Page 1 of 1

Suggestion: Remove All Extensions WIth No Updates in 2 Years

Posted: Wed Nov 09, 2011 2:38 pm
by alledia
After talking with some Joomla devs, this idea came up: remove all extension with no updates in 2 years.

This would be great help in terms of security and making sure that abandoned, insecure software isn't still being used.

I tweeted the idea and the feedback was good. Some of the most useful:

Question: What do you do about extensions that were never updated because they "just worked"?

Possible answer: Give the devs a warning before their 2 years are up. If there aren't any changes, they can login and tick a box that is confirming that they still are around and haven't abandoned the suggestion.

Alternative suggestion: Given that in a few months 1.5 is EOL might make sense to wait then remove all 1.5 only extensions and that could have a similar effect.

Alternative suggestion: Leave the extension on the JED, but mark it as being "Unsupported". This I believe is how Drupal.org does things: http://drupal.org/node/99466

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 3:06 pm
by drmmr763
I think I would almost prefer just being able to filter/sort based on last updated results. Many times I've found myself in the unique position of needing a simple extension that only was released once just to piece together a larger piece of a puzzle.

In any case I definitely like the idea of giving a warning. Regarding the EOL for 1.5, I would hope that extensions for 1.5 remain in the JED for a few months after the EOL as people transition.

I do like the 'unsupported' idea as well, except many people might skip over the 'gold mine' extension they're looking for because the read an unsupported tag and dismiss it without a second thought.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 3:06 pm
by nikosdion
+1 from me. I would say that after 1 year of no updates the entry should be marked as "outdated" and an automatic email shoot out to the developer of the extension to warn him. If the developer doesn't respond in 45 days by updating his extension, it should be unpublished automatically with the reason "No longer maintained".

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 3:12 pm
by David-Andrew
+1 from me as well.
nikosdion wrote:After 1 year of no updates the entry should be marked as "outdated" and an automatic email shoot out to the developer of the extension to warn him. If the developer doesn't respond in 45 days by updating his extension, it should be unpublished automatically with the reason "No longer maintained".
I would like to see 1.5 extensions still online after 1.5 is EOL. Wait for a certain period maybe. A lot of us also use the JED as reference etc, and reality is people will also be updating/migrating after EOL.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 3:17 pm
by jen4web
Hey Steve, I think this is a great idea.

For those who are new to Joomla and without experience in distinguishing one extension from another, it's hard to tell which extensions are still backed by an active developer, vs. which were a college student's project, posted to the JED, and forgotten.

Many new site builders do adopt old(er) or potentially abandoned extensions, then wonder why there is no support. I completely recognize that is a problem with specific 3rd party developers external to Joomla itself -- but many people take this to be a problem with Joomla as a project in that it has "no support."

It's in Joomla's interest to make sure extensions on the JED represent the best of Joomla, and that they enhance Joomla's standing as a great CMS.

To that end, perhaps a solution is a combination of what you list above.

- After 2 years with no changes to a given extension, an email is sent with a 30 day warning that the extension will be marked as "unsupported". Developer must log in and indicate that the extension is still supported for it to continue as a standard listing.

- Unsupported extensions will be clearly marked as such, with a definition of what unsupported means (use at your own risk, no updates available, no tech support available). It might make sense to not show these in standard JED listings, making them available to show only through a specific advanced search (check a box to show unsupported extensions, otherwise only supported extensions are returned).

- Perhaps after 2 years as an "unsupported" extension, the listing will be removed from the JED entirely.

What does everyone think?
Jen

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 3:26 pm
by David-Andrew
jen4web wrote: It might make sense to not show these in standard JED listings, making them available to show only through a specific advanced search (check a box to show unsupported extensions, otherwise only supported extensions are returned).
Also a great idea.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 4:12 pm
by brian
Jus because it hasn't been updated doesn't mean it's broken. Many extensions on the JED are so basic that they just work and don't need any updates

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 4:19 pm
by Vimes
I agree with Brian. Perhaps a good compromise is, as Jen suggests, email the developer periodically to ask them to confirm (somehow, TBC) that they're still monitoring and supporting the plugin. If we were going to go down that route, then a shorter time period might be in order, say every 6 months.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 4:44 pm
by nonumber
brian wrote:Just because it hasn't been updated doesn't mean it's broken. Many extensions on the JED are so basic that they just work and don't need any updates
In theory that sounds plausible. But in practice I have yet to come across an extension that truly needs no updates.
Joomla is changing too. And functions/methods get depreciated. Only that is enough reason to update code in extensions. The extension may not be broken, but it is using outdated code. This can have performance and even security issues as a result.

