Re: [Security] Extension reviews
On Oct 8, 2015 3:13 AM, "Sam Bull" <sam hacking sent com> wrote:
>
> Am I right in thinking that a reviewer sees the same page as the author
> when looking at a new version of an extension, just with the additional
> option to approve the extension?
>
> If this is the case, then it is trivial to sneak malicious code through
> the review process.
>
> Steps to reproduce:
>         Insert malicious code into extension and submit new version.
>         Go to review page and reject your new version.
>         Change shell version or some other trivial change.
>         Upload new version.
>         Observe review page shows a diff from the rejected version, thus
>         the reviewer only sees the trivial change and approves the
>         extension.
>
> If this is right, then the review diff really needs to be changed to
> show a diff from the last APPROVED version.

You're right in your analysis. Back when I was still reviewing extensions I used to look manually through all rejected versions (as a rejected version may have meant something was wrong), which is painful but works.
Right now nobody is maintaining the extension website, so it's unlikely that we would see this change happen.
(On the other hand, I think the automatic approval for metadata and doc changes considers the last approved version. If not, then we have a problem).

Giovanni
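The flaw described in the thread, and the fix Sam proposes (diff against the last approved version rather than the last submitted one), as an added illustration that is not code from the thread or from the extensions website; the version numbers, statuses and file contents are constructed.

```python
# Added example (not the extensions website's code): picking the base of a review diff.
import difflib
from dataclasses import dataclass


@dataclass
class Version:
    number: int
    status: str   # "approved", "rejected" or "pending" (constructed statuses)
    files: dict   # filename -> content


def last_approved(history):
    """Most recent version a reviewer actually approved, or None."""
    approved = [v for v in history if v.status == "approved"]
    return approved[-1] if approved else None


def review_diff(history, candidate, base="approved"):
    """Unified diff shown to the reviewer for `candidate`.

    base="previous" reproduces the flaw from the thread: the diff is taken
    against whatever was submitted last, even if that submission was rejected,
    so a reject-and-resubmit cycle hides everything already in the rejected one.
    base="approved" diffs against the last approved version instead.
    """
    older = (history[-1] if history else None) if base == "previous" else last_approved(history)
    old_files = older.files if older else {}
    old_tag = f"v{older.number}" if older else "v0"
    out = []
    for name in sorted(set(old_files) | set(candidate.files)):
        a = old_files.get(name, "").splitlines(keepends=True)
        b = candidate.files.get(name, "").splitlines(keepends=True)
        out.extend(difflib.unified_diff(a, b, f"{old_tag}/{name}", f"v{candidate.number}/{name}"))
    return "".join(out)


# Constructed history following the steps in the thread: v2 changes the code and is
# rejected; v3 only bumps the shell version on top of v2 and is now under review.
META_OLD = '{"shell-version": ["3.16"]}\n'
META_NEW = '{"shell-version": ["3.18"]}\n'
V1 = Version(1, "approved", {"extension.js": "function enable() {}\n", "metadata.json": META_OLD})
V2 = Version(2, "rejected", {"extension.js": "function enable() { /* new code */ }\n", "metadata.json": META_OLD})
V3 = Version(3, "pending", {"extension.js": "function enable() { /* new code */ }\n", "metadata.json": META_NEW})


def flaw_hides_change():
    """True when the naive diff omits extension.js but the approved-base diff shows it."""
    naive = review_diff([V1, V2], V3, base="previous")
    fixed = review_diff([V1, V2], V3, base="approved")
    return "extension.js" not in naive and "+function enable() { /* new code */ }" in fixed
```

With the constructed history, the naive diff contains only the metadata.json change, while the approved-base diff also surfaces the extension.js change carried over from the rejected v2.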
