I want to talk about extension safety.
Some marketplaces have processes to check that applications/extensions are free of malware (like the App Store). Sometimes you have to wait until your code is approved.
The fact that Flarum uses composer allows us to quickly create extensions and also allows us to not depend on any official distribution system/marketplace. This makes it pretty easy to create malicious extensions and get users to install them on their servers.
Even official marketplaces don't comfort me very much with this kind of thing, because I often don't know what they really check. I was thinking of introducing a way to measure extension trust without depending on every extension going through a verification process.
Developers could review extension code they find and give it a rating (example: fully trusted, code safe but dangerous dependencies, unsafe, malicious) and sign it along with the packagist/github url, version number and md5 checksum with a PGP key, ideally one from Keybase.
All these signatures could be published in a GitHub repo/Gist/anything really. Any marketplace (or an extension) could fetch these signatures and check the reviews.
Using Keybase would mean that I could give a list of Twitter or GitHub usernames of devs I trust and the marketplace will tell me which extensions they approved. All this could be done through a GitHub/Twitter login in the marketplace, but using Keybase means anyone can check the authenticity of the review as well as the identity of the reviewer.
I've not seen this kind of thing for any marketplace at the moment. I will try building a proof of concept, but in the meantime I thought I could get some feedback here.
My idea is to create documentation for a JSON-formatted signature that includes the data from above, a webservice to easily allow devs to generate that JSON payload and then publish the signature in a GitHub repo on my account. The repo could then be used as a composer dependency for a trust check extension.
What do you think?
PS: I certainly could do with a security expert to decide what to put into that JSON payload.
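As an added example (not part of this post and not Flarum or Keybase code), here is what the signed review payload and the trust check described above could look like in Go. It uses ed25519 from the Go standard library as a stand-in for PGP/Keybase signing, and SHA-256 instead of MD5 (MD5 is not collision-resistant, so two different archives could carry the same checksum). The package name, repository URL, version, reviewer names and archive bytes are constructed sample values. Two design points worth noting: the verifier looks up the public key by the reviewer identity inside the signed payload, so a payload cannot be re-attributed to a different reviewer, and when several trusted reviewers disagree the worst rating wins.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Verdict is the reviewer's rating, using the four levels proposed in the post.
type Verdict string

const (
	FullyTrusted  Verdict = "fully-trusted"
	DangerousDeps Verdict = "safe-code-dangerous-dependencies"
	Unsafe        Verdict = "unsafe"
	Malicious     Verdict = "malicious"
)

// rank orders verdicts from best to worst so conflicting reviews resolve pessimistically.
var rank = map[Verdict]int{FullyTrusted: 0, DangerousDeps: 1, Unsafe: 2, Malicious: 3}

// Review is the payload a reviewer signs. Struct field order fixes the JSON
// field order, so the encoding is deterministic.
type Review struct {
	Package   string  `json:"package"`    // packagist name (sample value in tests)
	SourceURL string  `json:"source_url"` // repository the reviewer actually read
	Version   string  `json:"version"`
	Checksum  string  `json:"sha256"` // hex SHA-256 of the release archive
	Verdict   Verdict `json:"verdict"`
	Reviewer  string  `json:"reviewer"` // Keybase-style identity of the signer
}

// SignedReview is the publishable envelope: the exact payload bytes plus the
// signature over them. Keeping the raw bytes avoids re-serialisation mismatches.
type SignedReview struct {
	Payload   json.RawMessage `json:"payload"`
	Signature string          `json:"signature"` // base64 ed25519 signature
}

// SignReview serialises the review and signs the exact bytes that get published.
func SignReview(r Review, priv ed25519.PrivateKey) (SignedReview, error) {
	payload, err := json.Marshal(r)
	if err != nil {
		return SignedReview{}, err
	}
	sig := ed25519.Sign(priv, payload)
	return SignedReview{Payload: payload, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifySignedReview checks the signature with the key registered for the
// reviewer named inside the payload and rejects unknown verdict values.
func VerifySignedReview(sr SignedReview, trusted map[string]ed25519.PublicKey) (Review, error) {
	var r Review
	if err := json.Unmarshal(sr.Payload, &r); err != nil {
		return Review{}, err
	}
	pub, ok := trusted[r.Reviewer]
	if !ok {
		return Review{}, fmt.Errorf("reviewer %q is not in the trusted set", r.Reviewer)
	}
	if _, ok := rank[r.Verdict]; !ok {
		return Review{}, fmt.Errorf("unknown verdict %q", r.Verdict)
	}
	sig, err := base64.StdEncoding.DecodeString(sr.Signature)
	if err != nil {
		return Review{}, err
	}
	if !ed25519.Verify(pub, sr.Payload, sig) {
		return Review{}, errors.New("signature does not verify")
	}
	return r, nil
}

// Evaluate returns the worst verdict among valid reviews that match the package,
// version and archive checksum exactly; non-matching or invalid reviews are ignored.
func Evaluate(reviews []SignedReview, trusted map[string]ed25519.PublicKey, pkg, version string, archive []byte) (Verdict, error) {
	h := sha256.Sum256(archive)
	sum := hex.EncodeToString(h[:])
	var worst Verdict
	for _, sr := range reviews {
		r, err := VerifySignedReview(sr, trusted)
		if err != nil || r.Package != pkg || r.Version != version || r.Checksum != sum {
			continue
		}
		if worst == "" || rank[r.Verdict] > rank[worst] {
			worst = r.Verdict
		}
	}
	if worst == "" {
		return "", errors.New("no valid review from a trusted reviewer for this exact archive")
	}
	return worst, nil
}

func main() {
	// Constructed demo: a fixed seed stands in for a reviewer's real key.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, 32))
	archive := []byte("constructed release archive bytes")
	h := sha256.Sum256(archive)
	r := Review{Package: "vendor/flarum-ext-demo", SourceURL: "https://github.com/vendor/flarum-ext-demo",
		Version: "1.2.0", Checksum: hex.EncodeToString(h[:]), Verdict: DangerousDeps, Reviewer: "alice"}
	sr, _ := SignReview(r, priv)
	trusted := map[string]ed25519.PublicKey{"alice": priv.Public().(ed25519.PublicKey)}
	v, err := Evaluate([]SignedReview{sr}, trusted, r.Package, r.Version, archive)
	fmt.Println(v, err)
}
```

The marketplace or trust-check extension would load the trusted map from the user's list of Keybase identities and their published keys, fetch the `SignedReview` envelopes from the signature repo, and call `Evaluate` against the archive composer is about to install.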