Simon Coggins

I'm not sure if there is an official policy, but it seems fairly common to use hardcoded values in unit tests in Moodle, for example:

https://github.com/moodle/moodle/blob/master/lib/tests/accesslib_test.php#L724-L747

Hardcoded values cause us problems at Totara because we have to customise Moodle tests to get them passing.

It also makes the tests brittle to changes in Moodle itself, if the number of default roles are updated then the tests need to be updated to pass.

In cases where you want to check data is being created it is possible to refactor this to assert against the difference before/after an action, which removes the dependency on the absolute number of items.

Are the use of hardcoded values like this encouraged or discouraged? Would Moodle be open to accepting a patch that converted them into relative values?

Simon

Hi Vijay,

Yes you can, although once you do that you will obviously need to support the ported code yourself.

Overall our preference is for Totara features that are suitable for Moodle to be integrated into Moodle core, as this avoid unnecessary duplication of effort on everyone's part.

In terms of the reporting features you mentioned, we had a good effort at trying to get them into Moodle which unfortunately has stalled for some time:

https://tracker.moodle.org/browse/MDL-30193

We are still open to making the contribution and willing to put effort into integration, if agreement can be reached that our code is suitable for Moodle's requirements in this area.

Simon

I agree that the email address (like the name) is likely to change. Unfortunately until the backpack supports multiple email addresses there isn't really anything we can do to handle that as the email is baked into the badge at the time of issue.

I wouldn't say using the moodle user id number provides better verification of the badge because it is specific to the moodle site that awarded the badge, which may not even be accessible to the person attempting to verify a badge.

In the end we have decided to take two steps:

1. Remove the email address from the badge award page. This will be treated as a bug and backported to older stable releases too.

2. Create a new improvement bug to add a form to the badge page. A user can insert an email address and the page will tell them if the badge was awarded to that email address or not. That way someone who knows the email can still verify it, but they can't discover the email unless they already know it. This will be a new feature in a subsequent release when we have time to implement it.

Hopefully that will provide an acceptable balance between privacy and accountability. FYI, I have started a discussion about this topic on the open badges dev group here:

https://groups.google.com/forum/#!topic/openbadges-dev/F1EPz9HsUQ0

Simon

I think I do understand the core issue, and I don't think it's trivial, which is why I said:

I agree that at the very least we should give the user a choice about if their email is displayed, and ideally avoid displaying it all together.

When you say replace the email address with a serial number, what would the serial number be? How would it help the user to prove that they earnt the badge?

To give an example, here are a couple of badges I earnt recently for presenting at a Mahara Conference:

http://backpack.openbadges.org/share/102d9e69f989168a46e3ff52c3100c7b/

If you follow that link you will notice that nowhere on that page is my name mentioned. In fact you would have to follow the evidence link:

https://maharahui.org.nz/badges/badge.php?hash=f2042d6b666bcae453f822fbe6e6e1d78341c21b

To see that the badge was actually issued to Yuliya (I never presented at the conference, she did).

If people want to use badges as digital certificates, this is actually quite a serious problem (in my view it is more a problem with the open badges system than its implementation in moodle).

Now what I'm saying is, by removing the email address we will make it harder to verify that the person claiming the badge did in fact earn it, as all you are left with is the users name (which is much less unique than an email, particularly in some parts of the world).

As I said before, given the choice I agree that privacy should trump verifiability, but can we have both? I'd like to hear more about your serial number idea and how that could help with verification.

Simon

Hi Sue,

 I've read the MZ privacy statement and it says: "Each badge you push to the Mozilla Badge Backpack contains your Persona username and data about what the badge means and who issued it."  It does not say your Persona email address will be published in order to ensure you are who you say you are. 

I don't think that their privacy statement is very clear about this, but a "persona username" is an email address (see here - it says "usually" but I'm not sure how it could be anything else). You can also see in their terms of use:

Badges may only contain the user’s email address, the issuer’s name, the badge name and specific data about what the badge means such as the badge description and criteria URL, which is a URL pointing to a page hosted by the issuer that details all the criteria required for earning the badge.

However despite this, I agree that at the very least we should give the user a choice about if their email is displayed, and ideally avoid displaying it all together.

The only reason I'm giving any push back at all is that we also want badges to be verifiable. To be clear, given a choice between good privacy and verifiable badges I would still choose good privacy, but what I'm wondering is, is there a way for us to have our cake and eat it too.

Unfortunately as of right now I can't think of another way, and ultimately this is a problem that needs to be solved by the badges infrastructure rather than us. If anyone has any thoughts then please share!

that we have a unique email address for all learning experiences and that it will stay with us forever and ever

Again I agree this is definitely not the case. Unfortunately this is a limitation of the current badges infrastructure. I have already been involved in the discussions with Mozilla about this issue here:

https://github.com/mozilla/openbadges/issues/42

Unfortunately there hasn't been any progress on this issue, and we've done just about all we can to mitigate it in moodle by allowing users to at least pick which email they connect with.

Anyway, I will discuss some more with Yuliya and we will try to do something soon.

Simon