Hi,

Dirk Stöcker wrote:
> No, we don't want that really. Anonymous editing is a major part of the JOSM concept till now and most important contributions are anonymous or not logged in and I spent really a lot of time into improving the Trac spamfilter to be a usable tool to find potential issues.
>
> Beside this Sebastian and I monitor every change afterwards and check if they are dangerous or spammy.

I'm not talking about help pages etc., I'm talking about JOSM configuration options that are now in Trac. If we want to allow anonymous edits to them, then I suggest that we should invent something where these things are signed by someone and JOSM only uses them after they have been signed.

I find it unacceptable that someone can inject any imagery source or preset or map style into *every* JOSM instance without even having to log in.

> Yes, there will be a time in between, when dangerous stuff can be included, but this is a problem with OpenSource in general.

No. In the normal OSM SVN we at least have accountability - if someone uploads something malicious then we know who it was and we can block the account, or at least people know "stuff uploaded by X is not trustworthy". All I'm saying is that I want the same accountability on the JOSM trac *if* JOSM is built in a way to automatically download configuration information from there.

Correct me if I'm wrong but as I see it, currently it is very well possible that a JOSM user is shown presets, plugins, imagery layers or map styles where we don't even know who put them there. I don't think that's right.

> The biggest and in my eyes only important issue is the possibility to have malicious plugins and we can't anyway do anything against this without preventing plugins.

If someone downloads a .jar file from somewhere on the net and installs it - their problem. If someone clicks "update plugins" in his out-of-the-box JOSM installation and gets malicious code - our problem. I am not requesting that we find ways to perfectly prevent it, but I think accountability ("user XYZ changed the plugin list on <date>") is absolutely required. Otherwise this *will* be abused sooner or later, and massively reduce the trust users place in JOSM. We must think about these things before they happen. We have a responsibility towards our users that we cannot simply do away with by saying "there are lots of other ways how users can shoot themselves in the foot so why bother if JOSM adds some more".

Bye
Frederik

--
Frederik Ramm  ##  eMail [email protected]  ##  N49°00'09" E008°23'33"

_______________________________________________
josm-dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/josm-dev
