
Application Security Review Request : Adiutor MediaWiki extension
Open, Needs Triage · Public

Description

Project Information

Description of the tool/project:
Adiutor is a MediaWiki extension to moderate, triage, and maintain content tasks on Wikipedia. Utilizing the advanced capabilities of the Codex design system, specifically developed for Wikimedia, along with the all-purpose features of Vue.js, this extension offers Wikipedia users a user-friendly and convenient interface for conducting a wide range of tasks. It implements content triage methods, prioritizing and categorizing requests or content based on urgency and importance. Its user interface simplifies complex processes, making Wikipedia maintenance more accessible and efficient for users of all skill levels.

Description of how the tool will be used at WMF:
The extension is intended to be used in projects run by the Wikimedia Foundation (Wikipedia, etc.).

Dependencies

List dependencies, or upstream projects that this project relies on.

  • MediaWiki
  • VueJS
  • Codex

Has this project been reviewed before?

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Adiutor/+/986528/1

Working test environment

https://www.mediawiki.org/wiki/Extension:Adiutor#Installation
https://adiutor.wmcloud.org/wiki/Main_Page

Post-deployment

Doğu Abaris, abaris@null.net

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

@Vikipolimer - Can we get a better idea of when this might be deployed to Wikimedia production? And is there a sponsoring team at the WMF to assist in the management of maintenance, security, etc. issues?

@sbassett - We aim to deploy this extension to Wikimedia production as soon as it is ready. I commit to assume maintenance responsibilities once deployment is complete. I will co-operate with the relevant teams at the Wikimedia Foundation to provide oversight to make sure that maintenance, security, and other issues related to sponsorship and support are managed properly. The Turkish Wikipedia community has requested this deployment, so it will be initiated as soon as the necessary permissions are obtained. It is considered a productivity improvement, and there is no strict deadline for deployment. Its non-deployment does not obstruct anyone from performing their tasks. There is currently no sponsoring team, unless Moderator Tools has the capacity to support it. Gergő Tisza is currently reviewing the code, and I am awaiting the Vue code review.

Hello @sbassett, Gergő Tisza has completed the PHP code review, would you mind starting the security review?

We'll need at least one WMF employee or team to offer basic support for the extension for when it's deployed to Wikimedia Production. They can comment on this task as an official acceptance of that responsibility.

Per our Application Security Review SOP, we schedule application security reviews at the beginning of each quarter, once all prerequisites have been satisfied. So this review will likely go into next quarter's planning queue. There is a very small chance I could get to it towards the end of this quarter, but I cannot promise that.

@sbassett we (Moderator Tools) have been talking about this internally and want to see this extension get into production. We are certainly willing to help, but we don't want to overpromise for our capacity. What does it mean to sponsor/offer basic support?

Sadly, I don't think we have a formal definition at this time, but as a co-owner/supporter, you would likely be expected to address bugs (especially security bugs) within a timely fashion. And otherwise guide and assist with the future development and maintenance of the extension.

@sbassett, @Dogu I don't think we currently have the capacity to support this. Our team composition has recently changed and we have also picked up stewardship of several projects, so we are concerned about overextending ourselves. This is something I'd be happy to revisit in the future after the dust has settled and we understand what our velocity and capacity is looking like with our current projects.

Ok, thanks for the update.

@sbassett, as mentioned in T355150#9843260, it seems the Moderator Tools team lacks the capacity to support the Adiutor due to recent team changes and new projects. However, I believe it is essential for the security review to be conducted. The security review can be completed without a dedicated team overseeing it. We can explore other methods to ensure this process is completed. I am ready to collaborate and provide the necessary support.

On an aside, can this requirement be documented at Writing an extension for deployment, preferably with an explanation of what "basic support" means? It's disrespectful of volunteer contributors' time, to put it mildly, if they only find out at the end of a long development and review process that their extension cannot be deployed for reasons they have no control over.

I would like to add them in case the Community Tech team is interested.

We're of course interested! But I'm afraid we simply don't have the bandwidth right now. For our team, this would need to go through the wishlist and get prioritized through our normal processes. More info at https://meta.wikimedia.org/wiki/Community_Tech/Phabricator_criteria

<threadjack>

On an aside, can this requirement be documented at Writing an extension for deployment, preferably with an explanation of what "basic support" means? It's disrespectful of volunteer contributors' time, to put it mildly, if they only find out at the end of a long development and review process that their extension cannot be deployed for reasons they have no control over.

Maybe the collective "we" should put some effort into making that page a bit more clear to folks that the lead sentence does not promise that the page documents all requirements for deployment of a skin or extension to the Wikimedia production cluster. The lead is currently (emphasis included) "This page documents the steps needed for a maintainer or code steward of a MediaWiki extension to get that extension through the review process before the extension is possibly being deployed to Wikimedia wikis." The key phrase there for expectation setting is "possibly being deployed". I believe this means that the documented steps are necessary, but not guaranteed to be sufficient.

There are some additional elements documented there that hint at, but do not explicitly state, current expectations:

  • Stewardship - Add the project to the Developers/Maintainers page indicating who will be responsible for its long-term stewardship and maintenance.
  • A review from the product owner for the affected area, if applicable. If you are unsure who that might be, it is likely a good idea to reach out to various engineering teams within the Product or Technology verticals for more information and guidance.

It is a bit hidden, but https://www.mediawiki.org/wiki/Security/SOP/Application_Security_Reviews also includes:

Code which has not gone through appropriate processes (Technical decision making process, the creation of a product roadmap or support plan, sponsorship by a Wikimedia Foundation team, etc.) so as to be a strong candidate for deployment upon Wikimedia production infrastructure.

This seems to be the most direct mention of a benefit of sponsorship by a Wikimedia Foundation team in either document. We can probably do a better job of surfacing this earlier.

In an ideal world we would have a clearly documented process that is actively used by all projects headed for a Wikimedia production deployment. In practice we have difficulty documenting such a process because we also have no governance system to vet and approve a checklist if one were drafted or to review and adjust the living document as practical application demands. This is at least tangentially related to MediaWiki Product, but likely also subject to consensus of a number of other teams and roles within the Foundation and larger technical community.
</threadjack>