* Aryeh Gregor <Simetrical+wikilist(a)gmail.com> [Tue, 5 May 2009 09:22:01 -0400]:
> On Tue, May 5, 2009 at 1:51 AM, Dmitriy Sintsov <questpc(a)rambler.ru> wrote:
> > In #mediawiki IRC channel I've been told that tgz upload is insecure
> > and poses a risk.
>
> Allowing tgz uploads would allow the upload of arbitrary file formats.
> We do not want to do this. For one thing, it's insecure: users might
> think it's safe to install a binary executable just because it's from
> mediawiki.org, but downloads aren't actually vetted. Noticeably
> third-party downloads hopefully will be treated with some more
> caution.
>
> For another thing, allowing archive formats permits the upload of
> content we don't want to permit on ideological grounds, or that cannot
> be distributed under the GFDL. For instance, binaries without
> accompanying source code; or DRM-encumbered data formats; or formats
> that are otherwise not open because, for instance, they aren't
> specified fully enough to permit full open-source implementations
> (e.g., .doc). The first two cases not only are at least arguably
> contrary to Wikimedia's mission -- see
> http://meta.wikimedia.org/wiki/File_format_policy, although that never
> passed AFAIK -- but are probably not legal as long as we're only
> allowed to distribute under the GFDL.
>
> MediaWiki extensions can just have their source code pasted into their
> extension pages. This is marginally less convenient, but not by much.
> I don't think Wikimedia is going to allow arbitrary file formats to
> be uploaded anytime soon (and that's basically what .tgz would
> permit).

Pasting the code is suitable only for small extensions; mine is
medium-size, has many source files and I can't imagine installing it
in such a way.

I believe there was a trick which would overcome the tgz upload
restriction - some years ago, I saw text-format archives
inside unix shell scripts, which can be extracted with bash (or maybe
even just sh) - probably just MIME decoding then passing to
tar/gzip. Then, such a file can probably be uploaded with a different
extension, while on the documentation page one would ask to
rename and run the file after a download.

But anyway, I've chosen a _free_ hosting for my extension,
I hope the hoster won't delete it any time soon. Just an
external tgz link.

Dmitriy