
Should xF absolve itself of add-on quality control? Are there options? What about the community?

Discussion in 'Resource and Add-on Discussions' started by haqzore, Feb 4, 2015.

  1. haqzore

    haqzore Member

    So I'm sure most know what this is stemming from.
    I think this is a good time to start discussion around what xF's controls could/should be, if anything at all.

    Disclaimer: I know & I've read, repeatedly, that xF doesn't audit any add-on code, doesn't host it, doesn't have the time/money/resources, etc etc etc.

    My question is around what could/should xF do to help their own community close this gap?

    Some FOSS scripts offer "add-ons" that are held to set standards, and approved by qualified community volunteers before being released:

    This eliminates the concern of xF developers being "pulled away" from core duties and not having "enough time" to keep up with it. The linked example doesn't handle it first party, it's a community effort, and it works for them.

    CONCERN: What about paid add-ons?
    RESPONSE: A paid add-on developer could simply provide an "official" team member access to the add-on for the purpose of inspection.

    CONCERN: Giving free access to my paid add-on?!? PIRACY!
    RESPONSE: The example linked above is of a team that is vetted & contained within the xF.com site. I don't think 1 free copy to 1 "internal" team to be reviewed will noticeably increase the risk of piracy.

    CONCERN: But I don't trust these people. What makes them qualified anyways?
    RESPONSE: edit: and of course these aren't random members of the community. Look at phpBB's selection process, for example.

    I will share a personal example:

    I bought an add-on for IPB. As we know, IPB hosts its payments and files all in-house at their site.

    • The add-on I purchased flat out did not perform a function it advertised.
    • I repeatedly contacted the author, posted in the support topic, referred to the add-on sales page, and pursued a solution.
    I never got anywhere, so after much effort and time opened a Marketplace support ticket with IPB. I explained the situation, and gave copies/proof of all the communication with the author, the add-on selling page (which still listed it), the support posts, etc.

    IPB refunded my purchase price of the add-on (as an in-store credit), and I was satisfied. Had it not been for IPB, I would've been out 100% of my money with 0% of the product I paid for.

    This also provides IPB customers a very robust 1-stop shop for add-ons. Add-ons have their own support topic generated (linked within the sales page). Authors still have the option of hosting their own site for sales/support if they so choose.

    CONCERN: IPB takes a cut of the sales.
    RESPONSE: A very valid point. A hit to developers, and likely a hit to end-users as they pass that cost on to us.

    CONCERN: xF doesn't currently have a commerce solution.
    RESPONSE: Very true :p

    What are some other options/ideas to close the gap?
    Should this even be considered? Should something (anything) be done to be proactive?
    Or do we leave the process reactive (as it is today)? Maybe we really don't need this?
    Alfa1 and Digital Doctor like this.
  2. Brogan

    Brogan XenForo Moderator Staff Member

    No thanks.

    I wouldn't allow random community members to audit and approve my code and I wouldn't trust any add-ons they did.

    There are only a handful of developers I would consider qualified to do that.
    Most of them work for XenForo.
  3. haqzore

    haqzore Member

    Fair response.
    But who's to say those few you trust couldn't be on the "team"?

    Also, the "audit" could be adjusted. Maybe it simply looks for malicious code & unethical callbacks, for example?

    Just thinking out loud.
  4. FredC

    FredC Well-Known Member

    IMO the community already does this; you just can't be afraid to ask questions or raise concerns. I suppose if that were to be frowned upon then we could have problems.
  5. haqzore

    haqzore Member

    Good point & I agree.

    Perhaps the first scenario I posed is simply a more organized / controlled way of accomplishing what's already being done?
  6. Arty

    Arty Well-Known Member

    It won't work.

    Volunteer validation works for phpBB because phpBB is completely different from XenForo.

    phpBB is an open source project that is being run by volunteers. All team members are investing a huge amount of time because they love software and want to improve it. Commercial styles and add-ons are strictly prohibited from being published or supported on the phpbb.com website. Therefore people have no problems sharing their code with others, and there are no time constraints on code validation. If a style or add-on fails validation, the developer doesn't lose any money.

