Bug #90248
closed
Don't mark extensions set as "excludeFromUpdates" as insecure
Description
If an extension is set to "excludeFromUpdates" (ext_emconf.php), this extension should not be marked as "insecure" in EM. Usually it is necessary to set extensions to "excludeFromUpdates" for a local extension, which also exists in TER from another vendor. Like developing a custom local extension "news" although there is already another TER version of "news".
In addition, those extensions should not show up in "system report" as warning.
Additionally, for those extensions no language files should be fetched from TER. I've already created another ticket for this: https://forge.typo3.org/issues/90236
Updated by Georg Ringer almost 5 years ago
- Related to Bug #90236: Language manager doesn't respect extension set to "excludeFromUpdates" (ext_emconf.php) added
Updated by Georg Ringer almost 5 years ago
- Status changed from New to Rejected
Thanks for creating this issue!
I will reject this idea. The reason is that the information if an extension is insecure or not is really important and more important than a possible false positive through a duplicated extension key. Especially if the original extension is used and would have been patched, the extension's state should still be insecure until an official update is used.
The issue #90236 is a bit different because with that the real behaviour of an extension can change because the xlf files are downloaded to the server. In this issue, nothing happens except the warning.
Updated by Jan Kornblum almost 5 years ago
What do you think about introducing an additional state like "customLocal" or "localOnly" for those extensions? So it would be possible to differentiate between "excludeFromUpdates" (used for patched TER extensions) and "customLocal" (implemented for a certain customer and not in TER)?
I think it is not a good behaviour to generally mark any "custom" extension as insecure (only because a TER version with the same key exists). Imagine a customer needs to get a "custom" extension "news" (not your one). Customer now pays lots of money for developing it... Then the customer looks in EM and tells you "why did I get an insecure extension"???
There must be another way to implement a local only extension with a TER key without it being automatically marked as insecure. A better way than just setting ext version to 9999999 ;)