My thoughts on a service for hosting and/or auto-installing plugins

Seems like many are interested in having some system to install plugins automagically (like APT) :: more seem eager to have a central repository for approving and distributing plugins (like dev.bukkit’s system).

Here are my thoughts, please don’t hate :: as always, constructive criticism is welcomed…

Automatic download and installation:
Software separate from Sponge should do this. Whether this be a Sponge plugin or a completely separate application, I do not think that this needs to be implemented into Sponge itself. Possibly some type of program can be used to abstract server setup for newbie owners. Of course the program would need a list/input of the plugin sources… That brings us to a central plugin distribution repo or something like that.

Distribution repository:
I definitely think that a main site will be great for hosting the majority of plugins. I never did like how sometimes it would take upwards of two weeks for one of my plugins to be approved by the staff at dev Bukkit; I understood it, but this will need to change. I propose that if a central place to host most plugins is made, authors can post immediately and have their plugins hosted immediately.
I propose that the community decides for themselves whether a plugin is safe. Members can review the source of a release (decompiling; although I do not advocate this) on their own time and submit a review of it. This review can contain anything that server owners should be aware of. Here’s what it might contain:

Plugin safe: Probably. RMI is not documented, but probably not evil.
Review: Plugin does what it says, mostly. Connections to the developer’s website are made to share your server’s OS and other anonymous information (for statistics?).
Overall: Users should be safe.

I’m open to suggestions. Especially because I’m extremely tired as I write this and certainly have missed some things.

Lapis is working on something similar :wink:

The system would need to take into account the required dependencies of those plugins, and check if the required versions of those dependencies are actually available, too.

But yes, something like apt-get sounds nice :slight_smile:

If plugin information is properly documented in the plugin.[some ext], you could even have it check for errors that would arise from permissions, commands, aliases, etc.
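The two checks described in the replies above (resolving dependencies against the versions a repository actually has, and linting the plugin descriptor for command, alias and permission errors before anything is installed) can be sketched as follows. This is an added example for the discussion, not code from any poster, Lapis, or Sponge; the `Manifest` field names, the `plugin.[some ext]` schema it mirrors, and the plugin names and versions in `sample_index()` are all constructed for illustration.

```python
"""Added example: resolve plugin dependencies against a repository index and
lint a plugin descriptor. Schema, plugin names and versions are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'1.2' -> (1, 2, 0). Tuples compare numerically, unlike '1.10' < '1.9'."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


@dataclass
class Manifest:
    """Hypothetical fields a plugin.[some ext] descriptor might declare."""
    name: str
    version: Version
    depends: Dict[str, Version] = field(default_factory=dict)   # name -> minimum version
    commands: Dict[str, str] = field(default_factory=dict)      # command -> permission node
    aliases: Dict[str, str] = field(default_factory=dict)       # alias -> command it maps to
    permissions: Set[str] = field(default_factory=set)          # permission nodes declared


def lint_manifest(m: Manifest) -> List[str]:
    """Catch descriptor mistakes that would only surface at server start-up."""
    problems = []
    for cmd, perm in m.commands.items():
        if perm not in m.permissions:
            problems.append(f"{m.name}: command '{cmd}' uses undeclared permission '{perm}'")
    for alias, target in m.aliases.items():
        if target not in m.commands:
            problems.append(f"{m.name}: alias '{alias}' points to unknown command '{target}'")
        if alias in m.commands:
            problems.append(f"{m.name}: alias '{alias}' collides with a command of the same name")
    return problems


def resolve(root: str, index: Dict[str, List[Manifest]]) -> Tuple[Dict[str, Manifest], List[str]]:
    """Pick, for every plugin reachable from `root`, the newest indexed version that
    meets the minimum each dependant asks for. Returns the install set and a list of
    errors: plugin not in the index, no version new enough, or a dependency cycle."""
    chosen: Dict[str, Manifest] = {}
    errors: List[str] = []
    in_progress: Set[str] = set()

    def visit(name: str, minimum: Version, wanted_by: str) -> None:
        if name in in_progress:
            errors.append(f"dependency cycle through '{name}'")
            return
        candidates = [m for m in index.get(name, []) if m.version >= minimum]
        if not candidates:
            have = ", ".join(fmt(m.version) for m in index.get(name, [])) or "none"
            errors.append(f"'{wanted_by}' needs {name} >= {fmt(minimum)}, available: {have}")
            return
        if name in chosen:  # already picked the newest version; it satisfies `minimum`
            return
        pick = max(candidates, key=lambda m: m.version)
        chosen[name] = pick
        in_progress.add(name)
        for dep, dep_min in pick.depends.items():
            visit(dep, dep_min, name)
        in_progress.discard(name)

    visit(root, (0, 0, 0), "user request")
    return chosen, errors


def sample_index() -> Dict[str, List[Manifest]]:
    """Constructed repository index: two versions of a library, a shop plugin
    that needs it plus a permissions API that is only present in an older release."""
    return {
        "EconomyCore": [
            Manifest("EconomyCore", parse_version("1.0.0")),
            Manifest("EconomyCore", parse_version("1.2.0")),
        ],
        "PermsAPI": [Manifest("PermsAPI", parse_version("2.5.0"))],
        "ShopPlugin": [Manifest(
            "ShopPlugin", parse_version("2.0.0"),
            depends={"EconomyCore": parse_version("1.1"), "PermsAPI": parse_version("3.0")},
            commands={"shop": "shop.use", "shopadmin": "shop.admin"},
            aliases={"s": "shop", "buy": "purchase"},   # 'purchase' is never declared
            permissions={"shop.use"},                   # 'shop.admin' is never declared
        )],
    }


if __name__ == "__main__":
    index = sample_index()
    install, errs = resolve("ShopPlugin", index)
    print("would install:", {n: fmt(m.version) for n, m in install.items()})
    print("errors:", errs)
    print("lint:", lint_manifest(index["ShopPlugin"][0]))
```

Running it shows the resolver choosing EconomyCore 1.2.0 (the newest release that meets the 1.1 minimum) while refusing to install because the only PermsAPI in the index is older than the 3.0 the plugin asks for, and the linter reports the undeclared permission and the dangling alias before any file reaches the server.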

Sounds interesting. :slight_smile:

“I propose that if a central place to host most plugins is made, authors can post immediately and have their plugins hosted immediately.”

So backdoored plugins directly from the main site? O.o

Yes, but those should be clearly marked as possibly malicious. Of course anything that violates the law of wherever the repo is hosted should be taken down (as well as anything that gets DMCA’d, of course). I think that a community can oftentimes rate/flag plugins better than an inside team of moderators, and if moderators are denying plugins that users could enjoy, then people are missing out.

@instanceof, I do understand what you’re saying at

However, even if the community “decides” whether it is malicious, it’s still a security concern. Also, Sponge wouldn’t be getting good rep for hosting malicious plugins just willy nilly. Perhaps if there was a separate section or a check-box setting to see “Unconfirmed Safe Plugins” or something, that’d be great. Just my idea, though. :wink:

I like that idea! I suppose official moderation / approval moderators will be needed to give the final “OK” to a plugin. Either way, it’s great for developers since they can get their plugin’s latest release out to the public quickest.

I just thought of something else as well. Possibly each project that new developers make will have to get mod approval before even being publicly available. Then, as a developer shows that his plugins are legit (nothing has been reported malicious, or malicious content has been resolved with the moderators), he can push instant public releases to the plugin repository. Of course these releases would first go into your “Unconfirmed Safe Plugins” section or similar.