Hide Old Themes

[FelicianoTech]

I suggest we hide themes that fit certain criteria. Here's two examples:

• themes that the source repo/submodule hasn't been updated for X amount of time. Maybe a year? 18 months?
• themes who's supported Hugo version is below a certain number. This is probably tricker to pull off though.

[onedrawingperday]

There are older themes that haven’t been updated for a year and still work with the current version of Hugo. So I am not in favor of an 18 month cut off time limit.

However there are also older themes that do not work with the current version of Hugo and throw errors. Currently there is no policy about these themes.

Maybe we should notify those theme authors about the need to update by opening issues in their theme repositories. If they don’t respond then we remove those themes from the website.

However this is a decision that needs to be made by @bep and @digitalcraftsman

If they agree with me I could task myself with opening these GitHub issues to the relevant theme repositories.

[bep]

I think we need to make this simple: If a theme has failed to build the demo site for some time (?), then remove it. Reaching out to the theme owner sounds like "too much work". If the theme is valuable, the theme owner will eventually come back with a new issue.

[onedrawingperday]

Ok @bep 👍

I also favor the simpler approach but I also think that we need to add a Note about this somewhere in the Themes Repo's README.

Something along the lines of:

Your theme's Example Site needs to be generated with the latest version of Hugo. You will need to keep an eye on current Hugo development and update your theme accordingly, otherwise if your theme's demo fails to generate for a while, we may remove your theme from the website, until you update it.

Anyway, I'm away at the moment but I will send the above in a PR once I can.

[digitalcraftsman]

Hi @FelicianoTech,

while I can understand your intention for this issue I agree with the others that an 18 month limit or a minimum version number as threshold are not good metrics to decide whether a theme is outdated or not.

Yes some themes are outdated, some only build with ancient versions of Hugo but some of them are just dead simple (e.g. blog or one-page-themes) in the sense that they do not make use of more advanced features of Hugo or have been affected by deprecated ones.

I think we need to make this simple: If a theme has failed to build the demo site for some time (?), then remove it.

Any ideas how we can track this easily without much overhead?

[onedrawingperday]

Any ideas how we can track this easily without much overhead?

I know that it is not easy to remove a submodule, since it needs to be done manually as described here

But it seems that the deinit command could simplify things slightly by doing:

git submodule deinit <path_to_submodule>
git rm <path_to_submodule>
git commit-m "Removed submodule "
rm -rf .git/modules/<path_to_submodule>

Of course the first 2 commands could be executed for multiple themes in the console and then make a single commit.

The downside is that we would need to init all theme submodules recursively locally (all 2GB) because otherwise it is impossible to get a comprehensive list of those themes that currently do not have a demo.

@digitalcraftsman I can send a PR that removes those themes that throw errors and don't have their Demo generated, but this will be done once I come back from my trip.

[FelicianoTech]

18 months was just a number, doesn't have to be specifically that.

Old themes are a problem and here's why.

Marketing / Public Perspective

Old themes look bad. It gives the wrong impression to new users that things in Hugo can be outdated, unmaintained, etc. Seeing themes reference Hugo v0.19 for example as far as what's supported or tested on looks bad.

Security

Many old themes are using old libraries, Particularly old versions of JavaScript libraries such as jQuery that will likely have security vulnerabilities.

For example, I checked out this repo and clones every single theme as well (my laptop wasn't happy). Then I ran grep -ri "jquery.min.js" . which showed that about 169 themes are using jQuery. Just to specifically call out one theme, Greyshade hasn't been updated since 2015 and is using jQuery v1.7.2. jQuery versions predating v3.0.0 all contain vulnerabilities. There's many more themes running old stuff.

I'm not saying that a recently updated theme means it's 100% safe, but the chances of newer software and less vulnerabilities goes way up.

Showcasing

Newer themes should also serve as a showcase. Older themes may use deprecated features or not even work and the build process just hasn't caught this. I know personally this has affected me many times when looking for a theme to use. It just doesn't work even though it's on the site.

