Wikipedia talk:High-risk templates: Difference between revisions

First, this sounds like an excellent idea. And second, this page could easily be read as a vandal's guide to DOS'ing Wikipedia. Hence, I've preemptively protected all templates with over 5000 uses, and all metas with over 100 uses. Note that at least half of those were protected already, generally for precisely the reason that they were heavily in use. I do believe that any relevant changes to those templates can be discussed on the talk pages for the time being, as they should be. Radiant_>|< 00:16, 19 December 2005 (UTC)[reply]

Agreed that these should be protected. When do we start voting? — Omegatron 02:41, 19 December 2005 (UTC)[reply]

Umm. What? Why on Earth would we need to vote? Eurgh.

I'd say that this is so eminently sensible that we can consider it essentially policy already; certainly, if consensus discussion here remains in favour of such protection...

James F. (talk) 07:43, 19 December 2005 (UTC)[reply]

I agree that this is a good idea. Just need to make sure that this list gets updated periodically, since the list of templates that could be considered "high risk" will change over time. Triona 08:45, 19 December 2005 (UTC)[reply]

I strongly oppose protection. This implies that the community is not trustworthy. --Ixfd64 20:01, 19 December 2005 (UTC)[reply]

• No, it implies that the world as a whole cannot be trusted not to want to DOS us. Which has been proven by precedent. Radiant_>|< 20:44, 19 December 2005 (UTC)[reply]

Can someone unprotect Template:Album? It's edited frequently by participants of WP:ALBUMS. —Slicing (talk) 16:33, 20 December 2005 (UTC)[reply]

There needs to be some easy way of getting some of these temporarily unprotected. For instance, there is currently a big hubub about 'meta-templates' and the need to rewrite them... which in many cases can't actually be done by most users because they are protected. Maybe some process where a replacement template can be drawn up and copied in by an admin. --CBD _☎ ^✉ 17:01, 20 December 2005 (UTC)[reply]

• 1.Discuss on the talk page, 2.Ask your friendly neighborhood admin, or 3.WP:RPP. The whole point is that these templates are heavily in use and shouldn't be edited frivolously, so (1) should be best. Radiant_>|< 23:19, 21 December 2005 (UTC)[reply]

---

Which has been proven by precedent.

{{albumcover}} [1] has never been vandalized, and the template's ubiquity means any such effort would be reverted in a New York nanosecond. None of its siblings ({{dvdcover}}, {{bookcover}} &c.) are protected, and, again, none have ever been vandalized. Could you explain how this overprotection squares with Wikipedia:Assume good faith or the message inscribed in large friendly letters on Wikipedia's cover: "the free encyclopedia that anyone can edit"?

chocolateboy 00:21, 31 December 2005 (UTC)[reply]

The definition of whether a template is high-risk or not should include not only how often it's used but also its visibility. A template used on articles (like {{ref}} or {{note}}) is much more visible than one used mostly on image description pages. --cesarb 00:36, 19 December 2005 (UTC)[reply]

True, because visibility determines how quickly the touched pages will be regenerated, and thus how large/immediate the impact of an edit will be on the hardware. --bainer (talk) 21:34, 19 December 2005 (UTC)[reply]

I find this page fascinating more because it is a convenient hitlist of meta-templates which should be discontinued AND templates that should be subst'd. -- Netoholic @ 02:36, 19 December 2005 (UTC)[reply]

OH NOES!!!1! ;-)

Will you just be removing meta-templates as fast as you get to them, or is there some particular date on which everything remaining will get killed with a stick? —Kirill Lokshin 14:20, 19 December 2005 (UTC)[reply]

You obviously don't understand the purpose of templates if you're suggesting these all should be subst'd. —Locke Cole 13:02, 23 December 2005 (UTC)[reply]

I know the policy for semi-protection indicates it should only be used temporarily, but given that all of these templates are suddenly getting protected (meaning a majority of users won't be able to modify them without an admins help, which is utterly un-Wiki), I think semi-protection is a much better permanent solution than full protection. —Locke Cole 13:02, 23 December 2005 (UTC)[reply]

How about turning on semi-protection for the entire Template: namespace? :D -- Netoholic @ 09:06, 25 December 2005 (UTC)[reply]

That'd work. :P —Locke Cole 09:12, 25 December 2005 (UTC)[reply]

As unlikely as it sounds, I agree with Netoholic on this. I would support semi-protection for all templates and full protection for all meta-templates. — FREAK OF NUR_xTURE (TALK) 09:17, Dec. 25, 2005

I strongly agree with Netoholic on this. Nice idea. Matt Yeager 05:17, 30 December 2005 (UTC)[reply]

