[Proposal]: Improve add-on user experience and help restrict bad repos / bad addons

[Proposal]: Improve add-on user experience and help restrict bad repos / bad addons - Printable Version

+- Kodi Community Forum (https://forum.kodi.tv)
+-- Forum: Development (https://forum.kodi.tv/forumdisplay.php?fid=32)
+--- Forum: Kodi Application (https://forum.kodi.tv/forumdisplay.php?fid=93)
+--- Thread: [Proposal]: Improve add-on user experience and help restrict bad repos / bad addons (/showthread.php?tid=353690)

[Proposal]: Improve add-on user experience and help restrict bad repos / bad addons - matthuisman - 2020-04-20

https://github.com/xbmc/xbmc/pull/17677#issue-403118062

Maybe better to discuss here than github pinging everyone each time a comment is made on that PR.

RE: [Proposal]: Improve add-on user experience and help restrict bad repos / bad addons - V8MEM - 2020-04-20

All of this looks like a sad excuse not to implement actual package signing.

RE: [Proposal]: Improve add-on user experience and help restrict bad repos / bad addons - matthuisman - 2020-04-20

How would 3rd party repos work with package signing?
They host their own signature?
Then bad repos can do that as well.

None of my proposal has anything to do with man-in-the-middle or anything like that.
It's unrelated. A bad repo / addon can still be signed.

If your plan is for kodi to hold the signatures - then why not just force every addon to be in kodi repo.

But please do advise how we can keep same functionality with 3rd party repos and signing and suddenly have none of the issues outlined above.

and ps: Kodi repo addons actually have a hash header on their redirect to mirrors to ensure kodi gets the correct add-on

Adding a checksum / hash to addons to would be easy.
The main repo xml would just have a checksum of the latest zip.
That still doesn't solve all the other issues.
That just ensures you get the actual correct zip and it isn't modified or malformed during download
But you still need to trust the repo xml is the real one.

Could also enforce https for repos

its always going to have weakness when dealing with 3rd party
All we can do is our best to make it more difficult and make the user aware of what is happening.

RE: [Proposal]: Improve add-on user experience and help restrict bad repos / bad addons - V8MEM - 2020-04-20

(2020-04-20, 06:55)matthuisman Wrote: How would 3rd party repos work with package signing?

Same as 3rd party repos on any linux distro, users import the authors key to the trusted keyring.

RE: [Proposal]: Improve add-on user experience and help restrict bad repos / bad addons - matthuisman - 2020-04-20

that still doesn't solve half of the issues.
That just makes sure your getting the version the author intends.
A simply checksum in addons.xml solves the same issue.
The author can still be bad.
The bad addons can still come pre-installed on builds etc.

Yes, installing the key shows you trust them.
But so does installing their repository.

I'm happy for suggestions as long as it solves all the issues at the top of that post.