MyBB Community Forums

Which Plugins are known to be dangerous?
Pages: 1 2 3 4
(2012-08-13, 08:57 AM)Leefish Wrote: Is it likely? I don't really think so. Sad

And I am afraid you are right.
Probably a "Plugin Quality Team"? Just as there is one (SQA) for the MyBB core, there could be another for accepting submitted plugins as "Secure". That could be nice with the new mods site coming soon, but I doubt it will happen; TBH I doubt the MyBB team will "officially" do something related to this on their own at all.
(2012-08-13, 06:04 PM)Omar G. Wrote: Probably a "Plugin Quality Team"? Just as there is one (SQA) for the MyBB core, there could be another for accepting submitted plugins as "Secure". That could be nice with the new mods site coming soon, but I doubt it will happen; TBH I doubt the MyBB team will "officially" do something related to this on their own at all.

I actually agree on this, to be honest.
(2012-08-13, 08:22 AM)Wolfseye Wrote: In my opinion, and don't get that wrong please, Wink any plugin submitted here should be checked by some people with real knowledge of these things and evaluated for any form of security concern; the plugin developer should be notified of that and asked to fix it before it's hosted as a plugin on the official MyBB site.

That's exactly what we do. All plugins are manually checked for anything dangerous, whether intentional or not, but checking each file line by line isn't something we have the time or manpower to do.

There is an internal discussion regarding a core place, possibly on the docs site, where vulnerable plugins would be listed. This is still in discussion though so that might not actually happen.
(2012-08-13, 06:14 PM)Nathan Malcolm Wrote: That's exactly what we do. All plugins are manually checked for anything dangerous, whether intentional or not, but checking each file line by line isn't something we have the time or manpower to do.

I don't intend to be harsh (or similar?) but you accept plugins with empty content guys, so don't, please don't comment that Nathan.
(2012-08-13, 06:26 PM)Omar G. Wrote:
(2012-08-13, 06:14 PM)Nathan Malcolm Wrote: That's exactly what we do. All plugins are manually checked for anything dangerous, whether intentional or not, but checking each file line by line isn't something we have the time or manpower to do.

I don't intend to be harsh (or similar?) but you accept plugins with empty content guys, so don't, please don't comment that Nathan.

I can't speak for every single member of staff. I'm speaking for the majority of staff. As you do not know how the verification process works I ask that you do not comment on that.
I personally download plugins that have been submitted, manually read through the code looking for places missing escapes and stuff then test the actual functionality of the plugin before approving it - that's why the current process takes as long as it does. People don't seem to understand that and that's why we get so many PMs off people basically saying "please approve my plugin - I submitted it an hour ago...".
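As an added illustration of the "missing escapes" a reviewer reads for (this is not code from the thread, from MyBB, or from any real plugin): a hypothetical MyBB 1.6-style plugin function that looks up a note by user id and tag, shown once as it might arrive for review and once hardened. The function names, the table `my_plugin_notes` and the request parameters `uid` and `tag` are invented for the example; `$mybb->input`, `$db->simple_select()`, `$db->fetch_array()`, `$db->escape_string()` and `htmlspecialchars_uni()` are MyBB's own helpers.

```php
<?php
// Added example, not MyBB's or any real plugin's code. Assumes a MyBB 1.6-style
// environment where $mybb (request) and $db (database) are globals, and a
// hypothetical table "my_plugin_notes" with columns nid, uid, tag, body.

// AS SUBMITTED: the pattern a reviewer flags. Raw request values are interpolated
// into the WHERE clause (SQL injection), and the stored body is returned to the
// template without HTML escaping (stored XSS).
function myplugin_show_note_unsafe()
{
    global $mybb, $db;

    $uid = $mybb->input['uid'];
    $tag = $mybb->input['tag'];
    $query = $db->simple_select("my_plugin_notes", "body", "uid='{$uid}' AND tag='{$tag}'");
    $note = $db->fetch_array($query);
    return "<div class=\"note\">{$note['body']}</div>";
}

// HARDENED: cast numeric input, escape string input before it reaches SQL, and
// HTML-escape on output so stored content cannot inject markup into the page.
function myplugin_show_note_safe()
{
    global $mybb, $db;

    $uid = (int)$mybb->input['uid'];                      // integer column: a cast is enough
    $tag = $db->escape_string($mybb->input['tag']);       // string column: escape for SQL
    $query = $db->simple_select("my_plugin_notes", "body", "uid='{$uid}' AND tag='{$tag}'");
    $note = $db->fetch_array($query);
    if (!$note) {
        return "";                                        // no row: render nothing
    }
    return "<div class=\"note\">" . htmlspecialchars_uni($note['body']) . "</div>";
}
```

Both functions issue the same query shape, which is why line-by-line reading is needed to tell them apart: the difference is whether each request value was cast or escaped before the SQL string was built, and whether the stored value was escaped before being placed in HTML.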
(2012-08-13, 06:14 PM)Nathan Malcolm Wrote: That's exactly what we do. All plugins are manually checked for anything dangerous, whether intentional or not, but checking each file line by line isn't something we have the time or manpower to do.

(2012-08-13, 06:33 PM)Nathan Malcolm Wrote: I can't speak for every single member of staff. I'm speaking for the majority of staff. As you do not know how the verification process works I ask that you do not comment on that.

Then be more specific, though since you are staff I should be the one wrong here, right?

---

One other thing about seeing this not working is plugin developers complaining about people openly announcing the vulnerabilities in those plugins.
(2012-08-13, 06:43 PM)Omar G. Wrote:
(2012-08-13, 06:14 PM)Nathan Malcolm Wrote: That's exactly what we do. All plugins are manually checked for anything dangerous, whether intentional or not, but checking each file line by line isn't something we have the time or manpower to do.

(2012-08-13, 06:33 PM)Nathan Malcolm Wrote: I can't speak for every single member of staff. I'm speaking for the majority of staff. As you do not know how the verification process works I ask that you do not comment on that.

Then be more specific, though since you are staff I should be the one wrong here, right?

(2012-08-13, 06:26 PM)Omar G. Wrote:
(2012-08-13, 06:14 PM)Nathan Malcolm Wrote: That's exactly what we do. All plugins are manually checked for anything dangerous, whether intentional or not, but checking each file line by line isn't something we have the time or manpower to do.

I don't intend to be harsh (or similar?) but you accept plugins with empty content guys, so don't, please don't comment that Nathan.

You should be more specific. I have never seen a case where an empty plugin has been approved. I most certainly have never done so. I'm simply saying that the majority of staff check each plugin before approval. If there's one staff member that does approve plugins without checking them, well they should. There's no doubt about that.

If you're being specific then you're saying none of us check plugins before approval which isn't true.
(2012-08-13, 06:14 PM)Nathan Malcolm Wrote: That's exactly what we do. All plugins are manually checked for anything dangerous, whether intentional or not, but checking each file line by line isn't something we have the time or manpower to do.

I never understood this, to be honest. Based on Nathan's comment, it's clear that there is a possibility that someone could upload a potentially harmful plugin deliberately and it could be approved. For example, one line of code could delete a forum's entire user table. It's horrendous to know that plugins like these have the possibility to be uploaded and approved.

I totally understand that MyBB staff are volunteers, but that's no excuse for allowing a potentially harmful plugin to be uploaded to the mods database. If staff don't have the time to review each plugin thoroughly, then don't provide users with a mods database. Security should be top priority, not quantity. I'd rather see half the amount of fully approved plugins in the database than a huge bunch of plugins that are not thoroughly checked and "may" be potentially harmful.