To use or not to use Magento Connect... that is the question

Extension Installation & the Consequences

The idea of having an extensible system is great, but as we developers know, it's not that simple. Many things can (and, unfortunately, do) go wrong.

Overview

I'll start with a list of issues potentially caused by installing extensions. Then, I'll make my main point and state the conclusions I personally make from all that, and finally I'll suggest a solution. (This will probably get long, apologies in advance. I'll try to write as little as possible and still cover the topic.)

So to get started, here is a list of common issues found due to extension installation.

Security

No code review is done before an extension is accepted on Magento Connect. As a consequence, many extensions contain vulnerabilities. There are many reasons, such as inexperienced or lazy developers, use of vulnerable third party code, and some extensions even contain maliciously harmful code. Remote code execution, SQL injections and downtime are a reality. The consequences are lost customer data, lost payment credentials, lost revenue, lost time and lost trust.

Performance

An extension can work fine on one site or on a developer instance, but with a different catalog or customer base, it can cause serious performance issues. There can be many concrete reasons ranging from inefficient loading of entities, unoptimized SQL joins, a high number of ajax requests, a high number of attribute options or attributes, and many more. As every merchant can tell us developers, performance matters. This costs a merchant revenue.

Conflicts

Even just two extensions, even when developed using best practices, can conflict. This is mostly due to the way the Magento framework merges configuration XML. In the best case these conflicts are visible via a stack trace or a blank screen, in the worst case the site exhibits strange and hard to debug behaviour. A merchant won't be able to fix the issues and make conflicting extensions coexist without the help of a developer. This costs time and money.

Upgradability

Not upgrading is no option, if only for security reasons. Extensions need to be maintained, as individual code bases and as part of the Magento framework. If an extension is being used and the original developer happens not to continue to maintain the extension, some other developer has to take over. Not having a developer often makes it impossible for a merchant to upgrade, which in turn leads to sites being slower than they have to, security issues being exploited and thus lost revenue.

Extensibility

Adding new features to an existing site gets more and more complex and thus expensive, because each extension in the system adds its technical debt. The overall debt is much larger than each individual extension since the combined complexity is also larger than each one on its own. Not being able to easily experiment with new features and changes causes a merchant a lot of lost revenue.

Uninstallation

The following things cause breakage in Magento when uninstalling an extension:

  • Database records referring to a class in the uninstalled extension (for example indexers or attribute backend models). Even extensions following best practices are prone to this.
  • Uninstalling extensions that overwrite core code leaves Magento missing the original file. This of course only happens if an extension does not follow best practices, but it is a fact that many extensions are bad.

Site breakage of course costs money.

Magento Connect

Given the list of issues above, how on earth can anybody expect a non-developer to install an extension and evaluate if it works on a given site?

There is no guaranteed clean uninstall, so often a broken installation can't even be repaired. The only option is to make a complete backup beforehand, and then do a manual rollback if something goes wrong. Can a non-technical person do that? In my experience, no.

Let's assume everything looks okay. Does the merchant know everything is okay?
What about security? What about performance issues? What about upgrade issues?
There is no way a non-developer can evaluate these things.

The message Magento Connect communicates is that it is easy to extend your Magento store by installing Magento without a developer. It might be handy in a sales pitch to tell someone that is the case, but it simply isn't true.

What I experience mostly is that in communication the need for a developer is simply implied and not communicated. As a consequence many store owners break their store by installing extensions. That costs money, time, nerves, and Magento and developer reputation.

I like my classes to have an explicit interface, and I believe it would be good if the developer requirement for Magento would be communicated explicitly, too.

Conclusions

This is not good for the ecosystem at all, even if fixing broken sites provides income for some Magento developers. The same money could be used to create real value for the merchant's customers.

On Twitter someone said that merchants are grown-ups, who can decide on their own if they install an extension or not. I disagree. If a merchant isn't a developer at the same time, he cannot decide on his own.

Magento Connect shouldn't make it easy for non-technical people to shoot themselves in the foot.

Personally I'm sick and tired of seeing Magento installations due to extensions. I much prefer to create things that just clean up a mess.

I'm thinking about removing my extensions from Magento Connect because I don't want to support the flawed idea any longer.

Solution

In my opinion the solution is easy and cheap. It is not about creating yet another new Extension Marketplace, commercial or free. This is not a technical issue, it is all about communication.

If Magento Connect would state it is a developer resource, and that extensions should be reviewed before installation, and that only developers should install extensions, this would be a non-issue. Merchants that still install extensions do so knowing the risks.

So here are three simple steps that would make Magento more merchant friendly:

  1. Remove the option to install extensions via the Magento Admin interface (e.g. the downloader).
  2. State clearly and visibly on Magento Connect that it is a developer's job to download, review and install any extension.
  3. Educate developers to do a full review of any extension to be installed on a site.

Finishing words

I love sharing extensions. I love open source. I think the Magento Developer Community is awesome!!
Reviewing extensions is a great way to learn. Magento Connect isn't bad, just the message it projects to non-technical people.

Each Magento site is an application. It is unique and needs to be treated as a unique development effort.

It should be the general consensus in the ecosystem that extensions can be useful, but installing them more often than not will require code to be written or modified, and thus require a developer.

EDIT: I posted some less technical background information on my blog.
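
The Conflicts point in the post above, as an added example that is not part of the original post: a Python check a reviewer can run before installation to find one common kind of configuration-merge conflict, two modules declaring a rewrite for the same class alias. The Magento 1 `config.xml` rewrite layout is assumed (the post does not show it), and the module names and XML are constructed sample input.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: minimal config.xml bodies for three hypothetical
# modules. The global/<type>/<group>/rewrite layout is the Magento 1
# convention and is an assumption here; the post does not show it.
SAMPLE_CONFIGS = {
    "Acme_Pricing": """<config><global><models><catalog><rewrite>
        <product>Acme_Pricing_Model_Product</product>
      </rewrite></catalog></models></global></config>""",
    "Other_Labels": """<config><global>
      <models><catalog><rewrite>
        <product>Other_Labels_Model_Product</product>
      </rewrite></catalog></models>
      <blocks><catalog><rewrite>
        <product_view>Other_Labels_Block_View</product_view>
      </rewrite></catalog></blocks>
    </global></config>""",
    "Third_Seo": """<config><global><helpers><catalog><rewrite>
        <data>Third_Seo_Helper_Data</data>
      </rewrite></catalog></helpers></global></config>""",
}

REWRITE_TYPES = ("models", "blocks", "helpers")


def collect_rewrites(configs):
    """Map (type, 'group/class') -> list of (module, replacement class)."""
    found = defaultdict(list)
    for module, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        for kind in REWRITE_TYPES:
            for group in root.findall(f"./global/{kind}/*"):
                rewrite = group.find("rewrite")
                if rewrite is None:
                    continue
                for node in rewrite:
                    alias = f"{group.tag}/{node.tag}"
                    found[(kind, alias)].append((module, (node.text or "").strip()))
    return found


def find_conflicts(configs):
    """Keep only the aliases that more than one module tries to rewrite."""
    return {k: v for k, v in collect_rewrites(configs).items() if len(v) > 1}


if __name__ == "__main__":
    for (kind, alias), claims in find_conflicts(SAMPLE_CONFIGS).items():
        print(f"CONFLICT {kind} {alias}: " + ", ".join(f"{m} -> {c}" for m, c in claims))
```

On a real code base the dictionary would be filled from each module's `etc/config.xml`; extension packages are untrusted input, so a hardened XML parser such as `defusedxml` is the safer choice there.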


I think that removing extensions on MC is a bit too extreme... Connect is not just for merchants but for developers as well (I love the upgrade feature). But I agree that people without the right skills should not install extensions as they are seldom compatible with used themes, there are too many potential conflicts and more often than not it'll cause totally unnecessary bad blood between merchant and (free) extension provider. Or between merchant and site developer.

People, building stores is like making music -- best left for professionals.


We have had many clients install extensions via Connect, and I'm aware of many thousands of sites using our extension successfully as a result. Connect needs a revamp, everyone is aware of that. But as technology solution providers we should be making our products ever easier, and my ultimate goal at WebShopApps is to reach a point where a merchant can install, uninstall and use an extension without having a developer involved, and I would hope the next version of Connect goes some way to support that goal.

We need an App Store. Because then it will enable developers to be developers, focus on our strengths there, rather than having to build out our own website, support, marketing, etc when we first start up. And this will encourage innovation, and ensure a central place for merchants to learn about the newest, best and all in between.

Clearly there are a great number of extns that need developer help, and indeed extn provider help, if we could explain that in an easier way would be great (e.g. difficulty of install/setup/target market/etc). But there are many plug/play extns as well, we should not stifle these.

Maybe this is Utopia, I'm not sure, but shouldn't we always be aiming for better? I personally truly believe in enabling merchants. They want to do this, they want to be more in control sometimes (not always), and if you have to pay a developer every time you want to try something out that's wrong IMO. This should be at the very heart of SME growth strategy for Magento.

I could go on but I won't. I don't think there is a war going on tho ;)