[07:58:56] <wm-bb>	 <Eugene233> Hi All, How can we get help with automatic merges for https://gerrit.wikimedia.org/r/c/labs/tools/WdTmCollab?
[07:59:41] <wm-bb>	 <jeremy_b> 404 (re @Eugene233: Hi All, How can we get help with automatic merges for https://gerrit.wikimedia.org/r/c/labs/tools/WdTmCollab?)
[08:06:06] <andre>	 and what are "automatic merges"?
[08:06:53] <wm-bb>	 <Eugene233> I mean after +2 on a patch jobs are stated automatically and merged. (re @wmtelegram_bot: <andre> and what are "automatic merges"?)
[08:07:38] <andre>	 Is there a working link?
[08:08:55] <wm-bb>	 <Eugene233> https://gerrit.wikimedia.org/r/admin/repos/labs/tools/WdTmCollab (re @wmtelegram_bot: <andre> Is there a working link?)
[08:27:15] <wm-bb>	 <jeremy_b> gated* I guess
[09:31:47] <wm-bb>	 <djhartman> Posting here as well, as about 150 bots were still using this deprecated login method last week and might break.
[09:31:48] <wm-bb>	 <djhartman> Starting next week, bots logging in using `action=login` or `action=clientlogin` will fail more often. This is because of stronger protections against suspicious logins. Bots using bot passwords (https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Bot_passwords) or using a loginless authentication method such as OAuth (https
[09:31:48] <wm-bb>	 //www.mediawiki.org/wiki/Special:MyLanguage/OAuth/ <clipped message>
[09:31:50] <wm-bb>	 <djhartman> Owner-only_consumers) are not affected. If your bot is not using one of those, you should update it; using `action=login` without a bot password was deprecated in 2016 (https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/message/3EEMN7VQX5G7WMQI5K2GP5JC2336DPTD/). (https
[09:31:50] <wm-bb>	 //lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/message/3EEMN7VQX5 <clipped message>
[09:31:51] <wm-bb>	 <djhartman> G7WMQI5K2GP5JC2336DPTD/) For most bots, this only requires changing what password the bot uses
[12:34:32] <wm-bb>	 <albertoleoncio> Wouldn't it be possible to send a specific notification directly to the developers of these bots? Ideally via email. (re @djhartman: Posting here as well, as about 150 bots were still using this deprecated login method last week and might break.
[12:34:32] <wm-bb>	 <albertoleoncio> Starting next ...)
[12:43:10] <wm-bb>	 <albertoleoncio> I really get annoyed with the way things are deprecated around here. I would try my best to minimize the impacts of actions like this, but it seems that the default attitude is always "we've given enough time, the volunteers can figure it out".
[13:39:58] <wm-bb>	 <cvictorovich> I might want to do so (re @djhartman: Posting here as well, as about 150 bots were still using this deprecated login method last week and might break.
[13:39:59] <wm-bb>	 <cvictorovich> Starting next ...)
[13:40:44] <wm-bb>	 <cvictorovich> I meant, send mass emails to operators of these robots (re @albertoleoncio: Wouldn't it be possible to send a specific notification directly to the developers of these bots? Ideally via email.)
[13:40:55] <wm-bb>	 <cvictorovich> If we know who they are
[13:49:23] <wm-bb>	 <lucaswerkmeister> if I got an email from a random person claiming I need to change my bot login code I’d probably assume it was a phishing attempt tbh (re @cvictorovich: I might want to do so)
[13:49:36] <wm-bb>	 <lucaswerkmeister> if any emails are sent they should come from the WMF
[13:51:10] <wm-bb>	 <lucaswerkmeister> the logins are logged (“api-feature-usage” dashboard in logstash, search for `feature:"main-account-login"`), but the logged user name is the one before the login finishes (i.e., the IP address the request comes from), so it’s only partially useful :S (re @cvictorovich: If we know who they are)
[13:52:05] <wm-bb>	 <cvictorovich> But mails via Wikimedia has own address (re @lucaswerkmeister: if I got an email from a random person claiming I need to change my bot login code I’d probably assume it was a phishing attempt...)
