declined proposal of admin sortion, I've struck Option 3 now per WMF legal policy. Re OAuth permissions, I know from using Huggle that when you create a bot token there's a very fine grained list of checkboxed for you to tick, and "block" is in fact one of them, so it is that granular as to avoid all other admin perms, I've expanded Option #2 above to clarify this and more circumstances. I do believe this would be my preferred option, per the reasons I've placed in my expansion, but are really happy with anything as long as we can deal with this LTA. Anyway, enjoy your morning! MolecularPilot 🧪️✈️ 11:29, 17 December 2024 (UTC)[reply]
    There's no grant allowing block but no other permissions. The minimum additional admin permissions would be block, blockemail, unreviewedpages, and unwatchedpages. Anomie 12:33, 17 December 2024 (UTC)[reply]
    Support option 5 as well, and that doesn't even need a BRFA or an RFC. We do then need consensus for the adminbot part of that proposal, so perhaps this discussion can focus on that. --rchard2scout (talk) 10:19, 18 December 2024 (UTC)[reply]
  • Option 1. I believe this is the only option allowed under policy. Admins need to run admin bots. This RFC is a bit complicated. Usually an RFC of this type would just get consensus for the task ("Is there consensus to run a bot that blocks VPNGate IP addresses?"), with implementation details to be worked out later. –Novem Linguae (talk) 12:09, 17 December 2024 (UTC)[reply]
    Option 5 is fine if the bot doesn't need to do any blocking and is just keeping a list up-to-date. Don't even need this RFC or a BRFA if you stick the page in your userspace (WP:EXEMPTBOT). –Novem Linguae (talk) 09:50, 18 December 2024 (UTC)[reply]
  • I'd like to suggest an alternative approach: Write a bot or Toolforge tool that generates a data feed of IP addresses, starting with VPN Gate egress IP addresses, perhaps including the first seen timestamp and last seen timestamp for each egress. The blocking and unblocking portion of the process is relatively simple and a number of administrators could write, maintain, and run a bot that does that. (I suspect most administrators that run bots would prefer to write their own code to do that.) Daniel Quinlan (talk) 23:04, 17 December 2024 (UTC)[reply]
    Well, I started writing this suggestion before option 5 was added. Since it looks like this is basically the same as that option, put me down as being in favor of Option 5. Daniel Quinlan (talk) 23:15, 17 December 2024 (UTC)[reply]
  • Courtesy ping for Rchard2scout and Novem Linguae notifying them of the new preferred option 5 above, which I believe makes everything easier for both myself and the admin who wishes to help me (I'll leave a note on AN asking nicely once BRFA passes for MolecularBot). Also, Skynxnex, you expressed support for option 5 below, did you mean to format that as a support !vote in this section (my apologies for the confusing layout of everything here). Thank you very much to everyone for your time in reviewing this proposal and leaving very helpful feedback. MolecularPilot 🧪️✈️ 09:33, 18 December 2024 (UTC)[reply]
    I don't feel like I've thought about the different aspects to do a bolded !vote yet. Skynxnex (talk) 15:07, 18 December 2024 (UTC)[reply]
    That's so fine, thank you anyway for your feedback! :) MolecularPilot 🧪️✈️ 23:07, 18 December 2024 (UTC)[reply]

