[dokuwiki] Re: [GSOC] Rewrite Plugin Management

  • From: Michael Hamann <michael@xxxxxxxxxxxxxxxx>
  • To: dokuwiki <dokuwiki@xxxxxxxxxxxxx>
  • Date: Sun, 27 Mar 2011 23:35:46 +0200

Hi,

Excerpts from Piyush Mishra's message of 2011-03-25 04:14:43 +0100:
> 2011/3/25 José Carlos Campos <zecapistolas@xxxxxxxxxxxxxx>:
> > On Thu, Mar 24, 2011 at 8:54 AM, Michael Hamann
> > <michael@xxxxxxxxxxxxxxxx> wrote:
[...]
> >> Some other suggestions: It might be nice to display some popular or
> >> featured plugins when you haven't searched for anything. In your table I
> >> also can't see any way to sort it, I think that should be added.
> >
> > My idea is: if the search field is empty show Installed Plugins, if not,
> > show Search Plugin and Installed Plugin which match the search.
> 
> I think what he meant here was showing a list of plugins which is umm
> different from other plugins in a certain way.
> eg:- already being downloaded a lot of times.
> Or has been tagged "!featured" or something to mark it as a featured plugin.

Yes, exactly. But it's not a requirement, just an idea. The problem is
imho that there are so many plugins that you don't know where to start
and the first plugin you'll find might not be the best one. So imho it
would be nice to show (new) users some selected plugins. But there is
also another problem, the plugins need to be selected, I don't know if the
plugins and templates team has made any progress on the selection.
You can read more about this on
//www.freelists.org/post/dokuwiki/Idea-about-managing-Plugins-on-dokuwikiorg,8
and
//www.freelists.org/post/dokuwiki-teams/plugin-template-Suggestion
- perhaps integrating these "solutions" into the plugin manager might be
a nice idea, too. Or supporting plugin bundles in general.

> >> Have you already thought about the security part? I.e. how users can
> >> trust the plugin they're downloading? Perhaps some kind of review
> >> system, or download URL change protection, or at least some feedback
> >> that is sent to the server with a button "this plugin works for me"?
> >>
> >
> > Yes, I thought a little about security.
> > My idea:
> > - When someone installs a new plugin, it's safer to start disabled.
> > After the install the user may have doubts about that plugin, so it
> > starts disabled.

Okay, that sounds good. Wordpress has also the concept to try enabling
the plugin temporarily and if the request (in an iframe afaik) doesn't
succeed the plugin won't be enabled. I don't like iframes but perhaps we
could do something similar by making plugin enabling a two-step process:
a) enable plugin temporarily by ignoring the disable-setting/file
b) display a page or a redirect where the plugin is then finally enabled
And if enabling the plugin fails the user can simply go back and
everything will still work.

Or we could simply execute an Ajax request in the background and check
if it works, or perhaps implement both methods and decide based upon the
availability of JavaScript in the browser.

> > - On the project page it is written: "Maybe creating a web of trust by
> > having trusted people (splitbrain, chimeric, Chris-S, foosel, …) who
> > then can examine code by others and trust them?" It's cool but I think
> > this isn't a good solution, because 'trusted people' will have a lot
> > lot lot of work to see all code from all plugins. But if users can
> > vote on 'Authors' of plugins, we can have popularity for 'Authors'
> > (similar to popularity of plugins and templates) and maybe with this
> > we can have more opinions/feedback of 'Authors'.

Yes, probably such a list of trusted people isn't that good/working. I'm
not sure if the vote feature will really work because I can't imagine
the figures won't be that different from the current popularity data
except that developers with a lot of plugins will get more votes. Votes
can also be abused easily if you don't protect them properly.

> > - Other idea: when you submit a new plugin to the DokuWiki repository
> > that plugin is signed with the user's private key or something like
> > that? If an 'Author' had 99% popularity and all his plugins are
> > signed with his key, we can trust this person and his work, no? I
> > think so.

The problem is that signing the plugin might be difficult unless we
provide a simple step for doing it and it won't work at all with the
automatically created archives of GitHub that are currently used for a
lot of plugins.

I'm also not sure the most popular plugins are the best ones. If you
look at the code in the Wordpress Plugin repository e.g. plugins like
All In One SEO Pack that are really popular had or still have security
issues (have a look at
http://www.wptavern.com/forum/plugins-hacks/1492-all-one-search-engine-optimization-pack-must-suspended.html)
and it is even blocked by some webhosters afaik because it badly impacts
the performance by modifying the HTML output of the template using
string manipulation, and the coding style was also not that good, at
least some time ago. So imho popularity is no sign for good plugins that
should be installed by everybody.

Michael
-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
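The two-step enabling Michael sketches above (a trial request that ignores the disable setting, then a confirmation step that commits it), written out as an added PHP example. This is constructed for this thread and is not DokuWiki's plugin manager code; the JSON state files, the function names and the one-time trial token are assumptions.

```php
<?php
// Constructed demo of a two-step plugin enable: the disabled list on disk is only
// changed in step b), so a plugin that breaks the trial request stays disabled.
$stateDir = sys_get_temp_dir() . '/plugin-trial-demo';
@mkdir($stateDir);

function disabledPlugins(string $dir): array {
    $f = "$dir/disabled.json";
    return is_file($f) ? json_decode(file_get_contents($f), true) : [];
}

function saveDisabled(string $dir, array $list): void {
    file_put_contents("$dir/disabled.json", json_encode(array_values($list)));
}

// Step a) start a trial: remember the plugin and a one-time token, but leave
// the on-disk disable setting untouched.
function beginTrial(string $dir, string $plugin): string {
    $token = bin2hex(random_bytes(16));
    file_put_contents("$dir/trial.json", json_encode(['plugin' => $plugin, 'token' => $token]));
    return $token;
}

// Loader decision: a disabled plugin is only treated as active for the single
// request that carries the matching trial token (assumed to come as a request parameter).
function isActive(string $dir, string $plugin, ?string $requestToken): bool {
    if (!in_array($plugin, disabledPlugins($dir), true)) return true;
    $f = "$dir/trial.json";
    if ($requestToken === null || !is_file($f)) return false;
    $trial = json_decode(file_get_contents($f), true);
    return $trial['plugin'] === $plugin && hash_equals($trial['token'], $requestToken);
}

// Step b) the trial request rendered fine, so the confirmation page commits the
// change; without a valid token nothing is changed.
function commitEnable(string $dir, string $plugin, string $requestToken): bool {
    if (!isActive($dir, $plugin, $requestToken)) return false;
    saveDisabled($dir, array_diff(disabledPlugins($dir), [$plugin]));
    unlink("$dir/trial.json");
    return true;
}

// Walk through the flow once with a constructed plugin name.
saveDisabled($stateDir, ['demo']);
$token = beginTrial($stateDir, 'demo');
var_dump(isActive($stateDir, 'demo', null));    // an ordinary request, no token
var_dump(isActive($stateDir, 'demo', $token));  // the trial request itself
var_dump(commitEnable($stateDir, 'demo', $token));
var_dump(isActive($stateDir, 'demo', null));    // ordinary request after the commit
```

If the trial request dies with a fatal error, the user's next request carries no token, so the loader falls back to the unchanged disabled list and the wiki keeps working; a real implementation would also expire stale trial markers.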
