Should xF absolve itself of add-on quality control? Are there options? What about the community?

haqzore

So I'm sure most know what this is stemming from.
I think this is a good time to start discussion around what xF's controls could/should be, if anything at all.

Disclaimer: I know & I've read, repeatedly, that xF doesn't audit any add-on code, doesn't host it, doesn't have the time/money/resources, etc etc etc.

My question is around what could/should xF do to help their own community close this gap?


SCENARIO 1
Some FOSS scripts offer "add-ons" that are held to set standards, and approved by qualified community volunteers before being released:

This eliminates the concern of xF developers being "pulled away" from core duties and not having "enough time" to keep up with it. The linked example doesn't handle it first party, it's a community effort, and it works for them.

CONCERN: What about paid add-ons?
RESPONSE: A paid add-on developer could simply provide an "official" team member access to the add-on for the purpose of inspection.

CONCERN: Giving free access to my paid add-on?!? PIRACY!
RESPONSE: The example linked above is of a team that is vetted & contained within the xF.com site. I don't think 1 free copy to 1 "internal" team to be reviewed will noticeably increase the risk of piracy.

CONCERN: But I don't trust these people. What makes them qualified anyways?
RESPONSE: Edit: and of course these aren't random members of the community. Look at phpBB's selection process, for example.


SCENARIO 2
I will share a personal example:

I bought an add-on for IPB. As we know, IPB hosts its payments and files all in-house at their site.

  • The add-on I purchased flat out did not perform a function it advertised.
  • I repeatedly contacted the author, posted in the support topic, referred to the add-on sales page, and pursued a solution.
I never got anywhere, so after much effort and time I opened a Marketplace support ticket with IPB. I explained the situation, and gave copies/proof of all the communication with the author, the add-on selling page (which still listed it), the support posts, etc.

IPB refunded my purchase price of the add-on (as an in-store credit), and I was satisfied. Had it not been for IPB, I would've been out 100% of my money with 0% of the product I paid for.

This also provides IPB customers a very robust 1-stop shop for add-ons. Add-ons have their own support topic generated (linked within the sales page). Authors still have the option of hosting their own site for sales/support if they so choose.

CONCERN: IPB takes a cut of the sales.
RESPONSE: A very valid point. A hit to developers, and likely a hit to end-users as they pass that cost on to us.

CONCERN: xF doesn't currently have a commerce solution.
RESPONSE: Very true :p




What are some other options/ideas to close the gap?
Should this even be considered? Should something (anything) be done to be proactive?
Or do we leave the process reactive (as it is today)? Maybe we really don't need this?
 
No thanks.

I wouldn't allow random community members to audit and approve my code and I wouldn't trust any add-ons they did.

There are only a handful of developers I would consider qualified to do that.
Most of them work for XenForo.
 
No thanks.

I wouldn't allow random community members to audit and approve my code and I wouldn't trust any add-ons they did.

There are only a handful of developers I would consider qualified to do that.
Most of them work for XenForo.
Fair response.
But who's to say those few you trust couldn't be on the "team"?

Also, the "audit" could be adjusted. Maybe it simply looks for malicious code & unethical callbacks, for example?

Just thinking out loud.
 
IMO the community already does this; you just can't be afraid to ask questions or raise concerns. I suppose if that were to be frowned upon then we could have problems.
 
IMO the community already does this; you just can't be afraid to ask questions or raise concerns. I suppose if that were to be frowned upon then we could have problems.
Good point & I agree.

Perhaps the first scenario I posed is simply a more organized / controlled way of accomplishing what's already being done?
 
It won't work.

Volunteer validation works for phpBB because phpBB is completely different from XenForo.

phpBB is an open source project that is being run by volunteers. All team members are investing a huge amount of time because they love software and want to improve it. Commercial styles and add-ons are strictly prohibited from being published or supported on the phpbb.com website. Therefore people have no problems sharing their code with others, and there are no time constraints on code validation. If a style or add-on fails validation, the developer doesn't lose any money.

XenForo is a commercial project. There are many commercial styles and add-ons. Losing time equals losing money. With validation there would be time loss for everyone: developers waiting for their product to be validated, validators spending time validating other people's work instead of improving their own products. A style or add-on failing validation means the developer losing money, so validation guidelines must be very very strict and validators must be very competent at their job.

The only way to do it is to have a full team of competent developers validating releases as their paid job. That works very well for ThemeForest, but they do have a big incentive to do that - they take a huge cut from all sales.

I think the resource manager already does its job very well. It has a rating system where users can see everyone who voted and their comments. It has a support thread for every release, allowing users to see what problems other users are running into and how fast the developer fixes those issues. So no need for validation.
 
Great post and good points @Arty.

To all: any other ideas? I only posted 2 examples I thought of.

Of course it's legit to want to "stay the course".
 
XenForo's resource manager for addons is fundamentally non-curated a walled garden. I can understand why XF doesn't want to do checks, and trying to keep a hands-off approach; but it does have an impact on customers.

I think the resource manager already does its job very well. It has a rating system where users can see everyone who voted and their comments. It has a support thread for every release, allowing users to see what problems other users are running into and how fast the developer fixes those issues. So no need for validation.
The rating system in resource manager is really not useful for determining addon quality. At all.
 
Giving free access to my paid add-on?!? PIRACY!
In business in general, authors are usually very happy to provide a review copy to (large) publishers who are going/willing to get them free publicity, so that wouldn't fall into "piracy".
Trading (even a few) digital licenses for mass exposure and a credibility boost? Hell yeah.
 
In business in general, authors are usually very happy to provide a review copy to (large) publishers who are going/willing to get them free publicity, so that wouldn't fall into "piracy".
Trading (even a few) digital licenses for mass exposure and a credibility boost? Hell yeah.

Sure and pay by the byte for code review, mind you this would also apply to people providing free resources (who might be willing to work for free, but they are not going to pay someone so they can work for free).

Most of the suggestions that will come from this kind of talk will be useless just for the fact that most people look at things from one angle when they speak and it is usually the only angle they see things from at the moment and sometimes at all.

The people who would have to make a decision and be responsible for implementing something have to consider all angles, cost/benefit, and most of all liability of which could create the need for certain actions to be taken which could leave a foul taste in people's mouths. It does not make sense to stand in the line of fire for little to no benefit while also lowering operating efficiency and raising overhead.
 
What about someone not assessing quality .. but assessing security.
Exactly!
In business in general, authors are usually very happy to provide a review copy to (large) publishers who are going/willing to get them free publicity, so that wouldn't fall into "piracy".
Trading (even a few) digital licenses for mass exposure and a credibility boost? Hell yeah.
Exactly!
 
Assessing code for security issues takes a vast amount of time to do it properly.
Like I said, I understand why XF doesn't want to do it. Code analysis is a rather hard task.

Google and Apple with automated scanners and manual verification can't keep malware out of their mobile application stores.
 
I do think that it would do the XenForo platform great good if it would be easier to see if addons and developers have issues. Currently it's extremely likely that problems stay under the radar.
The current reviews system is pretty much useless. Bugs are invisible. Bad track records are invisible.
 
Sure and pay by the byte for code review, mind you this would also apply to people providing free resources (who might be willing to work for free, but they are not going to pay someone so they can work for free).

Most of the suggestions that will come from this kind of talk will be useless just for the fact that most people look at things from one angle when they speak and it is usually the only angle they see things from at the moment and sometimes at all.

The people who would have to make a decision and be responsible for implementing something have to consider all angles, cost/benefit, and most of all liability of which could create the need for certain actions to be taken which could leave a foul taste in people's mouths. It does not make sense to stand in the line of fire for little to no benefit while also lowering operating efficiency and raising overhead.
I think you quoted the wrong message. Or missed my point, but you're welcome to carry on in private if you wish for I think it's going to go off topic.
 
I think you quoted the wrong message. Or missed my point, but you're welcome to carry on in private if you wish for I think it's going to go off topic.
No, it's completely on topic and I was specifically responding to ...
Trading (even a few) digital licenses for mass exposure and a credibility boost? Hell yeah.
...because it would not just be a couple of licenses (which of course wouldn't really be licenses so to speak because you wouldn't be authorizing auditors to use these in production environments...just review/test) as the cost of the audit has to be picked up somewhere.
 
Oh, right.
But I never meant that publishers or users have to blindly accept everything that is being thrown at them. My point was, it's not piracy if you are willing to submit your resource for a review/test, especially if you have nothing to hide. It comes with benefits... if accepted.
 