Suggestion Free Resource Guidelines

Discussion in 'Community Feedback and Suggestions' started by ShaneBee, May 15, 2019.

  1. I would like to suggest the implementation of guidelines for posting free resources.

    Something similar to how paid resources have guidelines, but maybe a little simpler.
    Something like:
    • 4 week old account
    • 50 posts + 10 positive ratings
    Why am I suggesting this?
    A few reasons:

    1) The main one in my opinion is to deter malicious plugins. I have noticed recently a few malicious plugins being posted, and of the ones I have seen they have either been from a brand new account (Im guessing a previous member created a new "alt" account, to post malicious code, in hopes of hurting other members but protecting their current account) or from older accounts with 0 activity since the creation of their account.
    I believe implementing this would help deter some of these new users. Who wants to make a new account and wait 4 weeks and have to post 50 messages just to be able to post malicious code? Probably none of them.

    2) I feel this will help deter a lot of the low quality/low effort resources. I have seen a fair bit of new plugins/scripts being posted lately that are just useless. Most of these come from brand new accounts. I think this is very common in the Skript community especially. These people create a new SpigotMC account and immediately post scripts with less than 1KB of data. This also happens for plugins as well.
    I feel that implementing this will help deter some of these people.
    I also feel that implementing this will help get "new devs" a little (or a lot) more active in the community.

    Thank you for reading,

    • Agree Agree x 9
  2. Send them to me ;)
    The more i have the better i can make my AntiMalware.
    As for the whole them not wanting to wait the time to post malicious plugins, you'd be surprised.
    • Like Like x 1
  3. I usually report them, and they get deleted right away

    Very true. I just feel like it would help deter them and weed them out.
  4. oof
    I mean, possibly? but lets remember that whole ForSoft thing
  5. Phoenix616

    Resource Staff

    I personally am not against some improvements around free resources and their submission (especially if it cuts down moderation work ;D) but am a bit sceptical if that would actually work with the suggested restrictions and not do more harm (e.g. by discouraging new devs to share their work and become part of the community). The requirements that you suggest are actually above what premium requirements used to be originally (30 posts and 2 weeks old account iirc) and I feel that even if you lower that requirement (e.g. to a week) it would still be awkward for new devs that just didn't have an account yet. (e.g. I wasn't active on the forum at all before my first resources)

    I think an alternative approach that could tackle at least some of the described issues a bit better would be to show a warning on resources/when clicking download if the resource author is new/not active in the community. (That would probably require a custom xenforo addon though) That way a user could be more aware that the resource might be malicious. (Of course that wouldn't remove small/spam resources but I personally don't see the harm in them. They would still be encouraged to be more active to get the warning removed already)
    • Agree Agree x 6
  6. I mean ya, some people might still wait, but the whole point is to try deter and cut down the amount of malicious as well as low end resources.
  7. Free resources do have to follow some of the rules that premium resources have to follow, but I agree that we need to have similar time/post requirements before allowing free resources to be posted.
    • Agree Agree x 1
  8. I totally get where you are coming from but here is something else I noticed

    1 - Person joins Spigot today, and posts a resource today.
    2 - Person logs off and never updates resource ever again.

    We are now left with an abandoned resource. I have seen this many MANY times.

    I totally get that you feel it might deter new devs from posting, but I do feel, if you are wanting to start developing new plugins, you MOST LIKELY already have a spigot account.
  9. Agreed, things like plugins that do nothing, only print enable/disable messages and that's litterally it, straight up don't work, etc..etc..etc..
    Stuff like that should be dealt with
    • Agree Agree x 1
  10. 1 - Person joins Spigot today, sees resource requirements
    2 - Leaves spigot due to not wanting to wait that long
    1 - Person joins Spigot today, sees resource requirements
    2 - waits until requirements are met
    3 - posts resource
    4 - never updates it again
  11. Not even necessary posting a resource, but posting a preview. There was one a while back that was a very small .zip file as the download and inside had a text file that said coming soon. I asked about it and they said they’d upload it later that day. A couple months later and it’s still a placeholder.
    • Agree Agree x 1
  12. As this is 100% a possibility, I personally think that percentage would be very small.
    Like I said, I really feel if you are planning on developing new plugins, you most likely already have a spigot account.
    I personally do not understand why someone would start working with developing for MC and the BukkitAPI without ever having a Spigot account... to me that makes 0 sense.

    Very true, could very well happen, I just feel this would help deter/cut down some of these issues.
  13. or it would cause more issues *shrug*

    Edit: Another thing, when it comes to free plugins, i try checking every update & new resource. The main reason malicious resources stay as long as they do is because of slow response times. I've seen TWO malicious resources stay on spigot a day+
    Like, if i were a staff that could ban users & delete resources, i'd be able to deal with those quickly, and the chances of you ever finding a malicious resource would go down considerably, however due to me only being able to report a resource, you'll end up seeing them, at least until a staff member gets around to deleting it..
    #13 Optic_Fusion1, May 15, 2019
    Last edited: May 15, 2019
  14. I personally don't think low quality resources is the main problem. After all, them just sitting in the database doesn't really hurt for the end-user. The only time it is annoying is when you're looking for a good quality plugin and need to go to page twelve to actually find a decent one.

