[josm-dev] Mandatory login for JOSM wiki
Sebastian Klein
bastikln at googlemail.com
Sat Feb 26 16:29:40 GMT 2011
Dirk Stöcker wrote:
> The biggest and in my eyes only important issue is the possibility to
> have malicious plugins and we can't anyway do anything against this
> without preventing plugins.
Yes we can:
(1) Make clear whether a plugin is from openstreetmap svn or an
external binary (e.g. move external plugins to a 2nd tab in the
preferences or remove them from the public list altogether).
(2) Introduce nightly builds for plugins and allow pinging the server
for an intermediate build.
I think measure (1) can be done in a weaker form right now (short note
in the plugin description), but we should keep our environment as open
as possible. Measure (2) isn't necessary for security reasons in my
opinion, but would improve the plugin workflow in general.
In fact, only 2 out of all 65 plugins are external at the moment.
However, many svn plugins have been external in the past and got
integrated later. I guess the main reason is that josm changes too
often and as a plugin author it is hard to keep up with that. (Core
developers care for plugins that are in svn.)
It seems to me, there are two main reasons for authors to add external
plugins: On the one hand some people are too shy to ask for a svn
account and like to build in their own familiar environment. On the
other hand there are developers that would be capable of adding their
sources to svn, but prefer not to do so for some reason (e.g. git
fetishists or control freaks).
I guess we can live without the second kind but there is no reason to be
unkind to beginners.
Sebastian