NOC, certified modules ... and development pledges


  • While I realize that the changeover to .8 is responsible for a bit of the problem, many in the forums seem to have trouble finding and getting support for modules.

    I'd suggest having the NOC show more prominently on the Postnuke website - so many modules there that aren't found as easily in the forum or the wild web.

    Also, there should be a Postnuke Certification for modules with some criteria:

    1. API compliant
    2. Templated
    3. Reviewed for security (ie, the basics)
    4. Made available in the NOC by the developer
    5. ?
    6. .8 enhanced module (.8 cert only) - ie, OO and class abstraction.

    These postnuke certified modules would be community developed, yet have some official status as fully-compliant with postnuke.

    The certification could even be per Postnuke version - ie, .764 certified, .8 certified, etc.

    This would clear up a LOT of confusion about what modules work with what versions, and point newbies to modules that will work well and have fewer support issues than many of the aging and mini-mods that are released without much support.

    Perhaps also, an incentive / pledge program could be implemented in the NOC for a developer to assess the community's interest in different features. Users could pledge time / money / interest in certain features. I think it would help drive up the quality and quantity of modules if Postnuke facilitated community pledges to module developers.

    I've paid for and plan to pay for many enhancements to module projects directly to developers, and would love to do more if I didn't have to take all the time / $ to do it one-on-one.

    For example, if I had a feature I'd love to see, I would add it as a request, add my pledge in time / money / other to assist with the project, and then if others had a similar interest it would soon be completed as the pledge incentive increased.

    If a developer does not respond, and the pledge incentive appeals to another developer, they can ask to have the project moved to them.

    The community would drive the development, thus providing for their needs, while the developers have an incentive that a single user could not provide alone (monetarily or otherwise), but en masse with many users, can offer what the code is worth to the community.

    Of course, the developer could demonstrate the new functionality on a test site, and then ask for the pledges to be submitted, or offer it as a paid module at the cost of some fraction of the pledge average.

    Of course, what to do about deadbeats - those who would pledge, developer puts in the time, and then they never fulfill their pledge. Make it non-anonymous and real world identities? Credit card info so that you have to pledge $1-$5 held in escrow by Postnuke foundation? Any ideas on how to implement this?

    Hmm....

    Would be helpful to assess community needs, but implementation would take some thought.

    Any suggestions? I think the ideas have merit - yet implementation should be worked out.

    NCM
    UHEweb
  • uheweb

    While I realize that the changeover to .8 is responsible for a bit of the problem, many in the forums seem to have trouble finding and getting support for modules.

    I'd suggest having the NOC show more prominently on the Postnuke website - so many modules there that aren't found as easily in the forum or the wild web.


    Yes, a more prominent link would definitely be a good addition so that people could at least find the NOC easily. On the other hand, the NOC has turned out to be info-overkill for quite a few people who I've directed there and overall an overwhelming experience. And the NOC has a major issue: many projects are set up under "Some Dev Name", which hinders Trove categorization. On that note, though, the Trove list is loaded with many categories that are of no consequence to PostNuke. If this were cleaned up, I believe it would be more intuitive.

    Quote

    Also, there should be a Postnuke Certification for modules with some criteria:
    1. API compliant
    2. Templated
    3. Reviewed for security (ie, the basics)
    4. Made available in the NOC by the developer
    5. ?
    6. .8 enhanced module (.8 cert only) - ie, OO and class abstraction.


    Though I'm not doing much PN'ing these days, I like the idea of certification too. It seems that it would be quite a job to review titles for (ie) security and compliance... and too, it would take a non-newbie-level developer to make such inspections ... would you have any ideas on how to compensate such a person...or how to qualify such a person? I guess it would rely on volunteers?

    In my ever-commercial-oriented opinion, :) ... official certification could be a valuable source of (perhaps even recurring) income for the Foundation, provided that it was carefully managed, and most importantly, respected by both developers and the community alike.

    Quote

    These postnuke certified modules would be community developed, yet have some official status as fully-compliant with postnuke. The certification could even be per Postnuke version - ie, .764 certified, .8 certified, etc.


    I would like to also see certification extended to modules that are non community developed...and per-version would be ideal. I've released some mini-mods, as you mentioned, but have provided full support for them as well; I wouldn't want to be excluded from certification simply for developing in-house! :)

    Quote

    This would clear up a LOT of confusion about what modules work with what versions, and point newbies to modules that will work well and have fewer support issues than many of the aging and mini-mods that are released without much support.


