Official Guidelines for XenForo 3rd Party Resources

Discussion in 'XenForo' started by Chris D, Jul 11, 2018.

  1. Chris D

    Chris D XenForo Developer

    708
    952
    +1,582
    We've added some clarification on XF.com about the minimum standards we expect from developers who release resources and clarified that we will take action against any resources found to be falling short of the standards expected.

    https://xenforo.com/community/threads/resource-standards-guidelines-published.150017/

    It's not the full code review that a few people are pushing towards, but it's a start, and provides a much more clear reference point for developers to understand what the expectations are.
     
    • Like Like x 8
    • Appreciation Appreciation x 5
    • Informative! Informative! x 4
    • List
  2. The Sandman

    The Sandman Administrator

    28,879
    1,822
    +5,462
    Does this represent a change in the way 3rd party resources are being handled by Team Xenforo, or is it simply a clarification (or amplification) of things that were already in place?
     
  3. Chris D

    Chris D XenForo Developer

    708
    952
    +1,582
    Just a clarification.
     
  4. Freelancer

    Freelancer Aspirant

    24
    8
    +44
    Well received. I criticized the XF team directly for the missing clarification and rules in the past and therefore I can also express my appreciation for this change. A step into the right direction.
     
  5. we_are_borg

    we_are_borg Moderator

    4,628
    807
    +1,809
    If its a clarification then this was all ready in place. But its good to see some rules out there now a customer has at least something that developers need to keep track off. Chris DChris D i only have one question, what about paid add-ons that are listed on XF but where you have no access to how are these looked at? Rules on paper are good but if their not in forced then its not worth anything.
     
  6. Chris D

    Chris D XenForo Developer

    708
    952
    +1,582
    If we needed to, we would ask an author to provide the code to us. If they refused this, they wouldn't be welcome to list their add-on(s) with us anymore.
     
    • Like Like x 7
    • Winner Winner x 1
    • List
  7. we_are_borg

    we_are_borg Moderator

    4,628
    807
    +1,809
    Thank you Chris that's real clear language.
     
    • Like Like x 1
    • Agree Agree x 1
    • List
  8. Mouth

    Mouth Enthusiast

    188
    93
    +104
    Will the same basic principles be expected of dev's that spruik their services via https://xenforo.com/community/forums/third-party-services-offers.42/ or https://xenforo.com/community/forums/custom-service-development-requests.69/ ?
    E.g. If concerns are raised with XF about the quality of work from a dev that advertises their services on XenForo.com, but doesn't actually have any resources listed in the RM, will the dev be approached and their thread/post potentially be actioned in the same way a resource(s) might?
     
  9. Chris D

    Chris D XenForo Developer

    708
    952
    +1,582
    Yes, we would, if there was evidence of it.

    What we wouldn’t want to see something which we’ve seen recently whereby someone new comes along and they’re absolutely annhilated by a welcome committee of finger pointing and accusations and demands to prove themselves.

    There’s a few members at the minute who are creating a fairly hostile environment especially towards new comers.
     
    • Like Like x 3
    • Agree Agree x 2
    • Informative! Informative! x 1
    • List
  10. we_are_borg

    we_are_borg Moderator

    4,628
    807
    +1,809
    Chris DChris D its not the code review people are asking for as you said in the first post. But has XF thought about the following, a certificate that developers can get when they submit their add-on for code review. It will cost some money to get that certificate but there are benefits like a badge on XF in XFRM a special seal etc and bragging rights. So when developers have that certificate they are in a better position then without. The only thing you’ll need to do is by making a price so you don’t lose money as company.
     
  11. Chris D

    Chris D XenForo Developer

    708
    952
    +1,582
    We've thought about lots of approaches, including something very similar to that. These guidelines aren't the end of it. It will likely evolve into something else, one day.
     
  12. The Sandman

    The Sandman Administrator

    28,879
    1,822
    +5,462
    Once bitten, twice shy.
     
  13. LeadCrow

    LeadCrow Apocalypse Admin

    6,269
    1,232
    +2,065
    And making sure these certifications are not transferable, wether to someone acquiring control of the forum account or accounts merging, and addons changing ownership have to earn back reputation from that point since the quality and safety assurance of certification would be lost.
    Otherwise, what's to stop a newbie from buying a popular addon from a certified developper and running it into the ground while its still riding its still unaffected high ratings?
     
    • Agree Agree x 3
    • Like Like x 1
    • List
  14. we_are_borg

    we_are_borg Moderator

    4,628
    807
    +1,809
    If you make something like this then the certificate is governed by lots of rules and the one that you say would make perfect sense. Also don’t for get new updates of the addon are also checked not as heavy as the first one but a diff and highlight what changed. So it would be a no no to transfer a certificate trying to do so would mean you lose certificate and you can’t apply for another one. It also means that add-on can be checked at random a full audit if you break the rules you only get one warning after that its over. Certificate rules need to be strict and uphold else its worth nothing.
     
