Introduce a way to make sure that H5P libraries are "official"
I would like to discuss a feature that might improve the security of H5P and also the integrity of H5P platforms. And it might make sharing of content easier.
Currently, some people patch H5P libraries in order to tweak them to their needs. That's fine on their platform. However, those patched libraries also end up in exported files. In turn, they can end up on other platforms if people with sufficient permissions upload the exported files and the original library that was patched is not yet available on the target platform, or is only available in an earlier version. That's probably not something that people expect.
Similarly, deliberately manipulated H5P libraries could potentially find their way onto H5P platforms.
Therefore, I suggest at least computing some hash value for every official H5P library (over all of its files) and making it available publicly. The H5P editor core should check official H5P libraries against that checksum when they are about to be installed and ignore those libraries if the checksum doesn't match. Alternatively, it could issue a warning and require explicit confirmation. Or it could behave the same as today, depending on the user role or on some configuration. A similar approach could be chosen for any H5P library (version) that doesn't exist on the official H5P library server. I feel it's not thaaaat uncommon anymore that people install H5P libraries that are not available on the H5P Hub yet, but maybe some people might want to know that they are about to install a library that's not on the H5P Hub and want to confirm this at least. This could also depend on a setting or user role, of course.
One could make this more complex (with signatures), but as long as the H5P Hub is the "only true source" of libraries, the checksum approach should suffice.
Another positive aspect: If admins need to worry less about others installing H5P libraries, it's more likely they grant this capability to more people, thus reducing the likelihood that someone wants to upload content but can't because a library from the file being uploaded is not yet installed on the platform.
What do you, the H5P community, think about this?
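To make the checksum idea above concrete, here is an added example (not H5P core code and not part of the original post) that hashes a library directory in a canonical order, looks the library up in a published manifest by its `library.json` machine name and version, and returns a verdict the installer can map to reject / warn / allow. The library contents, the manifest format and the `H5P.Example` / `H5P.Custom` names are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def library_digest(lib_dir):
    """SHA-256 over every file of a library. Paths are relative and sorted, and
    name and content are length-prefixed, so the value does not depend on the
    install path or on directory listing order."""
    root = Path(lib_dir)
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def library_key(lib_dir):
    """Identify the library the way H5P does: machineName plus full version."""
    meta = json.loads((Path(lib_dir) / "library.json").read_text())
    return "{machineName} {majorVersion}.{minorVersion}.{patchVersion}".format(**meta)

def check_library(lib_dir, manifest):
    """Return "ok", "mismatch" (official library whose files were altered) or
    "unknown" (no official entry); the installer decides what each means."""
    expected = manifest.get(library_key(lib_dir))
    if expected is None:
        return "unknown"
    return "ok" if hmac.compare_digest(expected, library_digest(lib_dir)) else "mismatch"

def write_library(parent, name, version, js):
    """Build a constructed library directory (a stand-in, not a real H5P library)."""
    lib = Path(parent) / f"{name}-{version[0]}.{version[1]}"
    lib.mkdir(parents=True)
    meta = {"title": name, "machineName": name, "majorVersion": version[0],
            "minorVersion": version[1], "patchVersion": version[2],
            "runnable": 1, "preloadedJs": [{"path": "main.js"}]}
    (lib / "library.json").write_text(json.dumps(meta))
    (lib / "main.js").write_text(js)
    return lib

def demo():
    """Verdicts for an identical copy, a locally patched copy and an unpublished library."""
    js = "H5P.Example = function () {};\n"
    with tempfile.TemporaryDirectory() as tmp:
        hub = write_library(f"{tmp}/hub", "H5P.Example", (1, 0, 3), js)
        manifest = {library_key(hub): library_digest(hub)}  # what the Hub would publish
        same = write_library(f"{tmp}/u1", "H5P.Example", (1, 0, 3), js)
        patched = write_library(f"{tmp}/u2", "H5P.Example", (1, 0, 3), js + "// local tweak\n")
        custom = write_library(f"{tmp}/u3", "H5P.Custom", (0, 1, 0), "H5P.Custom = function () {};\n")
        return [check_library(d, manifest) for d in (same, patched, custom)]
```

Calling `demo()` returns `['ok', 'mismatch', 'unknown']`; a real manifest would be fetched from the Hub and cached, and the mapping from verdict to install / warn / reject is where the role- or configuration-based behaviour described above would live.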