    The new Extensions area has versioning information onboard, as well as the ability to search the database by core version ... Also, the addition of dependency data (via pnversion.php) seems to squash any remaining compatibility issues?

  • I do like the idea about a pledge system. I think the Wine project used to have something like that to get various programs working faster. I looked a few days ago when I read this thread but couldn't find the system so they may have abandoned it.

    One way to work it out could be for the PNSF to act as an Escrow service and take a % off the top. So a little could go to the foundation plus some interest from holding the money in escrow. This may help some of those projects where there are plenty of people willing to throw money into the ring but developers might be afraid people will back out once the module is complete and released.

    I don't know how viable of an idea it is but nonetheless it's a good idea. If it could be implemented and gain some traction it could be a good thing for PN.
  • Alar,

    Thanks for the comments.

    As for certification, a paid certification process would probably work. IE, a developer pays to have their module certified, thus lending credibility for those willing to purchase commercial modules.

    Non-commercial modules perhaps could have a certification fund - for users to donate to if they'd like to have the code reviewed. Thus, community demand drives it.

    As for non-community developed - are you meaning if developed in-house and not released? Yet still certified (ie, as a code review perhaps for internal business certification)? That would be a good service, too - but would probably be a higher certification cost as the code is not helping to build the community directly. Indirectly, though, it would increase the professionalism of Postnuke, widen the user base (via users that would like to see some level of security in modules reviewed), etc., and put money in the foundation's hand while helping users be sure their code is up to snuff.

    Dependency checks will help in this regard, but only after a user has downloaded and attempted to install. Up-front indicators of compatibility would be great - even just a dump of the dependency variables for review. A developer should offer this as this feature gains more traction.

    NCM
    UHEweb
  • uheweb

    As for certification, a paid certification process would probably work. IE, a developer pays to have their module certified, thus lending credibility for those willing to purchase commercial modules.


    Precisely.

    Quote

    As for non-community developed - are you meaning if developed in-house and not released?


    I'm referring to code that is developed in-house, but publicly released.

    Quote

    ...code review perhaps for internal business certification...would be a good service, too - but would probably be a higher certification cost as the code is not helping to build the community directly. Indirectly, though, it would increase the professionalism of Postnuke, widen the user base (via users that would like to see some level of security in modules reviewed), etc., and put money in the foundation's hand while helping users be sure their code is up to snuff.


    A premium offering perhaps.

    Quote

    Dependency checks will help in this regard, but only after a user has downloaded and attempted to install. Up-front indicators of compatibility would be great - even just a dump of the dependency variables for review. A developer should offer this as this feature gains more traction.


    I see your point.

    :)
  • Certification is an interesting thing ... who should be allowed to do the certification and who should certify the certifiers? The core-devs? Forget it, they already have their hands full.

    If you want certification then why not start doing it yourself? Nothing's right or wrong in this kind of business! Put up your own company and make your own PostNuke certifying policies and go ahead - certify people and modules. "You" (whoever that is), AlarConcepts, or anyone else, might probably be as good as anyone to do certification.

    If you think certification is good business, well, please go ahead - and I'm not stating this as a joke. I mean it.

    If one company starts doing this then others will probably follow (if it turns out to be a good idea). Then, for some period, we will have trouble deciding which certification to go for. But sooner or later one or the other gets the best public image and wins - or these companies go together to create a certifying authority of some kind.

    That's what happened to the outdoor sports - climbing, sea kayaking, diving etc. It all starts with an initiative somewhere - and not necessarily among the core devs in this case, more probably the opposite.

    PostNuke is open source, so why should certification not be?

    Just some thoughts from a Wednesday morning :)
  • JørnWildt

    Certification is an interesting thing ... who should be allowed to do the certification and who should certify the certifiers? The core-devs? Forget it, they already have their hands full.


    That's understandable. I wouldn't want to put any more tasks on the backs of core-devs...they've got more than enough to contend with.

    Quote

    If you want certification then why not start doing it yourself? Nothing's right or wrong in this kind of business! Put up your own company and make your own PostNuke certifying policies and go ahead - certify people and modules. "You" (whoever that is), AlarConcepts, or anyone else, might probably be as good as anyone to do certification.