Discussion

[edit]
  • Hey, it's me, User:MolecularPilot on VPNgate. This VPN is listed as 112.187.104.70 on VPNgate cause that's what my PC talks to. But, this VPN when talking to Wikipedia, uses 121.179.23.53 as shown which is completely different and not listed anywhere on VPNgate, showing the need for actually testing the VPNs and figuring out the output IPs are my bot does. Can this IP please be WP:OPP blocked? 121.179.23.53 (talk) 06:22, 17 December 2024 (UTC)[reply]
  • There is a relevant Phabricator ticket: T380917. – DreamRimmer (talk) 12:02, 17 December 2024 (UTC)[reply]
  • I don't think non-admins can run admin bots. Perhaps you would like to publicly post your source code, then ask an admin to run it? cc Daniel Quinlan. –Novem Linguae (talk) 12:05, 17 December 2024 (UTC)[reply]
  • I don't think blocking a single VPN provider will have the effect people want it to have. It's easy for a disruptive editor to switch VPNs. This is really a problem that needs to be solved by WMF. Daniel Quinlan (talk) 15:45, 17 December 2024 (UTC)[reply]
    Hi Daniel Quinlan, I guess I didn't make this clear enough in the post but this is designed to work with existing WMF proposals that are being worked on. Both T380917 and T354599 block/give higher edit filter scrutiny based on existing lists of "bad" IPs, this is the same as the old ST47ProxyBot (which actually does scanning but doesn't monitor "egress" IPs, it only attempts to connect to the "ingress" and then blocks it if successfully). This is great for a wide variety of proxy services because ingress/egress is the same, but for modern, more advanced services like VPNgate (and perhaps some services that because a problem for us in future) the ingress IP address is often not the same as the one used to edit Wikipedia, and so requires this solution (this bot). I'll admit that blocking VPNgate won't fully stop this LTA or all proxy vandals but VPNgate is quite a large and widely used network (claiming a total of 18,810,237,498 lifetime connections) that is currently almost fully permitted to edit Wikipedia, and by blocking it this significantly reduces the surface area for proxy attacks. This also creates the infrastructure for easily blocking any future VPN services that use different ingress/egress IPs - the bot can be easily expanded to use new lists. MolecularPilot 🧪️✈️ 21:14, 17 December 2024 (UTC)[reply]
  • What is the actual expected volume per day of new IPs to block? It looks like the current list has 98 ingress IPs (if I'm understanding the configuration blocks correctly). I'll also say I have pretty strong concerns about sharing "personal" tokens of any kind between users, particularly admin permission ones with non-admins. Skynxnex (talk) 19:48, 17 December 2024 (UTC)[reply]
    The list available through this API frequently rotates. It only provides 98 ingress IPs at a time, as you stated and refetching the list without [some duration of time, from my estimates it's around 1 hour] passing returns the same 98 IPs. After 1 hour (estimated) passes, a new 98 IPs are randomly selected to be provided to all users - but these may include some of the same IPs as before because they are picked by random selection from the whole list of 6057 (not available to the public), this has happened a couple times during my data gathering. Therefore re volume per hour, the maximum number of IPs to be blocked is 98, but it could be less due to already blocked IPs being included in that given hour's sample of 98, I hope this makes sense if there's anything that needs clarifying please don't hesitate to ask. MolecularPilot 🧪️✈️ 21:34, 17 December 2024 (UTC)[reply]
    Re "personal" tokens it's actually not a "personal" token to the admin's account, it would be (in theory) a token to an adminbot account with the only things it can be used for being those helpfully specified by Anomie above. However, regardless I see the concerns so I've added a proposal 5 which hopefully is a decent compromise above and ensures that I don't have access to any admin perms/tokens, but that there aren't any bottlenecks and that admins don't need to setup a complex running environment. Thank you for your time in commenting, Skynxnex. MolecularPilot 🧪️✈️ 22:23, 17 December 2024 (UTC)[reply]
    I see bot tokens as fairly similar to personal tokens since bots are associated with an operator. I think proposal 5 has promise. Skynxnex (talk) 23:08, 17 December 2024 (UTC)[reply]
    VPN Gate claims they have about 6,000 servers which is fairly close to my own estimate of how many IPs they are using. If we block each IP for six months, we'd end up averaging about 33 blocks per day. There would be a pretty large influx at the start, but I would want to spread that out over at least several weeks to avoid flooding the block log as badly as ST47ProxyBot did. Daniel Quinlan (talk) 23:10, 17 December 2024 (UTC)[reply]
    It's worth noting that an unknown amount of 'servers' are user computers that people have volunteered cpu time for (this information is somewhere on the website), so, like we see often with IP users, the IP that each server uses can and likely will change with time. This doesn't mean that an effort like this bot won't help, of course, but it's unknown how effective (as a percentage) it would be with just 33 blocks a day. – 2804:F1...33:D1A2 (::/32) (talk) 23:47, 17 December 2024 (UTC)[reply]
    33 blocks per day is a rough estimate, not a limit. Certainly there will be some delay when adding entries to any list generated as proposed above so the block rate will never reach 100%, but the egress IPs don't seem to change that much over time based on what I've seen. Daniel Quinlan (talk) 00:09, 18 December 2024 (UTC)[reply]
    So, I'm posting this anonymously through VPNGate because I don't want people to start suspecting me of things just because I admit to having used a VPN service some others are abusing to make disruptive edits here. Due to its strong base in Japan, I've used VPNGate many times in order to shop at Japanese web stores that block purchases from outside Japan (they typically don't want to offer international support and see this as the easiest solution for avoiding that), and I know a number of other people who've used it for similar reasons (also for Korea, which often has even more hosts available than Japan).
