calling home from within a theme

Orangine · July 15, 2012, 09:58:04 AM

I am making a custom theme I would like to publish here. Am I allowed to call home from within the theme files? I would like to display if the theme version is up to date with latest release, would that be acceptable?

Arantor · July 15, 2012, 02:11:48 PM

It's generally considered not acceptable because if your site gets compromised, depending on the type of compromise it could infect anyone who uses your themes.

No server is 100% secure.

(In any case, the best way to call home is to set up a scheduled task in the admin panel, which can't be done in a theme, as it's a database change and the theme code never has any opportunity to do the scheduled task... while you 'could' do so by abusing one of the admin templates, it wouldn't then pass the review stage which requires no database calls in templates out of simple good practice)

Orangine · July 15, 2012, 02:17:07 PM

I'm not asking for anything too sophisticated, I just want to read the theme version. And I cannot find anything about this in the guidelines, that's why I'm asking.
I can understand your point of view, but for example SimplePortal seems to call home to check the most current version, and I can still see it listed on the Mod site. And I cannot find anything about this in the guidelines.

Arantor · July 15, 2012, 02:21:20 PM

The guidelines are not the final and definitive set of rules that things must be built to. You can't write a series of rules about how everything must work. So some things are left out and a little intelligence is applied at the time.

There are a few mods that do call home, and it generally isn't appreciated for the reasons I mention, and I see little reason to assume themes will be favoured any more. Back when I was on the customisation team, I know full well I would not have appreciated it too much, and the current incarnation of the team does feel the same way.

If the theme does it and it doesn't violate any other rules, it'll just have to pass the 'is it really necessary' stage? Do you plan to update your theme very often? Do you expect users to keep installing them? Do you expect users to have to uninstall their mods to reinstall them on your themes?

Orangine · July 15, 2012, 02:28:12 PM

Quote from: Arantor on July 15, 2012, 02:21:20 PM
The guidelines are not the final and definitive set of rules that things must be built to. You can't write a series of rules about how everything must work. So some things are left out and a little intelligence is applied at the time.

That's why I'm asking for the official answer. I don't want to spend time doing something that would let to disprove my work.

QuoteThere are a few mods that do call home, and it generally isn't appreciated for the reasons I mention, and I see little reason to assume themes will be favoured any more. Back when I was on the customisation team, I know full well I would not have appreciated it too much, and the current incarnation of the team does feel the same way.

If the theme does it and it doesn't violate any other rules, it'll just have to pass the 'is it really necessary' stage? Do you plan to update your theme very often? Do you expect users to keep installing them? Do you expect users to have to uninstall their mods to reinstall them on your themes?

Irrelevant. I need to know if I am allowed to do something or not. That simple. Are you saying that the theme/mod may be dissaproved because someone 'feels' some sort of functionality is not necessary? Are you for real now?

Arantor · July 15, 2012, 02:34:18 PM

QuoteThat's why I'm asking for the official answer. I don't want to spend time doing something that would let to disprove my work.

It is doubtful you will receive an official answer until you actually try it. If you were to ask about everything that isn't in the rules, you'll be waiting until Hell freezes over because the rules are deliberately not that strict.

QuoteAre you saying that the theme/mod may be dissaproved because someone 'feels' some sort of functionality is not necessary? Are you for real now?

No, I'm asking you if you feel the functionality is actually necessary. Most people don't update a theme much after it's been installed unless the theme is buggy, and even then they come back here to report the bug and see if there's been an update.

Plus there are a lot of issues related to updating themes so people don't bother - and thus having a 'has this been updated' check is often unnecessary.

The 'is it really necessary' stage is important because it's balancing a trade-off. If there is a problem with the theme, people come back here, and it reflects on SMF and its team, especially if they approve something that is potentially dangerous.

What happens if your site is compromised and people get their forums hacked? (This is not entirely a hypothetical question. It can and has happened before) Are you going to be the one who the users come after for help? No, they're going to come here and not really after you. On the basis of that, the team are the ones who have to make a judgement call whether this should be done.