    I suppose it just boils down to finding the time to think it through and make it happen, success or not. I like your attitude on it ("nothins right or wrong...")

    Quote

    If you think certification is good business...


    It seems that the time it would take to properly inspect a work for compliance,
    security, etc. might make it cost ineffective when laid out on a pricing scale.
    I wonder if there are any ideas out there in this regard? ie, any tips on how to price it both
    affordably and respectedly.

    Quote

    If one company starts doing this then others will probably follow (if it turns out to be a good idea)...


    You know you have something when clone-sites start popping up...!

    Quote

    PostNuke is open source, so why should certification not be?


    Sometimes, things are so obvious that they go un-noticed.

    Quote

    Just some thoughts from a Wednesday morning :)


    Thanks for adding your thoughts on this.

  • Jorn,

    Thanks for the thoughts -

    My original intention was to start a discussion on how to re-enliven module development. Certification is interesting. If Postnuke is becoming a framework only, then its security weak point comes in the modules. Organizations that will be using the postnuke framework might have an interest in seeing certified modules as a way to ensure some level of security and code-reviewed modules.

    Who does it? While the core-devs are busy...shouldn't something like this be driven by the Postnuke Foundation? And any certification criteria set by a steering group? ie, bullet list of "important" coding/security considerations such as always using pnprepforhtml, pnprepforstore, etc.

    As for the time, if the Postnuke foundation didn't want to take on the time (and paid time) it would take, if the criteria were set by them then others could check off and verify as a third-party - perhaps sharing revenue with the foundation. Providing a revenue stream would be nice, yes? :) This way, a developer OR users could have a 3rd party verify and certify modules. Perhaps the core team just maintains a list of certifiers and modules that have been certified and happily accepts any share of payment that might come their way.

    Do I want certification? Personally, I don't need it. I know what module devs to trust, and can dig into the code enough to fix problems and verify the code is doing what it should in a secure manner. My thoughts were merely on how to elevate Postnuke modules to a level where businesses and organizations that need some sort of quality control could adopt postnuke and certified modules and be confident in their ability to work together. More adoption means more interest in postnuke, and more interest in postnuke lends to more module creation and community involvement.

    Also, new users often start downloading ancient, poorly maintained code that then leads to dissatisfaction with postnuke. Why should postnuke's reputation rely on module code that was written 5 years ago, with no support and little or no compatibility going forward? They are "Postnuke modules" (circa .72!) but a certification would help weed out the less maintained modules and direct users to modules that will provide satisfaction and an allegiance to postnuke.

    Is it something that SHOULD be done? I don't know. But, it was a brainstorm to try and identify what can be done to enhance interest in developing for and using postnuke modules that leads to satisfaction with the system, rather than semi-broken sites that are hobbled together using out-dated modules.

    NCM
    UHEweb
  • There are many great ideas in this thread. And I would like to see at least some of them implemented. But as nobody in the current team is bored it will only be done if you not only make suggestions but also organize their implementation. If you want a certification process find people who are willing and able to be certifiers. The team will certainly support everything you do. But don't expect man power - as there is currently none available.

    A first step towards certification would be a list of "suggested modules" - i.e. modules that many people use: Pagesetter, pnForum, Formicula - to name only a few. You can put together a list like that in the Wiki for a start. There you could start a page for each of these modules and enter a short description, give the download link and some demo links.

    And if you find people who are able to check for security and so on, you can start the second step.

    UHEweb, Postnuke needs your help. And these are things for which you don't have to be a good coder - only an interested user.

    --
    best regards from Kiel, sailing city

    Steffen Voss

    Member of the Zikula Steering Committee
    Read The Zikulan's Blog "If you want people to RTFM, make a better FM!"
  • Maybe I just will! :)

    Actually had plans to get more involved. Would love to help hasten .8 as .764 modules are DRUDGE work compared to using the OO aspect of .8!

    NCM
    UHEweb
  • alarconcepts

    Quote

    If you think certification is good business...


    It seems that the time it would take to properly inspect a work for compliance,
    security, etc. might make it cost ineffective when laid out on a pricing scale.
    I wonder if there are any ideas out there in this regard? ie, any tips on how to price it both
    affordable and respectedly.