    In any case, while I've personally never enabled this on my PC, I can confirm what IP 2804: said: there's definitely a swarm of short-term volunteer IPs associated with this service who aren't part of VPNGate proper. The overlap between such people and good faith Wikipedia editors may not be large, but it's unlikely to be zero. Unless you have a good mechanism to avoid excessively punishing such users for popping up on your list for the short period of time they themselves use the VPN, maybe it's better to wait for and official WMF solution, which (based on the phabs) seems to intend to take "IP reputation" into account and would thus likely exclude such ephemerals, or at least give them very short term blocks compared to the main servers. Because getting blocked here for several months for having been part of VPNGate for a few hours hardly seems fair.
    Actually, now that I think about it: if you're going to connect to VPNGate servers for the express purpose of determining and blocking their exit IPs, you'd probably be in violation of their TOS. While you might consider this an "ends justifying the means" situation, are you sure you want to associate the WMF with such unauthorized usage? There's a difference between port scanning or getting an IP list via an API and actually traversing the VPN in order to investigate it. This absolutely is not a legal threat by me, but if VPNGate were to learn of this, I wouldn't be surprised if they took action. Aren't there enough services out there that provide VPN IP lists without having to roll your own scanner? It would seem a safer bet for the WMF to use something like that. 125.161.156.63 (talk) 16:05, 19 December 2024 (UTC)[reply]
    Oh, you didn't have to anonymise yourself, we don't cast WP:ASPERSIONS here and now you won't get a reply notification but that's okay! :) I checked the terms of service of their website before making their bot and it just says not to do anything IRL illegal otherwise they'll give your logged data to authorities if subpoenaed, but I will reach out to the VPNgate operators in Japanese (good practice opportunity, huh) when I have time just to double-confirm they're okay with everything. But btw, they encourage checking that your IP has changed to demonstrate it has worked in their how-to-guides, and this isn't 'tranaversing" as we're not collecting data on every single node but only the public IP of the exit node. Re short-term volunteers, that's a great point, and I'll update the JSON schema of its published data to include a "number of sightings" number, so that the blocking adminbot would escalate blocks as this increases so maybe it starts really short term like 2.5 days/60 hours (6000 active volunteers on average, divided by 100 checked every hour, minimum time to ensure the IP has truly stopped) if it's just 1 sighting but ramps up exponentially if it's seen again as an egress IP untill we're talking like 6months - 2 years blocks. Re WMF tickets, the distributed fact of VPNgate that anyone can start hosting means that most VPNgate IP addresses won't have a bad "reputation" (I checked a whole bunch on a variety of reputation lists and the egresses always had "good"" reputations) so reputation checking won't help (but they need short term blocks), also as you can't publically see the egress with VPNgate cause it's different to ingress (unlike most networks). So WMF solutions are actually quite innovative and smart for most VPN/proxy networks, it's just that VPNgate is a bit different needing a unique solution, this bot. MolecularPilot 🧪️✈️ 04:43, 20 December 2024 (UTC)[reply]
    I guess I'm just too careful or chicken even if most people would refrain from casting aspersions.
    I don't quite understand why you say you're not traversing. You're not just touching the network from one side, you're passing through it and coming out on the other side, that's traversing. However if they don't mind it, then I guess you're in luck. Ecxept maybe if those Japanese laws they mention a mllion times in their documents have a problem with something like this.
    I don't know what the WMF is basing its reputation measurements on. My meaning was that sites like browserleaks.com almost always seem to know about the VPN status of the exit nodes I've used over time. I don't know where they're getting this information from exactly, but that's what I meant by reputation, not whether they're good or bad but what they're known to engage in, like being a VPN node. And that database is probabably built either through collaboration or by specialized services, which the WNF can use as well. Like email providers use common antispam databases instead of each rolling their own.
    In any case, good luck with your bot, because I'm afraid these persistent abusers you want to keep out by this probably won't be averse to paying for commercial VPNs if they have to, and many of those only cost a handful of bucks a month. Commercial companies will almost certainly have a TOS that would prohibit your bot, so to counter them the WMF would in the end still have to resort to a specialist or collaborative VPN IP list of some kind. You can probably cut down on casual troublemakers by tracking VPNGate but I don't think it'll help all that much much against anyone highly motivated. They can even continue using VPNGate, it'll just be less convenient because they have to find brand new nodes before you catch those.
    92.253.31.37 (talk) 17:39, 20 December 2024 (UTC)[reply]