As Hugo grows, there will forever be more themes. Showcasing good ones is important for an ecosystem.

---

Even if older themes weren't removed, I think it was be smart to downplay older themes and feature newer themes.

[onedrawingperday]

@FelicianoTech

You raise a lot of issues and I will try to be as brief as possible:

RE: Marketing / Public Perspective / Showcasing
Newer themes always go on top. They are rendered by lastmod.

I don't agree with your perspective about older themes. For example the Newsprint theme hasn't been updated since August 2017 but it still looks pretty good in my opinion and I just don't see why it should be removed/hidden/downplayed because it lists Hugo 0.25.1 as a minimum version. If its Demo didn't generate then that would be an issue but currently it works fine.

RE: Security
That is the more important issue you raise and this is something that the others need to think about.

In my opinion Hugo Themes with jQuery should not be accepted, but that also means that the number of themes in this repository will reduce dramatically.

Also funky JS loading mechanisms (e.g. Web Assembly, asm.js etc.) should not be permitted for security reasons.

Anyway I'll keep my eyes in this issue for any big policy changes.

[FelicianoTech]

@onedrawingperday If you click the download button for the Newsprint theme it 404s. That's the problem.

I don't know much about Web Assembly but jQuery and others are important for modern themes. Especially for static websites since there's no backend to do work. Browser side JavaScript becomes all the more important.

That jQuery CVE page you linked to is exactly what I was looking at when I mentioned security. We're literally on the same page there.

[onedrawingperday]

@FelicianoTech

It seems that the Newsprint theme lives here: https://github.com/SamWhited/newsprint

OK. I will try to notify the author here.

---

@SamWhited it seems that you have deleted your theme's Bitbucket repository. Furthermore you have closed the GitHub issue tracker for your theme and moved it to Soquee, but I am not opening an account there.

You really need to update your theme's toml to point to the correct theme repository. Please do this otherwise at some point we will have to remove your theme from the Hugo website. Also please have a look at the updated README for guidance regarding updating your theme.

Also this came up in the Forum today and it is relevant to your theme.

Thank you.

---

CC / @digitalcraftsman

[onedrawingperday]

jQuery and others are important for modern themes

It depends. But for the kind of functionality I see in Hugo Themes usually jQuery is not needed at all.

To be quite frank jQuery is a bit of a crutch for lazy people. It was useful once upon a time but in 2018 it's not important at all.

Anyway the above is my personal (harsh) opinion.

---

However the real reason I am proposing that we should not permit Hugo Themes with jQuery and WASM is security.

The way this repo is structured whenever the theme submodules are updated it is almost next to impossible to know what gets pushed.

Also this is a matter of trust between theme authors and users but as @FelicianoTech pointed out every jQuery version below v.3 is vulnerable and a lot of themes use the old and vulnerable versions of jQuery.

We simply cannot keep an eye on upcoming jQuery vulnerabilities ourselves and even if we do we would have to manually notify theme authors and tell them to upgrade their library and that is simply not possible.

However these security concerns about jQuery need to be addressed.

Regarding WASM as I posted above this technology introduces a new attack vector in the browser. There was at least one Hugo theme in the past that used this sort of thing. In my opinion this should also not be allowed.

CC / @bep @digitalcraftsman

[SamWhited]

You really need to update your theme's toml to point to the correct theme repository. Please do this otherwise at some point we will have to remove your theme from the Hugo website. Also please have a look at the updated README for guidance regarding updating your theme.

That's okay; I probably shouldn't have added it to the themes page repo since I don't really want to maintain anything outside my own theme repo. Thanks for letting me know.

EDIT: Oh, I see, this is something in my repo, not in the themes repo. Also fixed.

Also this came up in the Forum today and it is relevant to your theme.

Thanks for the heads up! I'll push a fix.

EDIT:

Also please have a look at the updated README for guidance regarding updating your theme.

I didn't really see any information in that readme to help me update my theme; is there something broken or something in particular you wanted me to do? Thanks.

