• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Add a field to resources to clearly indicate if there are callbacks to the developers server or not.

Alfa1

Well-known member
#1
This is a suggestion for the xenforo.com resources section.
Please add a custom field where developers need to select if their addon adds callbacks to their server or not.

The resource guidelines state that callbacks to an external server must be clearly declared in your resource description. However, what is 'clearly to the developer is often not clear to the customer. A developer may explicitly state that the addon does not use specific types of callbacks, but does something technical. While the customer understands this as no callbacks, it actually means the opposite.

If developers simply need to tick a radio button for the use of callbacks then its clear without a doubt and there should be no misunderstandings about this.

I think this is important as the community has seen several problems with a banned developer as well as addons which made communities stop working because the callback server went away. For many admins callbacks to the developers site are a no go area. Its important to have this information clearly visible.

Additionally it would be nice to have a search filter for this field so that we can filter out addons that have callbacks to the developers server.
 

Arty

Well-known member
#3
Developers that used those callbacks have been banned on this website and their name is censored. Their resources aren't listed. What else is there to do?
 

ozzy47

Well-known member
#7
There is a few developers that have callbacks to their servers to check licensing, copyright, etc. This typically happens during an upgrade or install, but some also check at regular intervals, which has caused some sites problems due to the frequency of the callback.
 

HWS

Well-known member
#9
"Don't worry about your valuables because there are no thieves on Earth. They are all in jail."
Developers with callbacks in their products should really not be compared with thieves! The problem with the one banned here was that he backloaded unknown code from his server with the callback. This is different from the callbacks used by several developers here to check licenses.

But I agree with @Alfa1, there should be a better marking of products using callbacks. We also are surprised by callbacks sometimes when we check a new add-on we bought. And we read every product description very carefully before purchase! Usually we disable such callbacks before installation (or after the first license check).

For a simple license check a passive XML or JSON check is the best way to do it.
 

Alfa1

Well-known member
#10
I can't agree more with @HWS The rationale for adding callbacks is normally very legitimate: a license check to confirm you have the right to use the software.

The problem with it is, that its hard to confirm what data is being sent and even legitimate callbacks can still pose a danger to your site if the developers server goes down or if it is badly implemented. For this reason a lot of admins will not install addons with callbacks.

Developers of course financially benefit from selling as many addons as possible. Clearly stating there is a callback function in the addon will dampen their sales. So there is a financial incentive not to do so. If this is a motivation for developers not to clearly declare callbacks is unknown. Some may just forget or word it in a way that not everyone understands.

Which is why it needs to be very clearly visible. A custom field would make this happen.
There should not be any unclarity about the existence of callbacks in software.
 

SneakyDave

Well-known member
#12
Didn't even realize "unclarity" was a word.

Isn't it already a xenforo rule that callbacks need to be documented in the resource manager addon page?

A custom field would be a yes or no. Describing the callback, and what it's used for is more important to me
 

Snog

Well-known member
#13
Developers of course financially benefit from selling as many addons as possible. Clearly stating there is a callback function in the addon will dampen their sales. So there is a financial incentive not to do so.
And they risk their add-on being removed here, which is more of a hit if they don't mention it. So, I'd suggest reporting add-ons that have callbacks that aren't in the add-on description.
 

Mike

XenForo developer
Staff member
#14
It is a rule that they have to be disclosed and indeed, if it's reported that there is one and it hasn't been disclosed, we would investigate. We did recently tweak the wording of this rule to try to make it clearer (https://xenforo.com/community/help/resource-guidelines/ - it's points 4 and 5 of the add-ons section).

My opinion is that a yes or no isn't that helpful on its own and an explanation of what, when and why is the important part.
Because of things that happened in the past, callbacks have been vilified as a whole. While it's certainly your prerogative to reject any add-on that has any callback, I think doing a check for license verification (such as to report the URL or potentially do some unique key check) isn't an unreasonable thing provided it is done in a safe way (not blocking primary execution, resilient against failures, etc). I feel that adding a custom field with a basic yes/no value would likely continue that vilification. Additionally, though a small point, the addition of the field may give a false impression about existing resources which don't get updated to have a value for the field. While they wouldn't say no explicitly, the absence of a yes would likely convey a similar meaning.

As a final point, I'm not sure the particular issue that led to this thread would be solved by a custom field. Based on that, I don't think the author considered their license check to be a callback due to a misunderstanding. I think it's very possible they still would have answered no. (This is something we will be contacting them about to clarify.)