Hi Michal,

I would say that the plugin system (like many plugin systems) is risky. As 
Jonathan indicates, plugins are not reviewed by the Koha Community, so we can 
make no guarantees regarding safety/security of individual plugins. Since the 
plugins are third-party code, they could contain anything. That said, I doubt 
that you'd find any/many malicious Koha plugins in the wild. You're more likely 
to find Koha plugins that just have accidental security vulnerabilities. For 
instance, I have found some that have SQL injection vulnerabilities, which I 
wouldn't recommend using (although I say that personally and not as a member of 
the Koha Community - I'm not reviewing any plugins at a community level). 

In terms of safety, you're *probably* more likely to find accidental problems 
rather than malicious ones, although practically speaking you could encounter 
either. 

There is a fledgling conversation about adding signatures (i.e. author 
verification) for plugins 
(https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632). With this 
verification, you could set up Koha to only use plugins from a trusted provider 
(like Prosentient Systems, PTFS Europe, ByWater Solutions, BibLibre, EBSCO, 
etc.).

That wouldn't keep you safe from accidental security vulnerabilities, but it 
would keep you safe from malicious plugins. 

The trade-off with plugins is that you get new functionality quicker but it's 
not as rigorously reviewed as the Koha codebase. 

David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia

Office: 02 9212 0899
Online: 02 8005 0595

-----Original Message-----
Date: Thu, 16 Apr 2020 03:28:34 -0700 (MST)
From: Michał Dudzik <dudzikmic...@wp.pl>
To: koha@lists.katipo.co.nz
Subject: [Koha] Is Koha plugin system safe?
Message-ID: <1587032914820-0.p...@n5.nabble.com>
Content-Type: text/plain; charset=us-ascii

The Koha plug-in system enables easy system expansion with additional 
non-standard functions.
I have received several queries from librarians about the security of the 
plug-in system.
Personally, I have not observed any problems, so I would like to ask whether 
using the plug-in system is safe.

Regards,
Michal



------------------------------

Message: 2
Date: Thu, 16 Apr 2020 12:54:23 +0200
From: Jonathan Druart <jonathan.dru...@bugs.koha-community.org>
To: Michał Dudzik <dudzikmic...@wp.pl>
Cc: koha <koha@lists.katipo.co.nz>
Subject: Re: [Koha] Is Koha plugin system safe?
Message-ID:
        <cajzkny6-uxzgusrhuizsns5ir9hoqe7couywh50p+gkukfn...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi Michal,

It depends on the plugin :)
A plugin can do almost everything it wants, so you should only install plugins 
you really trust.
And you should give the permissions to manage them to librarians you really 
trust as well.

I should add that plugins are almost never reviewed (by the QA team for 
instance), so they could potentially contain security issues.

Regards,
Jonathan

On Thu 16 Apr 2020 at 12:28, Michał Dudzik <dudzikmic...@wp.pl> wrote:
>
> The Koha plug-in system enables easy system expansion with additional 
> non-standard functions.
> I have received several queries from librarians about the security of 
> the plug-in system.
> Personally, I have not observed any problems, so I would like to ask 
> whether using the plug-in system is safe.
>
> Regards,
> Michal
>
