Review resources before approving them (XF Community)

Martok

Well-known member
  • #161
If Xenforo would review resources then likely a large number of addons would never have been approved. For example: themehouse recently marked a very large number as unsupported or deleted them because those did not meet their own quality standards.
Not all of the add-ons were unsupported/deleted due to not meeting their standard. Whilst some were, Themehouse simply can't support that number of add-ons. Also not meeting their standards doesn't necessarily mean that the add-ons are badly coded or harmful. Whilst some could be coded better, it may be that the standards relate to how they set out their code (one of the team recently stated that they use PSR-2 coding style http://www.php-fig.org/psr/psr-2/) and to redo the add-ons to meet that format would just be too much work.

There are also a lot of malfunctioning add-ons in that total of 2000. The issue there is that such add-ons do occupy a slot that may otherwise have been filled by another developer.
If there are malfunctioning add-ons, they should be reported to the XenForo team so they can be removed if they cause any harm. If you mean they don't work properly with later versions of XenForo (e.g. they work with 1.3 but not properly with 1.5) then that's not really malfunctioning, it's just working with a particular XenForo version.

@Martok why do you think that additional costs would require a raise in price? Has this been stated by xenforo somewhere or are you just assuming this?
Software is not a tangible good with a solid production price. Instead it has a variable production price per license which is dependent upon total licenses sold, which is dependent upon optimal price mark.
XenForo prices have not changed since 2010. In those 7 years, inflation has been around 2.7% average per year, so that's around 20% rise in that time. So other goods have gone up in price whilst XenForo has remained static in price. The developers need to cover their costs and live off the income from sales. Yes there are license sales but likely less now per year than in the starting years when people moved from other software to XenForo. Many sites now will only be paying the renewal fees and, as we will have seen quite a few times in posts on here, some admins don't pay these annually, only when they feel there is an update with new features that they want (I bet there's quite a few admins who haven't paid for a while whilst waiting for XenForo 2.0 and may then wait until the add-ons they use are rewritten for 2.0 before they pay and make the jump). So for the developers to continue with pricing set 7 years ago, take on more staff to review all add-ons and not raise prices I think is not possible.

It feels to me (and apologies if I have got the wrong impression) that some of this discussion on reviewing code is blown out of proportion. There are hardly any add-ons that have had vulnerability issues and those that have have been swiftly dealt with. The dodgy developer of add-ons was banned from this site (yet people still buy his add-ons!!) From what is left, I would say that add-ons are safe to use. Some could definitely be coded better but to be honest many of us know which developers we would use add-ons from and which ones we wouldn't touch with a barge pole.

BTW don't get me wrong, I'm not against any reviewing the code of add-ons. It just seems to me that there may be some who expect this to happen and haven't considered the consequences and, IMO, one of those is a price increase to cover additional staff, and another is that certain developers could just make their (potentially badly coded) add-ons available on their own site and not here and, as we know, people will still use them even when there are dire warnings not to do so on XenForo.
 

Alfa1

Well-known member
  • #162
Malfunctioning does not equal harmful or vulnerable. That's not the argument I was making in the post you replied to.
Malfunctioning means that an addon does not work properly. Addons that are partly or fully malfunctioning are allowed in the xenforo resource manager. They do not need to be reported. The recourse is to make the issues (often privately) known and if not resolved leave a rating.

Malfunctioning addons are a large part of the reason why I lost over $5000 on funding addons and addon functionality.
It feels to me (and apologies if I have got the wrong impression) that some of this discussion on reviewing code is blown out of proportion. There are hardly any add-ons that have had vulnerability issues and those that have have been swiftly dealt with.
There is no review. No one knows except those few that really do an audit.

In general audits are not shared or publicly posted because there is backlash. See the comment by HWS about him no longer posting audits. Developers do not want to be seen as scorching the competition. Instead they just tell the people they trust to stay away from certain developers. And there are quite a few developers to stay away from.
The dodgy developer of add-ons was banned from this site
Are you certain that it's not possible to just open up new accounts and submit new dodgy addons? There is no review process.
Dodgy addons stay available until they are exposed as such. If someone becomes aware of such then they may choose to report it.
You'd be surprised how current this topic is.
 

we_are_borg

Well-known member
  • #163
I think it's important to note that reviewing code is going to be nowhere near the bit that takes the most time. Instead it will be the inevitable back and forth after you reject an add-on. It might take no more than 5 minutes to ascertain that an add-on doesn't meet the expected standard. But it will take a lot longer to explain why it doesn't meet the expected standard and what actions are required to meet that standard.
You did the check manually, I presume, just scrolling through the code. So 5 minutes is not really much if it's an average code length.

