AO3 News

Site security (constant vigilance!)

Published: 2013-02-07 17:25:55 -0500

While developing the Archive of Our Own, site security is one of our top priorities. In the last couple of weeks, we've been reviewing our 'emergency plan', and wanted to give users a bit more information about how we work to protect the site. In particular, we wanted to make users aware that in the event of a security concern, we may opt to shut the site down in order to protect user data.

Background

Last week we were alerted to a critical security issue in Ruby on Rails, the framework the Archive is built on. We (and the rest of the Rails community) had to work quickly to patch this hole: we did an emergency deploy to upgrade Rails and fix the issue.

As the recent security breach at Twitter demonstrated, all web frameworks are vulnerable to security breaches. As technology develops, new security weaknesses are discovered and exploited. This was a major factor in the Rails security issue we just patched, and it means that once a problem is identified, it's important to act fast.

Our security plans

If the potential for a security breach is identified on the site and we cannot fix it immediately, we will perform an emergency shutdown until we are able to address the problem. In some cases, completely shutting down the site is the only way to guarantee that site security can be maintained and user data is protected.

We have also taken steps for 'damage limitation' in the event that the site is compromised. We perform regular offsite backups of site data. These are kept isolated from the main servers and application (where any security breach could take place).

In order to ensure the site remains as secure as possible, we also adhere to the following:

  • Developers are subscribed to the Rails mailing list and stay abreast of security announcements
  • We regularly update Rails and the software we use on our servers, so that we don't fall behind the main development cycle and potentially fall afoul of old security problems
  • All new code is reviewed before being merged into our codebase, to help prevent us introducing security holes ourselves
  • All our servers are behind firewalls
  • All password data is encrypted

What you can do

The main purpose of this post is to let you know that security is a priority, and to give you a heads up that we may take the site down in an emergency situation. Because security problems tend to be discovered in batches, we anticipate that there is an increased risk of us needing to do this over the next month. In this case, we'll keep users informed on our AO3_Status Twitter, the OTW website and our other news outlets.

Overall site security is our responsibility and there is no immediate cause for concern. However, we recommend that you always use a unique username / password combination on each site you use. Using the same login details across many sites increases the chance that a security breach in one will give hackers access to your details on other sites (which may have more sensitive data).

We'd like to thank all the users who contacted us about the latest Rails issue. If you ever have questions or concerns, do contact Support.


Tiny Release Notes for Release 0.9.5 Redux

Published: 2013-02-04 13:10:09 -0500

After deploying version 0.9.5 of the Archive last weekend, we (along with the entire Ruby on Rails community) were alerted to a critical security issue that had to be fixed immediately. We had just upgraded to Rails 3.0.19 and were working on fixing an unexpected bug this upgrade had caused: work information in subscription emails had lost its line breaks and arrived in one hard-to-read blob.

We deployed the security patch, together with the updated work information code, last Monday, and are now working on the next regularly scheduled release. Many thanks to Elz, Jenn Calaelen, Lady Oscar, Sarken and Scott for their contributions to this code update! Some information about the current security concerns regarding Ruby on Rails, and the measures we take to protect our servers and users, will be posted later.

As always, you can find currently known issues (and some workarounds) on our Known Issues page, and you can always contact Support in case you run into problems or have any questions.

Release Details

Features

  • Added a Tumblr button to the "Share" box available for all works: it will create a new Link post with work title, URL, and work information already filled in - you just have to add tags and push the button!

Bug Fixes

  • Upgraded Rails
  • Fixed the "Share" text to include HTML for line breaks, making it display correctly in email notifications as well as any blogging platform that accepts HTML-formatted text
  • Also added Additional Tags to the work information block; they had been missing previously


852 Prospect - Manual Import Support Chat Reminder

Published: 2013-02-01 13:02:57 -0500

As we reported early last month, due to delays in setting up the automated import for 852 Prospect, we are working to support authors who are interested in manually importing their stories into the Archive of Our Own.

There will be two public chats, hosted by the Open Doors and Support committees, on Campfire (the online chat platform the OTW uses). The first will be on February 2 at 22:00 UTC. The second will be on February 10 at 01:00 UTC. (Click the links to see when the chat is being held in your timezone.) You can access OTW’s public chatroom using this guest link.

If you have questions and are unable to make it to the chat or have additional questions after, you can always contact Open Doors for further information.


Fandom Tags: Now with More Articles!

Published: 2013-01-27 13:52:21 -0500

Good news for users browsing fandoms on the AO3 -- alphabetizing titles by articles such as "the" or "das" or "los" is now a thing of the past!

With this latest AO3 release, the Fandom names on the media pages now will sort alphabetically regardless of articles. Previously, the code that generated pages like the Theater Fandoms page sorted by the first letter of the canonical fandom tag name. Because we wanted the tags to be sorted alphabetically, we had to remove articles from the names of the fandom, unless the fandom name was only two words or otherwise was confusing without the article. Needless to say, we've been seeking a solution to this for some time, but required something internationally compatible that wouldn't strain our servers.

This deploy gives wranglers the ability to set a "sort name" on canonical fandom tags that is separate from the "display name". So we can now have fandom names such as "The Crucible - Miller" display the article, but be sorted under "C".

The deploy also ran an automated process on our existing fandom tags that should have automatically changed the sort name for tags starting with: a, an, the, la, les, un, une, des, die, das, il, el, las, los, der, and den. In some cases, this auto-corrected some fandom names incorrectly ("Die Hard (1998)" sorting under "H", for example).

This still leaves a large number of tags that need to be manually adjusted, as they had an article removed to allow proper sorting under the old system. The Tag Wranglers are working through the fandom tags, restoring articles where the fandom name should have one, and fixing any incorrect changes. It will not be an instant process, given there are over 11,000 canonical fandom tags on the Archive, so we ask for your patience if it takes us a while to fix your particular fandom.

In the meantime, if you have questions you can ask here or send a question to our Support team, who'll pass it on to the Wranglers. The Tag Wrangling Committee also has a Twitter account at ao3_wranglers for all sorts of tag-related discussion.


Release Notes for Release 0.9.5

Published: 2013-01-26 09:43:05 -0500

Welcome to Release 0.9.5! Ariana, Elz, Enigel, Lal, Sarken, and Scott S contributed code to this release, which was tested by our awesome testing team: Ariana, Elz, Emilie K, Estirose, Jenn Calaelen, Kylie, Lady Oscar, Mark B, Sam J., Sarken, and Tai.

We're starting into the new year with a small collection of fixes and improvements, with a bigger release slated for the February/March deploy. As always, if you run into any problems or have any questions, please contact Support. If you want to know if a feature you'd like to propose has already been suggested, or has been approved by our coders for a future update, visit our Feature Requests board (see the Internal Tools FAQ for more information).

Highlights!

Ignoring articles when sorting fandoms

On each media subpage, such as for Movies or Video Games, fandom tags were listed alphabetically, leading to somewhat irregular results when looking for fandoms starting with "The" or other articles. We have now changed the sorting code to ignore articles (a, an, the, la, le, les, un, une, des, der, die, das, den, il, el, las, los), while also giving the tag wranglers an option to manually override the sorting for a given tag in case of clashes. (For example, the German article "die" would lead to "Die Hard" being sorted under H, which is undesirable.)
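The sorting behaviour described here and in the "Fandom Tags: Now with More Articles!" post above, sketched in Ruby as an added example. This is not the Archive's own code: `FandomTag`, `sort_name_override` and `media_page_index` are hypothetical names, and the sample fandom list is constructed.

```ruby
# Added illustration with hypothetical names; not the Archive's actual code.

# Articles listed in the release notes above.
ARTICLES = %w[a an the la le les un une des der die das den il el las los].freeze

# A leading article counts only when followed by whitespace, so
# "Thelma & Louise" is not treated as "The" + "lma & Louise".
ARTICLE_PREFIX = /\A(?:#{ARTICLES.join('|')})\s+/i

# Hypothetical stand-in for a canonical fandom tag: a display name plus an
# optional sort name set by hand by a tag wrangler.
FandomTag = Struct.new(:name, :sort_name_override) do
  # Name used for ordering. A manual override always wins; otherwise one
  # leading article is removed from the display name.
  def sort_name
    return sort_name_override unless sort_name_override.to_s.strip.empty?

    stripped = name.sub(ARTICLE_PREFIX, '')
    # Fall back to the full name if stripping would leave nothing.
    stripped.empty? ? name : stripped
  end
end

# Order tags by sort name and bucket them by first letter, the way a media
# subpage lists fandoms. The display name is what the reader still sees.
def media_page_index(tags)
  tags.sort_by { |t| [t.sort_name.downcase, t.name.downcase] }
      .group_by { |t| t.sort_name[0].upcase }
end

# Constructed sample data.
SAMPLE_TAGS = [
  FandomTag.new('Thelma & Louise'),
  FandomTag.new('The Crucible - Miller'),
  # Without this override the German article "die" would be stripped and
  # the tag would land under "H".
  FandomTag.new('Die Hard (1998)', 'Die Hard (1998)'),
  FandomTag.new('Les Misérables - Hugo'),
  FandomTag.new('Das Boot')
].freeze

if __FILE__ == $PROGRAM_NAME
  media_page_index(SAMPLE_TAGS).each do |letter, tags|
    puts "#{letter}: #{tags.map(&:name).join(', ')}"
  end
end
```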

No more OpenID

We've finally gone ahead and removed all support for OpenID accounts - a system we could never fully support, as the infrastructure behind it isn't without its own problems and our invitation system meant you couldn't just go ahead and use your OpenID login to create an account to begin with. We might consider different ways of accessing the site in the future, but as little more than a password replacement OpenID has outlived its use.

Activity log for admins

In this and the next several code updates, we'd like to focus on tools and enhancements for the people "behind the scenes" - members of the Abuse team, Open Doors, Support, Tag Wranglers, and so on. We're starting with a more convenient overview of recent admin activity, collecting all changes made to works by Abuse personnel, such as tag changes or deletions of works that were found in violation of the TOS.

Most of these enhancements will be invisible to the casual user, but we're hoping to make our volunteers' lives a little easier and enable a smoother experience for everyone.

Known Issues

See our Known Issues page for current issues. This list is updated with each release, so please make sure to give it a glance before contacting Support - it might just offer you a temporary solution to your problem right away.

Release Details

Features

  • Removed OpenID support
  • Added an activity log for Abuse admins
  • Made fandoms on media subpages ignore "the" and other articles when sorting alphabetically

Bug fixes and backend enhancements

  • The list of fandoms on a user's homepage was potentially breaking anonymity if the user had posted only anonymous works for a fandom, making it guessable which work in a collection belonged to them; this has been fixed to not display the fandom for anon works either in the list or the filters
  • Clicking "Edit Tags" from a work saved as a draft would take you to a form where your only option to save the tags would post the draft; this has been fixed
  • When marking a work for later, a success message would let you know it had been added to your history; it now helpfully links to your actual "Marked for Later" page
  • Accessing the "new comment" page attached to a restricted work would allow guests to leave comments on said work (without actually being able to see the work itself); this has been fixed to allow only logged-in users to comment
  • Fixed a problem with the caching on some collection fandom pages, where the works listing wasn't always updating properly
  • The notification emails for collection owners wouldn't be sent when someone added a work to a collection and also made it part of a series at the same time; this has been fixed
  • In preparation for the 852 Prospect archive import, we made some helpful changes to the page authors can access to claim their imported works
  • The page to change your username was quietly loading all usernames currently registered on the Archive, presumably in an attempt to make sure your choice hadn't been taken yet; this didn't actually work and was also a huge drain on the servers, so the code was changed
  • Changing your email would work even when the address given in the confirmation field didn't match your desired address; this has now been fixed
  • The Report Abuse form was behaving erratically; it now correctly sends a copy of the report if you enter an email address, and flashes an error if you request a copy but don't enter an address
  • A bug was preventing Abuse personnel from editing work tags and warnings on works that had been found to violate the guidelines for warnings; they can now follow through on procedure as laid out in the TOS
  • The invitation email was inviting you to join an "Organization of Transformative Works" project; the "of" has been silently replaced with the vastly more correct "for" now (oops)
  • On a user's Related Works page, their own translations were coded as an invalid mixture of tables and lists; this has now been fixed
  • Upgraded the version of Ruby on Rails our code runs on to make it easier to incorporate security updates and to pave the way for bigger upgrades in the next few months
  • We run a mirror version of the site that we use for testing, and it's now running in staging mode rather than production, which lets us customize and track things a little more easily


Farewell OpenID

Published: 2013-01-22 17:51:30 -0500

We announced quite a long while ago that we were phasing out the use of OpenID on the AO3. While the feature was convenient for some users, a very small percentage of accounts were using an OpenID login, and the amount of time spent on maintaining the feature outweighed the benefits of offering it as an option.

When we made the decision to phase out OpenID, we removed it as an option for new accounts. We're now removing the option completely, which means that existing accounts which are using OpenID logins will need to switch to logging in via a username and password combination. Only 57 users are currently logging in via OpenID, so this will not affect many people (we will be emailing all those users who do not currently have a password set up).

If you're currently using an OpenID login, you need to do the following:

1. Check your username (the default name for your account)
2. Log out of the Archive and choose the 'forgot password?' option next to 'Log in'.
3. Enter your username or email address to have a password emailed to you.
4. Log in using your username and the password which was sent to you.
5. Go to your profile to set a password of your choice.
6. Log in using your username and chosen password from now on.

We're sorry to those of you who did find the OpenID option useful. We'll continue to consider different login options going forward, but it's important to us to have something we can commit to maintaining fully. If you encounter any problems during the switch, please contact Support!


Scheduled downtime: firewall upgrade

Published: 2013-01-16 06:24:06 -0500

The Archive of Our Own will have some scheduled downtime on Thursday January 17 at 18.30 22:00 UTC (see what time this is in your timezone). We expect the downtime to last about 15 minutes.

This downtime is to allow us to make some changes to our firewall which will make it better able to cope under heavy loads. This will help with the kinds of connection issues we experienced last week: our colocation host has generously offered to help us out with this (thanks, Randy!).

As usual, we'll tweet from AO3_Status before we start and when we go back up, and we'll update there if anything unexpected happens.


852 Prospect - Manual Import FAQ

Published: 2013-01-10 12:46:57 -0500

Hi, 852 Prospect authors!

The 852 Prospect is still moving to the AO3 due to the state of its software (read more about this in our first post about the move), but there have been some unexpected delays with the code needed to make the automated import happen. For that reason, the Open Doors Committee will be emailing AO3 invitations (and explanations) to all of the 852 Prospect authors in the next few weeks. This will allow any interested author to set up their own accounts and import their stories to the 852 Prospect collection on AO3 if they don't want to wait. If you no longer have access to the email address you used on 852Prospect.org, or if you have questions not answered by this post, you can always contact Open Doors. (If you have verified your new address with Open Doors before, you don't need to do so again.)

To avoid duplicate stories when the rest of the collection is auto-imported in the near future, we request you post them using the manual URL importer feature. Doing it this way will ensure that all of the comments, kudos and hit counts will be on one story and that readers following old links from 852 Prospect will get to your stories easily.

To help you do this, you can read the Archive FAQs on Importing, Collections and Tags, and the short FAQ below.

There will also be two public chats, hosted by the Open Doors and Support committees, on Campfire (the online chat platform the OTW uses). The first will be on February 2 at 22:00 UTC. The second will be on February 10 at 01:00 UTC. (Click the links to see when the chat is being held in your timezone.) You can access OTW’s public chatroom using this guest link.

How do I add my stories to the 852 Prospect Collection in the Archive?
How do I import stories from 852Prospect.org?
How do I search within the 852 Prospect Collection?

 

How do I add my stories to the 852 Prospect Collection in the Archive?


For stories already posted on the Archive of Our Own:
1. Access your dashboard while logged in and click on "Edit Works".

2. Select the stories you would like to add to the 852 Prospect Archive collection, and click "Edit".

3. In the second gray box, there is a field for "Add to Collections". Start typing "852 Prospect Archive"; it will pop up as a suggestion. Click on it.

4. Down at the bottom, click "Update All Works".

5. Because the 852 Prospect Archive collection is moderated, your story/stories will not be added right away.

While importing stories to the Archive of Our Own:
1. While signed in, go to the 852 Prospect Archive collection page (http://archiveofourown.org/collections/852_Prospect_Archive) and click on the button in the upper-right hand corner, "Post to Collection".

2. Import your story using the "Import From An Existing URL" feature. (See below for instructions.)

 

How do I import stories from 852Prospect.org?


1. While logged in, click on the "Post New" button in the upper-right hand corner.

2. On the next page, click on "Import From An Existing URL Instead?" (also in the upper-right hand corner).

3. Copy the URL of your story on the 852Prospect.org website, and then paste into the window for URLs.

4. Select your story rating (required); pick one of five choices:
Not Rated: Select this if you do not wish to rate your story.
General Audiences: For stories on 852Prospect.org that were rated Gen or PG.
Teen and Up Audiences: Select this if you would like to rate your story for PG-13 audiences.
Mature: For stories on 852Prospect.org that were rated R.
Explicit: For stories on 852Prospect.org that were rated NC-17.

5. Select applicable warnings for the AO3 (required). (Any other warnings you would like to add to your story can be added under Additional Tags.) There are six choices, mark all that apply:
Choose Not to Use Archive Warnings: Select this if you do not wish to assign warnings to your story.
Graphic Depictions of Violence: For stories on 852Prospect.org that had a "violence" warning, or otherwise contain scenes of graphic violence.
No Archive Warnings Apply: Select this warning if you do not believe the AO3 warnings apply to your story.
Rape/Non-Con: For stories on 852Prospect.org that had a "rape/nc" warning, or otherwise contain rape or non-consensual elements.
Underage: Select this warning if your story contains an underage person in a sexual relationship with another character.

6. For "Fandoms" (required), start typing "The Sentinel" and it will appear as a suggestion. Click on it. (Add other fandoms if applicable.)

7. For "Category", please select whichever you feel are applicable, or else none:
F/F: Female/Female
F/M: Female/Male
Gen: General: no relationship, or containing relationships which are not the main focus of the work
M/M: Male/Male
Multi: Any combination of relationships, multiple partners
Other: Other

8. For "Relationships", start typing one character's name and select the correct suggestion.

9. Add any other tags (warnings, or tags that mirror 852Prospect.org categories) that you see fit under Additional Tags. Please note that Additional Tags should not be hyphenated. (For a list of all the tags currently in use within The Sentinel fandom, see this page.)

10. Click "Import". It will take you to a preview screen of the story you imported (or, if you entered multiple URLs, links to preview screens for the stories you imported). On the preview screen for each story, there are four choices down at the bottom:
Post: Click this if you are happy with the formatting and would like to post.
Save Without Posting: Click this if you would like to save this story to your draft folder, to edit/post another time. (Please note, drafts are only saved for a week from the day they were first created.)
Edit: Click this if you would like to edit the story before posting.
Cancel: Click this to cancel, and start over another time.

 

How do I search within the 852 Prospect Collection?


To search within a collection, make sure you are on the 'works' view of a collection. You can browse to the 'works' view of a collection by clicking 'works' on the sidebar of the collection. You can search within the collection by clicking 'search within results' on the right hand side of the page, within the filters sidebar. This searches all the fields associated with a work in the database, including summary, notes and tags, but not the full work text. There are special characters you can use to further customize your results; the '?' button explains them in more detail.


