Suggestion: WHMCS approved mods database


OK I'm thinking off the top of my head with this but I think this would be quite a good idea.

 

We are seeing more and more mods and addons being written for WHMCS, many of which are excellent extensions to the system, and they are all grouped into two separate forum areas.

 

My suggestion is a simple one and carries a couple of big benefits in my eyes.

 

Firstly I suggest that they are all categorised into a database style system to make locating a mod or addon easier.

 

Secondly, and this I feel is the important one, mods that are encrypted are verified as safe to install by WHMCS staff. This will give users who want to implement the mod peace of mind, especially with admin side mods, and it would also give the developers extra kudos by showing that their mod has been approved by WHMCS.

 

I have no problem at all with encrypted/encoded mods but I'm daily seeing some good stuff coming out that will not see the light of day in our admin area because I have no way of knowing if the code is doing "something naughty" in the background ;)

 

In 99.999999% of cases the mods will be genuine and I'm not in the slightest suggesting that any of the existing mods are anything but genuine but this would really give the developers and users that stamp of approval that carries a lot of weight.

 

Thoughts?

Link to comment
Share on other sites

Excellent ideas all. Perhaps a new category within the WIKI could be used for "WHMCS Approved"/"Compliant"/fill-in your own adjective, for downloads - along with instructions by the developer for their application, installation and use (which would set a standard for inclusion in the wiki).

 

In saying this, I'm suddenly not sure if the wiki is the best place - if I place a file in it, can someone come along later and replace the file with one of the same name but with a different purpose?

 

Then again, the wiki would just be a repository of the purpose of the mod, with a link to the actual download site, wouldn't it?

 

Thoughts?

Edited by Zorro67
Link to comment
Share on other sites

The Wiki would be a sensible place but I would have said if a new release of the mod came out, only whmcs staff could edit the article. If the download was hosted on the whmcs server and could only be updated by whmcs staff then that would also protect the integrity of the file.

 

I realise this means a slight increase in workload for whmcs staff but they would be able to verify a file a lot quicker than most as they already know the system backwards...

Link to comment
Share on other sites

That works for free mods, but not paid ones, of course.

 

The other obstacle that I see is some mod creators have a mix of free and paid - a method which, by the way, I fully support. Often the paid mods support the development of free mods, or are "loss leaders", or might be developed whilst a paid one is being worked on.

 

So giving fair recognition is worthwhile.

 

I note that Joomla does it well - just lists all, in categories, and defines the licence type (GPL, commercial etc.) in both the short summary, and in the full description. Check out http://extensions.joomla.org.

 

I cannot say if the Joomla mods are in any way tested or approved, although I think they rely on a certain level of authority/activity for submitting a mod.

Link to comment
Share on other sites

That works for free mods, but not paid ones, of course.

 

The WHMCS team could verify the code, encrypt it and put the md5 of the files in the wiki.

 

The developer can then distribute the code as they wish, and users can verify it against the WHMCS checksums for its validity.

 

Not 100% secure, but offers an extra level of protection.

 

However I'd expect WHMCS to charge a fee for this :)

Link to comment
Share on other sites

This is needed, and would allow WHMCS to expand, allowing its community to also grow - making it more appealing to a wider range of audiences. It doesn't even have to be limited to modules related to WHMCS.

Link to comment
Share on other sites

Well if it was a commercial addon I don't think the developer would begrudge a percentage to whmcs for having them validate and approve it...

 

I entirely agree- if it wasn't for WHMCS they wouldn't have an addon in the first place 8)

Link to comment
Share on other sites

Well if it was a commercial addon I don't think the developer would begrudge a percentage to whmcs for having them validate and approve it...

You're damn right there... particularly when most are very low priced to start with. Paypal and other Merchant fees take enough of the payments now.

 

Unless everyone wants to pay extra for mods or addons because any costs incurred would have to be passed on obviously.

Link to comment
Share on other sites

The WHMCS team could verify the code, encrypt it and put the md5 of the files in the wiki.

 

The developer can then distribute the code as they wish, and users can verify it against the WHMCS checksums for its validity.

 

Valid, but still I fail to see how the developer gets paid. Looking at Sparky as an example, about half his stuff is free and half is paid. Contributions like his accelerate the development of WHMCS in a whole range of areas. Just take a look at the number of available invoicing and statement options available.

 

However, these guys aren't going to do all their dev for free, just as Matt doesn't.

 

Personally, I'm happy to spend some dollars to get extra functionality that adds value to my customers or my business, especially as that instead leaves me free to make more money by focussing my time in other areas.

Link to comment
Share on other sites

You're damn right there... particularly when most are very low priced to start with. Paypal and other Merchant fees take enough of the payments now.

 

Unless everyone wants to pay extra for mods or addons because any costs incurred would have to be passed on obviously.

But conversely I would pay more for an addon that had been approved by WHMCS. At the moment I won't even consider an encrypted addon for the admin area regardless of how good it is or the price.

 

I'm not expecting this to happen for free, everyone needs to make some margin, but a percentage paid to whmcs could be easily recouped by a stamp of approval.

Link to comment
Share on other sites

I personally do not think whmcs should allow encrypted addons...

 

When something goes wrong they can be held accountable as they are distributed on whmcs forums (which would be considered approval)....

 

It's not only a matter of security against the developer but who's to say how secure the code is from others and what vulnerabilities are there that we can not see.

 

Have nothing against people making money off mods but who's held responsible to ensure the code is safe, if the code is not encoded then of course the end user would be responsible as there is nothing hidden.

 

You could always purchase the whmcs licensing addon to ensure only paid users are receiving the files...

 

 

Anyone could easily look at all the encrypted files and decide to make their own versions that are not encrypted and guess what? The encrypted ones will no longer sell. (If I had the time I would do it myself :twisted:)

 

My point is, there really is more reason to not encrypt than there is to.

Link to comment
Share on other sites

I personally do not think whmcs should allow encrypted addons...

 

When something goes wrong they can be held accountable as they are distributed on whmcs forums (which would be considered approval)....

 

It's not only a matter of security against the developer but who's to say how secure the code is from others and what vulnerabilities are there that we can not see.

Precisely the reason why being WHMCS approved would increase security and trust.

Anyone could easily look at all the encrypted files and decide to make their own versions that are not encrypted and guess what? The encrypted ones will no longer sell. (If I had the time I would do it myself :twisted:)

 

My point is, there really is more reason to not encrypt than there is to.

Possibly but why take the time to reverse engineer an application? The primary reason the mods are encrypted is to stop others ripping off their work. Hence why WHMCS itself is encrypted.

Link to comment
Share on other sites

openmind,

you have been on the soapbox about this for a while now and I asked you before how do you know that whmcs isn't calling home with your important information,

for that matter how do you know that the OS on your desktop isn't doing the same thing....

 

who is supposed to validate that whmcs or modernbill or any other software isn't doing naughty stuff in the backend.....

 

 

please remember that this is a computer, and the only way to be really safe is to unplug the thing, scoop out the guts and use the monitor as a fishbowl.....

Link to comment
Share on other sites

I don't know that whmcs isn't doing something naughty in the background but the fact that they are a legitimate company serving thousands of users for the past several years is enough justification for me.

 

Plus it saves me wrapping my head in tin foil to "keep the voices out" :roll:

Link to comment
Share on other sites

scoop out the guts and use the monitor as a fishbowl.....

I have one of these... the fish love it.

 

I don't know that whmcs isn't doing something naughty in the background but the fact that they are a legitimate company serving thousands of users for the past several years is enough justification for me.

When was the last time you scanned through your server logs. If there was something naughty going on it will be logged on your server.

 

Don't you think that most of the other developers on this forum have a legitimate business as well. Have you actually checked them out.

 

Out of all the developers on this forum,

Who would you classify as fair dinkum and why?

Link to comment
Share on other sites

I have one of these... the fish love it.

 

 

When was the last time you scanned through your server logs. If there was something naughty going on it will be logged on your server.

On a very regular basis believe me...

Don't you think that most of the other developers on this forum have a legitimate business as well. Have you actually checked them out.

 

Out of all the developers on this forum,

Who would you classify as fair dinkum and why?

I'm not saying they don't so please don't try and turn this into a personal issue. As I stated right at the top of this thread, I'm not doubting any of the developers in the slightest but until an encoded mod has been officially endorsed by the developers of the system, I personally wouldn't use it.

 

That is my view, I'm not saying everyone should agree. If anything this thread is to help development, not hinder it.

Link to comment
Share on other sites

Valid, but still I fail to see how the developer gets paid.

 

The developer distribute their app as they see fit, charging for it what they want etc..

 

Users of the app can verify its files against the md5 whmcs produce after confirming the code as safe..

 

Sorry if I didn't make sense the first time,

 

Ben

Link to comment
Share on other sites
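The checksum check Ben describes in this thread (the reviewer publishes a digest for each file, and users compare their copy against it), as an added example that is not part of any post and is not WHMCS code. It uses SHA-256 where the posts say md5, because MD5 collisions are practical; the addon file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large encoded files are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Reviewer side: map each file's path relative to root to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full, algo)
    return manifest


def verify_install(root, manifest, algo="sha256"):
    """User side: compare an unpacked addon with the published manifest."""
    actual = build_manifest(root, algo)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample addon: verify it clean, then after tampering."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hooks"))
        _write(os.path.join(root, "example_addon.php"), b"<?php /* encoded v1 */")
        _write(os.path.join(root, "hooks", "invoice.php"), b"<?php /* hook v1 */")
        published = build_manifest(root)  # what the reviewer would publish
        clean = verify_install(root, published)
        _write(os.path.join(root, "example_addon.php"), b"<?php /* encoded v1, altered */")
        os.remove(os.path.join(root, "hooks", "invoice.php"))
        _write(os.path.join(root, "hooks", "helper.php"), b"<?php /* never reviewed */")
        return clean, verify_install(root, published)


if __name__ == "__main__":
    print(demo())
```

A matching digest only shows that the file is the one that was reviewed, so the manifest has to come from a location the addon's distributor cannot edit.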

for that matter how do you know that the OS on your desktop isnt doing the same thing....

firewalls, spyware remover, virus scanners, updates, security patches, companies spending millions to deter viruses etc... etc...

 

 

The suggestions made are equivalent to a firewall...

 

Let's face it most people are utilizing whmcs for business purposes, with a brick and mortar business we wouldn't have packages sitting around that we don't know what's inside, we wouldn't leave people in the store alone, we wouldn't leave the doors unlocked all night.

 

Using an encoded addon to me would be the equivalent of letting someone that walked in my store and said hey if you let me sleep here tonight I will clean up some.

 

Do you trust the guy? What happens when you go into your store in the morning and it's cleaned out?

 

What happens if the place is burnt to the ground because he dropped a cigarette?

 

These addons usually have access to the admin area or the client details, which in turn have access to payment gateways, financial records, servers etc...

 

To me it's not a matter of being paranoid, it's a matter of being online long enough or in business long enough to know, you don't just trust anyone.

Most businesses now do background checks even to get a job what measures are we talking to ensure user contributed code is secure?

Link to comment
Share on other sites

I don't trust anyone blindly,

 

we run ALL mods through a development site that's totally separate from our live site, with its own dummy database and we do the smartest thing that you can imagine..

we monitor what's going on,

we also don't keep the admin in a common area, or under a common name,

we only let IP validated users into the admin areas......

 

So YES I trust the author of the enom mod... and I trust his mod.....

 

rather than whine about the fact that it's encrypted, monitor what it does or DON'T use it....

 

Life is simple, no one is twisting your arm....

 

 

firewalls, spyware remover, virus scanners, updates, security patches, companies spending millions to deter viruses etc... etc...

 

 

The suggestions made are equivalent to a firewall...

 

Let's face it most people are utilizing whmcs for business purposes, with a brick and mortar business we wouldn't have packages sitting around that we don't know what's inside, we wouldn't leave people in the store alone, we wouldn't leave the doors unlocked all night.

 

Using an encoded addon to me would be the equivalent of letting someone that walked in my store and said hey if you let me sleep here tonight I will clean up some.

 

Do you trust the guy? What happens when you go into your store in the morning and it's cleaned out?

 

What happens if the place is burnt to the ground because he dropped a cigarette?

 

These addons usually have access to the admin area or the client details, which in turn have access to payment gateways, financial records, servers etc...

 

To me it's not a matter of being paranoid, it's a matter of being online long enough or in business long enough to know, you don't just trust anyone.

Most businesses now do background checks even to get a job what measures are we talking to ensure user contributed code is secure?

Link to comment
Share on other sites

So YES I trust the author of the enom mod... and I trust his mod.....

rather than whine about the fact that it's encrypted, monitor what it does or DON'T use it....

 

Do what you wish, this thread had nothing to do with a specific mod...

 

Trust is one thing...

 

A year down the road when your customers have you in a lawsuit because of a vulnerability that was in one of the mods left access to a hacker that now has all the credit card information, you can come back and tell us how you monitored it before putting it on a live environment. Are you gullible enough to think that there is no way that there could be code in the files that would even two years down the road when the "person" decided they've collected enough.

 

If you think that monitoring something is going to make it safe you need to do some research. I suppose that all those sites that get hacked every day haven't monitored the site.

 

This really isn't an argument, they are known facts that things DO happen and WILL happen continuously....

 

If there are extra security measures that can be put in place to ensure that it is less likely to happen to me then why would I not be smart enough to take those measures?

Link to comment
Share on other sites

my question is,

IF they give you the code are you even able to see if it has a vulnerability...

 

and for the record, EVERYTHING that happens in the server in and out is recorded IF you know how to read the log,

 

and Please note that we run everything on a test site FIRST.....

Link to comment
Share on other sites

I have a simple answer to all the "tin hats";

*dons flame suit*

 

I have better things to do with my time (and company reputation) than try and steal your data. My mods are as they are, and my experience and 300odd no 400 post count should count for something. I encrypt them to protect myself, just like people get patents.

 

Everyone craps on about how whmcs is developed too slow and how you never get what you want when you want it. Do you think that giving matt et al extra work will speed this up some more?

 

You have a choice;

buy it, get the benefit and be grateful.

Don't and stop crapping on that we're all out to get ya!

 

tbh this is all getting a bit petty lately.....

 

</rant>

Link to comment
Share on other sites

my question is,

IF they give you the code are you even able to see if it has a vulnerability...

 

and for the record, EVERYTHING that happens in the server in and out is recorded IF you know how to read the log,

.

Of course I would see the vulnerabilities

 

Log entries can be deleted as well so your ultimate protection of seeing what happened after the fact is not all that impressive either.

Link to comment
Share on other sites
