Can we implement trusted updates in the styles database?

[PlanetStyles.net]

https://www.phpbb.com/customise/db/queue-stats/style

Few problems here:

• No one enjoys styles validation
• There doesn't appear to be much growth in the customisations team
• Queue submissions are made faster than they can be cleared, particularly in months where there is a maintenance update

This has not been a sustainable model for a long time.

What is necessary to persuade the phpBB team to adopt a system where: only the first x submissions / updates are validated, and then submissions or authors move to a 'trusted' state, where submissions and / or updates are approved automatically?

Is there anything else that could be considered to relieve the ever-worsening styles approval delays?

[warmweer]

...
What is necessary to persuade the phpBB team to adopt a system where: only the first x submissions / updates are validated, and then submissions or authors move to a 'trusted' state, where submissions and / or updates are approved automatically?

I think a "trusted" state comes by itself, but that shouldn't include automatic approval at all. The idea by itself isn't sound even (and with your experience, you must have come across situations where you didn't even notice your own small mistakes (typos, an oversight through habit, or just bad luck - it happens to everyone)

Looking at myself; I think I've built up some credit over the years and in quite a few support topics I've been able to give sound advice. However just yesterday or the day before I actually posted some dangerous advice (which could have been OK for really seasoned users but in this case was totally inappropriate - luckily an alert moderator noticed it and edited my post).
Doublechecking may be time-consuming, but shouldn't be skipped.

[PlanetStyles.net]

...
What is necessary to persuade the phpBB team to adopt a system where: only the first x submissions / updates are validated, and then submissions or authors move to a 'trusted' state, where submissions and / or updates are approved automatically?

that shouldn't include automatic approval at all. The idea by itself isn't sound even (and with your experience, you must have come across situations where you didn't even notice your own small mistakes (typos, an oversight through habit, or just bad luck - it happens to everyone)

Indeed. I published a Milk update a few days which contained a few bugs. Nothing dangerous, just a few oversights. People reported them, they got fixed.

ThemeForest operates on a basis that anyone who reaches Elite status ($75,000 gross sales) is able to update their products without review. I achieved this nearly a year ago, and it hasn't been to the detriment or quality of the product.

If we consider "trusted" in the context of "trusted to update their own items, and trusted to do something about it if a problem arises" , as opposed to "trusted to never make a single mistake", then the whole concept becomes much more workable.

There's very little that gets pulled up in styles validation that would open a vulnerability on a user's forum. But till, everything has go through a manual review process by unmotivated people who have no incentive to do that work (apart from a colourful username).

It seems like we either need to move to unrestricted updates, or scale up the CDB team. This state of limbo and month+ long validations is not sustainable.

[RMcGirr83]

This state of limbo and month+ long validations is not sustainable.

It isn't just styles.

https://www.phpbb.com/customise/db/queu ... /extension

But extensions should be validated as security issues can be introduced...it just shouldn't take a month for some action.

[GanstaZ]

Hmm.. don't know much about style validation part, but most style updates don't have many changes, so validation shouldn't take a lot of time. Specially, if it's just an update for latest phpBB release.. If it is some other update, like bug fixes or modifications or additions, then it's another story as it may take more time to test it. Maybe with styles something could be done in so called auto way, but with extensions it is not that simple. There is always a way to lend a hand and help out the team with validations or to suggest an alternative way. Either people don't have much free time to test or there is not enough man-power to do it.. Hard to say.

[EA117]

I tend to agree with Christian's "trusted to want to release a quality product, and trusted to do something about it when an issue is found" as being a status that could warrant auto-approval. A status which of course could become revoked, too, when evidence to the contrary begins to exist.

I'm not sure whether the current prioritization is first-in-first-out or something else. But if auto-approval isn't something we're ready to warm up to, maybe total cumulative downloads of a style need to be treated as "votes" for what should be at the head of the validation queue? Meaning "If you only have time to validate one style submission, which one should it be?"

But auto-approval certainly seems like a lot less muss and fuss. We have a similar thing in Windows kernel-mode driver signing too, where we have to raise our right hand to Microsoft and promise that we will test everything to the best of our ability, and to be responsive to any issues that are found, in order for Microsoft to sign our drivers without actually going through the normal testing suite.

[david63]

One thing that has to be considered is that anyone can create a style (well anyone with the ability!) and post it anywhere on the Internet meaning that anyone else can download it and use it. Basically the same applies to any validated style.

The problem here is that we want to have it both ways - an approved style that can be updated quickly where there is a bug fix required. I also agree that with the majority of updates (not upgrades) that the changes to a style are minimal - in fact I suspect that in some instances it is literally changing the version number.

I would also hazard a guess that this is one of the reasons why some developers do not submit their styles to be validated.