    I'm not sure what you mean by "Japanese Laws" they keep mentioning they don't seem to mention any, when I told you that the ToS said don't do anything irl illegal I was referring to this ToS page which doesn't mention any "Japanese Laws" but just says don't do anything like CSAM like your government can subpoena us for, because we'll comply (and directions for LEOs to request this). Re reputation yes, the major VPNgate nodes that have done it for a while do have bad reputations, particularly 219.100.37.0/24 which is the example servers run by the university themselves - but as you said, because anyone can start a VPNgate server and then there's always brand new nodes that won't have bad reputations and can be abused. But - as I've stated in a different discussion above, the list of VPN servers to connect to only updates with new servers hourly, so while reputation services won't catch the new exit nodes (because they won't be used poorly enough to trigger flagging for a white), the bot constantly waits for updates to the list and then immediately tests it to determine the new egress IPs. Re commercial services generally, unlike VPNgate, they use datacenters and static IPs that are assigned to "Hotspot Shield, Inc." (as an example) so it's easy to CIDR range block them and also the reputation of those deteriorates over time as they do bad things - the companies don't randomly get new IPs in random locations around the world, like VPNgate. In fact commercial reputation services excel at identifying commercial services (from my testing), but VPNgate is community distributed, like Wikipedia, and needs a unique approach. And yes, as I said to Daniel, I'll admit that blocking VPNgate won't fully stop this LTA or all proxy vandals but VPNgate is quite a large and widely used network (claiming a total of 18,810,237,498 lifetime connections) that is currently almost fully permitted to edit Wikipedia (the bot currently has 146 IPs in its list and as shown by the stats section of the toolforge frontend, ~60% are currently unblocked (and this is an underestimate because the list is mainly the "obvious" ones that are always provided first in the 98 hourly sample, like 219.100.37.0/24. This is because the bot has only had 1 full run of all IPs in a given hour's list, and many failed partial runs of just the first couple. I think blocking VPNgate significantly reduces the surface area for proxy attacks - only looking at only 10 of the blocked IPs I see link spam, edit warring, block evasion, vandalism and our favourite WP:LTA. MolecularPilot 🧪️✈️ 08:38, 21 December 2024 (UTC)[reply]
    They mention Japanese laws repeatedly in the texts shown when you click the licence and notice buttons under Help > About of the SoftEther VPN Client Manager. It's a canned statement saying they only comply with Japanese laws because they can't possibly follow every law worldwide.
    the bot constantly waits for updates to the list and then immediately tests it to determine the new egress IPs Are you going to run multiple instances of the bot in parallel, because the 98 IP list you get per hour seems far from sufficient for make claims about a strong level of protection if there are ~6000 egresses, many of which churn. With your current setup, an abuser can get their own list refresh, which would be different from what the bot gets, run it past your very helpful :) IP check tool and then make edits from any IP not covered. Which may not be many, but they only need one out of their 98, so it's likely they'll get something as long as the volunteer swarm keeps changing.
    Getting a bit more facetious, VPNGate could conversely determine the IP of your bot and block it as a censorship agent. :) I really think it contradicts the spirit of their operation even if they haven't prohibited it explicitly, since you don't happen to be a state agent. This is just my conjecture, but I'm guessing that if you looked at your IP list edits without focusing solely on the abuse, you'd also see constructive edits coming from them, quite possibly from people using VPNGate to bypass state firewalls. I am well aware of Wikipedia open proxy policy, but it can make editing somewhat difficult for such people.
    These remain my two sticking points: while useful, the bot won't be quite as effective as you represent; and you're arguably abusing their service to operate yours.
    Once this bot starts issuing blocks, you should probably amend Help:I have been blocked to include verbiage about having used a VPN in the recent past, because this situation isn't really covered by the "you are using a VPN" or collateral damage statements. 211.220.201.217 (talk) 15:21, 21 December 2024 (UTC)[reply]
    VPNgate does not have as firm of a ground as you claim. Yes, companies have terms of use and those terms of use often have clauses of disputes being filed in their local country. However, as multiple attourneys have pointed out, this local dispute solving when dealing with an customer from abroad does not really work. In reality, VPNgate is forced to deal with international laws, because otherwise they will just lose their case. (one of the legal opinions supporting this: https://svamc.org/cross-border-business-disputes-company-use-international-arbitration/ )
    As far as blocks go, yes, they could block one user, but let me remind you that there are 120,000 active wikipedia users. The script could just be passed on between users until all of their IP ranges are blocked. They would lose that war, every time. Snævar (talk) 20:11, 21 December 2024 (UTC)[reply]
    I don't recall claiming anything about firm ground. I have a problem with the WMF or parties associated with it engaging in somewhat questionable practices, even if it is for a good cause. I'm OK with port scanning or getting data from an API, because that's external probing, but actually passing through someone's premises with the intent of later restricting their users is something I find objectionable, and it is my conjecture that VPNGate would think likewise. If VPNGate blocked one user's bot, that would simply be an indication that they object to such activities, and having a million other users on the ready to take over would change nothing about that, and I'm fairly certain the WMF does not subscribe to this sort of hackerish way of thinking anyway. VPNGate aren't outlaws against whom anything goes, they operate a prefectly legitimate service, albeit one that some people abuse. It's also possible that it's just me, and VPNGate themselves have no objection to any of this. The OP was going to ask them, so I presume they'll inform everyone about the response sometime soon. 220.81.178.129 (talk) 11:44, 22 December 2024 (UTC)[reply]
