This page is archive 108 of Scratch Wiki talk:Community Portal.


2.0 Image Updating

A lot of images here need updating to 3.0. For example, the editor in the TOC, many Scratch Cats, etc. When will this be done?
Scramaso (talk | contribs) 10:33, 2 February 2020 (UTC)

I've asked an admin to update the TOC image. Not sure about the other ones.
Ravenclaw900 (talk | contribs) 16:21, 2 February 2020 (UTC)
There's not a set time when this will be done. It will be done gradually. Any time you see an image that needs updated, feel free to update it (but be sure to compress, crop, etc. the file).
EIephant Lover logo.png EIephant_Lover  Talk  Contributions  Subpages 
01:49, 9 February 2020 (UTC)

Scratch program image

Yes Done
The image showing the scratch program should be 3.0, not 2.0, right?
Mohie (talk | contribs)

Not necessarily, we use the 2.0 version for historical references. So, we should have two images for this. One for 3.0, and one for 2.0.
Also, could you link to what you're talking about, please? It would be so much easier for someone to know what you were talking about easily.
-unsigned comment by 12944qwerty (talk | contribs)
He meant the picture of the Scratch program shown in Scratch Wiki:Table of Contents needs to be updated to 3.0. Could an admin do this?
TenType (talk | contribs) 23:25, 11 November 2019 (UTC)
Okay... So is there going to be another section for 3.0, or is 2.0 going to be merged with 3.0?
And also, TenType is correct. I do mean the SW TOC.

Mohie (talk | contribs) 16:06, 12 November 2019 (UTC)

The picture has been updated months ago by kenny2scratch and is now Yes Done
TenType (talk | contribs) 20:52, 3 September 2020 (UTC)

Suggestion: Add a "sandbox" option in the user pull-down on the header

Yes Done

My suggestion is above — that's pretty much it. When you click on your username, you would see your username, "Talk," "Preferences," "Watchlist," "Contributions," "Log out," and "Sandbox" thrown somewhere in there. "Sandbox" would direct you to your personal sandbox, not the public sandbox. If the user hasn't created their sandbox, it would direct them to the page to create it.
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 16:59, 16 May 2020 (UTC)

Sounds like a cool feature. +1!
Dilek's Wiki Signature Picture.pngDilek10-Talk-Contribs-Profile Page 17:35, 16 May 2020 (UTC)
I think it's a good idea, but I think we can create a disambiguation page rather than direct to the personal sandbox. However, +1!
Ahmetlii (talk | contribs) 18:14, 16 May 2020 (UTC)
Wikipedia has this, but this is actually harder to implement than you might think - the skin does not hardcode the user dropdown links, they are generated by MediaWiki itself. Adding the sandbox link would require a hook somewhere in LocalSettings.php and that might mess up some rhythms. There could be a link in the For Editors box, though! Special:MyPage/Sandbox is a handy link. What say y'all?
Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
18:35, 16 May 2020 (UTC)
Ah, I see. I think that's a good alternative then! :)
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 18:48, 16 May 2020 (UTC)
Good idea!
TenType (talk | contribs) 18:51, 16 May 2020 (UTC)

──────────────────────────────────────────────────────────────────────────────────────────────────── +1!:)
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
19:07, 16 May 2020 (UTC)

Ken, any update on this? :)
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 00:30, 4 July 2020 (UTC)
It's been 3 months without an update, so I created my script to add a Sandbox option, but it only works for the Vector skin.
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
09:55, 4 August 2020 (UTC)
Yes Added to sidebar
Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
15:48, 29 August 2020 (UTC)

Even more featured images!

Yes Done

If you have suggestions, please reply here. (I really wish we had a dedicated page for this...)
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 19:12, 29 July 2020 (UTC)

I think that keeping it in here is better because more people come here more often than not. Keeping it elsewhere might not lead many people to suggest images.
12944qwerty Logo.png 12944qwerty  Talk  Contribs  Scratch  20:54, 29 July 2020 (UTC)
What about the dedicated subpage for logging server faults? It already has a link on the main CP, so we can just do a similar thing for more featured images.
VFDan.png VFDan  Talk  Contribs  On Scratch  00:48, 30 July 2020 (UTC)
Yes, but once a server fault appears, people have motivation to log it so that it doesn't happen again.. In this case, people have to find an image, then go the CP, then to the link (unless bookmarked). Although I do see your point, I believe keeping it in the CP would have a lot more attention.
12944qwerty Logo.png 12944qwerty  Talk  Contribs  Scratch  15:06, 30 July 2020 (UTC)
I think that if we do make a dedicated page, it could go in the "For Editors" bar next to "WW Suggestions."
Groko13 (talk | contribs) 15:43, 30 July 2020 (UTC)

──────────────────────────────────────────────────────────────────────────────────────────────────── Here's a suggestion!
Groko13 (talk | contribs) 17:49, 30 July 2020 (UTC)

How about this one? File:Save Picture.png :) It might be interesting to people that that used to be a feature.
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 20:50, 30 July 2020 (UTC)
Yes Updated — I featured the two images that were suggested as well as File:When Shaken.png. :)
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 01:51, 29 August 2020 (UTC)

Raspberry Pi Extensions

According to this, there are 3 Scratch Extensions that are only available on the Raspberry Pi offline version of Scratch. They are a GPIO extension, a Sense HAT extension and a Simple Electronics extension. Would they be notable enough to have Wiki Articles about them?
Jammum Icon.png Jammum (💬 Talk - ✍️ Contributions - 🐱 Scratch) 10:47, 2 August 2020 (UTC)

Wouldn't that be a violation of S:NOSP?
Garnetluvcookie (talk | contribs) 14:52, 2 August 2020 (UTC)
If I know right, Scratch Wiki isn't accepting user-generated extensions anymore except the old ones. Also, I'm not sure about notability.
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
15:26, 2 August 2020 (UTC)(edited)
@Garnetluvcookie — it says in the article that Jammum linked "... Scratch 3 was released in January this year, and since then we and the Scratch team have put lots of work into creating an offline version for Raspberry Pi." If the Scratch Team was working on it too, I think that it is not a violation of S:NOSP.
@ahmetlii — Please correct me if I'm wrong, but I think that's for user-generated Scratch extensions (e.g. Insanity). We still have articles about things like the Pen Extension and Video Sensing Extension.
@Jammum — I'm not sure whether they are notable enough either. :)
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 16:31, 2 August 2020 (UTC)
I would say that anything in official Scratch releases is beyond question of notability, even if only available on some platforms, it is not user-generated content. -unsigned comment by Naleksuh (talk | contribs)

──────────────────────────────────────────────────────────────────────────────────────────────────── Changed "the extensions" to "user-generated extensions". Sorry for confusion. :)
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
10:40, 3 August 2020 (UTC)

RPi extensions must be documented, because they were worked on by the ST themselves. Naleksuh and Bigpuppy are correct here. Please go ahead and make those articles. My only RPi uses Raspbian Lite with no desktop, so I can't look at the extensions myself, unfortunately - if anyone has the full Raspbian on an RPi, I'd love to see some info on the extensions!
Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
13:16, 3 August 2020 (UTC)
"Naleksuh and Bigpuppy are correct here." Me and bigpuppy said opposite things though. I assume that you mean it is notable, while bigpuppy had said that it wasn't. In any case, I myself do have a Raspberry Pi and under the grounds that they are notable will be creating these articles :) -unsigned comment by Naleksuh (talk | contribs)
I said that I wasn't sure whether it was notable. ;)
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 16:45, 7 August 2020 (UTC)

I'm disappearing

Hi, all. It's nearing the end of the summer, and I have to start facing realities. (Note: this is very much a ramble and I get to why I'm saying all this more towards the end, but what I say before is probably useful context.)


I'm starting Secondary 6 this school year, which is roughly equivalent to American 12th grade. (For those who didn't know, yes, I'm not even in college yet.)

The way our elective system works, at the start of S4 we choose three total subjects, and then study those three subjects + four more core subjects — for three years. The system here is much unlike the American one: we go in depth instead of in breadth. At the end of those three years, usually around March of the S6 year, we take the DSE exams, which are the government-run college entrance exams. These exams play a much more major part in college selection than, say, the SAT or ACT do in the US - and besides, I've already taken the SAT.

Three years of material for any subject is a lot. Three years of material for the elective subjects I take - physics, chemistry, and ICT - is a lot a lot. Then add on three years of material for the core subjects - Chinese, English, math, and Liberal Studies - and subtract Chinese, because I have an exemption for that, and you get metric tons of material. So much material, in fact, that it never actually fits into the three years - it's standard practice to have summer lessons between S5 and S6, lessons which have now come and gone for me.

Throughout S4 and S5, I've managed to more or less do actually pretty okay while getting away with doing the minimum amount of work necessary to achieve it. However, since I want to go to MIT like a good Scratcher, "pretty okay" doesn't cut it. I need to be best of the best. At this point, my academic results are fixed for the purposes of US college admissions, so I'm going to need to work extra hard on my applications if I want to go anywhere ideal in the US.

Simultaneously, S6 is not a year where anyone can "get away with" anything. By not doing much work in S4 and S5, I've succeeded in getting nice results while basically learning squat. Even though at its heart the DSE is an exam, it is not the kind of exam you can cram for (I'm looking at you, Japan and Korea). That means I need to put all the work I neglected in S4 and S5 into S6 instead.

Combine that with the fact that S6 is the most stressful year anyway. The teachers are going to be trying their utmost to rush through the rest of the curriculum, if any, as quick as possible, because past the turn of the year, it's no longer teaching and instead all exam practice. We don't even have the normal exam at the end of the first term (= semester) that all the previous grades do - instead, we have fully-fledged mock DSEs. (These happen in January, so it makes sense considering the DSEs are in March.) There are quizzes and tests every week or two.

(There are school guidelines for max amounts of homework that can be given to each grade. S3s get at most an hour per day, S4s 1.5h, S5s 2h. Ominously, we don't have any such guidelines - unless I'm misinterpreting, my grade has an unsurvivable surge of homework coming this year.)

And finally add to that the stresses that the pandemic has caused. S5 was the year that we were supposed to get through the majority of the curriculum; however, we started online classes at the start of February and if my principal isn't pulling a number out of her rear when she says they have had 70% effectiveness, that's 30% of the curriculum we'll have to get through in S6 instead.

More curriculum to get through in S6 means more time spent on teaching, and less time spent on practicing for the DSE. Morally that's probably a win, but in terms of what that'll do to our DSE performance it's a travesty. Realistically it'll mean more intense practicing during the time we do have, meaning more work and more studying necessary on my part.

What's the deal?

Okay, why am I telling you all this? Well, think about something. If I was doing the minimum amount of work necessary in S5, S4, and actually also S3, what did I do with all the effort I managed to save? Where did I use it?

Well, it was on the Wiki. The first server transfer happened around the end of my S3 year, and the second happened around the start of S4. I was the most active user for a long time, and until now I am still fairly present, even if I'm more passive than active nowadays.

However, I was only able to do that because I was skimping (though not skipping) school, something I can't afford to do for the year that decides basically all of my future. I could have gone to any school, come from any background, but as long as it's the DSEs I'm facing then it all comes down to this year.

I read somewhere once that in the Arctic people just have 30-hour sleep cycles during the times of year where the sun is permanently up or down. That sounds perfect for me, but I live in the tropics, where people very much have 24-hour cycles. What that means is I don't have enough hours in the day for what is essentially two streams of work. I don't consider the Wiki work, but stress-wise it's about equivalent.

What this means

I'm going to start trying to aggressively organize my day. Certain things at certain times, planned out ahead of time. While it sounds boring, I'm pretty sure if I don't then I'm going to drown. I can't plan everything just yet, because I don't know what this year is going to be like, but I can predict with relative accuracy that I'm not going to be able to find a place for the Wiki.

With that in mind, I will be drastically reducing my presence here. For now, I think I'll still check in on weekends, but that may change once I figure out how much work exactly we're going to be getting. However, what's certain is that weekdays are going to be completely Wiki-less for me, effective this coming Monday, when school starts. If you have anything you have to get my attention for, you'd better do so now (though not on this topic).


As the Terminator said, "I'll be back." This isn't the end of my Wiki life. I just need to step back for this, the most important of years. I'll miss it dearly, and I'll be glad to return once the DSEs are over.

If weekends turn out to be viable, I'll see you then; if not, April 2021 is the earliest you'll hear hide or hair from me.

Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
15:12, 28 August 2020 (UTC)

We'll all miss you dearly. I'd like to thank you for all the work you've put into this Community over the many years; we truly wouldn't be where we are now without you. Thank you!
border=3px Drunken Sailor [ Talk | Contribs | More... ] 15:31, 28 August 2020 (UTC)
I just realized I singlehandedly pushed the CP over the archive threshold...
Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
15:32, 28 August 2020 (UTC)
Does that mean we need another bureaucrat, whether a new one or an existing one becoming active again? (and I got caught in an edit conflict)?
Jammum Icon.png Jammum (💬 Talk - ✍️ Contributions - 🐱 Scratch) 15:35, 28 August 2020 (UTC)
I will miss you. You've always been there to answer my many questions, and I hope to see you again. Like Drunken Sailor said, we wouldn't be where we are today if we hadn't had you—from the server transfers, to TemplatesFTW, to day-to-day edits, patrolling, and account request processing. Good luck in your studies, and I'll see you later. ;)
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 16:48, 28 August 2020 (UTC)
Thank you for what you've done on the wiki, especially for helping us EWs and admins out. Good luck, and I hope you'll be able to come back soon. :)
(edit conflict with the topic below)
TenType (talk | contribs) 17:02, 28 August 2020 (UTC)
Thanks for being the most active user with the most contributions in the wiki ever since the Scratch Programming Wiki was founded! Thanks also for your help to me, patrols and other things that I cannot count... I'm grateful for all your edits. :)
And also, on the other hand, we may need a bureaucrat and a new bot (because TemplatesFTW's future is unknown), although @apple502j is helping with administration and code reviews. I guess one of the bureaucrats may promote him.
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
19:20, 28 August 2020 (UTC)
TemplatesFTW will probably be run by jvvg, but we're not thinking about promoting anyone. Also, I've only been here 3 years, dude - the Scratch Programming Wiki was in 2008. My contributions pale in comparison to some other admins.
Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
01:51, 29 August 2020 (UTC)
Although nobody will be promoted, Jvvg has only one edit on Special:ActiveUsers, and I mentioned in an earlier post in this discussion that another bureaucrat needs to increase activity involving the Wiki.
Jammum Icon.png Jammum (💬 Talk - ✍️ Contributions - 🐱 Scratch) 07:31, 29 August 2020 (UTC)
Thanks so much for everything that you've contributed to the Wiki! Good luck in your studies, and hopefully we'll see you soon.
Groko13 Logo.png Groko13 / talk / contribs 03:53, 29 August 2020 (UTC)
There is no need for another bureaucrat to increase activity. Nobody is obligated to be here. I'm not being replaced - I'm just up and leaving for a while.
We've basically settled on bigpuppy as an overall Organizer of Things (not actual title) - he stays active and just... handles things. Jvvg can then only come in if bigpuppy escalates. He was already doing this, but the difference is that he is now only able to escalate to jvvg, and not me, unless it's something only I can do, in which case it's permissible to ping me.
Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
11:31, 29 August 2020 (UTC)
Hey, good luck with your studies! See you later...
Dominic305.png Dominic305  Talk  Contribs (1,730)  Scratch  Directory 
14:47, 30 August 2020 (UTC)
Good luck with your studies. :)
R4356th (talk | contribs) 15:34, 30 August 2020 (UTC)

──────────────────────────────────────────────────────────────────────────────────────────────────── It's now past midnight, and we're officially in Monday, my time. It's time for me to sign out of the Wiki.

Again - if it turns out our workload allows for it, I will be back on weekends. If not... see you in April.

I love y'all. Farewell, even if only for now.
Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
16:12, 30 August 2020 (UTC)

Bye :(
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 16:14, 30 August 2020 (UTC)
Goodbye... And, it's time for school for a lot of users (including me), even studies will be taught by remote education.
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
16:26, 30 August 2020 (UTC)
Ken - I wish you all the best in the days ahead. :) @Jammum We'll re-assess activity levels among the administration as necessary and make a decision whether fresh blood is necessary. Thank you for your input.
Makethebrainhappy (talk | contribs) 17:42, 30 August 2020 (UTC)
Dang, gotta love the last year of high school. I wish you luck in your studies, and I look forward to seeing you again! Please feel free to stop by and say hi once in a while. :)
DownsGameClub (talk | contribs) 19:56, 31 August 2020 (UTC)
Message from Ken: the exams are in April and May, so he returns in June
Logo of Apple502j.jpg Apple502j Talk/Activities 2,205edit 10:06, 1 September 2020 (UTC)

──────────────────────────────────────────────────────────────────────────────────────────────────── Alright, it's the weekend now (I've just come home from taking the IELTS). For now, it looks like weekends are a viable option. I'll still be much less ever-present, but I'll be checking in on weekends until they too get stressful.
Kenny2scratch logo.jpg kenny2scratch  Talk  Contribs  Directory 
09:45, 5 September 2020 (UTC)

Report about Login Bypass Vulnerability

TL;DR: A bug made it possible for someone to hack your Scratch Wiki account. However, no account was hacked (as far as we know), and it was fixed.

We identified a vulnerability in ScratchLogin, an extension for MediaWiki that was secretly installed this month. We didn't announce this feature because it is intended to be used by people who cannot access their account using a password - usually ones who have email problems. MediaWiki is, as you may know, the software that is used to power this Wiki.

ScratchLogin allows users to log into accounts and reset passwords, using comment verification (which you probably did once, when making your account). However, due to some bugs, any user could log into your account or reset its password.

The detail of the bug: MediaWiki converts underscores to spaces (for example, Scratch_Wiki_talk:Community_Portal becomes Scratch Wiki talk:Community Portal). Let's say the attacker is trying to hack a Wiki account named "example". The attacker can create an account on Scratch named "example_", "_example" or "exa__mple", and comment on the verification project. MediaWiki first converts underscores to spaces, so it becomes "example ", " example" or "exa  mple". However, MediaWiki does not allow spaces at the start/end of the username, and it also doesn't allow repeating spaces. MediaWiki automatically strips such letters, so the username becomes "example" (or for the repeating underscores, "exa mple", with one space instead of two), allowing the attacker to log into an account named "example".

This kind of bug is technically called authentication bypass by alternate name. The bug itself is fixed in the latest version of ScratchLogin, by disallowing login using usernames with bad underscores.

However, as far as we know, no account was hacked or had their password changed by this. We will check logs to confirm this soon.

This bug was discovered by a genius researcher shpdg, and was patched by jvvg and kenny2scratch. For technical details, see the advisory on GitHub.

Please reply if you have any concerns or questions about this. Please do not tell a lie, we can always check the logs.

Logo of Apple502j.jpg Apple502j Talk/Activities 2,205edit 17:00, 28 August 2020 (UTC)
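The mismatch described in the report above, as an added example that is not part of the original post and is not ScratchLogin's own code: it models only the canonicalization steps the report lists, contrasts a lookup that trusts the canonical form with one that rejects "bad underscores", and adds a log-review helper. All function names, the account set and the log entries are hypothetical and constructed for illustration.

```javascript
"use strict";

// Model of the canonicalization steps the report describes: underscores become
// spaces, runs of spaces collapse to one, leading/trailing spaces are stripped.
function canonicalizeWikiName(name) {
  return name.replace(/_/g, " ").replace(/ {2,}/g, " ").trim();
}

// "Bad underscores": any underscore that canonicalization would silently drop,
// i.e. one at the start, one at the end, or two in a row.
function hasBadUnderscores(scratchName) {
  return /^_|_$|__/.test(scratchName);
}

// True only when the external name and its canonical form map one-to-one.
function roundTrips(scratchName) {
  return canonicalizeWikiName(scratchName).replace(/ /g, "_") === scratchName;
}

// Pre-fix model: the verified Scratch name is canonicalized and the result is
// trusted as the Wiki identity, so several Scratch names reach one account.
function resolveAccountUnsafe(verifiedScratchName, wikiAccounts) {
  const canonical = canonicalizeWikiName(verifiedScratchName);
  return wikiAccounts.has(canonical) ? canonical : null;
}

// Post-fix model: refuse names with bad underscores, then require an exact
// round trip so no other lossy transformation can create a second alias.
function resolveAccountSafe(verifiedScratchName, wikiAccounts) {
  if (typeof verifiedScratchName !== "string" || verifiedScratchName === "") {
    return null;
  }
  if (hasBadUnderscores(verifiedScratchName)) return null;
  if (!roundTrips(verifiedScratchName)) return null;
  const canonical = canonicalizeWikiName(verifiedScratchName);
  return wikiAccounts.has(canonical) ? canonical : null;
}

// Log review: return past logins where the verified Scratch name was only an
// alias of the Wiki account, which is the pattern worth investigating.
function auditLoginLog(entries) {
  return entries.filter(
    (e) => hasBadUnderscores(e.scratchUser) || !roundTrips(e.scratchUser)
  );
}

// Constructed sample data (not taken from any real log).
const SAMPLE_ACCOUNTS = new Set(["example", "exa mple"]);
const SAMPLE_LOG = [
  { scratchUser: "example", wikiAccount: "example" },
  { scratchUser: "example_", wikiAccount: "example" },
  { scratchUser: "exa_mple", wikiAccount: "exa mple" },
  { scratchUser: "exa__mple", wikiAccount: "exa mple" },
];

for (const name of ["example", "example_", "_example", "exa__mple", "exa_mple"]) {
  console.log(
    JSON.stringify(name),
    "unsafe ->", resolveAccountUnsafe(name, SAMPLE_ACCOUNTS),
    "| safe ->", resolveAccountSafe(name, SAMPLE_ACCOUNTS)
  );
}
console.log("flagged:", auditLoginLog(SAMPLE_LOG).map((e) => e.scratchUser));
```

The general rule the round-trip check enforces: an identity asserted by one system may only be mapped to an account in another when the mapping is lossless in both directions.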

I checked existing logs and confirmed nobody was hacked after August 21st. We can neither confirm nor deny that you were hacked before this date. However, the possibility of an attacker targeting this Wiki and hacking it is pretty low.
If you think your account is hacked, you can reset your password at Special:PasswordReset. You don't need to (and should not) report here.
Logo of Apple502j.jpg Apple502j Talk/Activities 2,205edit 17:26, 28 August 2020 (UTC)
Vulnerability details published at https://nvd.nist.gov/vuln/detail/CVE-2020-15164 - the CVSSv3.1 score, used to score vulnerabilities, is 10 out of 10, the highest.
Logo of Apple502j.jpg Apple502j Talk/Activities 2,205edit 17:58, 28 August 2020 (UTC)
I'm so happy to hear it's solved. I'm assuming that accounts weren't hacked by anyone.
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
18:42, 28 August 2020 (UTC)
What is the purpose of scratch login? It may be more of an issue than it is really worth.
Acebsa (talk | contribs) 19:14, 28 August 2020 (UTC)
Scratch login needs to be opt-in. I have no words for the idea that this comment api or whatever can allow anyone to log into any account. Even if this vulnerability is fixed, it is still an inherently flawed idea to enable this for every account without the owner's permission.
Naleksuh.jpg Naleksuh (talk | contribs) 19:27, 28 August 2020 (UTC)
ScratchLogin allows users to log into accounts and reset passwords, using comment verification (which you probably did once, when making your account).

– apple502j

Also, it's handy for some users who entered wrong email.
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
19:32, 28 August 2020 (UTC)

──────────────────────────────────────────────────────────────────────────────────────────────────── I'm pretty sure that idea is rejected, Naleksuh - we trust that users keep their Scratch credentials safe and secure - you need to have access to a Scratch account named exactly the same as your Wiki account (which you need to have). In case the Scratch account gets compromised, the ST should take care of it, and again, we are not responsible for others using a weak password or leaking it. If it's opt-in, they would probably forget about the feature and get locked out like before.

Yeah, it's good this got fixed. Also my second or third time reporting vulnerabilities - learning something is more fun when you're working on a real case.
Logo of Apple502j.jpg Apple502j Talk/Activities 2,205edit 19:42, 28 August 2020 (UTC)

Vulnerability Disclosure Timeline (time in JST):
0:54am shpdg sent private messages to the administrators
1:04am patched
1:32am vulnerability disclosed
2:45am CVE published
Logo of Apple502j.jpg Apple502j Talk/Activities 2,205edit 06:09, 29 August 2020 (UTC)
Great Job everyone! I believe that we've answered all questions regarding this security patch. Yes Done
Makethebrainhappy (talk | contribs) 17:47, 30 August 2020 (UTC)

Allow templates to be searched

It does what it says on the tin. Often I'm trying to find a template but I don't know the exact name or capitalization of it.
VFDan.png VFDan  Talk  Contribs  On Scratch  21:06, 4 September 2020 (UTC)

Can't you just go to Category:Templates?
border=3px Drunken Sailor [ Talk | Contribs | More... ] 21:22, 4 September 2020 (UTC)
Alright, apparently searching Template:whatever allows me to find close matches. Yes No change necessary
VFDan.png VFDan  Talk  Contribs  On Scratch  21:25, 5 September 2020 (UTC)

Does this article need an update?

Yes Done

As I have mentioned on its talk page, the Disappearing Text Bug is still existent in Scratch 3.0 as mentioned on this forum topic. Does this article need an update or not?
4096bits 60x60.gif 4096bits | Talk | 192 Contribs | Profile 23:23, 11 September 2020 (UTC)

Most likely. If you'd like, you can update it.
Garnet.gif garnetluvcookie  talk  contribs  directory  00:39, 12 September 2020 (UTC)
Alrighty, I've removed the obsolete template and updated the information.
4096bits 60x60.gif 4096bits | Talk | 192 Contribs | Profile 14:02, 12 September 2020 (UTC)


Welcome to the Scratch Wiki! Although, I do not think discussions just saying just 'hi' belong here.
Jammum Icon.png Jammum (💬 Talk - ✍️ Contributions - 🐱 Scratch) 06:43, 13 September 2020 (UTC)
(Jammum) - Why couldn't it? This is the Community Portal is it not?
12944qwerty Logo.png 12944qwerty  Talk  Contribs  Scratch  19:57, 17 September 2020 (UTC)

Downgrade to CC BY SA 3.0

This may seem like a drastic change, but please, read the full OP before replying.

I suggest that the Wiki downgrades to 3.0. Why? There's a suggestion (that has a good chance of getting accepted) on Scratch suggesting to upgrade to 3.0, the version that Wikipedia is under. Since Scratch is under 2.0, it is illegal to use content from Wikipedia, and most importantly, the Scratch Wiki!

Although there is the chance of more loopholes (I don't know since I'm not a copyright lawyer), it will make sure that there's no copyright infringement from using content from Wikipedia here and on Scratch and content from the Scratch Wiki on Scratch.
Garnet.gif garnetluvcookie  talk  contribs  directory  13:29, 14 September 2020 (UTC)

That's wrong, you can use a CC-BY license under all CC-BY licenses. That's why we can change the license and that's why we won't change the license. Sorry.
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
13:43, 14 September 2020 (UTC)
I don't think it is legally possible to downgrade license versions. Ahmetlii is correct - CC BY-SA 2.0 allows contents to be used in contents under newer versions: "You may distribute, publicly display, publicly perform, or publicly digitally perform a Derivative Work only under the terms of this License, a later version of this License with the same License Elements as this License, or a Creative Commons iCommons license that contains the same License Elements as this License (e.g. Attribution-ShareAlike 2.0 Japan)."
Logo of Apple502j.jpg Apple502j Talk/Activities 2,205edit 18:03, 14 September 2020 (UTC)

New User Recommendations

Hi folks! I like to plug this program every so often because I find it quite nifty: Scratch_Wiki:New_User_Recommendations. You can suggest users who would make great future Wikians and we invite them to apply! It's that simple - help grow our community and have more fun with your friends editing the Wiki. I look forward to reading your recommendations!
Makethebrainhappy (talk | contribs) 23:25, 14 September 2020 (UTC)

Report about Cross-site Scripting Vulnerability

TL;DR: A bug made it possible for someone to use your Scratch Wiki account. However, no account was hacked (as far as we know), and it was fixed.

On September 15th (today) I, apple502j, discovered a Stored Cross-site Scripting vulnerability in the ScratchSig extension for MediaWiki. MediaWiki is, as you may know, the software that is used to power this Wiki. Cross-site Scripting is a name for the bug which allows attackers to inject JavaScript that gets executed in visitors' browsers. "Stored" means the content that triggers script execution is stored inside the database.

MediaWiki, by default, makes it so that script tags are converted and don't execute as a script. However, when handling inputs inside ScratchSig, the conversion was not applied, which allows Cross-site Scripting by this simple MediaWiki code:


This executes alert(1) in the browser, if someone visited the page containing the code. But the story doesn't end there - this is more dangerous than it sounds!

MediaWiki has some features that allow the scripts to do some actions. This includes editing pages, reading pages (including deleted ones), deleting pages, etc. This is mostly used for Common.js and other scripts, to enhance the Wiki. This is a proof-of-concept code that I used, which triggered on jvvg's account:

// Appends a line to the sandbox page using the viewing user's own session and CSRF token
(new mw.Api()).postWithToken("csrf", {
  action: "edit",
  title: "Scratch Wiki:Sandbox",
  format: "json",
  appendtext: "\nhello world"
});

I calculated the CVSS score to 8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N.

The vulnerability was reported to jvvg, who first responded with this:

since it only allows injecting HTML (and not, say, database queries), I'm going to bundle that with the upgrade rather than doing it immediately

After "hacking" his account, he changed his mind. The patch was given by Naleksuh. The advisory was published at GitHub, just like the previous vulnerability.

We expect nobody (except jvvg) was hacked using this vulnerability. However, because this existed for years, we are unable to check all revisions of the Wiki.

Timeline (Sept 15th JST):

  • 11:46AM discovered vulnerability, sent report privately to jvvg
  • 11:47AM the reply "since it only allows injecting HTML..."
  • 11:57AM Proof-of-concept code triggered on jvvg's account, Scratch Wiki:Sandbox edited
  • 12:15PM Patch applied
  • 12:29PM Advisory created

Logo of Apple502j.jpg Apple502j Talk/Activities 2,205edit 03:46, 15 September 2020 (UTC)

Thank you for informing us of this, and to Apple502j, Naleksuh, and jvvg for discovering and fixing it! :)
Bigpuppy Logo.png bigpuppy talk ▪︎ contribs 03:55, 15 September 2020 (UTC)
Thanks! :)
Ahmetlii logo.gif ahmetlii  Talk  Contributions  Directory 
07:30, 15 September 2020 (UTC)

Creating a redirect

Yes Done
Should we create a redirect of "Who is the creator of Scratch?" to "Who created Scratch?"? There are chances someone may search that, but it may not be necessary, so I'm going to ask it here. Should we create the redirect?
4096bits 60x60.gif 4096bits | Talk | 192 Contribs | Profile 00:20, 16 September 2020 (UTC)

I think so. I don't completely understand your proposal, so can you clarify?
Garnet.gif garnetluvcookie  talk  contribs  directory  00:30, 16 September 2020 (UTC)
In a nutshell, "Who is the creator of Scratch?" is just a different way to say "Who created Scratch?", so I want to create the redirect in case someone searches "Who is the creator of Scratch?" instead of just "Who created Scratch?". Sorry, if I'm making it even less understandable, I can't really explain it that well.
4096bits 60x60.gif 4096bits | Talk | 192 Contribs | Profile 00:37, 16 September 2020 (UTC)
Personally, my view is that redirects are cheap, even though this conflicts with the view of many other editors and even established policy that is very strict about what redirects are allowed. However, there are countless variations on how to phrase any given question. I'd say create it if you want, but don't concern yourself with making such redirects.
Naleksuh.jpg Naleksuh (talk | contribs) 02:14, 16 September 2020 (UTC)

──────────────────────────────────────────────────────────────────────────────────────────────────── After this conversation, and that people are being confused about it and that it's unnecessary, I'm not going to do it.
4096bits 60x60.gif 4096bits | Talk | 192 Contribs | Profile 19:40, 17 September 2020 (UTC)


The Wiki was down for a bit, what happened? It might be the MediaWiki update, but I'm not sure.
Garnet.gif garnetluvcookie  talk  contribs  directory  22:50, 16 September 2020 (UTC)

Nope, as a user doing some QA stuff for the update, that has nothing to do with the update; nothing has changed on the server (besides regular Wikian edits, of course). We're still smoke testing a lot of things and working on things we need to fix. I'm not sure of the cause, but I can tell you for sure that it is not due to the update.
VFDan.png VFDan  Talk  Contribs  On Scratch  01:06, 17 September 2020 (UTC)

