[TYPO3-dev] [TYPO3-v4] Removing the feature "Enable extensions without review (basic security check)" from EM
Peter Klein
pmk at io.dk
Wed May 12 21:59:39 CEST 2010
+1
(I hate that useless checkbox)
--
Peter Klein / Clio Online
"Lars Houmark" <lars at houmark.com> wrote in message
news:mailman.1.1273686371.24670.typo3-project-v4 at lists.typo3.org...
> Hi people,
>
> For years I wanted to remove this feature.
>
> Facts:
>
> * There have been no or VERY FEW reviews of extensions over the past
> years
>
> * This means +99,9% of all extensions are NOT reviewed
>
> * Standard setting is looking up *reviewed* extensions only, which means
> +99,9% will not show up with the standard setting
>
> * When using the "Update extensions" feature, TYPO3 uses the setting from
> the "Settings" of the "Import extensions" feature, and if it is set to
> *reviewed* only the updater will NOT list extensions that are updated - it
> might even hide an extension that was updated due to security issues -
> meaning this feature will work against what was the original intent
>
> * My understanding is there will be no improvements in relation to
> reviews of extensions. There is not enough manpower to do the task.
>
> * New users will of course do as TYPO3 recommends - which means they will
> only list *reviewed* extensions (the default setting) and because of this,
> they will be unable to find the extension they are searching for, and they
> will also not find updates to extensions because of the same
>
> * The following popular extensions will NOT be found (in the latest
> version) while having *reviewed only* checked:
> - tt_news (finds version 2.2.24)
> - realurl (finds version 1.1.0)
> - templavoila (finds version 1.1.1)
> - phpmyadmin (not found at all)
> - sr_feuser_register (not found at all)
>
> Because of the above new users might install old and potentially insecure
> extensions.
>
> Over the years, there have been numerous questions to the security team
> about extensions not being available in TER. The main reason was probably
> because of having the setting on.
>
> This configuration is outdated since its counterpart, actively reviewing
> of extensions by skilled people, is not being done and has not been for
> years (this is NOT criticism of that, simply a conclusion).
>
> So IMHO this feature is useless and leads to different kinds of problems
> which can all be solved simply by removing the feature and listing all
> extensions. An improved flash message box that tells the user that none of
> the extensions in TER can be considered reviewed and therefore the user
> should consider doing their own review, or at least be aware of this, should
> be added at the same time.
>
> What do you think?
>
> If there is quick feedback, I will work on removing the feature from the
> EM and provide a patch for the core list so it might be able to make it
> into 4.4.
>
> --
> Lars Houmark
>