Strongly Agree with Netaholic --Redlock 17:13, 16 December 2006 (UTC)[reply]

Meta-templates don't need any kind of protection unless the templates that use them are used in a significant number of articles. More importantly, this list seems to have a lot of false positives because it counts "see also" links in the same way as inclusions. -- Beland 08:22, 25 December 2005 (UTC)[reply]

I hereby recommend protecting or at least semi-protecting template:S-bef and template:S-aft. 14'000+ articles depend on them. They make a fine vandal vector. Ligulem 12:44, 26 December 2005 (UTC)[reply]

Done.--Patrick 14:06, 26 December 2005 (UTC)[reply]

Thanks! Ligulem 21:02, 26 December 2005 (UTC)[reply]

I added them to Wikipedia:Protected page (diff). Ligulem 21:07, 26 December 2005 (UTC)[reply]

template:book reference is protected but template:wikilink (used in book reference) is not. Ligulem 10:34, 31 December 2005 (UTC)[reply]

• Done, and this message copy/pasted to WP:RPP. Radiant_>|< 22:32, 4 January 2006 (UTC)[reply]

Radiant! proposes in this edit to merge this project page with Wikipedia:Protection policy or Wikipedia:Templates. I would agree to merge this into Wikipedia:Protection policy if that long statistic were not here. Is this statistic really needed? If yes, can it be kept up to date anyway? I fear no, so it would possible be better to remove that list anyway, which would then make the merge into Wikipedia:Protection policy fit nicely. Ligulem

It's a bit useless without the statistics, though—how will we know what needs to be protected? —Kirill Lokshin 18:17, 30 December 2005 (UTC)[reply]

Using the "What links here" I propose? "What links here" lists all articles that depend directly or indirectly on a template — as I understand it. Click on 500. If there are more than 500 articles directly or indirectly depending on a template, then that would probably make that template a good candidate for a protect. Ligulem 19:14, 30 December 2005 (UTC)[reply]

But that would require using Special:Allpages over the template namespace, wouldn't it? The problem isn't in determining whether a given template is highly used, but in finding all such templates by hand. —Kirill Lokshin 19:29, 30 December 2005 (UTC)[reply]

Mmm. I have nothing against that statistic. Just thought that adding that long thing into Wikipedia:Protection policy might be a bit a misfit. You are right that finding the high-used templates is not that simple and as such this table adds value. But interestingly the lemma of that section says "This is also before {{if}} et al really took off, so they are under-represented in this count" :-). So that statistic actually already is out of date, because qif is the most used now (32'000+ articles at my last count on What Links Here). What about moving only that statistic out to a separate page and put the rest into Wikipedia:Protection policy? Ligulem 20:52, 30 December 2005 (UTC)[reply]

That would work; maybe a separate Wikipedia:List of templates by usage? —Kirill Lokshin 21:02, 30 December 2005 (UTC)[reply]

Question: where should we put requests to protect an unprotected high-use template? (See also [2]). Ligulem 10:36, 31 December 2005 (UTC)[reply]

• WP:RPP comes to mind. Radiant_>|< 11:11, 4 January 2006 (UTC)[reply]

• I have done that and it was largely ignored for days. I then got more and more explicit but nowbody took notice. Then I thought I removed that vandal invitation ("hello come here this template is a vandal vector"). I had done this after having contacted an admin by wiki-email to protect a template. He asked me to use WP:RPP in the future. Which I then did. This whole protection stuff just fits badly with the normal wiki going and people do not understand it. I have still such a template which is not protected on which I simply gave up. Ligulem 21:47, 4 January 2006 (UTC)[reply]

• Ah. I forgot it's still there :). See next thread above. Ligulem 21:49, 4 January 2006 (UTC)[reply]

• Oh for the love of Jimbo... ok, Wikilink protected. Got any others? Radiant_>|< 22:22, 4 January 2006 (UTC)[reply]

Not ATM. Thanks! Can I send you a wiki-mail next time or should I post here? Ligulem 23:26, 4 January 2006 (UTC)[reply]

When I added the proposal, I specifically left out any test or rule to determine which templates are high-risk and ought to be protected. I included the statistics to possibly illustrate which templates might be risky. If people think that a one-by-one approach is best, then this page can be merged into WP:PP, no problems. But if having lists like these might be useful, then a separate page might also be useful. This would be to define "high-risk", in the same way that there is a separate page to define "vandalism". Also, the statistics can be updated by anyone with query access, or anyone with a more recent dump on a local wiki. --bainer (talk) 08:59, 14 January 2006 (UTC)[reply]

