Squid

[Plug-In] Community Applications


I'm pretty sure we talked about this before, the issues you would have is either you would need to make it a completely separate stand alone system where people have to sign up / register to use, or you would have to tie it somehow to a unique identifier, perhaps the GUID or a md5/sha1/sha256 hash of the GUID, but then you also need some way to verify that the GUID being passed is real and not made up, that's not to say it's not possible, it just needs thinking about.

 

My preference would be an API feed that integrates with, for example, CA, so a user could click a rating and put a comment directly in CA and that is pushed to the service, that would allow them to change it if they wanted as well and would be transparent to the user, but we would have to work out some way of verifying that they belong to a real system.


How about a phone home every day that states "I'm using this docker and this docker, etc..." and then you base the star rating on the count.  That would get you popularity based on use count anyway.  Obviously you would want to provide an opt out or maybe make it an opt in so that it does just start sending data you have to allow it first.


Who would opt in to that though?  Practically no one, making it useless, or worse than useless because maybe at first people would opt in but then later opt out, so even though they are still using the app it looks like the app has become less popular.


Who would opt in to that though?  Practically no one, making it useless, or worse than useless because maybe at first people would opt in but then later opt out, so even though they are still using the app it looks like the app has become less popular.

Thought that is what you would say but had to suggest it.


Definitely a resounding NO to the calling home...  (Plus something like collecting data on which applications are currently installed / running is not part of CA, as its job is merely to display available applications)

 

Like the SHA256 of the GUID.  A personally non-identifiable hash of a personally non-identifiable file.

 

But, tons of work to do in advance anyways.  #1 on the list is to start reading up on SQL and get a rough draft going with my MariaDB docker.  After that we can begin to look at hosting options.

 

 


The database part is actually very easy, the hard part is trying to stop people being able to game the system.

 

From a quick think about it, the only way I can see it would be possible is if limetech allowed us to query their system in some way, so if we sent a sha256 hash of a GUID, whether that was a valid hash, to do that they would have to store the hash next to the licence on their own system and allow us to query it, at which point they might decide to just do it all themselves.


I don't think that if the db was hosted outside of LT that they would ever allow an offsite db to query theirs.  If CA does go integrated with the OS, then I think that any db will be hosted by LT.  But that's not my decision.

 

And the more that I think of it, while I'm not particularly worried about someone gaming the system to give a particular app an extra vote or two, I am concerned about someone hacking into the entire db and messing with the entire thing.

 

Obviously, whatever code that I write will be subject to approval from whomever is hosting the db to ensure that any and all necessary controls are in place.

 

But security of the system is not what is initially worrying me.  My entire knowledge with SQL thus far is creating a DB for Kodi.  Will be doing a lot of reading over the next couple of days.


I don't think that if the db was hosted outside of LT that they would ever allow an offsite db to query theirs.  If CA does go integrated with the OS, then I think that any db will be hosted by LT.  But that's not my decision.

 

And the more that I think of it, while I'm not particularly worried about someone gaming the system to give a particular app an extra vote or two, I am concerned about someone hacking into the entire db and messing with the entire thing.

 

Obviously, whatever code that I write will be subject to approval from whomever is hosting the db to ensure that any and all necessary controls are in place.

 

But security of the system is not what is initially worrying me.  My entire knowledge with SQL thus far is creating a DB for Kodi.  Will be doing a lot of reading over the next couple of days.

 

expect to see squid's entire video db library online in the next few weeks


expect to see squid's entire video db library online in the next few weeks

My original reply to Kode was going to be along the lines of "even sparklyballs isn't narcissistic enough to game the system to grab an extra vote or two".  Now I'm not so sure...


expect to see squid's entire video db library online in the next few weeks

My original reply to Kode was going to be along the lines of "even sparklyballs isn't narcissistic enough to game the system to grab an extra vote or two".  Now I'm not so sure...

 

never underestimate my ego......


clearly written by a bitter ex.

Don't you have one of them?


clearly written by a bitter ex.

Don't you have one of them?

 

Don't we all....  ::)


clearly written by a bitter ex.

Don't you have one of them?

 

Don't we all....  ::)

+1 CHBMB gets a point


I don't think that if the db was hosted outside of LT that they would ever allow an offsite db to query theirs.  If CA does go integrated with the OS, then I think that any db will be hosted by LT.  But that's not my decision.

Not directly query it, that is what REST APIs are for

 

And the more that I think of it, while I'm not particularly worried about someone gaming the system to give a particular app an extra vote or two, I am concerned about someone hacking into the entire db and messing with the entire thing.

Don't take this the wrong way but that is the wrong attitude, if it's possible to do it (and it would be very easy to do it if not designed to prevent it), it *will* be done, hacking the database is actually less of a concern if it's someone who knows what they are doing doing it, if it's you doing it, well, that is something else as you clearly aren't that comfortable doing it.

 

Obviously, whatever code that I write will be subject to approval from whomever is hosting the db to ensure that any and all necessary controls are in place.

 

But security of the system is not what is initially worrying me.  My entire knowledge with SQL thus far is creating a DB for Kodi.  Will be doing a lot of reading over the next couple of days.

I could probably do the entire thing in a few hours all you would do from CA is post to a url with the hash, an application identifier, the rating, and a comment, maybe a username as well if you wanted that displayed (else it would be anonymous), but there are too many unknowns at the moment


I don't think that if the db was hosted outside of LT that they would ever allow an offsite db to query theirs.  If CA does go integrated with the OS, then I think that any db will be hosted by LT.  But that's not my decision.

Not directly query it, that is what REST APIs are for

 

And the more that I think of it, while I'm not particularly worried about someone gaming the system to give a particular app an extra vote or two, I am concerned about someone hacking into the entire db and messing with the entire thing.

Don't take this the wrong way but that is the wrong attitude, if it's possible to do it (and it would be very easy to do it if not designed to prevent it), it *will* be done, hacking the database is actually less of a concern if it's someone who knows what they are doing doing it, if it's you doing it, well, that is something else as you clearly aren't that comfortable doing it.

 

Obviously, whatever code that I write will be subject to approval from whomever is hosting the db to ensure that any and all necessary controls are in place.

 

But security of the system is not what is initially worrying me.  My entire knowledge with SQL thus far is creating a DB for Kodi.  Will be doing a lot of reading over the next couple of days.

I could probably do the entire thing in a few hours all you would do from CA is post to a url with the hash, an application identifier, the rating, and a comment, maybe a username as well if you wanted that displayed (else it would be anonymous), but there are too many unknowns at the moment

No offense taken at all...  This is all completely brand new to me. 

 

The posting of a url with the appropriate info really appeals to me, since SQL is completely new, although I initially see some complications with that.  Namely editing of posts, etc.  But those hurdles can be climbed.

 

 


That wouldn't be that much of an issue with the GUID hash and the application identifier, the combination of which would easily allow for editing


Like the SHA256 of the GUID.  A personally non-identifiable hash of a personally non-identifiable file.

 

I assume you are talking about a hash of the flash GUID?  It's unique, controlled so hard to game, non-identifiable once decently hashed, and deterministic so nothing to store (or client storage code to write).  I see it on the Vars page, down at -

    [var] => Array
        (
            [MAX_DEVICES] => 25
        ...[snipped]...
            [flashGUID] => 154B-0005-0000-6E6B120022AD

 

Or it could be grepped from the syslog.


Yeah, the problem is anyone could pass a fake GUID and we wouldn't know that it wasn't a real one.


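The storage side of the scheme discussed in the posts above (a POST carrying the GUID hash, an application identifier, a rating and a comment, with the hash plus application identifier allowing edits), as an added example that is not code from the thread or from CA. The 1 to 5 scale, the length limits, the table layout and all function names are assumptions; the sample GUID is the one shown on the Vars page above.

```python
import hashlib
import re
import sqlite3

HEX64 = re.compile(r"[0-9a-f]{64}")

def guid_hash(flash_guid):
    """Client side: send SHA-256 of the flash GUID, never the GUID itself."""
    return hashlib.sha256(flash_guid.strip().upper().encode("ascii")).hexdigest()

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # One row per (system, application): the composite key is what makes
    # a second submission an edit instead of a second vote.
    db.execute("""CREATE TABLE IF NOT EXISTS ratings (
        guid_hash TEXT NOT NULL,
        app_id    TEXT NOT NULL,
        rating    INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5),
        comment   TEXT NOT NULL DEFAULT '',
        PRIMARY KEY (guid_hash, app_id))""")
    return db

def submit(db, ghash, app_id, rating, comment=""):
    """Validate one posted rating and store it; returns 'created' or 'updated'."""
    # Format check only: it cannot tell the hash of a real GUID from a
    # fabricated one, which is the open problem raised in the thread.
    if not isinstance(ghash, str) or not HEX64.fullmatch(ghash):
        raise ValueError("guid hash must be 64 lowercase hex characters")
    if type(rating) is not int or not 1 <= rating <= 5:
        raise ValueError("rating must be an integer from 1 to 5")
    if not app_id or len(app_id) > 128 or len(comment) > 1000:
        raise ValueError("app_id or comment has an invalid length")
    key = (ghash, app_id)
    existed = db.execute(
        "SELECT 1 FROM ratings WHERE guid_hash = ? AND app_id = ?", key).fetchone()
    # Placeholders keep user-supplied text out of the SQL statement itself.
    db.execute("INSERT OR REPLACE INTO ratings VALUES (?, ?, ?, ?)",
               key + (rating, comment))
    db.commit()
    return "updated" if existed else "created"

def summary(db, app_id):
    """Return (number of ratings, average rating) for one application."""
    return db.execute("SELECT COUNT(*), AVG(rating) FROM ratings WHERE app_id = ?",
                      (app_id,)).fetchone()
```

Because the hash is deterministic, the client stores nothing: it recomputes the same key on every submission, and the server sees only the hash.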
Yeah, the problem is anyone could pass a fake GUID and we wouldn't know that it wasn't a real one.

One of many problems...

 

I guess you could register to be able to rate / comment.  Or like you said do a check against the GUID in LT's db.  Or do both...

 

All of this is really starting to sound like the only real solution is to actually have LT host the db.  Excepting of course keeping the status quo and if you like the app register @ docker and star / comment there - (I can see sparklyballs getting a docker alias and starring all his containers  ;) Why wouldn't he.  He does awesome work around here and deserves more stars than he has)

 

The net result is that since as jonP posted CA will eventually become integrated, and I would think that it's a no-brainer that any db for ratings would be hosted by them that there's not much more that can be done on the ratings system until that happens, beyond basic programming for look & feel with my internal builds.

 

You wouldn't think that the last piece of the puzzle would be the hardest to fit in...  Nor that this chain of plugins (Repo Update -> Community Repositories -> Community Applications) was actually started by an off-the-cuff remark by Binhex

 

i was looking at creating a "SuperRepo"  on git that pulls from all the other repos so that users only need to reference one repository for all docker apps, might revisit this when i get a min  ;D

Awesome idea.  Would be the Binhex/unRaid appstore.

 

Updated OP  Thanks


Updated ( sorry archedraft  ;) ) to 2015.08.24

 

Well, this plugin was compliant with all of the new security measures being introduced in unRaid, but during 6.1RC6 development, LT discovered another security hole which affected a routine which CA happened to use (I'm probably the only plugin author who uses this particular routine)

 

The net result is that yet another update had to be issued.

 

Update has been tested on 6.01, 6.1 RC-5, and 6.1RC6.  I *think* it will be OK on 6.0, but don't still have a bzroot / bzimage for that release (not to mention I don't have 6.1 RC1-4 anymore either)

 

So, in a nutshell if you are running 6.0 or 6.1 RC1-4 those versions are no longer supported by this plugin, and you should upgrade to either 6.0.1 or 6.1RC6+  (not to mention that the plugin looks better on RC5+)

 

 


... LT discovered another security hole which affected a routine which CA happened to use (I'm probably the only plugin author who uses this particular routine)

 

Well this rc6 security change affected a large part of the webGUI too, you are certainly not alone here :D


Updated to 2015.09.01

 

For the first time in a while, an OS update for unRaid did NOT require an update for CA to be operational  ;D

 

However, dockerHub coincidentally slightly modified their website with the net result that the conversion routines for dockerfiles (if  you enabled dockerHub searches) would not work correctly.  >:( I guess that if I didn't have bad luck, I'd have no luck at all.

 

 

Other changes (which I was originally holding off on until the next feature is debugged):

 

- Removed a few options from the settings, as effectively they are now deprecated.  This would namely be Update Reminder time, and Use Application Feed, and auto-update

 

There is now no way to permanently disable within CA the use of the application feed.  (If you're going to use this plugin, you might as well use it properly).  The plugin will automatically update the list of applications from the feed every time you enter the plugin (takes a second or two).  As mentioned previously, there can be a delay of up to ~2 hours for a new application to appear within the feed.  For this reason, the Update Applications button is still present.  If you KNOW that a new app is available, but CA isn't displaying it, either wait 2 hours, or hit Update Applications.

 

Because the CA by design automatically updates itself with the appFeed, the auto-update settings, and the update reminder time became pointless.

 

 

Further results from dockerHub is an optional feature and can be enabled within the settings.  I have added a "Suggested Search Terms" for when CA *thinks* it can come up with a better term than what you were using.  As usual, if you have dockerHub search enabled, then clicking on the app name within the recommended apps or hub Search results will search for more results..  Clicking on the author in hub results will search more from the author, etc.  Everything has balloon tips, so just hover over anything on the screen to find out what it does.

 

Also some minor graphics / pop up changes, and too many under the hood changes to list.

 

Plugin is still completely compatible with 6.1 and 6.0.1.


You must love that spinning ring  ... when doing an update it's all over the place  ;D

 

But honestly, thanks for the update!