[onedrawingperday]

I didn't really see any information in that readme to help me update my theme; is there something broken or something in particular you wanted me to do? Thanks.

Nothing seems broken. I only directed you to the updated README so that you can have a look to the new section about Common Permalink Issues. We have seen older themes being updated with newer Hugo features only to have their Demos broken. This was just a side note.

[onedrawingperday]

Ok... I had a cursory look at the Hugo themes that use jQuery and it seems that not permitting it at all would affect many high profile Hugo themes such as Academic etc. (It doesn't really help that frameworks such as Foundation and Bootstrap utilize jQuery.)

Anyway I will water down my proposal and suggest that Hugo Themes that depend on jQuery should use version 3.0 as a minimum. Any themes that use an older version of jQuery should be removed from the Hugo Themes Site because of the security vulnerabilities mentioned above.

If these themes are upgraded they could be submitted again.

---

@FelicianoTech It would help the others to decide what to do about the security concerns you raised if you could compile a list with the Hugo themes that use jQuery versions below v.3.0

I could do this myself but I am away at the moment and I don't have the time for this until next week.

[bep]

Please, please keep this discussion to the topic title: This is about age and not jquery versions. We have no current way of keeping track of the latter.

[onedrawingperday]

@bep @digitalcraftsman

Actually I think that the repository is becoming unmanageable because there are plenty of unmaintained themes that no longer have working demos. I understand that some of these themes are for older versions of Hugo but I think that a Hugo Theme that no longer has a working Demo generated for a while needs to be removed from the list.

If a theme author cares then they will notice the removal and work to have their theme added back again to the list.

[onedrawingperday]

Ok here is the definitive list so that you can view the extent of the problem.

Note: This comment will be updated as I check the status of each theme, that currently has no Demo.

---

Hugo Themes with no Demo Button

❌ Removed https://themes.gohugo.io/greyshade/ Unmaintained Last Update was on Jul 19, 2015

✔️ Whitelisted https://themes.gohugo.io/hugo-finite/ see all the details here

❌ Removed https://themes.gohugo.io/hugo-incorporated/ demo disabled Unmaintained Last Update was on Sep 22, 2016

❌ Removed https://themes.gohugo.io/hugo-sp-minimal/ Unmaintained Last Update was on Nov 16, 2016

❌ Removed https://themes.gohugo.io/simple-a/ Unmaintained Last Update was on Feb 16, 2017

❌ Removed https://themes.gohugo.io/hugo-theme-geppaku/ Unmaintained Last Update was on Feb 13, 2017 Opened masa0221/hugo-theme-geppaku#11 with a fix for the missing demo but I didn't get a reply.

❌ Removed https://themes.gohugo.io/hucore/ Unmaintained Last Update was on Jul 3, 2017 | 6 Open GitHub Issues | 6 Open Pull Requests

❌ Removed https://themes.gohugo.io/hemingway2/ Unmaintained Last Update was on Jul 31, 2017 | Wrong instructions in the README github should be gitlab (there is a 6 month old open issue about this)

❌ Removed https://themes.gohugo.io/hugo-smpl-theme/ demo disabled also see #311

❌ Removed https://themes.gohugo.io/bootstrap/ Unmaintained Last update was on Nov 9, 2017. Build Script ERROR: execute of template failed: template: _default/list.html:7:31: executing "_default/list.html" at <.Paginator.Pages>: undefined variable: $index

❌ Removed https://themes.gohugo.io/crisp/ Unmaintained Last update was on Nov 7, 2017. There is an open issue since March 20, 2018 about error calling Paginate: Paginators not supported for pages of type "page". This same ERROR breaks the theme's demo on the Hugo Themes website.

❌ Removed https://themes.gohugo.io/hugo-smorg/ Unmaintained Last update was on Apr 27, 2018. There is an open issue since the 3rd of September about a mediaTypes ERROR. This same ERROR breaks the demo on the Themes website.

❌ Removed https://themes.gohugo.io/tinyce/ Opened roperzh/tinyce-hugo-theme#22 with a fix but I didn't get a reply.

