"No Sender" is a module that suppresses the inclusion of a Sender header on outgoing email. The main purpose is to avoid the often-unsightly "Sent by [sender header] on behalf of [from header]" style messaging that some mail clients show when there is both a Sender header and a From header. drupal_mail() always sets the former to the site email address, while the latter can often be a dynamic value populated by Webform and the like. In many cases, with support from relevant email RFCs, it's desirable to have only a From header.

Project page: https://www.drupal.org/project/nosender

git clone --branch 7.x-1.x https://git.drupal.org/project/nosender.git
cd nosender

I have not yet had a chance to participate in the Review Bonus program, but I am otherwise active in the community with a relatively solid understanding of web security. Being a trivial module, I understand if this is insufficient for the vetted role to be granted, but please do consider things like adherence to Drupal coding standards in this small sample.

Thanks,
Mike

Comments

mforbes created an issue. See original summary.

mforbes’s picture

Issue summary: View changes
mario steinitz’s picture

Status: Needs review » Needs work

Just some (semi-)automated tests:

Git errors:

Review of the 7.x-1.x branch (commit 80599bd):

  • Coder Sniffer has found some issues with your code (please check the Drupal coding standards).
    
    FILE: ./nosender.module
    --------------------------------------------------------------------------
    FOUND 2 ERRORS AFFECTING 2 LINES
    --------------------------------------------------------------------------
     1 | ERROR | [x] The PHP open tag must be followed by exactly one blank
       |       |     line
     5 | ERROR | [x] Doc comment short description must be on the first line
    --------------------------------------------------------------------------
    PHPCBF CAN FIX THE 2 MARKED SNIFF VIOLATIONS AUTOMATICALLY
    --------------------------------------------------------------------------
    
    Time: 117ms; Memory: 4Mb
    
  • No automated test cases were found, did you consider writing Simpletests or PHPUnit tests? This is not a requirement but encouraged for professional software development.
mforbes’s picture

Status: Needs work » Needs review

Thanks for the quick turnaround, Mario.

I unfortunately ran into some environment issues installing PAReview.sh and its dependencies myself (macOS; will try again on Ubuntu), and the online version prominently linked from Coder's project page seems to be registered but not currently resolving.

The fixes are committed now. I had considered tests, but concluded that a lack thereof would be acceptable due to the trivial nature of the module combined with the fact that a good test involves receiving email (not something a headless browser engine might do).

mario steinitz’s picture

Yes, the PAReview.sh service is currently down. I'm working on a refurbished solution for it and was using your application for testing the script. - Feel free to open an issue in the PAReview.sh issue queue for your installation problems.

mario steinitz’s picture

Issue summary: View changes

Altered git clone command to be used by non-maintainers.

mario steinitz’s picture

Status: Needs review » Needs work

And this is the result of the current check. The module documentation needs some fixes.

Review of the 7.x-1.x branch (commit aca8d45):

This automated report was generated with PAReview.sh, your friendly project application review script.

mforbes’s picture

I precisely followed some other conflicting documentation on building my README.txt:

I don't believe it's right for https://www.drupal.org/docs/develop/documenting-your-project/module-docu... to use the word "should" if opting out yields reverting to "Needs review" status. Let's replace "should" with "must" on that page if that is the case! Or if not "must," then at least "should -- if you want security coverage!"

Please don't get me wrong, I am a strong believer in standards and clean code; I am happy to use the template if that is expected. "Should" is just an awkward way to set expectations that are then enforced.

mforbes’s picture

Similarly, https://www.drupal.org/docs/develop/documenting-your-project/module-docu... goes on to say "All but the most trivial modules should implement hook_help()."

Not only is "should" used, but even if it were "must" instead, this module is almost certainly one of "the most trivial modules," no?

I can certainly fix both of these issues with this module, but I can't help but voice my concern that the documentation on what is expected should (hah!) be as forceful as the review process.

mforbes’s picture

Status: Needs work » Needs review

Addressed README.txt and hook_help() issues. See comment #4 regarding tests. Anything else you think this needs please let me know! Thanks.

mario steinitz’s picture

Ok. Let's say the interpretation on whether there is a need for hook_help() or not is kind of fuzzy (and obviously also dependent on the final reviewer). The review suggestion to adding it comes up a lot of times. - Personally, I'd say it doesn't hurt adding it and definitely should be considered best practice for any matured module. (Probably we really have to ask within the best practices group to finally make sure.)

However, with the README we have an explicit requirement for Security Advisory Coverage in https://www.drupal.org/node/1587704, Section 5.3:

Please make sure you have a README-file that follows the guidelines for in-project documentation and is based upon the README Template.

I don't know what was first, the project page template or the README documentation that suggests using the content of the project pages. But Security Advisory Coverage want's you to use the README template, as it's the most recent agreed on schema (even it differs from the project page template).

mario steinitz’s picture

Status: Needs review » Reviewed & tested by the community

Reviewed and did not find any further issues. (It's a small module anyway.)

mforbes’s picture

Ah, that makes sense. Hooray, RTBC!

mforbes’s picture

Priority: Normal » Major

"awaiting response from a reviewer for 2+ weeks"

mario steinitz’s picture

Welcome to the club. ;) - No honestly, the final reviews take a long while to being processed. The Git admins seem not to being too active with final reviews or just too busy with other tasks. A final review includes checking the entire code base for obvious flaws, probably installing it on a test environment, and finally agreeing that the developer met all QA requirements. Above semi-automated checks and manual community reviews are just the first stage to not letting them have to start with low-quality code.

Sometimes there are batch accepts to clean the queue. Otherwise we just need to be patient till one of the admins has enough spare time to spend on the final review.

PS.: After a decent enough waiting time (a month+), you may gradually increase the priority of your issue. It might help in RTBC status. And meanwhile feel free to review other module applications for RTBC suitability.

mforbes’s picture

Yep I get it, no problem at all. Just going through the motions, following the guidelines at https://www.drupal.org/node/539608 -- they say Major at 2+wks (Critical at 4+wks) but are you saying I should've waited until a month+ for Major despite the guidelines?

mforbes’s picture

Priority: Major » Normal

Aha! After re-reading the guidelines, that 2wk/4wk timeline is only for issues in "Needs review" status, not RTBC... I somehow missed that bit. Back to normal.

rajveergangwar’s picture

Hi,
Its better to have maintainer email id and name in README.

Module looks good for me

RTBC+

mforbes’s picture

Thanks for the review!

https://www.drupal.org/node/2181737 says "This section is optional" regarding maintainers. The template ought to say "You should have this section" if having it will be recommended. If I dissent on a "should," having a discussion is great and I would be hard-pressed to argue my position; if I omit something that is "optional," isn't that perfectly agreeable?

rajveergangwar’s picture

@mforbes

Yes, it is optional, But if you put your email id or profile link, so users can directly contact to you.

The module is working perfectly. Nice job

avpaderno’s picture

Assigned: Unassigned » avpaderno
Status: Reviewed & tested by the community » Fixed

Thank you for your contribution!
I am going to update your account so you can opt into security advisory coverage now.
These are some recommended readings to help with excellent maintainership:

You can find more contributors chatting on the IRC #drupal-contribute channel. So, come hang out and stay involved.
Thank you, also, for your patience with the review process.
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

I thank all the dedicated reviewers as well.

avpaderno’s picture

mforbes’s picture

Thanks kiamlaluno!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.