Feature #50501

The ability to just import/fetch/download an extension from the TER without installing it.

Added by Dave no-lastname-given over 7 years ago. Updated over 2 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: Extension Manager
Target version: -
Start date: 2013-07-28
Due date:
% Done: 100%
Estimated time:
PHP Version:
Tags:
Complexity: medium
Sprint Focus:

Description

It would be nice if we could just import/fetch/download an extension from the TER but not automatically install it into a running system. This was possible to do in the old extension manager but not in the extensionmanager version 6.x.x.

I normally check out the contents of an extension myself before installing an extension.
Sometimes new extensions can break a running Typo3 site. Some extension authors have my trust and I may automatically install them, but when I am working with something/someone new I always double check the extension manually by putting my eye quick to the code.

I do this because in Typo3, security auditing of extensions is an afterthought, meaning it occurs after an extension has already been publicly available in the TER. For that reason alone, automatic installing of extensions does more harm than good.

Automatic installs of extensions DOES NOT allow you to do your own security audit first.
That is a very compelling reason to re-introduce this feature.
It is something you should encourage new Typo3 integrators to be doing.
Security should always trump convenience, if not, you are doing it wrong.

On a side note: sometimes I will download an extension for modification reasons.
I do not want to install it until after I have made my changes.


Related issues

Related to TYPO3 Core - Bug #50347: ExtensionManager: Overwriting existing extensions with older versions without warning (Closed, 2013-07-23)
Has duplicate TYPO3 Core - Bug #55373: Extension manager installs (activates) extensions automatically (Closed, 2014-01-27)

#1

Updated by Philipp Gampe over 7 years ago

  • Status changed from New to Accepted

I second this.

An easy solution would be to set a switch in the extensionmanager extension to either install it directly or not. This should be simple to implement.

Otherwise we need an UI/UX concept again to let the user choose while downloading or before installing it.

Can you please create an issue in the UX team tracker and relate it to this one?

#2

Updated by Ingo Renner over 7 years ago

  • Status changed from Accepted to Rejected

Dave no-lastname-given wrote:

...download an extension from the TER but not automatically install it into a running system.

(emphasis added by me)

You don't do that on a production system.

#3

Updated by Dave no-lastname-given over 7 years ago

Ingo Renner wrote:

You don't do that on a production system.

No you probably shouldn't on a production system, I am not saying that I do, but it does not mean you even have to do it on a NON production system. The point is there is no choice to just import and not install.
And that is a security issue in my mind regardless if it is on a production system or not.

Because your non-production system is also connected to the net or how else did you get the extension in the extension manager??? That does not make it safe from a potentially malicious extension that automatically installs.

And your reply doesn't address the other issue I pointed out, sometimes you want to just import but not install an extension for modification reasons.

IMHO your rejection of this idea is not fully baked.

#4

Updated by Dave no-lastname-given over 7 years ago

Also a running system is not just a production system, it is a Typo3 install in production or in a state of development/staging.

#5

Updated by Philipp Gampe over 7 years ago

  • Status changed from Rejected to Needs Feedback
  • Complexity set to medium

@Ingo I second the idea to just fetch an extension.

#6

Updated by Dave no-lastname-given over 7 years ago

Made a related UX issue for extra feedback: Feature #50582

#7

Updated by Philipp Gampe over 7 years ago

We need another action in between that shows all changes to be done (just as in the old (old) EM)

#8

Updated by Dave no-lastname-given over 7 years ago

Philipp Gampe wrote:

We need another action in between that shows all changes to be done (just as in the old (old) EM)

I think I mentioned this in the UX issue, I agree. I thought though you could keep the current behaviour in the new EM (simple mode: auto install at own risk no questions asked.) and then a more verbose version (advanced mode: where all install/import questions are asked and options considered) and the process is thoroughly reviewed before executing.

I did find the old process in the old EM a bit clunky (@see off-topic) even though you could cope with it, it was not very clear when dealing with dependencies in what step of your initial extension install you were in when dependencies installations were being satisfied. I could imagine some nice ajax wizardry here.

Though I think the UX team might come up with a more elegant solution.

off-topic:
Another gripe of mine is that extension installs are not very easily rolled back to previous versions. They are always overwritten, I think that is a shame. It would be cool if you could import multiple versions of the same extension, and then just symbolically link to the actively installed one. Maybe also support for an ext_rollback.php to rollback any DB/structure changes. But that would require some serious rethink of how extensions are treated.

Versioned extensions directory structure for rollback:


my_extension -> .my_extension/1.0.2
.my_extension/
  1.0.1/
  1.0.2/
  1.0.3/

It would also support old extensions that cannot be rolled back.

Anyway sorry for the Off-topic. Maybe I should post that as a far future feature or maybe it should hang in the shadows for now, I am not sure. It would be cool though.
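
The versioned layout sketched in comment #8, as an added shell example that is not part of the thread or of TYPO3: staging copies a version into place for review without activating it, and activation or rollback only repoints the symlink. The function names, return codes and validation rules are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not TYPO3 code). Layout from the comment above:
#   <root>/<ext> -> .<ext>/<version>      (symlink = active version)
#   <root>/.<ext>/<version>/              (one directory per imported version)

# Assumed rules: versions are dotted numbers, keys are lowercase/digits/underscore.
# Rejecting everything else keeps "../" and similar out of the constructed paths.
valid_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
}
valid_extkey() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
}

# Import only: copy an unpacked extension into its own version directory.
# The active symlink is never touched and an existing version is never overwritten.
ext_stage() {   # args: root ext version srcdir
    if ! valid_extkey "$2" || ! valid_version "$3"; then return 2; fi
    dest="$1/.$2/$3"
    if [ -e "$dest" ]; then return 3; fi
    mkdir -p "$1/.$2" && cp -R "$4" "$dest"
}

# Activate (or roll back to) a version that was staged and reviewed earlier.
ext_activate() {   # args: root ext version
    if ! valid_extkey "$2" || ! valid_version "$3"; then return 2; fi
    if [ ! -d "$1/.$2/$3" ]; then return 4; fi
    # Refuse to replace a real directory that is not managed by this layout.
    if [ -e "$1/$2" ] && [ ! -L "$1/$2" ]; then return 5; fi
    ln -sfn ".$2/$3" "$1/$2"
}

# Print the currently active version, or fail if none is active.
ext_active() {   # args: root ext
    if [ ! -L "$1/$2" ]; then return 1; fi
    basename "$(readlink "$1/$2")"
}
```

Staged versions can be read or diffed under `.my_extension/<version>/` before `ext_activate` is run; whatever install step the CMS itself performs on activation is outside this sketch.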

#9

Updated by Alexander Opitz about 7 years ago

  • Status changed from Needs Feedback to New

#10

Updated by Gerrit Code Review over 6 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30972

#11

Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30972

#12

Updated by Gerrit Code Review over 6 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/30972

#13

Updated by Gerrit Code Review over 6 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/30972

#14

Updated by Gerrit Code Review about 6 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/30972

#15

Updated by Gerrit Code Review almost 6 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/30972

#16

Updated by Gerrit Code Review almost 6 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/30972

#17

Updated by Susanne Moog almost 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#18

Updated by Benni Mack over 2 years ago

  • Status changed from Resolved to Closed
