Wedge

Sounds like fun... :-/

The OP needs updated to reflect this.

It needs updating to reflect the correct title too. I'll deal with it when I get chance, thanks for reminding me :)

Now updated to actually be more accurate.

Shall we remove the package manager by now?

Well, it still has some useful stuff like dealing with unpacking mods and so on - but the more I think about it the more I am kind of leaning towards what XenForo does - and not having any kind of unpacking on the server. It certainly solves permissions headaches but isn't so friendly.

I thought that unpacking through PHP would on the contrary ensure that files are all writable by PHP..?

Making it writable from PHP means exposing it to being writable by the web server. Convenient, sure, but on shared hosting, you have to make it writable to all users since on most shared hosts I've seen, the web server user is not the same as the owner of the files and very often isn't in the same group - meaning that your files have to be world writable by definition.

This is why systems get hacked: folks change the permissions and trigger the system to abuse it. Now, if you're not modifying core files, you limit the damage that can be done - but still all the plugin files are within the cross-hairs, and anything on that server that happens to get compromised, can compromise any and all plugins. Even attachments aren't really that safe - but they're safe in that they can't directly be executed by the server (or at least, on anything remotely sane, shouldn't be able to be executed), though attachments I accept have to remain world writable by definition.

On the other hand, if users have to upload plugins, they get them uploaded via FTP and invariably that just works as expected. The plugin gets uploaded, it's not writable by the web server so it's protected from being infected by any other compromised site on the server.

Yes, it's not as convenient as having something that does it all magically, but I'd argue it's a lot safer and doesn't require what amounts to a workaround.

What's more important: being secure or being convenient? You know as well as I do that users don't actually care about being secure, but they love convenience, and we have to make a call on what we think as more important, because we have to care when the user doesn't.

Y'know, I simply really like(d) the idea of downloading gzipped plugins from within Wedge... :-/

Yeah, it's one of those things that would be very awesome, but the security aspect makes me incredibly wary about doing it.

Certainly it isn't required for alpha and can be shunted back to beta, but given that other systems are doing this exact thing (and they're paid, no less) with little apparent ill-will as a result, it does give me confidence that it might not be so bad after all.

It would certainly encourage people to think a bit more carefully about whether they really need a plugin or not.

I'll take security over convenience every time (in the past our site has been compromised many times, and cleaning up just takes too much time), but I understand the difference; there will be folks for whom the opposite applies. To massage an apposite saying, you can't please all the people all the time...  :whistle:

I know you guys don't like Wordpress much, but it does allow (as SMF) to download and install plugins/themes/upgrades directly from the web interface. What technique did they use? Same as SMF (so files with 777 permissions)?