Review resources before approving them (XF Community)

Status
Not open for further replies.
Ever heard of a checksum? It's also the trust between customer and developer. Do you think people would trust someone that says it's checked by XF, see this checksum and file, and it did not add up?
Ever hear of per-customer downloads such as automatic stripping of branding if the customer has paid for Branding Free?

Checksums do not work when it comes to validating downloads from external sites unless they are 100% identical for all customers, which is not the case. That's not even mentioning developers who may want to add license keys to the files (not a license check, just the key in a comment somewhere) for anti-piracy purposes. Those are two completely legitimate (non-malicious) and (probably) common reasons why you can't simply submit a download for a checksum, and I've not had any form of breakfast or caffeine yet this morning. Anyone more alert than me could come up with several other reasons.

That's ignoring the fact that you are requiring customers to know what a checksum is and how to verify it themselves, which in and of itself is a problem that you aren't able to solve.

Honestly, certification is the only real solution I see here.
I would support the notion of a certification process, so long as it doesn't ban developers who fail to certify from posting their resources here. A certification process can be very intimidating, especially for new coders who have confidence issues.

You show me a single person who does not have a friend who says "I'm not very good, but..." and then proceeds to produce amazing art, amazing music, amazing code... If not amazing content, then certainly very competent content. You show me a person who claims they are without a friend like that, and I will call that person a liar :p

Stopping someone from posting because they aren't certified would kill the XF modding scene faster than you can say "vBulletin 5 Connect". Actually never mind that, go ahead and ban people who aren't certified. The uproar this would cause would mean our competition would be leaving, meaning DBTech would eat the entire market share MWAHAHAHAHAAAAAaaaaa...

No but seriously, don't do that.

Give certified developers a badge like staff has a badge here at the moment, and highlight resources by certified developers with a colour like inline moderation, but blue.


Fillip
 
Ever hear of per-customer downloads such as automatic stripping of branding if the customer has paid for Branding Free?

Checksums do not work when it comes to validating downloads from external sites unless they are 100% identical for all customers, which is not the case. That's not even mentioning developers who may want to add license keys to the files (not a license check, just the key in a comment somewhere) for anti-piracy purposes. Those are two completely legitimate (non-malicious) and (probably) common reasons why you can't simply submit a download for a checksum, and I've not had any form of breakfast or caffeine yet this morning. Anyone more alert than me could come up with several other reasons.

That's ignoring the fact that you are requiring customers to know what a checksum is and how to verify it themselves, which in and of itself is a problem that you aren't able to solve.

......

Give certified developers a badge like staff has a badge here at the moment, and highlight resources by certified developers with a colour like inline moderation, but blue.


Fillip

If developers have branded and branding free files they submit both of them; that's easy to solve if you only have those options. Now for if you have more options that can't be solved by a standard download, like you say, because there are elements in it that are generated on the fly. Even that can be solved, but it would require an API so you can generate a checksum on the fly; after that people should be able to do a check on the XF site. So even files generated on the fly should not be a problem. Also note that you can upload the file before you do custom stuff to it, so as developer you know that there were no issues to start with.

A badge, and how would you get that, and in what timeframe do you need to get a new one? Someone that gets the badge now can become crap the next day.
 
If developers have branded and branding free files they submit both of them; that's easy to solve if you only have those options. Now for if you have more options that can't be solved by a standard download, like you say, because there are elements in it that are generated on the fly. Even that can be solved, but it would require an API so you can generate a checksum on the fly; after that people should be able to do a check on the XF site. So even files generated on the fly should not be a problem. Also note that you can upload the file before you do custom stuff to it, so as developer you know that there were no issues to start with.
I'm not sure if you legitimately do not understand why this doesn't work, or if you're trolling.

The purpose of a checksum is to allow someone to verify that they have gotten a complete, uncorrupted and unmodified download, yes?

A checksum only works if you trust both the person providing the checksum, and you are able to verify the checksum yourself, yes?

In other words, if you go to ShadySite because they offer you Windows for free, and they say "here's the checksum for the download so you know it's legit!", that is 100% useless. You should not trust the administrators of ShadySite. You would download the file, generate your own checksum, then go to Microsoft and verify the checksum you have is the same as the checksum they provide for their download.

(Please note that I do not advocate piracy, illegal downloads of Windows is the only time I've ever seen the wider Internet talk about checksums so I used it for illustration purposes)

I hope you're with me thus far. Let me know if I've lost you, and I'll try to elaborate.

Right, so now we've established that a checksum needs to be provided by a trusted party in order for said checksum to be worth a damn.

If I give Chris D a copy of one of our products and he produces a checksum, that checksum would then be the standard to compare all downloaded files against, right?

Chris D would, in my previous example, be Microsoft. Why? Because he is the trusted party.

I would be the administrator of ShadySite. Why? Because I'm the untrusted party, I'm the party that needs to prove that I am providing all my customers with a legitimate download.

In other words, if I have provided a product to XF for them to generate a checksum, any checksums that I generate should not be trusted.

You are saying that if my product download area generates downloads on the fly, to provide features like automatic Branding Free, I should generate a new checksum.

WEE WOO WEE WOO! DANGER! DANGER! ALARM! ALARM! UNTRUSTED CHECKSUM FOUND!

If I can generate a new checksum on the fly and provide this to the user, what's to stop me from including malicious code and making this code part of the checksum?

If I add a virus to the download, and it changes the checksum from "15" (what Chris D got) to "24" (what I get with the virus included), and I tell users "if this is a legit product the checksum will be 24", the users might think this is a legitimate product.

(Please note checksums are obviously not two numbers, this is for illustration purposes.)

In other words, the only way what you are saying will work is if I give Chris D a copy of every customer's download for him to verify before the customer is allowed to download it.

I hope you can understand how utterly ridiculous this is.

Checksums only work if you trust the party providing the checksum. If you trust me to provide a valid checksum, you implicitly also trust me to provide a valid product.

A badge, and how would you get that, and in what timeframe do you need to get a new one? Someone that gets the badge now can become crap the next day.
People do not magically lose their ability to code, and the badge could be revoked if the person was found providing malicious code, or code that would not meet certification.


Fillip
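To make the trust argument in the post above concrete, here is an added example (my own, not code from the post's author, from DBTech, or from XenForo). The file contents, the release name and the customer id are constructed stand-ins. It walks through the cases the post describes: an unmodified build matching the trusted party's checksum, a benign per-customer build that a single reference checksum cannot cover, and a tampered build that "verifies" against the distributor's own checksum but is caught when compared against the trusted party's registry.

```python
import hashlib
import hmac

# Constructed stand-ins for add-on downloads (not real XenForo or DBTech files).
ORIGINAL_BUILD = b"<?php\n// Example Add-on 1.0.0\necho 'hello';\n"
# Legitimate per-customer variant: identical code plus a license key in a comment.
PER_CUSTOMER_BUILD = (
    b"<?php\n// Example Add-on 1.0.0\n// license: CUST-0001 (constructed)\necho 'hello';\n"
)
# Tampered variant: something appended after the trusted party reviewed the build.
TAMPERED_BUILD = ORIGINAL_BUILD + b"// extra code the reviewer never saw\n"

RELEASE_NAME = "example-addon-1.0.0-branded.zip"  # hypothetical file name


def sha256_hex(data: bytes) -> str:
    """Checksum in the sense the thread uses it: a hash over the whole file."""
    return hashlib.sha256(data).hexdigest()


# The registry the trusted party (Chris D in the thread) would keep: one
# checksum per build that was actually handed over and reviewed.
TRUSTED_CHECKSUMS = {RELEASE_NAME: sha256_hex(ORIGINAL_BUILD)}


def verify_against_trusted(name: str, data: bytes) -> str:
    """Compare a download against the trusted party's registry."""
    expected = TRUSTED_CHECKSUMS.get(name)
    if expected is None:
        return "unknown"        # nothing on file: the customer learns nothing
    if hmac.compare_digest(expected, sha256_hex(data)):
        return "ok"
    return "mismatch"           # file differs from what was reviewed


def verify_against_distributor(data: bytes, distributor_checksum: str) -> bool:
    """What the 'ShadySite' scheme amounts to: checking a file against a
    checksum supplied by the same party that served the file."""
    return hmac.compare_digest(distributor_checksum, sha256_hex(data))


def demo() -> dict:
    results = {}
    # 1. Untouched build matches the trusted registry.
    results["original"] = verify_against_trusted(RELEASE_NAME, ORIGINAL_BUILD)
    # 2. Benign per-customer build fails: one reference checksum cannot cover
    #    downloads that differ per customer (the objection raised in the post).
    results["per_customer"] = verify_against_trusted(RELEASE_NAME, PER_CUSTOMER_BUILD)
    # 3. A distributor that alters the file simply publishes the new checksum
    #    alongside it, so a check against that checksum always "passes".
    results["tampered_vs_distributor"] = verify_against_distributor(
        TAMPERED_BUILD, sha256_hex(TAMPERED_BUILD)
    )
    # 4. The same altered file checked against the trusted registry is caught.
    results["tampered_vs_trusted"] = verify_against_trusted(RELEASE_NAME, TAMPERED_BUILD)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>24}: {outcome}")
```

Running the script prints `ok`, `mismatch`, `True`, `mismatch` for the four cases in order. Case 3 is the point of the post: a checksum only carries information when it comes from a party other than the one serving the file, and case 2 shows why a single registry entry does not extend to per-customer builds.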
 
@DragonByte Tech I don't think anyone here wants anyone banned from posting on the forums. And I don't think anyone wants to see legitimate developers banned from submitting legitimate addons either.

I think a certified developers badge would be awesome if it is feasible.
But any form of vetting would be an improvement to the current situation.
 
I'd like to chime in regarding automated checks for coding. PHP_CodeSniffer is a Composer add-on. It's easy to run from the command line; however, the correct style rules must be enabled. For example, I ran the code sniffer on a newly modified bootstrap file and there were 50 lines of notices returned. All dealt with an extra line needed here, space versus tab, etc. It turns out the WP style wasn't being honored. I reconfigured and reran.

The point: XenForo could produce style rules, make them available, and that report could be made public before purchasing.

Regardless, the greatest benefit would be improving the code quality without scaring off newbies like me.
 
The point: XenForo could produce style rules, make them available, and that report could be made public before purchasing.

I'd hate something like this; the code style you use has no effect on quality. Whether I use tabs vs spaces, curly braces on the same line or a new line makes absolutely no difference. We use PSR-2 for all of our PHP code. So naturally this would be flagged if they set this to match against their code style, while an add-on that just runs random queries in controllers would be fine because they put curly braces on a new line, use the tab character and not the space character for indentation, etc.
 
So this “badge” would be an XenForo endorsement of a developer. So what would be the requirements to get this nifty badge?

I don't see how this badge benefits any newcomers. Then you have the developers that like to go MIA quite frequently, then come back all willy-nilly like nothing happened. Will it just be code quality or a combination of that and superior support and long term membership here releasing add-ons?
 
Alfa1 said:
Admins giving up on XenForo because of addon troubles costs XenForo LTD directly and indirectly. Directly in terms of license sales and indirectly in terms of brand value/reputation damage. The latter negatively affects growth / new customers. In my view XenForo is a rock solid company that prides itself on regular bug fixes, security updates and holds itself to high standards. The state of the addon community starkly conflicts with that.

As I see it XenForo has a real issue where, for admins who want more features, it is easy to end up without working addons and out of money, or simply without motivation to pursue a failing project. This is the issue that I would like to see addressed. IPS 4.2 did not only have such a massive effect on XenForo customers because it has so many cool features in the core, but also because of the troubles that XenForo admins have experienced with the dozens of addons you need on XF to have a similar feature scope. People get tired of all the addon issues and move to greener pastures.

There will always be addons of lesser quality in the XF marketplace, but currently it's just too crazy. And instead of improving it seems to be getting worse.

IMHO resolving this issue has significant value for XenForo as a brand.
https://theadminzone.com/threads/xenforo-3rd-party-resources.145863/page-3#post-1106655
 
I'd hate something like this, the code style you use has no effect on quality.

My point wasn’t clear. By having the code style, the returned report focuses on quality, helping identify code smells. Without the rules, the report is cluttered with spacing, tabs, etc.
 
Whether I use tabs vs spaces, curly braces on the same line or new line makes absolutely no difference.
If it allows for an automatic first pass check then it makes a difference. Some of Woltlab's requirements:
There are some requirements you should meet before starting:
  • Text editor with syntax highlighting for PHP, Notepad++ is a solid pick
  • *.php and *.tpl should be encoded with ANSI/ASCII
  • *.xml are always encoded with UTF-8, but omit the BOM (byte-order-mark)
  • Use tabs instead of spaces to indent lines
  • It is recommended to set the tab width to 8 spaces, this is used in the entire software and will ease reading the source files
 
I'm not sure if you legitimately do not understand why this doesn't work, or if you're trolling.

The purpose of a checksum is to allow someone to verify that they have gotten a complete, uncorrupted and unmodified download, yes?

Yes, that's the general idea.

A checksum only works if you trust both the person providing the checksum, and you are able to verify the checksum yourself, yes?

Yes, a checksum needs to be checked, else it would not matter.

In other words, if you go to ShadySite because they offer you Windows for free, and they say "here's the checksum for the download so you know it's legit!", that is 100% useless. You should not trust the administrators of ShadySite. You would download the file, generate your own checksum, then go to Microsoft and verify the checksum you have is the same as the checksum they provide for their download.

Yes, if a site provides a checksum it's based on trust, like all downloads.

(Please note that I do not advocate piracy, illegal downloads of Windows is the only time I've ever seen the wider Internet talk about checksums so I used it for illustration purposes)

I hope you're with me thus far. Let me know if I've lost you, and I'll try to elaborate.

Right, so now we've established that a checksum needs to be provided by a trusted party in order for said checksum to be worth a damn.

If I give Chris D a copy of one of our products and he produces a checksum, that checksum would then be the standard to compare all downloaded files against, right?

Yes, that checksum would be used by all standard downloads; this download is standard, nothing generated per customer, it's the same for everyone. You can have two: one is branded, the other brand free, so it depends on what your customer has bought. He can then take that download and check it on the XF website; if the checksum is the same he sees either the branded or the unbranded checksum.

Chris D would, in my previous example, be Microsoft. Why? Because he is the trusted party.

I would be the administrator of ShadySite. Why? Because I'm the untrusted party, I'm the party that needs to prove that I am providing all my customers with a legitimate download.

In other words, if I have provided a product to XF for them to generate a checksum, any checksums that I generate should not be trusted.

Correct, the only checksum you provide is the checksum that you get from Chris; this is either the branded or the unbranded one. Files with generated content are another matter. The customer can upload the file at Chris and should get the same checksum back for either the branded or the unbranded file.

You are saying that if my product download area generates downloads on the fly, to provide features like automatic Branding Free, I should generate a new checksum.

WEE WOO WEE WOO! DANGER! DANGER! ALARM! ALARM! UNTRUSTED CHECKSUM FOUND!

If I can generate a new checksum on the fly and provide this to the user, what's to stop me from including malicious code and making this code part of the checksum?

No, not an alert, alarm or red alert. Like I said, you have for yourself already checked the file (not generated yet) in Chris's system, so you as the developer know that there are no issues with it. At this point a checksum is not needed because per customer it will change; the only thing you needed to know was that there are no issues with the file. That's important to get it automated: if the check fails it will fail for all users.

If I add a virus to the download, and it changes the checksum from "15" (what Chris D got) to "24" (what I get with the virus included), and I tell users "if this is a legit product the checksum will be 24", the users might think this is a legitimate product.

(Please note checksums are obviously not two numbers, this is for illustration purposes.)

No, because the user can upload the file at Chris and see that the check of that file failed, because the one you let Chris check needed to be "15", not "24"; so if you edit the file it's not the one on file at Chris.

In other words, the only way what you are saying will work is if I give Chris D a copy of every customer's download for him to verify before the customer is allowed to download it.

I hope you can understand how utterly ridiculous this is.

Checksums only work if you trust the party providing the checksum. If you trust me to provide a valid checksum, you implicitly also trust me to provide a valid product.

People do not magically lose their ability to code, and the badge could be revoked if the person was found providing malicious code, or code that would not meet certification.


Fillip

The generated files are an issue but not something that would be a showstopper for this.

Like I said above, you as developer know that the file that is generated for a customer, in ungenerated form, will pass the check at Chris. Now it gets a bit tricky: I as customer go to your site, go to downloads and click that I want filenamev1.0.0.zip. That file, after it's generated, is sent to Chris and is checked; you know it will not fail because the ungenerated one did not fail. If you altered too much and did alter something that is checked, it will fail if you did something wrong. After Chris has checked it, that checksum is in Chris's system; your customer gets a notice that the download is ready and downloads it. He goes to Chris and does the checksum, and it's either good or fail: good when it's the same as the one you provided after generation and check, or fail if you tried to add something after the check at Chris. If you did something that made the check fail, the checksum is not in Chris's system, and at that point the customer knows something is wrong. I called this the API: the developer sends the file that is generated and it gets checked.
 
@DragonByte Tech I don't think anyone here wants anyone banned from posting on the forums. And I don't think anyone wants to see legitimate developers banned from submitting legitimate addons either.

I think a certified developers badge would be awesome if it is feasible.
But any form of vetting would be an improvement to the current situation.

On the contrary, for me it's for building up more trust between developer and customer. The developer can say I did this to gain trust that minimum requirements are met. If the check fails I hope that the developer seeks help and looks at what happened, and with others makes sure it's fixed and people learn. It's not for "you failed 3 times and bye, you're not welcome"; that's not what the check is for.
 
I would support the notion of a certification process, so long as it doesn't ban developers who fail to certify from posting their resources here. A certification process can be very intimidating, especially for new coders who have confidence issues.
My issue with certification is that it hurts newer developers entering the community. It'll kinda reduce their sales or disincentivise them from joining the community as a developer, and really we probably want more developers in the community than less.

Also if it costs money it'll end up doing the same thing, hurt new developers from entering the community.
 
My issue with certification is that it hurts newer developers entering the community. It'll kinda reduce their sales or disincentivise them from joining the community as a developer, and really we probably want more developers in the community than less.

Also if it costs money it'll end up doing the same thing, hurt new developers from entering the community.

So you want to let developers develop add-ons and let people install those add-ons while the developer can't pass the certification. What if the new developer did something like not using the security systems that XF uses, or, something I heard, uses raw queries? With a certification you at least know he should not do that.

Yes, we want more developers, but they need to know what to do and not release add-ons just for the sake of it without caring whether what they did was correct or not.
 
In my honest opinion, no offense to anyone, it would be a waste of time letting XF go through code.
Most of the stuff is reviewed by users anyway, so if anything fishy is there, someone will notice it sooner or later.
And if an addon is "poorly coded", so what? Most of those are free anyway, so you can stop using them. And if they are paid ones, it would ruin the reputation of such developers if they wouldn't fix those issues.

And besides the question if reviews would be a waste of time or not, I don't think XF would want to go that way. That is a massive legal responsibility. If such a thing would happen, it would mean legally XF would be responsible for every line of code. I don't think XF wants that. Why risk it when you can put the responsibility to each developer?

Honestly, XF better puts time into 2.1 rather than doing anything else. Forums are dead. We need features, new inventions, new stuff. XF already took many years to release XF 2, which isn't released technically yet anyway (gold release). There is no time for such massive undertakings like reviewing all addons. Instead release more features, so we need less addons.

Sorry, no offense to anyone, just being direct here.
 
We could implement an external (or internal) code audit on an hourly basis very easily. But who would pick up the cost?

Why not a yearly developer fee? Both Apple and Google require this to release add-ons in their store. At this point for XF2, the majority of add-ons are paid, so only a few sales at most would counter the yearly cost of this.
 
So you want to let developers develop add-ons and let people install those add-ons while the developer can't pass the certification. What if the new developer did something like not using the security systems that XF uses, or, something I heard, uses raw queries? With a certification you at least know he should not do that.

Yes, we want more developers, but they need to know what to do and not release add-ons just for the sake of it without caring whether what they did was correct or not.
Sounds to me like you want to force certification onto people - which is definitely *not* a good idea.
 
Why not a yearly developer fee? Both Apple and Google require this to release add-ons in their store. At this point for XF2, the majority of add-ons are paid, so only a few sales at most would counter the yearly cost of this.
Apple and Google offer a lot more value for the buck, and there's high competition on the App Stores. In comparison, there's a lot of gaps in the RM for potential add-ons. This is not a time you want to limit the markets, and the potential profits for XF are minimal. ~25 developers at the most will be paying a fee (probably closer to 15).
 
Like I said above, you as developer know that the file that is generated for a customer, in ungenerated form, will pass the check at Chris. Now it gets a bit tricky: I as customer go to your site, go to downloads and click that I want filenamev1.0.0.zip. That file, after it's generated, is sent to Chris and is checked; you know it will not fail because the ungenerated one did not fail. If you altered too much and did alter something that is checked, it will fail if you did something wrong. After Chris has checked it, that checksum is in Chris's system; your customer gets a notice that the download is ready and downloads it. He goes to Chris and does the checksum, and it's either good or fail: good when it's the same as the one you provided after generation and check, or fail if you tried to add something after the check at Chris. If you did something that made the check fail, the checksum is not in Chris's system, and at that point the customer knows something is wrong. I called this the API: the developer sends the file that is generated and it gets checked.
Okay, so you have no idea how checksums work and you have no idea how easily exploitable and customer-unfriendly your "system" is, gotcha. Sorry for the confusion, I thought you'd maybe consider googling this and gaining a basic understanding of how these systems work, and realising the flaws in your own system when they're pointed out to you.

My issue with certification is that it hurts newer developers entering the community. It'll kinda reduce their sales or disincentivise them from joining the community as a developer, and really we probably want more developers in the community than less.

Also if it costs money it'll end up doing the same thing, hurt new developers from entering the community.
That's very true, but I can also see the opposing side where you really want to know if someone's addons are of actual worth or if they're just one-liners that were more or less actually coded by someone else.

What about instead of requiring certification, someone from the XF team reaches out to the developer in question, asks to gain access to their paid mods (if the mods are paid) and reviews them that way, assigning a badge of certification if everything is above board? Perhaps doing it that way would ensure it isn't as intimidating?


Fillip
 