Kodi Community Forum

Full Version: 2 different Curiosity Stream Addons ?
I have been running the Curiosity Stream addon created by Matt Huisman and I notice that there is now one in the official kodi.tv repo by GMaxera

For some reason Kodi tried to update the GMaxera version over the top of the older Matt Huisman version.

Anyone know if the GMaxera one in the official repo is a fork or something ?
Not a fork.

This is a current issue with how Kodi add-ons work.
If two add-ons share the same addon ID, Kodi will update to whichever has the newest version.

Leads to all sorts of issues / possible "hijacking" of add-ons by bad characters by using same ids with higher versions.

I have a write-up of suggested changes to the kodi add-on system here: https://github.com/xbmc/xbmc/pull/17677

If you want to keep using my one - I have changed the ID of it.
If you update to its latest version, it should ask you to migrate to the new ID.
Worst case, uninstall the old one and install the new one via slyguy repo
(2020-04-24, 07:16)matthuisman Wrote: [ -> ]Not a fork.

This is a current issue with how Kodi add-ons work.
If two add-ons share the same addon ID, Kodi will update to whichever has the newest version.

Leads to all sorts of issues / possible "hijacking" of add-ons by bad characters by using same ids with higher versions.

I have a write-up of suggested changes to the kodi add-on system here: https://github.com/xbmc/xbmc/pull/17677

If you want to keep using my one - I have changed the ID of it.
If you update to its latest version, it should ask you to migrate to the new ID.
Worst case, uninstall the old one and install the new one via slyguy repo

Your suggested "Improvements" in your write-up offer nothing that hasn't been heavily discussed here already.

Facts are plugins CANNOT be hijacked without a user already installing a third-party repository, which users are warned against when allowing "Unknown Sources".

As for repositories, Kodi's official repository is the only "Trusted" source. The idea of a "Trusted third-party" repository logistically doesn't exist.

If a user is worried about hijacking, only install repositories from trusted developers and stay away from plug-ins not found in the official Kodi repository.
No.
You can't expect every user to know what they are doing. Kodi has some responsibility to limit the exposure and at least make it harder for bad characters.

Automatically replacing addons with any higher version is simply stupid. The Kodi warning will be like Apple T&Cs: no one reads it. And you know that.

If that's the best Kodi can do to protect their users then it's a worry.

You said it's all been discussed. Nothing's been done, so I assume Kodi is happy with how it is now?

How does a user install Netflix addon from official repo? Or a heap of others.

They can't. How do you know a repo can be trusted? You can't.

Anyway. No biggie. Will just start using 100.0.0 version numbers as that seems like the only way.
Also, how well 'audited' are addons in the Kodi repo anyway? Is every bit of code checked before merge? Only takes a few lines hidden in there somewhere to install a zip or another repo. And due to you thinking the current system is fine, 1000 addon dependencies being installed.

Think I'd rather trust a 3rd party addon with lots of user feedback and longer history.

Maybe a couple of undercover tests need to be done trying to get addons into the official repo with same bad code. Just to ya know. Make sure end users can trust it.

Some modules contain a huge amount of code, I'm sure it hasn't all been checked.

You can never be sure. So what's the harm in limiting the harm it can do.

And I can tell from your trusted comment that you haven't even read that GitHub.
The only thing about trusted is the system repos (xbmc, libreelec) and even that just means you don't get so many warnings with them. It's still not a free pass to do what they want.
The idea of "trusted apps" is only valid if they are fully audited. 

Take a Look at the Google Play store. Google recently pulled some "approved" apps that exploited a flaw to get root and install trojans. If a company like Google, with their deep pockets, can't keep junk out of their store, I don't seriously expect a team of kodi volunteers to do so.

To use the google play store as another example. Many apps are not available on the Google Play store, but are available from legit android sources like F-Droid.
Google commonly removes legitimate, non-malicious, apps. They do so for various reasons. Commonly they simply go against their business model, or open security risks for less experienced users.
So, advanced users who want to use advanced software have no other option but to use the "unknown sources" feature to enable the use of sources like F-Droid or even XDA Developers.

Having Kodi designed so that when someone updates to the latest, ACTIVELY developed addon, there is a risk of unknowingly getting a different addon from another repo, is a bit goofy.

Maybe there is a way to limit updates to the same repo?
(2020-04-24, 10:33)matthuisman Wrote: [ -> ]Think I'd rather trust a 3rd party addon with lots of user feedback and longer history.

Fully Agreed.

Not sure who "GMaxera" is and I have no interest in installing an app by a dev that doesn't seem to be active in the community. I searched for a "release" posting for his/her Curiosity Stream addon online and can't find one. It may be ok, but it makes me suspicious. Even if it is in the official repo.

Thanks for the reply @matthuisman. I found the release notes for your latest update, and figured out what was happening.

Glad to see you back from your "retirement".
Especially with the newly found spare time I have. Curiosity Stream is worth every penny of their subscription and I am glad I can use your addon to watch it on my TV, as opposed to using a laptop or phone.
As noted already, this has actually been discussed within the Team.

One of the main stumbling blocks is the usage of beta-test repos by developers, most commonly (but not exclusively) skin developers. The addon/skin is developed and tested in one repo, and then once it is proven ready it is submitted into the official repo. If we had the requirement for only updating from the repo where the addon was installed from, then people would end up with parallel installs of beta and release versions installed together, which is a recipe for disaster.

It should also be highlighted that the version of Kodi that we ship explicitly has install from third party repos disabled by default. It has to be enabled by the user, including a pop-up indicating the potential risks in doing so and an acknowledgement that they accept that risk. So by default the described risk is not present, as the only source is the official repo and we control what is accepted into that.

This is also why we dislike "meta" repos, and have the most common of them as part of our banned addons (wiki) list. Not just through their often violation of our piracy policy (wiki), but for their often lax attitude towards inclusion of forked higher numbered versions of even legitimate addons. It does of course apply to any 3rd party repo potentially, but those large meta-repos are the largest risk.

In the end we try to look after the general user base by curating the official repo and disabling third party ones. For more advanced users (or those who think they are) who make use of third party repos, then it is their responsibility to ensure that what they put on is trustworthy, and they are responsible also for any outcome that may happen if they don't make any effort to check things and just randomly install stuff from anywhere.

A couple of my blog posts (links in my sig) are on this very topic, as are a few older ones from other team members.
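The ID-keyed update rule matthuisman describes earlier in the thread, and the "only update from the repo the addon was installed from" option DarrenHill weighs above, as an added Python model (not Kodi's own code; the add-on IDs and repo names are constructed, and Kodi's real version comparison is richer than the dotted-integer compare used here):

```python
"""Added example (not Kodi's own code): simplified model of the ID-keyed
update rule from the thread beside an "only update from the installing repo"
policy. Real Kodi version comparison is richer than dotted integers."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class AddonEntry:
    addon_id: str  # a shared ID is what makes two unrelated add-ons "the same"
    version: str
    repo: str      # repository offering this entry (names are constructed)

def parse_version(v: str) -> tuple:
    """Dotted-integer compare, so '100.0.0' ranks above '1.3.0'."""
    return tuple(int(p) for p in v.split("."))

def select_update(installed: AddonEntry, available: List[AddonEntry],
                  pin_to_origin: bool = False) -> Optional[AddonEntry]:
    """Entry Kodi would update to, or None. pin_to_origin=False models the
    current rule (any repo, same ID, higher version wins); True restricts
    candidates to the repo the add-on was installed from."""
    newer = [
        a for a in available
        if a.addon_id == installed.addon_id
        and (not pin_to_origin or a.repo == installed.repo)
        and parse_version(a.version) > parse_version(installed.version)
    ]
    return max(newer, key=lambda a: parse_version(a.version), default=None)

def find_id_collisions(available: List[AddonEntry]) -> Dict[str, List[str]]:
    """Defender-side check: add-on IDs offered by more than one repo."""
    repos: Dict[str, set] = {}
    for a in available:
        repos.setdefault(a.addon_id, set()).add(a.repo)
    return {i: sorted(r) for i, r in repos.items() if len(r) > 1}

# Constructed sample: installed from a third-party repo, while an unrelated
# add-on reusing the same ID with a higher version sits in another repo.
INSTALLED = AddonEntry("plugin.video.example", "1.2.0", "repo.thirdparty")
AVAILABLE = [
    AddonEntry("plugin.video.example", "1.2.1", "repo.thirdparty"),
    AddonEntry("plugin.video.example", "1.3.0", "repo.other"),
    AddonEntry("plugin.video.unrelated", "0.9.0", "repo.other"),
]

def inflated_version_blocks_update() -> bool:
    """The '100.0.0' workaround from the thread: nothing ranks higher."""
    inflated = AddonEntry(INSTALLED.addon_id, "100.0.0", INSTALLED.repo)
    return select_update(inflated, AVAILABLE) is None
```

With the default rule the 1.3.0 entry from the other repo replaces the installed add-on; pinning to the origin repo picks the 1.2.1 update instead, and `find_id_collisions` is the check a repo maintainer or user could run over their configured sources to spot the duplicated ID before either happens.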
And I would add that without third party repos/addons, you don't get true innovation either.

For instance, the PVR I use is not on the official repo - and it's the best one (for my needs) that I've used since I started using Kodi a few years ago. It is self-labelled "unofficial" but the developer has an open forum over at the HDHomerun website, and he's super responsive to issues that are posted on there. His addon is so far ahead of anything else that I've used.

I agree that security falls on both sides of this. I don't think Kodi could realistically do anything more than they are doing when it comes to third party repos, without really locking down the software, which would severely hurt the hobbyist/tinkerer. I could be wrong in that regard, but that's my opinion.
(2020-04-24, 15:58)DarrenHill Wrote: [ -> ]If we had the requirement for only updating from the repo where the addon was installed from, then people would end up with parallel installs of beta and release versions installed together, which is a recipe for disaster.

It would be cool to have functionality where a single source is used for both Beta and Non-beta addons.
The beta versions could be identified as such within the code, and have the beta simply skipped if the user didn't want to install/update beta versions.
I can run Linux apps beta or stable, without ending up with parallel installs.
Obviously I am not a dev, but I assume this would require a major change, one that would require more than a couple of developers simply submitting code changes.
(2020-04-24, 10:14)matthuisman Wrote: [ -> ]No.
You can't expect every user to know what they are doing. Kodi has some responsibility to limit the exposure and at least make it harder for bad characters.

Automatically replacing addons with any higher version is simply stupid. The Kodi warning will be like Apple T&Cs: no one reads it. And you know that.

If that's the best Kodi can do to protect their users then it's a worry.

You said it's all been discussed. Nothing's been done, so I assume Kodi is happy with how it is now?

How does a user install Netflix addon from official repo? Or a heap of others.

They can't. How do you know a repo can be trusted? You can't.

Anyway. No biggie. Will just start using 100.0.0 version numbers as that seems like the only way.
Kodi development is community-driven; anyone, team member or not, is welcome to commit code for review. If you feel you can offer a better solution to Kodi's plugin system, then please do so. No one is arguing that the current system is perfect.

The Netflix plugin developer is more than welcome to submit the plugin for a review into the Official repository.
(2020-04-24, 10:33)matthuisman Wrote: [ -> ]Also, how well 'audited' are addons in the Kodi repo anyway? Is every bit of code checked before merge? Only takes a few lines hidden in there somewhere to install a zip or another repo. And due to you thinking the current system is fine, 1000 addon dependencies being installed.

All code, line by line, submitted to Kodi's repository for review is audited by our team members on a voluntary basis... A very time-consuming process that ensures the code is safe.
(2020-04-24, 10:33)matthuisman Wrote: [ -> ]Maybe a couple of undercover tests need to be done trying to get addons into the official repo with same bad code. Just to ya know. Make sure end users can trust it.

You're awfully hostile; maybe you should help rather than become part of the problem?
(2020-04-24, 10:33)matthuisman Wrote: [ -> ]You can never be sure. So what's the harm in limiting the harm it can do.

And I can tell from your trusted comment that you haven't even read that GitHub.
The only thing about trusted is the system repos (xbmc, libreelec) and even that just means you don't get so many warnings with them. It's still not a free pass to do what they want.

Long-term: Yes! Kodi's plugin environment should be sandboxed...

"You can never be sure". Yes you can; code is not magic, it's limited by design. All code is reviewed (LINE BY LINE). Sure, human error can overlook a security flaw... however, name one project where that doesn't happen?

Your interpretation of the submission process, vetting, and trusted developers sounds troubling... why don't you submit your plugins for review and find out first-hand what's involved.
(2020-04-24, 16:18)starslayer74 Wrote: [ -> ]And I would add that without third party repos/addons, you don't get true innovation either.

For instance, the PVR I use is not on the official repo - and it's the best one (for my needs) that I've used since I started using Kodi a few years ago. It is self-labelled "unofficial" but the developer has an open forum over at the HDHomerun website, and he's super responsive to issues that are posted on there. His addon is so far ahead of anything else that I've used.

I agree that security falls on both sides of this. I don't think Kodi could realistically do anything more than they are doing when it comes to third party repos, without really locking down the software, which would severely hurt the hobbyist/tinkerer. I could be wrong in that regard, but that's my opinion.
"true innovation" is a very subjective outlook....

I agree that most plugins posted here or on legitimate sites start as third-party plugins and some are truly works of art. However, 99% of the dreck I've observed users installing contains regurgitated old code, is haphazardly maintained and almost always contains something fishy, whether it be obfuscated code blocks or URLs.
(2020-04-24, 15:54)Spinner65 Wrote: [ -> ]
(2020-04-24, 10:33)matthuisman Wrote: [ -> ]Think I'd rather trust a 3rd party addon with lots of user feedback and longer history.

Fully Agreed.

You'd rather trust users "observed" code behavior; over a line by line code review?
(2020-04-24, 20:00)Lunatixz Wrote: [ -> ]
(2020-04-24, 15:54)Spinner65 Wrote: [ -> ]
(2020-04-24, 10:33)matthuisman Wrote: [ -> ]Think I'd rather trust a 3rd party addon with lots of user feedback and longer history.

Fully Agreed.

Not sure who "GMaxera" is and I have no interest in installing an app by a dev that doesn't seem to be active in the community. I searched for a "release" posting for his/her Curiosity Stream addon online and can't find one. It may be ok, but it makes me suspicious. Even if it is in the official repo.

Thanks for the reply @matthuisman. I found the release notes for your latest update, and figured out what was happening.

Glad to see you back from your "retirement".
Especially with the newly found spare time I have. Curiosity Stream is worth every penny of their subscription and I am glad I can use your addon to watch it on my TV, as opposed to using a laptop or phone.
You'd rather trust users "observed" code behavior; over a line by line code review?

I would rather have multiple eyes see popular code vs an overworked Kodi team who likely doesn't check every release of a relatively new addon with few users or devs involved.

So I install a new addon that has been added to the official repo… I would assume that it would be fully vetted because it is new or from a new developer.
But.. 4 releases later? Is it always checked for each release?

If old non functional addons have sat in the repo for a long time, forgive me for having doubts about consistent code checking too.
This isn't a criticism. I see it as the reality of software developed by volunteers.