Download links are dead

[maia]

Come on - I say now. Have you ever heard of stable versions ? When a version becomes stable is up to the developer to work upon a new version, you can't impose that. Joomla Downloader is a perfect example: It works, period. Right now it's considered a dead project. Stable=dead  Not listed, game over. How about that ?

Developer don't care about it anymore ? That's up to him, I DO CARE and i wanted to use it ! See the problem ? Developers fault by some "standards" but it's the end user who suffers.

[AmyStephen]

Vizion2000 -
What are you waiting for?  No one is stopping you from building this site you are talking about where extensions are always available. Build it. Mirror it. Ensure it's always available for the community. But, quit wasting your time and everyone else's criticizing the very people who have done these things for us.

Do you do more than dance? Maia - perhaps you might help Vizion get his site rolling, too!

Come on, David! Let's see what you got! 
Amy

[MMMedia]

Come on - I say now. Have you ever heard of stable versions ? When a version becomes stable is up to the developer to work upon a new version, you can't impose that. Joomla Downloader is a perfect example: It works, period. Right now it's considered a dead project. Stable=dead  Not listed, game over. How about that ?

Developer don't care about it anymore ? That's up to him, I DO CARE and i wanted to use it ! See the problem ? Developers fault by some "standards" but it's the end user who suffers.

What do you mean by some "standards". There is no "standard" about it.  Developers are responsible for their work.  People that like their stuff are responsible to purchase or download it before it vanishes, or stops being available, or what ever happens sometimes.

PS:
The developer of Joomla Downloader Martin Porcheron and his site is : http://mpwebwizard.com/  found by searching on google. 

[LorenzoG]

Security is a major issue here.

We get regularly reports from members about different issues regarding extensions and we need to have a developer to contact. If we get, for example, reports that an extension is vulnerable, then the developer get notified and then they are able to fix it. Many times an upgraded version is out very fast. With abandoned projects, it's impossible.

I don't know if you remember what happened last year? Many sites got hacked because of vulnerable components and many of them, were abandoned and obsolete components. The ones that were maintainted, could be fixed.

One other criteria for to be listed, is that the extension works with the latest stable Joomla! version. I'm aware of another projects addon resource, which isn't active maintained. There you can find a lot of older components that don't work and are vulnerable. People get irritated and spend a lot of time because they don't work and if they have bad luck, their site get hacked. 

[mpettitt]

If the forge/joomlacode didn't exist, developers would have to host their own extensions. This isn't a problem where the developer remains interested in improving or updating their extensions, but if they stop, for whatever reason, the extension will eventually vanish when they use the server space for something else, or the domain expires, or whatever else.
If you rely on an extension, even a popular, regularly updated one, you should keep a copy of it locally, so even if it vanishes elsewhere, you can still use it. Of course, it might have vanished because it was full of security problems, or because a feature it used from the Joomla core has been removed or changed, but that isn't the problem of the developer, unless you've paid for support contracts covering this.

Why is moving from the forge to joomlacode any different? Alert developers will have migrated easily, and anyone who uses something that hasn't migrated should have their own copy. There are even alternative extension listings around, which keep copies available - can't say I approve of this, as they aren't always the most up-to-date versions (from looking at my own extensions on them, they seem to lag by anything from a week to several months behind the JED listings, which I keep up to date).

[Tonie]

On the topic of communication. Developers received three emails in the spam of six weeks before the migration started. The first email went out at march 18, that gave them six weeks to reply to anything we sent them. After the migration, the JED listed received a few more. There have been dev blogs on http://dev.joomla.org. All translation coordiator partners have been separately notified. If somebody can't reply to any of those, well.... There are still developers coming forward to migrate, which is no problem at all and done within five minutes now. The number of extensions that was not available any more, is still going down each day.

If Forge was behaving correctly, and we planned a migration to Joomlacode with two healty systems, the migration would be finished in two months (with 2 months of planning). With Forge being unavailable for 8-10 hours per day in it's waning days, we had to move as fast as possible. This meant using two development systems Forge/Joomlacode at the same time. This also made migrating that much harder, so it will rather be four months of migrating time and 3 months of preparing. Having both available at the same time for an extended period (say eight months), would have cost us a really large chunk of money (Forge wasn't cheap this year), something we didn't have available.

