Important changes on our marketplace

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
4 years ago
To begin with, allow me to share some thoughts, as I'm new here. One of my customers started using nopCommerce and ordered a customization. So here I am, starting to work with nopCommerce. My post will be a review of the changes. If you take it under consideration, I will be glad to help, as I'm a big enthusiast of Open Source.

Nop-Templates.com wrote:
If a product does not meet the high standards then its place is not in the marketplace and you are free to sell it on your own websites.

But it will be sold on vendors' websites! Read the requirements by nopTeam again:
"If the plugin is paid, then you should process payments on your website (we do not process payments for you). So a customer will complete the payment on your website. The price entered here is for information purposes only."
So in fact, as nop4you and NewYork wrote, if a plugin is sold via a third-party page, the sources sent to nopTeam may be different! There is nothing to add at this point, as @NewYork posted a solution to it.

Nop-Templates.com wrote:
But instead of supporting the nopCommerce team in their decision to improve the Marketplace, we only see vendors complaining about it.

As I see, most of your work is themes, which are open source, so that is not a big deal for you. In the case of plugins, that is different, as customers get DLLs. So that is for each vendor to secure its own business.

Nop-Templates.com wrote:
Please guys stop complaining and show some respect to the nopCommerce team and please support them in their efforts to make a good Marketplace for everyone!

What about nopTeam's respect for vendors' work? Why do Apple or Google not require sharing sources to sell apps? Because companies know how complicated copyright law is. Let me point out one more thing - even companies like Apple do not ask for sources, but host ready apps on their own servers and provide payments to their own vendors. nopCommerce does not take this step (well, maybe not yet) but is asking for sources! Very bad practice.

To fully test any plugin, nopTeam may run the platform in test mode and fully test trial versions, just like Apple/Google do.

nopAdvance.com wrote:
How do other platforms do this?

Do not practice this kind of action. I mean "reading" source code by staff.

ilich_x86 wrote:
I cannot remember when designers sent me a PSD last time.

The only PSD files I get are when a customer asks for a custom theme. However, ThemeForest requires adding them.

nopAdvance.com wrote:
# Fixed yearly fee of around 100 USD to put your plugins / themes on nopCommerce marketplace.

Are you really sure the nopCommerce platform is ready for this step? Do small companies or start-ups get such a number of sales that it will cover all expenses? I'm a bit sceptical at this point, but maybe sales are much higher than I suspect from the last few days of board activity. What is more, I'm not alone in this point of view:
rajupaladiya wrote:
I don't think this makes any sense Sir.


Of course, you may fully ignore my post. If such a solution is added, I will do what the customer paid for and go far away from nopCommerce. No big deal; it is worse if more vendors go away because of this. Think about whether it will kill this software.
4 years ago
a.m. wrote:
If we're talking about source code and have some concerns, then do not specify the direct link to download source code. For example, you can just grant "read" access to my personal GitHub account. This way you can be sure that only I have access to it.

In my opinion, this is a better idea regarding source code sharing.

But this is not the solution when we are talking about viruses, malware or vulnerabilities. Vendors can easily show you one thing and deliver another, if they have bad intentions.
4 years ago
Nice ...!!!
It will really help developers and store owners to find the best plugins across the marketplace.
4 years ago
a.m. wrote:
All extensions must be secure, without viruses, malware, or vulnerabilities. That’s why we review the source code of each extension or theme submitted to our marketplace.


Actually I don't think reviewing code is necessary for this - you over-control this.
1. Vendors can simply submit one copy and sell another copy of the plugin - you can't control that, but you have to take responsibility - e.g. you guaranteed to the public that this plugin is virus-free, and if customers find a virus, you need to explain; it will become your fault.

2. Most of the vendors don't like to submit the code - although you replied "code won't get published" or "only I review the code", you have to explain "how will you protect other companies' assets?" "will the code be stored safely? how to prove it if you say yes?" "How will you prevent the code from getting leaked outside? will the approach be audited by a 3rd party?" "How can you guarantee the nop team won't use my code?"
I'm not talking about whether you have time to review all the code - I assume you have a tool to do it - but you have to answer all these kinds of questions. In addition, you have to prepare an NDA for all vendors to sign, agreeing that the vendors can take legal action if the nop team leaks or uses a vendor's company assets.

