I strongly believe the JED and the VEL functions should be more tightly integrated. The VEL's usability and visibility would escalate incredibly with such a change, and adding the VEL as a "feature" OF the JED would allow both teams to have a greater positive impact on the Joomla community as a whole.
Currently "vulnerability" information for extensions is not maintained where that extension is most prominently accessed. Instead, vulnerability information is stored on the VEL, in a static-like format with no connection to the JED listing.
Appending VEL information to a JED listing would mean that the extension has only one record within the Joomla.org family sites, and users would be able to review that extension’s past and current vulnerabilities within the context of the JED, where they most likely found the extension in the first place.
The VEL property is less functional than the JED. Searching, filtering, and ordering are all features that the JED has implemented well. Any record searching utility, like the VEL portrays itself to be, should have these features.
One major reason that the VEL is not part of the JED is because the VEL is able to then “track” non-JED distributed extensions. This is counterproductive to the way Joomla has positioned itself to developers.
The community of Joomla decided many years ago to support developers who play by the community’s rules. The VEL is doing a disservice to very intentional decisions the community has made to support our community by tracking non-JED extensions. Joomla.org property sites should not be inconsistent.
The Joomla Install from Web feature, although controversial, is a huge move forward for our community. Yet that feature is less useful, and detrimental to the image and brand of Joomla if it has poorly maintained, but one-click-install accessible extensions on it. Having an extension’s VEL history log within the record would increase usefulness and functionality to install from web users considerably.
Because the VEL has relatively low visibility in comparison to the JED, extension searches on search engines like Google don’t contain VEL information. Extension developers with security vulnerabilities are not held responsible because of this low visibility. By allowing quick and easy access to VEL information from a JED listing page, extension developers will be encouraged to react more quickly, and code more responsibly with security in mind.
Maintaining a Joomla site is a huge amount of effort for any team. Updating extensions, updating Joomla, etc… all require a ton of effort. By removing the VEL, the Joomla community allows the VEL team to be more productive with managing VEL information, and spend less time on website maintenance.
I wrote a very clear post on why I think it's a good idea...
It could in theory imply all of those things. That's up to the consumer to decide, I'm just saying it would be a nice, transparent and open way of presenting the facts.
You could be right. The only thing that matters is whether or not the current version is vulnerability free. BUT, the length of time it takes for a developer to release an update to a security issue DOES demonstrate their attentiveness. It demonstrates that they care about their users and keep their best interests at heart. The only time that such a log would be bad for a developer would be if they take a long period of time to resolve issues. And quite frankly that's a good thing to know about.
Fair enough, extensions with known issues shouldn't be visible on the JED. But why manage that information in two places? If it's vulnerable and we know it, we should track it ON the JED, where the publishing / unpublishing happens. Not on a completely different website. It should all be in one, single unified place.
I will never be convinced that two websites are a more effective solution than one in this case. A single source for managing all of this would be far better for productivity, and for Joomla's users. What logical arguments are there for two teams? How is that better from a productivity standpoint? How does two sources of information help Joomla users? Please tell me how that is better.
Better communication could be established by merging the teams, putting them all in the same room, site, and working with the same dataset. That's the holy grail we should be going after. Tell me why that doesn't make sense.
Glad to hear an API is coming, but it's a completely new set of endpoints that could have just as easily, and more efficiently, lived under the ALREADY EXISTING JED API. So we've now done the same work twice, yet again.
Unfortunately I think you're wrong - if the JED features things like "reviews" and "download", I think just as fitting a button would be "Vulnerabilities"
You can't possibly argue that something like this:
https://www.evernote.com/l/ACrTQyv9JedHxrHS_o2od7wUlUyZcl47atEB/image.png
Is LESS visible than the current solution. It adds the button to every single JED extension (+9000 links!).
It should support the JED because that is where most of the users of Joomla go to add extensions to their website. Extensions can live without the VEL, the VEL needs extensions, and the JED is the number one source for those extensions. Those should be coupled extremely tightly, to make Joomla better for everyone.
Joomla users don't care about the internal politics of Joomla teams, or people playing nice to work together; they care about a simplified and usable infrastructure to publish content.
Unfortunately this conflicts heavily with the decision that was made years ago in the Joomla community. You're essentially saying that decision was either wrong / incorrect, or that regardless of that decision you don't care about the decisions the Joomla community made, and you're just going to do your own thing anyway. That's a huge disrespect to the community who made a decision for GPL and to only support GPL extensions on our property websites.
This has nothing to do with advertising, except that it does look good to be fast to respond to security issues. (Having the vulnerability is just life, how fast you deal with it is how you determine developers who care from those who do not).
The JED is the only thing we have to hold developers accountable. The JED IS the stick. Being unpublished from the JED is the only punishment that one gets from having a vulnerable extension. So tracking non-JED extensions is pointless in that regard as well. You can't do anything to them anyway.