Support forums : The Future

3rd party plugins and templates

The future of this project but not in a "I want a pony" sort of way. This is all about everything meta about Quam Plures. The general direction, the support tools, stuff like that.

Moderator: Dracones

3rd party plugins and templates

Postby EdB » Sun Sep 18, 2011 4:50 pm

Based on a bit of discussion in a branch merge, I wonder if we can figure out a smart way to apply some sort of "seal of approval" to 3rd party plugins and templates. I'm thinking of the checksum hash stuff I see here and there next to download buttons even though I'm pretty sure that's a different thing.

What I'm really thinking of is a way to help a user know that what we're saying is available elsewhere really is what we're pointing at. For example domain.tld/plugins wants us to put 3 plugins on our plugins page, but intends to keep the zip files to keep the resultant traffic. No problem right? We look at them and all 3 are good. Heck maybe even great but for now let's say nothing in them raises any red flags, so we do a blog post pointing to their works.

How does our visitor know that what they are getting is actually what we looked at? byte size of the zip is what comes to mind, and maybe a byte size for any php files in the zip?

Heck maybe it doesn't matter. Maybe it isn't our problem. Maybe I should have a cup of coffee then dig up my drip system because it's been watering the underground dirt and that probably isn't gonna grow.

Maybe Yabs would have come up with a really cool way for our blog to visit their blog and check the byte size and date stamp of their product and simply deprecate our item if the 3rd party changed anything. hm!
EdB
Dracone
User avatar
 
Posts: 2072
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona

Re: 3rd party plugins and templates

Postby Tblue » Sun Sep 18, 2011 5:09 pm

One could use the hash of the zip file and include that on our pages. Some (actually, very few :|) users will then check the hash of the downloaded file against our site. If the two values match, it means that they downloaded the file we approved.

More info:


Actually, SHA1 is a stronger and genereally more secure hash than MD5. E. g., the SHA1 hash for apple-touch-icon.png in current trunk is:

Code: Select all
8d06b3fcc47ee998eb4ef555333a29fc67be8636
Tblue
Dracone
 
Posts: 340
Joined: Sat Nov 21, 2009 1:35 pm
Location: Berlin, Germany

Re: 3rd party plugins and templates

Postby EdB » Sun Sep 18, 2011 5:22 pm

Yeah same general idea: a way to know "the thing I get is the thing they said I'd get", but yeah most folk ain't gonna bother with anything technical. Heck most folk wouldn't bother checking byte sizes either. Just thinking out loud is all.

I do like the idea of a plugin that contacts the 3rd party site and checks (checksum, byte size, date stamp - whatever) and deprecates the post in the event of a mismatch. That would also mean it would deprecate if the 3rd party went away or whatever. Maybe run it on a cronjob once a day, or keep a table that asks for a check if the exact item hasn't been checked in X number of hours? Not that I know how to write such a thing...
EdB
Dracone
User avatar
 
Posts: 2072
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona

Re: 3rd party plugins and templates

Postby Tblue » Sun Sep 18, 2011 5:44 pm

Checking the hash etc. of a plugin using a cronjob would certainly be possible, hm... However, it would also consume a lot of traffic if there are many plugins to check.
Tblue
Dracone
 
Posts: 340
Joined: Sat Nov 21, 2009 1:35 pm
Location: Berlin, Germany

Re: 3rd party plugins and templates

Postby Kimberly » Sun Sep 18, 2011 8:12 pm

This is certainly something that needs to be considered. If we gave a seal of approval on a third party plugin and later that plugin was changed to included some security issues, or do to some not so nice stuff, then people are going to come back and blame us. And then they will ditch QP and possibly say mean things about us and QP.
Kimberly
Dracone
User avatar
 
Posts: 842
Joined: Mon Jul 19, 2010 4:44 pm

Re: 3rd party plugins and templates

Postby Tblue » Sun Sep 18, 2011 8:19 pm

Alternatively we could just require plugins to be stored on our servers like e. g. Mozilla does it. Authors would submit new version of their plugins for approval and users would download them from us.
Tblue
Dracone
 
Posts: 340
Joined: Sat Nov 21, 2009 1:35 pm
Location: Berlin, Germany

Re: 3rd party plugins and templates

Postby Kimberly » Sun Sep 18, 2011 9:03 pm

Tblue wrote:Alternatively we could just require plugins to be stored on our servers like e. g. Mozilla does it. Authors would submit new version of their plugins for approval and users would download them from us.


