Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proposal - Reverse submission work-flow #93

Open
brandonlamb opened this issue Nov 1, 2016 · 12 comments
Open

Proposal - Reverse submission work-flow #93

brandonlamb opened this issue Nov 1, 2016 · 12 comments

Comments

@brandonlamb
Copy link

Instead of creating a bottleneck with moderators/approvers, what if when an asset was submitted it was automatically available.

At that point it could show as "community" supported, and then the testing support can be added once a moderator/approver tests out the asset.

You could possibly ping github to validate/verify the repo as required (some kind of spam protection?).

@bojidar-bg
Copy link
Contributor

@akien-mga I'm thinking... what if we expose a "testing API", which would allow everyone to get "bleeding edge" versions by autoapplying all edits on demand (and disabling SHA protections). Wouldn't this solve issues such as this one and #94?

@brandonlamb
Copy link
Author

Possibly. I guess I was questioning do you really want to be in the business of having to review every single submission and edit. Is that maintainable if this really takes off?

The reverse could be allowing users to feel safe by filtering/downloading "curated" (moderated) assets, while still being able to download "uncurated" which havent been reviewed/tested yet.

Or allow the community to do this via ratings or "as a user, i verify this worked for me".

@akien-mga
Copy link
Member

akien-mga commented Nov 1, 2016

Well it's not about checking that assets work, it's about security. We don't want Godot to be a major security vulnerability, where malicious content could be installed on the machines of our users via the assetlib.
With the way the assetlib works (allowing you to download the contents of any public git repo), it's trivial to ship a malicious binary and have it executed automatically by Godot using os.execute().

This is also way we validate all approved zip archives with their sha256 sum.

@brandonlamb
Copy link
Author

I'm not passionate enough about this topic to argue one way or another but would ask the question, isn't it as possible to download an npm module that does the same? Does someone review all npm modules submitted? Any shared code can potentially harmful code.

Does unity review all source code of submitted user assets (maybe they do)?

@vnen
Copy link
Member

vnen commented Nov 1, 2016

I think it's possible to do a "caveat user", wash our hands a bit and do the reverse approach: banning malicious content. However, we need to make sure the submission process can't be too automated to avoid bots filling the asset lib with bad content. If account and asset creation are manual and we enable GitHub hooks to just auto-update the assets, I believe it is manageable. (I assume the other providers have a similar function).

At one point there might be too much stuff to manually moderate, making the process itself less reliable anyway.

Just my 2 cents.

@arypbatista
Copy link

I would suggest: let's continue with the manual-moderation approach but let the community have access to the listings through a REST API: { name, version, url }

@kjcasey
Copy link

kjcasey commented Sep 18, 2017

Just used the reverse-submission work flow to manually moderate a few nasty sounding (curated) bugs that had been promoted to high status. That should buy me at least another 24 hour life-cycle. Thanks to all the coding contributors! You rock on!

@mhilbrunner
Copy link
Member

mhilbrunner commented Sep 26, 2017

I think your time would be better spent elsewhere, working on Godot, rather than looking at asset submissions - sure, ban reported malicious stuff, but GitHub doesn't screen public repos, neither does any package repository I know of. (pip? npm?)

Developers have to do due diligence when including a third party dependency anway:

Is it working? Is it secure? Is it maintained? Is it maintainable?

That should not be your job. You can recommend (curate) assets, but you should not aim to be the gatekeeper of every available asset.

Now, if, at some point, assets are available for money on the Asset Library and you get a cut of the profit, sure, moderate away. :)

Edit: Seeing as there is a "cost" filter on the Asset Library, I seem to have missed that this may already be the case, even if most (all?) currently available assets are free. In that case, moderate assets with price > 0?

@willnationsdev
Copy link

@mhilbrunner

Developers have to do due diligence when including a third party dependency anway...That should not be your job. You can recommend (curate) assets, but you should not aim to be the gatekeeper of every available asset.

Preach it man~ ;-)

@Calinou
Copy link
Member

Calinou commented Jun 22, 2018

What about automatically approving assets submitted by users who already have at least one asset approved?

@willnationsdev
Copy link

@Calinou At a bare minimum, I'd think that should work.

@follower
Copy link

Developers have to do due diligence when including a third party dependency anway:

I think it's worth keeping in mind that--in the context of Godot--"developers" includes e.g. less technical/experienced people such as designers and kids/teens coding their first game and therefore less able to evaluate code.

Another factor is the stated desire to keep the Godot core minimal and have standard practice be to require some functionality to be installed separately.

In addition, with any sort of package hosting system IMO it's pretty much inevitable that a malicious/damaging package submission will appear or be attempted--whether that's due to mistake, purposefully or due to a security breach. And if it's an open source project there's probably an issue just like this one that gets pointed to as a result. :)

I agree that it would be nice if the core developers were freed from doing review work but would there be enough other community members to step up to form a review team?

If such an event is "inevitable" I think it's worthwhile to consider these questions in relation to the topic:

  1. What process/precautions can be put in place to be prevent such an occurrence?
  2. How will damage be reversed/fixed/prevented should such an event occur?
  3. What will be the cost/impact of such an event on the project?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

10 participants