• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Resource Guidelines

Joe Link

Well-known member
#63
Where can I submit a request that resources list external activity yes/no on at the top of the resource page, under "Visible Branding"?

Someone goes off the deep end and we lose years of work, data, or both? It's just not possible to reliably vet and track each add-on developer.

Many of us don't feel comfortable with external calls, period.
 

Mouth

Well-known member
#65
we have published a set of guidelines that all resources listed on XenForo.com must adhere to
Suggestion for the addition of a #6, something like;
"If information (such as regarding the server or user) is disclosed to an external server in the process of installation, use, or uninstallation of your add-on, the information that is being disclosed must only be related to that add-on (or add-ons by the same author), and no other add-ons or sever/user information"
 

Snog

Well-known member
#66
Where can I submit a request that resources list external activity yes/no on at the top of the resource page, under "Visible Branding"?

Someone goes off the deep end and we lose years of work, data, or both? It's just not possible to reliably vet and track each add-on developer.

Many of us don't feel comfortable with external calls, period.
While I understand the concern, I don't understand the logic.

External calls would not necessarily be the cause of losing work/data. Any code, written by any author can be the cause. But for an author to do that would mean a complete loss of credibility and an instant death in the add-on world.

Could I or any other author write malicious code? Yes.

Would I? No.
 

Joe Link

Well-known member
#67
Just out of curiosity, what sort of scenario could you see where *anything* an addon developer does/doesn't do causes you to lose years of work and data?
While I understand the concern, I don't understand the logic.

External calls would not necessarily be the cause of losing work/data. Any code, written by any author can be the cause. But for an author to do that would mean a complete loss of credibility and an instant death in the add-on world.

Could I or any other author write malicious code? Yes.

Would I? No.
I understand and accept the risk of a dev making a mistake, which I try to mitigate by being selective, testing, and reading comments by others. I was referring to something intentional/malicious.

I may be mistaken, and please let me know if I am. It seems add-ons which include server call(s) could allow them to do something impulsively, effecting past installs. I don't think any add-on is worth the possibility of someone having or gaining access to our systems, possibly without our knowledge.

Full disclosure, I have an issue with Google, Facebook, and others having this sort of access as well, though it's more on privacy grounds. Maybe I'm just odd :)
 

digitalpoint

Well-known member
#68
I may be mistaken, and please let me know if I am. It seems add-ons which include server call(s) could allow them to do something impulsively, effecting past installs. I don't think any add-on is worth the possibility of someone having or gaining access to our systems, possibly without our knowledge.
A callback to read something is different than downloading code to execute (which I think is what you are worried about, and also not allowed ever).

https://xenforo.com/community/help/resource-guidelines/
Executable code (such as PHP or SQL) cannot be downloaded by your add-on unless explicitly requested by the user, as a core function of your add-on. For the avoidance of doubt, your installation or uninstallation routines must not download code to execute.
 

digitalpoint

Well-known member
#70
Well totally different topic, but the only way an addon should be able to root the server is if your web server/PHP-FPM runs as root... At which point you have some serious security issues you should address. :)

But yeah, if addon is doing something malicious like stealing your data, I'd uninstall it regardless what the developer is doing. Hah
 

Adam K M

Active member
#72
Just a quick question -
At what point does it become better to create a new resource (listing) instead of updating an old resource listing. When your rewrite makes the new resource's options incompatible with the options of the old resource?
 

Mike

XenForo developer
Staff member
#74
This should have been clear, but to make it explicit, we have added a new line to the resource guidelines:
If your resource displays a visible copyright or branding message by default, this must be disclosed in the resource listing. There is a dedicated field to specify this.
Resource authors should audit their listings to ensure they meet this.
 

Mouth

Well-known member
#76
This should have been clear, but to make it explicit
I believe this treatment is needed for item #3 too - "Any price listed for your resource must accurately reflect the price paid without taking any other steps (such as enrolling in a subscription service)."
Several add-ons are coming through that are free/unpaid to download/install, but are useless without a monthly subscription service.
 

Chris D

XenForo developer
Staff member
#77
Mike's post is indicating that a new guideline was added, that didn't exist before.

Any resources which do not adhere to the guidelines should be reported in the usual fashion.
 

Mike

XenForo developer
Staff member
#78
Template Modifications category does not have the Visible Branding selection.
We'll consider changing that, though I would suggest that the purpose of that category essentially means that branding isn't something we would suggest should be done with what's in it. The purpose is either tutorials for changing a template or an add-on that is using template modifications (and nothing or very little else) to achieve their goal. If you're powering this with a reasonable amount of PHP code or extended custom UI stuff (options), it's probably not the right category.
 

Mike

XenForo developer
Staff member
#79
I believe this treatment is needed for item #3 too - "Any price listed for your resource must accurately reflect the price paid without taking any other steps (such as enrolling in a subscription service)."
Several add-ons are coming through that are free/unpaid to download/install, but are useless without a monthly subscription service.
Worth pointing out that the line you quote was related to a situation that was happening at the time (and still does happen): resources were being listed as free, but they could not be accessed (downloaded) without purchasing a subscription which allowed access to a collection of things. When the resource itself is free but requires payment to a third-party, it's a grey area and something that might need to be considered on a case-by-case basis.
 

HWS

Well-known member
#80
How do you deal with taxes to be added depending on the location of the buyer?

Should the price of the resource be named with the highest possible tax or without any tax at all?