Hey, thanks for a detailed review Caleb!
I have addressed all of your comments below in detail:
Updated the Section 2(Project Summary) part with more details. I hope this addresses your concern!
These are some really important points, here are my thoughts! As we understand that Human Involvement is essential for safety, right? We can't fully automate trust. But we can make the human review process fast and efficient so the delay is minimized.
Thoughts on Security Update Problem:
This is actually a nuanced problem. We can think about it from two angles:
The old system's 30 minute security fix is actually a false advantage. Here's why:
- Yes, a plugin author could push a security fix and it reaches users in 30 minutes
- But that same 30 minute window is also how a malicious update reaches users in 30 minutes
- The old system can't distinguish between a genuine security fix and a malicious update so the speed advantage cuts both ways
A security fix takes longer but users can trust it's actually a fix and not an attack disguised as one.
Thoughts on UX(making review process fast):
1. Automated scanning:
- Semgrep + socket.dev run automatically
- If scans pass cleanly, reviewer only needs to check the diff
- Most legitimate security fixes are gonna be small and obvious to review quickly
2. Priority labels for security updates
- Plugin authors can label their PR as "security fix"
- Reviewers prioritize these above regular submissions
3. Expedited review for recommended plugins
recommendedplugins are from trusted, well-known developers, their updates get priority in the review queue
4. AI assisted review
- After Semgrep and socket.dev pass, an AI model analyzes the source and posts a structured report as a PR comment. Summarizing what the plugin does, detected capabilities (network access, filesystem, eval usage), and for updates, a plain English diff summary
- Reviewer verifies the report rather than reading raw code from scratch, significantly reducing cognitive load
- AI assists, never replaces — final approval always requires a human
- A discussion about this can be found here: [Vetting Process]
You're right! the framing was misleading and I will update the proposal. It's a genuine trade-off, we lose speed but gain verification. I've addressed how we plan to minimize the delay right above this.
I spent some time trying to fit npm into the workflow but every approach I tried just added complexity without meaningful security gains. The .jpl still needs to be built somewhere trusted, and that has to be GitHub Actions anyway. So the source would go GitHub → npm → back to GitHub to build, which doesn't add anything at the build step. The only real benefit of npm would be native socket.dev integration, but we can run socket.dev directly on the cloned source without publishing to npm at all.
The only genuine concern I have with dropping npm is plugins that don't have a public git repository. But looking at the current plugin list, these are a very small minority. Plugins without a public repo would simply remain unreviewed permanently, which seems like a reasonable trade-off.
That said, I want to make sure I'm not missing something important here. Is there a specific security or workflow benefit of npm that you feel my current approach doesn't cover? I'm open to reconsidering if there's a strong reason I haven't thought of!
Regarding other forges — great point, I missed that completely! I will update the proposal to make the system forge-agnostic from the start. The review system only requires a public git repository URL and a commit hash, not a GitHub-specific URL. Developers on GitLab, Codeberg, or any other forge submit the same way. The automated scanning runs on the cloned source regardless of where it's hosted. The only GitHub-specific part is the review PR itself, which lives in joplin/plugins — Joplin's existing infrastructure.
You're right, poor word choice on my part. I will update "distributed" to "made available" throughout the proposal. The meaning was that any malicious plugin becomes available to all Joplin users within 30 minutes with no human review, not that it gets pushed automatically.
That's really good advice, thank you! I'll be honest, I was trying to show maximum commitment but you're right that it's not realistic. I will update the timeline after thoroughly reviewing my semester timetable.
Looking forward to your thoughts and happy to iterate further on this!