One of the things I've been talking a lot about is the way the plugin manager calls the different plugin servers in order to check for updates.
I'm not quite at the stage of implementing this yet so it's not like I can't change it but something occurred to me that I would like some feedback on.
Imagine a large repository, of a couple of thousand plugins - like sm.org has. It's realistic to expect that Wedge will get to that point sooner or later (preferably sooner!), and at that point it starts to be unviable to be requesting a list of everything the server has - it's not good for the server, it's not great for the client either.
So I conceived of the notion of having the request actually include a list of plugins that it has available, and the server responds with a list of what it has in it that matches by id, so you know whether to update or not. This idea is not unknown, WordPress does it, for example.
The difference is that WordPress only supports its own repository, not third party repos, in the core code - we expressly support third parties.
Here's the problem. While I can guarantee that my own server(s) won't log requests[1], I can't guarantee other servers won't do the same, so that if a list of plugins is sent, it would be possible to log what plugins you have.
And, naturally, there is a privacy concern here as a result.
I should note what I'm planning on logging as a core feature of the plugin server system (the actual server facility itself) - it should be able to log downloads (total and per day downloads), and if a plugin is secured by group access, i.e. it's not open to guests or regular members, I think it should also log the name and time of download as well as the user who downloaded it.
I think the above logging should be provided because it's useful to see how many people are downloading plugins, whether they're still being downloaded currently (or just historically), and if it's secured behind some kind of authorisation, it should be able to log who's downloading for the simple reason that you're offering a product behind some kind of restriction and you should be able to identify an account or accounts that are using that facility.
Thoughts?
1. This should include wedge.org, though there is a valid logic behind doing it here too, which if done anonymously allows us to see which plugins are popular, not just downloaded but what is downloaded *and still being used*.
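The update check described in the post, simulated from both sides to show what a third-party server that does log would end up holding. This is an added example, not code from the original post or from Wedge; the JSON shape, the function names, the version comparison and all plugin ids and addresses are assumptions constructed for illustration.

```python
import json

def build_update_request(installed):
    """Client side: send the id and version of every installed plugin."""
    plugins = [{"id": pid, "version": ver} for pid, ver in sorted(installed.items())]
    return json.dumps({"plugins": plugins})

def handle_update_request(body, catalogue, request_log, client_addr):
    """Server side: reply only with ids it hosts, having seen the whole list."""
    sent = json.loads(body)["plugins"]
    # A server that chooses to log can keep the full inventory at this point.
    request_log.append({"client": client_addr, "ids": [p["id"] for p in sent]})
    matches = {p["id"]: catalogue[p["id"]] for p in sent if p["id"] in catalogue}
    return json.dumps({"matches": matches})

def updates_available(installed, response):
    """Client side: matched ids whose hosted version differs from the installed one."""
    matches = json.loads(response)["matches"]
    return sorted(pid for pid, ver in matches.items() if installed.get(pid) != ver)

def exposed_ids(request_log, catalogue):
    """Ids the server learned about although it does not host them."""
    seen = {pid for entry in request_log for pid in entry["ids"]}
    return sorted(seen - set(catalogue))

# Constructed sample data: one site's plugins and one third-party repository.
INSTALLED = {"alice:gallery": "1.0", "bob:calendar": "2.1", "carol:shop": "0.9"}
THIRD_PARTY_CATALOGUE = {"bob:calendar": "2.2"}

def demo():
    log = []
    request = build_update_request(INSTALLED)
    response = handle_update_request(request, THIRD_PARTY_CATALOGUE, log, "203.0.113.7")
    return updates_available(INSTALLED, response), exposed_ids(log, THIRD_PARTY_CATALOGUE)

if __name__ == "__main__":
    updates, exposed = demo()
    print("updates offered:", updates)
    print("ids disclosed to a repo that does not host them:", exposed)
```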