Better Security for custom extensions with a "Quality" attribute
Many extensions are created by duplicating an existing one. As a result, they will never get updated along with the original. I'm not sure about the best way, but I want more security ;-). The only independent way I'm aware of is to check the code automatically and handle a "quality" attribute. Maybe there is a chance by adding unit tests to any extension.
Rouven Weßling (Admin, Joomla!) commented
Simon, this has been discussed (quite recently actually) on the mailing lists. The idea has its merits but is hard to do in practice. The current volunteer(!) staff of the JED is already quite busy. Adding a more thorough review of extensions would increase the time requirements quite a bit.
Also, many of the reviewers aren't developers. To do a more in-depth review we need people who develop themselves to look at extensions. We don't really have a surplus of developers in the project.
I agree - The poor security and quality of Joomla extensions is a major issue that should be urgently addressed and made a high priority - this is really holding Joomla back.
All extensions should be carefully checked to ensure they are secure before they can appear on http://extensions.joomla.org/ and any updates also reviewed.
Another major issue is the poor quality of construction and code in extensions. I feel that coding guidelines should urgently be created that extension writers must follow.
Extensions should then be graded according to how well they meet the criteria in the coding guidelines. For example, there could be a 5 star extension quality grading system, with the work required to obtain each of the 5 stars clearly detailed in the coding guidelines.
This will improve the quality of extensions and also avoid the costly and time-consuming mistake of purchasing poorly written extensions that may not be possible to easily customize / extend. The ideal would be for extensions to be written with hooks to allow easy insertion of additional code without having to hack the code and get wiped out when the extension is updated etc.
Update: This could also solve another big enhancement wish that I'd like to exist: that there is a criterion for how secure an extension is.