<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi all,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I was doing my morning reading, and noticed that Microsoft have a Windows Package Manager in the works (<a href="https://www.theverge.com/2020/5/20/21264739/microsoft-windows-package-manager-preview-download">https://www.theverge.com/2020/5/20/21264739/microsoft-windows-package-manager-preview-download</a>). While that might not be newsworthy for many people interested in FOSS, you might reconsider when you look at what they’re doing for a community metadata repository: <a href="https://github.com/microsoft/winget-pkgs">https://github.com/microsoft/winget-pkgs</a> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Here’s an example of a metadata file for 7-zip in that repository: <a href="https://github.com/microsoft/winget-pkgs/blob/master/manifests/7Zip/7Zip/19.0.0.yaml">https://github.com/microsoft/winget-pkgs/blob/master/manifests/7Zip/7Zip/19.0.0.yaml</a>. It includes a URL to the installer and a SHA256 hash for integrity checking. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Now according to <a href="https://github.com/microsoft/winget-cli">https://github.com/microsoft/winget-cli</a>, it doesn’t look like they’re using that Github repository as *<b>the</b>* metadata source repository. Indeed after a bit of digging it appears that the actual default metadata source is <a href="https://winget.azureedge.net/cache/source.msix">https://winget.azureedge.net/cache/source.msix</a>, which contains a SQLite database of metadata (index.db). <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I think that’s an interesting model. We could use <a href="http://gitlab.com/koha-community/plugins">http://gitlab.com/koha-community/plugins</a> like <a href="https://github.com/microsoft/winget-pkgs">https://github.com/microsoft/winget-pkgs</a> where people could submit pull requests to get plugin metadata added to the repository. That would enable there to be a basic level of curation. We could then use something like <a href="https://plugins.koha-community.org/">https://plugins.koha-community.org/</a> to serve actual metadata (in whatever standardish format we want) to either the Koha web UI (and a Debian package Koha CLI tool like “koha-plugin-get” which make plugin deployment and maintenance potentially easier for sysadmins). There could be an automated process for updating plugins.koha-community.org from http://gitlab.com/koha-community/plugins too. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>People would be free to point to other plugin metadata repositories (e.g. vendor-specific repos), but by default it would be set up for the Koha Community plugin metadata repository. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In terms of security, we could mimic Debian’s Apt model of signing the plugin metadata manifest. That way, when setting up a plugin metadata repository in Koha, all you need to do is import a public key/cert to get trusted access to the repo. With the Koha Community repository, we could bake that public key/cert into Koha releases, so it would be seamless for end users.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The hardest part of this process would be settling on what metadata manifest format to use for <a href="https://plugins.koha-community.org/">https://plugins.koha-community.org/</a>. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Actually, the hardest part would be trying to maintain some kind of backward compatibility. Maybe that’s best done by rebranding the current plugin model as “Legacy Plugins” or “Manual Plugins” and then just building a separate web UI for the Repository model. We could re-use the same internals. We could also have separate controls for enabling/disabling “Manual Plugins” vs “Repository Plugins”, so that vendors could provide access to plugins via a repository but prevent people from uploading random plugins from the Internet. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Anyway, food for thought. I’m happy to do a lot of this work (probably in my personal time rather than work time), but I’d want to make sure there is some buy-in from other vendors and Koha plugin creators first. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>David Cook<o:p></o:p></p><p class=MsoNormal>Systems Librarian<o:p></o:p></p><p class=MsoNormal>Prosentient Systems<o:p></o:p></p><p class=MsoNormal>72/330 Wattle St<o:p></o:p></p><p class=MsoNormal>Ultimo, NSW 2007<o:p></o:p></p><p class=MsoNormal>Australia<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Office: 02 9212 0899<o:p></o:p></p><p class=MsoNormal>Online: 02 8005 0595<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>