• I extracted the section "Statistics" into a new page at Wikipedia:List of templates by usage as per the discussion above. --Ligulem 10:23, 14 January 2006 (UTC)[reply]

I think we shouldn't merge this to any other project page for now. Wikipedia:Protection policy is a policy and this project page here is now a guideline, which is a good thing. Guidelines should not be merged into a policy. Wikipedia:Templates redirecs to Wikipedia:Template messages which fits badly either to receive this here. So leave it where it is. --Ligulem 10:32, 14 January 2006 (UTC)[reply]

• I'd agree with not merging, as long as all relevant pages (WP:PPOL, WP:RPP and WP:PP) clearly state that preemptively protecting a high-risk template is generally a good idea. Radiant_>|< 21:39, 14 January 2006 (UTC)[reply]

• Full support for your as "long as" clause. --Ligulem 21:52, 14 January 2006 (UTC)[reply]

According to Brion Vibber the primary stated rationale for this guideline is inherently false... these widely used templates do not place Wikipedia in 'signifcant risk' of heavy server load or 'denial of service' attacks. As such, I'd suggest that this page should be mothballed and many of these templates unprotected. Some could still be protected due to 'visibility' concerns, but the supposed dangers to the servers apparently do not exist.

For those who dispute Brion's claims... I say let's test it. Take the top ten templates (or whatever) on the list, edit them, and then revert them right back. If the statements on this page are true that should cause a massive surge in server load which will make Wikipedia unusable for some period of time. If the lead developer is correct then nothing significant will happen. This would be along the same lines as the 'breaching experiments' with deliberate vandalism to test how quickly it would be reverted. Any potential risks could be mitigated by performing the test during a lower usage time of day (e.g. 5am EST on Sunday) and/or having a developer standing by. I've seen a few of these 'high risk' templates edited without any noticable effect, so I feel confident that Brion is correct... but let's settle the matter once and for all. Find out whether this is a serious issue or not. If there is an issue then I'm all for protecting the servers. However, if there really isn't then I'm for removing unneccessary restrictions. --CBD _☎ ^✉ 19:31, 3 February 2006 (UTC)[reply]

I don't think anyone needs to test anything. I think we should set a fairly high threshold for protection and see how it goes from there. Something on the order of 5000 usages would work for me, since that is fairly easy to check with Whatlinkshere, since that's the maximum you can see on one page. -- Netoholic @ 20:22, 3 February 2006 (UTC)[reply]

Please refrain from doing tests. We just get some more bad reputation. Last time when snow blanked good'ole {{if}} he complained that the database was locked briefly (but who said he should change it?). At least please keep the conditionals and booleans protected until we have them replaced by MediaWiki functions (and yes Neto, I know you hate them). --Ligulem 20:31, 3 February 2006 (UTC)[reply]

Hrrrmmm... if we don't test it then this is all just so much smoke and mirrors. Protect at 5,000 transclusions thresh-hold? Why not 50? Or 500,000? It is a totally arbitrary limit. If the servers can take edits to pages which are transcluded into 4,999 others then I have to think that this is pretty much a non-issue even for the few templates larger than that. As to 'if' having 'locked the database'... how long is 'briefly'? Five seconds? I could live with that. Could a brief lag not have been something else entirely? I get them all the time. People keep arguing about this issue... there are edit wars on numerous pages... nasty comments... hurt feelings... and it is all phantoms. Let's get some facts on which to make reasoned decisions. --CBD _☎ ^✉ 20:46, 3 February 2006 (UTC)[reply]

Such tests are usually not done on a live system. If you want to do that, do your tests on a test system and measure there. And we are definitely not the ones that should do such tests. If at all the devs can do that. I think the devs have bigger problems than our ridiculous AUM fight. Brion already said that we should not care about server load caused by templates. If we start testing Brions statements he will probably apply technical mesaures to stop us. --Ligulem 20:59, 3 February 2006 (UTC)[reply]

Fun mode: This reminds me of a somewhat tragic story in a local bar in my area (I hope I get this right, sorry for my bad English): An official fire inspector visited said bar and complained about the fire safety of the decoration. The bar owner said that there isn't any problem and took out his lighter to demonstrate it. The bar burned to ashes. Q.E.D. (This is a true story). --Ligulem 21:15, 3 February 2006 (UTC)[reply]

As Brion said - forget about server load concerns. He wants to own that issue, all we should do is report problems. Let's focus WP:HRT by balancing the impact of vandalism vs. the frequency that the template actually needs to be changed. Taking a look at the list on Wikipedia:List of templates by usage (which is out-of-date), the "5000" threshold seems a reasonable first cut. It represents only a couple dozen templates which don't need frequent updates. We can add and remove on a case-by-case basis after discussing. -- Netoholic @ 21:12, 3 February 2006 (UTC)[reply]