We all have to work together. Together means that there are two parties communicating with each other. The Joomla project has to work with the community, as the community has to work with the project. The project can't do it all, and should not be responsible for all. In the case of Forge/Joomlacode/JED, this is no different. In exchange of being listed on JED, having a place for developers so they don't have to pay for the bandwidth of their downloads and a professional development surroundings, all we ask is a little accountability. If we send you an email, you have to be able to reply.

Security vs availability. MamboXchange had availability above security. We all saw where that went last summer as hackers systematically downloaded all extensions, found hacks, and started using their botpark to scan for insecure websites. If you check your Apache log, I'm sure that a lot of the automate attacks from that period can still be found. For any piece of software, arguably even more on web software, security is the start, beginning and the end of creating software. Extensions that have security problems, reflects badly on the software Joomla! and all other extensions around. To do any form of security, you need accountability. If we do a poll among developers what we should do with extensions which have been abandoned, I know what the outcome of that will be.

[vizion2000]

The implied promise of security is a red herring and a very dangerous route for JED to go.

In effect the comments made by JED can be seen as an implied warranty for which JED could become legally liable. I do not believe, for one moment, that JED would conciously intend to go down that route but that is where justification for their action on the grounds improved security is taking them. Watch out for future lawsuits . If that happens then we have problems.

Security is the web site owners responsibility any implied warranty is dangerous for operator, extension developer and JED. So lets kick this smelly red herring into touch 

It seems to me that the total community of CMS users needs it own non-profit web site for hosting extensions. 
The reasons for this are:

1. Policy can be driven by user need rather than any other consideration.

2. If their is another bust up in the Joomla team then the community does not find itself dependent upon JED controlled resources for access to extensions.

3. The policy for extension hosting can be independnent of JED priorities.

4. Arrangements for commercial extensions hosting can be established in the interests of users rather than JED.

5. Such a site could host extension ports so that extensions can be ported to other CMS. I see this as an essential long term reral security need for those of us who use a CMS. We need the security of an independent resource rather than being hog-tied to a single CMS brand. [Especially when the administrators of JED have shown themselves to have handled this issue so badly].

6. An effective site could concentrate on delivering:
(a) Maximum convenience and availability for users.
(b) Maintaining of a system of independent community driven extension bug reporting and beta testing facilities.
(c) Maintaining a mirrored extension hosting system. An open mirroring policy is essential to ensure the security the community needs for guaranteeing continuity of availability into the future. It would also protect the community from any movement towards extensions access pricing policies in the future.

7. What I am saying is that the community needs, in its own long term interests, to regard the collection of extensions as a community asset, managed by the community and in the interests of the community.

No more risks like the last mambo/joomla bust up scenario!!

my two pennorth

[Tonie]

1. We don't imply all software on JED is secure is secure. The only thing we do regarding security is to take extensions offline from JED as soon as there is a known security issue with it. The extensions can be published again when the issues are fixed.

2-7. Good luck.

[vizion2000]

Security vs availability. MamboXchange had availability above security. We all saw where that went last summer as hackers systematically downloaded all extensions, found hacks, and started using their botpark to scan for insecure websites. If you check your Apache log, I'm sure that a lot of the automate attacks from that period can still be found. For any piece of software, arguably even more on web software, security is the start, beginning and the end of creating software. Extensions that have security problems, reflects badly on the software Joomla! and all other extensions around. To do any form of security, you need accountability. If we do a poll among developers what we should do with extensions which have been abandoned, I know what the outcome of that will be.

This is ****

Do you realise this would amount to a policy by JED to take implied responsibility for insecure extensions and consequent damages arising from successful hacking of user web sites?  ???

If so the JED will soon be crippled by lawsuits!!

Get real. The security argument is ****.

Developer votes are not the same as user votes.

This demonstrates where policy priorities lie -- the priority for users is access. So who are you really thinking of?

David

[mpettitt]

Do you realise this would amount to a policy by JED to take implied responsibility for insecure extensions and consequent damages arising from successful hacking of user web sites? 

