[TYPO3-dev] [TYPO3-v4] Removing the feature "Enable extensions without review (basic security check)" from EM

Jigal van Hemert jigal at xs4all.nl
Thu May 13 00:16:14 CEST 2010


Marcus Krause wrote:
> Reasons:
> Only admins have access to the EM - a small number of TYPO3 users. I
> expect them to know/understand the checkbox's meaning.

Everybody who installs TYPO3 is an admin. The 1-2-3 installer is being 
updated to install a dummy package with relevant information, because 
those admins do not understand how to set up a TYPO3 installation 
manually. That's the level of admin you see in real life!

> There has been a review recently and another one is about to come soon.

Must have missed that on the front page of typo3.org ;-)

Seriously, what is the ratio of reviewed vs. not-reviewed in TER? How come?

> There were plans of having important extensions maintained by a team.
> Then, this checkbox might be used to highlight them amongst the others.

And a team is a safeguard against security problems?

> We have an extension security policy that most of TYPO3 users aren't
> aware of. 

How come? Create awareness in another way than this.

> This checkbox might remind users that only a small number of
> extensions in TER are completely audited in regards to security.
> 
> In 99% of the TER extensions you are exposed to the risk to install
> insecurely written extensions.

But as Lars pointed out, it also stops updates from being installed.

In the previous discussion I had problems with potential legal 
consequences. This doesn't seem to be an actual issue, so if there is no 
real outlook that there will be massive reviews in the near future the 
option is pointless.

+1 for removing.

-- 
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh



