How do I know if a plug in is safe?

• Sep 9, 2020 - 15:54

I hear that a Daily Log plug in has been developed. I started to read up on plug ins and the page warns that a plug in could be unsafe and to only use plug ins from a trusted developer. I don't know who developed this plug in and I don't know how to tell if it is safe to use. What next?


Comments

Well, https://musescore.org/en/project/daily-log clearly starts that @jeetee is the author, a long time regular here onmusescore.com
You can open the qml file with any text editor or view it on GitHub and check what it is doing.

Up to now we've only ever found one single potentially dangerous plugin: it loads other plugin code from the internet, something that can't get checked before using it, not easily at least.
(I'm talking about https://musescore.org/en/project/musicalion-upload-manager-0, I've made changes to that pages so that the code can get viewed before loading and running it, up till now that code does seem harmless)

So yes, in theory plugins might be able to do bad thing, but no, in practice this hasn't happened yet, not in the past 10+ years

In reply to by Rockhoven

I can vouch for Mike and Jojo :-D

In the past I have wondered about having some kind of "validated/approved" label for plugins when they were reviewed by "trusted" team members. Then again, history has proven that the MuseScore community so far is a positive one where no one has supplied abusive plugins so far. And there are those like Jojo that do review them occasionally if users, such as yourself, have questions about them.

Next to me, the MuseScore software you're running can vouch for all three of us as well. It contains code by Jojo and myself and many bugfixes and some features for which mike was the triggering factor in discovering them.

Hey! I'm trying this plug in while reading the Plug Ins Handbook. I've decompressed the zip file, and I've extracted it to the Documents/Musescore3/Plug Ins folder, so now it's installed properly. Now I'm at the Plug In Manager, and it says in the handbook to enable the plug in by checking the appropriate tick box. But which tick box is appropriate?

Do I check all of the boxes or just the two that say "daily log?

Do you still have an unanswered question? Please log in first to post your question.