General security question about community provided edge drivers

That is admirable. But there are plenty of apps on app stores that are free, but they are still verified. SmartThings needs to implement a driver store where both free and fee based drivers are available, and all of them are vetted.

Hopefully they could fund this by a commission on paid drivers, but I am guessing they are too lazy to do this. IMHO “Lazy” has been a key factor in SmartThings since day one.

2 Likes

Lol

Sorry, I didn't mean ‘you want’, I meant ‘a developer wants’

1 Like

Who knows? But that doesn’t mean that an option to avoid installing uncertified/unapproved drivers is not useful.

1 Like

Hi!

There’s no news about this. The Edge platform keeps evolving and the team is aware of your feedback about this.
We understand your concern about installing external drivers, so this info is for your reference:

  1. The popular drivers we’ve seen published have been by well-known community members like @Mariano_Colmenarejo, @TAustin, @ygerlovin, @philh30 (Forgive me if I’m missing someone). We constantly interact with them and know their main purpose is helping others with drivers that also helped them create automation for their homes. We highly appreciate their work and cooperation with the team when investigating issues.
  2. Currently, drivers cannot access outside the LAN network to avoid unauthorized calls to malicious URLs, especially because it would be transparent to you.
  3. Drivers can only interact with devices connected to them, which means, they cannot control other devices you’ve installed with other drivers/integration types. Doing this would require:
    • Access to the public Internet
    • Access to a token to make requests which can only be created by you (PAT) or Authorized by you (OAuth)
  4. Currently, in the channel invitation, you can see the permissions provided to the driver. For example, this driver has the permission for Zigbee actions, remember this will be only to the devices it controls:
    [image]
  5. As developers, once we’ve packaged a driver, we cannot change its permissions, we get the following error:
Error: Request failed with status code 400: {"requested":"...","error":{"code":"BadRequestError","message":"Permissions have been modified","details":[]}}

We need to delete the package completely to be able to change them.

  6. Thanks to the logcat command in the ST CLI, you can see the incoming/sent messages between the Hub and device so you could notice if there’s strange behavior.
  7. Developers can provide a Terms of service page related to their driver:
    [image]

Driver’s certification requires a fee and the intellectual property is verified. This means the device manufacturer (or an official representative) is the best candidate to develop and certify the integration.
If you’d like a device to be part of an official integration, you can contact their Customer Support area to request it; it will be up to them to decide if they want to pursue a partnership with SmartThings.
You can see more details about the certification policies here.

Note: Please, remember to install third-party drivers carefully. Looking at the comments on the “release” posts of their users is always helpful.

5 Likes

You need to publish an online store for these, for devs to make available both free and fee based drivers (just like Apple and Android app stores). All drivers need to be vetted/certified by you… and you can recover expenses by charging a commission on fee based drivers.

Just do it.

A store is not going to happen, nor should it. It’s way too much work and responsibility on Samsung’s part for maybe a few hundred drivers at best. They already have a certification process. If you only want to use certified drivers, only buy WWST certified devices. Or build your own drivers. They don’t need anything else.

If I was Samsung management and the ST team came to me and said, “for 3rd party developers to create their own Edge drivers, next we need to build out a whole store architecture, create a new certification process, do payment processing and support, and create new workflows for the whole process.” All for a few hundred drivers (sub 500 at best)? If I were in their shoes I would just kill off 3rd party development/integration. Why bother with it? Zero upside.

2 Likes

One more thing to add to your list: when you create a channel, you have to provide a terms of service URL. Doesn’t that also get displayed to the user when they enroll their hub?

Control4 is a much bigger ecosystem and install base (at least in HA scale) than ST. There are several 3rd party companies that make drivers and either they sell/support themselves directly or they go thru a driver provider like https://drivercentral.io that provides sales/billing and customer support for a fee. Control4 doesn’t touch any of it. You buy a driver and then work with a licensed Control4 integrator to install and support it.

You have certainly listed some of the most prolific edge driver creators in the community, but there are at least a dozen more authors who have published edge drivers and shared them here. :sunglasses:

In no particular order:

@lmullineux
@fison67
@Daniele_Ratti
@csstup
@veonua
@iquix
@krlaframboise
@hongtat
@k.v.riel
@rxwen
Blue yeti software
roadDOG
erickv
johnconstantelo
schwark
Konnichy
BarryA

Those are just the ones I can think of off the top of my head, there are probably more. :thinking:

In some cases, it’s just a one-off for a device that they themselves had and decided to share it with the community. In other cases, the author has developed several very sophisticated edge drivers.

I can only post 10 usernames in one post, so I just dropped the at sign for the others

5 Likes

I hate to add fuel to the fire, as there already seems to be a lot of consternation around this: but source code on GitHub has no direct relationship with the actual driver published through a channel. So that’s a false sense of security…

9 Likes

Oh, that’s right, it is included in the main page of the Channel invitation (where you accept and enroll your Hub):
[image]

1 Like

If you’re concerned about only running either WWST certified drivers or community drivers where you have access to the source (à la Groovy IDE style), that’s easy enough to solve:

  1. Only install drivers from Samsung’s WWST certified channel
  2. Create your own channel that you control. Associate your hubs only with this channel.
  3. Now, only install community drivers where you can:
    a. Clone the GitHub repo of the community drivers you wish to use. Inspect that code. Decide if it’s right for you. Maybe it contains custom capabilities that you wish to clone and use instead.
    b. Package and publish any and all of the drivers to your own channel with one command in the CLI.
    c. Now you know what code is running and control the update frequency on your own hubs just as you did in the Groovy IDE.
    d. Sure, you have to keep up with any updates of the drivers, but you had to do that with the Groovy IDE before too.

Samsung has provided all the tools necessary to use your own SmartThings Edge ecosystem the way you want to.

5 Likes
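The private-channel procedure in the post above, written out as a script. This is an added example, not the post author’s, SmartThings’, or any driver author’s code. It assumes the SmartThings CLI is installed and logged in as `smartthings`, that the `edge:*` command names and flags are as I know them (confirm with `smartthings edge --help`), that a driver package root contains a `config.yml` with a `permissions:` block, and that `CHANNEL_ID`, `HUB_ID` and `HUB_IP` are placeholders you fill in from your own account:

```shell
#!/bin/sh
# Added example: run community Edge drivers only through a channel you control,
# so the code reaching your hub is code you cloned, read and packaged yourself.
# Assumptions (not from the original thread): `smartthings` CLI installed and
# logged in; edge:* command names/flags as I know them; driver root has config.yml.
set -eu

CHANNEL_ID=${CHANNEL_ID:-"00000000-0000-0000-0000-000000000000"}  # placeholder
HUB_ID=${HUB_ID:-"00000000-0000-0000-0000-000000000000"}          # placeholder
HUB_IP=${HUB_IP:-"192.0.2.10"}                                    # placeholder

# True when $1 has the UUID shape the CLI uses for channel, hub and driver ids.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Print the `permissions:` block of a driver's config.yml so you see exactly
# what the driver asks for (zigbee, zwave, lan, ...) before you package it;
# permissions are fixed once packaged. Returns 1 if $1 is not a driver root.
show_permissions() {
  dir=$1
  [ -f "$dir/config.yml" ] || { echo "no config.yml in $dir" >&2; return 1; }
  awk '
    /^permissions:/ { inblock = 1; print; next }
    inblock && /^[^ ]/ { inblock = 0 }      # next top-level key ends the block
    inblock { print }
  ' "$dir/config.yml"
}

# Step 2: one-time setup. `channels:create` prompts for name, description and
# the terms-of-service URL; then enroll your hub in that channel only.
create_private_channel() {
  smartthings edge:channels:create
  smartthings edge:channels:enroll "$CHANNEL_ID" --hub "$HUB_ID"
}

# Step 3: per driver. Review the requested permissions, then package the
# inspected source, assign it to your channel and install it on your hub.
publish_reviewed_driver() {
  dir=$1
  if ! is_uuid "$CHANNEL_ID" || ! is_uuid "$HUB_ID"; then
    echo "set CHANNEL_ID and HUB_ID to your own ids first" >&2
    return 1
  fi
  show_permissions "$dir"
  smartthings edge:drivers:package "$dir" --channel "$CHANNEL_ID" --hub "$HUB_ID"
}

# Afterwards: watch hub<->device traffic for the installed driver, as the
# staff post suggests (logcat prompts for the driver to follow).
tail_driver_logs() {
  smartthings edge:drivers:logcat --hub-address "$HUB_IP"
}

# Usage: sh this_script.sh /path/to/cloned/driver
if [ -n "${1:-}" ] && command -v smartthings >/dev/null 2>&1; then
  publish_reviewed_driver "$1"
fi
```

Updates work the same way: pull the repository, re-read the diff, and run `publish_reviewed_driver` again; nothing reaches the hub until you package it.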

One needs to deliberately enroll into a driver sharing channel to obtain non-certified drivers. Driver sharing is opt-in by default.

5 Likes

lol

But you can install the driver from github…sort of like the copy and paste of the groovy world

For the developers who provide drivers but do not post the code. Can I ask why you do not post the code?

Not a trick question

It is a kind of volunteering: I have created a working driver for myself and don’t want to keep it all to myself (like baking cookies and bringing them to a party).
So I share the driver with the community; maybe someone will find it helpful and bring some ideas
(bring hot tea to the party).

If you force me to do these hoops and processes, I will either charge you my usual consulting fee or just move to another platform.

4 Likes

Not doing something is a default mode. It’s like asking “Why don’t you work extra?”
There must be a reason to do things.

But I’ll try to explain. I don’t post all the code I have:

  • because I forgot or don’t think ahead that this can be useful
  • the code doesn’t fit my GitHub profile, I don’t want to explain to HR why most of my GitHub commits are not related to my position
  • there is no access to GitHub from places I work, or I don’t want to switch environments.

6 Likes

Ok… so there will never be another channel for certified drivers other than the dedicated WWST channel?

Anyone else apart from @veonua want to comment? I’d really love to know. Is it because:

  1. You are going to monetize your work?
  2. You might monetize your work?
  3. It’s extra work that is not likely to benefit you?

Does anybody here know what it costs to certify a driver for WWST? Short of having to send two pieces of the hardware the driver is for, I’ve not seen anything other than “an estimate for the testing/certification will be sent to you”.

While I do feel monetized drivers should be certified, the expense may be way over the top.