Please don't see this as a precedent but over the last 24 hours I actually reviewed the code of an add-on. This was actually more of a coincidence more than anything. It wasn't a conscious decision that I wanted to review it, it was just something I spotted. There were some issues with how the extension of our code was taking place that would likely cause problems down the line. It took maybe 3 minutes for me to ascertain why it didn't meet the standards and why. However it took maybe 15-30 minutes for me to convey in appropriate terms what needed to be changed. The initial concerns were resolved, but after reviewing the changes again I had some other changes to recommend and that, again, took another 15-30 minutes and it's possible that there could be further queries off the back of that.
Well, you suspected that something was not right, else you would not have reviewed the code. It's good you found it; now it can be repaired. The reason it took 30 minutes to report is that you are not set up for this task. If, for example, you want to do this sort of work, preparation is everything, so the first thing is to make sure you can copy and paste from a repository so it will take less and less time. Also, now people go into discussion with you about why they need to be accepted even if the quality is not 100%. In time they will know better, so even that will take less and less time.

Which brings me on to this:

I disagree. That large number of add-ons would have been approved. Eventually. To get there, it would likely take many hours of discussion and further reviews. You might think that perhaps it would just be a case of rejecting something and giving a high level reason, but that explanation likely won't be detailed enough for the developer to know what actions are required. Even if we're strict on that, there'll always be some level of subjectiveness to our reasons which I'm sure will result in some lengthy conversations probably exceeding the paltry few minutes it would take to review the code in the first place.
Why does it not take WBB that much time? They already said that two years ago, so they either have better rules than you think of or people don't discuss it as much. It's not about subjectiveness but all about doing the same checks time and time again; also it is the minimum that you check. But to start somewhere, I would adopt the rules of WordPress, with basic rules to start with, so developers know what is expected at the very least.
 

Alfa1

Well-known member
  • #164
I disagree. That large number of add-ons would have been approved. Eventually. To get there, it would likely take many hours of discussion and further reviews. You might think that perhaps it would just be a case of rejecting something and giving a high level reason, but that explanation likely won't be detailed enough for the developer to know what actions are required. Even if we're strict on that, there'll always be some level of subjectiveness to our reasons which I'm sure will result in some lengthy conversations probably exceeding the paltry few minutes it would take to review the code in the first place.
Those are really good points. I think that you have a less sceptical worldview than me. There have been plenty of addons that I funded which never came to functional state. The developer simply was not able to deliver something that can be run fully functional on a live site. No matter how often bugs were reported. The bugs in those cases were part of a deeper more structural problem.
 

Martok

Well-known member
  • #165
Malfunctioning means that an addon does not work properly. Addons that are partly or fully malfunctioning are allowed in the xenforo resource manager. They do not need to be reported. The recourse is to make the issues (often privately) known and if not resolved leave a rating.
TBH it really depends on the malfunction. Some are minor annoyances which, though not ideal, don't break a forum. Should any add-on that has any type of malfunction whatsoever be removed from the RM? Probably not. Should the ones with serious malfunctions that cause major issues to forums be removed? Definitely. Ideally no add-on should malfunction, but old ones that aren't maintained and mostly do their job could still be used by some people if they are aware of the issues (which, really, an admin should have found out by a quick skim through the discussion thread for the add-on, at least the last few posts would reveal any issues).


There is no review. No one knows except those few that really do an audit.

In general audits are not shared or publicly posted because there is backlash. See the comment by HWS about him no longer posting audits. Developers do not want to be seen as scorching the competition. Instead they just tell the people they trust to stay away from certain developers. And there are quite a few developers to stay away from.
I think you misinterpreted what I said. I meant that this call for the XenForo devs to review all code appears to me a bit blown out of proportion for the reasons I stated in my last post.

