You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cordova.apache.org by Joe Bowser <bo...@gmail.com> on 2012/09/13 21:15:36 UTC
[Android] CB-1062 : Should a plugin be able to get an instance of any
plugin via plugin manager?
Hey
So, this was a feature request and I can see how it can be useful, but
I can also see how an untrusted plugin can go and totally screw with
other plugins. I know that we basically assume that developers who
use plugins know what they are doing, but after all the times we broke
plugins we know that this definitely isn't the case. So, how do
people feel about this issue? Should we punt it and say that it's a
security risk because application devs can't read Java, or do we allow
it and warn plugin developers.
Any thoughts?
Joe
Re: [Android] CB-1062 : Should a plugin be able to get an instance
of any plugin via plugin manager?
Posted by Filip Maj <fi...@adobe.com>.
Late to the party but I think this is a reasonable request.
On 9/14/12 3:41 PM, "Simon MacDonald" <si...@gmail.com> wrote:
>The more the merrier.
>
>Simon Mac Donald
>http://hi.im/simonmacdonald
>
>
>On Fri, Sep 14, 2012 at 5:36 PM, Joe Bowser <bo...@gmail.com> wrote:
>
>> OK, so the guy posted his use case. I think we should ask him for a
>> patch, since he clearly has implemented it already.
>>
>> Thoughts?
>>
>> On Thu, Sep 13, 2012 at 2:15 PM, Joe Bowser <bo...@gmail.com> wrote:
>> > I don't know why this is needed, to be honest. I'll ask in the
>>ticket.
>> >
>> > On Thu, Sep 13, 2012 at 12:52 PM, Simon MacDonald
>> > <si...@gmail.com> wrote:
>> >> That's my question, why do we need this?
>> >>
>> >> Simon Mac Donald
>> >> http://hi.im/simonmacdonald
>> >>
>> >>
>> >> On Thu, Sep 13, 2012 at 3:46 PM, Andrew Grieve <ag...@chromium.org>
>> wrote:
>> >>
>> >>> I don't think there's any such thing as an untrusted plugin when
>>you're
>> >>> talking about letting it include whatever source it wants in your
>> project.
>> >>>
>> >>> I think this request is reasonable, but I'd also be curious to know
>> what
>> >>> the use-cases are.
>> >>>
>> >>>
>> >>> On Thu, Sep 13, 2012 at 3:15 PM, Joe Bowser <bo...@gmail.com>
>>wrote:
>> >>>
>> >>> > Hey
>> >>> >
>> >>> > So, this was a feature request and I can see how it can be useful,
>> but
>> >>> > I can also see how an untrusted plugin can go and totally screw
>>with
>> >>> > other plugins. I know that we basically assume that developers
>>who
>> >>> > use plugins know what they are doing, but after all the times we
>> broke
>> >>> > plugins we know that this definitely isn't the case. So, how do
>> >>> > people feel about this issue? Should we punt it and say that it's
>>a
>> >>> > security risk because application devs can't read Java, or do we
>> allow
>> >>> > it and warn plugin developers.
>> >>> >
>> >>> > Any thoughts?
>> >>> >
>> >>> > Joe
>> >>> >
>> >>>
>>
Re: [Android] CB-1062 : Should a plugin be able to get an instance of
any plugin via plugin manager?
Posted by Simon MacDonald <si...@gmail.com>.
The more the merrier.
Simon Mac Donald
http://hi.im/simonmacdonald
On Fri, Sep 14, 2012 at 5:36 PM, Joe Bowser <bo...@gmail.com> wrote:
> OK, so the guy posted his use case. I think we should ask him for a
> patch, since he clearly has implemented it already.
>
> Thoughts?
>
> On Thu, Sep 13, 2012 at 2:15 PM, Joe Bowser <bo...@gmail.com> wrote:
> > I don't know why this is needed, to be honest. I'll ask in the ticket.
> >
> > On Thu, Sep 13, 2012 at 12:52 PM, Simon MacDonald
> > <si...@gmail.com> wrote:
> >> That's my question, why do we need this?
> >>
> >> Simon Mac Donald
> >> http://hi.im/simonmacdonald
> >>
> >>
> >> On Thu, Sep 13, 2012 at 3:46 PM, Andrew Grieve <ag...@chromium.org>
> wrote:
> >>
> >>> I don't think there's any such thing as an untrusted plugin when you're
> >>> talking about letting it include whatever source it wants in your
> project.
> >>>
> >>> I think this request is reasonable, but I'd also be curious to know
> what
> >>> the use-cases are.
> >>>
> >>>
> >>> On Thu, Sep 13, 2012 at 3:15 PM, Joe Bowser <bo...@gmail.com> wrote:
> >>>
> >>> > Hey
> >>> >
> >>> > So, this was a feature request and I can see how it can be useful,
> but
> >>> > I can also see how an untrusted plugin can go and totally screw with
> >>> > other plugins. I know that we basically assume that developers who
> >>> > use plugins know what they are doing, but after all the times we
> broke
> >>> > plugins we know that this definitely isn't the case. So, how do
> >>> > people feel about this issue? Should we punt it and say that it's a
> >>> > security risk because application devs can't read Java, or do we
> allow
> >>> > it and warn plugin developers.
> >>> >
> >>> > Any thoughts?
> >>> >
> >>> > Joe
> >>> >
> >>>
>
Re: [Android] CB-1062 : Should a plugin be able to get an instance of
any plugin via plugin manager?
