Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Enhancement] Better extentions repository
#1

  1. I believe many pluggins and themes are in the need of a review and possible overhaul. Whatever can not be fixed should be moved to some kind of "obsolete archive" 
  2. Automated install of extensions just from admin panel. Without the need of downloading to your local PC and FTP to host. Something WordPress have for ages. 
  3. Possibly to include into repository premium plugin and premium themes section.
It's a win win. 
* MyBB could charge small percentage off sales and to raise some funds for development 
* Creators of premium plugins should boost their sales
* added trust factor to the end users and not to be coned by rouge websites 

Ideally every premium plugin or theme offered should have a free version as well. So buyers can familiarise, but with limited functionality.
My forum powered by MyBB https://alhimika.net/forum/
Reply
#2
(2021-02-04, 03:51 PM)Alhimika Wrote:
  1. I believe many pluggins and themes are in the need of a review and possible overhaul. Whatever can not be fixed should be moved to some kind of "obsolete archive" 
  2. Automated install of extensions just from admin panel. Without the need of downloading to your local PC and FTP to host. Something WordPress have for ages. 
  3. Possibly to include into repository premium plugin and premium themes section.
It's a win win. 
* MyBB could charge small percentage off sales and to raise some funds for development 
* Creators of premium plugins should boost their sales
* added trust factor to the end users and not to be coned by rouge websites 

Ideally every premium plugin or theme offered should have a free version as well. So buyers can familiarise, but with limited functionality.

For your first point, there is no way the MyBB team have time to review every single submission to check if it works if it is already up. If it is a new submission, it will be looked at and not just automatically approved unless it is from an approved developer which is a very small portion of the user base including me. One of the major things I did as staff was to review plugins for functionality and vulnerabilities. It takes a lot of time to do that. If they are written poorly where they are resource heavy, I would still approve them, but I would give them guidance on how to make them use less resources.

For the second point, there are multiple issues with what you are suggesting. First, it would require a lot more bandwidth for MyBB since it would have to serve a self extracting zip file that contains all files the plugin needs. This would increase the cost for MyBB which doesn't charge users for its product. How would the plugin file know which files belong to it so they could be removed during the uninstall? That would require a complete overhaul of the plugin system.

Another issue with serving a file like you are thinking about, is that you have to have a handler if the request size is too big for the environment because shared servers will likely have a lower request limit size and especially with themes, that can require a fair bit of space.

Regarding point 3, I have mixed feeling about it. The premium plugins would need to be reviewed by staff, approved developer or not. If users are going to pay for a plugin, they should be assured it is free from vulnerabilities and can work correctly in certain environments. This does indirectly mean that staff could theoretically download any plugin from this section and unless the author has some kind of licensing system, they would be able to use it without paying. I am not accusing anyone on the team of actually doing that, but I am just listing that as a side effect of what you are proposing.

For your final point, before I sell any custom plugins, I provide a personal test account to a person on my domain that has access to what the plugin needs for permissions. This protects me from the customer not paying up and having the product in hand. It also ensures they are able to use it. Plugins that I sell premium and are not custom have a generic username and password combination that have access to that plugin only.
Reply
#3
(2021-02-05, 03:18 AM)dragonexpert Wrote: If it is a new submission, it will be looked at and not just automatically approved unless it is from an approved developer

This requirement was removed some time ago as the Team didn't have enough resources to process the approval queue (similarly, the optional staff review of Builds doesn't take place).

There are some rough improvement ideas that relate to how extensions are managed (better directory structure, declaring resources in a manifest file), reviewed (code repository integration - easier code access, enforcing basic code quality rules) and allowing paid submissions in Extend (with clear distinction, filtering, and disclaimers).
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
Reply
#4
There are many open source projects that have the resources for this sort of thing, but that's largely because of corporate backing, donations, and contributions from businesses and other developers. Wordpress, for example, powers 40% of the entire internet. They don't make a dime from sales (it's totally free and open source). Rather, the massive internet industry realizes its importance and helps to fund it.

Because of that, they have resources for this sort of thing. Server bandwidth, employees who review them periodically, among other things, for example.

Unfortunately, MyBB has always simply been a much smaller project. It doesn't really have this scale of donations or corporate/business funding. It never will unless there are people who step up to fill that gap, at which point we probably would see these sorts of things. But in the meantime, it's probably more costly to implement than it would seem.

