Downloading plugins (Was: Summer of Code Projects)

Gervase Markham gerv at mozilla.org
Fri Mar 2 14:57:23 UTC 2007


Bill Barry wrote:
> We can't make certain that the code is not malicious (not perl anyways), 
> but we certainly can make sure it conforms to coding standards 
> associated with bugzilla (taint, warnings, passes included test suite, 
> uses dbi, ...).

We can - but what does it buy us? We're just doing free QA for their 
project.

And we can't exactly tell admins "don't install this - it doesn't have a 
2-space indent".

> We can also make sure each plugin has contribution 
> history to tell who did what (cvs blame and logs) to help deter people 
> from intentionally writing malicious code.

"Don't install this - it doesn't have a public source repository"?

>> b) This sort of close coupling basically makes the plugins a part of 
>> Bugzilla anyway.
>>
> Is that a problem? I think it would help getting contributors to 
> Bugzilla itself.

It's a problem because it defeats the entire point of plugins. The point 
of plugins is that someone else does all the work, and we don't have to 
worry about it too much. So people can extend Bugzilla in the directions 
they like without taking core development team resources.

Gerv
