Jumped to the bottom of the queue today, and found http://drupal.org/node/1335872 sitting there.
Reviewing this particular application would likely require knowledge and/or experience with Aegir, ldap, drush, and Apache authentication configurations. I can provide a review and comments based on the code structure and coding standards ... but I suspect that our current base of reviewers does not have the depth of knowledge or experience to be able to flag it as 'secure' or not; and I know that I don't feel 100% comfortable reviewing a non-typical project of this complexity.
Based on this, my fear is that a complex and non-typical application such as this could end up sitting for a long while at the bottom of the queue. It's already gone a month without comments in the application thread itself.
So the question becomes, how to handle such an application? I had two initial thoughts ... the first is to simply allow it through, leaving the onus for security on the applicant himself (which could also be considered 'passing the buck' to the security team); and the second is to form a process by which we could flag similar applications to an 'elite team' with the advanced knowledge and experience required.
Personally, I feel the second options is moving us in the wrong direction ... in that we need to be removing manual effort from the process instead of adding it; especially since those with the requisite knowledge also tend to be busy with higher priority items - but wanted to open a discussion to gather other's thoughts as well.
Comments
I'd go with "review as much
I'd go with "review as much as you can and then just approve it."
We can do things like code style, license issues, help text, manual review (e.g. drupal_set_message(t("!user_data", array("!user_data" => $_GET['parameter']))); is obviously wrong) but beyond that I don't think we should expect reviewers to go through all the hurdles to review things like this.
knaddison blog | Morris Animal Foundation
From a reviewee's perspective
Well, I'm actually building a rather specific module (http://drupal.org/node/1396340) that is in "needs review" status for almost 4 weeks now.
I do not want a special treatment, but I would like some advice on how to deal with this, because the alternatives I've been thinking about do feel like cheating:
I do appreciate feedback from manual reviews, and the pareview automatic tool (which is unfortunately still changing, so code that was ok a few weeks ago now gets an error report) is great to improve one's code but the process just takes too long (yes, I know most - if not all - of the reviewers are doing this for free).
But there is a risk that a reviewer might find a minor code syntax issue (because of the changing pareview tool), sets the status to "needs work", adding weeks of wall time to the whole process. Which does seem unfair since some other "full project" modules (including core modules) do not pass the same automatic test.
In the mean time, what should I do ?
Any help / feedback is greatly appreciated.
Great thoughts captured here
Hi, you've done a great job of describing certain thoughts from the reviewee's perspective, and I for one think that they're worth talking about at some length. I'll start by just offering my own reactions:
Obviously a rhetorical example. Plainly a cheat. And such a dummy module probably wouldn't even pass a review, unless one actually put enough effort in, so that the module in fact appeared useful, novel and original, and it would still be in the queue for some weeks. that level of effort would certainly be better spent on the original application.
I actually sort of like this one. "Sponsored review", let's call it. I don't see "lead to a less strict review as a risk, because the entire community still has just as much opportunity as ever to be involved, and the ultimate git grant decision rests with certain individuals with drupal.org admin responsibilities, not with any old commercial shill we could hire.
This could be a satisfying way for a willing developer to enjoy an at-least modestly expedited review. I don't see it as a cheat or jumping the line.
As a sponsor of one's own review, one might even direct the hired developer to conduct, say, five other reviews of queued applications, as an exercise in community spirit. Or, heck, by now you might be aware that this is an activity which one can perform oneself, with the direct benefit of attracting reviewers' attention to one's own application.
*gets idea*... Coming soon, the "project application review services" page on my consultancy website! Low, low prices!
People do this. I think this is a good parallel strategy, particularly if one doesn't ignore the drupal.org process. We might want the freedom to continue work on our module, and distribute it to interested parties, yet meanwhile preserve a certain functional state for the sake of expediting the drupal.org process.
So, why do we want expedited reviews so badly?
This is another question worth asking and answering. "Worth it" because, while the code-review group has been trying to set expectations in order to placate, or at least speak to, applicants in this regard, I'm beginning to recognize that the subject of motivations is missing from our helpfiles for applicants.
Right now, drupal.org promises (rightly) a process, not an outcome. I can brainstorm a few reasons why applicants are so eager to complete the application process. Their desired outcomes might include (among many others):
Other motivations? Please, anybody, add more!
Motivations
Well, allow me to add a few notes :-)
Credibility: actually, the module is a (small) part of a public tender. Our contractor could of course review the module, or we could pay another company to do the review, but it is a strategic module and we want to gain some expertise ourselves. So that's why I'm co-maintainer / co-developer. Being actively involved in the community is one of my performance objectives in 2012.
So why start with a complex module instead of a simple one ? Because we need this functionality: our websites run just fine using existing modules (or with some patching), so currently I can't think of another simple module I could write.
I assume the same goes for some other contributors: they want to give something back to this wonderful community, but cannot justify spending time on building a simple module first.
Distribution channel: our other open source projects (Java-based) are hosted on code.google.com. But drupal.org is the place to be when searching for a Drupal module, it just makes sense. We really want to get feedback from other users, but not everyone wants / knows how to deal with git.
Localization: if I'm not mistaken, the localization server is only available for full projects. Of course, just using .po files also works, but it seems that the localization server is the way to go.
Review done
I'm having a look right now: installation and creating a new account works, more feedback at [#1396340].
I think the easiest is to freeze it for a couple days, so reviewers have the time to review/RTBC it.
Thanks
OK, thank you for the reply and review, appreciate it