Notes on site adminship

[Duplode]

Earlier today on the ZakStunts shoutbox, @Alain il professore and @MiDiaN raised some valid questions about site governance. That provides a good occasion to bring together key information about how the site is ran, which is spread across various corners of stunts.hu, to a single place. We're happy to answer any follow-up questions, or generally any other question about you might have about it.

Technical security

Since the technical aspects are the topic of Alain's companion thread, in this post I'll just add a few general notes about the evolution of the site.

As Alain mentioned, back in 2006 the ZakStunts server was invaded by a hacker. Nineteens years later, though, the scenario is very different from the one under which that attack happened, with two main differences. Firstly, stunts.hu is now hosted by a professional provider, which provides automated backups among other things. Secondly, Dreadnaut has, in a gradual process over the years, rewritten the ZakStunts site code, replacing fragile solutions with more robust ones, and error-prone manual admin routines with automated ones.

The ZakStunts code base is currently maintained in a repository under the 4d-stunts organisation on GitHub. Though the repository is currently private, we're open to granting access to community members who would like to follow the site development.

ZakStunts management

@zaqrack (our founder and backer), @dreadnaut and me (who handle the day-to-day affairs of the site) have full access to the code and data of stunts.hu, and of ZakStunts in particular. The three of us are the only ones with access to the critical parts of the site with respect to competition integrity, such as ZakStunts admin commands and the site database. While Dreadnaut and me have the same access on an operational level, Dreadnaut has the final word on the interpretation of and changes to the ZakStunts rules, as well as on the code that goes live on the site.

A few extra remarks on database access. Direct access to the database is occasionally needed for admin tasks, as well as for a few processes that haven't been fully automated in the site yet (the most visible example right now being the PTB updates). I also use it to collect data for research purposes (as in the balanced bonuses project). Unlike the admin tools implemented in the ZakStunts site proper, querying the database directly can potentially expose non-public information about replays. To avoid accidentally seeing data I'm not privy to as a pipsqueak, I follow a self-imposed rule of not doing database work during the quiet days. That's why, for instance, I only post the final PTB update for a race after the deadline, and not immediately after the PTB window closes at the start of the quiet days. (In theory, an urgent need -- say, the site goes down on deadline Saturday, and querying logs in the database is necessary to diagnose the problem -- could justify making an exception, though I don't remember any such situation actually happening across the years I've been involved with adminship.)

Forum management

Zak, Dreadnaut and me also have admin powers on the Forum, with the latter two being currently active as global moderators. Unrestricted access means that accidentally viewing subforums of teams we don't belong to is a real concern. To mitigate that, shortly after Zak made Dreadnaut and me Forum admins in 2018, we have created separate admin accounts, @dreadnaut+ and @Duplode+ respectively. These accounts are only used when carrying out admin or modding tasks make it necessary; otherwise, we stick to our regular accounts which have no admin permissions.

Wiki management

The users with elevated permissions on the Stunts Wiki are the three global admins mentioned above, plus @dstien and @JTK. Account creation at the Wiki is done by request solely for the sake of controlling spam. We'll create an account for anyone who wants to contribute. (If you're interested, just send me a PM.) 

[Alain il professore]

Thank you for taking the time to lay this out. It's reassuring to hear about the move to professional hosting, automated backups, and the long, careful rewrite of the site code. The admin separation on the forum (+ accounts) is also a thoughtful safeguard.

To help current and future pipsqueaks understand how things work—and to reduce the need for repeating explanations across threads—could we consolidate a few items in one place on stunts.hu? Concretely:

1) Security & privacy overview (high-level, non-sensitive)

Replay publication policy?

Storage & access?

Web protections?

Integrity?

Responsible disclosure: a security contact (e.g., security@...) and a short, friendly policy.

2) Governance & access clarity

Who has operational access to code and database (All of that is thankfully already named here), and for what kinds of tasks.

The "quiet days" norm for admins doing DB work= great practice; maybe just write it down as policy so everyone knows the existing guardrails.

A lightweight changelog for rules and code that affect competition integrity (even a forum thread like this one works).

3) Community collaboration

The GitHub repo is private for good reasons; still, a read-only window for interested community members—under an informal contributor agreement—could help with feedback and continuity.

This makes me thing about one thing, on another topic: I don't have credentials for stunts wiki, because I never asked for them. I don't believe in a centralized and locked down information source. There will never be edition battles on a three people biased wiki. I advocate for multiple sources of information for stunts citizens seeking by themselves truth and neutrality about what happened in the past.

If you'd like, a small group can help draft the Security & Privacy page, and sanity-check the wording so it's clear without exposing internals.

None of this needs to be heavy. A concise page and a pinned forum topic would already reduce uncertainty, make moderation easier, and set a reference for future seasons.

Thanks again to Zak, Dreadnaut and you for keeping the lights on all these years. I'll always admire this fine work, and don't forget you can count on me with the will to fight until my last breath for its preservation if needed. Until then, happy to contribute if useful.

[Duplode]

To help current and future pipsqueaks understand how things work—and to reduce the need for repeating explanations across threads—could we consolidate a few items in one place on stunts.hu?

It would sure make a lot of sense to consolidate the key information somewhere easy to find -- perhaps a revamped "About" page at ZakStunts. On the Forum side, pinning this thread here, on the "meta" subforum, could be a good start.

This makes me thing about one thing, on another topic: I don't have credentials for stunts wiki, because I never asked for them. I don't believe in a centralized and locked down information source. There will never be edition battles on a three people biased wiki. I advocate for multiple sources of information for stunts citizens seeking by themselves truth and neutrality about what happened in the past.

The only reason why account creation is restricted on the Wiki is that at one point in the 2010s we were overwhelmed by spammers (look at the block log and weep). We'll create an account for anyone who's interested in contributing; there's zero partisanship about it.

(By the way, I'll add a section about the Wiki to the opening post.)

[MiDiaN]

Thanks for the well-formulated answer. I might have watched too many Karl Jobst youtube videos about cheating in gaming so I start to see it everywhere But one thing that would ease my mind even if this community is very tight and friendly, is to have some sorts of admin functions to see logs of actions. For example replay data handling (removing, timestamp of who downloaded it etc.) and forum browsing history. Maybe there is already idk.