Looks like some people are trying to be overnight millionaires selling Xenforo 2 mods!

Alfa1

Administrator
Joined
May 28, 2007
Messages
3,916
Paying & installing twice to get quality code is a bit weird. It would make more sense to me to just offer one addon with quality code that can be run without performance issues.
 

Xon

Adherent
Joined
Feb 15, 2015
Messages
307
I've got a paid add-on with that feature (post areas) for XF1, and it is a heck of a lot larger than that. It'll have that feature in XF2

And it has decent performance!
 

PoetJC

⚧ Jacquii: Chenyneh Kween ⚧
Joined
Jul 9, 2006
Messages
21,018
I've got a paid add-on with that feature (post areas) for XF1, and it is a heck of a lot larger than that. It'll have that feature in XF2

And it has decent performance!
I'd say pretty damn decent performance. TAZ uses it. And TAZ is known for making use of the best-made add-ons
It's a great functionality addition :tup:

J.
 

Shimei

Fan
Joined
Oct 11, 2015
Messages
514
I would think that at first, with competition relatively narrow, prices will be higher. As competition grows, this will drive prices down. Often we pay a premium to be on the leading edge. :)
Four people agree with your capitalist dribble.

Communist/Socialist/Liberal/Democrats suggest that Xenforo should regulate pricing.
 

cheat_master30

Moderator
Joined
Jan 16, 2010
Messages
3,846
Well, you have to admit vBulletin only allowing free plugins on vBulletin.org and WordPress only allowing free and open source plugins in their plugin directory likely helped their community a lot. In that sense, it does seem like restricting what types of plugins and themes people can post does in fact create a less profit obsessed community than allowing paid ones.
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,343
Devs can charge whatever they like. They put the time into developing them and if they want to charge $5, $50 or $500 for an add on, let them do so and the market will decide whether or not it gets sold. It's a waste of time asking them to regulate pricing.

What XF really needs is access to the plugin directory from within the XF ACP.

That way users can search, read about, install, upgrade and manage any and all free plugins from an XF repo, as with Wordpress.

This would give the free ones the focus and better exposure. Discoverability would be much better from within the control panel if it had a dedicated section, with top downloads etc. Combine that with a tweaked version of the install and upgrade system in the core and it makes the whole process of trying new ones much easier.
Paid ones can still be sourced from the resource manager in XF.com where at least they can be discussed and reviewed on a non-biased platform, whatever the price may be.

The easier it is for admins to discover and install new plugins, the more each admin will use, the better it is for devs and everyone as the market and demand for them grows.

That would also complement the two-tiered system discussed earlier where you have to pay for features to make the plugin big board compatible. Release a basic or core version for free for small sites to use, this could be listed and downloaded for free in the repo for maximum exposure and distribution. Then have the option to pay to upgrade to the premium one if you have a large site that needs the advanced features or optimisations for very busy forums.
 

Alfa1

Administrator
Joined
May 28, 2007
Messages
3,916
Well, you have to admit vBulletin only allowing free plugins on vBulletin.org and WordPress only allowing free and open source plugins in their plugin directory likely helped their community a lot.
It took me years to find out where the paid addons for vBulletin were and it was very hard for developers to monetize on vB. It was nice to have so many free addons, but I don't mind paying for quality. Unfortunately the current situation means that we are often paying for poor quality. In this sense the concept of paid addon marketplace does not necessarily lead to better addons.

In some cases it definitely does lead to better addons. Much better. I use addons on XenForo that I could have only dreamt about when I was using vBulletin.

In many cases the existence of one low quality addon will deter other developers from investing time in creating a quality addon for similar functionality. It happens frequently that someone suggests I use an addon from a low quality developer and that therefore the demand for my need is already filled.

I really hope that this aspect of the XenForo marketplace will improve in coming years.
 

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
208
What XF really needs is access to the plugin directory from within the XF ACP.

That way users can search, read about, install, upgrade and manage any and all free plugins from an XF repo, as with Wordpress.
I’m not sure I fully agree with this. It sounds good on paper, but that system is also part of the reason why WP makes security conscious people cry and/or turn to alcoholism.

Of course, I don’t doubt that the XF team would come up with a much more secure solution, that’s not the issue. The issue is two-fold: WP gave autoinstallers a bad rep, and there are inherent security vs usability concerns that from my perspective can not be reconciled without making significant sacrifices one way or another.

For instance, if you open the code XF files to be writable by your web server, a malicious script now has the ability to modify and subtly change your entire installation, and if it also overwrites the hash file, file health check becomes worthless.

If instead you require FTP information and use a FTP wrapper so the credentials never leave your site, you have to account for a LOT of strange server configs. Even with SSL support, you cannot guarantee usability.

Users will also be more likely to pick a weaker password if they have to provide it every time they update or install.

Not to mention it doesn’t work with paid mods for obvious reasons, so you have to add “display-only” entry support.

In short, I don’t disagree with you but there are some significant concerns. I wrote an internal paper on this, to research the possibility of using it to update DBTech mods. The security or usability trade-offs were judged too high to be worth the risk.

That being said, I would be in favour of a system where it was entirely read-only. You could have a directory with links to the resource (and links to the purchase page if one was defined). IMO that would be the best of both worlds.
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,343
For instance, if you open the code XF files to be writable by your web server, a malicious script now has the ability to modify and subtly change your entire installation, and if it also overwrites the hash file, file health check becomes worthless.
How is that different from an admin downloading any old code from a free resource on XF.com and uploading it themselves? Genuinely curious.

99.9% of people aren't going to bother checking the files before just uploading the entire directory to their site and it could easily have rogue code in it. Is that any different from pulling code from a public XF plugins repo through the ACP?

In short, I don’t disagree with you but there are some significant concerns.
It definitely wouldn't be a simple or easy system to get right, but I feel it's something that will have to be implemented at some point and it's only a matter of time of who can execute it right and do it first. It has lots of potential pitfalls that need to be addressed, but the benefits to admins and add on developers are immense.

I admin a few wordpress sites and can't imagine going back to the manual FTP updating method. It would take bloody forever just keeping up with weekly updates from all the plugins and themes I use on each site.

Some of the security plugins, like Wordfence simply update themselves too. I'm completely fine with that.

If I were to take a guess, I would bet that Discourse will be the first company to roll out something like this, seeing as their goal is to become the wordpress of communities. They seem to be growing quite quickly as a company and their forum has a lot of really nice features now.
 

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
208
How is that different from an admin downloading any old code from a free resource on XF.com and uploading it themselves? Genuinely curious.

99.9% of people aren't going to bother checking the files before just uploading the entire directory to their site and it could easily have rogue code in it. Is that any different from pulling code from a public XF plugins repo through the ACP?
Oh, I didn't mean code from XF.com, sorry I should have clarified! I was typing on mobile.

What I meant was: if an exploit existed somewhere that ended up allowing an attacker to deliver a payload, security scripts like ConfigServer eXploit Scanner have much less of a chance to catch it if it's not the payload itself that contains the c99 shell. For instance, if the payload was "open index.php and write a line at the top of the file after <?php" that is less likely to be caught than if the payload was the c99 shell itself.

You're right in thinking that there's no functional difference between manual and automatic uploads, the only difference is that I would consider making your entire forum writable by web a bigger security risk than having it only writable by FTP.

Hopefully that made a bit more sense :D

It definitely wouldn't be a simple or easy system to get right, but I feel it's something that will have to be implemented at some point and it's only a matter of time of who can execute it right and do it first. It has lots of potential pitfalls that need to be addressed, but the benefits to admins and add on developers are immense.
Agreed. I do feel like this sort of updating / installation would need to be in some way powered by the actual server itself, rather than being done in raw PHP, in order to mitigate some of the security risks.

You mention Discourse, which does run as a server process. You need to launch a VM on your server in order to "boot up" the forum, otherwise you have nothing. You need look no further than the Q&A forum over @ XenForo (or vBulletin, or indeed any other mainstream forum platform) as to why this type of installation is not going to be mainstream.

Since Discourse runs as a process on your server, updating it in the background would not pose a security risk, even less so because it runs in a VM, so any exploits in Discourse cannot affect your actual server. I feel like if XF were to implement this, it should be done via a server-side companion process that actually handles the installation/update commands.
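
Added example, not code from the thread, XenForo or DBTech: Fillip H.'s two posts above describe a web-writable install where a payload edits index.php and also overwrites the hash file, so the file health check stops detecting anything. This Python example reproduces that failure in a temporary directory and contrasts it with a manifest sealed by an HMAC key held outside the web user's reach; the file name `hashes.json`, the key, and the sealing step itself are assumptions made for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def build_manifest(root):
    """Map every PHP file under root to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}

def seal(manifest, key):
    """HMAC over the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def health_check(root, manifest_file, key=None, tag=None):
    """Return a list of problems; with key/tag the manifest is authenticated first."""
    manifest = json.loads(manifest_file.read_text())
    if key is not None and not hmac.compare_digest(seal(manifest, key), tag):
        return ["manifest: seal mismatch"]
    current = build_manifest(root)
    return sorted(f for f in manifest.keys() | current.keys()
                  if manifest.get(f) != current.get(f))

def demo():
    key = b"constructed-demo-key"  # assumption: readable only by a companion process
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "forum"
        root.mkdir()
        index = root / "index.php"
        index.write_text("<?php\necho 'forum';\n")      # constructed sample file
        manifest_file = root / "hashes.json"             # in-tree, so web-writable
        manifest = build_manifest(root)
        manifest_file.write_text(json.dumps(manifest))
        tag = seal(manifest, key)                         # kept outside the web root
        clean = health_check(root, manifest_file, key, tag)
        # Simulated compromise: one line written after "<?php" (harmless placeholder).
        index.write_text("<?php\n// injected line (placeholder)\necho 'forum';\n")
        detected = health_check(root, manifest_file)      # hash file still intact
        # The same writer now regenerates the in-tree hash file.
        manifest_file.write_text(json.dumps(build_manifest(root)))
        unsigned = health_check(root, manifest_file)      # passes: check is worthless
        sealed = health_check(root, manifest_file, key, tag)
        return clean, detected, unsigned, sealed

if __name__ == "__main__":
    for label, result in zip(("clean", "detected", "unsigned", "sealed"), demo()):
        print(label, result)
```

The sealed check only helps if the key and tag sit where the web server user cannot read or write them, which is the same separation the posts ask for with FTP-only writes or a server-side companion process.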
 