[TYPO3-ect] Ideas to clean up TER

Michael typo3ml at schams.net
Mon Jan 30 12:55:46 CET 2012


On 30/01/12 20:33, Franz Holzinger wrote:

>> I just want to clarify that "unmaintained" extensions should also mean
>> unmaintained by the Security Team.

Is the main difference between "normal" and "unmaintained" extensions
from the Security Team's perspective that if someone reports a security
issue with an "unmaintained" extension, the Security Team does not try
to contact the developer but simply removes the extension? This would be
legitimate from my perspective.

Is there anything else that applies to "unmaintained" extensions with
regard to security and the Security Team in particular?

>> Because of that, these extensions
>> must be excluded from the EM with *no* option to include them.

Sounds ok to me. A non-obvious option to show them in the EM would be
nice but I agree, it's better to exclude them completely in the EM. If
you still have the option to access the t3x file (e.g. via TER's
search), you can install even unmaintained extensions (but not
"accidentally", that's for sure) :-)

>> Same goes for the TER website.
> 
> Then almost nobody will be able to find those extensions. This means
> that they are lost, if there is no link and a search tool on typo3.org
> which helps to find those unmaintained extensions.

Yes, that's exactly my concern. I understand that we want to clean up
the TER and I definitely support this. However, instead of physically
deleting unmaintained extensions or hiding their existence, I would
suggest to mark them and let every system, every component, etc. decide
how to handle those extensions. The EM could ignore them. The TER search
results could list but clearly highlight them as "unmaintained". The
extension key registration process could do whatever we decide. And so on.

A great example for "unmaintained" developments is the PHP::PEAR
repository. Have a look at the packages and go to "Mail":

http://pear.php.net/packages.php?catpid=14&catname=Mail

The package "Mail_Mbox" is not maintained at the moment, which is
unfortunately not very obvious in the list view, but click on the
package name:

http://pear.php.net/package/Mail_Mbox

A note informs you that (quote) "this package is not maintained, if you
would like to take over please go to...".

I really, really love the idea of "cleaning up the TER" (maybe better:
cleaning up the extension list) and I think the first step would be to
develop rules how to identify "unmaintained" extensions. Personally, I
like the concept Jigal suggested: tie extensions to TYPO3 versions. If
we introduce a new status ("unmaintained" or similar) that would give us
a lot of flexibility.

The second step would be to decide how various systems (and maybe Teams
like the Security Team) should handle extensions with this status.

What do you think? Any other comments?

Cheers
Michael

