Approving plugins


#1

How do plugins get approved? Decompiling the jar? Just looking at the source code, if available? Or even only observing the behavior?
Who does this?

I am asking this because a decompiled jar produced from Kotlin code looks very strange and is very hard to read.


#2

Yeah, it will basically be decompiled and analysed.
Plugins written in other JVM languages (Scala/Kotlin etc.) may take longer to review.


#3

For open source plugins, why not just compile the plugin and check if it has the same hash as the uploaded plugin? If it does, just read the source code it was compiled from instead?


#4

IIRC, there was a guide floating around about the proper steps for managing/reviewing plugins on Ore. @windy @Zidane @gabizou: Do any of you have the link?


#5

I have seen some plugins where the source code (e.g. on GitHub) is different from the source code used to compile the jar. This will cause the hashes to be different and will cause the checking of the jar to fail.

I'm not saying it is a bad method (I like the idea), but you can't rely on this method, because:
1. the developer might have changed a few things, either after compiling (before uploading the source code) or before compiling (having already uploaded the source code);
2. the developer uploads his source code after the plugin is validated;
3. or some random other reason.

Note that these are just some examples; for most (open source) plugins the method would work.
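The rebuild-and-compare idea from #3 and the hash-mismatch problem from #5, as an added Python example (not code from the thread or from Ore): rather than hashing the whole jar, it compares an uploaded jar with a locally compiled one entry by entry, so a reviewer sees exactly which classes differ and knows which source files to read. The two jars are constructed in memory as sample data; the class bytes are placeholders, not real bytecode.

```python
# Compare a locally rebuilt jar with the uploaded one entry by entry. Hashing the
# whole .jar is brittle: zip timestamps and the manifest differ between builds even
# when every compiled class is identical, so compare the contents of each entry.
import hashlib
import io
import zipfile

IGNORED_PREFIXES = ("META-INF/",)  # build metadata, no code; differs per build

def whole_jar_digest(jar_bytes: bytes) -> str:
    """Naive whole-file hash: differs between builds even for identical code."""
    return hashlib.sha256(jar_bytes).hexdigest()

def entry_digests(jar_bytes: bytes) -> dict:
    """Map each non-ignored entry name to the SHA-256 of its decompressed contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith("/") or name.startswith(IGNORED_PREFIXES):
                continue
            digests[name] = hashlib.sha256(jar.read(name)).hexdigest()
    return digests

def compare_jars(uploaded: bytes, rebuilt: bytes) -> dict:
    """Report entries present in only one jar and entries whose contents differ."""
    up, rb = entry_digests(uploaded), entry_digests(rebuilt)
    return {
        "only_uploaded": sorted(set(up) - set(rb)),
        "only_rebuilt": sorted(set(rb) - set(up)),
        "changed": sorted(n for n in up.keys() & rb.keys() if up[n] != rb[n]),
    }

def make_jar(entries: dict, stamp: tuple) -> bytes:
    """Build a small in-memory jar from constructed sample data (not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()

# Constructed sample: same Plugin.class, different timestamps and manifest, and one
# class (Util) that was edited after the published source was compiled.
COMMON = {"com/example/Plugin.class": b"\xca\xfe\xba\xbe plugin", "plugin.info": b"name=x"}
UPLOADED = make_jar({**COMMON, "META-INF/MANIFEST.MF": b"Built-By: dev\n",
                     "com/example/Util.class": b"\xca\xfe\xba\xbe v2"}, (2024, 1, 1, 0, 0, 0))
REBUILT = make_jar({**COMMON, "META-INF/MANIFEST.MF": b"Built-By: reviewer\n",
                    "com/example/Util.class": b"\xca\xfe\xba\xbe v1"}, (2024, 6, 1, 12, 0, 0))

if __name__ == "__main__":
    print(whole_jar_digest(UPLOADED) == whole_jar_digest(REBUILT))  # False, despite matching classes
    print(compare_jars(UPLOADED, REBUILT))  # changed: ['com/example/Util.class']
```

Any entry listed under "changed" or "only_uploaded" is what the reviewer still has to decompile and read; everything else is covered by the published source.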


#6

It's still a WIP IIRC and @mbaxter is really the mastermind behind that, I expect it to be available after the "full" rollout.


#7

To partially answer your question, here are a few bits of information relevant to Ore and Kotlin.

  • When Ore is fully released there will be available, on the Sponge Documentation, information on requirements for projects and plugin approval information.
  • We will review plugins using whatever tools and techniques we deem necessary to minimize risk to users of Ore.
  • To the best of our ability plugin review will be handled FIFO.
  • Kotlin, Scala, and any other JVM-compatible-but-not-really-Java plugins may be harder to review.
    • Might take longer to approve.
    • We'll allow them, though. We're drawing the line at actual obfuscation.