[13:52:38] <wm-bb>	 <cvictorovich> Sent via Email user feature (re @cvictorovich: But mails via Wikimedia has own address)
[15:35:20] <wm-bb>	 <djhartman> I hear this a lot, but we are in a big place with lots of things happening. It’s kinda inevitable that people need to pay attention if they want to keep being on this moving train. (re @albertoleoncio: I really get annoyed with the way things are deprecated around here. I would try my best to minimize the impacts of actions like...)
[15:37:12] <wm-bb>	 <djhartman> Not sure.
[15:37:14] <wm-bb>	 <djhartman> I think a problem could be that a significant amount of these accounts do not have a verified emailaddress either? (re @albertoleoncio: Wouldn't it be possible to send a specific notification directly to the developers of these bots? Ideally via email.)
[15:43:35] <wm-bb>	 <Ladsgroup> On top of this. I think main problem is that back then the amount of maintenance done was not comparable to the past couple of days and since things were stagnant, not much change was required of the users but a lot more is happening and it's a good thing. For example in this specific case, the reason this change is being pushed is massive improvements in account
[15:43:35] <wm-bb>	 security that ar <clipped message>
[15:43:36] <wm-bb>	 <Ladsgroup> e industry standards now. (re @djhartman: I hear this a lot, but we are in a big place with lots of things happening. It’s kinda inevitable that people need to pay attent...)
[15:46:47] <wm-bb>	 <djhartman> True a lot of the changes over the last 3 years or so were specifically because we DIDNT bother volunteers for 15+ years in these areas, and now we are so far behind that we no longer have a choice. (re @Ladsgroup: On top of this. I think main problem is that back then the amount of maintenance done was not comparable to the past couple of y...)
[17:12:52] <wm-bb>	 <MaartenDammers> Thanks for sharing. Classic bad WMF communication. I probably run 5 of these and first time I heard about this. How am I supposed to know this again? (re @djhartman: Posting here as well, as about 150 bots were still using this deprecated login method last week and might break.
[17:12:53] <wm-bb>	 <MaartenDammers> Starting next ...)
[17:15:11] <wm-bb>	 <kostajh> It was posted on wikitech-l https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/CAUMEHWPUYJJKMCDZNEUAHCI3G7T2U66/ and in tech news https://meta.wikimedia.org/wiki/Tech/News/2025/23
[17:17:12] <wm-bb>	 <jeremy_b> should also go to wikitech-ambassadors. maybe try to find libraries with lists too? pywikibot (re @kostajh: It was posted on wikitech-l https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/CAUMEHWPUYJJKMCDZN...)
[17:18:42] <wm-bb>	 <kostajh> Per the suggestion above, we could try to email individual accounts. One related issue here is that many of these bots aren’t following the user agent policy and don’t have contact information readily available https://foundation.wikimedia.org/wiki/Policy:Wikimedia_Foundation_User-Agent_Policy
[17:19:43] <wm-bb>	 <jeremy_b> that UA policy is very long standing
[17:20:21] <wm-bb>	 <jeremy_b> no custom UA and no email set on wiki?
[17:20:55] <wm-bb>	 <MaartenDammers> [citation needed] (re @kostajh: Per the suggestion above, we could try to email individual accounts. One related issue here is that many of these bots aren’t fo...)
[17:21:01] <wm-bb>	 <jeremy_b> I guess then you have also the tedious manual option of try to find where does this bot specify who runs it and then see if they have contact.
[17:22:46] <wm-bb>	 <MaartenDammers> Yesterday and Monday, that does explain why I didn’t see this before. But it already breaks next week. What’s up with the short notice? (re @kostajh: It was posted on wikitech-l https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/CAUMEHWPUYJJKMCDZN...)