That sounds like a good approach. Third party plugins on our server are the ones that have our approval; at least as far as any issues with the plugin such as security. If someone goes to a site with third party plugins then it is buyer beware and we are not responsible for any harm that a third party plugin off of the QP site does.
Kimberly
Dracone
User avatar
 
Posts: 842
Joined: Mon Jul 19, 2010 4:44 pm

Re: 3rd party plugins and templates

Postby EdB » Sun Sep 18, 2011 9:14 pm

Tblue wrote:Alternatively we could just require plugins to be stored on our servers like e. g. Mozilla does it. Authors would submit new version of their plugins for approval and users would download them from us.

Personally you'd never see plugins from me if that was the rule. I'd still do plugins, but I just wouldn't bother telling QP I have them. I'm a control freak is the thing, but for sure I want the traffic. I want the feedback and discussion in one tidy little place, and I want that place to be where I benefit from the increased traffic.

Anyway that's what I thought of when I thought of this. I'd rather we as QP be totally open about where the plugin lies, but saying "go get this" is a bit of a seal of approval eh? Heck we could even spell out what listing with us requires and means so it really is a "seal of approval", but then we would even more want to know that it isn't changing.

Tblue do you really think the traffic hit would be that high? What I'm thinking is like this. To get a download link for a 3rd party requires clicking through to permalink. We then check (only once in 24 hours) that the bytes and date and checksum match what we think. Kinda like a little feed read only it scans a directory and looks for a file name to get the smart bits.

@Lee perhaps one day when things get not busy we can work on this? We build a plugin together that we test by hitting each other's path. The less we expect of each other the better, and we can monitor for traffic and so forth.
EdB
Dracone
User avatar
 
Posts: 2072
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona

Re: 3rd party plugins and templates

Postby Tblue » Sun Sep 18, 2011 9:24 pm

EdB wrote:Tblue do you really think the traffic hit would be that high? What I'm thinking is like this. To get a download link for a 3rd party requires clicking through to permalink. We then check (only once in 24 hours) that the bytes and date and checksum match what we think. Kinda like a little feed read only it scans a directory and looks for a file name to get the smart bits.


So you mean we should only trigger the check on demand? Hmm. Well, we could do that, I think -- still, IF we have many plugins someday, the checks WILL certainly show up in our traffic statistics. On the other hand, plugins are usually not that big in terms of file size... Hm, anyway, we could give it a try. :)
Tblue
Dracone
 
Posts: 340
Joined: Sat Nov 21, 2009 1:35 pm
Location: Berlin, Germany

Re: 3rd party plugins and templates

Postby Kimberly » Sun Sep 18, 2011 10:46 pm

Traffic means bandwidth and bandwidth means money; someone does have to pay for it. So we do need to make sure we are not doing something that eats too much bandwidth from someone else, namely the kind person(s) who is hosting for us.

We could do this, we could not approve any third party app at all. Why take on the responsibility? Just let people know we are not responsible for any third-party plugins at other sites. We could allow people to list their plugin repository on QP.

Seems we are again going in circles with this :D . I can understand wanting traffic to one's site. So listing links will do that. However, we don't have to approve anyone else's plugins.
Kimberly
Dracone
User avatar
 
Posts: 842
Joined: Mon Jul 19, 2010 4:44 pm

Next

Return to The Future

Who is online

Users browsing this forum: No registered users and 2 guests

cron