I'm shure I'm shooting myself in my book ref foot: but I agree with Neto on this. --Ligulem 21:28, 3 February 2006 (UTC)[reply]

• CBD - IIRC the "brief database lock" was related to us by a dev. At any rate, the issue isn't really server load; the main issue is that (1) if something weird happens to a template, the average editor doesn't know how to fix it; (2) if frequently-used templates are frequently changed, that's bad for consistency (and yes, this does happen); and (3) just because we haven't had a "template vandal" yet... so some kind of preemptive protection is useful. 5000 is arbitrary but sounds reasonable. >Radiant< 01:02, 4 February 2006 (UTC)[reply]
  • The 'non server load' issues you mention are reasonable concerns for some of the extremely widely transcluded templates, but note that the project page currently focuses primarily on 'server load'. Since those concerns have been downgraded (Brion says they will be handled on the developer side when/if they become significant) we should probably update the stated reasons for permanently protecting some templates. --CBD _☎ ^✉ 01:30, 4 February 2006 (UTC)[reply]

I'm not that confident that we even need this page anymore, in light of Brion's assertions. If we go with a "5000" threshold, let's just add a paragraph to the main protection policy explaining the rationale. -- Netoholic @ 01:46, 4 February 2006 (UTC)[reply]

Looks like an apparently accidental edit to this template causes the most recent outage. I've preemptively protected it as a high-risk template. --cesarb 22:44, 5 March 2006 (UTC)[reply]

More detail: if I understood the conversations on #wikipedia-tech correctly, the cause was that changing the template to remove the image caused the problem while updating the file links for the image. --cesarb 23:14, 5 March 2006 (UTC)[reply]

Are there any frequently-used templates that aren't protected? Which ones are they? --128.192.246.198 21:15, 25 April 2006 (UTC)[reply]

See WP:BEANS. Abeg92contribs 16:12, 10 February 2007 (UTC)[reply]

These guidelines basically say when and where to use this. But what exactly is a High-risk template? Is it one that is frequently vandalised? Simply south 20:57, 10 August 2006 (UTC)[reply]

None of the templates were ever 'frequently vandalized'. For a long time vandals just didn't understand templates at all and left them alone. When a few finally caught on and edited some heavily used templates to get their vandalism displayed on thousands of pages this guideline was implemented to deal with it. Thus 'high risk' templates are really just 'high use' templates and those which are displayed in prominent places (like the main page). --CBD 12:02, 20 August 2006 (UTC)[reply]

When I drafted this I purposely left the definiton unwritten, although I did gather some statistics about high-use templates (available here, although they are wildly out of date). In practice, it has come to apply mainly to high volume templates and high visibility templates, as CBD said, although protection could be applied for any stable template where the community thinks it appropriate.

On a related note, the situation with respect to the way MediaWiki deals with templates has changed since this was first proposed, so perhaps an update to reflect that would be in order. --bainer (talk) 14:07, 20 August 2006 (UTC)[reply]

While I support semi-protection of any and all templates, I would like to propose that the new warnings at Wikipedia:Template messages/User talk namespace not become permanently fully protected. I do not agree with the current full protection of {{test}}, etc., and here’s why:

1. Unlike article templates such as {{unreferenced}}, which are transcluded, user page warnings are substituted; see WP:SUB#Templates that should be substituted. Because of this, the potential for instantaneous large scale vandalism is quite low. The HRT guidelines here refer only to transcluded templates.
2. These templates are on the watch list of almost all of the active members of WikiProject User Warnings, as well as many other editors and admins. We can handle the rare non-IP vandalism.
3. There are many valuable editors such as Khukri who do not yet have the mop, but are nonetheless doing great work with these new templates. This should not be barred at some point by a preemptive full protection.

I know there has been some disagreement on this (see the protection log for Template:Test), so it would be helpful to reach consensus here before the new templates “officially” roll out. -- Satori Son 02:59, 24 January 2007 (UTC)[reply]

The trouble is people often subst: them into place quickly and move on without reading everything they left. Thus, you could end up with subtle vandalism injected into dozens or hundreds or more userpages and require individual action on each page to fix. Night Gyr (talk/Oy) 03:32, 24 January 2007 (UTC)[reply]

• I say we fully protect them. These are the very embodiment of a high risk template. --tjstrf talk 04:30, 24 January 2007 (UTC)[reply]

