
Hide Old Themes #430

Open
felicianotech opened this Issue Sep 21, 2018 · 14 comments


felicianotech commented Sep 21, 2018

I suggest we hide themes that fit certain criteria. Here are two examples:

  • themes whose source repo/submodule hasn't been updated for X amount of time. Maybe a year? 18 months?
  • themes whose supported Hugo version is below a certain number. This is probably trickier to pull off though.
Contributor

onedrawingperday commented Sep 22, 2018

There are older themes that haven’t been updated for a year and still work with the current version of Hugo. So I am not in favor of an 18 month cut off time limit.

However there are also older themes that do not work with the current version of Hugo and throw errors. Currently there is no policy about these themes.

Maybe we should notify those theme authors about the need to update by opening issues in their theme repositories. If they don’t respond then we remove those themes from the website.

However this is a decision that needs to be made by @bep and @digitalcraftsman

If they agree with me I could task myself with opening these GitHub issues to the relevant theme repositories.

Member

bep commented Sep 22, 2018

I think we need to make this simple: If a theme has failed to build the demo site for some time (?), then remove it. Reaching out to the theme owner sounds like "too much work". If the theme is valuable, the theme owner will eventually come back with a new issue.

Contributor

onedrawingperday commented Sep 22, 2018

Ok @bep 👍

I also favor the simpler approach but I also think that we need to add a Note about this somewhere in the Themes Repo's README.

Something along the lines of:

Your theme's Example Site needs to be generated with the latest version of Hugo. You will need to keep an eye on current Hugo development and update your theme accordingly, otherwise if your theme's demo fails to generate for a while, we may remove your theme from the website, until you update it.

Anyway, I'm away at the moment but I will send the above in a PR once I can.

Member

digitalcraftsman commented Sep 22, 2018

Hi @felicianotech,

while I can understand your intention for this issue I agree with the others that an 18 month limit or a minimum version number as threshold are not good metrics to decide whether a theme is outdated or not.

Yes some themes are outdated, some only build with ancient versions of Hugo but some of them are just dead simple (e.g. blog or one-page-themes) in the sense that they do not make use of more advanced features of Hugo or have been affected by deprecated ones.

I think we need to make this simple: If a theme has failed to build the demo site for some time (?), then remove it.

Any ideas how we can track this easily without much overhead?

Contributor

onedrawingperday commented Sep 22, 2018

Any ideas how we can track this easily without much overhead?

I know that it is not easy to remove a submodule, since it needs to be done manually as described here

But it seems that the deinit command could simplify things slightly by doing:

git submodule deinit <path_to_submodule>
git rm <path_to_submodule>
git commit -m "Removed submodule <path_to_submodule>"
rm -rf .git/modules/<path_to_submodule>

Of course the first 2 commands could be executed for multiple themes in the console and then make a single commit.

The downside is that we would need to init all theme submodules recursively locally (all 2GB) because otherwise it is impossible to get a comprehensive list of those themes that currently do not have a demo.

@digitalcraftsman I can send a PR that removes those themes that throw errors and don't have their Demo generated, but this will be done once I come back from my trip.


felicianotech commented Sep 22, 2018

18 months was just a number, doesn't have to be specifically that.

Old themes are a problem and here's why.

Marketing / Public Perspective

Old themes look bad. It gives the wrong impression to new users that things in Hugo can be outdated, unmaintained, etc. Seeing themes reference Hugo v0.19 for example as far as what's supported or tested on looks bad.

Security

Many old themes are using old libraries, particularly old versions of JavaScript libraries such as jQuery that will likely have security vulnerabilities.

For example, I checked out this repo and cloned every single theme as well (my laptop wasn't happy). Then I ran grep -ri "jquery.min.js" . which showed that about 169 themes are using jQuery. Just to specifically call out one theme, Greyshade hasn't been updated since 2015 and is using jQuery v1.7.2. jQuery versions predating v3.0.0 all contain vulnerabilities. There's many more themes running old stuff.

I'm not saying that a recently updated theme means it's 100% safe, but the chances of newer software and fewer vulnerabilities go way up.

Showcasing

Newer themes should also serve as a showcase. Older themes may use deprecated features or not even work and the build process just hasn't caught this. I know personally this has affected me many times when looking for a theme to use. It just doesn't work even though it's on the site.

As Hugo grows, there will forever be more themes. Showcasing good ones is important for an ecosystem.


Even if older themes weren't removed, I think it would be smart to downplay older themes and feature newer themes.

Contributor

onedrawingperday commented Sep 22, 2018

@felicianotech

You raise a lot of issues and I will try to be as brief as possible:

RE: Marketing / Public Perspective / Showcasing
Newer themes always go on top. They are rendered by lastmod.

I don't agree with your perspective about older themes. For example the Newsprint theme hasn't been updated since August 2017 but it still looks pretty good in my opinion and I just don't see why it should be removed/hidden/downplayed because it lists Hugo 0.25.1 as a minimum version. If its Demo didn't generate then that would be an issue but currently it works fine.

RE: Security
That is the more important issue you raise and this is something that the others need to think about.

In my opinion Hugo Themes with jQuery should not be accepted, but that also means that the number of themes in this repository will reduce dramatically.

Also funky JS loading mechanisms (e.g. Web Assembly, asm.js etc.) should not be permitted for security reasons.

Anyway I'll keep my eyes in this issue for any big policy changes.

felicianotech commented Sep 23, 2018

@onedrawingperday If you click the download button for the Newsprint theme it 404s. That's the problem.

I don't know much about Web Assembly but jQuery and others are important for modern themes. Especially for static websites since there's no backend to do work. Browser side JavaScript becomes all the more important.

That jQuery CVE page you linked to is exactly what I was looking at when I mentioned security. We're literally on the same page there.

Contributor

onedrawingperday commented Sep 23, 2018

@felicianotech

It seems that the Newsprint theme lives here: https://github.com/SamWhited/newsprint

OK. I will try to notify the author here.


@SamWhited it seems that you have deleted your theme's Bitbucket repository. Furthermore you have closed the GitHub issue tracker for your theme and moved it to Soquee, but I am not opening an account there.

You really need to update your theme's toml to point to the correct theme repository. Please do this otherwise at some point we will have to remove your theme from the Hugo website. Also please have a look at the updated README for guidance regarding updating your theme.

Also this came up in the Forum today and it is relevant to your theme.

Thank you.


CC / @digitalcraftsman

Contributor

onedrawingperday commented Sep 23, 2018

jQuery and others are important for modern themes

It depends. But for the kind of functionality I see in Hugo Themes usually jQuery is not needed at all.

To be quite frank jQuery is a bit of a crutch for lazy people. It was useful once upon a time but in 2018 it's not important at all.

Anyway the above is my personal (harsh) opinion.


However the real reason I am proposing that we should not permit Hugo Themes with jQuery and WASM is security.

The way this repo is structured whenever the theme submodules are updated it is almost next to impossible to know what gets pushed.

Also this is a matter of trust between theme authors and users but as @felicianotech pointed out every jQuery version below v.3 is vulnerable and a lot of themes use the old and vulnerable versions of jQuery.

We simply cannot keep an eye on upcoming jQuery vulnerabilities ourselves and even if we do we would have to manually notify theme authors and tell them to upgrade their library and that is simply not possible.

However these security concerns about jQuery need to be addressed.

Regarding WASM as I posted above this technology introduces a new attack vector in the browser. There was at least one Hugo theme in the past that used this sort of thing. In my opinion this should also not be allowed.

CC / @bep @digitalcraftsman

SamWhited commented Sep 23, 2018

You really need to update your theme's toml to point to the correct theme repository. Please do this otherwise at some point we will have to remove your theme from the Hugo website. Also please have a look at the updated README for guidance regarding updating your theme.

That's okay; I probably shouldn't have added it to the themes page repo since I don't really want to maintain anything outside my own theme repo. Thanks for letting me know.

EDIT: Oh, I see, this is something in my repo, not in the themes repo. Also fixed.

Also this came up in the Forum today and it is relevant to your theme.

Thanks for the heads up! I'll push a fix.

EDIT:

Also please have a look at the updated README for guidance regarding updating your theme.

I didn't really see any information in that readme to help me update my theme; is there something broken or something in particular you wanted me to do? Thanks.

Contributor

onedrawingperday commented Sep 23, 2018

I didn't really see any information in that readme to help me update my theme; is there something broken or something in particular you wanted me to do? Thanks.

Nothing seems broken. I only directed you to the updated README so that you can have a look at the new section about Common Permalink Issues. We have seen older themes being updated with newer Hugo features only to have their Demos broken. This was just a side note.

Contributor

onedrawingperday commented Sep 23, 2018

Ok... I had a cursory look at the Hugo themes that use jQuery and it seems that not permitting it at all would affect many high profile Hugo themes such as Academic etc. (It doesn't really help that frameworks such as Foundation and Bootstrap utilize jQuery.)

Anyway I will water down my proposal and suggest that Hugo Themes that depend on jQuery should use version 3.0 as a minimum. Any themes that use an older version of jQuery should be removed from the Hugo Themes Site because of the security vulnerabilities mentioned above.

If these themes are upgraded they could be submitted again.


@felicianotech It would help the others to decide what to do about the security concerns you raised if you could compile a list with the Hugo themes that use jQuery versions below v.3.0

I could do this myself but I am away at the moment and I don't have the time for this until next week.
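The list requested above (themes shipping jQuery below v3.0) is something the grep in the earlier comment only approximates, since it finds the file but not the version. The script below is an added example, not code from this issue or from the Hugo themes repository: it walks a local checkout with the theme submodules initialised, reads the banner of each core jQuery file, and flags copies below the 3.0.0 threshold proposed in the thread. The threshold constant, the function names and the sample file contents are assumptions made for illustration, and a version threshold is a triage aid, not a vulnerability database.

```python
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

# Minimum jQuery version proposed in the thread (an assumption for this example);
# anything older is reported as outdated.
MIN_JQUERY = (3, 0, 0)

# Core jQuery files only: jquery.js, jquery.min.js, jquery-1.11.3.min.js, jquery.slim.min.js.
# Plugins such as jquery.fancybox.js or jquery-ui.js are deliberately excluded.
JQUERY_FILE_RE = re.compile(r"^jquery(?:-\d+(?:\.\d+)*)?(?:\.slim)?(?:\.min)?\.js$", re.I)
# Banner of minified ("/*! jQuery v1.7.2 ...") and unminified ("* jQuery JavaScript Library v1.7.2") builds.
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?")
# Fallback when a bundler stripped the banner: version embedded in the file name.
FILENAME_RE = re.compile(r"^jquery-(\d+)\.(\d+)(?:\.(\d+))?", re.I)

Finding = Tuple[str, str, Optional[str], str]  # (theme, path, version, status)


def parse_jquery_version(path: str, head: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the banner text, else from the file name, else None."""
    m = BANNER_RE.search(head) or FILENAME_RE.search(os.path.basename(path))
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def audit_themes(files: Dict[str, str]) -> List[Finding]:
    """files maps a path relative to the themes checkout (theme directory first)
    to the start of its content. Only core jQuery files are examined."""
    findings: List[Finding] = []
    for path, head in sorted(files.items()):
        if not JQUERY_FILE_RE.match(os.path.basename(path)):
            continue
        theme = path.replace("\\", "/").split("/")[0]
        ver = parse_jquery_version(path, head)
        if ver is None:
            findings.append((theme, path, None, "unknown"))  # needs a manual look
        else:
            status = "outdated" if ver < MIN_JQUERY else "ok"
            findings.append((theme, path, ".".join(map(str, ver)), status))
    return findings


def outdated_themes(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated names of themes that ship at least one outdated copy."""
    return sorted({theme for theme, _, _, status in findings if status == "outdated"})


def scan_directory(root: str) -> List[Finding]:
    """Walk a local checkout and read only the first 1 KiB of each candidate file,
    which is where the jQuery banner lives; .git directories are skipped."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if JQUERY_FILE_RE.match(name):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read(1024)
    return audit_themes(files)


# Constructed sample (not real theme contents) covering the cases the scanner handles.
SAMPLE_FILES = {
    "old-theme/static/js/jquery.min.js": "/*! jQuery v1.7.2 jquery.com | jquery.org/license */",
    "legacy-theme/assets/jquery.js": "/*!\n * jQuery JavaScript Library v1.11.3\n * http://jquery.com/\n",
    "fresh-theme/static/js/jquery-3.3.1.min.js": "/*! jQuery v3.3.1 | (c) JS Foundation | jquery.org/license */",
    "mystery-theme/static/jquery.min.js": "// banner stripped by a bundler",
    "plugin-theme/static/js/jquery.fancybox.min.js": "/* fancyBox - jQuery Plugin v2.1.5 */",
}

if __name__ == "__main__":
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else audit_themes(SAMPLE_FILES)
    for theme, path, version, status in results:
        print(f"{status:8} {theme:15} {version or '?':8} {path}")
    print("outdated themes:", ", ".join(outdated_themes(results)) or "none")
```

Run it with the path of the themes checkout as the only argument; with no argument it audits the constructed sample and reports old-theme and legacy-theme as outdated, mystery-theme as unknown.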

Member

bep commented Sep 23, 2018

Please, please keep this discussion to the topic title: This is about age and not jquery versions. We have no current way of keeping track of the latter.
