[TYPO3-dev] Removing "enable extension without reviews" checkbox
Marcus Krause
marcus#exp2009 at t3sec.info
Wed Jun 17 21:00:05 CEST 2009
David Bruchmann wrote on 06/17/2009 at 10:19 AM:
> ----- Original Message -----
> From: Steffen Gebert <steffen at steffen-gebert.de>
> Sent: Wednesday, June 17, 2009 10:06:07
> To: typo3-dev at lists.netfielders.de
> CC:
> Subject: Re: [TYPO3-dev] Removing "enable extension without reviews"
> checkbox
>> Dmitry Dulepov wrote:
>>> Simply +1. Checking it is the first thing I have to do in every
>>> installation.
>>
>> Me too - for us "experts" it's just an annoyance / ritual and for
>> beginners it might be a blocker because they can't find the extension
>> they're searching for!
>>
>> Steffen
>
>
> Seems it's impossible to stop it ;-)
Imagine the following two scenarios!
User A & User B
Scenario 1:
A: Hey B, I got our website working. It was a lot of work but in the end
... it's running now. Mailing list helped a lot.
3 months later:
B: A, you've set up our website some time ago, right?
A: Yes.
B: Well, it has been compromised.
A: Shit, but I only installed extensions from TER.
B: Yes, you installed 60 extensions, throughout alpha, beta and stable
versions.
A: But extensions in TER are secure, aren't they?
B: Actually, ... they are not. Everybody can upload crappy extensions.
A: But, I wasn't aware of that. Nobody told me so.
Scenario 2:
A: Hey B; I wanted to install powermail but EM told me it's not
available. But I've seen it on typo3.org.
B: Yeah, I guess I know why it failed. Did you un-check "reviewed only"
in EM?
A: No, why should I do that?
B: Some time ago it was planned that every extension will be reviewed
but it's a huge task. Only a few elderly extension versions are reviewed.
A: But if I un-check "reviewed only" nobody has had a look at those
extensions. Am I safe to install?
B: Yeah, uncheck and please always have a look at the code that you are
going to install. Also try to install stable versions only, check out
comments!
A: Thanks B. I'll try to do my best.
END
I'd always choose 2 over 1; aka. keep it the way it is. Un-checking
means reading and understanding what you are doing.
Don't forget that it's nothing that annoys users; only admins are affected.
You as an experienced admin know what it means and a single click won't hurt.
However, new admins will need to understand the concept behind it. That's
great. And admins of an ECMS will probably manage to unveil the "review
concept".
Please keep it! Add an explanation "reviewed only is activated" to the
retrieve and update functions.
Marcus.
--
TYPO3 Security blog: http://secure.t3sec.info/