I strongly believe the JED and the VEL functions should be more tightly integrated. The VEL's usability and visibility would escalate incredibly with such a change, and adding the VEL as a "feature" OF the JED would allow both teams to have a greater positive impact on the Joomla community as a whole.
Currently "vulnerability" information for extensions is not maintained where that extension is most prominently accessed. Instead vulnerability information is stored on the VEL, in a static-like format with no connection to the JED listing.
Appending VEL information to a JED listing would mean that the extension has only one record within the Joomla.org family sites, and users would be able to review that extension’s past and current vulnerabilities within the context of the JED, where they most likely found the extension in the first place.
The VEL property is less functional than the JED. Searching, filtering, and ordering are all features that the JED has implemented well. Any record searching utility, like the VEL portrays itself to be, should have these features.
One major reason that the VEL is not part of the JED is because the VEL is able to then “track” non-JED distributed extensions. This is counterproductive to the way Joomla has positioned itself to developers.
The community of Joomla decided many years ago to support developers who play by the community’s rules. The VEL is doing a disservice to very intentional decisions the community has made to support our community by tracking non-JED extensions. Joomla.org property sites should not be inconsistent.
The Joomla Install from Web feature, although controversial, is a huge move forward for our community. Yet that feature is less useful, and detrimental to the image and brand of Joomla if it has poorly maintained, but one-click-install accessible extensions on it. Having an extension’s VEL history log within the record would increase usefulness and functionality to install from web users considerably.
Because the VEL has relatively low visibility in comparison to the JED, extension searches on search engines like Google don’t contain VEL information. Extension developers with security vulnerabilities are not held responsible because of this low visibility. By allowing quick and easy access to VEL information from a JED listing page, extension developers will be encouraged to react more quickly, and code more responsibly with security in mind.
Maintaining a Joomla site is a huge amount of effort for any team. Updating extensions, updating Joomla, etc… all require a ton of effort. By removing the VEL, the Joomla community allows the VEL team to be more productive with managing VEL information, and spend less time on website maintenance.
I want to try to be a little clear and explain some of the words / intended meanings behind what I said, because I think perhaps there's a language barrier here. I'm not being pretentious when I say that either; I just am trying to communicate clearly:
When I said "supporting", I'm not referring to ads, or you "helping" or "hurting" an extension developer. I mean support as in, the community has decided that the Joomla project will only address, and reference, extensions that follow our community-agreed-upon rules.
I didn't say that your job was to do this. It's actually the JED's job to do this; they're the only ones who can do it. But the VEL is a subset of doing that. When the VEL finds a vulnerable extension, that team goes to the JED, and the JED will un-publish the extension. So the VEL is involved in holding extension developers accountable in that way.
It may not be the VEL's primary purpose, but it is a task that the VEL team does do. You can't dispute that fact.
I apologize if you found this insulting. I didn't mean for it to be insulting; I'm just pointing out the inconsistency. Let's look at some other Joomla.org properties:
The Joomla community culture is one that is designed to only deal on-property with those who've agreed to play by our rules. The VEL is inconsistent in this way when it publishes information on non-GPL extensions. Don't you agree that the VEL behaves differently than the other Joomla.org sites in this way?
Now it's my turn to be a tad offended. I actually do know how Joomla teams work. I have been a member of the following teams:
I have a lot of Joomla team experience. Please don't write my opinion off here - it comes with nearly 5 years of experience of contributing to Joomla in various ways. I know Joomla has politics, and I know there are politics in the VEL. Let's not pretend there aren't.
I think this is where the language barrier may have come in -- When I said "in the same room", I didn't mean literally. I meant figuratively, like a chatroom (Glip), or mailing list, basically any form of team-based communication. I'm sorry if I confused you there!
I totally get that you're volunteers -- I wish you could see that I'm actually campaigning to make your job easier by reducing your responsibilities, increasing productivity, and giving you direct access to most of the data you actually work with on a regular basis. I'm really trying to help! Please hear me -- I'm just trying to be helpful. Not harmful.
Please believe me when I say, I'm not arrogant. If you felt something I said was arrogant, then I sincerely apologize. I'm trying to fix something I see as a problem, and I want so desperately for you to see that I want the best for everyone: the users, the JED, and the VEL team.