[rkward-devel] install packages from git

meik michalke meik.michalke at uni-duesseldorf.de
Sun Dec 6 13:17:36 UTC 2015 

hi,

Am Sonntag, 6. Dezember 2015, 13:24:14 schrieb Thomas Friedrichsmeier:
> Even more useful, if the plugin already came pre-installed, so if we
> want Joe User to try the latest version of plugin XY, we could simply
> tell them "Click on this link

exactly. at first, i only wanted to make it more obvious to users that R 
packages can be installed directly from git source repos. when i was finished, 
i remembered that a while ago we made rkward:// links work system wide.

as for security, it sure is something to deeply care about, and actually this 
is not a new problem. in theory, rkward:// links could already be misused, i 
guess. a possible scenario could be: fill the plugin fields with content that, 
if it ended up in the generated R code, would rewrite it to do completely 
different stuff. e.g., instead of calling an data object "x", call it 
"x)\nsystem(...)" or something. this could work with any plugin, unless RKWard 
provides some sort of counter measures.

a first one could be a warning message before the actual dialog is opened, but 
that would only make sense if RKWard can detect whether it was called from its 
own run-again links (where the warning would be annoying) or from outside.

> In other words, I think it would make sense to include this in the
> official distribution (and have it activated by default), only I'm not
> quite sure, where it would go:
> 
> 1) It does not get added to the menu at all, assuming users are
> unlikely to use the plugin manually, in the first place.

hm, given that *i* originally wanted to use it, i wouldn't hide it from users 
;-)

> 2) Add it to File->Import, somewhere.

i wouldn't look for plugin installation in the "import" section, because it 
doesn't really import anything.

> 3) Add it to Settings, below "Manage R plugins and packages", which
> may mean making it *too* prominently visible, though.

that't where it's added at the moment (called "install from git"). my feeling 
was, it should actually be part of the package installation dialog, but i 
wouldn't add another tab to it. how about having a "install from git" button 
as part of the package install tab? that wouldn't be too prominent, but at the 
same time where it would look for something like that at first.

> (*): Seriously, this does raise some interesting questions on system
> security. Although, at least, opening a plugin from a link never
> auto-submits it (and it looks very reasonable to keep it that way, in
> light of this).

+1


viele grüße :: m.eik

-- 
  dipl. psych. meik michalke
  institut f"ur experimentelle psychologie
  abt. f"ur diagnostik und differentielle psychologie
  heinrich-heine-universit"at d-40204 d"usseldorf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/rkward-devel/attachments/20151206/4d317708/attachment.sig>

More information about the rkward-devel mailing list