Asdf: Feature Idea: asdf install to also install plugins

Created on 22 Jan 2018 · 7Comments · Source: asdf-vm/asdf

First of all, thanks for asdf - it's a pleasure to work with! Especially when using multiple languages. Also love how it's gradually gotten better (love installing plugins by name!)

This is just an idea for a little feature improvement that I'd like to see.

Steps to reproduce

Get a repo with a .tool-versions of many different plugins. Run asdf install

$ cat .tool-versions 
rust 1.23.0
crystal 0.24.0
nodejs 9.3.0
elixir 1.6.0
haskell 8.2.2
clojure 1.8.0
golang 1.9.2
ruby 2.5.0

Expected behavior

I'd have loved that despite installing all the versions of plugins I already got it'd also install the plugins themselves (i.e. I don't have haskell installed, first install it then the specified version).

Actual behavior

On the first plugin it doesn't have installed, asdf aborts.

$ asdf install
rust 1.23.0 is already installed
# lots of stuff
No such plugin # hit haskell here

Environment

OS: Linux Mint 18.3

asdf version: 0.4.1

enhancement help wanted

Source

PragTob

👍16

Most helpful comment

Looks like it is forgotten, but the feature idea is cool!

kvokka on 22 Oct 2018

👍4

All 7 comments

I don't have much time right now but I do want to weigh in on this. I have some concerns about the security aspects of this. Here is a scenario:

Malicious code gets into a plugin in our plugins repo/list (quite possible, since we don't control most of them)
asdf user clones down a git repository for an open source project. Project contains a .tool-versions file that references the asdf plugin in the plugin repo containing malicious code.
User runs asdf install. Malicious code in plugin is invoked and can do anything on the users system.

Notice the user did not run any code in the software project they just cloned down. Maybe they don't actually trust the code at all. But it's not obvious to the user that the .tool-versions file is actually dictating what code is downloaded and run on their system when they run asdf install.

While this may not be very likely, it is possible and poses a very real security risk. I know that this issue just builds on the previous plugin-repository work, but I think this is probably a bad idea. If we do decide to move forward with this there must be a configuration setting added to asdf to disable this functionality entirely, so that paranoid people like me can sleep at night. I manually install all my asdf plugins so I know exactly what's installed on my system (https://github.com/Stratus3D/dotfiles/blob/master/scripts/setup.sh#L127). I do not let the plugin repository dictate what gets installed.

Stratus3D on 23 Jan 2018

And yes, we should be doing security auditing of all plugins we list in the plugin repository. I don't really have any experience with security auditing, and I don't really have the time to learn enough and then automate the process for plugins, but it needs to be done if we are going to continue to providing a list of canonical plugins to asdf users.

Stratus3D on 23 Jan 2018

👍1

:wave:
Thanks for the answer! My idea would be to at least get user confirmation during this like "This needs plugin xyz (link to repo) - shall I install it? Y/n" - I hope this would alleviate some of your concerns :)

In general I agree. Installing random stuff from the Internet is always scary :)

PragTob on 23 Jan 2018

@PragTob confirmation with the repo URL is a good idea. I'd be ok with that, assuming there was an option added to the .asdfrc to toggle this feature (or maybe all the plugin repo niceties).

Stratus3D on 23 Jan 2018

I also agree with @Stratus3D that we could make this configurable.
I personally never felt that having to manually adding the plugin was particularly a burden, but if someone would like to work on this I am open to the idea.