https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632 --- Comment #16 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #15)
You are assuming that an author who is trusted once is trusted for all the plugins they will write. This assumption is wrong IMO.
This assumption is the same as the software package managers on Windows and Linux. I think it's a fair and conventional assumption to make. That being said, I agree with the content of what you're saying, which is why this feature needs to be paired with a whitelist where administrators can define which plugins should be allowed to be installed. That way administrators specify that only X authentic plugins from Y trusted authors can be installed. I'm planning to code the whitelist functionality too, but haven't had the time yet. In lieu of it, I think adding a signature system alone is better than the nothing that we have at the moment. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.