    Here's what's popping into my head as I read this thread, I could probably offer to certify certain aspects of a PostNuke compliant module but not others. For instance I could certify and make helpful suggestions and/or fix modules regarding pnAPI compliance, proper methods of defining API vs. display functions, correct return values, ADODB usage, Smarty usage etc. But ask me to ensure it's secure? Not confident enough.

    So maybe break down the services available into 'packages' or levels. Level 1 cert. can be pnAPI compliant, level 2 adds ADODB usage, level 3 for pnRendered output etc. Or even classes of certs. so that a module can have an API cert. and a pnRender cert. but not an ADODB cert. That way a few different price points can be achieved helping to generate a more immediate and diverse revenue stream.

    And then there's the potential certification of themes to be considered. Doctype compatibility, CSS, accessibility, UA specific compatibility, etc.

    This would of course rely on PostNuke's secondary circle being able to agree on some sort of standardisation of certification regarding modules, themes, blocks (which are really just becoming utility modules), and plugins.

    And one aspect of module writing that is totally beyond me is certifying that the license is appropriate. I'm sure that in the case where it is critically important (such as pn8 business/corporate specific 'releases' where many modules/themes/plugins will be implemented in packages) the module devs, package creators, and implementers may be interested in a 'premium service'.

    I think there's a lot of room to play with here and it's one of those things that will hash itself out... but... standardisation is needed for anything like this to become viable.

    --
    Under Construction!
  • Cert levels sound good. Or maybe just a Cert that gives a grade for each category. Then, users could search via the cert categories to find modules that meet whatever criteria they need - security, templated, API compliant, .8 OO code, etc.

    NCM
    UHEWEb
  • As I found out: with a little bugfixing in PN's internal caching structure it's easily possible to see if a module installs and deinstalls without a flaw.
    The tests can be generated from the command line and can be executed by anybody ... a simple works or works not thingie.
    Actually I am coding on a ~20k lines module that needs to be installed on win and linux and mysql 5 and 4. That is what I use it for.

    My idea: Automated script to see if a module installs and deinstalls
  • This certification idea had been tumbling around in my head for some time now. I like the concept of an Open Source Certification Process. So here's my suggestion for what a PostNuke certificate is - the proposal contains not only requirements for the modules but also for the certification process (at the bottom).

    Here we go - let the fun begin :)

    PostNuke .8 Certification
    -------------------------

    Requirements
    * Module must specify required PostNuke version
    * Module must specify required PHP addons
    * Module must specify other required PostNuke modules on which it depends
    * Module should specify required PHP version
    * Module should specify database requirement if different than that for PostNuke

    Installation and upgrade
    * Module must install via PostNuke's module installer
    * Module must uninstall via PostNuke's module installer
    * Module should upgrade via PostNuke's module installer

    pnAPI compliancy
    * Module must be coded for PostNuke's API standard (*)
    * Module should support searching through PostNuke's search API
    * Module should support hooks

    Templating
    * Module must be templateable through the use of pnRender
    * Module should depend on PostNuke's CSS loader if CSS is used

    Language
    * Module must use PostNuke's standard way of translating module output into other languages

    HTML
    * Module should use Cascading Style Sheets for styling
    * Module should specify relevant HTML standards it complies to
    * Module should specify relevant accessibility standards it complies to

    Documentation
    * Module must state distribution license
    * Module should include a readme file
    * Module should include a changelog file
    * Documentation should include installation instructions
    * Documentation should state where support can be found
    * Documentation should state the official download location
    * Documentation should include a link to an eventual module certificate for it
    * Module author may supply a demo site

    Security
    * Module should be reviewed for Cross Site Scripting and SQL injection bugs

    Certification
    * A module must state name and version of the module covered by the certificate
    * Certificate must state who made the certificate
    * There is no official certification authority. Anyone can certify a module according to the above criteria - even the module author himself.
    * A certificate must state which of all the above criteria are met
    * A certificate should be published on a specific internet URL such that the module author can refer to it in the documentation.
    * The owner of the website where the certificate is published is responsible for the correctness of the certificate

    (*) How do you say the module must use the normal pnuser/pnuserapi/pnadmin/pnadminapi setup?
  • If it is possible to gain some consensus then I suggest we put this in the Wiki when it's ready. No matter how it ends it should still be a handy list for module developers.
