vapor / vapor

💧 A server-side Swift HTTP web framework.
https://vapor.codes
MIT License
24.36k stars 1.44k forks

Guideline for plugins #297

Closed proyb6 closed 8 years ago

proyb6 commented 8 years ago

🚀 What would be the best practice/guideline for plugin development without compromising security and code quality? Probably creating a few test suites to scan for 1) sloppy code that uses non-HTTPS, 2) storing clear-text passwords (an API for encryption methods would be useful for plugin developers), 3) any code using untrusted/obscure URLs should alert the user before accepting plugins/modules to avoid spoofing. 4) Can any issues from WordPress plugin vulnerabilities be added here?

With this guideline, a "vaporscan" command line can be a step ahead of SwiftPM.

tanner0101 commented 8 years ago

I think the closest thing we will have to plugins coming up will be Commands, similar to Laravel's Artisan commands.

Possibly we could implement an approval process by which one of Vapor's moderators gives Commands a "verified" status. This could indicate that someone familiar with Vapor has looked over the code and ensured that it is of good quality and performs the task it advertises.

proyb6 commented 8 years ago

I think it may take Vapor's moderators a lot of effort to verify, and it will still be error-prone (Linux is the largest software in the world) or vulnerable. The basic scanner would be sufficient, and I think having regexps or rules so the community can improve upon the scanner would be ideal.
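The rule-based scanner sketched across the two posts above (flag plain-HTTP URLs, flag hard-coded secrets, and hold plugins that reach hosts outside an allowlist for review before they are accepted) as an added example; this is not Vapor's code, not a "vaporscan" that exists, and not proyb6's or tanner0101's. The rule names, the `TRUSTED_HOSTS` allowlist and the Swift plugin snippet it scans are all constructed for the example, and the rules are plain regexps so that others can extend the table, which is the model the second post proposes.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Finding:
    rule: str    # constructed rule id, e.g. "non-https-url"
    line: int    # 1-based line in the scanned source
    detail: str  # the URL, host or identifier that triggered the rule

# Assumed allowlist of hosts a reviewer has already vetted (example values only).
TRUSTED_HOSTS = {"vapor.codes", "github.com", "api.github.com"}
# Plain HTTP to the loopback interface is tolerated for local development.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Rule 1/3: any URL literal; scheme and host are inspected afterwards.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Rule 2: an identifier that smells like a credential assigned a string literal.
# (?i) makes it catch Swift camelCase such as apiKey as well as api_key.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*[\"'][^\"']+[\"']"
)
# Whole-line comments are skipped so documentation does not trigger findings.
COMMENT_RE = re.compile(r"^\s*//")

def scan_source(source: str, trusted_hosts=TRUSTED_HOSTS):
    """Run every rule over each line and return the findings in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if COMMENT_RE.match(line):
            continue
        for m in URL_RE.finditer(line):
            url = m.group(0).rstrip(".,;")
            host = (urlparse(url).hostname or "").lower()
            if host in LOOPBACK:
                continue  # dev-only endpoints are neither insecure nor untrusted
            if url.startswith("http://"):
                findings.append(Finding("non-https-url", lineno, url))
            if host not in trusted_hosts:
                findings.append(Finding("untrusted-host", lineno, host))
        m = SECRET_RE.search(line)
        if m:
            findings.append(Finding("cleartext-secret", lineno, m.group(1)))
    return findings

def verdict(findings):
    """Map findings onto the policy from the thread: hard failures reject the
    plugin outright; an unknown host only requires the user to confirm."""
    rules = {f.rule for f in findings}
    if rules & {"non-https-url", "cleartext-secret"}:
        return "reject"
    if "untrusted-host" in rules:
        return "review"
    return "accept"

# Constructed Swift plugin source used as scanner input (not a real Vapor plugin).
SAMPLE = """\
// Constructed sample plugin source.
import Vapor

let apiKey = "sk-constructed-example"
let updates = "http://updates.example.net/latest"
let docs = "https://vapor.codes/docs"
let dev = "http://localhost:8080/health"
// http://commented.example/ignored
"""

if __name__ == "__main__":
    found = scan_source(SAMPLE)
    for f in found:
        print(f"line {f.line}: {f.rule}: {f.detail}")
    print("verdict:", verdict(found))
```

Running the block prints three findings for the sample (the hard-coded `apiKey` on line 4, and both the plain-HTTP scheme and the unvetted host on line 5) and a verdict of `reject`; the `vapor.codes` and loopback URLs produce nothing. Extending the scanner is a matter of adding a compiled pattern and a rule id, which is the community-maintained rule table the post asks for.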

tanner0101 commented 8 years ago

https://vapor.github.io/documentation/guide/provider.html gives a good overview on making providers.