This is a very general question, and I think my context does not matter to it.
Let’s say there’s a plug-in system, so users will be able to install plug-ins and have new functionality, so they’ll like to go on and install them carelessly.
But there’s the security concern. Plugins could contain badly-written code, or even malicious code.
One solution to stability is to isolate the plugins from the rest of the app (which is what Google Chrome does, to great effect).
But regarding security, it’s different.
If I were to make sure the plugins would be “safe to install”, that would not only put a lot of restrictions on plugins, but also would force me to make a whole API/format for plugins (let’s say embed a scripting engine), which I’d rather not do (much simpler is to have them as libraries).
So, what can I do about plugins? Should the user be responsible for its security? Should I require source code for plugin submissions and inspect/sign “trusted plugins”?
What would you do? (It’s not an enterprise app, it’s a personal project to be released open-source).
If it is an open source project, then I guess most of the plugins will also be open source, which means that anyone (of course, only the experienced part of your community will do it) can explore the source code of the plugin, and that makes it less secure and more secure at the same time. Because anyone can discover security problems by exploring the code and exploit those problems, but on the other hand security problems will become known and fixed quite fast depending on your community activity. And, of course, it is less likely that someone will put malicious code into an open source plugin on purpose.
You can also create a plugin site where users will post their rating of the plugin and you (as site and product owner) can recommend some of the good and “safe” plugins. That’s what Mozilla and many others do.
But in general, I think that the user should be responsible for security in any case. Controlling everything is expensive. You never know how many security bugs you have in your code and you never know how many plug-ins are there. Let the community do the job since it’s open source.