    Yes, this is definitely not something that should be adversarial or "us against them" and if they express concerns about this behaviour, we should totally not try and evade it - after all VPNgate does share our mission of spreading free knowledge to the world (and are very useful to spreading Wikipedia and other websites around the globe, it's just some bad actors taking advantage of the kind service of both the university and the volunteers creating a problem). We just need to find a way to work together to ensure that we both can continue to do our things. Being the holiday season, it's pretty busy for me and I'm sure the same is true for the operators so I will reach out in the new year re their thoughts on this. MolecularPilot 🧪️✈️ 04:45, 23 December 2024 (UTC)[reply]
    Hi! The abuser can't get their own list refresh seperate from what the bot sees, I guess I wasn't clear before but what I meant was that everyone gets the same 98 IPs every hour, and then the next hour another 98 are randomly selected to be shown to everyone.
    Re censroship/state agencies this doesn't help state agents or censorship at all, because they want to block the input/ingress IP addresses that citizens would use to connect to the VPN network, and knowing the egress that the VPN network uses to connect to servers doesn't help them at all. I have clarified this in the README.md now so anyone who sees the project will know that it can't be used for censorship.
    Re users bypassing state firewalls, they can still read and if they want to edit we have WP:ACC for that (abusers could go through acc I guess, but then they can't block evade once their account gets indef'ed - and VPNgate has been used a lot by link spammers, people who want to edit war (especially someone who got really upset about castes, I've seen a lot of edit warring from detected IPs about that) to evade the blocks on their main account).
    Btw, thank you for calling my tool helpful, I'm not the best at UI design but I tried to put some effort in and make it looks nice and have useful functions. Thank you to you as well for your time in providing soooo much helpful feedback to make the bot better. :) MolecularPilot 🧪️✈️ 03:52, 22 December 2024 (UTC)[reply]
    Also thanks for reminding me to provide guidance to users on this, I think the current WP:OPP block message doesn't really fit with the VPNgate mode of temporary volunteers (who the user effected might not even know about but could get a dynamic assignment with an IP blocked for a few days). I'll make a custom block template! :) MolecularPilot 🧪️✈️ 03:54, 22 December 2024 (UTC)[reply]
    Tada I guess... {{Blocked VPNgate}} Anyone reading this please feel comfortable to be WP:BOLD and make it better if you'd like, it's still a very early draft. :) MolecularPilot 🧪️✈️ 10:06, 22 December 2024 (UTC)[reply]
    While tone of you thanks seems to include some aspersions :), you're welcome if what I've said has helped you. If the list is the same for everyone, you can indeed be a lot more effective. My point about censorship was less about you helping state censors and more about you using the loophole that VPNGate haven't said anything about private actors, and giving the impression that abuse is the only thing it is being used for. 220.81.178.129 (talk) 11:39, 22 December 2024 (UTC)[reply]
    Oh no I'm really sad now, please don't take my tone when I thanked you in the wrong way (it can be both hard to express and pick up on the internet)! Maybe saying "sooooo" was a bit over the top, but you've genuinely gone back and forth with me a lot of times and always written detailed, logical suggestions or concerns to help, so genuinely, no sarcasm, thank you!!! :) MolecularPilot 🧪️✈️ 04:41, 23 December 2024 (UTC)[reply]
    All right then, and sorry about my tendency to lean a bit on the paranoid side. 159.146.72.149 (talk) 09:25, 23 December 2024 (UTC)[reply]
    That's so fine! :) MolecularPilot 🧪️✈️ 05:00, 24 December 2024 (UTC)[reply]
    How feasible would it be to make the list of IPs private/admin-only? I mean, they're still going to get blocked, and that's public, but I feel like making a public list, even if one may or may not already exist, might be an unnecessary step?
    If I ran a VPN service I'd be a lot less upset about Wikipedia defending itself than Wikipedia creating a public up-to-date list of VPN IPs that everyone can use, without effort, to mass block most of my VPN. – 2804:F1...57:88CF (::/32) (talk) 02:09, 24 December 2024 (UTC)[reply]
    I'm not really sure, I don't think there's a way to restrict viewing a page on EnWiki (I could whip up a MediaWiki extension enabling "read protection" of a page, but I doubt the WMF would install it), but we do have things like checkuserwiki, arbcomwiki etc. which have limited viewership so prep haps the bot could operate on a new antiabusewiki (but this would require even more work from WMF than installing the extension) and then a stewardbot could issue global blocks from there? I would also have to take down molecularbot2.toolforge.org and the GitHub repo (that anyone could just download code and run it to get their own list). But even if we don't have a list, it's trivial to query the MediaWiki API for block status (that's what the toolforge tool does in addition to seeing if the IP is listed at User:MolecularBot/IPData.json when you lookup an IP or generate stats), there's very high ratelimits for this, and you just need to check if the block reason is {{Blocked VPNgate}} or whatever message the adminbot/stewardbot leaves. MolecularPilot 🧪️✈️ 04:54, 24 December 2024 (UTC)[reply]

