[Koha-bugs] [Bug 20340] Ability to use authentication plugin

bugzilla-daemon at bugs.koha-community.org
Mon Apr 29 02:48:25 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20340

--- Comment #54 from David Cook <dcook at prosentient.com.au> ---
(In reply to Alex Arnaud from comment #48)
> I do understand this argument. I even agree that plugins (and not only
> authentication ones) could contain security issues. 
> For "our" hosted libraries, we disabled write permission on the plugins
> directory.
> Looks like a tricky solution and we probably need a better one but it means
> that administrators have the final word.
> 

That's really interesting to know. That's probably the most logical way to do
it presently, but I agree that it would be nice to have a more elegant
solution. I think that's the key thing I'd like to see come out of this
discussion really. 

> IMO plugins are useful (even essential) to satisfy specific libraries
> requests and not to avoid community processes.
> I wrote this patch in order to create an authentication plugin that can
> request many LDAP backends and fall back on another one.
> Seems too specific to be suggested to the community.
> To go further, as discussed above, I think we should generally consider
> LDAP, CAS etc. as specific features that would become plugins (maybe
> another debate).

I totally agree in theory. I would love to see all the authentication methods
structured as plugins that can be added/removed as necessary, although I think
it should be done by administrators rather than librarians. 

> To return to security topic:
> Today, many free pluggable systems provide repositories with a large amount
> of plugins that have been reviewed, tested and validated by their community
> as safe. Users can easily download ones from other sources but they know
> it's at their own risk.
> Maybe we should be inspired by that.

I'd argue that "they know it's at their own risk" isn't necessarily true. It's
like how many people sign contracts without reading them, or tick the "Terms
and Conditions" box without reading the Terms and Conditions. People seem to
just assume that nothing bad will ever happen to them. 

However, I like the sound of the plugins being reviewed, tested, and validated
by their community. I recall there being an unwillingness to provide a
repository for fear that it would create an "endorsement" of plugins by being
in the repository, but... I think you're right. People read and trust reviews.
If they had a centralized place for reviewing plugins, I think that could
really build confidence in using them, and provide people without technical
knowledge a source to make more informed decisions.
