[TYPO3-dev] Removing "enable extension without reviews" checkbox
Franz Holzinger
franz at ttproducts.de
Wed Jun 17 21:41:58 CEST 2009
Imagine the following third scenario!
User A & User B
Scenario 3: (merge of scenario 1 and 2)
A: Hey B; I wanted to install powermail but EM told me it's not
available. But I've seen it on typo3.org.
B: Yeah, I guess I know why it failed. Did you un-check "reviewed only"
in EM?
A: No, why should I do that?
B: Some time ago it was planned that every extension would be reviewed,
but it's a huge task. Only a few older extension versions are reviewed.
A: But if I un-check "reviewed only", nobody has had a look at those
extensions. Am I safe to install?
B: Yeah, uncheck and please always have a look in the code that you are
going to install. Also try to install stable versions only, check out
comments!
A: Thanks B. I'll try to do my best.
3 months later:
B: A, you've set up our website some time ago, right?
A: Yes.
B: Well, it has been compromised.
A: Shit, but I only installed extensions from TER.
B: Yes, you installed 60 extensions, throughout alpha, beta and stable
versions.
A: But I know that this is your fault, because you told me that
extensions in TER are secure enough! You told me to uncheck the
'reviewed extensions only' check box.
B: Yes, but we needed those extensions and nobody did a security
review. But I also told you to have a look into the source code of
each extension before you install it! So you did not comply with my rules
thoroughly enough! It is not enough to just uncheck the 'reviewed
extensions only' box.
END
You cannot choose whether scenario 2 or 3 will happen to you. You should
never tell anybody to uncheck this 'reviewed extensions only' box, because
then you could be made guilty for it if a security issue happens in
one of those installed extensions. Therefore I prefer not to have this
checkbox at all. Otherwise the person who unchecked it might be made
responsible for this.
- Franz