Requests for Comment/Meta Interface Admin Group

Note: This RFC only affects Meta and does not apply globally.

Introduction
This RFC is intended to establish consensus regarding the use of the Interface Administrator user group on Meta. As some background, this group was added to MediaWiki core in (I believe) version 1.32 as an added layer of security against compromised administrator accounts. Previously, users with sysop access could edit all pages in the MediaWiki: namespace and edit all CSS/JS pages, both sitewide pages and personal user scripts. However, this posed a security risk because if an admin account was compromised or went rouge, severe damage can be done that would affect all users of the site by inserting malicious content into CSS or JS pages - perhaps more damage than would be done by perhaps deleting the main page or something like that. As a result, the  userright, which allows modification of pages in the MediaWiki: namespace, among other similar permissions, were revoked from the sysop group and given to their own independent group that is assignable by bureaucrats. However, on Meta these changes were overridden locally so that sysops still have the rights they originally had, and the interface admin group has since been unused.

However, there may be certain cases where access to the MediaWiki namespace and other interface pages is needed or desired while full administrator rights are not needed. The circumstance that prompted the creation of this RFC is a personal desire to do some work to improve Twinkle, which has its code hosted in the MediaWiki namespace, without applying for full administrator access. The purpose of this RFC is to establish consensus for use of the Interface Administrator group, which has the necessary permissions unbundled from the sysop group.

Proposal regarding group management
Currently, only Meta bureaucrats can add or remove the interface administrator user group, which limits the management of the group to only 2 users (John and Southparkfan as of writing). It is proposed that Meta administrators and Stewards also be allowed to manage the interface admin group, so that there is a number of people able to manage the group that any requests will be attended to in a reasonable amount of time.

Support

 * 1)  As proposer. Amanda Catherine (talk) 21:21, 22 May 2020 (UTC)

Oppose

 * 1)  While I  administrators being able to add interface admins, I am opposed to the Steward proposal as I see no need for Steward intervention on a wiki that has active administrators and at least one active bureaucrat. Stewards should intervene when a community needs assistance or support and I feel like that is not the case for Meta. Reception123 (talk) ( C ) 07:30, 23 May 2020 (UTC)
 * 2)  Per Reception -EK ● 📝 ● 🌎 23:43, 23 May 2020 (UTC)

Abstain

 * 1) Not against it, but the need to acquire  rights should be rare enough that burdening/awaiting a bureaucrat would not be a big problem.  I do support having   separate from other Admin rights on the basis of demonstrated need.  Another example is maintaining the Message of the Day (sitenotice/anonnotice), which are also in the protected   namespace.   23:04 22-May-2020

Proposal 1
A user may be added to the interface administrator user group at the discretion of a bureaucrat, administrator, or steward if the requesting user meets all of the following criteria:


 * A clear and specific purpose for requesting the right has been demonstrated (i.e. the user has made clear what exactly they plan to use the permissions for and are not "hat collecting")
 * The user already holds wiki creator, rollback, CVT, or other userrights that demonstrate that they are trustworthy
 * The user has no recent history of blocks or other sanctions on Meta
 * The user confirms that they have a strong password

Support

 * 1)  As initial drafter of this RFC I support either proposal 1 or proposal 2. Amanda Catherine (talk) 22:29, 22 May 2020 (UTC)

Proposal 2
Interface administrator rights may only be granted after a successful request at Requests for permissions, where successful is defined as:


 * The request has been open for at least 5 days
 * At least 5 users have independently supported the user requesting permissions (independently meaning without canvassing or meatpuppetry)

In addition, a request for interface administrator at RFP will not be considered valid unless the user has also met all of the following criteria:


 * A clear and specific purpose for requesting the right has been demonstrated (i.e. the user has made clear what exactly they plan to use the permissions for and are not "hat collecting")
 * The user already holds wiki creator, rollback, CVT, or other userrights that demonstrate that they are trustworthy
 * The user has no recent history of blocks or other sanctions on Meta
 * The user confirms that they have a strong password

Support

 * 1)  As initial drafter of this RFC I support either proposal 1 or proposal 2. Amanda Catherine (talk) 22:29, 22 May 2020 (UTC)

Comments

 * Repeating my chronic request that we get close to voting on exact text after a drafting interval with public input. Here, if Proposal 1 failed but Proposal 2 were adopted, 2's incorporation of criteria from 1 could lead to controversy.   23:08 22-May-2020
 * I think I have now addressed this. Amanda Catherine (talk) 23:28, 22 May 2020 (UTC)

Proposal 1
Interface administrator permissions may be immediately revoked by a bureaucrat, administrator, or steward without a prior discussion if either of the following occur:


 * The user account has shown indication of being compromised
 * The user has engaged in vandalism in restricted namespaces or on restricted pages

Support

 * 1)  As proposer. Amanda Catherine (talk) 22:29, 22 May 2020 (UTC)
 * 2)   All of the above groups should defend Miraheze against vandalism and all the rules should support their doing so..   23:17 22-May-2020

Proposal 2
Interface administrator permissions may be procedurally removed if the user holding the rights has been inactive on Meta for 30 consecutive days. If the user is active globally on other wikis, an attempt to contact the user and notify them of the pending removal of rights for inactivity should be made.

Support

 * 1)  As proposer. Amanda Catherine (talk) 22:29, 22 May 2020 (UTC)
 * 2) .  At least this.  The power to   is so specific and task-based, I wouldn't mind if it lapsed automatically after 30 days of disuse (even if the user remained on Meta doing other things); without prejudice against asking for the rights again if a new need arose.   23:14 22-May-2020

Proposal 3
Any member of the Miraheze community in good standing may initiate a request for removal of interface administrator rights ("vote of no confidence") if they believe that the rights have been abused, but there is not an urgent or emergency situation necessitating their immediate removal. A user starting such a request must demonstrate clearly why they believe the rights have been abused, and preferably should support their claims by providing diffs or discussion logs. A request for removal will be successful (i.e. will result in the removal of permissions) if:


 * The request clearly demonstrates abuse of the rights
 * The request has been open for at least 5 days
 * At least 5 users independently support the removal of the rights
 * There is no evidence that the request was created in bad faith as "retaliation" for actions with which one disagreed or other reasons

Support

 * 1)  As proposer. Amanda Catherine (talk) 22:29, 22 May 2020 (UTC)