Proposal: removing searching for deps and run reporting

[Ben Hoskings]

Hi all, I'm considering removing `babushka search` and the associated Babushka::RunReporter that reports dep results.

Looking through the logs, 11 unique IPs (excluding my wormly checks) have performed searches in the last seven days, so general usage is light. (I never use it myself.)

I also think that it's making a risky operation too easy: a malicious dep source can run any code. (This isn't a security issue because that's how it works by design, through the front door: a dep source is supposed to run arbitrary code.)

But, I think that it's the wrong design choice to make "find a dep in a source I've never seen and run it" an easy task, or to make it look like I'm encouraging that, when I'm not.

To be clear: this wouldn't remove automatic source cloning with the `babushka source:dep` or anything like that, just `babushka search` output (and the associated reporting).

What do you think?

Cheers

Ben

[Paul Annesley]

It's not something I've used recently.

I think when I went to write some basic installer deps ages ago I used it to see if I was duplicating somebody elses work.

Some kind of web-based index/search of public deps would be cool, but not necessary.

And there's always google for "babushka-deps site:github.com".

--
--
To post, email babush...@googlegroups.com
To unsubscribe, email babushka_app...@googlegroups.com
~
http://babushka.me
http://github.com/benhoskings/babushka
http://groups.google.com/group/babushka_app
 
---
You received this message because you are subscribed to the Google Groups "babushka_app" group.
To unsubscribe from this group and stop receiving emails from it, send an email to babushka_app...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Torsten Curdt]

But, I think that it's the wrong design choice to make "find a dep in a source I've never seen and run it" an easy task, or to make it look like I'm encouraging that, when I'm not.

To be clear: this wouldn't remove automatic source cloning with the `babushka source:dep` or anything like that, just `babushka search` output (and the associated reporting).

What do you think?

+1

cheers,

Torsten

[mcg...@gmail.com]

it looks like you already did this as babushka search shows nothing for any of my searches (git, ci, heroku). I suggest changing the docs, or giving a feature removed message when you try to search.

Richard. 

[Ben Hoskings]

I haven't removed it yet, there's just not very much data there :)

It only indexes top-level deps, i.e. the ones run from the commandline, and only from known-public sources, i.e. those starting with git://.

You can see everything indexed with `babushka search all`.

(I'm planning on removing it sometime in the next couple of weeks.)

Cheers

Ben

On 28 February 2013 09:44, <mcg...@gmail.com> wrote:

it looks like you already did this as babushka search shows nothing for any of my searches (git, ci, heroku). I suggest changing the docs, or giving a feature removed message when you try to search.

Richard. 

--

--
To post, email babush...@googlegroups.com
To unsubscribe, email babushka_app...@googlegroups.com
~
http://babushka.me
http://github.com/benhoskings/babushka
http://groups.google.com/group/babushka_app
 
---
You received this message because you are subscribed to the Google Groups "babushka_app" group.
To unsubscribe from this group and stop receiving emails from it, send an email to babushka_app...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

--
Cheers

Ben

[Ben Hoskings]

Update: I removed it :)

Searching is gone (along with bugreporting, which didn't work very well) in v0.16.4.

- Ben

--
Cheers

Ben