• I would prefer to see these templates semi-protected, it was the fact that they were fully protected in the first place that got me interested in harmonising them, when I had to hunt for an admin to do some minor mods. In the same way that we wouldn't fully protect the George Bush article I think the same should apply to the templates. I and many others as was mentioned above would still like to have access to these templates in the future, and it would be a shame after months of work to have them locked away from us. It's going to be some weeks until the majority are happy with the wording and the tweaking edits stop, and it would be certainly premature to fully protect them now. I have all the templates in my watchlist as do other editors on the project and can keep an eye on them. In some part I also feel the onus is on the issuing editor to read what he has left and report or correct any problems. We are seeing this at the moment with the minor syntax bugs that are being reported, that they are looking at what is being issued, and leaving message in the project page. BradBeattie has offered to semi protect the templates in the short term, and I would like to see this continue to the long term, whilst we keep an eye and see what level of vandalism these templates attract. Lets not block all because one or two are targetted. Khukri ^{(talk . contribs)} 09:11, 24 January 2007 (UTC)[reply]

• sprotect. ≈ jossi ≈ (talk) 18:40, 24 January 2007 (UTC)[reply]

• Sprotect at first, until we get all the bugs and typos worked out (I found one a few days ago). Eventually, after the templates stabilize and become more widely used, I think full protection makes sense. We can always use the template usage notes to point people to the correct place to suggest changes. Dave6 20:33, 31 January 2007 (UTC)[reply]

• Do something - I just told a user they'd be shot if they continued to vandalize. Not that that would be a bad thing... I requested semiprotect on uw-vandalism4, but they should all have SOME level of protection... and soon! Mdwyer 20:05, 2 February 2007 (UTC)[reply]

And that, friends, is why you write your own templates. Remember, don't rely on wikis for accuracy! – Qxz 17:47, 21 March 2007 (UTC)[reply]

The guideline seemed to be a little out of date. Practice about protecting templates has become well-established, so it seems reasonable to describe which templates are protected in practice: highly used one and highly-visible ones.

The rationale had issues with WP:BEANS. The point of the examples, I think, was that the vandalism was reverted very quickly. The exact nature of the vandalism isn't needed here and just encourages people to repeat it. The risk of a DOS attack is mostly an inconvenience. The devs could turn off the job queue if they wanted, and the site would just keep on running, with null edits needed to update pages. — Carl (CBM · talk) 13:33, 31 October 2007 (UTC)[reply]

As you can see from the first version of this page things were alot different when it was first written. Problems back then were things like meta-templates, which were starting to get really popular, and templates like {{if}}, which essentially mimicked functionality we now have via ParserFunctions. So yes, it's a good idea to update it :) --bainer (talk) 15:35, 31 October 2007 (UTC)[reply]

User:East718 has blanket protected a great number of templates, e.g. Template:Country data Frøya, that obviously do not fall within the criteria set forth in the protection guidelines. I am strongly critical of this sort of low-threshold pre-emptive protection, and it also appears to me that this is against current guidelines. __meco (talk) 17:23, 12 December 2007 (UTC)[reply]

I've just added a section I felt necessary to be added... High-risk templates and biographies of living people. Please feel free to copy edit or comment. -- FayssalF - ^{Wiki me up®} 06:24, 4 June 2008 (UTC)[reply]

Hi FassaylF, I made a minor change in a couple of spots for what I felt was better grammar and tone: you had the construction "administrators would usually change...", and I made it "administrators may change..." (emphasis here only) - it seemed to me, as this is a guideline, that "may" would be the better expression to use. Best, umrguy42 18:10, 5 June 2008 (UTC)[reply]

Thanks Umrguy42. Much appreciated. -- FayssalF - ^{Wiki me up®} 09:42, 4 July 2008 (UTC)[reply]

After reading through this page it is still not clear why high risk templates should be protected instead of semiprotected. The server load rationale is described as an "inconvenience" and there are posts on this page (#Faulty Basis?) that contract this rationale completely. The vandalism rationale should not be an issue for established users and semiprotection should take care of concerns regarding unregistered vandals. The permanent protection policy only mentions heavily transcluded templates and the section regarding the protection policy in response to vandalism specifically notes it should not be a preemptive reason for full protection. I agree that heavily transcluded templates might require a higher level of protection but other "high risk" templates should not be automatically protected unless there is an established history of vandalism. It is contradictory to existing policy and protecting pages without good reason is against wiki principals and the assume good faith guideline. In addition, it makes editing and improving protected templates burdensome and frustrating. I think this convention should be reviewed and at the very least the rationale needs to be much stronger.  ~ Paul^T+/_C 06:08, 15 December 2008 (UTC)[reply]

