Comments (11)
Regarding the metadata submitted, I will add a GitHub action extracting these from the submitted .s4ext
file and posting it as a comment to the PR.
from extensionsindex.
I agree that it is an extra step to look these up. For this reason, I don't even attempt to review a PR on my phone etc.
Asking the submitter to manually copy some details would not help much because we actually need to check if the source (s4ext file, source code, website) are correct. These are all also expected to change (even the extension name, repository URL, etc. is often changed as a result of the review process).
@jcfr's suggestion for automatically extracting (and maybe also validating, comparing if the content matches, valid, etc.) using GitHub actions could help. It would be necessary to be able to regenerate this report at any time, because most of the files are outside the ExtensionsIndex repository, so the GitHub action would not be triggered automatically.
I'm also wondering if we are trying to do too much. Maybe we could just let anyone submit almost anything and just but assign a trust level to each extension (0 = not reviewed, 1 = passed basic review, experimental, ... 4 = commonly used, well maintained, essential extension) to let users know what they can expect. We could filter the extensions manager to show TL >=1 extensions by default.
from extensionsindex.
Maybe we could just let anyone submit almost anything
Would this further open up the factory build machine to security risks? The build machine already has extensions building based on a branch name which allows for the maintainers of those repos to push anything which could include malicious execution of scripts on the factory build machines? @jcfr Is there anything being done to mitigate this risk?
from extensionsindex.
In addition to the build machines, which probably don't have any valuable data anyway, allowing unreviewed extensions to be installed on user machines is a big security risk too since they are running with the user's privileges.
from extensionsindex.
PyPI is free for all, without any security or other audit whatsoever. Therefore, even if we review a package and even if we lock the extension git hash, somebody can still sneak malicious content. It is of course a universal problem that all app stores suffer from. Slicer is not worse than for example the Chrome extensions store. Let's talk about it more at today's weekly meeting.
from extensionsindex.
Sorry Iām unable to attend the weekly meeting today though I would be interested in what you all discuss. If there is less review of extension submissions that then results in malicious code, does the extension store have liability as well (Kitware since packages are served from their server) in addition to the malicious actors?
Detailing first party extensions could help to promote trust when browsing the extensions manager. These would be extensions within the Slicer GitHub organization.
from extensionsindex.
If there is less review of extension submissions that then results in malicious code
Less review is extremely unlikely to result in more malicious code. More malicious code will appear if there are more malicious actors.
does the extension store have liability as well
We keep following standard industry practices here: zero liability. Maybe we should show a disclaimer in the extension manager to clarify this?
Detailing first party extensions could help to promote trust
I agree this could be the key: provide information on how much we trust the developers. It could be a distinct score from the extension's quality (e.g., modules save their state into the scene) or maturity (e.g., algorithms are validated), or we could have a combined metric for all these qualities.
from extensionsindex.
Maybe we could just let anyone submit almost anything
I have to say this discussion veered off quite far from the initial topic! I personally do not see why it would be important to let anyone submit just anything, and I do not see why it would be a burden at all to write few sentences about what the extension is doing. If that is too hard, what can be expected in terms of maintenance of the extension?
from extensionsindex.
We need to decide if we want to simplify the review process. If we choose to simplify by deciding based on the submitted metadata then it makes sense to make all metadata conveniently accessible in the pull request, because the whole decision could just take a few minutes. If we decide to keep extension reviews as thorough as they are currently (taking 4-8 hours including initial review and follow-ups with developers), then we can close this issue right now, because saving a few minutes in the review process does not matter.
The underlying issue is that we are getting more extension submissions that we do not have time to thoroughly review and bring up to current standards. We either discourage developers from contributing by our long response time or we let low-quality extensions published in the app store. I think discouraging developers is very bad, so I'm trying to see if it was possible to let in low-quality extensions without hurting users.
from extensionsindex.
I really wish people could distribute extensions without going through the extension index. It puts us in the loop for every project in a way that's different from the github, npm, and pypi model.
from extensionsindex.
@lassoan thank you for the response. I now understand how poorly timed my suggestion was. I most definitely appreciate it takes huge effort to review the submissions. I didn't mean to make your work more complicated!
I have to say that, at the same time, if the PR has a description of the extension, it would perhaps be more likely for someone who is not usually reviewing extension to be motivated to spend time testing it, if it is within the are of expertise or interest for that person. So it potentially could help you. For example, if I see an extension related to prostate cancer (or other applications where we have interest and expertise), I would be more than willing to ask the engineer working with me to spend time testing it and summarizing experience, or even do it myself.
from extensionsindex.
Related Issues (20)
- CI: Additional tests HOT 1
- Failed to register TorchIO extension HOT 18
- trying to add auto3dgm extension to slicer HOT 1
- Icon and description in Extensions Manager HOT 4
- ABL Temporal Bone Segmentation extension HOT 4
- Missing Python files in TorchIO extension on 4.13.0-2020-11-30 (revision 29496 / f5944be) linux-amd64 HOT 5
- Bad dependencies kill entire extension build HOT 3
- Allow logos with higher resolution HOT 10
- ExtraMarkups is not built for Slicer 5.2.2 HOT 2
- Extensions with invalid homepage, iconurl and screenshots metadata
- Repository name test fails if url contains a trailing slash
- 2023.12.12: An extension displays a blocking popup related to CUDA installation HOT 18
- 2024.02.02: SlicerBreast_DCEMRI_FTV extension displays a blocking popup
- Meta issue referencing extension updates HOT 3
- Update readme file for json files
- Remove Auto3DGM from extension catalogue HOT 1
- Meta issue referencing extension package upload fixes
- Meta issue referencing extension config&build fixes
- 2024.06.21: An extension displays a blocking popup related to DICOM SEG meta-data
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
š Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ššš
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ā¤ļø Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from extensionsindex.