    I personally think better searching options would be a much better alternative than blocking plugins by some abstract criteria. After all, it's definitely possible that a user joins Spigot and uploads the best resource mankind has ever seen, it's just not that common. If you can more precisely specify what type of plugin you want, e.g. specify when the last update should have been, how many downloads it should have at the minimum, when the plugin was posted, etc. would fix the problem. After all if I'm then looking for, say a skywars plugin, I can just specify that it should be older than a year, have at least a 1,000 downloads and the last update should have been between now and one month ago. That way I know that in the list of resources I get presented, they are at least actively maintained (unless this was their last update, but I don't really see a way to prevent that), the plugin has been in development for some time and it has gained a decent amount of downloaders. You can probably come up with more filter options, but these are just some I came up with.

    This way, you can still easily find good plugins and people can still upload their plugins, even if they are low effort. You also don't get additional spam on the forums, because people need 50 posts to upload their plugin.
    • Agree Agree x 1
  15. Spigot really needs something like this to act as a buffer against poorly-made or malicious resources.

    I definitely see this as an especially good idea for 'Skript' resources.

    Currently, under most recent updated for Skript, I see:
    • 17 resources that are under 20 lines
    • 8 resources that are under 5 lines
    • 2 resources that are actually just uploads of the examples generated when you run the plugin (this happens a LOT)
    • Even more that flout basic conventions
    While, yes, it is a problem for plugins, I see this as being a larger problem for the Skript section since it is SO quick to make one, and it requires only a basic understanding of the English language (and not even that, if you're copypasting).

    Lots of Skript resources get uploaded by people who are new to the system, think they've had a brilliant idea, upload it, get bored and then forget about it.
    People then download them, complain about them, and flood the Skript support discords asking why they aren't working. What's more, these resources often encourage people to download outdated dependencies, use bad methods and otherwise cause trouble.

    Obviously, even if you had to wait a couple of weeks before posting, some bad Skript resources could get into the system. But a delay would allow people to lose interest and move on without posting their new 4-line "command blocker" that stops people using /plugins and nothing else.

    On top of this, it's so easy to make a malicious plugin/skript.

    Somebody could bury a force-op or some sort of command running method deep inside a complex Utils class that nobody scrolls through, triggered by some special circumstances inside an event-listener. Even better, they could make a "servers using this plugin" list to get a list of vulnerable servers. That technique could go undisturbed for months before somebody reported it.
    What if they get banned? They can just rinse and repeat on an alt.

    Clearly, this wouldn't keep out all the trolls, but it would at least slow them down if they had to get a minimum rep on all their alts.
  16. Only if there was an AntiMalware that would detect this stuff *looks at AntiMalware resource*
    Only if there was someone who vetted free plugins *looks at self*

    Edit: All i need is the ability to delete resources and ban people xD
    #16 Optic_Fusion1, May 16, 2019
    Last edited: May 16, 2019
  17. While a policy like this may cut down on low-effort resources, it's also important to acknowledge that many resource authors only have accounts here specifically to post their resources. So if a threshold to post free resources is implemented, I would hope it only applies to newly created accounts and existing resource authors be allowed to continue under the current guidelines. I also think it would be appropriate to have exceptions for open source developers who aren't necessarily interested in posting to the forums (hello lurkers).
    • Like Like x 1
  18. What should be implemented is something similar to what Phoenix616 stated; in addition to warning users if the author is not generally active or new, the abandoned/graveyard/inactive status should be applicable to free plugins just like premium ones. They shouldn't be removed after some time, but abandoned/graveyard/inactive plugins shouldn't show up when searching for plugins, unless explicitly specified. If an author's plugin were marked as abandoned/graveyard/inactive, then they should have the option to make it "active" somehow without having to push out an update.

    This would make sure plugins that are being cared for are easily accessible to the public, and ones that are abandoned/graveyard/inactive will not clutter up search pages. Plugin authors should also have the option to move their plugin to the graveyard, and plugins shouldn't stay active just because the author goes online every once in a while.
    • Agree Agree x 3
  19. What if this plugin works perfectly fine, even after updates?
    • Agree Agree x 1
  20. Why doesn't Spigot just use something like Virus Total or something else that have an API for automated free resource moderation? They are free so I would trackling it from the back is the way to go. While the staffs have more time to dedicate for free ones that are "flagged" and/or to divert to "paid" resources. There just you would have to pay a dev for the add on, put up thesholds and boom goes the dynamite as they says.