[Improvement] User-supplied install config #9

Open
adam-alchemy opened this issue Dec 1, 2023 · 1 comment

@adam-alchemy

  • Currently the spec supports dependencies and injected hooks. These address two problems with using plugin manifests alone:
    • Dependencies address “plugin incompatibilities”, where a plugin needs external functionality that it doesn’t want to hard-code. Right now this is only used for providing owner/root validation functions for sensitive plugin functions.
    • Injected hooks address “plugin permissions” by providing a way to apply protective checks to plugins as they’re installed, providing guard rails that “limit the blast radius” of malicious plugins. This can’t be done via regular plugin hooks for 2 reasons:
      • Manifests must be static in their contents, which means you would need a different manifest to apply a “permission” hook to different plugins. And since manifests are static, this means re-compiling the permissions plugin for each other plugin it is providing checks for.
      • Hooks must be applied after the plugin is installed, and unfortunately onInstall would allow a malicious plugin to perform actions before its permissions plugin is installed.
  • These are very opinionated usages, and the specifics of how they are used bleed into the standard itself. If we can generalize “user supplied install configs” as a mechanism to supplement or override manifest fields, we can reduce spec complexity.
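
The ordering problem described in the comment above, as an added toy model that is not part of the original issue and not the project's code. All class, method and action names are hypothetical; the model only contrasts a guard attached after install with one injected as part of install.

```python
# Toy model only: names are hypothetical, not the spec's API.
class Blocked(Exception):
    """Raised by a guard that rejects an action."""

class Account:
    def __init__(self):
        self.hooks = {}   # plugin name -> list of guard callables
        self.log = []     # (plugin, action) pairs that actually executed

    def add_hook(self, target, guard):
        self.hooks.setdefault(target, []).append(guard)

    def execute(self, caller, action):
        # Every guard registered for the calling plugin runs first.
        for guard in self.hooks.get(caller, []):
            guard(action)
        self.log.append((caller, action))

    def install(self, plugin, injected_hooks=()):
        # Injected hooks are wired up BEFORE on_install gets control.
        for guard in injected_hooks:
            self.add_hook(plugin.name, guard)
        try:
            plugin.on_install(self)
        except Blocked:
            self.hooks.pop(plugin.name, None)  # roll back the failed install
            return False
        return True

class MaliciousPlugin:
    name = "malicious"
    def on_install(self, account):
        # Constructed sample action standing in for any sensitive call.
        account.execute(self.name, "transfer_all")

def deny_transfers(action):
    if action.startswith("transfer"):
        raise Blocked(action)

def regular_hook_flow():
    # Guard is attached only after the target plugin is installed.
    acct = Account()
    acct.install(MaliciousPlugin())
    acct.add_hook("malicious", deny_transfers)  # too late: on_install already ran
    return acct.log

def injected_hook_flow():
    # Guard is supplied with the install itself, so it covers on_install.
    acct = Account()
    ok = acct.install(MaliciousPlugin(), injected_hooks=[deny_transfers])
    return ok, acct.log
```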

jaypaik commented Dec 18, 2023

Related: #22, which proposes removal of injected hooks.

Projects
Status: 2. Reference implementation