[TYPO3-dev] [TYPO3-v4] Removing the feature "Enable extensions without review (basic security check)" from EM

Ulrich Lorenz PHZ Luzern lorenz.ulrich at phz.ch
Wed May 12 20:43:16 CEST 2010


Hi Lars

There is absolutely nothing I could add to your statement. You are completely right. So: Go for it!


Thanks,

Lorenz


-----Ursprüngliche Nachricht-----
Von: typo3-dev-bounces at lists.typo3.org im Auftrag von Lars Houmark
Gesendet: Mi 12.05.2010 19:42
An: typo3-dev at lists.typo3.org
Betreff: [TYPO3-dev] [TYPO3-v4] Removing the feature "Enable extensions without review (basic security check)" from EM
 
Hi people,

For years I wanted to remove this feature.

Facts:

* There has been none or VERY FEW reviews of extensions over the past years

* This means +99,9% of all extensions is NOT reviewed

* Standard setting is looking up *reviewed* extensions only, which means 
+99,9% will not show up with the standard setting

* When using the "Update extensions" feature, TYPO3 uses the setting 
from the "Settings" of the "Import extensions" feature, and if it is set 
to *reviewed* only the updater will NOT list extensions that are updated 
- it might even hide an extension that was updated due to security 
issues - meaning this feature will work against what was the original intent

* My understanding is there will be no improvements in relations to 
reviews of extensions. There is not enough manpower to do the task.

* New users will of course do as TYPO3 recommends - which means they 
will only list *reviewed* extensions (the default setting) and because 
of this, they will be unable to find the extension they are searching 
for, and they will also not find updates to extensions because of the same

* The following popular extensions will NOT be found (in the latest 
version) while having *reviewed only* checked:
	- tt_news (finds version 2.2.24)
	- realurl (finds version 1.1.0)
	- templavoila (finds version 1.1.1)
	- phpmyadmin (not found at all)
	- sr_feuser_register (not found at all)

Because of the above new users might install old and potentially 
insecure extensions.

Over the years, there has been numerous questions to the security team 
about extensions not being available in TER. The main reason was 
probably because of having the setting on.

This configuration is outdated since its counterpart, actively reviewing 
of extensions by skilled people, is not being done and has not been for 
years (this is NOT criticism of that, simply a conclusion).

So IMHO this feature is useless and leads into different kind of 
problems which can all be solved simply by removing the feature and 
listing all extensions. An improved flash message box that tells the 
user that none of the extensions in TER can be considered reviewed and 
therefore the user should consider doing its own review, or at least be 
aware or this, should be added at the same time.

What do you think?

If there is quick feedback, I will work on removing the feature from the 
EM and provide a patch for the core list so it might be able to make it 
into 4.4.

-- 
Lars Houmark

_______________________________________________
TYPO3-dev mailing list
TYPO3-dev at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-dev



More information about the TYPO3-dev mailing list