Make the security scan dashboard deactivated by default

mleduc · October 3, 2023, 7:36am

Hello all,

Following this discussion as well as some additional chat, I reached the conclusion that the way the security scan dashboard presents himself is currently more a source of anxiety for admins that an actual help to keep wikis secure.

Therefore, I propose to:

deactivate the scan by default
add a disclaimer at the top of the administration page, explaining that the feature is currently experimental and might lead to false positive

Then, as soon as the roadmap allows, we’ll improve to feature until we reach a point where it can be activated by default again.

Here is my +1.

Thanks

tmortagne · October 3, 2023, 7:39am

+1

lucaa · October 3, 2023, 7:58am

ok for me.

vmassol · October 3, 2023, 8:01am

+1 to not bundle it by default and put a disclaimer on both the extension doc page and in the admin UI part of it, when it’s installed.

The disclaimer should mention that it’s currently experimental and that we’re working on improving the way we display information and on the underlying processes we need to set up to analyze false positives for security issues found. Or something like that.

mleduc · October 3, 2023, 8:05am

Indeed, I’d like to update my initial proposal:

not bundle the extension by default (instead of simply deactivating it)
add a disclaimer at the top of the administration page, but also on the documentation, explaining that the feature is currently experimental and might lead to false positive

cc @tmortagne and @lucaa as you expressed your opinion before the update

tmortagne · October 3, 2023, 8:07am

still +1

lucaa · October 3, 2023, 8:16am

I actually misread initially, I didn’t notice the “stop the scan” so my vote is for “debundle”, as we also have discussed orally about it…

So ok for me for debundle.

caubin · October 3, 2023, 10:05am

+1,

Thanks,
Clément

surli · October 3, 2023, 2:11pm

I haven’t followed the discussions, what’s the rationale for not bundling vs deactivating the feature? I mean, for discoverability it feels better to have the extension bundled even if not enabled. Even if it’s still need some work on it.

Also do we target some version to bundle it, e.g. do we plan to have it in 15.10.x?

vmassol · October 3, 2023, 2:29pm

Even without notifications, Admin users will see it and use it and will be frightened by what they see We need to work on what we present first. Having it as an experimental extension that you need to install makes it easier to let user know that it’s not ready yet for prime time and that we’re working on it.

vmassol · October 3, 2023, 2:30pm

The idea would be to work on it and to bundle/activate it in 16.x when it’s ready. We don’t think there’ll be enough time to do this in 15.x but we’ll see.

surli · October 3, 2023, 2:32pm

Ok thanks for the explanations. I don’t have a strong opinion on this so +0.

mflorea · October 5, 2023, 6:40am

+0

Thanks,
Marius

mleduc · October 5, 2023, 8:40am

Thanks for your answers, I’ve created Loading... for the corresponding changes.