Posted by Joe Bowser <bo...@gmail.com>.
OK, so the guy posted his use case. I think we should ask him for a
patch, since he clearly has implemented it already.
Thoughts?
On Thu, Sep 13, 2012 at 2:15 PM, Joe Bowser <bo...@gmail.com> wrote:
> I don't know why this is needed, to be honest. I'll ask in the ticket.
>
> On Thu, Sep 13, 2012 at 12:52 PM, Simon MacDonald
> <si...@gmail.com> wrote:
>> That's my question, why do we need this?
>>
>> Simon Mac Donald
>> http://hi.im/simonmacdonald
>>
>>
>> On Thu, Sep 13, 2012 at 3:46 PM, Andrew Grieve <ag...@chromium.org> wrote:
>>
>>> I don't think there's any such thing as an untrusted plugin when you're
>>> talking about letting it include whatever source it wants in your project.
>>>
>>> I think this request is reasonable, but I'd also be curious to know what
>>> the use-cases are.
>>>
>>>
>>> On Thu, Sep 13, 2012 at 3:15 PM, Joe Bowser <bo...@gmail.com> wrote:
>>>
>>> > Hey
>>> >
>>> > So, this was a feature request and I can see how it can be useful, but
>>> > I can also see how an untrusted plugin can go and totally screw with
>>> > other plugins. I know that we basically assume that developers who
>>> > use plugins know what they are doing, but after all the times we broke
>>> > plugins we know that this definitely isn't the case. So, how do
>>> > people feel about this issue? Should we punt it and say that it's a
>>> > security risk because application devs can't read Java, or do we allow
>>> > it and warn plugin developers.
>>> >
>>> > Any thoughts?
>>> >
>>> > Joe
>>> >
>>>
Re: [Android] CB-1062 : Should a plugin be able to get an instance of
any plugin via plugin manager?
Posted by Joe Bowser <bo...@gmail.com>.
I don't know why this is needed, to be honest. I'll ask in the ticket.
On Thu, Sep 13, 2012 at 12:52 PM, Simon MacDonald
<si...@gmail.com> wrote:
> That's my question, why do we need this?
>
> Simon Mac Donald
> http://hi.im/simonmacdonald
>
>
> On Thu, Sep 13, 2012 at 3:46 PM, Andrew Grieve <ag...@chromium.org> wrote:
>
>> I don't think there's any such thing as an untrusted plugin when you're
>> talking about letting it include whatever source it wants in your project.
>>
>> I think this request is reasonable, but I'd also be curious to know what
>> the use-cases are.
>>
>>
>> On Thu, Sep 13, 2012 at 3:15 PM, Joe Bowser <bo...@gmail.com> wrote:
>>
>> > Hey
>> >
>> > So, this was a feature request and I can see how it can be useful, but
>> > I can also see how an untrusted plugin can go and totally screw with
>> > other plugins. I know that we basically assume that developers who
>> > use plugins know what they are doing, but after all the times we broke
>> > plugins we know that this definitely isn't the case. So, how do
>> > people feel about this issue? Should we punt it and say that it's a
>> > security risk because application devs can't read Java, or do we allow
>> > it and warn plugin developers.
>> >
>> > Any thoughts?
>> >
>> > Joe
>> >
>>
Re: [Android] CB-1062 : Should a plugin be able to get an instance of
any plugin via plugin manager?
Posted by Simon MacDonald <si...@gmail.com>.
That's my question, why do we need this?
Simon Mac Donald
http://hi.im/simonmacdonald
On Thu, Sep 13, 2012 at 3:46 PM, Andrew Grieve <ag...@chromium.org> wrote:
> I don't think there's any such thing as an untrusted plugin when you're
> talking about letting it include whatever source it wants in your project.
>
> I think this request is reasonable, but I'd also be curious to know what
> the use-cases are.
>
>
> On Thu, Sep 13, 2012 at 3:15 PM, Joe Bowser <bo...@gmail.com> wrote:
>
> > Hey
> >
> > So, this was a feature request and I can see how it can be useful, but
> > I can also see how an untrusted plugin can go and totally screw with
> > other plugins. I know that we basically assume that developers who
> > use plugins know what they are doing, but after all the times we broke
> > plugins we know that this definitely isn't the case. So, how do
> > people feel about this issue? Should we punt it and say that it's a
> > security risk because application devs can't read Java, or do we allow
> > it and warn plugin developers.
> >
> > Any thoughts?
> >
> > Joe
> >
>
Re: [Android] CB-1062 : Should a plugin be able to get an instance of
any plugin via plugin manager?
Posted by Andrew Grieve <ag...@chromium.org>.
I don't think there's any such thing as an untrusted plugin when you're
talking about letting it include whatever source it wants in your project.
I think this request is reasonable, but I'd also be curious to know what
the use-cases are.
On Thu, Sep 13, 2012 at 3:15 PM, Joe Bowser <bo...@gmail.com> wrote:
> Hey
>
> So, this was a feature request and I can see how it can be useful, but
> I can also see how an untrusted plugin can go and totally screw with
> other plugins. I know that we basically assume that developers who
> use plugins know what they are doing, but after all the times we broke
> plugins we know that this definitely isn't the case. So, how do
> people feel about this issue? Should we punt it and say that it's a
> security risk because application devs can't read Java, or do we allow
> it and warn plugin developers.
>
> Any thoughts?
>
> Joe
>