If so the JED will soon be crippled by lawsuits!!

Why would it amount to that? If you link to a page from your website, which then gets compromised with malicious software, are you responsible for any damage caused to users who followed your link? Of course not. Likewise, if you link to software which turns out to have a flaw in it, it's the software author that is responsible, not the people who have linked to it. Do you take responsibility if you proactively remove links to pages or software which you have been told contain problems? No, you're just behaving sensibly. It's exactly the same with the JED - the link is removed, and restored when problems have been resolved.
That's a much more lenient policy than most spam blacklists, for example, have...

[vizion2000]

Do you realise this would amount to a policy by JED to take implied responsibility for insecure extensions and consequent damages arising from successful hacking of user web sites? 

If so the JED will soon be crippled by lawsuits!!

Why would it amount to that? If you link to a page from your website, which then gets compromised with malicious software, are you responsible for any damage caused to users who followed your link? Of course not. Likewise, if you link to software which turns out to have a flaw in it, it's the software author that is responsible, not the people who have linked to it. Do you take responsibility if you proactively remove links to pages or software which you have been told contain problems? No, you're just behaving sensibly. It's exactly the same with the JED - the link is removed, and restored when problems have been resolved.
That's a much more lenient policy than most spam blacklists, for example, have...

I know it sounds crazy but I honestly suggest you read the case law.

JED here are going further than providing a link to another site. I believe they are saying to the community, that the reasons driving their policy is to provide users more security.

In law the parallel is with libel.

That is why mailings lists do not edit contributions - to make it clear the responsibility lies with the contributor rather than the web site publisher.

With code the moment you establish a policy of removing third party code contributions on the grounds of a known insecurity there remains the possibility of a smart lawyer arguing you are legally liable in negligence for the consequences that arise from not having tested the code before publishing it in the first case!!

The legally safe bet is to publish all but allow user feedback. That way you do not "take responsibity" for such failings. The responsibnility for security stays with the downloading user. The moment you decide content is dependent upon the degree of code security one enters a legal minefield. So for JED to say their reasons are based upon security is IMHO either plain *** or, at best, quirky & thoughtless rationalisation.

Remember it is not me that is crazy; but the law sure can give some very strange results.

david

[Vimes]

You're making argument for argument's sake because you have a need to kick up a fuss. I don't know why, maybe you're just trolling or in the mood for a fight, but either way your statements don't hold water.

Google themselves freely admit that they unlist sites that are hacked, which is a direct parallel to what we do here, which is refusing to list some sites until reported issues can be either rectified or confirmed bogus.

http://www.mattcutts.com/blog/how-googl ... ked-sites/

Please, either come up with some sensible arguments or slink back to usenet where your trolling is appreciated.

[vizion2000]

You're making argument for argument's sake because you have a need to kick up a fuss. I don't know why, maybe you're just trolling or in the mood for a fight, but either way your statements don't hold water.

Google themselves freely admit that they unlist sites that are hacked, which is a direct parallel to what we do here, which is refusing to list some sites until reported issues can be either rectified or confirmed bogus.

http://www.mattcutts.com/blog/how-googl ... ked-sites/

Please, either come up with some sensible arguments or slink back to usenet where your trolling is appreciated.

I am a user that has been seriously inconvenienced by tghe way in which the change over was handled and by the earlier screw up resulting from the mambo/joomla hassle. So please do not try to red herring an issue which is really important to this community. As I have said before, I would be delighted to be in a position to praise JED for the way it has handled this issue but the facts do not support the notion that things have been well handled.


Now to the logic of  your contribution. I think you are well meaning but the parallel you draw is  IMHO not really relevant.

When someone is pointed to a website the responsibility for what happens on that website remains the responsibility of the web site owner. The parallel is if I tell you the  name of a department store in town there would be no grounds for legal action against me if it subsequently turned out the dishwasher you bought from them is faulty. This is the position that google are in.

However when I host code on my web site, with a published or implied policy about hosting that suggests I decide what to host and what not to host upon grounds that a smart lawyer could interpret as having an implied warranty, then I am in danger of being found liable in negligence for consequences.