Also more often than not - also speaking from my own experience as a dev - when an extension does not get touched for more than a few months, it means that support goes downhill too.
That is my main concern!

Extensions that no longer have an active development and support strategy behind it, should not be used on live sites. Only to protect its users. What if it does show up on the Vulnerability radar? how long will it take before it gets fixed... if ever?

So I think - as an extension developer - you do have the responsibility to keep your code updated. If that means you have to reply to an email once every so often if you don't update it, then I'm all for that.

But as I said earlier, I have yet to come across a 1+ year old extension that isn't in need of some form of updating.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 4:50 pm
by nonumber
jen4web wrote:- Unsupported extensions will be clearly marked as such, with a definition of what unsupported means (use at your own risk, no updates available, no tech support available). It might make sense to not show these in standard JED listings, making them available to show only through a specific advanced search (check a box to show unsupported extensions, otherwise only supported extensions are returned).
I think that unsupported extensions have no place on the JED whatsoever.
Extensions get removed from the JED for far lesser sins than that.

IMO support is more important than the actual code.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 6:34 pm
by nikosdion
FWIW, given the release schedule of Joomla! (a new STS every 6 months and a new LTS every 18 months), by definition, any extension over 18 months old will be broken and uninstallable. This wasn't necessarily true with Joomla! 1.5 and I plea guilty of having written an extension which was last updated 20 months ago and is still working.

In any case, I agree that some tiny module/plugin may be so trivial that it needs zero maintenance for years. That's why I suggested in my first post that after 12 months of no updates an email should be shoot out to the developer and give him/her 45 days to update the listing (edit and save, no need to change the version number). What we should be interested in is having some "proof of life" from the developer. Is he still interested? If something breaks, does he intend to fix it? If someone hasn't bothered editing his listing for 13 and a half months, he/she probably is no longer interested in maintaining the extension and these extensions specifically are what we need to root out from the JED.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 7:06 pm
by Nick Savov
Just an FYI for the discussion, the way the current JED works the "last update on..." is only updated if the version number of the extension changes.

For example, there are some extensions on the JED that are listed as 1.7 native but the "last update on..." is over a year (even though obviously Joomla 1.7 hasn't been around that long), because the developer chose to keep the same version number for the extension.

Kind regards,
Nick

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 8:13 pm
by mlipscomb
I don't see an immediate need to remove extensions based on "last updated" dates. The new development timelines basically take care of that. When one version reaches EOL, the JED follows suit, removing that version from the JED after a waiting period. So in that light, anything unmaintained would, by default, get archived. So my question is: Why do the extra work when it will be done automatically based on versions?

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 8:26 pm
by nonumber
We are talking about 6-12 months after taking action.
The versions of Joomla are supported much longer than that. Extensions are kept on the JED longer than the end of support date. So that means probably somewhere around 2 - 2.5 years before these extensions would drop of via the J version method.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Wed Nov 09, 2011 9:08 pm
by sweup
Wouldn't it be possible just to create an archive section? - the users will (hopefully) understand that the extension is not maintained, but can still choose to download the extension.

Also, i´m not a dev myself, but if I was looking for to make a new extension I would search JED for similar extensions. Even if older extensions are not maintained they probably have a value for inspiration and reference.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Thu Nov 10, 2011 1:58 pm
by Marcus Stafford
I'd like to see older extensions remain but maybe with a note that they are considered Unsupported as previously suggested. It means we can still find and use them when required but at a risk of no support.

Also useful would be commercial extensions being listed with their price as either a single purchase or a membership.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Sat Jan 07, 2012 9:45 pm
by David-Andrew
mlipscomb wrote:I don't see an immediate need to remove extensions based on "last updated" dates. The new development timelines basically take care of that. When one version reaches EOL, the JED follows suit, removing that version from the JED after a waiting period. So in that light, anything unmaintained would, by default, get archived. So my question is: Why do the extra work when it will be done automatically based on versions?
That is great to hear Matt! I think this topic got posted mostly because we where not aware yet how the JED team would follow the new development strategy as mentioned here:
http://developer.joomla.org/strategy.html

Has the JED team decided how long this waiting period is? Eg. when do Joomla! 2.5 extensions get removed?