3. Suggestion: the intention is good, but to achieve "without viruses, malware, or vulnerabilities", I think the nop team can only do limited things within the nop site; you can't control the plugins on other sites or on the internet. So I suggest you set up a resolution center and allow customers to submit a dispute, just like PayPal does. By doing this you can give vendors a lower or higher ranking, or totally block vendors from this site. You can't control a vendor's site, but you can control this site.
4 years ago
Regarding the source code requirement. It's not just about malware. During the last several years we've seen many attempts to copy (steal) plugins. Very often vendors used disassembly to create the same extension and sell it cheaper. As part of our technical review process we check that each uploaded extension is not copied (stolen) from some other extension.

Before submitting a plugin please note that nopCommerce strongly discourages code cloning. Cloned plugins will be removed, and authors or submitters of such plugins will face consequences ranging from a ban from the nopCommerce community up to legal action. The same will happen to a vendor who submits a "source code" package that differs from the "ready to deploy" version.

We've just added this information to the "upload extension" page.

We're not going to cancel this requirement.

By the way, other CMS such as Magento, Shopify and even marketplaces such as ThemeForest require vendors to share source code (and even PSD files). And all extension vendors for these platforms meet this requirement.
4 years ago
Hello everyone,

FYI, after carefully looking at what nopCommerce is trying to achieve, we have started co-operating with them as per their requirements.

Thank you,
Atul
4 years ago
a.m. wrote:
...By the way, other CMS such as Magento, Shopify and even marketplaces such as ThemeForest require vendors to share source code (and even PSD files). And all extension vendors for these platforms meet this requirement.


But those marketplaces host/sell the extensions directly, not through the vendor's own web site. Thus, as mentioned before, there is no "... guarantee that customer won’t get virus/malware etc. Because vendors can upload anything they want on their websites. ..."
4 years ago
New York wrote:
But those marketplaces host/sell the extensions directly, not through the vendor's own web site. Thus, as mentioned before, there is no "... guarantee that customer won’t get virus/malware etc. Because vendors can upload anything they want on their websites. ..."


Fully agree with New York. Also would like to mention,
a.m. wrote:
By the way, other CMS such as magento, shopify (...) require vendors to share source code

Both are PHP, which is not delivered as a compiled DLL. Are you able to provide a PHP solution with a closed compiled file? I suppose it would be much better to compare with other marketplaces with compiled files. @GPF mentioned AppStore and Google Play; both are able to host solutions on their own servers, and neither requires providing sources. Both marketplaces require passing verification of the given solution.

a.m. wrote:
nopCommerce strongly discourages code cloning.

That is fully understandable, and fully supported by vendors. Many times vendors submitted posts when they discovered possible cloning. And as you may see, it was done without sources. Remember our case, when we were able to detect cloning based on a trial version. So if we were able to detect cloning, why can you not do the same? Maybe that is much easier with sources, but you may still do this without.

Regards,
Tom
4 years ago
I think it's understandable that many of us developers are worried about the source code of our projects, but with that said I think it's also a good idea from a customer standpoint to help build more trust and confidence within the marketplace. I also like the idea of nopCommerce preventing stolen plugins as much as possible within the marketplace.

There are security concerns, but as long as the code is reviewed in house by nopCommerce which Andrei said he'll do personally then it shouldn't be much of a problem. I do think an NDA is a good idea within the marketplace process however.
4 years ago
nop365.com wrote:
There are security concerns, but as long as the code is reviewed in house by nopCommerce which Andrei said he'll do personally then it shouldn't be much of a problem. I do think an NDA is a good idea within the marketplace process however.


Yes, an NDA is still needed. As long as another party (be it a company or a person) is holding your code, it has the responsibility to protect the code and should not use the code, or you have the right to take legal action.
If the nop team wants vendors to provide code, I think they need to consider at least these 2 points:
1. How to protect the code and make sure it won't get leaked at the company level (e.g. a developer who left the company may have a copy? or a reviewer's PC has a backdoor or virus, and the code will be sent to the hacker?)
2. How to guarantee the nop team does NOT use vendors' code?

The nop team needs to highlight these to let vendors trust you.

a.m. wrote:
nopCommerce strongly discourages code cloning.

As I suggested: set up a resolution centre. If vendor A thinks that vendor B cloned their plugin, A should submit a dispute to the nop team; only at this point can the nop team ask for the code from both sides to decide whether the code is cloned. At this point the code will be used for investigation purposes.