Are you certain that it's not possible to just open up new accounts and submit new dodgy addons? There is no review process.
Dodgy addons stay available until they are exposed as such. If someone becomes aware of such then they may choose to report it.
You'd be surprised how current this topic is.
I guess it's possible for a banned member to register with a new account and publish add-ons. Admins would be rather foolish to blindly install add-ons from someone who has only been registered for a very short time, especially if the add-ons are very similar to those of a previously banned author. We, as admins, do need to take some responsibility for what we install on our sites, we can't pass the buck onto XenForo for everything (whether they check the code of add-ons or not).

You did the check manually, I presume, just scrolling through the code. So 5 minutes is not really much if it's an average code length.

Well, you suspected that something was not right, else you would not have reviewed the code. It's good you found it; now it can be repaired. The reason it took 30 minutes to report is that you are not set up for this task. If, for example, you want to do this sort of work, preparation is everything, so the first thing is to make sure you can copy and paste from a repository so it will take less and less time. Also, now people go into discussion with you about why they need to be accepted even if the quality is not 100%. In time they will know better, so even that will take less and less time.
In the last 7 days there were 99 resources submitted to the RM (either new or updates). If this is any sort of average week (who knows, it may be lower or even higher than this) and let's assume it takes an average of 20 mins to review an add-on and communicate issues with a developer (some will pass, some will fail and will need communication and then further review, some will need multiple reviews). That's 1980 mins or 33 hours per week purely on reviewing code (and that's non-stop). That's another coder/developer needed to take on this task.
 

Alfa1

Well-known member
  • #170
Should the ones with serious malfunctions that cause major issues to forums be removed? Definitely.
I am not sure this is realistic. I surely do not expect the XF team to make sure that addons are fully functional. I would be really happy to see some ground rules and a basic check that sets standards. I am convinced that a lot of addons would not make it through a first check. Even an automated check. And I also suspect that some coder hobbyists are not able to make it through any such review because it would raise the bar a little and therefore beyond their reach.
I guess it's possible for a banned member to register with a new account and publish add-ons. Admins would be rather foolish to blindly install add-ons from someone who has only been registered for a very short time, especially if the add-ons are very similar to those of a previously banned author.
I think this is not something that admins should have to do. If a developer is banned for dodgy activity and strange callbacks in their addons, then new admins will not be aware what addons the banned developer offers. It happened years ago, so they don't know about it and cannot compare it.
If the XF team would review new addons in any way then it will probably set off alarm bells when a new developer offers the strikingly similar addons. They can stop trouble at the gate instead of having to rely upon admins to report the issue well after the potentially malicious addons are offered on xenforo.com
 

RobinHood

Well-known member
  • #171
I also suspect that some coder hobbyists are not able to make it through any such review because it would raise the bar a little and therefore beyond their reach.
Or it may encourage more learners to get better at a faster rate if there is a comprehensive codex with best practices and examples, as there is with WordPress.

The existing dev docs are a great start. I hope someone continues to maintain and expand them. It might be time to get them ported over to the main XF site?
 

RobinHood

Well-known member
  • #172
Perhaps add some more examples on how to use particular classes to achieve certain goals, or even if someone had the inclination, to do a best practice video series on setting up your dev environment properly and getting stuck into the code. A video series would be a great way to introduce more beginner devs to the ecosystem and guide them as to certain best practices, as suggested and explained by the people who wrote the software (or at least some other experienced devs who know what they're doing).

You can actually comment as you're coding, talking about your thought process and why you're doing what you're doing. It's much easier to talk about certain things like that on video as opposed to writing a wall of text in a concise written guide.

Get them started out on the right foot so they can get a good grounding and the confidence to get stuck in and over time build more complex add-ons by doing more research and self-learning themselves. Give them that foundation though.

I think the video tutorials would give a lot more beginner devs the confidence to go ahead and try it by following along. Look at the success of Lynda.com, Treehouse.com, ITPro.tv, all those great YouTube coding channels. People love to learn via video and it works really well.

Figure out an XF curriculum and give new devs the tools and guidance they need to build some basic add ons from start to finish and understand how best to use all the nooks and crannies of XF so they can go on to build bigger and better plugins.

You could include security best practices, plugin options pages best practices, uninstalling and cleaning up best practices, integrating with styles best practices, all sorts.

Set the bar for how you think plugins should be written and developed, show us, and let the responsible, and eager to learn devs pick it up and carry on from there.
 