That’s a cool idea.
I think that the 3rd option would be the best… First check if a developer isn’t going to backdoor. If not, make them able to release plugins instant!
Another possibility is to enforce plugin signing via a correct certificate I know it won’t stop it happening but it should be easier to control enforce and reduce chances also you could have the plugin show a list of events or etc much like Android/etc
Honestly I don’t feel this is really feasible on multiple levels. On the one hand that makes it so that you guys are forcing open source regardless of whether the developer wants it that way or not. That isn’t really you guys place to decide how a developer licenses their code or releases it.
The second way is the sheer bandwidth involved in something like this. Unless you guys are going to approach someone like Curse to get some sort of tool setup for this (which is another consideration, the amount of time/code required to set this up) the bandwidth requirements just aren’t a reality for you guys to self host outside of on a large scale networks system.
1 Like
No, but it is their place to decide how code released on their hosting platform is licensed.
+1 for not reading the entire thing and taking it entirely out of context.
If they forced an open source or specific license for any plugins hosted on their system then they are taking away the freedom of the developers to program how they feel best. They might as well force all plugins to conform to specific style and naming practices while they are at it also.
1 Like
The time to code this wouldn’t be much longer than it would the way bukkit had this. I could even do this in my spare time in one day.
It is their right though. Sponge can determine what gets posted to their directory. It’s their resources and if an invalid license is uploaded they can sue or take proper actions for damages.
This is the original, started two weeks ago… the topic you link is 20 hours young.
I believe I linked a similar thread to this one at some point since this one was started by a moderator. Although I think this thread and the one you linked are vaguely different. This one discusses technical aspects of plugin validation as well as how they’d be hosted. The other you linked is more about a web site for people to access hosted mods that are being validated.
Then you get down with your bad self and program this in your spare time in one day. I expect a fully realized, completely UI’d, fully functional DBO replica within less than 6 hours.
As to your other comment, yes it is within their right. That does not make it right though. And no, they could not sue for damages if someone uploaded a closed source mod to their open source hosting directory. They could remove it yes, seek legal action, highly unlikely. Please troll elsewhere.
I’m guessing you have the same complaint again SourceForge or Google Code? What about Travis/GitHub’s model?
How about asking curse to host sponge plugins, similar to how they already host bukkit plugins and minecraft mods? They already have a really nice platform for this. So that would mean no need to additionally recreate all of this.
Regarding file approval I vote for proposal 3: instant available to the users but marked as ‘attention, not yet approved’.
1 Like
I am really in for Proposal 1. I liked BukkitDev. I think SpongeDev would be awesome.
Following Suggestion 3; What about adaptive quantities for trust values with set minimums and maximums, to keep it all in balance and to keep the managing staff from having to dig up and modify values from months if not years before.
I think it is extremely important to have a very clean and well functioning system. I’m totally all in for proposal one. I know a lot of people would disagree, but really it was quite an undefeatable system (sure it had a few faults, but what doesn’t?)
I, personally, applied multiple times (as did others) to help review plugins on BukkitDev but not once was I ever contacted back (even when I inquired about it) about receiving a position on the team. I even offered to have a voice-chat interview and present my skills, but still no. I think if there was a better hiring and auditing process of potential review volunteers, then this system could possibly be a lot better than how BukkitDev was.
Now, I know it does mentally drain those volunteers but I think it is the safest and possibly the best way to carry this out. I’m not quite sure how well a community-run verification process would blow over, given that most of the community when Sponge is rolled out completely is mostly going to be server owners. Most server owners (going by who I’ve come in contact with) do NOT code, or at least not very often. They often can’t see back-doors, however obvious they may be. This isn’t entirely their fault, it does take some expertise for sure.
Proposal three could work. But if that system is to be used, I don’t think people should know exactly how it works. If they did, then take a scenario where an uploader could upload a clean and non-malicious file to be accepted by the system and then only after that upload another file that is extremely malicious. This could, obviously, be disastrous.
To be honest, I think proposal one is the greatest. Feel free to compete with me here, but I feel that if the hiring and auditing of potential volunteers was improved that this system could be the best way to go.
Just my two, or three, cents. 
I’m still in favor of option 3. I think the issue of re-uploading malicous code after the previous clean code is approved can be automatically managed by the repo server (just a md5 check and flag it for re-review, since generally every version needs to be re-validated anyways). There’s probably also tools reviewers can use to locate changes made to the file if that’s done to more quickly realize if there’s an issue with the changes.
It’s not just about skills. Why would anyone trust you (or any other random applicant)?
Not trying to insult you here, but that’s really the downside of any reviewed system; unless a bunch of very established and trusted people (sk89q IMO, for example) have the exclusive reviewing responsibility then all it’s going to lead to is a false sense of security. And even if that was the case then these people have a chance to betray that trust.
Take a look at that.
I can see where @teozkr is coming from there. As a server owner, when I’m in need of more staff, I don’t like to simply go off how experienced they sound. I like to get to know them for a while and make sure they seem like a decent person so they don’t turn around and try to destroy the server.
2 Likes