[theme-reviewers] Simple-Blue-Dashed 1.0

chip at chipbennett.net chip at chipbennett.net
Fri Jun 11 17:11:35 UTC 2010


Three thoughts:

1) I think the General review should go first, and the theme cleaned up as
appropriate, before it is reviewed for security. In order for an effective
security review, a theme needs to be as standards-compliant as possible,
with as efficient code as possible. Otherwise, the security-related
needles get harder and harder to find in the haystack.

2) Would having three separate teams negatively impact Joseph's goal of
completing theme review within 24 hours? Would the benefits of such
approach outweigh the benefits of theme turnaround in 24 hours? (I think
yes - within reason, of course.)

3) I really like the division-of-labor approach that could, ideally, suit
each person's best skills to the tasks at hand (while also providing some
cross-training opportunities). I would love to focus on "General" review,
while learning what I can from the Security and Design teams' reviews, if
we decide to go that route.

Cheers,
Chip


> Hi Chip,
>
> That's not a bad idea at all you know ... Maybe we should split each
> part of the review of each theme into different groups, and each Theme
> review passes from one group to the next.
>
> 1st) Theme must pass security team review with no major fails, then
> passes onto General;
>
> 2nd) Theme must pass functionality team with no major fails, then passes
> onto CrossBrowser/HTML/CSS testing;
>
> 3rd) Theme must pass browser team browser testing to reasonable levels
> (saw Tim Golen mention this a minute ago, personally I think this falls
> under "technical" rather than "design" - there are plenty of standards
> for this already defined).
>
> 4th) If at this point the total number of "advisories/minors" is below
> X, the theme gets approved.
>
> If one of the groups finds anything critical along the way the author is
> advised once that groups "checking" is complete, and theme doesn't get
> passed onto the next group. This saves everyone in every group testing
> everything twice, just because of a security fail.
>
> Then, all the volunteers who've offered here recently can decide what
> team their skills best fit into, and be put to best use. I know some
> people here would prefer to test cross-browser than security, and
> vice-versa of course.
>
> Gav
> //gavinpearce.com
>
>
> -----Original Message-----
> From: theme-reviewers-bounces at lists.wordpress.org
> [mailto:theme-reviewers-bounces at lists.wordpress.org] On Behalf Of
> chip at chipbennett.net
> Sent: 11 June 2010 17:50
> To: theme-reviewers at lists.wordpress.org
> Subject: Re: [theme-reviewers] Simple-Blue-Dashed 1.0
>
>> Security is a big item, themes mis-use any external data ($_GET,
>> $_POST, $_REQUEST, $_COOKIE, $_SERVER) must be addressed, no two ways
>> about it.  Direct DB queries must properly escape data in the query
>> (and if there is a WP function to do the same thing the direct DB
>> query should be replaced with the function call).  Those are the
>> basic, *minimum* things that every theme needs to address security
>> wise.
>
> For those of us who are less-than-expert in the SQL aspects of theme
> reviewing, can those who are more adept create a reasonably
> easy-to-follow
> security checklist?
>
> Or, maybe we should have some security-ninja theme reviewers, who can
> focus on the security aspects of themes? If so, we could divy up the
> review work, such that security concerns are handled separately - after
> the theme is initially reviewed (and cleaned up, if necessary) based on
> the "normal" criteria?
>
>> Sometimes the theme author just isn't aware of specific functions or
>> services in WordPress, so some hints and reference URLs for more info
>> are helpful there.
>
> Agreed. I tried to add in Codex references, where appropriate, in my
> first
> review.
>
> Speaking of which: the Theme Development Checklist entry in the Codex is
> sorely in need of cross-referencing to Codex entries for functions,
> template tags, and hooks/filters.
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>




More information about the theme-reviewers mailing list