contentious topics/aware plus "topic code"

[edit]

i want to add the contentious topics/aware template to the top of my talkpage, but the list of topic codes says to substitute the template so i did but the israel/palestine topic code did not display. how do i include the topic code? Daddyelectrolux (talk) 19:04, 19 December 2024 (UTC)[reply]

@Daddyelectrolux You don't need to subst that template, you would just do {{Contentious topics/aware|a-i}}. --Ahecht (TALK
PAGE
)
19:51, 19 December 2024 (UTC)[reply]
the topic codes page states that the template should be substituted. perhaps that should be removed, to avoid new people from make my same mistake? thank you User:Ahecht. :) Daddyelectrolux (talk) 00:23, 20 December 2024 (UTC)[reply]
@Daddyelectrolux: You wanted to use Template:Contentious topics/aware which doesn't say to use subst. Template:Contentious topics/table is used to document other templates and it varies whether they require subst. I have added this to the documentation.[1] PrimeHunter (talk) 12:14, 20 December 2024 (UTC)[reply]
To be fair, up until yesterday Template:Contentious topics/aware/doc just linked to Template:Contentious topics/table. I updated it so that it properly transcludes the table, which hides the subst: syntax. --Ahecht (TALK
PAGE
)
15:27, 20 December 2024 (UTC)[reply]

Site is under maintenance

[edit]

I was unable to complete an edit a few minutes ago. I got an error message saying the site was under maintenance. Clicking on "back" did get me the edit I was trying to make and a few seconds later I was successful.

I posted just for documentation but I am having difficulty with a site that is very slow and I came here to do an edit to have something to do while waiting for pages on that slow site to come up. The slow site slows everything else down.— Vchimpanzee • talk • contributions • 21:21, 20 December 2024 (UTC)[reply]

Blacklisted website not on any blacklist

[edit]

I wanted to save an edit containing a link to tradingview.com but it keeps showing a message:

"Your edit was not saved because it contains a new external link to a site registered on Wikipedia's blacklist or Wikimedia's global blacklist. [...] The following link has triggered a protection filter: tradingview.com [...]"

So I tried to figure out whether I shouldn't use that website as a source and on what blacklist that website is supposed to be but I couldn't find anything. Is that a bug? Killarnee (talk) 14:18, 21 December 2024 (UTC)[reply]

It's on the global blacklist at meta:Spam blacklist. Anomie 14:29, 21 December 2024 (UTC)[reply]
Yeah. It was added in October 2017. See the request and link report. – Daℤyzzos (✉️ • 📤) Please do not ping on reply. 14:44, 21 December 2024 (UTC)[reply]
Hm now I found it too, somehow the find tool in Safari wasn't able to find it. Thanks you both. Looks like I have to search for another source. Killarnee (talk) 14:58, 21 December 2024 (UTC)[reply]

When I try to view this special page I just get the following error:

[8f6642e6-42f2-4bba-8e7d-01bac9220c2f] 2024-12-21 18:40:02: Fatal exception of type "Wikimedia\RequestTimeout\RequestTimeoutException"

Is anyone else getting this error when viewing that page? Thanks. 2A0E:1D47:9085:D200:E9BC:B9ED:405A:596B (talk) 18:42, 21 December 2024 (UTC)[reply]

It works now. Problems come and go. I had to restart my phone half an hour ago to get something to work. Extra: That was a problem with an app on my phone (nothing to do with Wikipedia). Johnuniq (talk) 03:10, 22 December 2024 (UTC)[reply]
I see a similar error when I try to check logs for Special:Log/ProcseeBot. [1d666f00-ed84-4e73-928d-04edc6edc844] 2024-12-22 10:33:05: Fatal exception of type 'Wikimedia\Rdbms\DBQueryTimeoutError'.DreamRimmer (talk) 10:39, 22 December 2024 (UTC)[reply]
Likely also worth noting that, above the error, it says To avoid creating high database load, this query was aborted because the duration exceeded the limit. Though I suppose that's the definition of a timeout... – Daℤyzzos (✉️ • 📤) Please do not ping on reply. 15:43, 22 December 2024 (UTC)[reply]
Tracked at phab:T325062. – DreamRimmer (talk) 18:00, 22 December 2024 (UTC)[reply]

Colors of images in {{Infobox government agency}} are inverted in the dark mode

[edit]

When the {{Infobox government agency}} template is included into some page, SVG images inside it have their colors inverted if the dark mode is on. See, for example, the article United States Department of State, specifically the seal: it should have dark blue outter ring, white inner circle with a brown eagle, but instead you can see the seal with a bluish-white outter ring, black inner circle with an orange eagle. Looked at several other infobox templates, none of them have a simmilar issue. Also, only vector images are affected by this, raster images are not. I wanted to try to debug it, but the template is fully protected. Tohaomg (talk) 17:30, 22 December 2024 (UTC)[reply]

