Rather than belittle others' contributions to an issue that concerns us all, I would like to hear your ideas on how to best regulate bad coding practices.
I'm not belittling his contribution, I simply don't agree with it and am expressing that opinion.
What would you do? Let everyone just develop and post add-ons and hope that we do not see this
On Jan 1, 2016 version 1.3 of this add-on was released to address an exploitable SQL injection vulnerability. If you are still using a version of this add-on which is below 1.3 or released before Jan 1, 2016 then it is essential that you update to the latest version of the add-on as soon as possible to fix this security issue. If you have any further questions, please ask.
too many times in the RM and hope no one got hit by it. On forums we like to compare with cars: someone driving needs a driving license. Why? So you know the rules and have at least minimum control of the car; if you are not in control you can do damage. But in the digital world we let them go unprepared and do whatever they want; it does not matter. Well, next year for people in the EU it will matter, because we will get the General Data Protection Regulation that every EU country must have. So this kind of trouble we can't have anymore; it can cost you money as an owner, and your reputation. So do we want developers that know the basic rules, or nothing at all?
Good question. As some here have acknowledged, this isn't a black and white issue like some people in here are making it out to be. Any regulation you do comes at a cost, and this isn't really a rich marketplace filled with competition where any losses in development by regulation can be easily disregarded.
I've seen 'marketplaces' (considering the RM a marketplace here) with half-arsed resource/product moderation. They're complete crap. You either let free markets fix up the problems, and the review system is a relatively successful way to do that (it works one way, though), or you become fully involved in the moderation of the content on the marketplace. Anything in the middle just annoys the developers, in my experience.
I don't see too many add-ons, especially the larger ones, suffering from SQL injections or critical security vulnerabilities - it's pretty hard to, assuming you correctly use the APIs within XenForo. The ones creating vulnerable code are probably newer developers if anything, and they're probably just applying some flawed logic from experience outside of XenForo. And honestly, if vulnerable code is your problem, then it's incorrect to assign the blame to developers alone. XenForo doesn't have *any* documentation for XF1 at all. For developers wanting to get the hang of XF1 APIs to write add-ons, you're forced to download and reverse engineer existing add-ons, browse the forums and analyse snippets and whatnot rather than be able to read some documentation and jump straight into programming. I didn't find that method difficult myself, and I think it makes you a better developer, but if you're going to say that developers are unable to properly use the functions within XF, most of that blame should be assigned to XF for having no developer documentation at all since release. I see that's changing with XF2, and I'm hoping comprehensive, well-written developer documentation will attract developers and be a partial solution to the problems discussed in this thread.
I don't think car licensing is a fair analogy. The biggest reasonable threat from unsafe driving is death; the biggest reasonable threat from incompetent developers is loss of secure data or exploitation of websites. There are lots of drivers (because there are lots of people), so you can impose regulation and unfair requirements for driving that people will have to meet, and it really won't make that big of a difference; do that in a relatively small market of < 25 active developers and it just doesn't work the same. A better comparison is buying a second-hand car. There is no legal regulation on car sales; you don't need a license or need to be certified and display a sign of certification. The car could be faulty or poorly handled, and the seller could mislead you in regard to that. It's your job to analyse the documents, have the car checked out by your mechanic and ensure it meets your requirements. It may end up being more expensive, but you can always buy a product, have a developer check it out and refund it if it doesn't meet your requirements (I do find it unreasonable, having to do that for every add-on, but the option remains available to you, and it does illustrate why analogies to completely different sectors don't work here). Since you're familiar with EU law, it seems, all EU residents are to be allowed a 14-day refund guarantee on all online purchases, regardless of the location of the seller.
The GDPR is pretty strict, but I honestly doubt many forums are going to adhere to it. Small businesses aren't exactly the most legally compliant people around. For example, I think we're the only developers on this site (except M2N's add-ons and XenForo itself of course) that charge VAT and adhere to VAT MOSS regulations, even though every single developer selling any paid add-on here located anywhere in the world should be VAT/VAT MOSS registered and charging VAT and issuing VAT invoices. The GDPR is going to require a lot more businesses, every single forum except types like 4chan, to register as data controllers. Do you think forums are going to register? I doubt it. They aren't going to remove user data on demand either, as they perhaps should. Hence, I don't think the introduction of new laws is going to change the developer situation here.
Back onto topic, resources, I don't think security vulnerabilities are the biggest problem caused by non-regulation. The example you cited is from the beginning of 2016, and it's one out of thousands of add-ons on the RM. I don't think many have existing critical vulnerabilities in them. The biggest issue is buggy code that's just not properly tested. A typical worst case scenario of such is board downtime or altered pages, I think, rather than actual vulnerabilities. Obviously, this is unacceptable. I still think most (active) developers here would fix major issues like that when reported, especially if/when XenForo intervention happens, which it does for add-ons that are reported to cause more major issues.
So that being said, is the problem here more minor bugs like functionality that doesn't completely work, or cosmetic problems?