[TYPO3-dev] [TYPO3-v4] Removing the feature "Enable extensions without review (basic security check)" from EM

Peter Klein pmk at io.dk
Wed May 12 21:59:39 CEST 2010


+1
(I hate that useless checkbox)

--
Peter Klein / Clio Online

"Lars Houmark" <lars at houmark.com> wrote in message 
news:mailman.1.1273686371.24670.typo3-project-v4 at lists.typo3.org...
> Hi people,
>
> For years I wanted to remove this feature.
>
> Facts:
>
> * There have been no or VERY FEW reviews of extensions over the past 
> years
>
> * This means +99,9% of all extensions are NOT reviewed
>
> * The standard setting looks up *reviewed* extensions only, which means 
> +99,9% will not show up with the standard setting
>
> * When using the "Update extensions" feature, TYPO3 uses the setting from 
> the "Settings" of the "Import extensions" feature, and if it is set to 
> *reviewed* only the updater will NOT list extensions that are updated - it 
> might even hide an extension that was updated due to security issues - 
> meaning this feature will work against what was the original intent
>
> * My understanding is there will be no improvements in relation to 
> reviews of extensions. There is not enough manpower to do the task.
>
> * New users will of course do as TYPO3 recommends - which means they will 
> only list *reviewed* extensions (the default setting) and because of this, 
> they will be unable to find the extension they are searching for, and they 
> will also not find updates to extensions, for the same reason
>
> * The following popular extensions will NOT be found (in the latest 
> version) while having *reviewed only* checked:
> - tt_news (finds version 2.2.24)
> - realurl (finds version 1.1.0)
> - templavoila (finds version 1.1.1)
> - phpmyadmin (not found at all)
> - sr_feuser_register (not found at all)
>
> Because of the above new users might install old and potentially insecure 
> extensions.
>
> Over the years, there have been numerous questions to the security team 
> about extensions not being available in TER. The main reason was probably 
> because of having the setting on.
>
> This configuration is outdated since its counterpart, active reviewing 
> of extensions by skilled people, is not being done and has not been for 
> years (this is NOT criticism of that, simply a conclusion).
>
> So IMHO this feature is useless and leads to different kinds of problems 
> which can all be solved simply by removing the feature and listing all 
> extensions. An improved flash message box that tells the user that none of 
> the extensions in TER can be considered reviewed and therefore the user 
> should consider doing their own review, or at least be aware of this, should 
> be added at the same time.
>
> What do you think?
>
> If there is quick feedback, I will work on removing the feature from the 
> EM and provide a patch for the core list so it might be able to make it 
> into 4.4.
>
> -- 
> Lars Houmark
> 
