addon store


Don H

Jul 6, 2025, 11:25:16 AM7/6/25
to Nvda-...@nvaccess.org
Am I understanding that the add-ons listed in the NVDA add-on store have
not been verified as safe? In other words, that the add-ons listed contain no
harmful code.

Noelia

Jul 6, 2025, 11:54:00 AM7/6/25
to nvda-...@nvaccess.org
Hello:
In fact, add-ons published on the store aren't verified as safe, and we install them at our own risk.
Here I'm copying info available in the readme of the store repository, and at the bottom of this message I'll provide a link to a discussion where I give examples of difficulties I found when I tried to review add-ons. In short:
- Some add-ons contain files that cannot be reviewed, for example an executable file.
- Right now I find, on the list of available add-ons compatible with my NVDA version, 144 add-ons in the stable channel of the store. Each of these add-ons can be updated at any moment by its authors, so even if an add-on doesn't contain files which cannot be reviewed, this number is big and, in practice, I don't see how they can be reviewed.
- In case a team of persons, which imo should be big and working a lot of hours, could review these add-ons, it should be assured that these persons are trusted. I consider that NV Access is a small team working on just a repository (a project). So I cannot imagine how they could select a team of people to review add-ons, and even if this was possible, I think that some add-ons, depending on the features and code included in them, may take days or even weeks to be fully reviewed, and of course in this case authors couldn't provide updates at any moment.
- Also, add-ons not only include features presented to users, but also documentation and translations.
Here's info available on the NV Access store repository:
Add-ons are run at user's own risk, add-ons in the add-on store do not undergo human security audits. The add-on store includes the following security measures:
• Add-on file integrity can be enforced via a SHA256 checksum.
◦ The checksum allows NVDA to ensure that add-on releases are immutable.
• Code scanning with CodeQL can detect vulnerabilities in Python code included in submitted add-ons.
◦ NV Access can manage code scanning alerts, available from the Code scanning link from the Security page.
• Virus Total is used to scan submitted add-ons. If malicious content is detected, the add-on will not be automatically included in the store. Please contact the flagged security vendors to get them to review and unflag the false positive. Please email in...@nvaccess.org if you need assistance with this process.
Human review process / code audit
• NV Access doesn't require a manual review of the add-on (code or user experience) itself before the add-on submission.
• NV Access manually maintains a list of approved submitters with permission to submit an add-on to the store. The process NV Access follows is described here.
• You are welcome to review code / UX of add-ons and provide that feedback directly to add-on authors.
• The SHA256 checksum of the .nvda-addon prevents undetected changes.
• Add-ons should comply with the NVDA code of conduct. Add-ons which are malicious or otherwise break the code of conduct can be removed by:
◦ Opening a pull request to remove the submitted add-on metadata
◦ Sending an email to in...@nvaccess.org

Link to previous info:

Discussion about improving add-on reviews:


--
***
Please note: the NVDA project has a Citizen and Contributor Code of Conduct.
NV Access expects that all community members will read and abide by the rules set out in this document while participating in this group.
https://github.com/nvaccess/nvda/blob/master/CODE_OF_CONDUCT.md
You can contact the group owners and moderators via nvda-user...@nvaccess.org.
---
You received this message because you are subscribed to the Google Groups "NVDA Screen Reader Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nvda-users+...@nvaccess.org.
To view this discussion visit https://groups.google.com/a/nvaccess.org/d/msgid/nvda-users/c9374011-d94f-495b-8782-3b3e58ee420c%40adams.net.
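As an added example (not code from this thread, the store repository, or NV Access), the following Python script exercises two of the points quoted above: it verifies a downloaded package against a SHA256 checksum like the one published in the store metadata, and lists entries in the .nvda-addon archive (a zip file) whose file type cannot be reviewed as source. The extension list, the sample archive and its contents are constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile
from pathlib import PurePosixPath

# Assumed set of file types that cannot be read as source code (not from the store readme).
NON_REVIEWABLE = {".exe", ".dll", ".pyd", ".so", ".ocx"}


def sha256_of(data: bytes) -> str:
    """Hex SHA256 digest of the raw package bytes."""
    return hashlib.sha256(data).hexdigest()


def checksum_matches(package: bytes, expected_sha256: str) -> bool:
    """Compare the package digest with the checksum published for this release (constant time)."""
    return hmac.compare_digest(sha256_of(package), expected_sha256.strip().lower())


def non_reviewable_files(package: bytes) -> list[str]:
    """Return archive entries whose extension is in NON_REVIEWABLE; an .nvda-addon is a zip."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return sorted(
            name for name in zf.namelist()
            if PurePosixPath(name).suffix.lower() in NON_REVIEWABLE
        )


def assess(package: bytes, expected_sha256: str) -> dict:
    """Combine the integrity check and the reviewability listing into one report."""
    return {
        "checksum_ok": checksum_matches(package, expected_sha256),
        "non_reviewable": non_reviewable_files(package),
    }


def build_sample_addon(with_binary: bool) -> bytes:
    """Constructed sample archive standing in for a real add-on download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.ini", "name = sampleAddon\nversion = 1.0\n")
        zf.writestr("globalPlugins/sample.py", "# plugin source, reviewable\n")
        if with_binary:
            zf.writestr("lib/helper.dll", b"MZ\x90\x00")  # constructed fake binary header
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_addon(with_binary=False)
    listed = sha256_of(clean)  # plays the role of the checksum in the store metadata
    print(assess(clean, listed))                              # checksum_ok True, nothing flagged
    print(assess(clean + b"\x00", listed))                    # one appended byte: checksum_ok False
    print(assess(build_sample_addon(with_binary=True), listed))  # lib/helper.dll flagged
```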

Sarah Alawami

Jul 6, 2025, 11:54:49 AM7/6/25
to nvda-...@nvaccess.org

I'm not sure where you got that info. I would just use common sense when downloading from any store. It's as safe as any store out there. Mistakes will be made, yes, but the community will be quick to let the maintainers know, and said maintainers will do whatever it takes to get the offending add-on out.

So TL;DR, it is about 99.999 percent safe.

Thanks and happy Sunday.


Sarah Alawami | Salesforce Administrator | Accessibility Consultant | Educator

Follow me on LinkedIn.

Noelia

Jul 6, 2025, 12:02:53 PM7/6/25
to nvda-...@nvaccess.org
Hi Sarah:
Imo it's not so safe. Personally, if I like an add-on, I install it when the maintainers are known to me because they have participated in the community, or if I can review the add-on, provided that the source code is included and it doesn't contain, for example, executable files.
Of course, if I trust a maintainer I install an add-on maintained by this person without problems, and then, if I find a bug or I have a suggestion, I can report it to the add-on maintainer.
I love new add-on authors. But first I try to learn something more about this person, for example how he or she participates in the community, whether he or she is responsive, what other contributions he or she has made for the community or NVDA, etc.
If an add-on is not widely used, perhaps it contains bugs not easily detected by the community.
This is my opinion.


Quentin Christensen

Jul 6, 2025, 10:47:12 PM7/6/25
to nvda-...@nvaccess.org
To be clear, this is no different to any other add-on store.  Add-ons are given an automated virus-total scan to confirm there is no known malware etc, just as stores on other platforms do automated testing but warn about doing your own due diligence on add-ons or apps before trusting them:


Of course, if anyone has any suggestions for ways we, with our limited team, can ensure additional safety of add-ons, we would certainly look at it, although it is not feasible for a human (NV Access or community volunteers) to vet every line of code of every add-on.

Hence, we warn to be careful about add-ons.  Which is all not to take away from the wonderful ecosystem of add-ons which is out there, and of course it is also worth noting, that we have never encountered a malicious add-on in the wild.

Kind regards

Quentin



--

Quentin Christensen
Training and Support Manager

NV Access

Subscribe to email updates (blog, new versions, etc): https://eepurl.com/iuVyjo