Right now we are trying to decide how we should manage a plugin repository system. Before we decide anything, we’d love to gather input from the community to see what they’d like! I look forward to reading all the constructive feedback you guys provide. Feel free to give suggestions to my proposals or make your own.
Proposal 1: BukkitDev-like system
We could handle things very similarly to how we did on BukkitDev. This includes:
- Proactively review every file before it is available for download.
- Auto-scan files for red flags, but still review them by hand.
- Allow CIs for dev builds.
This system is only as secure as the moderators handling the reviews. It allows for catching complex backdoors before they are made public, but it also sacrifices speed and burns out the moderators reviewing the plugins. Approval time fluctuates a ton based on how many developers are able and willing to review files. Times ranged from a few minutes to a few days.
We could look at changing specifics such as development build / CI policies.
Proposal 2: Community moderation
Another option is to make reviews completely community-moderated.
- Rely on the community to decompile and review files for backdoors or anything else.
- Have a team of staff that reviews files that throw up red flags.
- All files immediately available for download.
This system is not very secure, but it allows for instant download of any file. This is similar to how Spigot handles their resources, except that they don’t scan files to flag them for moderators; they just review as reported (from what I’ve gathered).
Proposal 3: Combination of proactive and reactive reviews
This system is a compromise of security and speed.
- Proactively review the first file of each author or project.
- After the first file, all files are immediately available for download.
- Scan additional files and flag for review. Certain flags would bump files to the top of the queue, otherwise files would be reviewed in the order they are submitted.
- A system such as ‘semi-normal’ and ‘normal’ to denote whether files have been reviewed.
- Possibly have certain flags (such as .setOp and System.execute) force a file to be proactively reviewed before it is available for download.
Obvious cons to this system: people uploading a safe file to get past the proactive review and then uploading malicious files afterwards; moderators becoming lackadaisical and not bothering to review files that aren’t flagged.
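To make the flag-and-queue part of Proposal 3 concrete, here is an added example (not code from the original post or from the repository project) of how a scanner and triage step could work. It parses the constant pool of every class inside a plugin jar, looks for red-flag references, and sorts submissions into a review queue: first files from unknown authors and anything carrying a hard flag are held for proactive review, other flagged files are published but bumped to the top of the queue, and everything else is published and reviewed in submission order. The `RED_FLAGS` list and its severities, the `Submission`/`Decision`/`triage` names and the sample jars are all assumptions made for illustration, not the repository's actual rules.

```python
"""Added example: red-flag scanning and review-queue triage for plugin jars.
The flag list, severities and sample inputs below are assumptions, not the
repository's real policy."""
import io
import struct
import zipfile
from dataclasses import dataclass, field

# Assumed red flags. "block" = hold for proactive review before download
# (the post's .setOp / process-execution case); "bump" = publish now but move
# to the top of the reactive review queue.
RED_FLAGS = {
    "setOp": "block",                    # granting operator status
    "java/lang/Runtime": "block",        # Runtime.exec
    "java/lang/ProcessBuilder": "block",
    "java/net/URL": "bump",              # downloads / callbacks
    "java/net/Socket": "bump",
    "java/lang/reflect/Method": "bump",  # reflection used to hide calls
    "java/util/Base64": "bump",          # obfuscated payloads
}

# Byte sizes of fixed-width constant pool entries by tag (JVM spec 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 entry from a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", class_bytes, 8)[0]
    pos, i, out = 10, 1, []
    while i < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            n = struct.unpack_from(">H", class_bytes, pos)[0]
            out.append(class_bytes[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:
            pos += _FIXED[tag]
        i += 2 if tag in (5, 6) else 1  # Long and Double take two slots
    return out


def scan_jar(jar_bytes):
    """Map each red flag found in any class of the jar to its severity."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                for entry in utf8_constants(jar.read(name)):
                    for flag, severity in RED_FLAGS.items():
                        if flag in entry:
                            hits[flag] = severity
    return hits


@dataclass
class Submission:
    author: str
    file: str
    jar: bytes


@dataclass
class Decision:
    file: str
    state: str        # "held" (proactive review) or "available"
    flags: dict = field(default_factory=dict)
    priority: int = 2  # 0 = held, 1 = bumped, 2 = normal FIFO


def triage(submissions, approved_authors):
    """Proposal 3: hold first files and 'block' flags, bump other flags,
    otherwise publish and review in submission order."""
    decisions = []
    for s in submissions:
        hits = scan_jar(s.jar)
        if s.author not in approved_authors or "block" in hits.values():
            decisions.append(Decision(s.file, "held", hits, 0))
        elif hits:
            decisions.append(Decision(s.file, "available", hits, 1))
        else:
            decisions.append(Decision(s.file, "available", hits, 2))
    # Stable sort: held first, then bumped, then FIFO within each level.
    queue = [d.file for d in sorted(decisions, key=lambda d: d.priority)]
    return decisions, queue


def make_class(strings):
    """Constructed test input: a minimal class file whose pool holds the given
    UTF-8 strings plus one Class and one Long entry (not a compiled plugin)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    pool += b"\x07" + struct.pack(">H", 1)   # CONSTANT_Class -> entry 1
    pool += b"\x05" + struct.pack(">q", 0)   # CONSTANT_Long, two slots
    count = len(strings) + 1 + 2 + 1
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, count) + pool


def make_jar(files):
    """Constructed test input: an in-memory jar from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    safe = make_jar({"a/Safe.class": make_class(["a/Safe", "onEnable", "()V"])})
    op = make_jar({"a/Op.class": make_class(["org/bukkit/OfflinePlayer", "setOp", "(Z)V"])})
    net = make_jar({"a/Net.class": make_class(["java/net/URL", "openStream"])})
    subs = [Submission("alice", "alice-1.jar", safe), Submission("bob", "bob-1.jar", safe),
            Submission("alice", "alice-2.jar", op), Submission("alice", "alice-3.jar", net),
            Submission("alice", "alice-4.jar", safe)]
    for d, in zip(triage(subs, {"alice"})[0]):
        print(d)
    print(triage(subs, {"alice"})[1])
```

The sample run shows the con the post calls out: alice's first upload is clean, but her later `setOp` upload is still held because the scanner checks every file, not just the first. What the scan cannot do is catch a backdoor that avoids the listed references (reflection with obfuscated strings, a payload fetched at runtime), and the substring match is coarse (`setOp` also matches `resetOptions`), so the flag list is a triage aid for the hand review the post describes, not a replacement for it.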