[17:24:43] <wm-bb>	 <MaartenDammers> Probably just people like me who never bothered about botpasswords. I’ll see if I can switch a couple. Didn’t anyone happen to make an easy query of dashboard to see top bots that are affected? (re @jeremy_b: I guess then you have also the tedious manual option of try to find where does this bot specify who runs it and then see if they...)
[17:26:41] <wm-bb>	 <jeremy_b> see here. unclear if someone made a list. (re @lucaswerkmeister: the logins are logged (“api-feature-usage” dashboard in logstash, search for feature:"main-account-login" if you have access), b...)
[17:36:06] <wm-bb>	 <kostajh> I don’t think we could share the list publicly. If you have WMF-NDA access, the list is here https://phabricator.wikimedia.org/P76424 (re @jeremy_b: see here. unclear if someone made a list.)
[17:38:41] <wm-bb>	 <kostajh> https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikimediaEvents/+/1150025 isn’t merged yet so there’s still ~6 days to update affected bots. If there is a need to delay this further, we should discuss it on the phab task.
[17:39:19] <wm-bb>	 <MaartenDammers> We did a similar approach when we wanted everyone to switch from old Pywikibot version (re @kostajh: I don’t think we could share the list publicly. If you have WMF-NDA access, the list is here https://phabricator.wikimedia.org/P...)
[17:45:20] <wm-bb>	 <jeremy_b> could be interesting to add to that list date of last edit. if it's not active then nbd. (re @kostajh: I don’t think we could share the list publicly. If you have WMF-NDA access, the list is here https://phabricator.wikimedia.org/P...)
[17:45:50] <wm-bb>	 <MaartenDammers> I see @gtisza already put a -2 on it for now. Feels like a deja vu. We had a similar case where api folks were pushing a change on a very short timeline that would break most bots. (re @kostajh: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikimediaEvents/+/1150025 isn’t merged yet so there’s still ~6 days to upd...)
[17:45:55] <wm-bb>	 <jeremy_b> and/or date of last login
[17:48:59] <JJMC89>	 the last login was within the last 7 days (as of when the paste was created)
[17:50:19] <wm-bb>	 <MaartenDammers> Fun logging in to a bot account that has 10M+ edits. Usually you have thousands of notifications
[17:53:04] <wm-bb>	 <jeremy_b> I do see you on the list (re @MaartenDammers: Thanks for sharing. Classic bad WMF communication. I probably run 5 of these and first time I heard about this. How am I suppose...)
[18:02:28] <wm-bb>	 <lucaswerkmeister> I haven't tested it but the code looks like there should be a warning in the API response (re @MaartenDammers: Thanks for sharing. Classic bad WMF communication. I probably run 5 of these and first time I heard about this. How am I suppose...)
[18:02:40] <wm-bb>	 <lucaswerkmeister> so you should have been able to see it there, I expect
[18:09:59] <wm-bb>	 <AntiComposite> i mean bad API warning handling is also a recurring problem
[18:13:19] <wm-bb>	 <AntiComposite> I have no confidence that the old but critical bots that have been left in my lap actually emit API warnings
[18:38:02] <wm-bb>	 <AntiComposite> going with "the passwords look like BotPasswords so hopefully they don't break"
[18:44:26] <wm-bb>	 <jeremy_b> or check if you're on the list or just try to use bot password to login in browser? (re @AntiComposite: going with "the passwords look like BotPasswords so hopefully they don't break")
[18:49:30] <wm-bb>	 <AntiComposite> I don't have WMF-NDA access. I could test them but meh
[19:36:07] <JJMC89>	 AntiComposite: you should be able to see the list now
[23:24:24] <wm-bb>	 <jeremy_b> wayback machine broken for anyone else? do they have a status page? I just found FAQ site. 503 for everything, even tried `example.com` (a real website)
[23:31:43] <wm-bb>	 <nerim4n> they usually use Twitter for status updates
[23:31:49] <wm-bb>	 <jeremy_b> seems healthier now 🤷
[23:41:23] <wm-bb>	 <jeremy_b> https://github.com/iipc/awesome-web-archiving is a lot