[TYPO3-dev] [TYPO3-v4] Removing the feature "Enable extensions without review (basic security check)" from EM
Lars Houmark
lars at houmark.com
Wed May 12 23:02:59 CEST 2010
Hi Marcus,
Marcus Krause wrote:
> Reasons:
> Only admins have access to the EM - a small number of TYPO3 users. I
> expect them to know/understand the checkbox's meaning.
And at the same time magically know/understand that updates will not be
presented if they have it on? And that the extensions they will be
presented might be old versions? Right... Try thinking like a newbie
admin instead of one that has deep knowledge of TYPO3 and the core code.
Please!
> There has been a review recently and another one is about to come soon.
> Both affect major extensions.
It doesn't change the 99,9%. And what the general understanding is.
Let's keep a checkbox and flawed integration in there for 2 or 3
extensions. No, let's not!
> There were plans of having important extensions maintained by a team.
> Then, this checkbox might be used to highlight them amongst the others.
Plans and plans, nothing really happens. Also the TER was supposed to be
cleaned up and old/non-maintained extensions removed - for the last 4
years. Yet to happen.
> We have an extension security policy that most of TYPO3 users aren't
> aware of. This checkbox might remember users that only a small number of
> extensions in TER are completely audited in regards to security.
I know, I wrote it. Why not link to it on every extension download?
And I just read up on the old (long) discussion. It was about the time I
left the security team and was on vacation in the period, which must be
why I missed it. The reasons for keeping it seem really simple imho,
and not much has happened since. Still this feature may be responsible
for many installations running insecure even though it has been maintained
by an admin that has updated extensions.
The simple fact is: extension reviews are not happening the way it was
intended when the TER feature was made, along with the EM feature. It
has failed, and with the amount of extensions in TER (which I guess is a
positive thing for the entire project as such) it will not happen in the
way it was intended. Face it! Move on. Clean up!
If something comes up in the future that can be similar, then we can
look at implementing something in the EM that works with the new
method/strategy.
I promise, I won't delete the code, that gets removed, from my local
HDD, so we can quickly put it back in ;)
--
Lars Houmark