Add ARK PubId Plugin by lurymorais (v3.0.0.0) #492
Added ARK plugin details including names, descriptions, maintainer info, and release details.
Thanks, @lurymorais! I do recommend changing the following...

<version>3.5.0.0</version>
<version>3.5.0.1</version>
<version>3.5.0.2</version>
<version>3.5.0.3</version>
<version>3.5.0.4</version>

...for the semantic versioning form, which is more future-proof:

<version>~3.5.0.0</version>

@bozana, would you mind taking a look at the plugin?
Removed versions 3.5.0.1 to 3.5.0.4 from plugins.xml.
@asmecher Done!
Hi! Just checking in on this PR. It's been a couple of weeks and I wanted to see if there's any feedback needed. Also, I wanted to mention that I've released v3.0.0.0 of the plugin with new features and security improvements. Should I update this PR to the latest version, or would you prefer to review v2.0.0.0 first? Thanks!
Hi @lurymorais, sorry for the delay -- too many PRs to review lately...
Security review — this cannot be merged as is

The README discloses the existence of a data-sharing/telemetry system and describes two levels (Basic and Complete). That partial disclosure is noted. However, the code does more than the README describes, and there are critical security vulnerabilities that are unrelated to telemetry. The plugin.xml entry proposed for the gallery makes no mention of the telemetry or data collection whatsoever — meaning journal managers would install this plugin with zero indication that their journal data will be sent to a third-party server.

What the README does not disclose:

What a journal manager actually sees during installation:

Critical security vulnerabilities (independent of telemetry):

On the GDPR/LGPD compliance claim:

On the stated motivation:
No persistent credential, no pull endpoint, no ark_admin_secret, no per-journal registration, no contact email — none of that is needed for a statistics dashboard.

Questions for the author:
Hi @lurymorais, during the security review I found some serious problems. The technical issues like the unauthenticated save_ajax.php endpoint and missing database migrations are fixable. But can you answer the questions above and explain the data collection architecture? The plugin registers a persistent authentication credential on revistacarnaubais.com.br for every journal that installs it, creates a remotely accessible endpoint that your server can call at any time to pull journal data, and includes a token regeneration mechanism that gives your server permanent irrevocable access to that endpoint — none of which is disclosed to the journal administrator during installation. I do not think we can recommend this plugin to thousands of journals worldwide without understanding exactly what it does with their data.
Pinging also @asmecher.
Hi @bozana (and @asmecher too)! Some news about ark-plugin.
Telemetry Server

The telemetry server code is now available at:

It handles:

Documentation Updated

Answers to Your Questions

1. What is the ark_admin_secret used for, and why is it not disclosed in the README?
It has been removed. The token regeneration mechanism no longer exists. No persistent credentials are stored.

2. Why does the plugin need a pull endpoint rather than a simple push from the journal?
The pull endpoint was removed. The plugin now uses a pure push model.

3. Why is the journal's contact email collected even at the Basic telemetry level?
It was removed. No emails are collected. Only NAAN, ARK count, and plugin version.

4. What is save_ajax.php doing bypassing OJS authentication entirely?
It now requires OJS authentication, CSRF token, and proper roles (Manager/Editor).

5. Who has access to the data stored at revistacarnaubais.com.br, and what is the data retention policy?
Just me. Data retention is 24 months with automatic deletion.

Data retention:

The plugin is ready for re-review. If any inconsistency happens to arise, we will work to resolve it.
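For readers following the save_ajax.php discussion above (the reviewer's finding that the endpoint bypassed OJS authentication, and the author's reply that it now requires OJS authentication, a CSRF token and a Manager/Editor role), the following is an added illustration of what those three checks look like in an OJS plugin handler. It is not the ark-plugin's code and was not taken from this PR; the handler class, the operation name `saveArkSettings`, the plugin name passed to `PluginRegistry::getPlugin()` and the NAAN validation rule are constructed for the example, while the PKP core helpers (`Validation::isLoggedIn()`, `$request->checkCSRF()`, `User::hasRole()`, the `Role::ROLE_ID_*` constants and the authorization policies) are used under the names they carry in PKP's `lib/pkp`. The point is that a request has to pass through OJS's dispatcher and `authorize()` rather than reaching a standalone PHP file that runs before any of this happens.

```php
<?php
// Added example (not the ark-plugin's own code): an OJS plugin handler whose
// save operation is only reachable by an authenticated user holding a valid
// CSRF token and a Manager or Editor role in the current journal.
// Handler/op/setting names are assumptions for illustration.

use PKP\core\JSONMessage;
use PKP\handler\PKPHandler;
use PKP\plugins\PluginRegistry;
use PKP\security\Role;
use PKP\security\Validation;
use PKP\security\authorization\ContextAccessPolicy;
use PKP\security\authorization\RoleBasedHandlerOperationPolicy;

class ArkSettingsHandler extends PKPHandler
{
    // Roles allowed to change the plugin's settings (assumed policy:
    // journal manager and journal editor, which OJS calls sub-editor).
    private const ALLOWED_ROLES = [Role::ROLE_ID_MANAGER, Role::ROLE_ID_SUB_EDITOR];
    private const OPS = ['saveArkSettings'];

    public function __construct()
    {
        parent::__construct();
        // Declare which roles may invoke which operations.
        $this->addRoleAssignment(self::ALLOWED_ROLES, self::OPS);
    }

    // OJS runs authorize() before dispatching the operation. The two policies
    // reject anonymous requests and users without an allowed role in this
    // journal, so the op body never runs for them.
    public function authorize($request, &$args, $roleAssignments)
    {
        $this->addPolicy(new ContextAccessPolicy($request, $roleAssignments));
        $this->addPolicy(new RoleBasedHandlerOperationPolicy($request, self::ALLOWED_ROLES, self::OPS));
        return parent::authorize($request, $args, $roleAssignments);
    }

    public function saveArkSettings($args, $request)
    {
        // Defence in depth: repeat the session check inside the operation ...
        if (!Validation::isLoggedIn()) {
            return new JSONMessage(false, 'Not authenticated');
        }
        // ... require the CSRF token so a cross-site form post cannot trigger the save ...
        if (!$request->checkCSRF()) {
            return new JSONMessage(false, 'Invalid CSRF token');
        }
        // ... and confirm the role in this specific journal, not just in any journal.
        $context = $request->getContext();
        $user = $request->getUser();
        if (!$context || !$user || !$user->hasRole(self::ALLOWED_ROLES, $context->getId())) {
            return new JSONMessage(false, 'Insufficient role');
        }

        // Validate input server-side before persisting (constructed rule:
        // a NAAN is treated here as 5 to 9 decimal digits).
        $naan = trim((string) $request->getUserVar('naan'));
        if (!preg_match('/^\d{5,9}$/', $naan)) {
            return new JSONMessage(false, 'NAAN must be 5 to 9 digits');
        }

        // Persist through the plugin settings API, scoped to this journal.
        $plugin = PluginRegistry::getPlugin('pubIds', 'ArkPubIdPlugin'); // plugin name assumed
        $plugin->updateSetting($context->getId(), 'naan', $naan, 'string');
        return new JSONMessage(true);
    }
}
```

The explicit checks inside `saveArkSettings()` duplicate what the policies in `authorize()` already enforce; keeping both means a later refactor that wires the operation into a different handler or drops a policy does not silently reopen the endpoint. A reviewer checking a plugin for this class of bug can look for any `.php` file under the plugin directory that is reachable by URL and does not go through a handler's `authorize()`.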
This pull request adds the ARK PubId Plugin (v2.0.0.0) to the gallery, compatible with OJS 3.5.0.x.
Repository: https://github.com/lurymorais/ark-plugin