There have been several notable cases of autoconfirmed vandals adding penises to templates, or using CSS vandalism, and there are some templates which would be a valued prize for them, which, due to our knowledge of how they think and the damage they could do should be fully protected. Imagine a penis on 10,000 widely viewed pages and only a handful of individuals who know how to remove it. This type of vandalism has caused a lot of problems in the past, so such protection is not necessarily pre-emptive. We know there are vandals who target any template with over a certain number of transclusions, or who target the most heavily viewed pages. I agree that most templates should not exceed semi-protection, but there are quite a few which should. -- zzuuzz ^(talk) 15:26, 15 December 2008 (UTC)[reply]

What are the consequences for vandalism to a semi-protected page? Is it any more or less severe than vandalism to a semi-protected template? ~ Paul^T+/_C 07:46, 16 December 2008 (UTC)[reply]

Template vandalism usually signifies knowledge and intent, as well as block evasion and sockpuppetry in most cases, and almost always results in an immediate block. Such vandals would be treated no differently if they were vandalising articles. -- zzuuzz ^(talk) 11:13, 16 December 2008 (UTC)[reply]

Re Paul: vandalism is only one of the two reasons (but it is worse than you may think - there are a couple people who make it a hobby to find ways to vandalize templates). The other reason is the job queue. Highly used templates need to be edited differently than regular templates. Instead of a sequence of small edits, changes to a highly used template should be compressed into a single edit, to keep from inflating the job queue. A long job queue doesn't slow down the site but it does slow down other editors who have to wait longer for changes to other templates to become visible. Most editors are not familiar with these things, and they don't need to be, because the templates that are used often enough for this to be an issue are protected. — Carl (CBM · talk) 14:17, 16 December 2008 (UTC)[reply]

Re Vandalism: Shouldn't vandalism by autoconfirmed users to semiprotected pages be treated more severely than normal? Also, shouldn't template vandalism be treated more severely than article vandalism since the changes are propagated to multiple pages? And, the combination of these two, shouldn't template vandalism by autoconfirmed users to semiprotected templates be considered most egregious of all? Isn't there a more severe punishment that could be used in these cases?

Re The job queue: I appreciate that concern and I generally try to compress my changes into as few edits as possible regardless of the page I'm editing. However, full protection can actually make it harder to apply major changes to templates in one edit since the admin making the change will want to easily understand what the changes are. Often making more than one change at a time will be harder to explain and make it less likely for the changes to be made. The job queue issue really is only an inconvenience and if the issue is documented properly I don't see why it couldn't be an additional guideline (with severe penalties for misuse) instead of assuming that editors can't be trusted to make appropriate changes to highly used templates. ~ Paul^T+/_C 15:41, 16 December 2008 (UTC)[reply]

I'd like to bring this topic up again as there was never any solid response around why high risk templates are automatically fully protected rather than put under semiprotection first. There are many editors that do not have admin rights and I have not read a good argument for why we should be prevented from editing these templates. ~ Paul^T+/_C 00:43, 11 September 2009 (UTC)[reply]

Well, it's simple: Take a template like the {{ambox}}. At the time I write this it is transcluded on 720,000 articles. Since it is so widely used many editors are aware of it and constantly ask us to add features to it, change the images it uses, change the colours it uses and so on. If it were just semi-protected then it would be constantly edited by those well meaning users. But as we see from the requests and code suggestions people add to the talk page, then most of the edits would be contrary to consensus, most of those edits would bloat it with unneeded functions, and many of those edits would break it. That means the template would most of the time be more or less broken, or ugly. And that would be visible on 720,000 articles... And that's just what the well meaning editors would cause.

And that is not just assumptions based on the suggestions on the talk pages of such templates, we have seen it happen when we have had high-risk templates just semi-protected.

Also, our template vandals would edit that template, so it would every now and then display a penis-image on those 720,000 articles.

We already spend a lot of time cleaning up after well meaning edits by clumsy admins and explaining to them to first test in the /sandbox and then discuss on the talk page before they edit high-use templates.

And regarding making one change at a time and explaining the changes: Well, for testing and demonstration we use the unprotected /sandbox and /testcases of the template. For more permanent demonstration we often add /test1 and /test2 subpages to the template. And for explaining and discussing changes we use the talk page. Then when we have consensus and have tested the code we add it to the template. All those subpages and the talk page are unprotected and can be edited by any user. So the coding and testing of high-risk templates can be and often is done by non-admins. Just the deploying of the finished code is done by an admin.

But I agree that templates that are only semi-widely used should just be semi-protected. After all, we admins can't take care of everything so we need regular editors to manage most of the templates. So I for one have often just semi-protected templates, already back when other admins said templates should only be unprotected or fully protected.

