2 different Curiosity Stream Addons ?
#16
(2020-04-24, 20:06)Spinner65 Wrote:
(2020-04-24, 20:00)Lunatixz Wrote:
(2020-04-24, 15:54)Spinner65 Wrote: Fully Agreed.

Not sure who "GMaxera" is and I have no interest in installing an app by a dev that doesn't seem to be active in the community. I searched for a "release" posting, for his/her Curiosity Stream addon, online and can't find one. It may be ok, but it makes me suspicious. Even if it is in the official repo.

Thanks for the reply @matthuisman .  I found the release notes for your latest update, and figured out what was happening.

Glad to see you back from your "retirement". 
Especially with the newly found spare time I have.  Curiosity Stream is worth every penny of their subscription and I am glad I can use your addon to watch it on my TV, as opposed to using a laptop or phone.  
You'd rather trust users "observed" code behavior; over a line by line code review?  

I would rather have multiple eyes see popular code  vs an overworked kodi team who likely doesn't check every release of a relatively new addon with few users or devs involved
If old non functional addons have sat in the repo for a long time, forgive me for having doubts about code checking.
This isn't a criticism. I see it as the reality of software developed by volunteers. 
Broken plugins are always going to be an issue for any repository. Developers are welcome to submit their updates, and in the interim installing their "Beta" repo usually keeps you running till an official submission is made.

Multiple eyes by unknown reviewers is not comparable to a code review by team members. This is not to say all third-party developers are shady... Just clearing up: if you want security, either review the code yourself or trust that Kodi team members have for you.
Image Lunatixz - Kodi / Beta repository
Image PseudoTV - Forum | Website | Youtube | Help?
Reply
#17
(2020-04-24, 20:06)Spinner65 Wrote: If old non functional addons have sat in the repo for a long time, forgive me for having doubts about consistent code checking too.
This isn't a criticism. I see it as the reality of software developed by volunteers. 
I would agree with this.  I do see a lot of broken addons in the official repo, or poorly documented addons as well. Sometimes I look at an addon and read the description and can't tell for the life of me what it does! It's one thing for that to happen with a third party addon, but an "official" repo addon should be well documented and offer no ambiguity as to what it is for. 

Not a complaint, but an observation. I appreciate all that the team does to keep the base support functional and stable.
Reply
#18
(2020-04-24, 20:14)Lunatixz Wrote:
(2020-04-24, 20:06)Spinner65 Wrote:
(2020-04-24, 20:00)Lunatixz Wrote: You'd rather trust users "observed" code behavior; over a line by line code review?  

I would rather have multiple eyes see popular code  vs an overworked kodi team who likely doesn't check every release of a relatively new addon with few users or devs involved
If old non functional addons have sat in the repo for a long time, forgive me for having doubts about code checking.
This isn't a criticism. I see it as the reality of software developed by volunteers.   
Broken plugins are always going to be an issue for any repository. Developers are welcome to submit their updates, and in the interim installing their "Beta" repo usually keeps you running till an official submission is made.

Multiple eyes by unknown reviewers is not comparable to a code review by team members. This is not to say all third-party developers are shady... Just clearing up: if you want security, either review the code yourself or trust that Kodi team members have for you.
My point about old addons was not about them requiring updates. 

I ran into one official addon that was old and apparently not popular, and was effectively abandoned by the dev. In fact the website it was designed to work with was out of business. For whatever reason, the dev didn't let anyone know,  so the addon wasn't removed from the repo until I notified the team. 

My point is that team-members don't have unlimited time, so they rely on users to bring this stuff to their attention.
If you have an addon that has few users, it's likely that it takes a longer time for someone to bring things to a team member's attention.
It's not like the team has time to check every addon to see if it is abandoned or not.

For that reason..  I also don't assume that every release of an addon that is ALREADY accepted in the official repo has been checked.
I doubt you guys have time. Nor do I expect you to.

So expecting that official repo is 100% safe is naive imo.
Safer than some of the shady repos ?  Hell yes.  

That is why I only occasionally update software. It can break things, never mind cause other issues.
I see Kodi as no different so I check things before I update. Obviously not all users would, or could, do so.

But that said, it would be nice to have a system that prevents addon conflicts across repos.
Reply
#19
Beta repos should always have at least the code of the stable repo correct?

So, if you're on the beta repo, it should be at least up to date with stable? So why the need for Kodi to replace the beta with the stable?

The user has chosen beta... Just keep them on that until they switch to stable.

Pretty sure OSMC comes with the install zip enabled by default. It at least used to.
Are you saying users shouldn't use that then? They will never get a warning.

At least be constructive with your arguments. You haven't suggested any way to fix it. Do all addon devs now have to namespace their addon ids to stop kodi replacing them in the future?

And what I suggested about the addon submission to test Kodi's process. That's called white hat.

And you're saying every module has been checked? Requests? Arrow? There's no guarantee these are the same as their pip version. Could easily be changed by whoever submits it. Or their GitHub compromised. Again, you can never be sure. So why not limit the damage that can be done once compromised.
Reply
#20
So, what is your / Kodi's response to this user?

He had an addon installed that he was happy with and kodi replaced it. How can he fix that or stop it happening again?

Remember, users are your customers. Yes, it's free but they do give donations. Without users, you have no donations and no sponsors. They should always come first.
Reply
#21
(2020-04-24, 21:28)matthuisman Wrote: Beta repos should always have at least the code of the stable repo correct?

So, if you're on the beta repo, it should be at least up to date with stable? So why the need for Kodi to replace the beta with the stable?

The user has chosen beta... Just keep them on that until they switch to stable.

It's up to the beta repositories developer to decide how to implement versioning.

(2020-04-24, 21:28)matthuisman Wrote: Pretty sure OSMC comes with the install zip enabled by default. It at least used to.
Are you saying users shouldn't use that then? They will never get a warning.
OSMC is a fork of Kodi and NOT KODI! So it's beyond the realm of this conversation.

(2020-04-24, 21:28)matthuisman Wrote: At least be constructive with your arguments. You haven't suggested any way to fix it. Do all addon devs now have to namespace their addon ids to stop kodi replacing them in the future?

And what I suggested about the addon submission to test Kodi's process. That's called white hat.

I did suggest a solution; only install repositories from trusted developers and submit plugins when possible to Kodi's repo. It solves all the problems mentioned previously.

To be frank; the issue is unique to the Kodi community as developers (mainly hobbyists/noobs) rather "CLONE" existing plugins (projects); alter and place in their respective repository. Rather than think of the greater good! If things were handled properly; plugins (projects) would be properly "FORKED" in github where updates would be shared widely between developers. The idea you need a dozen plugins either sharing the same source, containing the same code, or parsing the same website is silly. Let's consolidate work and contribute to Kodi's repository when we can.

(2020-04-24, 21:28)matthuisman Wrote: And you're saying every module has been checked? Requests? Arrow? There's no guarantee these are the same as their pip version. Could easily be changed by whoever submits it. Or their GitHub compromised. Again, you can never be sure. So why not limit the damage that can be done once compromised.
AGAIN, ALL CODE is checked during submission review; regardless of whether it's a small video plugin or a python module. We are looking for code that is harmful...
Image Lunatixz - Kodi / Beta repository
Image PseudoTV - Forum | Website | Youtube | Help?
Reply
#22
"It's up to the beta repositories developer to decide how to implement versioning."

So a user installs a beta repo and has older code than stable.
Makes sense.

This user has installed a plugin from a repo he trusts.
It's not his fault it's not in the Kodi repo.

So, what's the response to that?
Reply
#23
(2020-04-24, 21:51)matthuisman Wrote: So, what is your / Kodi's response to this user?

He had an addon installed that he was happy with and kodi replaced it. How can he fix that or stop it happening again?

Remember, users are your customers. Yes, it's free but they do give donations. Without users, you have no donations and no sponsors. They should always come first.

Let's be clear.... "customers" Kodi isn't a product for sale.

To answer the user's question; I would suggest he/she reach out to the third-party developer of the plugin in conflict. Inform them their plugin id is in conflict with one found in Kodi's repository. I would also suggest the third-party developer work with the other developer to create a single plugin with shared credit. This way the code is submitted into Kodi's repository where it benefits EVERYONE!
Image Lunatixz - Kodi / Beta repository
Image PseudoTV - Forum | Website | Youtube | Help?
Reply
#24
You say that but then have your own 3rd party beta repo.

No different than kodi adding in a new add-on by someone else using the same id as an addon in your beta repo that isn't yet in kodi repo.
Kodi is going to replace your beta repo's add-on.

And "put your addon in kodi repo" isn't a valid response.
There are many developers with various reasons not to do this.
If that's Kodi's official response - then why even have 3rd party repos?

If you want to go all Apple and lock it down - then get on with it.

And my add-on was around long before the other and also posted here in the forums.
If the other user did a simple search, they would have found it.
They could have reached out....
Reply
#25
(2020-04-24, 22:26)matthuisman Wrote: You say that but then have your own 3rd party beta repo.

No different than kodi adding in a new add-on by someone else using the same id as an addon in your beta repo that isn't yet in kodi repo.
Kodi is going to replace your beta repo's add-on.

And "put your addon in kodi repo" isn't a valid response.
There are many developers with various reasons not to do this.
If that's Kodi's official response - then why even have 3rd party repos?

If you want to go all Apple and lock it down - then get on with it.

And my add-on was around long before the other and also posted here in the forums.
If the other user did a simple search, they would have found it.
They could have reached out....
Huh? Now I'm in your headlights? I have a beta repo; where I push in-between hotfixes... and various projects in development! Then I submit a proper update to Kodi's repository. I responsibly handle my versioning, where there is no conflict with my stable builds. I also check with Kodi's repo to make sure I do not run into an id conflict.

You have to understand that id conflicts will happen. They will always happen... No matter what! Google play store doesn't allow developers to use the same package id! Get in the mindset of Kodi repo being "PRIME". If you're a developer and you develop outside of Kodi's repo; it's up to you to maintain an id that does not conflict! It sucks! But that's reality when you choose to develop in the dark. It doesn't matter who came first... I've had my share of id conflicts in the past; you move on. If you are concerned about them, submit your plugins to Kodi's repo or come up with a unique id that is unlikely to be used again.
Image Lunatixz - Kodi / Beta repository
Image PseudoTV - Forum | Website | Youtube | Help?
Reply
#26
Android doesn't allow 3rd party repos though, does it?
There is no potential for conflicts as it knows when you upload - if it's taken or not.
Also, they namespace with the developer in case of same add-ons by different developers.

Yes, they will happen - but Kodi shouldn't automatically install whatever has the highest version.
All my notes in that github are purely to put the user in control and make it harder for bad things to happen.
Nothing should happen automatically that hasn't been explicitly previously Ok'd by the user.

If it's all about version numbers, then we are going to have a hyper-inflation scenario where each addon is pushing their add-ons versions to crazy high numbers to ensure "they win".

My fix for this user's issue was pushing a higher version number, so users' Kodis would then update back to mine.
Then I had it auto-migrate to a new ID.

How silly of a fix?
I needed to use the issue to fix the issue.

If this is the only way to do it going forward, then maybe Kodi needs some notes in the developing add-on area.
Explain that any ids shared across repos will be replaced with higher version so it's important to make your ids unique now (and unique in the future)
Only way to do that is by using unique names that won't be used elsewhere (random hash string anyone?)
Still doesn't stop Bad Guy X seeing your ID and using it in his repo to force update to mineware.

Let's just remember - you hijacked this thread.
I told the user what the issue was and how to fix it.
I then showed him I was aware of it and pointed to some notes I made that could help fix it.

You just "came in hot" as usual with no constructive points except "Beta repos would suffer".
Which if you did things a slightly different way - they wouldn't.
You're forcing others to suffer and potentially get bad stuff on their installs because you don't want to change slightly.
If you want beta repo to get the stable update - then just push the same stable code to the beta repo.
It's not hard. It makes a lot more sense that what you push to a repo - is what the user gets.
Saves you having to check version numbers, make sure they are higher etc.
Makes it easier for you!

It seems very personal to you that someone even suggests there could be a better way of doing things.
I see "Team Kodi" in your title - what is your position?
I couldn't see any commits to the kodi codebase recently - I did see my name though.
You guys doing great job at making other devs want to get involved by the way.
Reply
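The behaviour argued over in this post (an add-on id published by more than one repository ends up on whichever copy carries the higher version) can be audited from the repositories' `addons.xml` indexes. The following is an added example, not code from Kodi or from anyone in this thread; the repository names, ids, versions and providers are constructed, and the version ordering is a simplified numeric one, not Kodi's own comparison.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample indexes in the addons.xml layout that Kodi repositories
# publish. Repository names, add-on ids, versions and providers are made up.
SAMPLE_REPOS = {
    "official": """<addons>
  <addon id="plugin.video.example" version="1.0.2" provider-name="dev-b"/>
  <addon id="script.module.requests" version="2.22.0" provider-name="team"/>
</addons>""",
    "repo-b": """<addons>
  <addon id="plugin.video.example" version="0.9.7" provider-name="dev-a"/>
  <addon id="plugin.video.other" version="3.1.0" provider-name="dev-a"/>
</addons>""",
    "repo-c": """<addons>
  <addon id="script.module.requests" version="100.0.0" provider-name="dev-c"/>
</addons>""",
}


def version_key(version):
    """Simplified ordering on dot-separated numeric fields (assumption:
    plain x.y.z versions; Kodi's own comparison handles more forms)."""
    key = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def parse_index(xml_text):
    """Return {addon_id: (version, provider)} for one addons.xml document.
    For indexes fetched from untrusted hosts, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    return {
        a.get("id"): (a.get("version", "0"), a.get("provider-name", "?"))
        for a in root.iter("addon")
        if a.get("id")
    }


def find_id_conflicts(repos):
    """Report ids published by more than one repository and which copy has
    the highest version, i.e. the one a version-based update would pick."""
    seen = defaultdict(list)
    for repo_name, xml_text in repos.items():
        for addon_id, (version, provider) in parse_index(xml_text).items():
            seen[addon_id].append((repo_name, version, provider))
    conflicts = []
    for addon_id, entries in sorted(seen.items()):
        if len(entries) < 2:
            continue
        winner = max(entries, key=lambda e: version_key(e[1]))
        conflicts.append({
            "id": addon_id,
            "entries": entries,
            "winner_repo": winner[0],
            "different_providers": len({e[2] for e in entries}) > 1,
        })
    return conflicts

if __name__ == "__main__":
    for c in find_id_conflicts(SAMPLE_REPOS):
        print(c["id"], "->", c["winner_repo"], c["entries"])
```

An id that appears in several repositories with different providers is the case worth reviewing by hand before allowing automatic updates.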
#27
(2020-04-24, 22:52)matthuisman Wrote: Android doesn't allow 3rd party repos though, does it?
There is no potential for conflicts as it knows when you upload - if it's taken or not.
Also, they namespace with the developer in case of same add-ons by different developers.

Yes, they will happen - but Kodi shouldn't automatically install whatever has the highest version.
All my notes in that github are purely to put the user in control and make it harder for bad things to happen.
Nothing should happen automatically that hasn't been explicitly previously Ok'd by the user.

If it's all about version numbers, then we are going to have a hyper-inflation scenario where each addon is pushing their add-ons versions to crazy high numbers to ensure "they win".

My fix for this user's issue was pushing a higher version number, so users' Kodis would then update back to mine.
Then I had it auto-migrate to a new ID.

How silly of a fix?
I needed to use the issue to fix the issue.

If this is the only way to do it going forward, then maybe Kodi needs some notes in the developing add-on area.
Explain that any ids shared across repos will be replaced with higher version so it's important to make your ids unique now (and unique in the future)
Only way to do that is by using unique names that won't be used elsewhere (random hash string anyone?)

Android allows users to optionally enable the ability to install "UNKNOWN SOURCES" where users can install any APK packages they want. Sound familiar?  

Pushing higher versions only becomes a battle between conflicting ids and is a poor solution. Unfortunately, the ONLY solution is for the plugin NOT found in Kodi's repo to change its ids.

Kodi's stance is pretty simple... Kodi does not police how users use Kodi; We inform users of the risks inherent with third-party repos, and can only be responsible for what's found in the official repository.

If developers want to work in the dark.... which again... being frank; there are only a SMALL number of reasons that would exclude a plugin from the official repo... So we encourage developers to submit and are working hard to make the process easier.
(2020-04-24, 22:52)matthuisman Wrote: Still doesn't stop Bad Guy X seeing your ID and using it in his repo to force update to mineware.
Again, leads back to users only installing trusted repositories where BAD GUY X doesn't exist.
Image Lunatixz - Kodi / Beta repository
Image PseudoTV - Forum | Website | Youtube | Help?
Reply
#28
Oh, now you're using "trusted repositories".

How do I know what is a trusted repository?
How can I trust your beta repo?
How do I know someone hasn't got your github password and pushed whatever?

You're saying Windows should just remove any anti-virus / sandboxing etc.
Instead, just tell users to only install trusted exes.

Are you just playing ignorant to win the debate?
You're saying Kodi believes no users use builds?
Saying no 80y/o users get a box setup by their cousin that has a repo installed?
No builds / forks have the warning disabled.

Or, are you saying that Kodi doesn't care about those users?
It can only be one or the other.

You seem like a developer who forgets about the end-user
You assume they are technically knowledgeable and even worse - you assume they are security conscious.

All they know is it's a media center on that little box.
They wouldn't even imagine it has the potential to use all of their bandwidth or mine coins.
Just like how people don't think their smart fridge can be hacked to order too much milk.

Who cares though right - as long as I do the minimum - I'll get my holiday once a year.

I'm done - I'm off to build a PlutoTV add-on with version 100.0.0 that uses Kodi's built-in TV / EPG so can merge with my other channels.
Reply
#29
(2020-04-24, 22:52)matthuisman Wrote: You guys doing great job at making other devs want to get involved by the way.

I recently had the same argument when another Team Kodi member called out one of my addons because I shared a link to the install file on a "dodgy" website... a website that a lot of people host their files on...a website that I have used for other addons without a single word uttered. They also ridiculed my posting style...and pointed out that there was another addon that did the same thing (which I was unaware of...and checked later to find it to be broken, at least for me). 

Don't get me wrong, I love the software, I appreciate the work being done by the team, but there is definitely an elitist attitude that is prevalent. If you're not part of the club, you might get singled out and they are sure to push people who are well meaning away.
Reply
#30
(2020-04-24, 23:12)matthuisman Wrote: Oh, now you're using "trusted repositories".
How do I know what is a trusted repository?

Not getting into a philosophical argument about "trust"... it's a subjective understanding; that never has a guarantee.

In order to install my beta repo through legitimate means, you would have to be a forum member and/or know of me. That's the "Trust" part; Background checking... Prior interactions and history.

(2020-04-24, 23:12)matthuisman Wrote: How can I trust your beta repo?
 

Well, I've been an active developer on the official forum for a number of years; have 5k posts, a positive rep.. and submitted 66+ Plugins in the official repository... That's an above-average start; however, you get the point. Actions; I'm not a fly by night developer.

(2020-04-24, 23:12)matthuisman Wrote: How do I know someone hasn't got your github password and pushed whatever?
 

Because I've enabled 2FA, and not getting into details of how someone with enough drive can crack that... it's safe relative to any computer software.
Image Lunatixz - Kodi / Beta repository
Image PseudoTV - Forum | Website | Youtube | Help?
Reply