That being said, I'm sure it would be possible for someone to develop a third party plugin that installs plugins directly from the MyBB mod site (straight from the admin panel). The only downside is that you'd be relying on a third party plugin to do this, so there would be no guarantees.
Reply
#5
(2021-02-05, 12:36 PM)Devilshakerz Wrote:
(2021-02-05, 03:18 AM)dragonexpert Wrote: If it is a new submission, it will be looked at and not just automatically approved unless it is from an approved developer

This requirement was removed some time ago as the Team didn't have enough resources to process the approval queue (similarly, the optional staff review of Builds doesn't take place).

There are some rough improvement ideas that relate to how extensions are managed (better directory structure, declaring resources in a manifest file), reviewed (code repository integration - easier code access, enforcing basic code quality rules) and allowing paid submissions in Extend (with clear distinction, filtering, and disclaimers).

I guess that really surprises me to find out that submissions no longer require approval.  One thing I would like the team to take into consideration, is have approved developers look at plugin submissions to review for vulnerabilities.  At least this way a set of eyes can look at a submission.  If it is on the official site, it should definitely be safe because users trust the site.

Approved developers have proven their reputation by developing high quality extensions for MyBB.  Most things that happen in their extensions are bugs if something isn't working correctly rather than something obvious like a SQL Injection opportunity.

If there is an option to upload a zip file for a paid extension here, I would gladly consider using it.  I would accept MyBB getting a cut of extensions that would be offered in the section as a cost to reach a larger audience.  It would make my life a lot easier because I wouldn't have to develop a system that allows the download of files after payment is received.  Currently I manually have to send the file to the customer when they purchase it.
Reply
#6
Overall, I agree with your 3 points, and they have been brought on to the table before.

We appreciate your suggestions and they will be considered accordingly.

Quote:I guess that really surprises me to find out that submissions no longer require approval. One thing I would like the team to take into consideration, is have approved developers look at plugin submissions to review for vulnerabilities. At least this way a set of eyes can look at a submission. If it is on the official site, it should definitely be safe because users trust the site.

I personally review most plugins once a release thread has been been created (as I don't follow the release page of the Extend site, if any), but I agree with the reasoning for removing this requirement as at that time it was not possible to achieve as intended and it is still probably the case as of today (if implemented back).
Reply
#7
Auditing of plugins is a good thing, especially if on MyBB's official site, but it is human resource intensive. Perhaps have an option for a plugin developer request an audit. If the audit passes, display an icon in the extensions page; if the audit fails, the plugin deliver gets a gets a report of what failed and the submission doesn't show to the public.

Most plugins could be developed to use a standard layout within the ZIP to facilitate automated installation. There are a few gotchas to consider, though. It is recommended to rename your "admin" directory to lower your vulnerability. An automated installer would need to know the name of the admin directory in the ZIP and in the file system. Complicating this is a plugin for serving a mock ACP in the "admin" folder while serving the real ACP from a different folder. There would need to be a universal manifest file or extraction.php file.
Reply
#8
(2021-02-05, 09:59 PM)dragonexpert Wrote: One thing I would like the team to take into consideration, is have approved developers look at plugin submissions to review for vulnerabilities.  At least this way a set of eyes can look at a submission.
[...]
Approved developers have proven their reputation by developing high quality extensions for MyBB.  Most things that happen in their extensions are bugs if something isn't working correctly rather than something obvious like a SQL Injection opportunity.

Sounds good - Extend could allow, and list, multiple peer reviews for Project Builds.
Depending on the ratio of Reviewed Projects we could then periodically adjust (https://en.wikipedia.org/wiki/Alarm_fatigue) whether to:
  • show Build reputation warnings
  • show Project reputation warnings (Review status of any Build)
  • depend on Build or Project reputation to allow marking Builds as stable
  • require a review for new Projects (regular authors / everyone)

with a potential trust hierarchy:
  1. not Reviewed
  2. from an Approved Developer
  3. 1+ Reviews
  4. 1+ Reviews & from Approved Developer

It also looks like there should be a more prominent distinction between stable and dev Builds.

Quote:If there is an option to upload a zip file for a paid extension here, I would gladly consider using it.  I would accept MyBB getting a cut of extensions that would be offered in the section as a cost to reach a larger audience.  It would make my life a lot easier because I wouldn't have to develop a system that allows the download of files after payment is received.  Currently I manually have to send the file to the customer when they purchase it.

Having paid/private extensions on a central platform should also simplify notifications for new versions and vulnerabilities (even if hosted elsewhere), and invitations or access management, short of getting involved in payments, may be a reasonable end goal.
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)