Downloading plugins (Was: Summer of Code Projects)

Bill Barry after.fallout at
Fri Mar 2 14:32:51 UTC 2007

Gervase Markham wrote:
> Bill Barry wrote:
>> I would suggest each plugin passes a whole bunch of "safety" tests 
>> (to be determined some time in the future) and would then need to be 
>> signed by official reviewers (note). 
> This has big problems. a) Analysing code to make sure it's not 
> malicious is really hard, and a lot of work even if you can't do it 
> perfectly. 
We can't make certain that the code is not malicious (not perl anyways), 
but we certainly can make sure it conforms to coding standards 
associated with bugzilla (taint, warnings, passes included test suite, 
uses dbi, ...) . We can also make sure each plugin has contribution 
history to tell who did what (cvs blame and logs) to help deter people 
from intentionally writing malicious code.
> b) This sort of close coupling basically makes the plugins a part of 
> Bugzilla anyway.
Is that a problem? I think it would help getting contributers to 
Bugzilla itself.

More information about the developers mailing list