@Tohaomg it's most likely this edit by @Jonesey95: that has introduced the behaviour. Probably best discussed at Template talk:Infobox government agency. Nthep (talk) 18:04, 22 December 2024 (UTC)[reply]
See the previous discussion. A more comprehensive fix is welcome. The sandbox is open for anyone to edit. – Jonesey95 (talk) 18:57, 22 December 2024 (UTC)[reply]
This is not an acceptable solution, please revert. Sjoerd de Bruin (talk) 20:52, 22 December 2024 (UTC)[reply]
The reason skin-invert worked for signatures was that white writing paper is common and even though colors in pens is varied, the most commonly used ones are dark.
Logos are not created on the basis of a palette of colors, unlike signatures. Logos are created to be visible and understandable from far away and close up. As such, they should not be inverted at large.
I consider the edit request in the template to be unactionable, as it did not ask for any particular solution, not even a hint at one. Snævar (talk) 23:24, 22 December 2024 (UTC)[reply]
I'm not sure why people are continuing to reply here. This discussion will be lost in the archives of VPT; please post at the template talk page with comments, suggestions, proposed fixes, or requests. – Jonesey95 (talk) 06:00, 23 December 2024 (UTC)[reply]
@Jonesey95: I am not buying that argument for one second, also you are refusing to talk about the issue itself. Stop this bureaucratic nonsense. Most issues are solved during discussion not after, it being "lost in the archive" is a non starter as an argument. Clearly neither myself or Sjoerddebruin are going to move this discussion to the template talk page. If you continue attempting to refrain from discussing about the issue itself, consider this your first warning. I would also like to voice my disappointment of how you are handling this, I do expect better than this. Snævar (talk) 09:24, 23 December 2024 (UTC)[reply]
Responding like this and bypassing the instructions that are clearly indicated at the top of the template page is really something, especially with an unsure edit summary. Sjoerd de Bruin (talk) 09:32, 23 December 2024 (UTC)[reply]
I wasn't discussing the issue here because of WP:MULTI. See the template's talk page for further discussion. I have reverted the change and continue to welcome a better way to fix the problem that was identified and that is still present. – Jonesey95 (talk) 15:55, 23 December 2024 (UTC)[reply]
[edit]

I wonder if anybody remembers some technical details of the use of File:Wiki.png for the logo in the top-left corner during the 2000s (not limited to enwiki). This discussion led me to asking this. I found some clues on Commons – quoting myself from the aforementioned discussion:

The log for File:Wiki.png shows two interesting entries:

commons:Commons:Deletion_requests/Archive/2005/09#Image:Wiki.png is also interesting. [...]:

Image:Wiki.png should be moved to a different name (already re-created at Image:Wiki-commons.png) as it currently is aliasing that name on every wiki project and therefore not allowing local logos on those projects. Tim has already changed the logo location, so it shouldn't break the commons logo, but we should wait about a week before moving it to give time for the caches to update. The logo is now hardcoded so there is no need to protect this specific image.

Does anybody remember any further details?

Thanks, Janhrach (talk) 20:59, 22 December 2024 (UTC)[reply]

I don't really remember, but we have historical records of the configuration going back to 2012. The current system, where logos of each wiki are stored in the configuration, was introduced in 2015 in change 209616 and other commits around that time. Wikis had the option to use the locally uploaded Wiki.png as a logo until 2017, when it was removed in change 359037. Alas I don't really know the historical context around these changes, I just found them in the history. Matma Rex talk 14:13, 23 December 2024 (UTC)[reply]
Thanks. Janhrach (talk) 14:17, 23 December 2024 (UTC)[reply]

Log out

[edit]

I keep logging out every time I close the browser on my phone. Achmad Rachmani (talk) 22:11, 23 December 2024 (UTC)[reply]

Do you have some sort of ad blocker or privacy thing enabled that isn't allowing you to save cookies perhaps ? —TheDJ (talkcontribs) 22:15, 23 December 2024 (UTC)[reply]
@TheDJ: I have some sort of ad blocker enabled. Achmad Rachmani (talk) 22:22, 23 December 2024 (UTC)[reply]

Cat-a-lot gadget

[edit]

Hi. To follow up a query a user had on my talk page, I wanted to see if there was any way that edits using Cat-a-lot could be marked as minor by default? At present there is now way I am aware of to mark these edits as minor. Alternatively, would there be another way these edits could be filtered out of watchlists? We have a tick box to hide "page categorization", so could they maybe be included in that for example? Thanks. Jevansen (talk) 23:42, 23 December 2024 (UTC)[reply]

commons:Help:Gadget-Cat-a-lot#Preferences says there's a preference for that, it also shows this image: commons:File:2013-03-31-Gadget-Cat-A-Lot-prefscreen.png... is that just outdated info? does the interface still look anything like that?
Edit: erm, right, commons:Help:Gadget-Cat-a-lot#As your user gadget also shows how to set preferences with javascript, which I think is what you might have to do if there is no option (due to it not being a gadget on Wikipedia? You installed it as an user script, at least.) – 2804:F1...57:88CF (::/32) (talk) 02:23, 24 December 2024 (UTC)[reply]
Aha! The userscript you imported the gadget from (User:קיפודנחש/cat-a-lot.js, you import them here), manually sets the preference, including a minor: false!
I'm pretty sure you can overwrite that by just adding a line setting the preference after you import the script, but you could aso just copy their script into your common.js (replacing the import) and change that part to minor: true, that would also do what you want. – 2804:F1...57:88CF (::/32) (talk) 02:36, 24 December 2024 (UTC)[reply]
Hi. Thanks for this. I've updated User:Jevansen/common.js, but this doesn't seem to have changes things. Perhaps I've not done it right? Jevansen (talk) 21:02, 24 December 2024 (UTC)[reply]
Then I'm really not sure hm, I had tried looking at how other people did it, like User:Roland_zh/common.js (which seemed to work: diff), but I'm not really seeing much different? I mean it's set after the import, I guess. Well that and they are importing the gadget two different times, in two different ways...
I did find User:Liz/cat-a-lot.js, but I cannot confirm that it works, since Liz seemingly never used it.
If those don't work then I don't know, I'm sorry. Can't test it without an account anyways - maybe someone else will know. – 2804:F1...26:F77C (::/32) (talk) 21:27, 24 December 2024 (UTC)[reply]
Huh... the script you used was intentionally set to false this year: User talk:קיפודנחש/cat-a-lot.js#Minor: false
Because Help:Minor edit says adding and removing categories is not a minor edit... – 2804:F1...26:F77C (::/32) (talk) 21:40, 24 December 2024 (UTC)[reply]
Good find. I have to admit this isn't a guideline I could recall. Think it's generally an accepted practise to mark as minor any automated cat additions done on mass, as long as they're not in contentious topic areas or especially BLP sensitive etc. It was an admin that made this request to me after all. At any rate, you've definitely solved the cause of the issue here. Appreciate your help. Jevansen (talk) 01:32, 25 December 2024 (UTC)[reply]

Is it unproblematic to use `lang=` spans in section headers?

[edit]

Of course, I know it's wrong to use templates like {{lang}} in section headers, but I know anchors work correctly in the transcluded HTML, so is there any reason a header like === <span lang="la">Tu quoque</span> === would break something? Remsense ‥  16:59, 24 December 2024 (UTC)[reply]

Considering how {{subst:anchor}} works in section headings, this should be fine. I tested it in the sandbox and nothing went immediately wrong. jlwoodwa (talk) 05:22, 25 December 2024 (UTC)[reply]
When considering whether markup is OK in headings, there are several things to check - these include:
  • Whether the heading is actually broken, such as the appearance of the terminal equals signs in the rendered page
  • Whether inward links work from normal Wikitext
  • Whether inward links work from special pages (e.g. the little arrows in a watchlist)
There may be others. But generally, a <span>...</span> tag pair is fine. --Redrose64 🦌 (talk) 11:01, 25 December 2024 (UTC)[reply]

Question from Raph Williams65

[edit]

Hello everyone, i created my own template — {{Golden Badge Award}}, but it does have documentation, could someone explain to me how i could add documentation in the template. &‐Raph Williams65 (talk) 12:31, 25 December 2024 (UTC)[reply]

@Raph Williams65: I guess you meant it does not have documentation. After posting here you created Template:Golden Badge Award/doc which is shown at Template:Golden Badge Award. Is there still something you want help with? PrimeHunter (talk) 21:12, 25 December 2024 (UTC)[reply]
@PrimeHunter: after i asked the question, i went to Template:Documentation subpage and found my answer. —Raph Williams65 (talk) 04:01, 26 December 2024 (UTC)[reply]

Delivering pings on the watchlist page

[edit]

Apologies if this is old hat. Like many people, I sit on my watchlist page, clicking the "View new changes" link every so often. This would keep me up to date with stuff that I wish to be informed of, except that pings are not delivered. (By "delivered" I mean that the ping icon appears at the top of the page.) I only see that I have been pinged if I go to some other page. Would it be easy to deliver pings on the watchlist page too? For example, clicking the "View new changes" link could be added to the actions that cause ping delivery. Zerotalk 02:17, 26 December 2024 (UTC)[reply]