All I am saying is that if the argument is about security v availability then JED are in danger of treading into a legal minefield by telling users that it decides its policies on the basis of being able to deliver secure code. 

I am arguing it is safer for JED  to favor availability rather then security and ooffer good feedback mechanisms. neither I nor anyonw else will thank JED if its policies open itself to legal risk.

A thoughtful reaction that would bring about a degree of credibility would be.. somehing on the lines of

.. interesting point.. we must look into this to see where we can go.

Do you really believe that personal abuse advances your case or brings it any credibility?

A little more thoughtfulness might go down better.

Thanks

David

[Vimes]

JED has always been about providing the best possible quality listing of current components. If a component has been abandoned by the developer then it is not possible to confirm that it is constantly being reviewed for security issues (as is the responsibility of any developer) therefore we err on the side of caution and remove those listings. If you cannot see the logic of this then I'm sorry, but you're best off creating your own, independent listing as we have nothing more to offer you.

[vizion2000]

JED has always been about providing the best possible quality listing of current components. If a component has been abandoned by the developer then it is not possible to confirm that it is constantly being reviewed for security issues (as is the responsibility of any developer) therefore we err on the side of caution and remove those listings. If you cannot see the logic of this then I'm sorry, but you're best off creating your own, independent listing as we have nothing more to offer you.

Arguments "ad personam" , defensiveness or avoiding issues does not make them go away.

Joomla users have a need for reliability of sources and consistent availability of extensions.

Joomla users need to know that their needs comes first.

The core question is how can those neeeds be met?

This is an important discussion and redherrings, personal abuse, or topic avoidance does not help.

Open and constructive responses from some of your colleagues have earned well deserved praised from me and other contributors in this dialogue.

I hope you can find a way to move in that direction. 

David

[Vimes]

I refer you to my previous response.

[MMMedia]

Joomla users have a need for reliability of sources and consistent availability of extensions. Popcorn
Joomla users need to know that their needs comes first. Cry
The core question is how can those neeeds be met? Undecided

These needs are being met by the JED.  If you feel that the JED is not the right solution for you, you are free to create what ever solution suits you.  No one is stopping you from creating what you specifically want.

Enough already, you are repeating yourself and abusing the forums and other users by masking profanity and misstating law.

[AmyStephen]

I hope you can find a way to move in that direction. 

David -
What happened to all that talk about you creating a server for us?  Your adoring community awaits! 

Amy

[vizion2000]

Joomla users have a need for reliability of sources and consistent availability of extensions. Popcorn
Joomla users need to know that their needs comes first. Cry
The core question is how can those neeeds be met? Undecided

These needs are being met by the JED.  If you feel that the JED is not the right solution for you, you are free to create what ever solution suits you.  No one is stopping you from creating what you specifically want.

Enough already, you are repeating yourself and abusing the forums and other users by masking profanity and misstating law.

You are right because.

1. My needs for a CMS are being met by Joomla at the present but, in view of past problems, feel users need to watch every move carefully.

2. I do want Joomla to carry on meeting those needs - therefore I want Joomla to ensure that:
   (a) all extensions will be made available without further interruption.
   (b) the community controls the extension library for future proof security following the recent debacle.

3. Interpretations of the legal position should always be challenged in the open and be substantiated. I look forward to seeing a reasoned response rather than an attack ad personam.

4. You are entitled to be thoughtful and express your views in any way you choose.

Thanks -

I am probably as much  committed to  joomla as anyone else here -- it takes committment to advocate some appropriate rethinking about priorities which, IMHO, is long overdue.

lets not have an important & constructive  discussion, focussed on keeping download links alive diverted away from the topic by personalisation.

david

[vizion2000]

I hope you can find a way to move in that direction. 

David -
What happened to all that talk about you creating a server for us?  Your adoring community awaits! 

Amy

I amy

I am into that -- when I said I would be willing to do it I also said I would not do it on my own.

If we can find another two like minded people I am willing for four of us to go ahead and create a core team.

Doing things solo is not a good idea - and it presumes too much

This has to be a community thing.

