@matks matks commented Jul 15, 2025

| Questions | Answers |
| --- | --- |
| Description | Publish a page to reduce the risk of damage caused by links sharing unofficial, thus untrustworthy, resources |
| Fixed ticket | |

@matks matks merged commit 265d5bf into PrestaShop:master Jul 15, 2025
1 check passed
@matks matks deleted the shared-zip branch July 15, 2025 07:20

Hlavtox commented Jul 16, 2025

Oh okay, so now you will even ban links to other ZIPs other than the company one.

matks commented Jul 16, 2025

On PrestaShop digital space (GitHub, the blog, etc…) there are people who do not understand exactly what is a PrestaShop distribution and there is a risk they would simply follow anyone’s link to a downloadable archive and download garbage or virus-loaded code.

I refuse to let this happen on this digital space at least, so I would like only official distributions to be mentioned. If someone wishes to showcase his own distribution he can do this on his own digital space, not here.

Hlavtox commented Jul 16, 2025

@matks

I can't find any reason why me or @ShaiMagal, maintainers of the project, can't link to our builds of PrestaShop. Builds that are absolutely safe, built from official sources and transparent. They are not misleading or harmful in any way.

I fully understand the intention to protect users from malicious third-party links. However, enforcing a blanket ban also ends up hurting those who are genuinely trying to support the ecosystem by offering practical, community-driven alternatives. If maintainers and trusted contributors can’t even reference their own clean and helpful packages, it sends a clear message that PrestaShop’s digital space is closed to contributions that don’t come from the corporate entity - even if those contributions are better for the users.

matks commented Jul 16, 2025

> I can't find any reason why me or @ShaiMagal, maintainers of the project, can't link to our builds of PrestaShop. Builds that are absolutely safe, built from official sources and transparent. They are not misleading or harmful in any way.

Who says your builds are absolutely safe, built from official sources and transparent? You, yourself? It does not work.

The only way to say something is safe would be to have someone else review it. Just like we don't review our own Pull Requests, test our own Pull Requests, merge our own Pull Requests. There's always another person, and on the Core it's 2 approvals we need not one, because the Core is critical.

I'm not going to start complexifying the rule 😅 "so only official distributions are safe UNLESS it's a distribution from a maintainer BUT it has to be reviewed by..." : there is one official distribution of PrestaShop 9.0.0, verified, tested, reviewed, I don't go further. Plain and simple.

Touxten commented Jul 16, 2025

It's easy to check though, if the build uses the PrestaShop/PrestaShop repo on a tag it's very easy to check if the files have been modified.

The distribution has been tested and validated by PrestaShop 🤷

Hlavtox commented Jul 17, 2025

@matks

If a maintainer like me or @ShaiMagal isn't trusted to provide a safe ZIP, even one verifiably built from PrestaShop/PrestaShop without modification - then what's the point of being a maintainer at all? You trust us not to break the project, but you don’t trust us to link to a clean build?

If you don’t want to allow links on official PrestaShop channels - fine. That’s your decision. But please be transparent that this is not just about "security", it’s about control.

We are not bound by arbitrary rules made up without discussion or consensus. I will continue to support merchants and developers in the best way I can, with or without your approval.

matks commented Jul 17, 2025

> If a maintainer like me or @ShaiMagal isn't trusted to provide a safe ZIP, even one verifiably built from PrestaShop/PrestaShop without modification - then what's the point of being a maintainer at all? You trust us not to break the project, but you don’t trust us to link to a clean build?

It seems you got it wrong. As a committer you are trusted to be able to help the project team through multiple activities, including code review, which is very important for an open source project. But no, I don't trust you to do everything; this is not a free pass to do whatever you want. Else I could just make you admin of the project, yes? It is a limited level of trust, not zero, not one hundred.

> We are not bound by arbitrary rules made up without discussion or consensus.

Actually yes you are. If you read https://www.prestashop-project.org/maintainers-guide/how-to-become-a-committer/ it says:

> Requirements to continue being a committer
>
> (...)
> - Respect & enforce the project’s issue and code review workflow.
> - Respect & enforce convergence with the project’s goals.
> - Put the best interest of the project before one’s own (in case of conflict of interests).

So if you don't respect convergence with the project goal, and this policy includes it, you cannot remain a committer.

If you're not willing to work with the group following the group rules 🤷 you cannot be part of it. I've seen it before and I know that a group where different people don't want the same thing is bound to fail.

Hlavtox commented Jul 17, 2025

@matks Wasn't I a maintainer of the project, or something changed?

So you introduce a group rule, without discussing it with anyone from the group, and suddenly I am wrong for not following it?

You know which group is bound to fail? A group where certain individuals promote their own interests for their benefit.

Touxten commented Jul 17, 2025

I think like Daniel!

Why not just write for the future of PrestaShopCorp we will remove links to other distributions?

That would be clear.

Assume your position matks! On the other hand, taking contributors for smurfs is not cool. I understand my decision more and more, yet I continue to contribute because I believe in the project.

matks commented Jul 18, 2025

I will not continue answering you two because I think you have your own ideas of how things should work 🤷‍♂️ you heard my position, you don't like it and whatever I say will not convince you.
