Question

A new "difference in opinions" has started on twitter.
A few highly valued developers are starting to remove their extensions from Magento Connect on the reason that non-technical people should not install extensions.
Other developers don't agree with this reason.
I'm asking this because I consider both sides somehow valid.
Since 140 characters are far fewer than needed to explain the reasons, why not centralize them in here.
This way technical and non technical people can read them.
I know that the answers will be primarily opinion based, but I promise to close this question once some views are expressed.
Or, if a moderator considers this would be better suited on meta, this can be moved on meta.

Solution

I think that removing extensions on MC is a bit too extreme. Connect is not just for merchants but for developers as well (I love the upgrade feature). But I agree that people without the right skills should not install extensions as they are seldom compatible with used themes, there are too many potential conflicts and more often than not it'll cause totally unnecessary bad blood between merchant and (free) extension provider. Or between merchant and site developer.

People, building stores is like making music -- best left for professionals.

OTHER TIPS

Extension Installation & the Consequences

The idea of having an extensible system is great, but as we developers know, it's not that simple. Many things can (and, unfortunately, do) go wrong.

Overview

I'll start with a list of issues potentially caused by installing extensions. Then, I'll make my main point and state the conclusions I personally make from all that, and finally I'll suggest a solution. (This will probably get long, apologies in advance. I'll try to write as little as possible and still cover the topic.)

So to get started, here is a list of common issues found due to extension installation.

Security

No code review is done before an extension is accepted on Magento Connect. As a consequence, many extensions contain vulnerabilities. There are many reasons, such as inexperienced or lazy developers, use of vulnerable third party code, and some extensions even contain maliciously harmful code. Remote code execution, SQL injections and downtime are a reality. The consequences are lost customer data, lost payment credentials, lost revenue, lost time and lost trust.

Performance

An extension can work fine on one site or on a developer instance, but with a different catalog or customer base, it can cause serious performance issues. There can be many concrete reasons ranging from inefficient loading of entities, unoptimized SQL joins, a high number of ajax requests, a high number of attribute options or attributes, and many more. As every merchant can tell us developers, performance matters. This costs a merchant revenue.

Conflicts

Even just two extensions, even when developed using best practices, can conflict. This is mostly due to the way the Magento framework merges configuration XML. In the best case these conflicts are visible via a stack trace or a blank screen, in the worst case the site exhibits strange and hard to debug behaviour. A merchant won't be able to fix the issues and make conflicting extensions coexist without the help of a developer. This costs time and money.

Upgradability

Not upgrading is no option, if only for security reasons. Extensions need to be maintained, as individual code bases and as part of the Magento framework. If an extension is being used and the original developer happens not to continue to maintain the extension, some other developer has to take over. Not having a developer often makes it impossible for a merchant to upgrade, which in turn leads to sites being slower than they have to, security issues being exploited and thus lost revenue.

Extensibility

Adding new features to an existing site gets more and more complex and thus expensive, because each extension in the system adds its technical debt. The overall debt is much larger than each individual extension since the combined complexity is also larger than each one on its own. Not being able to easily experiment with new features and changes causes a merchant a lot of lost revenue.

Uninstallation

The following things cause breakage in Magento when uninstalling an extension:

  • Database records referring to a class in the uninstalled extension (for example indexers or attribute backend models). Even extensions following best practices are prone to this.
  • Uninstalling extensions that overwrite core code leaves Magento missing the original file. This of course only happens if an extension does not follow best practices, but it is a fact that many extensions are bad.

Site breakage of course costs money.

Magento Connect

Given the list of issues above, how on earth can anybody expect a non-developer to install an extension and evaluate if it works on a given site?

There is no guaranteed clean uninstall, so often a broken installation can't even be repaired. The only option is to make a complete backup beforehand, and then do a manual rollback if something goes wrong. Can a non-technical person do that? In my experience, no.

Let's assume everything looks okay. Does the merchant know everything is okay?
What about security? What about performance issues? What about upgrade issues?
There is no way a non-developer can evaluate these things.

The message Magento Connect communicates is that it is easy to extend your Magento store by installing Magento without a developer. It might be handy in a sales pitch to tell someone that is the case, but it simply isn't true.

What I experience mostly is that in communication the need for a developer is simply implied and not communicated. As a consequence many store owners break their store by installing extensions. That costs money, time, nerves, and Magento and developer reputation.

I like my classes to have an explicit interface, and I believe it would be good if the developer requirement for Magento would be communicated explicitly, too.

Conclusions

This is not good for the ecosystem at all, even if fixing broken sites provides income for some Magento developers. The same money could be used to create real value for the merchant's customers.

On Twitter someone said that merchants are grown-ups, who can decide on their own if they install an extension or not. I disagree. If a merchant isn't a developer at the same time, he can not decide on his own.

Magento Connect shouldn't make it easy for non-technical people to shoot themselves in the foot.

Personally I'm sick and tired of seeing fucked up Magento installations due to extensions. I much prefer to create things than just clean up a mess.

I'm thinking about removing my extensions from Magento Connect because I don't want to support the flawed idea any longer.

Solution

In my opinion the solution is easy and cheap. It is not about creating yet another new Extension Marketplace, commercial or free. This is not a technical issue, it is all about communication.

If Magento Connect would state it is a developer resource, and that extensions should be reviewed before installation, and that only developers should install extensions, this would be a non-issue. Merchants that still install extensions do so knowing the risks.

So here are three simple steps that would make Magento more merchant friendly:

  1. Remove the option to install extensions via the Magento Admin interface (e.g. the downloader).
  2. State clearly and visibly on Magento Connect that it is a developer's job to download, review and install any extension.
  3. Educate developers to do a full review of any extension to be installed on a site.

Finishing words

I love sharing extensions. I love open source. I think the Magento Developer Community is awesome!!
Reviewing extensions is a great way to learn. Magento Connect isn't bad, just the message it projects to non-technical people.

Each Magento site is an application. It is unique and needs to be treated as a unique development effort.

It should be the general consensus in the ecosystem that extensions can be useful, but installing them more often than not will require code to be written or modified, and thus require a developer.

EDIT: I posted some less technical background information on my blog.

We have had many clients install extensions via Connect, and I'm aware of many thousands of sites using our extension successfully as a result. Connect needs a revamp, everyone is aware of that. But as technology solution providers we should be making our products ever easier, and my ultimate goal at WebShopApps is to reach a point where a merchant can install, uninstall and use an extension without having a developer involved, and I would hope the next version of Connect goes some way to support that goal.

We need an App Store. Because then it will enable developers to be developers, focus on our strengths there, rather than having to build out our own website, support, marketing, etc when we first start up. And this will encourage innovation, and ensure a central place for merchants to learn about the newest, best and all in between.

Clearly there are a great number of extns that need developer help, and indeed extn provider help, if we could explain that in an easier way would be great (e.g. difficulty of install/setup/target market/etc). But there are many plug/play extns as well, we should not stifle these.

Maybe this is Utopia, I'm not sure, but shouldn't we always be aiming for better? I personally truly believe in enabling merchants. They want to do this, they want to be more in control sometimes (not always), and if you have to pay a developer every time you want to try something out that's wrong IMO. This should be at the very heart of SME growth strategy for Magento.

I could go on but I won't. I don't think there is a war going on tho ;)

After reading other people's opinion I decided to write my own.
I will not accept this answer because I promised so. :)
I only have one extension published on Magento Connect (MC), because of the latest policy it has.
I'm a developer and I only know how to develop.
I have no artistic skills at all, the only thing I know about Photoshop is that it exists and you can do "stuff" with it.
In my opinion, MC has become too merchant oriented. When submitting an extension I have to upload a nice picture as the extension logo. I have no idea how to create one and no one offered to do them for free.
So I'm limited to publish my extensions on github. Non technical people don't go on github.
I agree that there is a problem with the way MC works and it is presented right now, but it represents a respected authority and a valid source of extensions.
I know there are a lot of shitty extensions, but for sure the people that created them will not take them off just because non technical people install them.
I see that trusted developers like Vinai or Tim are taking the extensions down. This is not a solution for the ecosystem. It makes it worse. But indeed there is a solution for the individual that is tired of getting complaints about their extensions from people that don't even read a "how to" file or at least what the extension does.

In my opinion education is better than restriction.
Especially education about restriction. :) Developers should disable Magento Connect when deploying a website. It's simple. Just create a file app/etc/modules/Z_z.xml with this content:

<?xml version="1.0"?>
<config>
    <modules>
        <Mage_Connect>
            <active>false</active>
        </Mage_Connect>
    </modules>
</config>

Then just remove the downloader folder from the Magento instance.
Teach clients that using an extension does not mean to just install it. It requires a review from a technical person.
These are my 2 cents.
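
The two steps from this answer, written as a deploy-time script with a check that can run in CI afterwards. This is an added example, not part of the original post; the function names `disable_connect` and `audit_connect` are hypothetical, and the Magento 1 document root is passed in by the caller.

```bash
#!/usr/bin/env bash
# Added example: disable Magento Connect on a Magento 1 root and verify it.
# Function names are hypothetical; the root path is supplied by the caller.

# Apply the two steps: write the module override, then remove downloader/.
disable_connect() {
    local root=$1
    # Refuse to touch anything that does not look like a Magento 1 root.
    [ -n "$root" ] && [ -d "$root/app/etc/modules" ] || return 2
    cat > "$root/app/etc/modules/Z_z.xml" <<'XML'
<?xml version="1.0"?>
<config>
    <modules>
        <Mage_Connect>
            <active>false</active>
        </Mage_Connect>
    </modules>
</config>
XML
    rm -rf -- "$root/downloader"
}

# Print one finding per line; return 0 when clean, 1 when something is left.
# Limitation: this only checks that some declaration file disables
# Mage_Connect; it does not model the order in which Magento merges files.
audit_connect() {
    local root=$1 f body disabled_by="" rc=0
    [ -n "$root" ] && [ -d "$root/app/etc/modules" ] || return 2
    for f in "$root"/app/etc/modules/*.xml; do
        [ -f "$f" ] || continue
        # Flatten whitespace so the element may span several lines,
        # then keep only what sits inside <Mage_Connect>...</Mage_Connect>.
        body=$(tr -d ' \t\r\n' < "$f" |
               sed -n 's:.*<Mage_Connect>\(.*\)</Mage_Connect>.*:\1:p')
        case $body in
            *'<active>false</active>'*) disabled_by=$f ;;
        esac
    done
    if [ -z "$disabled_by" ]; then
        echo "FINDING: no file in app/etc/modules sets Mage_Connect inactive"
        rc=1
    fi
    if [ -e "$root/downloader" ]; then
        echo "FINDING: downloader/ is still present"
        rc=1
    fi
    return $rc
}
```

Running `audit_connect` against the released build catches the case where a later deployment or an extension package restores `downloader/` or drops the override file.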

I think it's really up to the developer - removing your extensions from connect attempts to force people to better manage their codebase as they can't install from admin, but at the same time means they are that much less likely to actually find the extension in the first place. Ultimately people are going to have their stores developed exactly how they want whether that be using connect or FTP to install extensions, or using the better repository -> deployment setup and the lack of extensions on connect is not going to force their hand either way. I'm essentially of the opinion that you are just rather shooting yourself in the foot by removing them from connect.

We are forgetting how excellent 'Connect' was when Magento first came out. It showed that Magento was a developer platform rather than one of those open source projects that nobody uses. Although 'Connect' was useful for ensuring Magento gained adoption, time has moved on and I think that people expect to be a little less 'happy go lucky' with extensions nowadays.

Personally - as a 'developer' - I prefer to check over an extension's code and check it in on version control. 'Connect' should be more like that - you download the tarball or git clone.

I am with @karen in enabling the retail end users and not 'hiding' developer things from them. Apart from anything else, a little bit of transparency keeps developers honest - 'it is going to take a week to develop this module with another week to test...' this might be true but the reality check is when a similar module is available on 'Connect' it then becomes harder to justify xxx hours on something.

With modules such as those written by @karen's team I would prefer these written and tested by others modules on 'connect' installed by an 'end user' to any random developer code (unless written by Vinai) that requires a 'developer' to install.

We (ebizmarts) have removed extensions from MagentoConnect in the past, over the years we've only kept the ones we are willing to support and are financially viable to us. By accepting these basic rules, we were able to keep support under control and merchants/developers happy.

MagentoConnect as it is right now, only works for listing, discovery, and eventually developer rating (gray area here, Karen left it clear at MMNYC). We need a better Marketplace, curated, validated, and with strong quality policies, and even having that, we'll still face issues like the ones described here, it's in our nature creating problems, for whatever reason, bad things will keep happening, and not necessary because of merchants' fault, we all know that a bad developer is 100x worse than a "Magento illiterate" merchant.

I believe in free will and free market. Developers are free to use or not use MagentoConnect, merchants (as long as they are aware of consequences), should not mess up with developer exclusive tasks (like installing extensions). Removing an extension from MagentoConnect will make the market to promptly replace it (yes, Magento is that big), and the new option, might or might not be better or cause less trouble to merchants than the previous one.

There's no simple nor unique solution to this issue, but I agree that improving communication and putting some restrictions in place to make it a little bit harder to merchants to install an extension would help (a simple check list of tasks to do before installation like backups, developer code review, test on DEV site, etc... would do the trick).

I don't think that removing extensions from MagentoConnect would help to make this world a better place for merchants, but we, developers, should keep only the extensions that we are eager to support and improve, and, we have to take the lead on communicating good practices, that's on us as a community.

Non technical stakeholders should not install extensions in my opinion.

Magento Connect is not the App Store and the approval process is not as consistent as I think it should be regarding quality.

Magento Connect might be a good place of reference, but most of the times an extension does not provide a 100% match of the requirements. Maybe a good idea is to control Magento Connect via ACL so we don't go to the extreme of removing the extensions from the official platform marketplace.

In my personal experience I have a couple of paid extensions and one free which is both in Connect and in GitHub, being the one in GitHub more advanced in terms of features. GitHub repo is in the description in Magento Connect. It has not stopped the users to download the extension and see the code at the same time and also to make forks and pull requests with new features.

It really depends on how much work a developer wants to put into making his extension fool proof, how much time they are willing to spend with support and whether or not they demand a fee for the extension. So if you think your extension should not be installed by non-technical people, take it off connect if you like, but I cannot agree to a general notion that all extensions would be too demanding of technical skill for average users.

Some merchants/amateur developers are confused by Magento Connect (MC) into thinking that MC serves as a sort of app store for Magento.

For example, at MC they can find and install extensions which may claim to add some feature to their Magento site but MC/extensions typically say little to nothing regarding the potential extension/module conflicts, security risks, speed issues, later developer costs and loss of revenue that installing the extension may cause to their Magento store.

The ignorant merchant installs WHATEVER extension to their live site to add some feature. Eventually at some upgrade cycle or new business need, some future developer has to be called in to sort through the resulting mess of code, potential security risks, and tangled extensions. The developer must then inform the merchant that all of the extensions he/she installed on MC were conflicting with each other, slowing the site to a crawl, potentially exposing customer data, destroying the site's UX all while killing sales.

Perhaps the warnings directed towards merchants thinking of adding an extension from MC should be larger and more imposing, with another layer of disclaimers added.

The Magento community could really benefit much more from MC if there were an active, more visible extension review/discussion process in place. Extensions which are peer reviewed/tested or higher rated/reviewed should be promoted and displayed first. A more prominent honor/badge system, as we have here on SE would assist as well.

It is helpful for the community to have MC, but it needs definite refinement. Hopefully refinement happens before the reputable extension developers leave MC for good.

Always consider that Magento Community Edition itself is free for everyone without an officially given warranty and I think (as a merchant), it is one of the most important reasons for Magento's popularity to be the world's most comprehensive (free) shop software not least because of the great amount of easily accessible extensions at Magento Connect.

Magento-specialised developers might have an isolated view on their (not unrivalled!!) shop software, but as a little Start Up merchant you weigh each shop software against another before starting your project and the largest danger for Magento would be to become unpopular, and that definitely happens, if access to the most important source for extensions Magento Connect would be restricted.

In this case never completely differentiate between professional developers and ("tech-savvy") merchants. You do not always have to study "10 years" computer science to run your own web shop (certainly, a lot of knowledge is needed indeed to be able to assess the whole system) but I for example work with two well made books to set up my own store. In those (developer-written) books many extensions are described with their advantages, disadvantages and risks for the system, so why prohibit me from those (well known) extensions?

It is also completely unrealistic to hire a developer each time you want to install extensions you perfectly know, only because you don't have access to them. A merchant has to work economically! It is your own store, it is your own responsibility and it is NOT impossible to inform yourself about the risks of what you want to do.

So let's keep Magento CE what it is: The world's most powerful ecommerce platform free to everybody. This is where Magento's popularity comes from.

For some time now, we will rarely install extensions via Magento Connect purely because a client could log into this, see that an extension is outdated and attempt to update potentially wiping any modifications or breaking parts of their website.

We only use Magento Connect to install extensions that we know would be 99% safe to upgrade without our intervention should a client happen to stumble across this.

The only benefit I see with using Magento Connect anyway is to quickly see if there is an upgrade to an extension available. Other than this, I don't see any benefit in installing via Magento Connect over manually dropping the files into the Magento install manually.

Even if a client is technically minded, I'd prefer not to give them that flexibility to potentially break their website especially if they conveniently forget to advise of anything they might have done themselves to cause the problem. This at least saves us debugging time and them, the extra cost for our time rectifying, a cost I'm sure in the long-run, they would prefer to avoid.

For what it's worth, I think this is a good discussion point and is something I've often wondered myself in terms of what everyone else does that works in Magento daily.

In my opinion removing extension from Magento Connect is not an ideal solution neither with developer nor with client perspective.

As a developer, whenever my client wants a new functionality implemented on his website the first thing I do is check if any of the extension maybe FREE or COMMERCIAL are available on Magento Connect which may fulfill the requirement of my client. It's like a Google for me, where we can search for a query and irrespective of right or wrong it will suggest me the result. It's completely on me to choose the one suited.

Next, I get a chance to evaluate the best solution, i.e.: I need to use FREE, go with COMMERCIAL or implement it myself. Most of the times I recommend all three options to my client with time frames and quote separately. Removing the extension from connect will snatch this option or make it tougher as I will have to search the web for searching the extensions.

Instead of removing the extension from connect we should try and make our client educated. What I do is, whenever my client opts for a FREE extension, I ask for extra hours in reviewing the code and thus ensure the code is clean. Moreover I explain the client regarding the drawbacks of using another person's code and most of the time client understands it and have no problem giving me time to optimize the code or recode it.

Moreover, whenever I make the website LIVE I remove the write permission from the downloader so even if accidentally or out of curiosity if my client tries to install the extension he won't be able to do so. Thus it saves both client as well as me from unseen risks. When my client comes to me regarding it, I simply explain him the reason to do so and most of the time he is grateful for it.

From client perspective, the more FREE stuffs you get the more you are attracted towards it. A simple example is WordPress. With such a great community and lots of free plugins WordPress is blossoming like anything. I think in the same way, if we want to keep the Magento community growing and blossoming, I would say instead of removing the extensions from connect we try and educate our clients.

However, if we tend to remove extension from Magento Connect the world of Magento will be deserted. With no community forum, with removal of language packs, with extinction of extension it seems like a fall of a star.

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange