As the title says, We would all like easier plugin installs, I mean, It's a big headache installing a BIG plugin such as an Arcade Plugin especially when you're using a web host.
I would like to see any feedback!
Thank you! <3
(2015-08-18, 12:32 AM)TheEpicCooldeal Wrote: [ -> ]As the title says, We would all like easier plugin installs, I mean, It's a big headache installing a BIG plugin such as an Arcade Plugin especially when you're using a web host.
I would like to see any feedback!
Thank you! <3
I would like to know what you mean by make it easier. Please provide more details on what you think needs to be improved on for plugin installations, what makes installing Arcade Plugin so hard, etc. I've never used Arcade Plugin, so for you to ask MyBB to make it easier to install plugins because the Arcade Plugin is a headache to install, doesn't exactly help your suggestion/feedback from my point of view. I've installed other plugins before, and they were pretty straight forward, so for my experience I don't think it can get any easier than uploading them to the proper folders. logging into the ACP, and clicking the install link on the plugins section in the ACP. As far as I know, all 1.6 and 1.8 specific plugins that needed to change templates or other modifications used the "install" hook and the "enable" hook. I have yet to install a plugin that required me to modify core files like some forum software in the past. I've yet to run into a plugin that required me to edit templates myself.
I would also like to see an autoinstall-like process happen too, and I can think of a way for us to do it, but it requires a lot of *constant* attention from the team, which has historically been a bit unstable activity-wise because we're all volunteers.
I'd like to see us move the mods site to some HTTPS-secured system. Then, require the sign-off of multiple team members for a plugin to be approved for automatic download/install from the ACP. One approval (as it is right now) could put it on the site, but multiple would allow for it to be autoinstalled.
The idea is here that multiple people have to agree that something is safe, which avoids the threat of someone missing a major vulnerability/exploit (plugins can totally drop your database if they want). Then, sending the download package over HTTPS avoids the risk of a man-in-the-middle attack compromising the files.
Additionally, we could make the core create a backup before running any migrations or installation functions, which allows for a way to fall back if things go awry.
I think these three things would avoid the threats that have been used as arguments against this kind of feature before.
Multiple approval will just mean that instead of taking weeks, plugin approval will take months. It's pretty damn slow at the minute with only one member of staff needed to approve a plugin
You should get rid of the plugin approval process altogether.
(2015-08-18, 08:42 AM)frostschutz Wrote: [ -> ]You should get rid of the plugin approval process altogether.
The mod submission system is likely to change due to 2.0 release and we are considering number of options, including a
verified flag for plugins that were audited by staff members instead of keeping them hidden until this happens - the general idea is to allow the publication of mods without unnecessary delays while maintaining a reasonable level of security precautions (e.g. unverified plugins wouldn't be promoted on index pages, rankings or the ACP).
(2015-08-18, 08:42 AM)frostschutz Wrote: [ -> ]You should get rid of the plugin approval process altogether.
(2015-08-18, 08:56 AM)Devilshakerz Wrote: [ -> ] (2015-08-18, 08:42 AM)frostschutz Wrote: [ -> ]You should get rid of the plugin approval process altogether.
The mod submission system is likely to change due to 2.0 release and we are considering number of options, including a verified flag for plugins that were audited by staff members instead of keeping them hidden until this happens - the general idea is to allow the publication of mods without unnecessary delays while maintaining a reasonable level of security precautions (e.g. unverified plugins wouldn't be promoted on index pages, rankings or the ACP).
Yep, that's the plan. I'd also like to see integration with version control (such as GitHub so that pushing a tag can create a new release on the mods site automatically).
I was stating something that would work in an ideal situation. However, our time to approve plugins has been disgustingly slow, which, I would agree, necessitates the removal of the approvals process altogether, and the replacement of it with something else.
The "something else" is already there.
Each plugin already shows a count of downloads and recommendations. It also shows the creator so you can check out the author's user profile (registration date, number of posts, etc.). It's not a guarantee for quality but it's a strong indicator nevertheless. Webmasters who download addons for their sites can use this information to decide whether or not to trust this thing or how closely to look at it before installing it.
There already is a report button for malicious/vulnerable plugins. I don't know what happens when you actually do report a plugin - if it displayed publicly that the plugin was reported, even before someone actually gets around to reading that report, it would be perfect.
I don't know how many submissions you're actually rejecting or for what reasons. I'm sure there are tons of crap plugins (even among the approved ones). But I'm hoping the outright malicious ones will be a minority and you can leave it to the webmasters to filter the good from bad stuff.
If it takes weeks to get something approved, people will simply use forum attachments or external resources instead, with no way to report, and no way to rate/recommend/...
What did you make the new mods site for, if it has the same problems as the old one? (It seems great, otherwise)
(2015-08-18, 04:13 PM)frostschutz Wrote: [ -> ]Each plugin already shows a count of downloads and recommendations. It also shows the creator so you can check out the author's user profile (registration date, number of posts, etc.). It's not a guarantee for quality but it's a strong indicator nevertheless. Webmasters who download addons for their sites can use this information to decide whether or not to trust this thing or how closely to look at it before installing it.
Recommendations come from the general public rather than developers that can properly audit the code in terms of security.
Quote:There already is a report button for malicious/vulnerable plugins. I don't know what happens when you actually do report a plugin - if it displayed publicly that the plugin was reported, even before someone actually gets around to reading that report, it would be perfect.
This should be handled behind the curtain as it could easily become a subject of abuse.
Quote:I don't know how many submissions you're actually rejecting or for what reasons. I'm sure there are tons of crap plugins (even among the approved ones). But I'm hoping the outright malicious ones will be a minority and you can leave it to the webmasters to filter the good from bad stuff.
As Josh mentioned, all our staff members are volunteers and our time is often limited, nonetheless in my perception the main cause of the approval backlog is the low code quality, including incorrect formatting and violations of the
DRY rule. Most common mistakes and vulnerabilities can be spotted somewhat easily.
Quote:If it takes weeks to get something approved, people will simply use forum attachments or external resources instead, with no way to report, and no way to rate/recommend/...
What did you make the new mods site for, if it has the same problems as the old one? (It seems great, otherwise)
We do agree that the current system is far from being perfect, especially given we submit and maintain our plugins as well
All plugins will have to be rewritten for 2.0 and it's a great opportunity to redesign our system.
As I said, we'll definitely take our capabilities and users' (and developers') experience into consideration.