On Sat, 26 Feb 2011, Sebastian Klein wrote:
> Dirk Stöcker wrote:
>> The biggest and, in my eyes, only important issue is the possibility of having
>> malicious plugins, and we can't do anything against this anyway without
>> preventing plugins.
> Yes we can:
> (1) Make clear whether a plugin is from the OpenStreetMap SVN or an external
> binary (e.g. move external plugins to a 2nd tab in the preferences or remove
> them from the public list altogether).
> (2) Introduce nightly builds for plugins and allow pinging the server for an
> intermediate build.
> I think measure (1) can be done in a weaker form right now (a short note in the
> plugin description), but we should keep our environment as open as possible.
> Measure (2) isn't necessary for security reasons in my opinion, but would
> improve the plugin workflow in general.
Well, you assume that OSM-SVN is much better than external plugins. I
doubt that. If I wanted to, I think I would be able to craft code in a way
that a brief review would not find the malicious parts. So even storing the
code in OSM-SVN will not really be safe. This is the major reason why my
rules for JOSM-SVN are more strict (I need to trust the contributor).
I think the major reasons why we have nearly no external plugins are:
- automatic translation
- automatic version management for older versions
- automatic updates in case of JOSM changes
Most plugins started external, and after the first issues with version
changes we convinced the authors to use SVN in future :-) So instead of
forbidding (which I never like), I try to provide additional features as
encouragement, and it seems this works well.
I don't think it's necessary to get stricter rules at all. In case we have
trouble, we may change our policy, but as long as everything is fine we
should be as open as possible.
For example, our bug tracker does not need registration, which is very
rare nowadays. This means we have to care a lot more about SPAM, and it also
means we get a lot of reports which don't help us much, as questions
aren't answered; but it also means that we get a large number of very
helpful reports.
So the same goes for plugins. Our open policy has led to a lot of plugins
introducing new features and has attracted new developers. I don't want to
change this without a real reason.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
_______________________________________________
josm-dev mailing list
josm-dev@openstreetmap.org
http://lists.openstreetmap.org/listinfo/josm-dev