--David Göthberg (talk) 10:33, 31 December 2009 (UTC)[reply]

IMHO the whole High-risk templates and biographies of living people section is superfluous, and could be substituted by a simple "If a template relates to a biography of a living person that would strengthen any arguments in favor of (preemtive) protection of said template". Or something like that. That sentence should just be added to the previous section, and does not warrant a section or even subsection of its own. Debresser (talk) 20:19, 9 September 2009 (UTC)[reply]

I agree, that section is far to large. It could be condensed down to 2-3 sentences and as you say then added to the section above it. Although there are some useful stuff at the top and bottom of that section that is not specific to BLP templates, and could be reused somewhere else.

--David Göthberg (talk) 10:40, 31 December 2009 (UTC)[reply]

Y Done - And I moved some of the links down to the "See also" section.

--David Göthberg (talk) 05:18, 13 February 2010 (UTC)[reply]

I intend to add something like this to this guideline:

Documentation and padlock

See also: Wikipedia:Template documentation

Both semi and fully protected templates should always have the {{documentation}} template. That template loads the unprotected /doc page, so that non-admins and IP-users can edit the documentation, add categories and add interwiki links.

After a template has been protected {{pp-template}} should be added to it, so it displays a padlock and gets categorised as protected. Admins usually add {{pp-template}} at the bottom of the template page itself, in the <noinclude> area. If the {{pp-template}} is missing then non-admins can add it to the bottom of the /doc page of the template, in the <includeonly> area.

Thus, the bottom of a protected template should usually look like this:

<!--Last line of your template code--><noinclude>

{{pp-template}}
{{documentation}}
<!-- Add categories and interwikis to the /doc subpage, not here! -->
</noinclude>

The above text is just documenting and explaining a long standing praxis. One of the reasons I want to add that text to this guideline is so we can link to it from Wikipedia:Protection policy#Templates, thus keeping the "Templates" section short in the policy page. See also the discussion at Wikipedia talk:Protection policy#Template protection.

--David Göthberg (talk) 11:01, 31 December 2009 (UTC)[reply]

We have now updated the {{documentation}} template so it automatically adds {{pp-template}} on protected and semi-protected templates. So I added a simpler version of the above text.

--David Göthberg (talk) 04:07, 13 February 2010 (UTC)[reply]

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

---

Resolved

Background: One of the things Wikipedians do here is have a signpost - a weekly "newsletter" which can either be "distributed" to one's user talk page, or transcluded in a userspace page to always show just the current one. The signpost is implemented using headline pages for the specific editions (such as Wikipedia:Wikipedia Signpost/2010-04-19), and its articles are the subpages (such as Wikipedia:Wikipedia Signpost/2010-04-19/News and notes). The current headline page is designated using Wikipedia:Wikipedia Signpost/Issue, and transcluded on thousands of pages using {{Signpost-subscription}}.

The problem: While {{Signpost-subscription}} and Wikipedia:Wikipedia Signpost/Issue are both fully protected, this protection doesn't extend to the signpost headline page, which is a high risk template. This makes edits like this cause lots of disruption on Wikipedia. The user doing this clearly knows what (s)he's doing; anyone else would have trouble knowing about the signpost, finding it, and using the {{#ifeq: to hide the location of the edit. This isn't the first time this happenned; however, it appears that each time the user is getting better at hiding the action. The first instance I know of was this, causing a backlog of hundreds of pages at CAT:CSD before it was reverted.

The solution: We need to protect the current signpost. I can come up with 4 ways to do it:

1. Protect (or semi-protect) each new signpost as part of the publishing process.
2. Re-instate the cascade protection of Wikipedia:Wikipedia Signpost/Protection.
3. Create some edit filter to prevent edits from new or unregistered users to any signpost (not just the current one).
4. Add a regex to MediaWiki:Titleblacklist preventing new users from editing the signposts.

How should we handle the situation? עוד מישהו Od Mishehu 08:33, 22 April 2010 (UTC)[reply]

I say Option 1 is best - isn't SOP with high-risk templates semi-protection anyways? —Jeremy ^{(v^_^v Dittobori)} 08:47, 22 April 2010 (UTC)[reply]

Whilst I am personally unsure what solution would be most effective here, I think that something does need to be done. In a similar scenario within the last 24 hours, pages with the signpost on them were put into the category for Unblock Requests which swamped it. Although most pages were quickly fixed by a revert and purge, some oddity occured in which a handful of user pages were stuck in the category despite being purged, although I eventually managed to clean that up by doing dummy edits to the affected pages. (Or by blanking and restoring them). All in all, I think some form of protection should be used to avoid disrupting some of our administrative processes. --Taelus (talk) 10:50, 22 April 2010 (UTC)[reply]

