[TYPO3-dev] Re: [TYPO3-v4] Removing the feature "Enable extensions without review (basic security check)" from EM

Marcus Krause marcus#exp2010 at t3sec.info
Wed May 12 22:49:53 CEST 2010


Lars Houmark wrote on 05/12/2010 07:42 PM:
> Hi people,
> 
> For years I wanted to remove this feature.
> 
> Facts:
> 
> * There have been no or VERY FEW reviews of extensions over the past years
> 
> * This means +99,9% of all extensions are NOT reviewed
> 
> * Standard setting is looking up *reviewed* extensions only, which means
> +99,9% will not show up with the standard setting
> [...]
> What do you think?
> 
> If there is quick feedback, I will work on removing the feature from the
> EM and provide a patch for the core list so it might be able to make it
> into 4.4.

I'm still for keeping this one.

Reasons:
Only admins have access to the EM - a small number of TYPO3 users. I
expect them to know/understand the checkbox's meaning.
There has been a review recently and another one is about to come soon.
Both affect major extensions.
There were plans of having important extensions maintained by a team.
Then, this checkbox might be used to highlight them amongst the others.

We have an extension security policy that most TYPO3 users aren't
aware of. This checkbox might remind users that only a small number of
extensions in TER are completely audited with regard to security.

With 99% of the TER extensions you are exposed to the risk of installing
insecurely written extensions.


Marcus.


Follow-up to: typo3.dev

-- 
Member TYPO3 Security Team
Blog on TYPO3 Security: http://secure.t3sec.info/blog/



