I’d like your opinion about adding a warning banner in snippets.xwiki.org to warn about their usage: those snippets are not systematically reviewed and are often only proof of concepts. So they should be always used with taking care of reviewing the code before applying them in production environment.
To make that clear for users I propose to add a warning banner in all snippets page with the following content:
This snippet is provided by the community and has not necessarily been reviewed. Be careful to not reuse it blindly in a production environment as it might contains errors, security vulnerabilities and it could impact the confidentiality and the integrity of your data.
I don’t think we need a banner, for me this is part of the description of snippets.xwiki.org, ie that it’s code snippets contributed by the community and not reviewed and that should be used at your own risk. I.e. it’s not supported by the XWiki core devs.
Currently we just say:
Snippets are reusable portions of scripts that you can copy paste in wiki pages.
I’d update this info box.
Now if you want a banner, why not but for me it’s more about the general goal of the snippets wiki.
Thx
PS:
I don’t think we want to prevent their usage. Just warn about using them. I think you’ve just used the wrong word and you probably meant “to warn”.
Well yes the info box needs to be updated but I’m not sure it’s enough: it’s easy to miss as you might discover snippets by googling and just end up in a snippet page without reading the main description of snippets.xwiki.org.
Yeah… I’ll edit my post: bad french / english translation as usual.
+1 to update the description to make it clear that users use snippet at their own risks
+1 to repeat this in each snippet page as long as it’s not too intrusive
For example should we say on each forum page that the info mentioned have not necessarily been reviewed and the code snippets shared can contain security issues, etc too?
Should we say the same on each contrib repo README, because, even though contrib repos are supposed to follow the dev practices of dev.xwiki.org, thus including the security policy, most don’t actively apply it.
Actually this is already mentioned indirectly through the link to the development practices
Similarly, should we say on each extensions on e.x.o that is not supported by the XWiki core devs that they should be used at our own risk, that they can contain security issues, etc
This is also a bit mentioned indirectly by the “Developed by” (and soon by the Supported By).
I feel it’s good to have that info in a central location (e.g. contrib.xwiki.org home page for contrib projects, home page of exo for extensions, home page of the forum, in the desc of the xwiki-contrib GH organization maybe, etc). I’m not sure I’d repeat it on every single forum page for example, or on every single exo page (the supported by is enough IMO), or on every GH contrib repo (the link to the dev practices is enough IMO).
+1 for banner, but alternative to it I think such warning may be displayed as new entry or property for snippet page. But will it apply to all snippets after review, or this will be a new must have on creating new snippet?
I’m not sure we want to review the snippets. Also, it’s not easy to decide who’s the authority on the review. Imagine a dev saying it’s been reviewed. How do we know it’s correct?
And what if it’s been reviewed but the contributor makes a change to the page?
I just thought about it, we also have some FAQ entries that includes code examples in Velocity or Groovy. Then, should the banner cover both LD entries? With FAQ it’s quite easy to review current ones and update to valid workable content as there’re not many entries that hold cod.
What proposal doesn’t address cases, when official XWiki documentation includes links to some snippets and those links are added by XWiki developer. I.e this page AntiSpam Techniques.
IMO there should be no banner in the doc proper since it’s supposed to be verified. Now ofc, it’s possible for any contributor to add some page in the doc containing code (be it in the FAQ or elsewhere) and that it hasn’t been reviewed yet. But I don’t see an easy alternative except having a warning on the whole wiki which is probably too much.
I don’t think there’s a problem here but generally speaking I’d think we shouldn’t have links to the snippets wiki from the main doc. I think when that happens it’s probably a sign that the snippet needs to be moved to the doc proper. For example we have https://www.xwiki.org/xwiki/bin/view/Documentation/DevGuide/Scripting/APIGuide/ and not links to the snippets wiki.
I’ve just released with this message, I went beyond the main topic, as it’s more about a snippets wiki. Therefore, adding a global banner is probably not the best solution in this case.