manual installer
greggles - July 10, 2008 - 21:20
| Project: | Plugin Manager |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | task |
| Priority: | normal |
| Assigned: | jabapyth |
| Status: | closed |
Description
I just noticed this commit - http://drupal.org/cvs?commit=125744
I think that the manual installer provides a great feature - it allows you to install a tarball from anywhere which might be useful to people who use modules from outside of d.o.
Perhaps it should be hidden somewhat but for now I think it is a great thing to leave in to isolate testing different pieces of the module.
What do you think?

#1
Though any address could have been supplied in the installer, only an address from d.o would have worked. The function that downloads files can, by design, only download files from Drupal.org. This was done so that, in the event that the XML stream at update.drupal.org was compromised, a vulnerability was found in the plugin_manager module, or the server fell victim to DNS poisoning (remapping update.drupal.org with evilhacker.com) causing the corruption of the repository, arbitrary code could not be downloaded from any location.
However, if the benefits of allowing code to be downloaded from other locations outweigh any potential problems, I am willing to add that ability (and in turn, the manual page.)
#2
I think installing from third party sources (i.e. other than d.o) is a nice feature to have. This is like RPM and APT, they can use any repository not just a single one. Of course, we need to put a big warning that third party repos have far less visibility than d.o, and hence can be less secure and even more prone to contain malicious code.
Joshua, this is not a top priority though, let us finish what we set out to do first, then add these extra things.
#3
Sounds good. I will add this to the todo list. It hopefully shouldn't take long.
#4
Agreed. It might also make sense to limit these based on repositories that are in a configuration variable in the settings.php. Otherwise if someone gets access to this then they could install any module they want (including dangerous ones).
Limiting it to drupal.org for now seems fine to me.
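The host restriction described in #1 and the settings.php allowlist suggested in #4 could look like the following. This is an added example, not part of the thread and not Plugin Manager's code; the function names, the `example_allowed_hosts` key and the sample URLs are hypothetical, and the MD5 check assumes the expected hash comes from a source other than the download itself.

```php
<?php
// Added illustration; all names here are hypothetical, not Plugin Manager's API.

// Hypothetical settings.php entry: exact hostnames allowed to serve tarballs.
$conf['example_allowed_hosts'] = array('drupal.org', 'ftp.drupal.org');

/**
 * Returns TRUE only for plain http(s) URLs whose host is on the allowlist.
 */
function example_url_is_allowed($url, array $allowed_hosts) {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  if (!in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return FALSE;
  }
  // "http://drupal.org@other.example/" parses with host "other.example";
  // refuse any URL carrying userinfo rather than reasoning about it.
  if (isset($parts['user']) || isset($parts['pass'])) {
    return FALSE;
  }
  // Exact match only: a suffix or substring test would accept
  // "drupal.org.other.example" or "notdrupal.org".
  $host = rtrim(strtolower($parts['host']), '.');
  return in_array($host, $allowed_hosts, TRUE);
}

/**
 * Compares downloaded bytes against an MD5 obtained out of band.
 */
function example_md5_matches($data, $expected_md5) {
  return md5($data) === strtolower(trim($expected_md5));
}

// Constructed sample URLs, for illustration only.
$samples = array(
  'http://ftp.drupal.org/files/projects/example-6.x-1.0.tar.gz', // allowed
  'http://drupal.org.other.example/example.tar.gz',              // rejected
  'http://drupal.org@other.example/example.tar.gz',              // rejected
  'ftp://drupal.org/example.tar.gz',                             // rejected
);
foreach ($samples as $url) {
  $ok = example_url_is_allowed($url, $conf['example_allowed_hosts']);
  print ($ok ? 'allow ' : 'deny  ') . $url . "\n";
}
```

The same check has to be repeated on the target of any HTTP redirect the downloader follows, since validating only the first URL leaves the final location unchecked.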
#5
I realize this task has been "postponed" for something like 10 weeks. Now, however, looks like a time where this might be added. There are some things I wonder though. Should we support uploads? How about specifying the URL? Should we require md5's on uploads / external urls? Is this feature still desired? Etc...
#6
Hmmm, I think actually uploads would be the best way to do this -- that would prevent DNS poisoning. The user could actually look at what they will be installing (w/ an archive program or w/e) to make sure.
With the way the code now works, this manual install will have to be a separate process from the regular queue/md5/login/install.
I also agree that this page could be disabled/hidden by default -- probably only us dev types will need to use it on a regular basis.
#7
I'll get to work on this.
#8
So I've added a manual installer page (Commit #143648), but made it "hidden" -- it's unlisted in any menus. Also, you can only install by upload, and there's a big warning message telling you to make sure to check the tarballs you upload.
Is there anything else that needs adding?
#9
#10
Automatically closed -- issue fixed for two weeks with no activity.
#11
So, I was definitely wrong. Let's make the manual install page visible.