Thanks, @mbabker. I didn't know that the J! Statistics plugin sent a token.
I don't think it is significant to compare what is used by the J! Statistics plugin and the token idea I've suggested. I also don't think it's too important to over-egg [security] mechanics that might be used in "verifying" the authenticity of reviews. My code snippet example was merely an example, for illustrative purposes. If someone has a better idea then I'm keen to see it.
If the new mechanism adopts a token generation feature, and it uses MD5 or SHA1 or some other encryption, it's probably a case of "So what?". To use SHA1 instead of MD5, the generator function in my code would merely return a different value, in other words, change the line (in my example) like this:
```php
return sha1($unencoded_extn_string); // return the SHA-1 hashed token
```
But, again, so what?
I agree that no "automated" verification approach will catch everything; it's not bulletproof (and neither should it be). There's always a requirement for human intervention (or arbitration) where people report fake/dishonest/spam reviews.
hdouglas wrote: Tue Jul 16, 2019 2:43 pm
Don't lose sight of the time it might take, or the hoops to jump through to be able to post a review ... Ask yourself how much time you would spend posting a ... review?
It generally takes me about 15 minutes to write a review.
Generally my reviews are fairly "positive"—I wouldn't say that I'm fawning in my praise or hyper-critical in my assessment—but I would like to think that my reviews are honest and justifiable. I am lucky; I'm not among the cohort of people who currently spend time only to be disappointed that the process fails because of the current [IP/keyword-based] filter.
I don't know how many extensions I've reviewed over the years—the number is around twenty, I think—and it's hard for me to condense my opinions to 140 characters for each of the five metrics (and 280 characters for an overall assessment/final comment). However, the review submission process has become easier with the introduction of the "star" scores. Swings and roundabouts.
I don't know whether it's a good idea to, at this time, disable the existing review system. I think it is a good idea, however, for the JED team to engage with the community, acknowledge that the current system is imperfect and keep us apprised of what their plans are to remediate the current problems.
Personally, I think that the current "anti-spam" mechanism is a wasted effort. Personally, I think that the level of "spam" is insufficient to justify the JED team running up the white flag and, effectively, saying that it's all too hard to juggle the value of reviews against the volume of fake ones that make their way into the system. That's just my opinion.
But let's be completely clear about what the JED is all about. The JED is loosely based around helping developers, giving developers some recognition, and [of secondary importance] allowing the developers' work to be shared with the community. If the community as a whole benefits from it then so much the better.
The process is based on a simple premise: someone thinks of an idea about how to improve a website's functionality. That "someone" is a "developer". It starts with someone saying to themselves, "I need something to do something." Now the genesis of that thought may be because they want something for themselves or they may need something to satisfy a client. It doesn't matter. After they've built that "something" they may want to announce to the world, "Hey, world, I've built something. Maybe this 'something' would be something you might like to use?"
Now, maybe other people would find these "somethings" useful to them, and maybe they won't. Everyone is different and everyone seems to want something different to what's on offer.
The whole point of the JED is to showcase the work of developers. Some developers are happy enough to obtain a pat-on-the-back and other developers actually want to earn some money. The motivation is different.
It's nice to get feedback. It's nicer to earn some pocket money. It's even better if we could live off the earnings.
(Apologies for the rambling. I've been feeling out-of-sorts lately because, it seems to me, much of the "feedback" I've received has been fairly negative. So, maybe, I should just leave it at that.)
sozzled wrote: Fri Jul 12, 2019 8:25 pm
- Retain the ability to post reviews; reviews are an important part of the JED ecosystem.
- Ensure that the people can only submit a review based on the principle that the reviewer has actually installed the extension they're reviewing; leave it to the JED4 development team to implement a mechanism to ensure that reviewers can establish they've installed the extension they're reviewing. Some of the ideas in this discussion may contribute to that implementation.
- Get rid of the current IP/keyword-based checking algorithm.
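Added example, not part of the post above and not JED or Joomla code: for the install-verification token discussed in the post, what decides whether a token can be checked is less the choice of MD5 or SHA-1 than whether the hash is keyed with a secret that only the issuer holds. The sketch assumes the directory issues the token for an extension/site pair and checks it when a review is submitted; every function name and sample value is hypothetical.

```php
<?php
// Added illustration; all names and values here are hypothetical.

// Unkeyed variant, in the shape of the post's one-liner: anyone who knows
// the input string can recompute the token, whichever hash function is used.
function unkeyedToken(string $extnString): string
{
    return sha1($extnString);
}

// Keyed variant: the token depends on a secret held only by the issuer.
function issueToken(string $secret, string $extnId, string $siteUrl): string
{
    // Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    $msg = strlen($extnId) . ':' . $extnId . '|' . strlen($siteUrl) . ':' . $siteUrl;

    return hash_hmac('sha256', $msg, $secret);
}

function verifyToken(string $secret, string $extnId, string $siteUrl, string $token): bool
{
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of a submitted token were correct.
    return hash_equals(issueToken($secret, $extnId, $siteUrl), $token);
}

// Constructed sample values.
$secret = random_bytes(32);
$extnId = 'com_example';
$site   = 'https://site.example';

$token = issueToken($secret, $extnId, $site);

// Case 1: the token that was issued for this extension and site.
var_dump(verifyToken($secret, $extnId, $site, $token));

// Case 2: the same token presented for a different extension.
var_dump(verifyToken($secret, 'com_other', $site, $token));

// Case 3: a token computed from public strings alone, without the secret.
var_dump(verifyToken($secret, $extnId, $site, unkeyedToken($extnId . $site)));
```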