Extensions with security issues: only remove download?

Here you can contact the editors of our Extensions site, as well as access information relating to this site.

Moderators: tydust, LorenzoG, timothy.stiffler

pe7er
Joomla! Enthusiast
Posts: 162
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands

Extensions with security issues: only remove download?

Post by pe7er » Tue Aug 22, 2006 5:54 am

I posted this info in http://forum.joomla.org/index.php/topic ... #msg446094 but I think this topic is more suitable for this discussion.

Currently Extensions with security issues are removed from the extensions directory. Then it is not possible (or very difficult) to find and download a certain extension that has a known vulnerability. On the other hand, by removing the extension from that Extension site, all info about the extension (and hyperlinks from the forum to that extension) is lost!

I would prefer the Extensions site to have only the download button being removed, and a security warning included. Plus which version number of the component was at risk + known manual safety hacks. Then all info about the component/module/plugin stays at the same place. Now the Attention: Official List of Vulnerable 3rd Party Add-ons!!! http://forum.joomla.org/index.php/topic,79477.0.html thread is a great source for the safety of 3rd party extensions. But I would prefer that info with the components themselves at the Extensions site.

I am fully aware that my opinion would cost a lot of programming. Furthermore I have not thought a lot about the disadvantages of a system like this, so if you have any negative points about my idea, please post those too....
Kind Regards,
Peter Martin (aka pe7er)
db8.nl - Joomla! implementation, programming, template and component development [Dutch]
>> Questions? Get help more easily with JTS-post Assistant: viewtopic.php?f=428&t=272481

ot2sen
Joomla! Ace
Posts: 1384
Joined: Thu Aug 18, 2005 9:58 am
Location: Hillerød - Denmark

Re: Extensions with security issues: only remove download?

Post by ot2sen » Tue Aug 22, 2006 6:22 am

Hi pe7er,

Thanks for your suggestion.
True, there are some pros and cons by temporarily unpublishing vulnerable extensions. But like you said:
"Then it is not possible (or very difficult) to find and download a certain extension that has a known vulnerability."

Agree that there are some downsides too by unpublishing. (Temp. broken links, confusion, etc.)

We could do something like your suggestion by manually taking over ownership and changing the information temporarily, but then again that might not be worth the effort needed to keep on top of this.

Let us discuss this within the team to see if we can improve the handling of extensions with certain issues. (that could be known security issues, hacked webpages or downloads that are not available)
Ole Bang Ottosen - http://www.ot2sen.dk
Danish Joomla! support site – http://joomladanmark.org

Tonie
Joomla! Ace
Posts: 1585
Joined: Thu Aug 18, 2005 7:13 am

Re: Extensions with security issues: only remove download?

Post by Tonie » Tue Aug 22, 2006 7:49 am

The same applies to Joomla! Forge (we can set a project to "project member access only"). We don't have any control over the Forge software, so for the moment with any security issues a project also removes visibility.
Antonie de Wilde - Forum admin

