* Dmitry Samersoff <[email protected]> [2010-10-11 11:22]:
> e.g. we have SomePlugin that is known to be vulnerable, but we have to
> use it in a project.
> Currently nothing prevents admin of other project enable it for its
> own env.

Hmm, just put it in envdir/plugins? Then it's not available to other environments.

>> Again, if someone already has R/W access to the env folder, you have
>> bigger problems.
> e.g.
> A plugin developer type: cp myplugin.py myplugin_old.py
> and then forget to delete myplugin_old.py with plenty of debug
> printing.

And what if he types: rm *? Etc, etc.

As Noah said, if someone has fs access, or can deploy plugins developed by themselves, they can break everything.

>>> 2. No autoenable
>> This just makes life difficult for simple, one-env sites.
> Really? It's either one-line in ini file or couple of mouse clicks in
> admin panel.

I would say: sensible defaults. If someone puts a plugin in environment, he surely wants it enabled, so IMO it should be enabled by default. It's a very sensible solution.

> Debugging issues like one with myplugin_old.py above eats much more
> time.

But only for you, and enabling all modules would have to be done by hundreds of other people, sorry. Plus all the questions on ML "why my plugin doesn't work".

> We should separate trac core (i.e. controlled and supported by trac
> team) information from one provided by third-party, untrusted plugins
> to avoid possible conflicts and save support efforts.

Trac doesn't sandbox plugins, so you *have to* trust plugins, because they can do everything. I don't see how separating enabling modules from trac.ini helps with anything, sorry.

I think you may have some valid points about problems in config like "trac farm", but the proposed solutions IMO are not good defaults for trac, at least some of them.

--
best regards
silk
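The myplugin_old.py case from the thread can be caught with a periodic audit, shown here as an added example that is not part of the original message or of Trac itself. It assumes the usual environment layout (`conf/trac.ini` and `plugins/`), treats `enabled`/`on` as the enabling values, and uses a simplified prefix match against `[components]` keys; the sample environment is constructed.

```python
import configparser
import os
import tempfile

def component_rules(trac_ini):
    """Return {lower-cased key: is_enabled} from the [components] section."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str                      # keep keys such as "myplugin.*" intact
    cp.read(trac_ini)
    if not cp.has_section("components"):
        return {}
    # Assumption: "enabled" and "on" are the values that switch a component on.
    return {k.lower(): v.strip().lower() in ("enabled", "on")
            for k, v in cp.items("components")}

def audit_env(env_dir):
    """Classify each single-file plugin in env_dir/plugins.

    "unlisted" means no [components] key names the module, i.e. the file is
    loaded only because it sits in the plugins directory.
    """
    rules = component_rules(os.path.join(env_dir, "conf", "trac.ini"))
    findings = []
    for name in sorted(os.listdir(os.path.join(env_dir, "plugins"))):
        if not name.endswith(".py"):
            continue
        mod = name[:-3].lower()
        # Simplified match: the key is the module itself or "module.<something>".
        hits = [on for key, on in rules.items()
                if key == mod or key.startswith(mod + ".")]
        state = "unlisted" if not hits else ("enabled" if any(hits) else "disabled")
        findings.append((name, state))
    return findings

def build_sample_env(root):
    """Create a constructed environment reproducing the thread's scenario."""
    os.makedirs(os.path.join(root, "conf"))
    os.makedirs(os.path.join(root, "plugins"))
    with open(os.path.join(root, "conf", "trac.ini"), "w") as f:
        f.write("[components]\nmyplugin.* = enabled\nsomeplugin.* = disabled\n")
    for name in ("myplugin.py", "myplugin_old.py", "someplugin.py", "README.txt"):
        open(os.path.join(root, "plugins", name), "w").close()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for fname, state in audit_env(build_sample_env(os.path.join(tmp, "env"))):
            print(f"{state:9} {fname}")
```

Files reported as `unlisted` are the ones to review or delete; the check does not sandbox anything, it only makes forgotten copies visible.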
