778 - Restrict tagging on open repos
Open repos allow anybody to create a tag and thus create a new beta or release that's posted on Curse. Currently people that have not worked on a project at all are creating tags via svn just to get new versions posted on Curse for patch 3.0.2 when the project hasn't even been fully updated to work with 3.0.2.
Open repos need to block tag creation by anybody that is not on the project's author list or is not a site moderator (or higher).
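One way to enforce the rule requested above at commit time, as an added example that is not the site's actual patch: the decision a Subversion pre-commit hook could make from the output of `svnlook changed -t TXN REPOS` and `svnlook author -t TXN REPOS`. The project name, author list, moderator list and the root-level `tags/` layout are assumptions.

```python
import re

# Assumed data: a real hook would load these from the hosting site's records.
PROJECT_AUTHORS = {"exampleaddon": {"alice"}}
SITE_MODERATORS = {"mod_bob"}

# Assumes the conventional layout with tags/ at the repository root.
TAG_PATH = re.compile(r"^tags(/|$)")


def changed_paths(svnlook_changed):
    """Parse `svnlook changed` output: status flags, then the path at column 4."""
    for line in svnlook_changed.splitlines():
        if len(line) > 4:
            yield line[:3].strip(), line[4:]


def check_commit(project, author, svnlook_changed):
    """Return (allowed, reason) for one pending commit."""
    tag_paths = [p for _, p in changed_paths(svnlook_changed) if TAG_PATH.match(p)]
    if not tag_paths:
        return True, "no tag paths touched"
    if author in PROJECT_AUTHORS.get(project, set()):
        return True, "project author"
    if author in SITE_MODERATORS:
        return True, "site moderator"
    return False, f"{author!r} may not change {tag_paths[0]}"


# Constructed sample inputs (not taken from a real repository).
TAG_COMMIT = "A   tags/3.0.2-beta/\nA   tags/3.0.2-beta/Core.lua\n"
LOCALE_COMMIT = "U   trunk/Locales/ruRU.lua\n"

if __name__ == "__main__":
    for who in ("alice", "mod_bob", "translator_carol"):
        print(who, check_commit("exampleaddon", who, TAG_COMMIT))
    print("translator_carol", check_commit("exampleaddon", "translator_carol", LOCALE_COMMIT))
```

Because the check covers every path under `tags/`, it also stops a non-author from modifying or deleting an existing tag, while ordinary trunk commits such as localization updates still pass.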
| User | When | Change |
|---|---|---|
| Torhal | Fri, 03 Jun 2011 19:20:35 | Changed status from Accepted to Fixed |
| Torhal | Fri, 03 Jun 2011 17:02:45 | Changed assigned to from None to prencher |
| Ackis | Tue, 01 Feb 2011 18:00:53 | Changed assigned to from ckknight to None |
| Ackis | Fri, 27 Mar 2009 19:50:05 | Changed component from None to Component #18 |
| Ackis | Tue, 06 Jan 2009 18:59:17 | Changed assigned to from None to ckknight |
| Arrowmaster | Fri, 17 Oct 2008 23:31:31 | Create |
Facts
- Last updated on: 03 Jun 2011
- Reported on: 17 Oct 2008
- Status: Fixed - Developer made requested changes. QA should verify.
- Type: Defect - A shortcoming, fault, or imperfection
- Priority: Critical - Must resolve in the specified milestone.
- #15
Kaelten, Wed, 21 Jan 2009 15:59:37
We're meeting the camps halfway.
Today we're pushing a patch that will require someone to be an author on a valid project in order to commit to an open repo.
WowAce.com & CurseForge.com Administrator
Check out my new addon, OneChoice, it helps you pick quest rewards faster.
Developer of Ace3, OneBag3, and many other addons and libraries
Project lead and Mac developer for the Curse Client
- #14
Nayala, Sat, 01 Nov 2008 17:27:52
This should be a separate option if I made my repositories open, which in my case I have and have given translators blanket permission to update my addons, I don't see why I as an author shouldn't have the option of allowing them to tag as well.
An idea: Allow non-author/moderator tags but show them as something besides the normal Beta/Release in Curse. (For example the packager would have to check who committed the SVN tag directory when deciding how to classify the file. It would also require the bug to be fixed where tagging from the web shows the commit as the wrong user.) This sounds like a good solution for repo clones as well.
Again this should be if the author wishes tagging, etc. to really be open. I understand the security concerns, as I have found and reported problems in addons on other sites in the past, including something that messed with auction house pricing.
- #13
Swix, Sun, 19 Oct 2008 07:01:09
You're right, it's all good... but what must I do with the updated localization file for this addon?
- #12
Arrowmaster, Sun, 19 Oct 2008 04:57:12
If a project is not being maintained by somebody then new release versions should not be posted. This is to prevent the exact problem that happened with WowAce where projects that were dead for over a year and did not work properly were getting repackaged and people then saw 'last updated 2 days ago' or something and thought it really was a new version.
As for what site moderators will do, I am a site moderator on both WowAce and CurseForge and will help to get 'beta' files for addons with missing authors posted depending on the project and its current state. As a counter point example though, right now somebody is trying to fix Cartographer2 but I refuse to allow anybody other than Ckknight (the author) or anybody I don't trust to post a beta file for it. This is because I know first hand from previously maintaining it and reviewing the code that it is outdated and needs a serious rewrite even though it might 'work'.
- #11
Swix, Sat, 18 Oct 2008 14:56:38
Xinhuan, if an addon is working fine for this WoW version, people will use this addon, even if it is abandoned. It's a habit. Look at cyCircled, for example. The addon is abandoned, but people still love it and downloaded it 20k times in two days. Why not? As APP says, there is hope still... Why not?
- #10
Xinhuan, Sat, 18 Oct 2008 14:29:08
Swix, as others have said, if the author is not around, then the addon is abandoned and should no longer be used.
- #9
Swix, Sat, 18 Oct 2008 13:02:35
Xinhuan, OK. But if the author is not accessible now, what then?
I'm trying to say that, with public tagging closed, some system for updating locales must be implemented. For example, if some people ("site moderators") tagged releases, it would be great.
- #8
Xinhuan, Sat, 18 Oct 2008 13:00:25
Swix, any tags should be done by the author(s). The author should look at the localization updates and make sure they are correct and working before tagging it.
- #7
Swix, Sat, 18 Oct 2008 12:58:30
Nevcairiel, then localization updates will be dead... Why are you thinking only about yourself? People in other countries, with other locales, want to download releases with their locale through the client. Why not?
Nobody is talking about abandoned projects, Arrowmaster, stop bawling...
- #6
Xinhuan, Sat, 18 Oct 2008 12:56:40
This is a very serious security issue. Right now, anyone can create a Curse Account, and insert malicious code into any addon that has an open repository, tag it and the malicious code gets distributed via Curse Client.
Malicious code can easily include code that mails away your gold/items, deletes your items, etc.