Downloading plugins (Was: Summer of Code Projects)
Bill Barry
after.fallout at gmail.com
Fri Mar 2 14:32:51 UTC 2007
Gervase Markham wrote:
> Bill Barry wrote:
>> I would suggest each plugin passes a whole bunch of "safety" tests
>> (to be determined some time in the future) and would then need to be
>> signed by official reviewers (note).
>
> This has big problems. a) Analysing code to make sure it's not
> malicious is really hard, and a lot of work even if you can't do it
> perfectly.
We can't make certain that the code is not malicious (not perl anyways),
but we certainly can make sure it conforms to coding standards
associated with bugzilla (taint, warnings, passes included test suite,
uses dbi, ...). We can also make sure each plugin has contribution
history to tell who did what (cvs blame and logs) to help deter people
from intentionally writing malicious code.
> b) This sort of close coupling basically makes the plugins a part of
> Bugzilla anyway.
>
Is that a problem? I think it would help getting contributors to
Bugzilla itself.
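As an added illustration of the kind of conformance gate the message above proposes (this is example code, not anything from the Bugzilla project or the thread), the script below checks a Perl plugin file for three of the named items: taint mode on the shebang, warnings enabled, and database access going through DBI. Assumptions: a plugin is a single `.pm` file, "uses dbi" is approximated as "any file containing SQL keywords must import `DBI` or call `Bugzilla->dbh`", and running the plugin's own test suite with `prove` is left to the reviewer. The sample plugin files are constructed inline.

```shell
#!/bin/sh
# Added example: a minimal pre-review conformance gate for a Perl plugin.
# Not Bugzilla project code. Checks are textual (grep) so the gate runs
# without perl installed; a real gate would also run `perl -Tc` and `prove`.

# check_plugin FILE
# Prints one line per failed check and returns 1 if any check failed, 0 if clean.
check_plugin() {
    file="$1"
    rc=0
    shebang=$(head -n 1 "$file")

    # 1. Taint mode: the shebang must carry -T (e.g. "perl -wT" or "perl -T").
    if ! printf '%s\n' "$shebang" | grep -q -- '-[a-zA-Z]*T'; then
        echo "$file: shebang does not enable taint mode (-T)"
        rc=1
    fi

    # 2. Warnings: either -w on the shebang or an explicit 'use warnings;'.
    if ! printf '%s\n' "$shebang" | grep -q -- '-[a-zA-Z]*w' \
       && ! grep -q '^use warnings;' "$file"; then
        echo "$file: warnings are not enabled (-w or 'use warnings;')"
        rc=1
    fi

    # 3. Database access through DBI (assumption: a file that carries SQL
    #    keywords must import DBI or obtain a handle via Bugzilla->dbh).
    if grep -Eqiw 'SELECT|INSERT|UPDATE|DELETE' "$file" \
       && ! grep -Eq '^use DBI;|Bugzilla->dbh' "$file"; then
        echo "$file: contains SQL but does not use DBI / Bugzilla->dbh"
        rc=1
    fi

    return $rc
}

# check_dir DIR
# Runs check_plugin over every .pm file in DIR; returns 1 if any file failed.
check_dir() {
    dir="$1"
    overall=0
    for f in "$dir"/*.pm; do
        [ -e "$f" ] || continue
        check_plugin "$f" || overall=1
    done
    return $overall
}

# Constructed sample plugins for a stand-alone run.
demo_dir=$(mktemp -d)
printf '#!/usr/bin/perl -wT\nuse strict;\nuse DBI;\nmy $q = "SELECT 1";\n1;\n' \
    > "$demo_dir/Good.pm"
printf '#!/usr/bin/perl\nmy $q = "SELECT 1";\n1;\n' \
    > "$demo_dir/Bad.pm"

if check_dir "$demo_dir"; then
    echo "all plugins in $demo_dir pass"
else
    echo "review needed before signing"
fi
```

Usage: `check_plugin path/to/Plugin.pm` or `check_dir plugins/`; a non-zero exit means the file should not be signed yet. The checks are deliberately conservative (a false positive costs a reviewer a glance, a false negative costs a signature), which is the right trade-off for a gate that runs before human review rather than instead of it.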