Marketplace, PACL, and Community Plugins

If you've been developing plugins for the Liferay Marketplace, you're undoubtedly aware of the issues surrounding the development and publication process for apps.  The main issues are around the required use of the Security Manager (aka PACL), which has proven challenging to get right (or not even possible to make work, depending on the nature of the app, and the use of certain frameworks/libraries). This, plus other issues in the most recent release (such as LPS-29103) has meant that many of our most valued community members have been prevented from publishing to the Marketplace through no fault of their own, and they have not been shy about letting us know of their concerns (see here, and here). I personally find it very encouraging to see such passion and constructive criticism from our community, and I'm happy to report that we're making significant changes to the Marketplace to address these concerns and make Marketplace the high quality, go-to place for Liferay apps.

Here's what the team is working on right now:
  • Remove the requirement for Security Manager (aka PACL) to be enabled
  • Improve the "Denial Reasons" given when apps are rejected (usually because they fail a test case)
  • Document the environments in which apps are tested and more clearly specify requirements for metadata
  • Improve the Security Manager developer experience
The first item in particular is intended to bring back the kind of functionality we had in the legacy community plugins repository, but still ensure that the Marketplace contains quality apps that actually work as advertised (since apps will still be run through anti-virus checks and basic smoke tests). App developers will have a choice to publish their app with or without the use of PACL, and apps will be marked as such when viewed on the Marketplace. This will also make it less ambiguous for developers looking to enter the Marketplace App Contest with apps that otherwise work without PACL. PACL will still be required for apps offered for sale (once that feature is available). 
 
The other items relate to improving the developer experience of developing for Marketplace. We now have hundreds of apps and registered developers (not including Liferay itself) who are publishing to the Marketplace, and it's critical that the development and publishing process be as smooth, intuitive, and informative as possible. This is foremost on the team's mind, and if you have any additional feedback (besides those mentioned above), don't hesitate to make yourself heard either in the comments below, or in the Marketplace Developer forums.   We are hoping to implement these changes in the next couple of months, to resolve the difficulties with Marketplace development.
 
As far as the PACL experience, in the next Liferay releases (for both 6.1 and 6.2) will be a new PACL policy generator tool ( LPS-32200) which will vastly simplify the creation of a PACL-enabled app. If you want to test-drive it now, go grab the 6.2 Milestone 5 build - it's fully implemented and ready for you to try out ( here's how).
 
Finally, I want to let you know that we (as a company) make every effort to listen and respond to the open source community. We don't always get everything perfect right out of the gate, and sometimes it takes a while to make a change, but please know that Liferay depends on its community to point out the good and the bad, and make corrections as necessary. This is another example of why open source and open development processes are vastly superior to the alternative.
Blogs
Great news!!! Thumbs up to the decision about the possibility to disable the Security Manager for non-paid apps.
We will test our apps and let you know.
Cheers.
Yesssss!! 10 completely ready plugins coming up and we have a pipeline of about 8 more including a working integration with VMWare conductor and Plesk! This is the best Liferay news in a year!
I will be keep in touch with this thread and with your company website to be the first to be informed of these great news!
Thanks everyone for the feedback. We're certainly doing our best to make iterative improvements as we go along. And specifically, we hope to push this out sooner than later.
Hi James,

Does this mean we can now already submit a portlet with security manager disabled? Or should we wait until further notice?
@Peter yeah, you have to wait -- right now, during the app submission process, it'll fail if PACL is disabled.
James:

I am sorry to be the negative person here but i can't believe that after 8 months from the GA2 publication date we still don't have a solution for this issue. According to this blog we still have to wait almost an extra month. I am completely disappointed. I have no other choice to see this as one more of many promises already done.

Just to show that i am really trying to make this work, i tested with the 6.2.0 M5 as you suggested and of course, it didn't work as expected but i will post this in the right place.

I really hope LR start helping its community and not the other way around.

Marcelo
Hi Marcelo,

Just to keep you in the loop, I met with our engineers last week and this week also. The changes that James describes (removing the PACL requirement) is now code complete. We're now trying to get the changes pushed live even sooner and are hoping to get it out in ~1 week. Thanks for being patient with us.
Our developers are already working on the change. We don't imagine the change to take much work, but then we have a 2-4 week window of testing before the change is pushed live. So hopefully within the next month!
Just tried to upload my plugin. Failed because I don't have security manager enabled. When are the upload restrictions going to be removed?
Hi David,

Sorry if I wasn't clear in my last comment, but the changes won't be live for another week. I'll make sure to update everyone here when everything is live.
@BrianKim Do you think this week the upload restrictions will be removed?

Thanks in advance.
Hi everyone,

You should be happy to hear that they're now live. Thank you for being patient with us while we made the necessary changes. The only change you should see when adding an app is that you can now submit apps without PACL enabled. Specifically, please check the checkbox at the bottom that states: "This app does not use Liferay's PACL Security Manager." Again, thanks again for all the feedback and please keep the app submissions coming!
Brian,

Are you only removed the PACL requirement or you also published a new version?
I mean, most of our portlets are based on Spring/Spring MVC and the GA 2 version has a lot problems related to them. Most of them are already fixed according to the LPS issues. So, if the new version GA3 is published all of our portlets will work. If not, we will still have to wait up to the GA3 is released to upload and share them.
TIA,
Marcelo (RCS)