Add one or more options in configuration file to disable plugin hooks

[henry40408]

Is your feature request related to a problem? Please describe

No.

Describe the proposed solution

I'd like to implement an option like disable_plugin_hooks or disable_plugin_{add,update,remove}_hook or both in .asdfrc:

disable_plugin_hooks = true

or

disable_plugin_add_hook = true
disable_plugin_update_hook = true
disable_plugin_remove_hook = true

...so I can review plugin before I asdf plugin add them

No breaking changes will be introduced.

Describe similar asdf features and why they are not sufficient

There is no method or option to disable plugin hooks as for v0.9.0

asdf plugin add

asdf/lib/commands/command-plugin-add.bash

Lines 45 to 51 in 9ee24a3

	if [ -f "${plugin_path}/bin/post-plugin-add" ]; then
	(
	export ASDF_PLUGIN_SOURCE_URL=$source_url
	export ASDF_PLUGIN_PATH=$plugin_path
	"${plugin_path}/bin/post-plugin-add"
	)
	fi

asdf plugin update

asdf/lib/commands/command-plugin-update.bash

Lines 50 to 57 in 9ee24a3

	if [ -f "${plugin_path}/bin/post-plugin-update" ]; then
	(
	export ASDF_PLUGIN_PATH=$plugin_path
	export ASDF_PLUGIN_PREV_REF=$prev_ref
	export ASDF_PLUGIN_POST_REF=$post_ref
	"${plugin_path}/bin/post-plugin-update"
	)
	fi

asdf plugin remove

asdf/lib/commands/command-plugin-remove.bash

Lines 13 to 18 in 9ee24a3

	if [ -f "${plugin_path}/bin/pre-plugin-remove" ]; then
	(
	export ASDF_PLUGIN_PATH=$plugin_path
	"${plugin_path}/bin/pre-plugin-remove"
	)
	fi

Describe other workarounds you've considered

Create a plugin to clone and checkout plugin repositories.

[weihanglo]

Second this feature. It is really useful!

[Stratus3D]

Why is disabling plugin hooks necessary? I'm not sure what you mean by "so I can review plugin before I asdf plugin add them". Plugins are just a set of shell script callbacks that can be reviewed prior to asdf plugin add.

[henry40408]

Hi @Stratus3D

What I actually want is version lock on plugins. Currently only repository URLs are recorded in https://github.com/asdf-vm/asdf-plugins , so generally when I asdf plugin add [plugin], asdf will clone the plugin repository on the recent commit of default branch. If maintainer's account got breached and malicious code might be injected into plugin hooks, sensitive data e.g. SSH keys on user's machine might be stolen.

I can review plugin hooks every time before I add the plugin, but I might get careless and miss the step at any moment. However, if we record commit SHA1 in https://github.com/asdf-vm/asdf-plugins , then we will have to update asdf-plugins when the downstream plugin updated, which is a lof of work. Freshness and stability are mutually exclusive.

So I maintain a clone of asdf-plugins myself, which is a set of submodules of plugin repositories. Every time I clone the repository, I can be absolutely sure that the plugin has already been reviewed by myself.

I will close this issue since what I want is different feature.

related issue: #166

[jthegedus]

Related #1204

Also note, you can "update" to a specific git ref to any sha: asdf plugin update <name> <git-ref>. So add then update, though not ideal, is doable. <git-ref> also accepts git tags, so tagged releases are usable. My personally maintained asdf plugins use GitHub releases, eg: asdf plugin update gcloud v1.1.0