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Mon Jan 23, 2012 1:36 pm
by dubois
mlipscomb wrote:Why do the extra work when it will be done automatically based on versions?
is it me or most of your answers are about saving precious volunteer time ?
if you guys don't have time or are tired by free volunteers i'm sure there are many others willing to join and help.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Sat Feb 04, 2012 5:32 pm
by pearlcaviar
Would be great if we can subscribe to particular extension update. So will never miss when the developer update the extension.

Regards,

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Fri Jun 15, 2012 2:48 pm
by David-Andrew
Just came across this video from Matt (Wordpress leader) on mark 15.10, where he announces the same for Wordpress plugins as we are discussing here for Joomla!.
http://wordpress.tv/2011/08/14/matt-mul ... word-2011/
Screen shot 2012-06-15 at 4.42.12 PM.png

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Fri Jun 15, 2012 3:02 pm
by Paul007
This is a brilliant idea. It will surely help reduce the risk of increased security issue created by old plugins .

But what would a user do if there is no alternative available for that plugin?

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Fri Jun 15, 2012 8:57 pm
by captjay
I am with paul007 I am running 1.5 and there is not a lot of free plugins / mods/ components and in most cases i relie on some old stuff, having no money for extensions/ freeish hosting/ etc... That is why i chose open source in the first place... freedom! It did not cost me millions to offer a free site! some of the best extensions i have are free and as soon as i can i donate what i can, most of the time it is only a beer... Since when has open source focused how much u can pay? It should be set at a (at you own risk / out of date / unsupported) and marked with all relevant marks, as well as all the good points. Other developers take over if the need is there.... if it is a good or widely used, it should be integrated, like Ubuntu, and others... don't just throw it away or disregard it. but it must meet some requirements... seems like there is little to no requirements as it stands now. Free should be free, or removed and banned if it dose not meet this requirement. Payed extensions should have to meet there own list of requirements, per the field that it apples to, same for the free extensions.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Sat Jun 16, 2012 9:26 am
by nonumber
What extensions are you using that have actually not seen an update in 2 years time?

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Sun Jun 17, 2012 7:14 pm
by captjay
+1 for me as well!
brian wrote:Jus because it hasn't been updated doesn't mean it's broken. Many extensions on the JED are so basic that they just work and don't need any updates
But i think there is a lot more here to consider, as i have said. I have come a cross a lot of " in my mind" crap, some don't work, some with no support, some that support just the admin. on the front side and not users, but they are mixed in with some really good ones-but u cant make heads or tails of what is what and i my self have wasted countless hours no this problem, find it, click, click, click, register, download, install, find out it is not what it says it is and have to disable it, and or uninstall. I cant say this anuff REQUIREMENTS, REQUIREMENTS, REQUIREMENTS!!! 8)

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Sun Jun 17, 2012 7:52 pm
by captjay
nonumber wrote:What extensions are you using that have actually not seen an update in 2 years time?
Look i am not singling out anyone or anyone extension. Look there is a real need for all the things i have said and my motives are to better Joomla, developers, Admins, and front side users! end of story! If u read it u would see that, and there are a lot of Grate Ideas there! look deeper! :geek:

P.S. Ty for the link will check u out! 8)

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Mon Jun 18, 2012 7:45 am
by nonumber
I wasn't trying to attack extensions or developers.
I just want to know how big this problem actually is.

I've heard a couple of people say in discussions about this topic: "What about extensions that don't need updating".
But I haven't had one example of an extension that fits that point yet.

I strongly believe that if an extension has not been updated for over 2 years, that development and support is also non-existent anymore. And in that case it is a BAD idea to use them!

In the cases that extensions are still actively supported but didn't need any form of update (even though Joomla is constantly changing), then the developer just needs to push out an update every 1.5 - 2 years. I see no problem in that whatsoever.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Mon Jun 18, 2012 7:58 am
by Vimes
Makes sense to me too.

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Tue Jun 19, 2012 12:02 am
by MoonfireArt
The simplest solution is that when a LTS Joomla version reaches end of life, pull out all extensions that do not comply with the new LTS version of Joomla. That's every 18 months, and should solve your problem easily (I think they are doing this with all the 1.5 extensions.)

Re: Suggestion: Remove All Extensions WIth No Updates in 2 Y

Posted: Thu Aug 16, 2012 4:46 pm
by NestorAcevedo
i think another solution -and what's happening in my case- is to have the option to unublish/remove an own-extension in edit option.

in some cases, the author doesn't want to give more support and wants to discontinue that extension, so i think that person could to have an option for unpublish, and doing this, write the reasons, and have "published" the extension but without download option, and showing the author's reasons