
Should we remove plugin approvals?

Discussion in 'Community News' started by nicatronTg, Feb 13, 2017.


Remove plugin approvals?

  1. Yes. Let developers submit anything (including viruses) they want.

    9.4%
  2. No. Check the reputation of developers before approving only (don't check binaries).

    15.6%
  3. No. Keep decompiling plugins (check binaries, not source code).

    75.0%
  1. nicatronTg

    nicatronTg Shank / hakusaro
    TShock Founder TShock Admin

    Joined:
    Jul 21, 2011
    Messages:
    704
    If you've submitted a plugin recently, you've noticed an increased delay in plugin approval time. This is because the current requirement for approving plugins is decompiling each plugin update and validating that no malicious code is present in the plugin.

    However, developers are extremely busy and can't always do this in a timely fashion. Should we remove plugin approvals, and let plugin developers upload plugins at will, without us checking them?

    Please vote in this poll. If we have a majority of votes and at least 100 votes, we will take that action. If we don't get 100 votes, we will do nothing. Cheers!

     
    • Useful x 2
  2. xCykrix

    Plugin Developer

    Joined:
    Jan 14, 2015
    Messages:
    49
    I personally believe that we should be lightly monitored and checked, as there can be some serious damage. However, a team of selected people that have the time and patience to dedicate to releasing and monitoring plugins. Since it is slightly apparent that the people who do monitor cannot keep up with other things they do. Expanding the team or getting people with more time could profit it.
     
    • Agree x 2
    • Like x 1
  3. Onsen

    Onsen Level 8

    Joined:
    Dec 8, 2015
    Messages:
    283
    I'm worried about whether there are 100 active users in this forum now. lol

    BTW, as for the main subject, is there any way to deploy the plugin DLL automatically (from its source on GitHub) under your team's control? (like Travis?)
    If you can, you just need to validate the source code only... this might not be so efficient, though.
     
    • Like x 2
  4. nicatronTg

    nicatronTg Shank / hakusaro
    TShock Founder TShock Admin

    Joined:
    Jul 21, 2011
    Messages:
    704
    1. We get a lot of guest traffic per month, not registered users though.
    2. It's probably possible if everyone adopted the same format for .cs only plugins. It's not possible right now though.
     
    • Agree x 2
  5. Enerdy

    Enerdy Satellite Admin
    Plugin Developer Zero Day Plugin Author

    Joined:
    Nov 14, 2012
    Messages:
    507
    I like the idea of creating a format standard. This would help not only the issue at hand, but also the creation of a centralized plugin repository for faster plugin management (similar in functionality to NuGet, or APT). This would reduce the setup and maintenance time for advanced server owners by avoiding the need to check the plugin's page on Resource Manager, download the binary and replace the currently existing one for every single plugin each update. Naturally, an effort like this would only be made possible if we could certify the integrity of the source code, so we'd need this format standard for an automated build server first.
     
    • Like x 2
  6. kenichi2k5

    kenichi2k5 Level 2

    Joined:
    May 10, 2015
    Messages:
    43
    I'd rather wait than have a potential security risk on my computer. Also the trustworthiness of your website will also suffer.

    I say keep monitoring the plugins, just get more people in the team.
     
  7. tanpro260196

    tanpro260196 Level 4

    Joined:
    Oct 30, 2015
    Messages:
    97
    1 day and only 11 votes.... =))
     
  8. LoveOryks

    LoveOryks Level 4

    Joined:
    May 12, 2014
    Messages:
    87
    100? Sounds like a little too much, but nah.

    In my opinion, it shall stay like it is. If people are intelligent enough, they will know it's worth the wait.

    Keep checking.
     
  9. shaitan1977

    shaitan1977 Level 4

    Joined:
    Jul 6, 2014
    Messages:
    61
    I'd rather you guys take your time on them, than the alternative. It gives us non-coders peace of mind.
     
  10. XGhozt

    Plugin Developer

    Joined:
    May 12, 2012
    Messages:
    171
    I know I'm a little late here, but... how about a hybrid solution? Perhaps there is a way to tag plugins as "verified". Any newly uploaded plugins will show up right away but it's the user's choice if they want to take the risk or not. As you go in and check them, just give it some kind of flag so we know it's safe.
     
    • Agree x 1
    • Useful x 1
  11. dylanisawesome1

    dylanisawesome1 Level 0

    Joined:
    Oct 29, 2012
    Messages:
    1
    The suggestion I put on Slack was a set of simplistic automated tests for things like changing permissions or deleting worlds. The other option, which I like more, would be to go the route of Android and require authors to specify sensitive permissions, such as perms or stopping the server, and only allow them to use those APIs if specified. That way you can list permissions on the forum page.
     
  12. Ryozuki

    Plugin Developer

    Joined:
    Dec 25, 2014
    Messages:
    46
    I'm for "No. Check the reputation of developers before approving only (don't check binaries)."

    So if you are a new plugin dev, or it's your first / second plugin, it should be checked, otherwise not. It's a bit "meh" to wait to see your work being released so late.

    - My opinion