/addon-datastore

Where add-ons are submitted to the NVDA Add-on Store

OtherNOASSERTION

Add-on Store

The addon-datastore repository is a data pipeline of submitting, validating and transforming add-on data to views. These views are hosted on the NV Access server and are available in the NVDA Add-on Store.

Please note: the NVDA project including the Add-on Store has a Citizen and Contributor Code of Conduct. NV Access expects that all contributors and other community members will read and abide by the rules set out in this document while participating in the project or contributing add-ons.

Guide for submitters

Add-on authors who wish to have their add-on distributed through the Add-on Store should refer to the submission guide.

Design overview

For an overview of the whole Add-on Store, read the design overview.

About security

Add-ons are run at user's own risk, add-ons in the add-on store do not undergo human security audits. The add-on store includes the following security measures:

  • Add-on file integrity can be enforced via a SHA256 checksum.
    • The checksum allows NVDA to ensure that add-on releases are immutable.
  • Code scanning with CodeQL can detect vulnerabilities in Python code included in submitted add-ons.
  • Virus Total is used to scan submitted add-ons. If malicious content is detected, the add-on will not be automatically included in the store. Please contact the flagged security vendors to get them to review and unflag the false positive. Please email info@nvaccess.org if you need assistance with this process.

Human review process / code audit

  • NV Access doesn't require a manual review of the add-on (code or user experience) itself before the add-on submission.
  • NV Access manually maintains a list of approved submitters with permission to submit an add-on to the store. The process NV Access follows is described here.
  • You are welcome to review code / UX of add-ons and provide that feedback directly to add-on authors.
  • The SHA256 checksum of the .nvda-addon prevents undetected changes.
  • Add-ons should comply with the NVDA code of conduct. Add-ons which are malicious or otherwise break the code of conduct can be removed by:
    • Opening a pull request to remove the submitted add-on metadata
    • Sending an email to info@nvaccess.org

Non-exclusivity

This system does not restrict add-on authors from developing, publishing, and distributing an add-on outside this store. NVDA will still allow local installation from a *.nvda-addon file. The data hosted here is distributed under the ODC-PDDL license. A plain language summary can be found here.

Status badges

  • Status for latest submitted add-on: view submissions
  • Status for validating all submitted add-ons: view validation attempts