Are you up for it?

david

[MMMedia]

What you are not understanding is that extensions don't belong to the community.  Extensions belong to their respective individual developers. 

You need to understand that.  It is your misunderstanding of that basic principle that is causing you to repeat yourself over and over again.

[vizion2000]

What you are not understanding is that extensions don't belong to the community.  Extensions belong to their respective individual developers. 

You need to understand that.  It is your misunderstanding of that basic principle that is causing you to repeat yourself over and over again.

Sorry

I am sorry you have been confused bythe discussion. What I previously said in an earlier posting:

"The collection of extensions" is something that should properly belong to the community. Its existence should not, IMHO, be subject to arbitrary changes of policy by JED. It should not depend upon whether JED continues to function as a cohesive group. Maybe one solution is for the new JED system to be capable of open mirroring. That way if JED's site is down users can get it from a mirror site. I am not wedded to a particular solution - but IMHO a solution is needed. A single site solutionn is tooooooo vulnerable for such an essential facility.

The ownership/management of collection of extensions is what  I was discussing and maybe you missed. I agree with you the copyright to each extension is determined by the developer and the ownership of the extension is also a matter for the developer to determine.

Have I made the difference clearer for you?

The collection of extensions is of special value to the comunity and IMHO it is the collection that would be best owned and managed by the community as a whole.

david

[Vimes]

MMMedia is not confused by the discussion, she's absolutely spot on with her observations. Let me spell this out simply so that we're clear that you understand:

Developers own their extensions, not Joomla. Joomla has neither the right nor desire to make this any different.

For the last time:

If you want to download ALL of the GPL components, upload them to a server and ensure that they are developed according to the individual feature requests, and ensure that they are secure, then that's your right within the constraints of the license. Trying to do that with any others that aren't subject to a GPL compatible license is going to buy you a whole bag of worms that you really cannot afford. If you do choose to go down this route then I wish you luck.

Eventually, people reading my sig will know that sometimes I don't always abide by my own advice.

[AmyStephen]

I am into that -- when I said I would be willing to do it I also said I would not do it on my own.
If we can find another two like minded people I am willing for four of us to go ahead and create a core team.

David -

It's always easy to say you'll do it, but apparently you're having a hard time even meeting your own starting requirements of finding three other like-minded people. What about a server? Do you know what kind of traffic the JED generates? How about issues that developers raise? Are you prepared to staff it? What about complaints from community members? Better write policy. Consult an attorney. Do you have a domain name? How do you plan on notifying the community that your resource is available? Backups? Disaster recovery? Don't forget you promised us mirrors.

Regardless of what you say about this system, it still meets my needs better than your plans and good ideas. Perhaps in a year's time, you'll have the system that never ever, ever has any challenges - but, until then, my needs are MORE THAN satisfied by the JED.

It sounds like you have been a member of the Mambo/Joomla! community for awhile. If that is true, then you no doubt remember the first JED - KenMcD's list. When I came to Joomla!, I copied that list because it was SO VERY PRECIOUS I never wanted to lose it. I couldn't believe anyone cared enough to collect that information and share it FREELY with others. It has been read 196,749 times!

You basically started with one issue - a difference of opinion on ONE issue - what to do with after nearly six months when a developer doesn't respond. You suggest acting on behalf of the developer and assuming they want the extension published - and automatically carrying it over to the JoomlaCode site. So, you are suggesting that code be shared where the editors are fairly confident there is no developer support. 

The JED team believes that this lack of response to SEVERAL queries serves as an abandoned GPL'ed extension. That makes sense to me. They have communicated their plan to list those for the community and, if the need and the desire is there, a developer MIGHT pick up the extension and begin to support it. I see this as a good thing and I believe in the community to take care of it's needs. I think what the JED team is doing is smart.

David - I look at the JED and I think "Man! Look at what these people have done with Ken's list."

Maybe in a year's time, you'll show us the way. But for now, please stop. You are attacking the people who ARE serving our community and doing a SERIOUSLY COMMENDABLE job because you feel differently about one issue. Please stop.

Amy

[Vimes]

Ok, this thread has run it's course and is now locked.