Actually I'm surprised nothing like this has happened before. The Signpost isn't like anything else on WP, I don't think the normal rules apply. Unless I am mistaken, it is not ok for just anyone to come in and start altering it. I don't see any problem with adding protection to it, since we have now seen the widespread harm, or at least big pain in the ass, that can be caused by someone monkeying around with it. Are the comment sections on their own subpages? We don't want to block the ability to leave comments. Beeblebrox (talk) 16:52, 22 April 2010 (UTC)[reply]

Nor would we want to block the ability of non-admin signpost contributors (anyone can contribute, by the way) like me to work on stuff, so definitely not full protection...there have been a couple of cases where I have fixed typos after publication had already occurred, and that's something constructive full protection would prevent for non-administrators. Ks0stm ^(T•C•G) 19:09, 22 April 2010 (UTC)[reply]

I'd support a semiprot or similar solution, but not full protection. • ɔ ∫ → 01:33, 23 April 2010 (UTC)[reply]

I edit the Signpost regularly without an account to fix errors. It is foolish to disbar competent editors from contributing in order to save your poxy (and, given the watchlist function, unnecessary) subscription service. Whatever about the merits of page protection for readers of the encyclopaedia, the insider target audience of the Signpost is well aware of and impervious to fleeting vandalistic edits – vandalised versions will be immediately recognised and reverted without any need for protection. What actually useful purpose does your proposal hope to achieve that would counter the loss of unregistered contributors? 86.41.54.80 (talk) 12:01, 23 April 2010 (UTC)[reply]

I don't think vandalism is a regular problem on Signpost articles, and definitely individual articles should be left open to editing by unregistered users, who have done more good than harm overall. There is a case for semi-protecting the headline pages, and if there was cascading semi-protection, that would make thinks a lot easier. I can semi-protect the new headline page each week when it gets created from now on.--ragesoss (talk) 14:27, 23 April 2010 (UTC)[reply]

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

As incidents like Wikipedia:Administrators'_noticeboard/Incidents#HJ_Mitchell_mass_fully_protecting_templates show, there are often disputes regarding exactly which templates qualify as "high risk", and should be fully protected even in the absence of significant prior vandalism. Much future conflict would be avoided if this guideline provided numerical thresholds for protection, depending on the namespaces in which templates appear -- > x for articles, > y for talk, etc. These wouldn't be hard limits to be imposed in all cases, but guidance in the absence of any particular reasons to treat specific templates differently. Suggestions? Peter Karlsen (talk) 04:58, 15 September 2010 (UTC)[reply]

As a possible starting point, when this guideline was created five years ago, Radiant! "protected all templates with over 5000 uses, and all metas with over 100 uses."[3] Peter Karlsen (talk) 05:15, 15 September 2010 (UTC)[reply]

For this discussion to make sense, I'd like to know how many significant incidents of actual template vandalism have happened the past. If none have happened, we're just giving the vandals ideas. We're super-careful with templates transcluded into the main page at any given time (that's why cascade protection was invented) and those are protected as part of the main page update process. What about vandalism of other templates? Does anyone know of any templates that have become protected due to a history of vandalism? I'm not saying none exist, but in the past couple days (as part of the mass-protection rollback that got us here), I've looked at a number of templates that had semi-protected and I didn't see a single instance of actual vandalism in any of them. 75.62.2.105 (talk) 05:27, 15 September 2010 (UTC)[reply]

Yes, it has happened. For instance, Template:Ed, which I believe used to appear in hundreds of thousands of pages, received vandalism like [4] -- this was one of the templates initially protected as "high risk" [5]. Template:! appears on over four million pages: do we really want to create the prospect of penis vandalism on all of them? Peter Karlsen (talk) 05:38, 15 September 2010 (UTC)[reply]

As a side-note, if a template is really "high-risk", then semi-protection isn't enough, since vandals will simply bypass it. There is, perhaps, some "intermediate-risk" category to which semi-protection may be applied to avoid casual vandalism, even though it won't stop determined malefactors. If so, numerical guidance should also be provided. What I'm unsure about is whether pending-changes level two protection can be effectively applied to templates. If so, then it might provide substantially more security than the fig-leaf of semi-protection, while avoiding the restriction of editing inherent in full protection. Peter Karlsen (talk) 05:50, 15 September 2010 (UTC)[reply]

I made the argument on ANI that it almost never makes sense to semi-protect a template, since a vandal sophisticated enough to attack templates can figure out autoconfirmation. Pending changes on templates is an interesting idea. 75.62.2.105 (talk) 06:20, 15 September 2010 (UTC)[reply]