
Closed
Open
Created Jun 18, 2020 by herbdool@herbdool

Should Civi core provide a secure, standardized approach if extensions want to provide automatic self-updating? (Such as what CiviMobileAPI does)

CiviMobileAPI provides functionality for automatic self-updating (e.g. https://lab.civicrm.org/extensions/civimobileapi/-/blob/master/CRM/CiviMobileAPI/Utils/Extension.php). Some of it is using core API, but some of it is doing its own thing with hardcoded values:

  /**
   * Get latest version of extension download link
   */
  public static function getLatestVersionDownloadLink() {
    $version = CRM_CiviMobileAPI_Utils_VersionController::getInstance();
    $downloadUrl = 'https://lab.civicrm.org/extensions/civimobileapi/-/archive/';
    $downloadUrl .= $version->getLatestFullVersion() . '/civimobileapi-' . $version->getLatestFullVersion() . '.zip';

    return $downloadUrl;
  }

As far as I know Civi doesn't do any package signing to make this process more secure. At the very least, I think Civi should centralize this process to make this more secure.

Some things that would make this more secure:

  • package signing
  • put the toggle for automatic updates on the main extensions page. Perhaps a toggle for each extension.
  • provide core API for the whole process so extensions don't need to roll their own approach.
  • ensure that an extension is using an official path.
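Two of the items listed above, "ensure that an extension is using an official path" and "package signing", sketched in PHP as an added example; it is not part of the original issue and is not CiviCRM or CiviMobileAPI code. The function names, the allowlist rule (https, host lab.civicrm.org, path under /extensions/<name>/-/archive/), the choice of Ed25519 via PHP's sodium extension, and the idea that the publisher's public key is pinned on the site are all assumptions.

```php
<?php
// Added illustration: function names and allowlist rule are hypothetical, not CiviCRM API.

/** Accept only https URLs on the assumed official host under /extensions/<name>/-/archive/. */
function isOfficialArchiveUrl(string $url, string $name): bool {
  $p = parse_url($url);
  if (!is_array($p) || ($p['scheme'] ?? '') !== 'https') {
    return FALSE;
  }
  // Userinfo, explicit ports, query strings and fragments are never needed here.
  if (array_intersect_key($p, array_flip(['user', 'pass', 'port', 'query', 'fragment']))) {
    return FALSE;
  }
  $path = $p['path'] ?? '';
  $prefix = '/extensions/' . $name . '/-/archive/';
  return strtolower($p['host'] ?? '') === 'lab.civicrm.org'
    && strpos($path, '..') === FALSE                      // no path traversal
    && strncmp($path, $prefix, strlen($prefix)) === 0     // exact extension prefix
    && preg_match('#\A[A-Za-z0-9._/-]+\.zip\z#', substr($path, strlen($prefix))) === 1;
}

/** Verify a detached Ed25519 signature over the archive bytes before anything is unpacked. */
function isSignedByPublisher(string $archive, string $sig, string $publicKey): bool {
  if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
    || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
    return FALSE;
  }
  return sodium_crypto_sign_verify_detached($sig, $archive, $publicKey);
}

// Constructed demo data: throwaway key pair, fake archive bytes, made-up version 1.0.0.
$keys = sodium_crypto_sign_keypair();
$pub = sodium_crypto_sign_publickey($keys);
$zip = 'constructed archive bytes';
$sig = sodium_crypto_sign_detached($zip, sodium_crypto_sign_secretkey($keys));
$base = '/extensions/civimobileapi/-/archive/1.0.0/civimobileapi-1.0.0.zip';

$checks = [
  'official URL accepted' => isOfficialArchiveUrl('https://lab.civicrm.org' . $base, 'civimobileapi'),
  'plain http rejected' => !isOfficialArchiveUrl('http://lab.civicrm.org' . $base, 'civimobileapi'),
  'look-alike host rejected' => !isOfficialArchiveUrl('https://lab.civicrm.org.example.com' . $base, 'civimobileapi'),
  'other extension path rejected' => !isOfficialArchiveUrl('https://lab.civicrm.org' . $base, 'otherext'),
  'valid signature accepted' => isSignedByPublisher($zip, $sig, $pub),
  'modified archive rejected' => !isSignedByPublisher($zip . 'x', $sig, $pub),
];
foreach ($checks as $label => $ok) {
  echo ($ok ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}
```

The URL check alone only constrains where the archive comes from; the signature check is what ties the bytes to a publisher key, so an updater would need both to pass before unpacking.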