RFC: Add-on verified #2762

Open
pvizeli opened this issue Mar 28, 2021 · 0 comments
pvizeli commented Mar 28, 2021

Context

Today, we have only the rating to see how carefully an add-on can affect the Host system (not the ecosystem itself).
However, we have no way to show bad actors or show users which add-on comes from a trusted source which is not part of the rating.

Decision

We create a new badge on the add-on front view and show a mdi:certificate in the corner, with a color based on the verified state. We have a new API attribute for add-ons, verified, which can hold 4 states: owner, none, malware, full. Full is for the internal preinstalled repository only.

We create a new file on our fetch URL: store_verification.json:

{
    "owner": [
        {
            "name": "XY",
            "repository": "http://xy"
        }
    ],
    "full": [
        {
            "name": "XY",
            "repository": "http://xy"
        }
    ],
    "malware": [
        {
            "name": "XY",
            "repository": "http://xy"
        }
    ]
}

The repository field works as a matcher and doesn't need the full URL to the repository.

We only add stores to the verified owner list, if they are:

  • Well-known community or other public project leaders
  • We have the full contact details of the person
  • These people sign a promise to not affect people's installations and to follow best practice

Malware stores get listed if there exists a risk that people destroy their installation or that data gets leaked.

This list is part of the codebase and can be updated over CF.

@pvizeli pvizeli added the rfc RFC label Mar 28, 2021
@home-assistant home-assistant locked as too heated and limited conversation to collaborators Mar 28, 2021
@pvizeli pvizeli changed the title RFC: Add-on certificate of Trust RFC: Add-on verified Mar 28, 2021
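
One way a client could resolve the verified state from store_verification.json, as an added example that is not part of the RFC or the project's code. It assumes each repository matcher is a host plus leading path segments compared on segment boundaries, and that malware takes precedence over full and owner; the function names and sample entries are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of store_verification.json from the RFC.
SAMPLE = """
{
  "owner":   [{"name": "Community Store", "repository": "github.com/example-owner/addons"}],
  "full":    [{"name": "Core", "repository": "github.com/example-core/addons"}],
  "malware": [{"name": "Bad Store", "repository": "github.com/example-bad/"}]
}
"""

# Assumption: a flagged store must never be displayed as trusted,
# so "malware" is checked before "full" and "owner".
PRECEDENCE = ("malware", "full", "owner")


def normalize(url: str) -> str:
    """Reduce a URL or matcher to lowercase host + path (no scheme, .git or trailing slash)."""
    url = url.strip().lower()
    parts = urlsplit(url if "//" in url else "//" + url)
    path = parts.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return (parts.hostname or "") + path


def verified_state(repo_url: str, verification: dict) -> str:
    """Return one of the RFC's four states: owner, none, malware, full."""
    repo = normalize(repo_url)
    for state in PRECEDENCE:
        for entry in verification.get(state, []):
            matcher = normalize(entry.get("repository", ""))
            # Match only on a path-segment boundary, so a matcher for
            # ".../example-owner/addons" does not also cover ".../addons-extra".
            if matcher and (repo == matcher or repo.startswith(matcher + "/")):
                return state
    return "none"


VERIFICATION = json.loads(SAMPLE)

if __name__ == "__main__":
    for url in ("https://github.com/example-owner/addons",
                "https://github.com/example-bad/anything",
                "https://github.com/example-owner/addons-extra"):
        print(url, "->", verified_state(url, VERIFICATION))
```

A plain substring matcher would report the third URL as owner; the segment-boundary comparison keeps it at none.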