That plugin approval

Discussion in 'BukkitDev Information and Feedback' started by blint66, Jul 16, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    blint66

    Hi Bukkit team,

    I really like and even admire what you're doing, the way and the time you spend doing this, it's totally bright. So bright maybe that us, plugin developers, melt away in frustration born into this consideration that we all could be serious offenders to server owners.

    Couldn't there be an error in this consideration from the beginning? When I wait for 4 days waiting for a validation whereas I already had time to make a new release on my plugin's early beta, I wonder if we still are in these old early 2000's. Bukkit relies on developpers' good will. There obviously are some offenders that will steal plugins or post fork bombs, but most of us want to help promoting the Bukkit community and in a broader way, the Minecraft community.


    I don't come hands empty, PFB my suggestion:
    1. Stop blocking file uploads before approval, even projects creation
    2. Continue checking on plugin updates, but correct the problem if it's quite simple and warn the plugin developer. Not taking more time.
    3. If a developer receives too much warns, sanction him/her (disable public view, disable downloads...). Like now actually.
    4. Instead of blocking uploads, you could put a "warning" icon in front of new uploads that are not validated, and/or a green check in front of validated ones
    5. Let the community help you.
      As I said, we have a good will to promote the Minecraft open spirit. Downloaders could vote up or down plugins, statistically giving an opinion (Stackoverflow's system). Draw attention to server owners on flagging projects that are offending or invalid. Trust a plugin that has many valid releases and which caused no problems. Trust serious developers, which proved they what they're capable of. They won't want to disappoint anyone anyway.
    I know this could seem idyllic but remember: you rely on us, we also rely on you. Please think about working together.

    Best regards,
    blint


    Edit, enriching from further suggestions:
     
    knoxcorner and jthort like this.
  2. Offline

    TnT

    blint66
    Those are some great ideas. Unfortunately, BukkitDev was not programmed to work that way and the current platform is in break fix mode only. This means there will be no changes pushed to that platform for BukkitDev by Curse to accommodate those ideas.

    That said, given the rather large amount of malicious plugins we find uploaded to BukkitDev, I believe a proactive approach to plugin approvals, rather than a reactive approach still provides the best safety for our community. I do understand that waiting for your plugins or projects to be approved can be inconvenient for the developers, but the proactive approach is best for the consumers of the content created by those developers.

    Towards your 5th point, the best way to let our community help is for them to volunteer countless hours of their time every day to handling plugin and project approvals. Everyone who handles project and plugin approvals are community members helping out. We could always use more interested, dedicated individuals.
     
  3. Offline

    blint66

    TnT

    (I think) I perfectly understand the need and the motives of the current process, which are very honourable.

    However, it creates some restricted atmosphere of control and repression. I'm only mentioning we could fix the cause of the problem by changing minds. The more you'll try to control, the more "illegal" will be the offends, for example just look back in History for alcohol prohibition.

    Ok for bukkit platform changes & Curse. Anyway, if something appears that it needs to be changed (after some study), we/Curse can.

    It's an investment that can be quickly returned. There sadly are many misbehaving people, in Minecraft community. Is this the cause of such a moderation? Or couldn't it be the consequence?

    Ok I'm getting philosofical but I really want to make my point. Please talk about it as much as possible. This isn't meant to involve huge changes (including technically) but could provide so much to all of us.

    You Bukkit will be the first to take the benefits: there is so much pressure for you with project creations approvals, file uploads (which you really fully check? From deployment to network and hard disk traffic analysis?), and even forum posts!! I almost felt like in a prison while seeing my post moderated...

    Please consider this, together we could make it way better.
     
  4. Offline

    Necrodoom

    Problem is that unlike forums, where rule breaking content is simply disposed of without harm and is obvious to detect, a malicious plugin will not be noticeable for most server owners, and varies from having an OP backdoor, to viruses, containing keyloggers, ability to wipe your hard drive, and even turn your server to a part of a bot net, if you download one of these malicious plugins and run it, its already too late.
     
  5. Offline

    TnT

    The reason our policies are in place is because of the malicious files we saw in excess when projects were solely on the Bukkit Forums. BukkitDev gave us the ability to proactively check. This was not a moral stance (such as Alcohol Prohibition) but rather a response to a very real issue.

    Unfortunately, its an investment that is multiple years away from being a reality if we were to go down that path. The misbehaving people, as stated above, is the cause of the moderation. The moderation didn't cause people to misbehave.

    Forum posts are moderated for new members, or members who have returned after they left for a long time. This quickly goes away after the person becomes an active, quality contributor to our forums. Take a tour of your local prison and ask for them to put you up for the night. You might be able to get a better comparison between spam moderation on our forums and being in a prison.

    Files are fully checked for malicious code. We do not do quality assurance.

    Finally, please search these forums. You will see multiple examples of these same ideas presented in the past. It has been considered and investigated as a possibility multiple times.

