[josm-dev] Mandatory login for JOSM wiki
Dirk Stöcker
openstreetmap at dstoecker.de
Sun Feb 27 11:18:55 GMT 2011
On Sun, 27 Feb 2011, Frederik Ramm wrote:
>> No, we don't want that really. Anonymous editing is a major part of the
>> JOSM concept till now and most important contributions are anonymous or
>> not logged in and I spent really a lot of time into improving the Trac
>> spamfilter to be a usable tool to find potential issues.
>>
>> Beside this Sebastian and I monitor every change afterwards and check if
>> they are dangerous or spammy.
>
> I'm not talking about help pages etc., I'm talking about JOSM configuration
> options that are now in Trac. If we want to allow anonymous edits to them,
> then I suggest that we should invent something where these things are signed
> by someone and JOSM only uses them after they have been signed.
>
> I find it unacceptable that someone can inject any imagery source or preset
> or map style into *every* JOSM instance without even having to log in.
Well. This is not the case. You still need an active user-interaction to
activate something. Before you only have a list of installable options.
And this is a common method for a lot of software tools today (one of the
major ones being Mozilla Firefox).
>> Yes, there will be a time in between, when dangerous stuff can be included,
>> but this is a problem with OpenSource in general.
>
> No. In the normal OSM SVN we at least have accountability - if someone
> uploads something malicious then we know who it was and we can block the
> account, or at least people know "stuff uploaded by X is not trustworthy".
Well this is not really a valid argument. You only know a virtual
personality. As I already said - when doing malicious code then all of
these ways can be used relatively easily. Even getting malicious code into
JOSM core is easy and there the restrictions are much higher than for
OSM-SVN.
> All I'm saying is that I want the same accountability on the JOSM trac *if*
> JOSM is built in a way to automatically download configuration information
> from there.
This is wrong. We don't download configuration information. We download
extension lists presented to the user to choose from.
> If someone downloads a .jar file from somewhere on the net and installs it -
> their problem. If someone clicks "update plugins" in his out-of-the-box JOSM
> installation and gets malicious code - our problem. I am not requesting that
> we find ways to perfectly prevent it, but I think accountability ("user XYZ
> changed the plugin list on <date>") is absolutely required. Otherwise this
> *will* be abused sooner or later, and massively reduce the trust users place
> in JOSM. We must think about these things before they happen. We have a
> responsibility towards our users that we cannot simply do away with by saying
> "there are lots of other ways how users can shoot themselves in the foot so why
> bother if JOSM adds some more".
Sure there can be abuse in the future. But what I try to tell you is, that
we can't prevent that at all. To get security we need to constantly watch
the current state. Raising the initial barrier means for me personally
much more work, as I need to have a much closer look on the new lowest
level (the OSM-SVN in this case).
I'm not willing to reduce the openness of JOSM only because of
considerations of potential misuse as long as the problem cannot be solved
at all. We do our very best to encourage the methods we have a
little better under control (like OSM-SVN and Trac) and till now this
strategy works fine.
If you think it is necessary, you can add "You are downloading extensions
from external sources" in case styles/presets/plugins are installed. But I
doubt users really read these texts or react accordingly. At least I
myself know nobody who stops doing what he is doing only because the
program tells him there is potential danger involved.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)