However I can see the problem from phpBB's perspective that if they are putting their name to something then it has to meet their standards as even with "trusted" developers errors can creep in.

maybe total cumulative downloads of a style need to be treated as "votes" for what should be at the head of the validation queue?

Cannot agree with that. It would mean that someone creating a new style, be that a trusted developer or a new developer, could have to wait months to get validated which only leads to frustration.

The bottom line here is that there needs to be more testers/validators to get through the load quicker. Whether this is a problem with members volunteering or whether it is the selection process I cannot say.

Incidentally the same issues relate to the validation of extensions.

[PlanetStyles.net]

The problem here is that we want to have it both ways - an approved style that can be updated quickly where there is a bug fix required. I also agree that with the majority of updates (not upgrades) that the changes to a style are minimal - in fact I suspect that in some instances it is literally changing the version number.

I would also hazard a guess that this is one of the reasons why some developers do not submit their styles to be validated.

Absolutely. There are a few authors who submit their works to 3rd party download sites but don't bother submitting to the CDB.

And I'm not surprised. The most painful part of any phpBB release is not updating my themes, but trying to get them through the CDB. It is a long wait time, compounded by inconsistent reviewing where someone will find a colour that's slightly wrong, or a margin slightly out of line that's been present for the last 3 versions, or the logo.psd file was in the root directory instead of the contrib folder. Really big issues

It makes me wonder: In the context of styles only (I'm not qualified to comment on extension approvals), what is the purpose of the customisations team? I've sold over 5,400 commercial theme licenses with an average 5* rating. My free styles have amassed well over 400,000 downloads from the CDB alone (not counting phpBB3styles.net and others). So I consider myself competent enough to fix any issue that is raised and don't require coding guidance. And if the purpose is bug-finding, the power of many users will achieve that much faster than one single reviewer. Let's cut out the middle man and streamline the process for everyone. Please! Nobody is benefitting from the current arrangement.

However I can see the problem from phpBB's perspective that if they are putting their name to something then it has to meet their standards as even with "trusted" developers errors can creep in.

Well, unless it's an official phpBB style, I'm not sure what phpBB would be putting their name to. It's my name that goes in overall_footer for style attribution ¯\_(ツ)_/¯

[PlanetStyles.net]

It seems even the phpBB team have lost interest in reading the forums, as well as styles validation

[KaileyT]

It seems even the phpBB team have lost interest in reading the forums

Just because we don't post doesn't mean we aren't reading the forums.

[3Di]

It makes me wonder: In the context of styles only (I'm not qualified to comment on extension approvals), what is the purpose of the customisations team?

To approve or not to approve your submissions?

No one is better than another, whether or not they have sold a million copies or are the first to emerge in this free space.
If we then talk about "styles" I would have much more to add but I prefer to avoid useless and counterproductive comments.

[PlanetStyles.net]

To approve or not to approve your submissions?

Did you read the original post? Legitimate question.

[GTI]

You have a website, why not just publish your latest updates on it while waiting for them to be approved here.

I don't think the number of downloads can be relied upon as the number can be manipulated.

Things could do with going a little faster but letting people validate their own works under the phpBB brand is not the answer.

More validators is the solution but without any incentives it's hard to imagine many people wanting to do it.

[Gumboots]

You have a website, why not just publish your latest updates on it while waiting for them to be approved here.

Sounds like a practical solution, if policy on this site isn't going to change. The updates can even be linked from your sig.

More validators is the solution but without any incentives it's hard to imagine many people wanting to do it.

It's an excruciatingly tedious job.

[PlanetStyles.net]

You have a website, why not just publish your latest updates on it while waiting for them to be approved here.

It's something I've considered, along with also re-opening a styles in development topic to release styles while the others are waiting for validation. The problems are:

- Duplication of work
- It's not really a solution to the problem which is: Month+ long validations and no incentive for people to do the validation work

Things could do with going a little faster but letting people validate their own works under the phpBB brand is not the answer.
More validators is the solution but without any incentives it's hard to imagine many people wanting to do it.

I have to respectfully disagree. Consider ThemeForest as an example. Anybody who has sold over $75,000 is trusted with automatic updates, no approval. They sell themes for more or less any open-source platform (notably Wordpress), where the potential for security vulnerabilities is significantly higher than phpBB styles. If issues are reported and not removed, the items are removed from sale until the problems are resolved.

'Trusted' means: Trusted to update without approval, and trusted to resolve problems when they're reported.

If the CDB's report button is given a bit more prominence, then the role of the CDB team (at least for styles) can be re-scoped from reading lines of code, to: validating user reports and checking if the Author is doing something about that. Draft up some policies for when / how to engage with Authors, and define deadlines for item disablement if people are reporting bugs (actual bugs...like missing template events) that aren't fixed in a timely manner.

It is a proven concept that I have witnessed from nearly 5 years working at ThemeForest as a Customer Success Manager.

Literally everyone wins.