[Koha-bugs] [Bug 20415] Remove UseKohaPlugins system preference

[bugzilla-daemon at bugs.koha-community.org]

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20415

--- Comment #6 from Tomás Cohen Arazi <tomascohen at gmail.com> ---
(In reply to Liz Rea from comment #5)
> They don't, that's the point. The reason for the many hoops here was that we
> didn't want front end staff uploading un-verified code (none of the plugins
> are independently audited, nor do they go through a community QA process) to
> the public server filled with personally identifying information without the
> IT departments of libraries being aware that it was happening. 
> 
> I can imagine a (however unlikely) scenario where someone makes a Really
> Awesome Plugin(tm) that provided a function that lots of libraries want,
> that does the feature but also sends the entire database to an unscrupulous
> 3rd party. With the hoops, we can at least be sure that someone with access
> to the server has spoken to the person in the library about their
> intentions. Without them, either the sysadmin or the librarian could do this
> independently and without speaking to each other.
> 
> Experience tells me that librarians will do almost anything to get out of
> talking to the IT department (yes it's a generalisation). This isn't a good
> thing in this scenario, we have to think about the potential for theft of
> data via the plugin system and do what we can to make sure that the people
> tasked with protecting the data (the IT departments, usually) know exactly
> what code is running on their publicly facing web servers. The multi factor
> turn on for this feature is at the very least, due diligence on our part. We
> could warn more, to be honest.
> 
> I hope this helps explain my perspective a bit.
> 
> Cheers,
> Liz

I agree with Liz.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.