✔️ https://themes.gohugo.io/lanyon/ Demo Fixed tummychow/lanyon-hugo#25

✔️ https://themes.gohugo.io/hugo-now/ Demo Fixed see: mikeblum/hugo-now#4

❌ Removed https://themes.gohugo.io/internet-weblog/ Unmaintained Last update was on Feb 3, 2018. There is an unaddressed open issue since March 20, 2018 about the same ERROR that breaks this theme's demo on the website by throwing a panic.

✔️ https://themes.gohugo.io/hyde-hyde/ Demo Fixed See: htr3n/hyde-hyde#53

✔️ https://themes.gohugo.io/simplicity/ Demo Fixed See: eshlox/simplicity#8

✔️ https://themes.gohugo.io/hugo-nuo/ Demo Fixed see: laozhu/hugo-nuo#88

✔️ https://themes.gohugo.io/docdock/ Demo Fixed see: vjeantet/hugo-theme-docdock#169

✔️ https://themes.gohugo.io/reveal-hugo/ Demo Fixed see: joshed-io/reveal-hugo#11

✔️ https://themes.gohugo.io/bilberry-hugo-theme/ Fix in progress. See: Lednerb/bilberry-hugo-theme#148 (comment)

✔️ https://themes.gohugo.io/hugo-dream-plus/ Demo Fixed see: UtkarshVerma/hugo-dream-plus#50

✔️ PR Merged https://themes.gohugo.io/hugo-bare-min-theme/ was added to the Build Script's noDemo array. The lack of demo for this theme is due to #463

❌ Removed https://themes.gohugo.io/bleak/ Unmaintained This is a theme with multiple problems like missing assets and currently in its repo there are 13 unresolved GitHub Issues. This issue in particular stands out. Last theme update was on Jul 4,2018

❌ Removed https://themes.gohugo.io/aglaus/ The theme author has responded in the issues that I opened for his other 2 themes (solit and robust) that he no longer uses Hugo so this theme will also be removed.

❌ Removed https://themes.gohugo.io/hugo_theme_solit/ The author responded that he no longer uses Hugo and wishes to have the theme removed see: dim0627/hugo_theme_solit#9 (comment)

❌ Removed https://themes.gohugo.io/robust/ The author responded that he no longer uses Hugo and wishes to have the theme removed see: dim0627/hugo_theme_robust#37 (comment)

❌ Removed https://themes.gohugo.io/bluestnight/ This theme renders blank when I test it with the Hugo Basic Example. The Themes Build Script only throws WARN and no ERROR but still there is no Demo button. Also the author has shut down the theme's issue tracker (see: #473 )

❌ Removed https://themes.gohugo.io/hemingway/ may have its Demo generated but it is Unmaintained last update was on on Nov 11, 2016. Also this theme outputs invalid HTML. There is an unaddressed PR about this issue.

❌ Removed https://themes.gohugo.io/hugo-paper-now/ may have its Demo generated but everything renders blank. There is a long standing open issue in the theme repo about this problem, the theme author has replied that he won't fix this issue. Also this theme's last update was on on Dec 18, 2016.

The following themes also have broken demos they're by:

@digitalcraftsman
➖ Nothing to do https://themes.gohugo.io/hugo-alabaster-theme/ (I will not address this theme's broken demo since this is by the Hugo Themes maintainer)
➖ Nothing to do https://themes.gohugo.io/material-docs/ (same as above)

@spf13
➖ Nothing to do https://themes.gohugo.io/herring-cove/ (I will not address this theme's broken demo since it is by the creator of Hugo)

[digitalcraftsman]

➖ Nothing to do themes.gohugo.io/hugo-alabaster-theme (I will not address this theme's broken demo since this is by the Hugo Themes maintainer)
➖ Nothing to do themes.gohugo.io/material-docs (same as above)

Some of my themes didn't got much attention in the past. I eventually clean up my own mess as well, firstly, by removing my themes that are broken. I'll try to find some time to fix them.