Open
Labels
feature-request (Request for new features or functionality), needs spike
Description
Since this extension handles package installs, it should also correctly communicate to the user about package installs and get user consent. The flow around package installs, user approval, when to allow background installs etc should be discussed and a plan outlined.
Security:
This is an important part of the user trust boundary as we should only have extensions install packages that have user consent. There could be different categories, trusted extensions that are allowed to install packages and untrusted extensions that need user consent to install.
Scenarios:
- extension wants to install a package, it is not a pre-approved extension to install packages
- extension wants to install a package, it is a pre-approved extension to install packages
- user wants to reduce notifications and select to have packages installed in the background for a given extension
- user wants to add, revoke, or edit which extensions can install / remove packages in a given workspace
- user wants to add, revoke, or edit which extensions can install / remove packages at a user or more global level
- user wants to accept installing a package without consenting to approve this extension going forward
Questions:
- How do we make sure users are in control of the package installs while not making the experience too noisy?
- Are there any extensions (like ones published by Microsoft) that do not need to be prompted for the user to accept, maybe only notified?
- Do we still notify users on package install even if the installer is a pre-approved extension? Do users want to be notified every time?
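
One possible way to model the scenarios above as a consent decision, written as an added sketch that is not part of the original issue or the extension's code. All type and function names, the precedence of workspace grants over user-level grants, and the choice to still notify for pre-approved extensions are assumptions.

```typescript
// Hypothetical model: none of these names come from the extension itself.
type Decision = "install-silently" | "install-and-notify" | "prompt" | "deny";
type Grant = "allow" | "allow-background" | "deny";
type PromptAnswer = "once" | "always-workspace" | "always-user" | "reject";

interface ConsentStore {
  preApproved: Set<string>;                   // extension ids trusted by default
  user: Map<string, Grant>;                   // user-level (global) grants
  workspace: Map<string, Map<string, Grant>>; // workspace id -> extension id -> grant
}

// Assumed precedence: workspace grant, then user grant, then pre-approval.
// An explicit deny overrides pre-approval; unknown extensions fall back to a prompt.
function decideInstall(store: ConsentStore, extensionId: string, workspaceId: string): Decision {
  const grant = store.workspace.get(workspaceId)?.get(extensionId) ?? store.user.get(extensionId);
  if (grant === "deny") return "deny";
  if (grant === "allow-background") return "install-silently";
  if (grant === "allow" || store.preApproved.has(extensionId)) return "install-and-notify";
  return "prompt";
}

// Records the user's answer to a prompt. "once" lets this install proceed
// without persisting any approval for the extension going forward.
function applyAnswer(store: ConsentStore, extensionId: string, workspaceId: string,
                     answer: PromptAnswer): boolean {
  if (answer === "always-user") store.user.set(extensionId, "allow");
  if (answer === "always-workspace") {
    const ws = store.workspace.get(workspaceId) ?? new Map<string, Grant>();
    ws.set(extensionId, "allow");
    store.workspace.set(workspaceId, ws);
  }
  return answer !== "reject"; // true: this one install may proceed
}

// Constructed sample state covering the scenarios listed in the issue.
function sampleStore(): ConsentStore {
  return {
    preApproved: new Set(["example.trusted"]),
    user: new Map<string, Grant>([["example.quiet", "allow-background"]]),
    workspace: new Map([["ws-a", new Map<string, Grant>([["example.trusted", "deny"]])]]),
  };
}
```
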