[Koha-bugs] [Bug 20415] Remove UseKohaPlugins system preference

bugzilla-daemon at bugs.koha-community.org
Fri Mar 16 01:29:34 CET 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20415

--- Comment #5 from Liz Rea <liz at catalyst.net.nz> ---
They don't, that's the point. The reason for the many hoops here was that we
didn't want front-end staff uploading unverified code (none of the plugins are
independently audited, nor do they go through a community QA process) to the
public server filled with personally identifying information without the IT
departments of libraries being aware that it was happening. 

I can imagine a (however unlikely) scenario where someone makes a Really
Awesome Plugin(tm) that provides a function that lots of libraries want, that
does the feature but also sends the entire database to an unscrupulous 3rd
party. With the hoops, we can at least be sure that someone with access to the
server has spoken to the person in the library about their intentions. Without
them, either the sysadmin or the librarian could do this independently and
without speaking to each other.

Experience tells me that librarians will do almost anything to get out of
talking to the IT department (yes, it's a generalisation). This isn't a good
thing in this scenario; we have to think about the potential for theft of data
via the plugin system and do what we can to make sure that the people tasked
with protecting the data (the IT departments, usually) know exactly what code
is running on their publicly facing web servers. The multi-factor turn-on for
this feature is, at the very least, due diligence on our part. We could warn
more, to be honest.

I hope this helps explain my perspective a bit.

Cheers,
Liz
