Add ons manager - development and bugs topic

[yorik]

Ok this is now done in git commit 334222540, it should now be easier to support other git hosting platforms. It's just a couple of additional cases to add at the end of addon_utilities.py.

It is now possible to install the mooc WB without python-git.

Unfortunately, for the readme, it is generated in the browser, on the fly, with javascript. So it's not present when downloading the HTML of the page and we can't read it... This is silly, don't know why gitlab people did it that way...

[sgrogan]

Unfortunately, for the readme, it is generated in the browser, on the fly, with javascript. So it's not present when downloading the HTML of the page and we can't read it... This is silly, don't know why gitlab people did it that way...

Thanks yorik it gets better everyday!

Maybe now we should bounce this message down a level?

w.PNG (22.6 KiB) Viewed 2141 times

The stuff available from addon manager are not reviewed by the core FreeCAD team, but they are vetted (sometimes more or less) by the FreeCAD community.
IMHO this warning is warranted for the "configure" ie custom workbenches.I think the user should still opt in to addons, only with a softer message?

[jmaustpc]

Maybe now we should bounce this message down a level?

I think the message should be strong because we don't have any approval or moderation system at all. Since it's so easily installed from within FreeCAD people could very likely get a false sense of security.

[yorik]

maybe instead of "are not reviewed by the FreeCAD team" (because indeed they are, more or less), we could say something like "are not under the responsibility of the FreeCAD team"?

[Kunda1]

maybe instead of "are not reviewed by the FreeCAD team" (because indeed they are, more or less), we could say something like "are not under the responsibility of the FreeCAD team"?

@yorik, more or less is pretty vague though. Maybe we can be specific about what are vetting process is? Eventually, as FC grows we're going to need some sort of more in-depth vetting process. But that is still down the road

[sgrogan]

@yorik, more or less is pretty vague though.

I think this was in just my term.

Stuff in the add-ons repo is not the responsibility of the FreeCAD team. They are basically community vetted. After all that got added to the repo somehow.
From the configure tab a stronger message is warranted in my opinion. These could come from anywhere.

I'm in agreement with yorik that the add-on developers should become more "first class citizens" In commercial products sometimes these things are "Trusted Partners"

[Kunda1]

I'll clarify, i'm coming from the perspective of a user now. All these Addons/Workbenches with lots of code and functions and the ability to use python or git to download things from the web or start local servers (*cough*backdoors*cough*) etc... how do i know that I'm not compromising my box when I install these things?
There are all sorts of stories of attempts to compromise services like npm and even audacious attempts at the linux kernel.

As FC becomes more and more popular (we're seeing this as moderators where users are joining at an exponential rate daily!) we're going to need to think about how to seriously vet this 3rd party code or make distinctions between level of vetting.

This has been on my mind and i apologize if this takes the conversation off topic but just wanted to insert a nagging anxiety that I've been feeling for a while now (especially helping @yorik with the Addons repo).

[sgrogan]

This has been on my mind and i apologize if this takes the conversation off topic but just wanted to insert a nagging anxiety that I've been feeling for a while now (especially helping @yorik with the Addons repo).

We should open a new thread to discuss this. As the Addon manager becomes more and more mature the discussion is more important.

[yorik]

Maybe we could think of a proper "reviewing" system. That is, there would be addons that got reviewed by us, some which aren't. That would allow us to keep adding any new addon to the list, but it would help making trusted people feel trusted.

But there are complicated issues, though: We can trust people we know for quite some time, who have discussed their addons here on the forum, etc. But that would be a trust system based on the person, not the code. It's not fair. A new unknown addon developer should be able to ask for review too, which we could do. But since people can change their code all the time, this could quickly require huge amounts of reviewing time...

[Kunda1]

2 bugs in Addon Manager:
1. after uninstalling addon all logos for other addons dissappear in the Addon Manager dialog
2. after uninstalling an addon, click around on different addons (happens sometimes with just 1 but average is 3 different attempts) FC will crash hard with a very unhelpful error (this may be appimage related.
Relevant thread:
https://forum.freecadweb.org/viewtopic.php?f=3&t=37721