[Project_owners] Wikifying old projects? A recycling idea...
cougio at gmail.com
Mon Aug 29 05:22:03 EDT 2005
Funny thing is the mailing list is providing the answer for me. Check
out the thread right below this one about an official project: "Oh
yeah, the strapline 'sign your life away' makes me want to check the
code before I use it too much :)"
The "what if someone puts garbage on the page" issue is irrelevant at
best because the user will see it and skip the page, and it will get
fixed quickly. But there is a security issue: someone posting an
infected xpi... this is wiki would not be just about text, but
installable software. But the fact is, there is no formal review
process in place for official projects either (setting one up, maybe
matching project owners so they review each others code would provide
an incentive to review others code and improve the overall quality of
code) and I don't think you can say for sure no mozdev project has
some spyware or crap in it. It's true that the less a project is used,
the more likely it is some crap may slip in and a security notice
should definitely be put on in the static text.
A central reviewed-and-approved repository has uses for people who
want safe stuff only, but many are also willing to review the code
themselves or take the risk to get the bleeding edge. Wikified
projects would be less secure than maintained ones, but not by much in
my opinion and as Balvin mentions, it is in fact likely that correctly
done, the wiki mods will be watched by more eyes than individual
projects and that should compensate, and likely be even better than
projects used by few people and maintained by a single developper
who's code never gets looked at by someone else. There could also be a
simple system where project owners only can put a special notice that
a certain xpi was checked and "should" be safe, and any user can also
post a notes saying it worked for them.... The only security central
repositories provide is context information and "appeal to authority"
(having credible people say it's safe), and a wiki can provide it too,
if less formally.
More information about the Project_owners