DISTRHO / Cardinal

Virtual modular synthesizer plugin
https://cardinal.kx.studio/
GNU General Public License v3.0

[Feature request] StudioRack integration #653

Closed RustoMCSpit closed 2 months ago

RustoMCSpit commented 2 months ago

Description

It's an open-source plugin manager called StudioRack: https://github.com/studiorack

The aim of the project is to provide a free open-source way to manage plugin dependencies and their versions. It would involve the following steps:

1. Publish a GitHub release containing the plugin source along with metadata plugins.json
2. Tag your GitHub repository with studiorack-plugin so it can be discovered
3. Wait for the studiorack-registry to index your plugin (every 24 hours)
4. Check the registry feed for your plugin to appear

falkTX commented 2 months ago

I am going to say no to this, for several reasons:

  1. looking at a random plugin (e.g. https://studiorack.github.io/studiorack-site/instruments/studiorack/adlplug/adlplug) there is no link to source code, nor any way to verify the build is from you, or how it is packaged or anything at all.
  2. even when manually looking at the forked repo of adlplug https://github.com/studiorack/adlplug there are no commits related to the build of the project, just a release, so again I don't see a way to verify the build is a good one or malicious
  3. community chat goes over discord, a proprietary platform which quite some open-source devs have issues with (their terms of service and privacy policy are abysmal)

so with those the project does not inspire confidence and I do not want to be part of it. I could understand the discord part, but lack of transparency regarding the origin of the builds/binaries is a big red flag. you are basically incentivizing users to download and run random binaries that they have no way to verify to not be malicious.

I will reconsider my stance once studiorack project gets reproducible builds, with publicly visible logs for them. until then it is hard no.
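An added example, not part of the original thread and not code from Cardinal or StudioRack: one way to check a published release archive against an independent rebuild from source, comparing every packaged file by SHA-256. The plugin name, file paths and archive contents are constructed sample data, and the helper names are hypothetical.

```python
import hashlib
import io
import zipfile


def member_digests(archive):
    """Map each file path inside a zip archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def compare_builds(published, rebuilt):
    """Diff a published release archive against an independent rebuild."""
    pub, reb = member_digests(published), member_digests(rebuilt)
    return {
        "only_in_published": sorted(set(pub) - set(reb)),
        "only_in_rebuilt": sorted(set(reb) - set(pub)),
        "content_differs": sorted(p for p in set(pub) & set(reb) if pub[p] != reb[p]),
        # Whole-archive equality is the strict reproducible-build criterion.
        "bit_identical": hashlib.sha256(published).digest() == hashlib.sha256(rebuilt).digest(),
    }


def is_reproduced(report):
    """True when both archives carry the same files with the same contents."""
    return not (report["only_in_published"] or report["only_in_rebuilt"]
                or report["content_differs"])


def make_zip(files, date_time):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed sample data; the plugin name and paths are hypothetical.
SO = "Example.vst3/Contents/x86_64-linux/Example.so"
SOURCE_BUILD = {"plugin.json": b'{"name": "Example"}', SO: b"\x7fELF-built-from-tag"}
REBUILT = make_zip(SOURCE_BUILD, (2024, 1, 2, 0, 0, 0))
PUBLISHED = make_zip(SOURCE_BUILD, (2024, 1, 1, 0, 0, 0))
ALTERED = make_zip({**SOURCE_BUILD, SO: b"\x7fELF-something-else",
                    "postinstall.sh": b"#!/bin/sh\n"}, (2024, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    for label, archive in (("published", PUBLISHED), ("altered", ALTERED)):
        print(label, compare_builds(archive, REBUILT))
```

The two matching sample archives differ only in their embedded timestamps, so their contents agree while `bit_identical` is false; a reproducible pipeline also has to pin such metadata (for example via `SOURCE_DATE_EPOCH`) before whole-archive hashes can be compared.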

RustoMCSpit commented 2 months ago

> I will reconsider my stance once studiorack project gets reproducible builds, with publicly visible logs for them. until then it is hard no.

please contact the dev with all of your issues, it's a solo project so forgive them for shortcomings. just make issue requests here https://github.com/studiorack

RustoMCSpit commented 2 months ago

here's the email if you need it hello@kimturley.co.uk

RustoMCSpit commented 2 months ago

also, revolt is a foss clone of discord so if you make that issue request tell them that

RustoMCSpit commented 2 months ago

i contacted about discord, please do the rest!

kmturley commented 2 months ago

Hello, I am the creator/author of StudioRack open-source plugin management system.

Firstly thanks @RustoMCSpit for trying out my tool and for encouraging others to take a look. I have done everything myself so far and it is nice to have some help!

@falkTX Nice to meet you, I have seen many of your projects and you really have made a difference in the open-source music world. So thank you for that!

I will caveat that StudioRack was entirely created by myself in a vacuum, so there will likely be areas I overlooked and could definitely improve. I welcome feedback and suggestions for improvements!

Addressing the concerns raised:

1. No link to source code

If you click on the plugin author name, it will take you to the source code. It is a little bit hidden. I will work on making it more obvious!


2. Verifying the build matches the source

Yes you're 100% right here, the builds were manually added as releases by me. So in theory I could've injected malicious code. This was a short-term solution until I had the GitHub Actions pipelines auto-building plugins.

I created templates for each plugin framework here: https://github.com/orgs/studiorack/repositories?q=template Which will run the build for Linux, Mac, Win, add the plugin.json, the images and audio, and create the release from a git tag. I managed to get it working for a few plugins, but every repo is different and I got stuck on some.

My plan was to add the pipeline automation to all plugins, instead of manual releases. Which would solve this point!

3. Use of Discord

I was not aware of concerns with Discord and open-source. I am a member of sfz, sfizz, Owlplug, audioprogrammer Discords and it has not been mentioned. If this is a blocker I could absolutely consider migrating there. I just signed up and looked for audio plugin servers, couldn't find any but perhaps they are private?

@RustoMCSpit has created issues against my repos to address concerns, so I will address them there. feel free to open more issues and I hope I can make it a better tool for everyone to use!

RustoMCSpit commented 2 months ago

> 3. Use of Discord
>
> I was not aware of concerns with Discord and open-source. I am a member of sfz, sfizz, Owlplug, audioprogrammer Discords and it has not been mentioned. If this is a blocker I could absolutely consider migrating there. I just signed up and looked for audio plugin servers, couldn't find any but perhaps they are private?

revolt is a tiny community, you'll have to post links in your readme and people will join eventually and tell your discord to migrate over