October: Provide a marketplace plugin best practice guide for plugin authors

Created on 22 Nov 2019 · 12 Comments · Source: octobercms/october

Would the October admins ever consider writing a plugin best practices guide for authors?

For example, below are some annoyances I see in so many plugins in the marketplace:

  1. Setting CRON jobs to midnight, e.g.
$schedule->command('cache:clear')->daily();

There are so many plugins all trying to run cron jobs at this time; can't authors try and spread them out throughout the day to be kinder to the CPU of the web server?

  2. CRON jobs at intervals of less than 30 minutes, e.g.
$schedule->command('cache:clear')->everyMinute();

Almost all cPanels will tell users to use CRON jobs set at 30 minutes or greater due to CPU performance, but there are plugins that set up CRON jobs every 1 or 5 minutes, etc.

Anything under 30 minutes should use something like Redis in a production environment.

  3. XSS attacks, lack of escaping things, e.g.
<?= trans('acme.example') ?>

Should be:

<?= e(trans('acme.example')) ?>

  4. Cross-Site Request Forgery forms

Please add the CSRF tag to all forms; it's there for a reason!

  5. Screenshots

Provide screenshots for all plugins, so users can understand the plugin and see the features which the plugin provides.

  6. Laravel compatibility

I see plugins in the marketplace that are not even designed for Laravel 5.5 LTS, and the authors are still using deprecations in their code.

This will go from bad to worse when October gets updated to Laravel 6.0.

etc. the list goes on and on ...

(I'm sure people and admins can add to this list, but you get the idea. I see the above things in so many plugins in the marketplace; it's crazy!)

All 12 comments

Each of these notes would be best suited in the documentation where applicable. Any issues with current plugins on the marketplace have to be taken up with their authors or reported to [email protected] if the author is unresponsive / there is a serious issue.

@LukeTowers I'll have a think about how best to proceed, as I think the issue is epidemic in the marketplace! I just don't want the October marketplace to turn into the same as WordPress, with a ton of bad plugins. Most authors ignore the request as well, so that's a real issue. There are only a dozen authors I know that reply and fix their issues (big respect out to them).

By the way even your plugins are included in the above, see example:

https://github.com/LukeTowers/oc-googledomainverification-plugin/blob/6eb0dd90e97a03550b24ba8625832bee2319098b/routes.php#L6

Pluck should be value, as it was deprecated in Laravel 5.1

[edit] Would it not be a good idea for October to automate the checking process and have bots check the Laravel compatibility and basic security settings before they get uploaded to the marketplace? That way 99.99% of these basic bugs could be flagged and fixed before the plugins are distributed, and it saves me contacting authors and getting ignored in most cases!

@ayumi-cloud pluck exists in Laravel 6: https://laravel.com/docs/5.8/collections#method-pluck

@ayumi-cloud pluck was deprecated in 5.1, then lists was renamed to pluck in 5.2, so pluck does exist.

It's sad the focus is on Luke's plugin and not the issue at hand.

e.g.

Would it not be a good idea for October to automate the checking process and have bots check the Laravel compatibility and basic security settings before they get uploaded to the marketplace? That way 99.99% of these basic bugs could be flagged and fixed before the plugins are distributed, and it saves me contacting authors and getting ignored in most cases!

  • Not gonna happen.

Sorry for my lack of enthusiasm, but here are a couple of quick little stories of my experience of October's marketplace.

A few months ago I bought a plugin and straight after installing it I could see many stack trace errors. I contacted the author and the author promised to fix the issues. Two months passed and nothing happened, so I contacted the author again and sent them details of how to fix it and all the stack trace reports. A day later the plugin gets removed from the marketplace. I thought, great, steal my money and run!

Another story: I installed a plugin from the marketplace and it's not escaped at all and has many bugs. I contacted the author and 3 months passed and nothing happened; though they reply to other people's comments, they just ignore me.

I could go on and on ...

My point is that the marketplace is truly flawed and I would like to try and raise the quality of it.

I don't care about quantity, saying "wow, the marketplace has 700+ themes and plugins" (I quote the home page). I rather care about the quality of the plugins! Just read their reviews or GitHub issues on many plugins and you will see a sorry state.

I download the plugin, check the code for any bugs, contact the author, get no reply, and I end up hard forking it, fixing the bugs and adding more features. I've given up emailing [email protected]; I never got any resolution that way.

@ayumi-cloud Yep, something like a demo would be great, where it runs the plugin in a sandbox where you can test it out, and it even shows if it's broken in the current version or something, but the issue is who will host that many "websites".

@Samuell1 @LukeTowers

I was thinking more like a Travis setup: the testing program can scan the plugins (for basic security issues, bug issues and Laravel compatibility issues) and be hosted on the octobercms website or this GitHub repo website as a tool.

All new plugins and updated versions will be scanned by default.

If a plugin fails the scan it gets flagged. Flags can look like this (see part 3): https://github.com/octobercms/october/issues/4765#issue-522314062

If a plugin passes, it's available to download and install. The plugin version gets a Subresource Integrity (SRI) hash for that version number for added protection. If a hacker changes the plugin version's code, the system will know and stop any malicious code being spread through a bunch of websites using that plugin. The octobercms website only needs to store the SRI hash numbers.

This way we can install clean working plugins into our websites as they have been tested in a sandbox environment beforehand.

(This way saves me downloading a plugin, testing it, finding out it's flawed and removing it from a working website - which is not ideal).

That's my thinking anyway.

Hey @ayumi-cloud, a developer guide exists already, found here:
https://octobercms.com/help/guidelines/developer

Unfortunately, your contribution is not in a usable format where we can just copy and paste your suggestions to the guide. If you'd like us to add anything to the developer guide or quality guidelines, feel free to get in touch via email with your proposed content additions.

@daftspunk thanks for the link, I will have a read through the developer guidelines and see if we could offer anything of value.

By the way, we had a private discussion at our company today about this issue and have decided to try and add plugin checking to our October virus scanning software we are currently building. So it will automatically scan plugins for any:

  • Plugin escape issues such as non-escaped trans() or added |raw tags, etc., and flag them to the user.
  • Plugin CRON job suggestions, automatically moving overlapping schedules throughout the day and spacing them at 30 minute intervals.
  • Plugin Laravel compatibility issues, to help future proof things.
  • Any missing CSRF tag in forms, with a warning.

It already scans for security issues, so we will just update our definitions file and add some more menu features to scan the installed plugins for common issues.

We are going to look into trying to create a Sandbox environment like Sandboxie for October as well.
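As an added example that is not part of this thread or of the OctoberCMS project: a small Python checker that implements the four mechanical checks from the original post (midnight cron jobs, cron jobs under 30 minutes, unescaped trans() output, POST forms without a CSRF token) and that the scanner described in the comment above would also need. It runs over constructed sample plugin files embedded below. The scheduler method names (daily, dailyAt, everyMinute, cron, ...) are Laravel's and the helpers e(), trans() and csrf_field() are real; the rule names, thresholds and sample file contents are this example's own assumptions. It goes slightly beyond the post by also reading the minute field of cron('*/N ...') expressions.

```python
"""Static checks for the plugin pitfalls discussed in this thread (added example, not project code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str


# Laravel scheduler frequency helpers this demo recognises, with their period in minutes.
FREQUENCY_MINUTES = {
    "everyMinute": 1, "everyFiveMinutes": 5, "everyTenMinutes": 10,
    "everyFifteenMinutes": 15, "everyThirtyMinutes": 30, "hourly": 60, "daily": 1440,
}
MIN_INTERVAL = 30  # minutes; the cPanel guidance quoted in the thread

SCHEDULE_RE = re.compile(r"\$schedule->\w+\([^)]*\)((?:->\w+\([^)]*\))+)")
CHAIN_RE = re.compile(r"->(\w+)\(([^)]*)\)")
OUTPUT_RE = re.compile(r"<\?(?:=|php\s+echo)\s*(.*?)\s*;?\s*\?>", re.DOTALL)
ESCAPED_TRANS_RE = re.compile(r"\b(?:e|htmlspecialchars)\(\s*trans\(")
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.DOTALL | re.IGNORECASE)
POST_RE = re.compile(r"method\s*=\s*[\"']?post", re.IGNORECASE)
TOKEN_RE = re.compile(r"csrf_field\(|csrf_token\(|name=[\"']_token[\"']", re.IGNORECASE)


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def _cron_minute_period(expr):
    """Period in minutes implied by a cron minute field of '*' or '*/N'; None for anything else."""
    minute = expr.split()[0]
    if minute == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute)
    return int(m.group(1)) if m else None


def check_schedule(path, text):
    """Flag jobs that pile up at midnight or fire more often than MIN_INTERVAL."""
    findings = []
    for m in SCHEDULE_RE.finditer(text):
        line = _line_of(text, m.start())
        for name, arg in CHAIN_RE.findall(m.group(1)):
            arg = arg.strip().strip("'\"")
            at_midnight = name == "daily" or (name == "dailyAt" and arg == "00:00") \
                or (name == "cron" and arg.startswith("0 0 "))
            if at_midnight:
                findings.append(Finding(path, line, "cron-midnight",
                                        "runs at midnight with every other plugin; pick an off-peak minute, e.g. dailyAt('03:17')"))
            period = _cron_minute_period(arg) if name == "cron" else FREQUENCY_MINUTES.get(name)
            if period is not None and period < MIN_INTERVAL:
                findings.append(Finding(path, line, "cron-too-frequent",
                                        f"runs every {period} min; use >= {MIN_INTERVAL} min or a queue worker"))
    return findings


def check_escaping(path, text):
    """Flag <?= trans(...) ?> / <?php echo trans(...) ?> that is not wrapped in e()."""
    return [Finding(path, _line_of(text, m.start()), "xss-unescaped-trans",
                    "translated string echoed without e(); wrap it as e(trans(...))")
            for m in OUTPUT_RE.finditer(text)
            if "trans(" in m.group(1) and not ESCAPED_TRANS_RE.search(m.group(1))]


def check_csrf(path, text):
    """Flag POST forms whose body carries no CSRF token field."""
    return [Finding(path, _line_of(text, m.start()), "csrf-missing-token",
                    "POST form without csrf_field()/_token input")
            for m in FORM_RE.finditer(text)
            if POST_RE.search(m.group(1)) and not TOKEN_RE.search(m.group(2))]


def scan_all(files):
    """files: {relative path: source text}. Every check runs on every file."""
    findings = []
    for path, text in files.items():
        for check in (check_schedule, check_escaping, check_csrf):
            findings.extend(check(path, text))
    return findings


# Constructed sample plugin files for this demo (not from any real plugin).
SAMPLE_FILES = {
    "Plugin.php": (
        "$schedule->command('acme:cleanup')->daily();\n"
        "$schedule->command('acme:poll')->everyFiveMinutes();\n"
        "$schedule->command('acme:tick')->cron('*/10 * * * *');\n"
        "$schedule->command('acme:report')->dailyAt('03:17');\n"
        "$schedule->command('acme:digest')->everyThirtyMinutes();\n"
    ),
    "partials/_forms.htm": (
        "<form method=\"POST\" action=\"/contact\">\n  <input name=\"email\">\n</form>\n"
        "<form method=\"POST\" action=\"/subscribe\">\n  <?= csrf_field() ?>\n  <input name=\"email\">\n</form>\n"
        "<form method=\"GET\" action=\"/search\"><input name=\"q\"></form>\n"
    ),
    "partials/_hint.htm": (
        "<p><?= trans('acme.lang.hint') ?></p>\n"
        "<p><?= e(trans('acme.lang.hint')) ?></p>\n"
        "<p><?php echo trans('acme.lang.other'); ?></p>\n"
    ),
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.detail}")
```

The regexes deliberately err on the side of flagging: anything echoed from trans() that is not visibly wrapped in e() or htmlspecialchars() is reported, so a plugin author still has to read each finding rather than treat the output as a verdict.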

@ayumi-cloud note that @petehalverson has already built us a "sandboxing" environment for October using Docker; its primary purpose right now is for us to use when testing PRs to the core and RainLab plugins.

We've had discussions about integrating it with the marketplace to provide live demos for all marketplace products, so that is something that might happen in the future but there aren't any guarantees for it right now.

@LukeTowers interesting, thanks for the info, will check out his repo. 👍
