On Sat, 26 Feb 2011, Sebastian Klein wrote:

Dirk Stöcker wrote:
 The biggest and in my eyes only important issue is the possibility to have
 malicious plugins, and we can't do anything against this anyway without
 preventing plugins.

Yes we can:
(1) Make clear whether a plugin is from the openstreetmap svn or an external binary (e.g. move external plugins to a 2nd tab in the preferences or remove them from the public list altogether).
(2) Introduce nightly builds for plugins and allow pinging the server for an intermediate build.

I think measure (1) can be done in a weaker form right now (short note in the plugin description), but we should keep our environment as open as possible. Measure (2) isn't necessary for security reasons in my opinion, but would improve the plugin workflow in general.

Well, you assume that OSM-SVN is much better than external plugins. I doubt that. If I wanted to, I think I could craft code in such a way that a brief review would not find the malicious parts. So even storing the code in OSM-SVN will not really be safe. This is the major reason why my rules for JOSM-SVN are stricter (I need to trust the contributor).

I think the major reasons why we have nearly no external plugins are:
- automatic translation
- automatic version management for older versions
- automatic updates in case of JOSM changes

Most plugins started external, and after the first issues with version changes we convinced the authors to use SVN in the future :-) So instead of forbidding (which I never like) I try to provide additional features as encouragement, and it seems this works well.

I don't think it is necessary to have stricter rules at all. In case we have trouble, we may change our policy, but as long as everything is fine we should be as open as possible.

For example, our bug tracker does not need registration, which is very rare nowadays. This means we have to care a lot more about SPAM, and it also means we get a lot of reports which don't help us much, as questions aren't answered; but it also means that we get a large number of very helpful reports.

The same goes for plugins. Our open policy caused a lot of plugins introducing new features and attracted new developers. I don't want to change this without a real reason.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
_______________________________________________
josm-dev mailing list
josm-dev@openstreetmap.org
http://lists.openstreetmap.org/listinfo/josm-dev