There's no rule for it because it's not possible to write a rule book for every single thing that someone could or could not do. Thus a little intelligence is applied, and if there is code that generates a security risk, it's going to fail approval. And if that code is a lot of work for a feature that is impractical and no-one is going to use it, is it worth the effort?

Here's the thing: I've been on the approval team, seen some insanity in what people do and I'm trying to help you avoid burning a lot of time and effort on something that probably won't be appreciated in the real world out here, rather than your black and white hypothetical one.

Orangine · July 15, 2012, 02:39:50 PM

QuoteIt is doubtful you will receive an official answer until you actually try it. If you were to ask about everything that isn't in the rules, you'll be waiting until Hell freezes over because the rules are deliberately not that strict.

Now you're making me cry. After all it's just a simple question, I'm still hoping someone will jump in and say 'hell yeah, just do it'.
Thanks for your time thou:)

Arantor · July 15, 2012, 02:43:25 PM

QuoteNow you're making me cry. After all it's just a simple question, I'm still hoping someone will jump in and say 'hell yeah, just do it'.
Thanks for your time thou:)

You mean the time I spent after you asked me if I was for real?

It's not a simple question, that's the point. I personally think you're looking to burn a lot of time on something that really isn't necessary, but if you feel you need to (because you think you're going to update it a lot and don't give two hoots about the inconvenience on users), go do it. How you go about it may be a secure method, it may not, but we won't know until you try it.

(Hint: SimplePortal updates quite regularly. I do not think it is likely your theme will do so as regularly, and I do not think people will be willing to update their theme as regularly as SimplePortal does.)

Orangine · July 15, 2012, 02:47:25 PM

So far the plans are extensive, and I want to roll the updates over time. And as for the SP 'regular' updates:
2.3.3 released Nov 5th, 2010
2.3.4 released Nov 25th, 2011
2.3.5 released Mar 27th, 2012

Regularly - yes. Often - no.

Arantor · July 15, 2012, 02:50:27 PM

*shrug* I can remember when it was more regular.

Here's the thing: people customise their themes. They will not want to keep reinstalling their theme which will require them to reinstall the mods they have onto those themes. Also, people get their site looking a certain way, they don't want it to change, they want it to stay how it is.

The history of how people use themes on their sites does not agree with your plan, and it will put people off over time, rather than encourage them to use your work.

Someone uninstalling and updating SP is a relatively minor task. Someone updating their theme potentially makes a LOT more work for users. (It was not all that long ago, for example, that mods had to update index.template.php to add a menu button. Now imagine that people have to re-edit their theme every time you do an update, for every mod they have like that.)

Orangine · July 15, 2012, 02:53:41 PM

I get your point. I'll guess I will have to rethink it once again. In the meantime, I won't make it as [Solved], unless I get definite answer for someone on the team

Thank you once again.

kat · July 15, 2012, 03:14:57 PM

Let me chip-in by putting it this way...

If I knew that the theme was phoning home, I'd avoid it, like the plague.

HTH.

I'll give the cust team a wave, though, so you can get the official line.

busterone · July 15, 2012, 05:49:28 PM

I am not on the team, but have used maybe 30 to 40 different themes over the years. I have 14 installed on one of my sites at this time. I agree with both Arantor and K@. If a theme was calling home on me, I would uninstall, delete it from my server, and probably make a not so good review post here warning others of it. Although very few mods have any effect on 2.0 themes, I still do not want to have to keep reinstalling, changing, or updating them. On 1.1.x, there is a real potential issue there, since many mods do make template edits.

I do not want to discourage your theme making at all. I hope you do and look forward to seeing them. I just may like them and use them.

IchBin™ · July 15, 2012, 07:09:50 PM

I recall rejecting some themes that have done this in the past. It's not an official rule, but a theme doesn'st really need to phone home IMO.

News:

calling home from within a theme

kat