    XenForo is a commercial project. There are many commercial styles and add-ons. Losing time equals losing money. With validation there would be time loss for everyone: developers waiting for their product to be validated, validators spending time validating other people's work instead of improving their own products. A style or add-on failing validation means the developer losing money, so validation guidelines must be very very strict and validators must be very competent at their job.

    The only way to do it is to have a full team of competent developers validating releases as their paid job. That works very well for ThemeForest, but they do have a big incentive to do that - they take a huge cut from all sales.

    I think the resource manager already does its job very well. It has a rating system where users can see everyone who voted and their comments. It has a support thread for every release, allowing users to see what problems other users are running into and how fast the developer fixes those issues. So no need for validation.
    gfc, Steve F, haqzore and 3 others like this.
  7. haqzore

    haqzore Member

    Great post and good points @Arty.

    To all: any other ideas? I only posted 2 examples I thought of.

    Of course it's legit to want to "stay the course".
    Steve F likes this.
  8. Xon

    Xon Well-Known Member

    XenForo's resource manager for addons is fundamentally non-curated a walled garden. I can understand why XF doesn't want to do checks, and is trying to keep a hands-off approach; but it does have an impact on customers.

    The rating system in resource manager is really not useful for determining addon quality. At all.
    Last edited: Feb 5, 2015
    tajhay, Alfa1, haqzore and 1 other person like this.
  9. Digital Doctor

    Digital Doctor Well-Known Member

    Are you volunteering them?

    What about someone not assessing quality... but assessing security?
    Last edited: Feb 5, 2015
  10. Digital Doctor

    Digital Doctor Well-Known Member

  11. Newt

    Newt Active Member

    In business in general, authors are usually very happy to provide a review copy to (large) publishers who are going/willing to get them free publicity, so that wouldn't fall into "piracy".
    Trading (even a few) digital licenses for mass exposure and a credibility boost? Hell yeah.
    Steve F likes this.
  12. EQnoble

    EQnoble Well-Known Member

    Sure and pay by the byte for code review, mind you this would also apply to people providing free resources (who might be willing to work for free, but they are not going to pay someone so they can work for free).

    Most of the suggestions that will come from this kind of talk will be useless just for the fact that most people look at things from one angle when they speak, and it is usually the only angle they see things from at the moment and sometimes at all.

    The people who would have to make a decision and be responsible for implementing something have to consider all angles, cost/benefit, and most of all liability, which could create the need for certain actions to be taken which could leave a foul taste in people's mouths. It does not make sense to stand in the line of fire for little to no benefit while also lowering operating efficiency and raising overhead.
    Last edited: Feb 5, 2015
  13. haqzore

    haqzore Member

  14. batpool52!

    batpool52! Well-Known Member

    Anyone who tries to read my dirty codes will probably end up having eye cancer (if that exists).
    haqzore likes this.
  15. Jeremy

    Jeremy Well-Known Member

    Assessing code for security issues takes a vast amount of time to do it properly.
    Xon likes this.
  16. Xon

    Xon Well-Known Member

    Like I said, I understand why XF doesn't want to do it. Code analysis is a rather hard task.

    Google and Apple with automated scanners and manual verification can't keep malware out of their mobile application stores.
  17. Alfa1

    Alfa1 Well-Known Member

    I do think that it would do the XenForo platform great good if it would be easier to see if addons and developers have issues. Currently it's extremely likely that problems stay under the radar.
    The current reviews system is pretty much useless. Bugs are invisible. Bad track records are invisible.
    Xon likes this.
  18. Newt

    Newt Active Member

    I think you quoted the wrong message. Or missed my point, but you're welcome to carry on in private if you wish for I think it's going to go off topic.
  19. EQnoble

    EQnoble Well-Known Member

    No, it's completely on topic and I was specifically responding to ...
    ...because it would not just be a couple of licenses (which of course wouldn't really be licenses so to speak because you wouldn't be authorizing auditors to use these in production environments...just review/test) as the cost of the audit has to be picked up somewhere.
  20. Newt

    Newt Active Member

    Oh, right.
    But I never meant that publishers or users have to blindly accept everything that is being thrown at them. My point was, it's not piracy if you are willing to submit your resource for a review/test, especially if you have nothing to hide. It comes with benefits... if accepted.
