Plugins traffic

Getting in touch with plugin users

 
Picture of Justin Hunt
Particularly helpful Moodlers, Plugin developers

One of the shortcomings I see with the Moodle plugins database is the inability of plugin maintainers to get in touch with their users, other than by posting in a forum or pushing an update. 

The reason I say this is that recently I was made aware of a security flaw in one of my free plugins. I patched and updated on Moodle.org as quickly as possible. I wondered if I should post about it in one of the forum threads dedicated to it, but for the most part the users subscribed to those would be updaters, and I would risk alerting less good people to a flaw they might exploit. I am still not sure what the best course of action is to be honest.

Ideally I would have access to a list of subscribed users to which I could send a direct message (email or message). Is there a best practice here, or some way we can implement a notification feature? After all, Moodle alerts registered Moodle site admins of security issues in Moodle in advance of any public release of such information, so it seems like plugins should be no different in this respect.

 
Average of ratings: Useful (4)
Re: Getting in touch with plugin users
 

I think this is a good idea, if you add this to the tracker I'll certainly vote for it.

 
Re: Getting in touch with plugin users
Particularly helpful Moodlers, Plugin developers

We had exactly the same situation and I also think it would be really great if plugin maintainers could inform their users directly.

Even if there is no such important thing as a security flaw, I think it should be possible that plugin maintainers can get in touch with their users by mail or notifications in the systems which use the plugin.




 
Picture of Justin Hunt
Re: Getting in touch with plugin users
Particularly helpful Moodlers, Plugin developers

I have posted a tracker issue for this now. Please vote at: https://tracker.moodle.org/browse/MDLSITE-5543


 
Picture of Mike Churchward
Re: Getting in touch with plugin users
Core developers, Particularly helpful Moodlers, Plugin developers, Plugins guardians, Testers

In the interim, you could always set up existing methods, inviting plugin users to subscribe to:

  • Set up a Twitter account and hashtag for users to follow.
  • Set up a Telegram and/or a Slack discussion.
  • Set up an email newsletter type subscription.
Then, on the plugin page, provide a link for users to subscribe to update notices.

 
Average of ratings: Useful (1)
Picture of Justin Hunt
Re: Getting in touch with plugin users
Particularly helpful Moodlers, Plugin developers

Good suggestion Mike. For now that probably is the way. I think this discussion should continue in tracker, so please watch that.

 
Picture of Dan Marsden
Re: Getting in touch with plugin users
Core developers, Moodle Course Creator Certificate holders, Particularly helpful Moodlers, Plugin developers, Plugins guardians, Testers, Translators

With my "developer" hat on I agree it would be nice to be able to contact all users of my plugins.

But I don't think that using Moodle site registration data is the right method for this. Site admins that "register" with Moodle are not really expecting that their information will be "shared" with the developers of all 3rd party plugins they use on their site - the data is also covered by Moodle's Privacy Notice and Data Processing Agreement.

Implementing a way for users to do this based on site registration data would be pretty complex - first we'd need to adjust the moodle.org privacy notice, then we'd need to implement a way for admins to explicitly reject notifications related to specific plugins and receive notifications from other plugins... Personally I don't think this would be viable to do within the plugins db.

There might be a way we could identify specific plugin releases as containing a security update though, so that in the plugins update screen a bigger warning is displayed when there is a release that contains a security fix - but I'm not sure how useful that would really be.

I think Mike has the right idea here - it would be better for you to implement your own "registration" tool within your plugins or provide some form of new subscription service where users elect-in to receive communication from you.

 
Picture of Justin Hunt
Re: Getting in touch with plugin users
Particularly helpful Moodlers, Plugin developers

Thanks. Let's all continue discussion on tracker ...

 
Picture of David Mudrák
Re: Getting in touch with plugin users
Core developers, Documentation writers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Plugins guardians, Testers, Translators

"I wondered if I should post about it in one of the forum threads dedicated to it, but for the most part the users subscribed to those would be updaters, and I would risk alerting less good people to a flaw they might exploit."

That is what every software producer has to deal with. Generally, security by obscurity does not work, particularly not in the open source world. If there is a solution / fix available, it works best to notify users loudly in an open and transparent way. So feel encouraged to inform about the security release via all the communication channels (Twitter, forums etc) to highlight the importance of the upgrade.

 