    • Informative! Informative! x 1
    • List
  15. Tracy Perry

    Tracy Perry Opinionated asshat

    5,150
    492
    +3,548
    But before hitting someone with that stick to prevent getting beaten again, please make SURE that it's a valid target.
    Assumptions are just that.

    And there goes two of the major advantages of XF... the price of the script and the cost of the add-ons. The cost of the script will likely go up to pay for an investigation/enforcement arm and then possibly the developers themselves may incur additional expenses that will be passed on.
    I guess XF could shoulder ALL the cost and simply pass that on with a license rate hike.

    The poor admin is standing at the bottom of that hill with his back to the wall... and all the poo that flows down ends up piling up around him when it comes to costs.
     
    Last edited: Jul 23, 2018
  16. we_are_borg

    we_are_borg Moderator

    4,628
    807
    +1,809
    People in the EU have GDPR to consider i rather pay a few bucks more for add-ons that have a certificate and have been vetted then running add-ons that have not been checked. Also a certificate for your add-on is the choice of the add-on developer he/she needs to make the choice for them selfs. Also the certificate is for add-on developers because it makes no sense for official add-ons like XFMG or XFRM because they would always get the certificate. So with XF and there add-ons there would be no price increase, this is pure the add-on of external developers not working for XF. I assume that developers would want to cover the cost if they want a certificate but in the end its there choice and not the clients they have.
     
  17. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +602
    But there would be a price increase: assuming not slowing down core development, someone has to be hired to actually do that vetting. The amount of addons that come through XF pretty much makes it a full time job for a developer if done properly.

    So unless the certification is annually renewable for plugin devs, the only way to fund that time and effort is to raise the licence price.
     
  18. we_are_borg

    we_are_borg Moderator

    4,628
    807
    +1,809
    If you are vetting then the cost need to cover the expenses, but people need to understand that lot of checks can be done automated there is software out there that cost little or is open source. If you have lots of work in vetting then you can hire people. The reason why you want to increase the price of the license of XF or the renewal is that you are seeking excuses not to implement something like this. The cost of such program is for the developer of the add-on. Do you vet the developer or the add-on for example because per add-on is more expensive then by developer but renewal on developer is easier then add-on. A certificate program is something when done right would be an asset not a burden and would take months to setup. In the mean time we have rules that are clear but its up to XF to up hold those rules, we know there developers that have had issues with there add-ons. Lets see if XF will check them first and uphold the rules they have set out, if they can’t or will not do that then the rule are worthless. A certificate program is for strengthening the assets you have external developers.
     
  19. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +602
    First up, you seem to be assuming I’m against this. I have no interest either way because I don’t have a history of using third party mods on my sites.

    Secondly, yes tools exist but i think the non programmers don’t really get what that means. There are tools such as PHPCS for coding style, PHPMD for some types of validation (mostly code complexity), and then we can talk about PHPUnit, Behat, Phpspec, Peridot and all the other testing toolkits out there, while all rely on the mod authors to write comprehensive test suites. Which from experience is rarer than you’d think given that to write a proper test suite usually takes 30-50% of the dev time (source: my day job is writing addons for Moodle where Behat and PHPUnit are standard and yet plenty of plugin authors don’t bother)

    There are few tools you could write that would tell with any real reliability if something is safe. You could, easonably, test for a few things in a specific environment to make sure obvious issues aren’t raised but the scope of test automation is massively less useful than people here seem to think for the kinds of things that such vetting would need to be for.

    Honestly, the bulk of test automation isn’t for security, it’s for logical correctness of behaviour and to verify a lack of regression. Though a mod author that bothers is usually better at detecting these things as a result, but even then it’s only ever as good as the test suite itself is.
     
  20. sanction9

    sanction9 Enthusiast

    134
    28
    +88
    My 2 cents is that a lot of potential buyers might not be as eager as some of the people in this thread to pay more as long as it makes them safer. I've seen too many people on the XF forums, a lot of them students or living in third-world countries, talking about having to save up money to cover the current prices. And IPB, probably their biggest competitor now, is already cheaper if you're just comparing their forum cost, sans all the other official components. (Yes, the renewal fee is more, but it takes a couple years before you've actually saved anything by going with XF, if you're not also comparing third-party addon costs.) So while all this sounds great in theory, I can understand why the decision might be a little more difficult for the XF team.
     
Verification:
Draft saved Draft deleted
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.