MinuteElectron writes:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello,
Recently I volunteered to help establish a system for providing an extension manager\repository combination for MediaWiki. During this time I have devoted some thought regarding how such a system would work, here I hope to summarize what ideas have been bounced around so far and stimulate further discussion that can be built upon.
To begin with, most of my effort went into designing and building a repository, doing this first was a bad idea, however; a manager that can be used without a repository is needed first before the specification for a repository can be made. Regardless thought has already been put into this (mostly in IRC discussions on #mediawiki) so it would be worthwhile listing ideas them here. - It is *extremely* dangerous to create a system that automatically downloads files that will be executed from the Internet and installed into an environment such as MediaWiki, if the repository that is being used is compromised via DNS spoofing or similar attacks, arbitrary access to the file system the client MediaWiki is running on and any data held in the wiki could be made available (without anyone knowing, if the malicious attack was crafted carefully). - For this reason signing should be used to facilitate transferring files between the repository and MediaWiki in a way similar to aptitude (Linux package manager). Perhaps done using SSL or some other system (maybe using public\private keys). - It should be possible for multiple repositories to be hosted, even if an official one were to exist some projects might like to have one so that their wikis can access custom extension and many other reasons. Once I develop my repository system I plan to release it under an open source license in a generalized way so it could be used by third parties as well as on a pseudo-official one probably hosted on the toolserver (maybe even the stable server after a while). - Due to the high demand such a system would receive static generated information would be desirable as opposed to a dynamic API. - Support for different versions of MediaWiki would be essential, presumably from the version of MediaWiki available when the extension manager is released onwards (therefore future backwards compatibility would be essential).
That's all I could think of for the repository, please add more in a reply if you can think of anything.
Moving on to the client (extension manager) many more factors would have to be covered. - One of the earliest problems I encountered was providing a system for updating configuration, it would be very difficult to maintain variables in a file so moving to configuration in the database is probably the only choice here (possibly both a database based and file based choices, but this could become hard to maintain). Validation on input would be required and so more coding would need to be made by extension authors (or the repository managers, if the maintainer of the extension wasn't willing to put effort into validation functions), this could probably be done using a configuration class for each extension extend from a main configuration class. This would most likely fit best into a separate configuration file so it could be loaded without the rest of the extension.
And I've gone and put all my points about an extension manager client into one bullet, discussion about this would be great; at least now I've written it out I understand better what it is I was planning so hopefully (providing someone doesn't find any flaws in my ideas) I might be able to start some coding. For now this will most likely have to stay as an extension as it will be too unstable to begin with, but hopefully once the project takes off it could be bundled in core along with a few common extension (which would then be able to be installed without configuration file editing due to this interface). Perhaps even, in the long run, the bulk of configuration could be moved into a configuration manager special page and validation classes -- this would certainly help many users.
If anyone else would like to contribute to an extension manager (I've noticed a couple of other people interested on IRC) maybe we could set up an IRC channel and collaborate on it -- work out some UI mock-ups, design basic code, discuss ideas in greater detail etc. -- if not I'll work out some basic code that can then be expanded on or twisted as required by anyone who wants to help.
Thanks, MinuteElectron. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkfdlGoACgkQkJvUlhoE3wSEWQCgt4NQuEJuNIVKJUKo4Z9itOEk cAYAn2WMTMrfz7dtwUgI9PjFrLs6qk+P =QsBY -----END PGP SIGNATURE-----
Don't we have it as maintenance/installExtension.php? --VasilievVV