[Typo3-dev] Welcome back in the "goto-age"?

Michael Stucki michael at typo3.org
Wed Mar 23 07:58:15 CET 2005


Hi Mr. Kraft,

>> Could many of the "enrich the core with expected
>> functionality"-extensions not move the functionality to the core?
> 
> I don't like to say it but somehow I "fear" contributing to the core.
> 
> What if I make some contribution and after a few months it comes out that
> one of those contributions is responsible for opening a big security hole
> in Typo3. As you have already seen from the last "Security alert"
> (DB cross-site scripting in an extension) it really goes wild if some
> major bug is found. Just think if this bug hadn't been in a (not so
> often used) extension but in the Core ...

This is nonsense. Before anything gets into the core it is reviewed by at
least two people, and it's up to you to show it to even more people if
you're not sure about any impacts.

And by the way, a core patch is definitely more anonymous than an
extension, because you don't see exactly who has changed what (unless you
look at the CVS log, of course). But if I see a kb_-extension, it's really
easy for me to see who is responsible...

> Michael (Stucki) already said that the "KB Better stdWrap" extension, with
> which you can replace {pattern} markers in a stdWrap field by any arbitrary
> value from Typo3 (every field from all objects, arrays), should go into
> the core. But he also pointed out some security issues.

At least, the problem should be discussed. I think there are already some
other ways for reading global variables with TypoScript, but let's check
this first...

> I wouldn't like to see that this goes into the core and afterwards I'm the
> bad guy because of opening a big security hole.

Obviously you didn't understand what my claim was. See above.

> Perhaps the problem with many extension authors is that they don't react
> to mails sent to them regarding some of their extensions... Perhaps
> they even aren't in the Typo3 world anymore ... Such extensions should get
> marked "Unsupported".

This can be solved in some way, but it won't change if people just start
forking it. Let's say we give them 4 weeks to respond and if they don't
respond, you can have the extension ownership (or so...)

Regards, michael
-- 
Want support? Please read the list rules first: http://typo3.org/1438.0.html