[Talk] Plugins Quarantine

thomthom

@chrisglasier said:

@thomthom said:

That sounds complicated and open to any kind of bugs and unforeseen issues.
SketchUp has a shared environment where all plugins reside in.

Well it isn't at least in JavaScript. After all I am only suggesting rearranging the same environment on selection of a plugin.

Javascript, WebDialogs, yes. They are isolated. In SketchUp Ruby API, no - is is shared. How do we deal with that? I cannot rewrite Ruby and SketchUp to make it work completely different from how it is designed. Do you have concrete samples of actions that could be done based in the status quo?

@chrisglasier said:

@unknownuser said:

Because of that it is each developer's responsibility to ensure they encapsulate everything to avoid clashes.

Now that does not work because you are involving human policing. Anyone can create a website. If they don't follow the language rules it won't work. It will never compromise any other website as far as I know. The existing Sketchup plugin system should be modified for the same ends.

Again - the same as above. Websites are isolated entities. SketchUp plugins are not! Oranges and apples.
The reality is that the environment is shared. We must deal with that - it's what we've been doing here for a long time and it's wasting a lot of time. Since it is shared there must be some human policing. Developers must take responsibility.

@krisidious said:

I like the idea better of a review board and or SCF approval or review board approval. then people would add their work to some submission area where everyone would look at it in their respective test installations, then if it passes muster it is added to then SCF plugin index of approved plugins. and they could advertise with some icon as such. then I could just look for the approved icon and know I'm safe.

of course who would reward this panel? this review board? as it is now Thom and Tig and some others pour over newly released plugins and warn us and the developer of errors or conflicts. while a great service to the community, these few individuals get nothing but knowledge and thanks in return.

That wouldn't make any less work for us - having to moderate every plugins there is. I want to educate, not police. I will not be on such a board.

The bottom line is:
Most plugins do work nicely with each other. It's just a very few sets that's causing trouble. But these few is causing a lot of extra work for other developers who get support request, and a lot of work for us moderators. We do realise that new developers might not know how the SketchUp plugin ecosystem works and we do provide feedback. But when this feedback is ignored, what are we to do?

chrisglasier

@TT

As usual I failed to expose essential details behind my proposal. Simply though the applications I have made using JavaScript have a core section which provides the basic mechanism to manipulate raw data and individual devices which make different types of multimedia displays from it. The devices could be loaded all at once to create a situation similar to an environment of Sketchup plugins.

Many of my devices have a start() function so the last one loaded is always current. To ensure the right start function matches the selected device I have its file reloaded after the device has been selected. I don't know if that can be done in Ruby. If so I think the comparison is valid.

Any devices with any function prefixed core will not work. Couldn't this be applied to core Sketchup as part of Trimble's application?

Just ideas ...

thomthom

@chrisglasier said:

Any devices with any function prefixed core will not work. Couldn't this be applied to core Sketchup as part of Trimble's application?

That would be something the SketchUp devs would have to do. We cannot modify the SketchUp core. A more robust plugin environment, even a sandbox feature authors can opt in for would be nice. But it's a SketchUp feature request, which is another topic all together. What can we do right now, as is? Today, or this week?

chrisglasier

@thomthom said:

@chrisglasier said:

Any devices with any function prefixed core will not work. Couldn't this be applied to core Sketchup as part of Trimble's application?

That would be something the SketchUp devs would have to do. We cannot modify the SketchUp core. A more robust plugin environment, even a sandbox feature authors can opt in for would be nice. But it's a SketchUp feature request, which is another topic all together. What can we do right now, as is? Today, or this week?

Well I could draft the request if you and the others agree to check it and endorse it ... in a new topic of course.

thomthom

Sure. Got my thumbs up for that.
I just wanted to keep this topic in the lines of what we can act on now. Not something we'll have to wait for any potential future release a few years ahead into the future. Because right now we spend hours every week on these issues.

micione

I'm sorry,
I am not an expert on the subject.
But I would like to ask a question: TIG, Thomthom, it would be possible to create a plugin (also not free) that "reads" the other plugins? To find out if you try to change the class-base, etc..
I realize that they must not be easy, but You are true professionals.

thomthom

There are so many ways base classes can be expanded - but one could perhaps catch the most common ones...

Aerilius

If there's no decision taken about total removal of such scripts, one could add a tag to the plugin post's title that is considered by the plugin index script.

TIG

@thomthom said:

There are so many ways base classes can be expanded - but one could perhaps catch the most common ones...
and... since no one pays us to do this, then it's a balance between us fixing the problems as they arise in users' posts, versus us writing a tool to fix problems, that were created by others and which they ought to fix themselves...

Fellow members... please don't get us wrong here... this kind of problem is NOT widespread...

There were some scripts a while ago that overwrote base-classes etc and messed up others' legit tools - these are now rarer. - but several of them are 'popular' and still carry the tainted code - but as they are 'old' the authors show no urgency in resolving these problems...

There are some toolbar compilations that bundle 'old system files' and install them in the wrong folders etc - again these are somewhat old tools and could readily be fixed, had the authors got the will, but because these are 'old' they show little urgency...

Some recent 'BIM/BAM/BOM' tools are 'in beta' and so they are somewhat half-baked. These can currently change the setting of any model the user opens, without the user's knowledge or prior consent... Again this can be fixed so that the changes only apply to SKPs where the user chooses to make them into 'BIM' SKPs... This needs fixing before the tools are 'safe'...

