App Certification for NethServer 8

Hi folks

We need to organize the apps currently present in the software center.

If an administrator wants to install an app, they must be clear about who created it and how robust it is, certified by others.

At the moment there is no clear path for certification, and I would like to create a howto to clarify the matter a bit :slight_smile:

Characteristics/Requirements for an app to belong to one of the three categories:

  1. Official: Supported/Created and certified by Nethesis.
  2. Certified: Supported/Created by others but certified by Nethesis.
  3. Community: Supported/Created and certified by the community.

Software Center Checklist

Certification requirements valid for all to enter the Software Center - in NethForge/Default/Subscription repository:

  • Does not break anything.
  • Does not crash during usage.
  • LDAP integration (if possible).
  • Optional backup/restore, but if included, must work well.
  • Functional clone/move.
  • Functional update management.
  • Translation support.
  • In the About page:
    • Contact information for the supporting company/person (name, website, email).
    • Links to the original project and app’s source repository.
    • Link to the manual/documentation page.
    • Clarification on support duration, update management, and upstream upgrade (update frequency, major release).

App Info page

The App Info page of each app in the software center should display:

  • The list of certified requirements.
  • The certifier (Nethesis, another company, or entity).
  • Author.
  • Version date.
  • [Number of installations / Rating].

Staging (Level 0) :test_tube:

Apps created by the community and residing in authors’ personal repositories:

  • Not required to meet the Software Center Checklist.
  • Each app generally has a reference discussion in the App category.
  • These apps remain outside the Software Center; we assume no responsibility for their functioning.
  • Level 0 because it has no entry barrier; creating a new topic and providing installation information is sufficient.

Community (Level 1) :people_holding_hands:

Apps produced by the community and authorized to enter NethForge. It’s a sort of community self-certification with minimum requirements:

  • Must meet the Software Center Checklist.
  • Tested and certified by (at least 2-3?) community members.
  • Support from the app creator in the community (with link to the reference discussion).
  • App entry in the manual’s table (generated by PR or automatically).

Certified (Level 2) :1st_place_medal:

Apps produced by third parties (e.g., Software Company Name) but certified by Nethesis (or people on our behalf).

Requirements:

  • Developed and supported by another company.
  • Request for a manual page with essential information.
  • It must be clear:
    • who to ask for support.
    • how long the app will be supported.
    • how updates will be delivered.

Official (Level 3) :star2:

Apps produced by Nethesis and certified by Nethesis. Includes Software Center Requirements + Level 1 and Level 2 requirements. Developed and supported by Nethesis, e.g. WebTop, NethVoice, NethSecurity Controller.

  • Request for a comprehensive manual page.
  • English and Italian translations.

What do you think?

4 Likes

I wonder why 3 categories/levels. I mean, if it is in Software Center (via controlled repos) the module is certified. Who made the module to me is a minor detail, but not worth categories. Next to that, everybody can add a repo just like with NS7.

What exactly are you trying to achieve? For the proposal is full of mandatory requirements that could limit the feeling of being free to create a module and release it to whoever wants to install it.

If you would like to categorize stuff, then I would suggest you only endorse the official repos. Anything else is ‘use at your own risk’, which it is anyway, despite categories or not.

It has always been Nethesis repo or community member repo. Crystal clear to me.

So what I think? Too much mandatory, over-regulated and useless, for nobody takes responsibility for a module anyway. Why would Nethesis want to control community work?

BTW, calling community repos ‘Jungle’ and level 0 and represented by a monkey avatar is not done imho and I find it very offensive.

HTH

1 Like

This is a very welcome move.
@alefattorini there is also something I would like you to take note of, which I have experienced.

As with level 0, true, there could be apps built and just sitting on the developer repo, and by not being in software centre, meaning does not have a published app repo.

There are also instances of apps built, shared by community, but because it may not have traction by community, and the developer has users with use cases for it, may choose to publish the app in their own software repository.

We currently have Genforge repo available, that has a number of apps.

While our goal is to have most of those apps published on the NethForge repo, so that they are widely available to more users, there are apps that I am not sure would be possible to have listed on NethForge.

Why do I say this?

  1. Will the community test all the apps, even if they don’t use them?
  2. Will NethServer/Nethesis provide the resources for testing non-conventional apps and iterate on the tests till the app meets the required test conditions?

Assuming I am building a technical engineering app, the community will have no need to test that app, since no one uses it.

Equally, I am not sure if NethServer, unless it changes, would dedicate resources and time to test the solution if no single community member has tested the app.

Will there be a dedicated person from NethServer whose purpose is to test apps and approve them? I must admit, I have gotten some rather harsh responses on the testing of submitted apps for listing on NethForge (that’s old news anyway).

Testing is the biggest problem. The developer might test most workings, but might for one reason or another overlook some other aspects; it does not mean they intended to submit a subpar app. That being the case, a lot in terms of testing needs to be put into consideration.

Note:
NethDev have more experience with the platform than anyone else, and equally, significant support and effort are required to help app devs test and refine apps; it’s an iterative process.
So in the testing process, if coming from internal or certified testers, it would be good if there is proper feedback on something like below:

  • We can not add your app to the repo, because it does not implement backup and restore, yet it can be supported.
  • Kindly implement feature A and B first then request to relook.
  • Function this is not well implemented, look into it.
  • And so on.

Basically, more clarity would help foster better development for future app developers; otherwise it’s a learning experience and a great move.

Yep, just edited with a new name

Actually, we never properly used NethForge on 7.
I’d like to give more visibility to a community member and the possibility to add his app to a certified repo. Not only on his personal repo. But we need to check his work, and checking an app requires time.

Yes but it won’t be an open app store to everyone.

You misunderstood the move; on the contrary, we need to open. I’d like to give the chance to everyone to create his own app, certified by others (clone, move, backup, and so on).

Who certifies the testing community members? Is a ‘it works for me’ ok? Is it 2 or 3?
Mandatory support?
What is PR?

Pull Request–it’s how you propose changes to a GitHub repository.

2 Likes

Since I can’t judge it myself in the slightest, it would be important to me to have a certificate that basic security standards are not being violated and that the app can be considered secure according to the state of the technology.

3 Likes

+1, this is very important for a server facing the internet.

1 Like

@Lucia_A @andre8244 and I are working on the Software Center mockup, and we would love to get your impressions and feedback on this working draft of the future app list appearance.

Main changes in the app list are:

  1. Certification Level “badge” image, with a tooltip explanation shown when clicking on it.
  2. The badge Level count starts from 1, there is no level zero. Levels are five.
  3. Multiple app categories are displayed.
  4. App descriptions have been removed.

As said, the badge levels are five. These levels give a concise description of various aspects of the app, so an explanation is necessary.

  • Origin: Is it from a nethserver.org repository (i.e., subscription, default, nethforge) or not? If the repository is not official, the app is Level 1.
  • Certification: Is it certified by the Community or by Nethesis? Community certification brings Level 2, and Nethesis certification brings Level 3.
  • Author: Applications made by Nethesis are Level 4.
  • Support: If the cluster has an active subscription and the application support is included in the subscription, the app is Level 5.

We appreciate any feedback you can provide on these changes.

Thank you!

3 Likes

I would like to be able to ALWAYS see what origin was used to install the module/app. Not just the ones from Nethserver controlled repos represented by a number. Even if the original repo is no longer defined as a repo but was in the past. Things change, and authors/maintainers change.


Anyway, community apps/modules are always level 1 or 2 in this proposal.

So Odoo is L3, Zammad is L1 or L2, Mail is L4 and anything covered by a subscription is L5, right? Where does Dokuwiki fit in?

To me (I am not interested in a subscription) the most important insight is ‘made by whom, and installed from where and when’. So, an install date would be welcomed too.

It would also be nice and very handy if a list can be ‘printed, exported, PDF’ed, save locally with date in naming’ from the separate tabs with the various info in columns.

ps. It would also be nice/wise to have info available on HOW a module got installed. Via Software Center or manually like currently many. Also sys admins change so this is all valuable info.

HTH

I think that numbers are complicated to understand and remember. Let me explain: I never remember trust levels on Discourse but always the name attached.


Numbers don’t speak, they don’t say anything.
Otherwise, you would use numbers instead of words in product pricing plans.
It’s hard to remember numbers, that’s for sure.

Thanks for your suggestion; as for now the goal of the new software center is properly filtering apps based on their “aspects”.

A simple pop-up upon hover would be sufficient I guess.

There is a lot of white space on the app listing, especially on the left and right padding; could that be improved?

I think it would be nice to still retain app description, even if not on the Main page, but somewhere somehow, we need to see description of the app.

In relation to certification, would Nethesis/NethServer work on certifying apps not initially posted on NethForge? That way, if an app is certified, even when in an external repo, upon submission to NethForge approvals are easier since the verification has been done.

Wouldn’t it also be nicer if app developers would write the documentation in the wiki before submissions, then it could be added into the Official Docs? To me it seems a bit more cumbersome having to do a PR for the docs of apps developed; too much overhead at the moment.

1 Like

I came across this link here: NetBox Plugins - NetBox Labs,
which lists community and official plugins developed for NetBox.

And I thought to myself, while we are working on improving the Software Center and apps listed on it, wouldn’t some of their ideas work for us as well?


@davidep what do you think?

Take note of the badges and how they have been applied.

  • Apps with support: [image]
  • Apps that are certified: [image]
  • Other kinds of badges: [image]

We can still retain the number system, since the dev team has worked a lot on that. However, in addition to that, wouldn’t it be great to have badges like these on the software center apps? More visual and easier to understand.

3 Likes

Nice suggestion Martin, I guess that devs will consider this example.

1 Like

I’m testing the new Software Center, and everyone is invited to test it as well. You can do this by installing the core from a specific development branch with the following command:

bash install.sh ghcr.io/nethserver/core:feat-sci

This feat-sci branch introduces several improvements, including the idea of defining a certification path for NS8 applications. Here are the basic rules that have been translated into code so far:

  1. Private repositories are considered untrusted. When an additional repository is created, a warning is displayed. Applications hosted by custom repositories are assigned a trust level of 1 out of 5.

  2. The NethForge repository is considered to have medium trust. If an app is hosted on NethForge, it is “certified by the community” and given a trust level of 2 out of 5. Rootfull modules are displayed with a warning if the trust level is less than 3.

    Note that the App info modal window now displays the repository that contains the application.

    Rootfull app warning is displayed also in the install window.

  3. Applications hosted by the default or subscription repositories have the highest level of trust, “certified by Nethesis,” and are assigned a trust level of 3, 4, or 5 out of 5. A level 5 trust is visible only if the cluster has an active subscription.

In addition to the app certification system, this development branch includes other improvements, such as limiting the installation of the Mail app to a single instance on any given node.

Looking ahead, we must address important security aspects related to app distribution. Beyond evaluating the work of app developers—who, at this stage of the project, are personally known and trusted—we must also consider the container images that compose the app. These are listed in the App Info modal window, as shown in this detail from previous screenshots:

The Software Center we plan to release in the coming weeks, after testing is complete, still doesn’t fully realize our vision. However, it is a step toward the goal of having an NS8 Software Center with many quality applications, open to contributions from everyone.

Questions, doubts? Any feedback is welcome. Thank you in advance!

5 Likes
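
Added example (not part of the original post, and not NS8's own code): a sketch of the trust-level rules described in this post, combined with the Origin/Certification/Author/Support breakdown from the earlier mockup post. The `App` record, its field names and matching repositories by name are assumptions made for illustration.

```python
from dataclasses import dataclass

# Repository names as they appear in the thread. Matching on a display name is
# an assumption; a real implementation should key on the repository's identity.
NETHESIS_REPOS = {"default", "subscription"}
COMMUNITY_REPOS = {"nethforge"}


@dataclass
class App:  # hypothetical metadata record, not an NS8 structure
    name: str
    repository: str
    nethesis_authored: bool = False
    support_in_subscription: bool = False
    rootfull: bool = False


def trust_level(app: App, cluster_subscribed: bool) -> int:
    """Return the 1-5 trust level described in the thread."""
    repo = app.repository.strip().lower()
    if repo in COMMUNITY_REPOS:
        return 2  # NethForge: "certified by the community"
    if repo not in NETHESIS_REPOS:
        return 1  # custom or unknown repository: fail closed to lowest trust
    if app.support_in_subscription and cluster_subscribed:
        return 5  # only shown while the cluster subscription is active
    return 4 if app.nethesis_authored else 3


def install_warnings(app: App, cluster_subscribed: bool) -> list[str]:
    """Rootfull apps get a warning when the trust level is below 3."""
    level = trust_level(app, cluster_subscribed)
    if app.rootfull and level < 3:
        return [f"{app.name}: rootfull app with trust level {level}/5"]
    return []


if __name__ == "__main__":
    # Constructed sample apps, not real Software Center entries.
    samples = [
        App("example-a", "my-private-repo", rootfull=True),
        App("example-b", "nethforge"),
        App("example-c", "default", nethesis_authored=True,
            support_in_subscription=True),
    ]
    for app in samples:
        print(app.name, trust_level(app, cluster_subscribed=False),
              install_warnings(app, cluster_subscribed=False))
```

Note that the same app drops from level 5 to 4 (or 3) when the cluster subscription lapses, and that any repository not explicitly recognised falls to level 1 rather than inheriting trust.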

I’d like a PR, as a formal submission request to include an app in NethForge. We can work on simplifying the PR complexity as much as possible. I think it is something we’ve to do.

This is something that we have to define. How is the verification communicated? Attached to the PR?

I understand, we can lower this requirement for NethForge apps. Maybe a community Wiki page is acceptable, too. In my opinion, the important things are

  • documentation links point to community wiki, or admin’s manual page
  • the linked resource contains contact information and a statement about the app author’s commitment to release future application updates
  • links to the upstream software documentation and other useful information should be placed there too

Other app contributors, e.g. @mrmarkuz and @stephdl, please chime in :hugs:

2 Likes

We need to help the developer to get the best way, the best secure way of development for a module to NethForge:

  • do not be rootfull
  • backup & restore action
  • clone action to move the module among the cluster
  • documentation well designed to configure/interact with the module from the CLI API
  • a wiki where the community can add tips and use cases
  • be available to fix bugs and issues
  • no redundant apps, if you have ideas, or enhancements, try to do a PR to the apps, do not ask to fork it.
  • the apps must be updated, follow the version of the apps
  • listening to the needs of the community

Indeed, to pass the certification it will need work between the responsible guy and the developer, like we do at Nethesis among all developers. We ask another developer or a group of developers: what do you think? Please argue and comment.

This is the only way to get the best code and to be sure to think of all possible problems or issues. It is not a harsh talk, nor a police interrogation, but the good way to do things. For sure it is always easier to code alone, you go faster, but together we go further.

so

  • ask the need to the community
  • code the apps (possibly in your repo)
  • test the apps with the community
  • ask to be certified to NethForge
  • do a PR to NethForge
  • work together with NethServer team to complete the validation
  • be happy you have been accepted

7 Likes

Let’s work on this jointly here please.