2015-10-03, 00:29
Turn off automatic updates, or manually install the specific add-ons you want to use from the repos you can't trust. Personally, I always disable automatic updates, for Kodi, my phone, my computer, everything. I choose when I want to update something, and I can prevent an update from breaking something that wasn't broken. This happens more often with just a single developer than it does with a conflict between two who are using the same ID.
The security risk happens when you choose to add sources or repos from untrustworthy sources. They don't have to hijack another add-on (ID or otherwise) if they themselves are untrustworthy. They can actually use their repo itself (which is an add-on, and can be updated) to inject whatever add-on they want, to do whatever they want, onto your system. Even binding an add-on to a repo won't prevent that. If you think that is just about them being malicious, it's not. We've actually seen repos wage "war" on each other like this, and they thought they were doing it in the best interests of the user. The whole thing goes to shit when you can't trust the repo.
Also, don't forget that we have an add-on rollback feature specifically to help with things like botched updates.