[Koha-bugs] [Bug 23890] Plugins that utilise possibly security breaching hooks should warn
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Oct 30 07:58:19 CET 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23890
--- Comment #8 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
I think the discussion is not if the users can install plugins themselves or
not - they already can. This is a discussion on how to make sure they get
better information about the plugins and if they are trustworthy. Also allowing
admins to whitelist certain repositories... and I think those are good ideas.
I like the idea for the plugins to provide some general information about them.
Maybe if we had plugins that were limited to only using what the APIs offer, we
could have a list of what they use as an indicator of potential damage. But as
our plugins can do 'anything', it's much harder. We could maybe ask developers
to include information about data that will be changed by their plugin in some
way? A list of core methods and hooks used?
I always liked how the DokuWiki system for plugins worked. They are listed in
the DokuWiki DokuWiki, with their repository/zip URLs. Then you can search that
from within your own installation, get info and also download and install if a
URL has been provided, alternatively, you can still upload zip files manually
for installing plugins provided elsewhere. (https://www.dokuwiki.org/plugins)
So maybe we could have a central directory of available plugins with
descriptions etc. This would allow us to add a form of rating, QA and similar
in the future, but still allowing people to do development using their
preferred tool. The DokuWiki directory also allows you to see how often a
plugin has been installed by others, as an indicator of those that are
popular/widely used. This could be an easy way to have a first indicator of
'quality'. They also include a 'report bugs' link in their directory that is
helpful.
As another security measure we could allow admins to 'whitelist' plugins or
sources in the directory locally and block the upload of zip files, so users
get a limited view of plugins supported/checked by their admins/providers.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list