consider removing prompt when installing plugin
krew, kubectl's plugin manager, displays the following message instead of prompting to confirm installation of the plugin:
WARNING: You installed plugin "reverse-proxy" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
It would be nice to let people know they installed something we have not audited and skip the prompt step. I don't think there is ever going to be a time when I say no and I always forget to use the --yes flag.
I'd love to see either of the following:
- Map environment variable to value of the --yes flag so that you could set false if you are more cautious and want to be prompted.
- Make default behavior more like krew's warning rather than prompting to confirm installation
None of our plugins are technically "audited" even the ones that come from the registry. The original design of the plugin system follows the apt style package managers. I would still be in favor of styling and having the user acknowledge that they are installing an explicit action.
That being said I like the idea of having an environment variable similar to how we have SPIN_ALWAYS_BUILD that a user can set so that they can avoid the --yes flag.
I'm assuming krew doesn't automatically install plugins and then run them with just a warning? I think that's the main difference here.
Edit: Oh wait we install cloud without even a warning... :thinking:
Oh I guess if you're talking about --yes you mean the actual spin plugins install command. Yeah I think it would be fine to just display a warning there, or at least default to "yes".
Separately, we might want to be a wee bit more explicit about the information displayed when we suggest installing if you run spin kube without the plugin already installed. It's weird that the message on explicit spin plugins install kube:
You are trying to install the `kube` plugin with Apache-2.0 license from https://github.com/spinkube/spin-plugin-kube/releases/download/v0.1.0/spin-plugin-kube-0.1.0-linux-amd64.tar.gz
Are you sure you want to continue?
has more information than the prompt on spin kube:
Warning: `kube` is not a known Spin command, but there is a plugin with that name.
Would you like to install and run it now?
Also weird that the former defaults to "no" and the latter has no default.
TL;DR, I'd suggest:
- Change the spin plugins install prompt default to "yes" (if not removing it entirely). I feel like the current behavior might have been my suggestion but people can change their minds OK? :sweat_smile:
- Add more info (license and URL) to the "suggest installing this plugin" flow and have that default to "no"; accidentally installing from a suggestion like that would be no good.
Hi @michelleN, can I work on this?