    If you wish to help out, I will gladly look for your BukkitDev staff application.
     
  6. Offline

    blint66

    That's why I suggested a Bukkit check "label" with an "approved" icon. Moreover, I sadly doubt backdoors can effciently checked from closed source submitted plugins.


    I'm meaning your response actually made the issue real. Struggling against offenders is a great honour, but I think it's bad if that way everybody have to pay for it. It's a choice, it works, I'm just contesting some points from it.

    I'm not here to be right, nobody is right. I'm just attempting to bring what could have not be considered. If you don't want to consider, too bad.

    I totally could apply, and I'm a recognized Java professional. I sadly don't promote community splitting, which encourages excluded people from being excluded. This is a common social issue, perfectly replicable in our societies.

    I'd really like to help, not sure if I like the spirit around all this, maybe need my vacations starting tonight to make my idea. I'll keep you informed after some stay in my our tiny prison.
     
  7. Offline

    TnT

    Any label would require a change to the site which is not possible right now.

    Java is a wonderful thing. Anyone can decompile a jar file with the proper tools. We never trust the source. Feel free to doubt it, but its a reality.

    On the contrary, only developers really see the delays in plugin and project approvals. Consumers of those plugins benefit from the proactive approach we take. We have weighed the benefits and drawbacks, but until people stop being malicious and everyone is a model citizen every time, we will do what we can to aid in the protection of the general server admin community. Keep in mind, for every developer there are multiple server administrators. The needs of the many outweigh the needs of the few.

    I have explained why your ideas have not been implemented. Please do not do this conversation a disservice by dismissing our reasons and saying we have not considered your ideas.

    We don't split our community by proactively checking for malicious code. Everyone is checked equally, no exceptions. It looks like you've gone off on a tangent trying to compare us to some social injustice you feel is occurring.

    If you would really like to help, I look forward to seeing your application. Otherwise I think you mean "I would only like to help if BukkitDev was handled the way I suggest." Lets not dilute this conversation with empty platitudes.
     
    garbagemule, CaptainBern and lol768 like this.
  8. Offline

    blint66

    You don't get it. The more you separate people hierachically (thick separation between developers and validators), the more people "underneath" will feel excluded, that's a big part of my point. And I'm not excluding that at least first releases shouldn't have to be checked.

    So you proactively considered my ideas with the whole team? Nice, did you have to decompile them?


    It could happen that we need time to ourselves an idea, that's what I'm doing, and you should consider it. I'm sad I have to leave this fascinating debate, but I really won't be back before 10 days once I'm relaxed.

    Bye!
     
  9. Offline

    TnT

    Just like separating politicians from the public, firemen from the public, receptionists from the public, children from their parents, priests from the church members, dogs from cats. You're right, I guess I don't get your point. Separation exists in every single aspect of our society, which manages to function quite well. In a utopia where there need not be any separation of society, or specialization in skill set, your idea may work. Unfortunately we do not live in any such utopia.

    Considering every single one of your ideas has been suggested before, yes, I proactively considered them with the whole team. Can you clarify how you would decompile a team member? That sounds rather violent.

    As mentioned above, your ideas have been considered. Sounds like most of the consideration into both sides of this debate has happened on our side, since you have regularly dismissed what I have stated and have responded as such. Perhaps you need to take your own advice? Enjoy your time away considering this fascinating discussion.
     
  10. TnT I have an idea you may like or dislike it, but what if you did the normal approval and if a plugin developer has uploaded 4 plugins without them being force ops or viruses ect then make the approval instant and if they get flagged then take down there account plugin developers wouldn't make 4 plugins then ruin it by making a virus, also if a project has 5 or more files uploaded and approved do the same thing.

    As a side note if you don't like the idea of them just being approved instantly what if they were approved (without getting looked at) but also added to the list of plugins to approve but behind those with less than 4 plugins or 5 uploads.
     
  11. Offline

    Necrodoom

    bwfcwalshy all it would take is one popular plugin developer with a weak password to ruin it all.
     
  12. Offline

    TnT

    People would then look to upload 4 or 5 plugins without malicious code in them, just to get around our approvals, then upload plugins with that malicious code. We've seen it in the past where someone starts off uploading perfectly reasonable plugins then eventually uploads one with a malicious intent.

    Unfortunately we don't have any system that could accommodate that idea, wouldn't solve the scenario above, and give people a false notion that the plugin is safe for use.
     
  13. Offline

    StealthBravo

    I'd also like to make an argument against the "warning icon saying that this plugin build hasn't been approved yet" idea:

    There will always be stupid people that will say "OOOOOOOOH NEW VERSION OMG" and download it right away, not even taking into account the fact that the build isn't approved and could contain malicious code. When their server gets hacked and has a bunch of problems, the first thing they do is blame Bukkit because they allowed people to download it (even though there is a very obvious warning) before it was actually scanned and approved. This would be a real mess for the team to cleanup, and I'm sure they wouldn't want to deal with it. It would be nice but can create a mess for both sides.
     
