Out of curiosity, does Backdrop have a similar vetting process for modules as on drupal.org? I'm trying to rework this section of Drupal for Humanists and I'm not sure how much of it is still relevant, or what separate assurances can be made for modules on backdropcms.org.
Relatedly, am I right in getting the sense that, given this smaller community, there's fewer people publishing modules separately on Github? (There's at least one major digital humanities Drupal development company that publishes its modules only on Github; I may end up trying my hand at porting some of those modules to Backdrop.)
The text for the section is below:
----
As a general rule, you should only install modules that you have downloaded from backdropcms.org. For a module to be listed on backdropcms.org, it has to meet the Backdrop coding standards (which require, among other things, that the code be well-commented to make it easier for other programmers to understand), pass a series of automated tests, and be free of identified security holes (which could put your site in jeopardy of being hacked). While the degree to which modules are actively maintained does vary, if a security hole is found in a module, the module will be removed from backdropcms.org if it is not updated to address the problem in a timely manner.
[...]
There are many modules that are published on Github, or on project websites. In some cases, the developers don’t feel like it’s worth publishing the module on backdropcms.org because it’s designed for a niche audience. In other cases, publishing the module on Github is a way to make a module available while it is waiting to be reviewed on backdropcms.org. Many well-known Backdrop modules that have been developed for digital humanities are not distributed on backdropcms.org. For modules that aren’t distributed on backdropcms.org, it’s harder to get information on how many people have the module installed, and it may be more difficult to find out how well the module works, depending on whether there’s a pointer to an active issue queue. There’s also no guarantee that the code meets Backdrop coding standards. Nonetheless, at least for modules developed within the digital humanities community, you may be able to alleviate your concerns through typical communication channels (e.g. inquiring on Twitter or DH Answers), or even asking the developers directly. You can also send an email to the Backdrop for Humanists mailing list, linked from the Backdrop for Humanists site. Particularly since these modules are designed specifically to address digital humanities use cases, they should not be considered off-limits due to the way they are distributed, but a little extra caution is beneficial.
yes, and no. There is very little vetting for modules in either location.
Anyone can post a module on drupal.org with no vetting at all (this has changed recently). The review process for Backdrop projects happens at the time someone's FIRST project is added, and is really only there so we can welcome people, and offer assistance if needed.
> it has to meet the Drupal/Backdrop coding standards
These standards are guidelines, not requirements. There are many popular modules that do not meet coding standards.
> pass a series of automated tests,
Automated testing is optional on Drupal.org. For Backdrop, automated testing is possible using both Travis CI and ZenCI, but neither are automatically running at the moment. (And the tests themselves are provided by module maintainers, so any automated testing will only cover what is specifically tested.)
> While the degree to which modules are actively maintained does vary, if a security hole is found in a module, the module will be removed from backdropcms.org if it is not updated to address the problem in a timely manner.
This part is nearly the same, only the Backdrop Security Team will not only identify an issue with your project, but help you solve it, if needed.
The rest looks spot-on!