* Aryeh Gregor Simetrical+wikilist@gmail.com [Tue, 5 May 2009 09:22:01 -0400]:
On Tue, May 5, 2009 at 1:51 AM, Dmitriy Sintsov questpc@rambler.ru wrote:
In #mediawiki IRC channel I've been told that tgz upload is insecure and poses a risk.
Allowing tgz uploads would allow the upload of arbitrary file formats. We do not want to do this. For one thing, it's insecure: users might think it's safe to install a binary executable just because it's from mediawiki.org, but downloads aren't actually vetted. Noticeably third-party downloads hopefully will be treated with some more caution.
For another thing, allowing archive formats permits the upload of content we don't want to permit on ideological grounds, or that cannot be distributed under the GFDL. For instance, binaries without accompanying source code; or DRM-encumbered data formats; or formats that are otherwise not open because, for instance, they aren't specified fully enough to permit full open-source implementations (e.g., .doc). The first two cases not only are at least arguably contrary to Wikimedia's mission -- see http://meta.wikimedia.org/wiki/File_format_policy, although that never passed AFAIK -- but are probably not legal as long as we're only allowed to distribute under the GFDL.
MediaWiki extensions can just have their source code pasted into their extension pages. This is marginally less convenient, but not by much. I don't think Wikimedia is going to allow arbitrary file formats to be uploaded anytime soon (and that's basically what .tgz would permit).
Pasting the code is suitable only for small extensions; mine is medium-size, has many source files, and I can't imagine installing it in such a way.
I believe there was a trick which would overcome the tgz upload restriction - some years ago, I saw text-format archives inside unix shell scripts, which can be extracted with bash (or maybe even just sh) - probably just MIME decoding then passing to tar/gzip. Then, such a file can probably be uploaded with a different extension, while on the documentation page one would ask to rename and run the file after a download.
But anyway, I've chosen a _free_ hosting for my extension; I hope the hoster won't delete it any time soon. Just an external tgz link.
Dmitriy