FME Hub items and security

That's an excellent question that I've also asked myself (and Mark Ireland some time ago). I suspect that unless it's been published by Safe Software, you're sort of on your own.

Look no further than this "transformer" that uses the SystemCaller to rickroll you. Harmless, sure, but it very clearly demonstrates the issue:

https://hub.safe.com/publishers/virtualcitymatt/transformers/3dclipper-notproductionready

I was going to point out that I always check who made it and that people who work for (or used to work for) Safe, or a partner, or are well-known members of the community, are probably okay to trust.

But apparently I need to remove @virtualcitymatt​ from that list 😂

Haha, yes this transformer was indeed my subtle attempt to make people a bit more aware they need to be careful

Also be aware that accounts could be hacked. So there could be a trustworthy person that someday will post a custom transformer or example workbench that does not do what you expect.

There will be a day that there is a question asked on the forum "could you help me with my workbench". And somewhere in the workbench there is a transformer named AttributeRenamer_22 that is in fact a SystemCaller or PythonCaller.

It could help if FME could be set to show the real transformer name and not a custom name.

Another solution would be that there is a warning when a workbench or custom transformer contains transformers that are potentially harmful. Like PythonCallers, SystemCallers, HTTPCallers.

I don't expect Testers, Clippers and AttributeRenamers to have the potential to do real harm.

This is what I did too - all just SystemCallers

To me, having to download a workbench to help somebody here is already something that will make me think twice before replying. I'm much more likely to help out if there's screenshots attached.

With regards to transformer names, you're absolutely right! One of the reasons I'm very much against renaming transformers (ask anybody who has ever received training from me). Scrolling through the navigator could be a way the user checks the real transformer types.

I can also see a "Workspace checker workspace", a workspace that checks another one and reports on potentially harmful transformers, like the ones you mention.

I think an idea or an improvement to the Hub/Workbench would be to indeed show a warning that this workspace/transformer/format contains potentially harmful content.

Another option could be like with excel and macros, as in the user needs to first acknowledge and enable these potentially harmful tools. The code which was used to develop the Change Detection tool could be leveraged to explore/highlight these potentially harmful areas.

Lots of good points here. I'm also very much against renaming transformers, there's almost nothing worse than to open somebody else's complex workspace only to find weird acronyms and descriptions rather than the transformer name.

Regarding a workspace to audit 3rd party workspaces: I've already made such a thing for a client, it's not very difficult using the FMW reader. Although you do have to fiddle a bit to get to the startup and shutdown scripts, as the FMW reader does not currently support them.

Hey all, I'm happy to say we're currently looking at implementing a warning when users install content from the Hub, whether that be packages or custom transformers. We're planning to release this as part of FME Desktop 2023.0. I'll update everyone here when this has been added to a new version of FME and would be interested in your feedback once it has been released!

For your reference, the internal ticket number is FMEDESKTOP-13650.

Great news, yes I seem to remember something like this being mentioned at the UC

Just curious: do you mind if we cover this custom transformer in a webinar? My original question was sparked by a question on our own forum and I think the following discussion we've had over here has some very good points.

Yes! please do!