  14. Offline

    Shevchik

    Current approval system is fine.
    If the user wants to get unapproved file he is able to do that by going to the download url directly, and it is not that hard to get the correct url.
    Also links continiuos integration servers are allowed, so user can get the latest builds from them.

    BukkitDev doesn't have any problems unlike other parts of bukkit.
     
  15. Offline

    Zettelkasten

    You could automate a lot of plugin-approving: Sending the file to virustotal and checking it, monitor network communication of the plugin to check if it sends / retrieves bad data and checking what files a plugin edits. These are things that are not to difficult to automate and combined with some other safety provisions (needing multiple "good" plugins or such) it could work.
    Maybe just more people working at approving files would fix the problem without needing to take the risk of malicious plugins.
     
  16. Offline

    _LB

    A malicious plugin is generally not going to contain a virus; it may instead contain a backdoor that gives one or more users operator status or additional permissions, which a virus checker would be just fine with.
     
  17. Offline

    Necrodoom

    _LB I dont see how a tradional virus scanner would find minecraftian backdoors.
     
  18. Offline

    _LB

    I think you misread my post because that's exactly what I was trying to say.
     
  19. Offline

    Necrodoom

    _LB Oh, i see, sorry.
     
  20. Offline

    biel

    OMG, TnT i know a community as big as Bukkit has do be handled correctly and making only a single mistake can make a mess, but let people interact with the community. I completely upvote this:

    Please re-read it and consider it. I'm really tired of it, every time i post suggestions to bukkit, a plugin or the community, there always come TnT to kick it to the moon. Also i've seen it happens everytime. Thats 99% of the suggestion threads:
    :) People: My suggestion is... (+ some kind and deatiled stuff)
    [tnt] TnT: NO! Never!
    :eek: People: Can you reconsider?
    [tnt] TnT: NO! Shut up, thread closed, problem solved, next!
    How can we MOVE FORWARD then?
     
  21. Offline

    Lolmewn

    biel You forgot the part where he explains in detail WHY the suggestion doesn't work. I suggest you read that again, since I'm pretty sure it explains everything that needs explaining. TnT is nice like that ;)
     
  22. Offline

    Bobcat00

    suggestion.gif
     
  23. Offline

    Necrodoom

    Yes, because instead we should accept every suggestion without thinking if its a good idea to add it.
    If people voice their opinion against the suggestion, its fine, but if TnT does so, its suddenly bad?
     
    _LB likes this.
  24. Offline

    Bobcat00

    Now who said that? Show me someone who did. I dare you. Go ahead. Show me.
     
  25. Offline

    Necrodoom

    Bobcat00 As you can see in this very thread, there has been quite a lot of counter-arguments against the suggestion. However, instead of you explaining why you think this is a good suggestion, you just copy-paste a comic and suggest the point that TnT ignores the suggestion, despite the thread it self being evidence to the contrary.

    So yes, if you claim that an idea is good, but yet cannot explain why the counter-arguments are wrong, you are suggesting we should accept this suggestion without thinking if its a good idea to add it.

    Note im not talking about blint66 here, but you and biel.
     
  26. Offline

    Bobcat00

    I never claimed this idea was good. But you claimed that someone said suggestions should be accepted "without thinking". So who said that? Hint: NOBODY. So stop trying to shoot down peoples' ideas by claiming they said something they didnt say.
     
  27. Offline

    Necrodoom

    Bobcat00 Explain to me whats the purpose of your comic then. What point does it has?
    If you think that the suggestion isnt good, and that you dont think it should be added, then why are you then complaining though the comic that TnT didnt consider the idea?
     
  28. Offline

    _LB

    The implications of your comic conflict with this request. Even if you were trying to just take something a random person said and add a funny comic to it, it sure seemed like you were taking it out on TnT.
     
  29. Offline

    fromgate

    TnT

    What the reason of increased approval time period? Is bukkit-team members number decreased (or they in vacations, etc.) or number of plugins are totally increased?
    I remember first time approval period was about hour or two, now I'm waiting for four days (and it only to project approval - I think there will be additional waiting period for file...)
     
  30. Offline

    StealthBravo

    Please take note at how I, DBO Staff, and other regular users are kicking it to the moon as well. TnT isn't the only one who doesn't think it's a good idea.
    Maybe if people actually offered some intelligent and well thought out suggestions, this wouldn't be an issue.

    Keep the community the same it has been for the past 3 years. It's obviously working, as you can see by the extensive userbase and amount of posts here.
     
    ZeusAllMighty11 and Pizza371 like this.
Thread Status:
Not open for further replies.

Share This Page