Moderators spend disproportionate time fixing these issue, so we are looking at ways of stopping them happening...
The other disproportionate 'time-waster' is the [usually-new] users who can't read/understand simple instructions and download/install/activate relatively simple sets of files+helpers without getting error messages... We are also discussing how we might reduce the 'failure-rate'

Aerilius

@unknownuser said:

but several of them are 'popular' and still carry the tainted code - but as they are 'old' the authors show no urgency in resolving these problems...

Forking&fixing (if license allows) and taking the original offline then. I know it's not our job. Or just taking them offline. Or we just add a warning but then the status quo doesn't change because there are users who don't remember from where they downloaded software or don't remember having seen such a warning.
Also a problem is that they are still distributed over other ways/websites where plugins are never updated.

@unknownuser said:

users who can't read/understand simple instructions and download/install/activate relatively simple sets of files

That is something Trimble/SketchUp should fix. A plugin installer plugin works only for users who are able to install that.

thomthom

@aerilius said:

A plugin installer plugin works only for users who are able to install that.

There is the Install Extension features of SU8M1... but it doesn't seem to be much used.

TIG

If your Simple-Plugin-Installer came as a RBZ file then if they have >=v8M2 it will put the file into 'Plugins' - it's pointless them doing it manually as it needs that version to work anyway... The instructions can be relatively clear and simple...
Although, if they can't install a single .rb file into the right Plugins folder etc then they ought to be barred from using a computer anyway
After your tool is installed then they can use that tool to install all future tools in RBZ/ZIP/RB/RBS formats...

Aerilius

Offtopic: I'm thinking whether one could include code to validate an installation and to fail gracefully in any case no matter how wrong a user messed up the files.

But that doesn't help for other plugins.

thomthom

@tig said:

If your Simple-Plugin-Installer came as a RBZ file then if they have >=v8M2 it will put the file into 'Plugins' - it's pointless them doing it manually as it needs that version to work anyway...

True, it would work better as a repackaged RBZ, with step by step screenshots of installing via Extensions.

Jim

Hi everyone. Interesting discussion; thanks for the feedback.

First I will say that I know the title "Plugins Quarantine" is a bit of hyperbole. The purpose of the quarantine is simply a resource to keep track of plugins that are behaving badly to help in trouble-shooting plugin problems. With the list in place, we can point user to the topic and say "remove these plugins if you have them installed." And with a warning message close to the download in the original plugin thread, hopefully fewer people will be tempted to install.

I am not planning on removing any but the most offensive plugins. The Matchbox plugin redefines the behavior of Array concatenation in SketchUp-Ruby. Arrays are probably the single most used data structure in Ruby and nearly every single plugin uses them. This is the problem - a single plugin can redefine the behavior of a built-in function that every other plugin relies on.

Note that with Matchbox, I only moved the download from the Plugins forum to the Quarantine post. The download is still available, and it has been downloaded 4 times since being moved in spite of the warnings!

@unknownuser said:

For my part Sketchyphysics make some troubles with some of other plugins
So use it only when you need it else rename Sketchyphysics.rb in rbo for example

This is a problem. SketchyPhysics is a great plugin, but the implementation needs improvement. I have attempted to message the author of SP, but have not had any reply. It will be quarantined until the code is cleaned up.

@aerilius said:

If there's no decision taken about total removal of such scripts, one could add a tag to the plugin post's title that is considered by the plugin index script.

I've considered this, and like the idea of an extra warning tag in the plugins index. It might happen.

Thomthom proposed there should be 2 quarantine levels - warnings and bannings. I agree. Bannings will be reserved for the worst of the worst. Most plugins will just get a warning. After all if we erase the download, we also erase the possibility for anyone to download the code in order to fix it.

thomthom

I think the Matchbox plugin is so bad it should be wiped of the face of the digital earth. Really - as you say it's been downloaded several times already within a thread strongly warning about it. I say we remove this dead horse so people don't poke it.

Jim

Also, I may set a date of "SketchUp 9" for banning any remaining troublesome plugins. That will be a good opportunity for users to cleanup their plugins folder.

TIG

I agree that Matchbox and SunPosition [?] should "disappear" - they have no merit that counteracts their problems.
SketchyPhysics has it's fan-base, but is a problem with base-class fiddling... so "warn!" and no 'support' to anyone who uses it.
DrivingDimensions is similar... BUT its author is arrogant and does nothing to fix the mess his tool makes, despite advisements... I say "strong warning!" and no 'support' [ever] to anyone who uses it.

chrisglasier

@tig said:

I agree that Matchbox and SunPosition [?] should "disappear" - they have no merit that counteracts their problems.
SketchyPhysics has it's fan-base, but is a problem with base-class fiddling... so "warn!" and no 'support' to anyone who uses it.
DrivingDimensions is similar... BUT its author is arrogant and does nothing to fix the mess his tool makes, despite advisements... I say "strong warning!" and no 'support' [ever] to anyone who uses it.

Simply if the problem is base-class fiddling then the base-classes should be protected by design not dictum. Technical prowess not personal intervention.

TIG

Well... how are you going to 'protect' these Ruby base-classes from rogue authors' 'fiddling' ?
Even the very core base-classes like Array can be added to... or much much worse overwritten by 3rd party... Let alone the 'additional' Sketchup ones.

'Looking' inside .rb scripts to find potential issues is limited because there are so many subtle ways of messing up base class/methods, and of course it's impossible with complied .rbs versions like DrivingDimensions !

I'd prefer 'personal' intervention [aka simply 'shunning' or 'forewarning-about' problem-scripts] to some draconian behemoth that polices the streets of Ruby like Judge Dread in the shadows... doling out 'justice'... for who watches the watchers ? ...

How exactly would you do this ?