Mikkel Høgh

Drupal is still a gated community

One of the things the Drupal community prides itself on, is how open the community is. And that is generally true, but there's one exception.

And that is the Kafkaesque horror-show we subject any newcomers that would like to publish their code on Drupal.org to. It goes by the name of “Project Applications“.

Never ending reviews

I know several people who've hit this wall when trying to contribute code. It's not uncommon to wait several months to get someone to review your code. And when it does happen, people are often rejected for tiny code style issues, like not ending their comments with a period or similar.

And even if you manage to satisfy all the reviewers (many of whom are just reviewing to earn “Review Bonus”, see below), you can still wait several months for the powers that be to give you the magic stamp of approval.

Consequently, people give up. Who knows how many valuable contributors we lose, because they feel unwelcome and unappreciated? Most of the criticism in this issue from 2010 is still true.

“Review Bonus”

As mentioned before, the common answer to people that are frustrated with the waiting time, is that they should go get some brownie points to expect getting reviewed any time soon.

Basically, the messaging goes a bit like this:

Oh, you're unsatisfied with having to jump through all these hoops to contribute to our open source project? Here's some more hoops to jump through.

If there's a more efficient way to make people angry, I can't really think of it.

And as another problem, because of this sweat-equity requirement, you now have newbies reviewing each other's code, with all sorts of perverse incentives to just review quickly and cursorily to get the review bonus, futher exacerbating the problem.

Only applies to newbies

I've never had to gone through this. Neither have many Drupal developers I know. Because we were grandfathered in from the old CVS access system. It also had reviews, but to my memory, these were a lot less strict.

And once you pass the initial review, you're given the keys to the kingdom. After that, you can create as many new project, and publish as much terrible code on Drupal.org as you want to.

Does it work?

Not really. At the time of this writing, there were about 300 open requests in the Project applications queue, most of them more than a month old.

Is this even necessary?

In a word, no. I think Drupal is pretty unique in this regard. All other big open source communities I know of have no such requirements.

Packagist for Composer, GitHub, npm, Bower, etc. all allow anyone and everyone to create packages.

I imagine that some would argue that scary things can happen if you allow people to publish code without review. But if someone had sinister intentions, it would not be hard to wait with publishing malicious code until after the review, would it?

It's a bit like we're trying to achieve Apple's model for their App Store on Drupal.org, where everything is reviewed and safe to install. With the important difference that we don't have hundreds of full-time employees to make such reviews in a timely and professional manner.

End the madness

We can end the madness. We have the new community role on Drupal.org. How about we just require that for code publication, rather than trying to boil the ocean.

To my great shame, I was part of the initial discussions about this system, at DrupalCon Copenhagen in 2010. Back then, we were concerned about review times, and time has proven us right.

It was a valiant attempt. I think it's pretty clear that it does not, and will never, work to the degree we need it to. So let's change, make new people feel welcome again.

Update, June 4th, 2015

There has been some discussion about a change of these policies at Drupal.org. If you're interested in this matter, that would be the place to go make your voice heard. I have posted a follow up of my own on that thread.