[theme-reviewers] Guidance on theme security

Chip Bennett chip at chipbennett.net
Wed Oct 20 14:12:26 UTC 2010


Oh, in principle and in general, I agree. And, the official Theme Repository
should not be encouraging users' procrastination in keeping their WP
installs up-to-date.

But, we're also, as a subset of the overall WP install base, much more
likely to be early adopters of each new WP version. We do have to keep in
mind that 50% of the WP install base is currently using pre-3.0 versions of
WP.

Personally, I would like to see Repository-hosted Themes have no backward
compatibility prior to the current major version - and I would like to see
Extend display "Requires" and "Tested Up To" tags like the ones displayed
for Plugins. But, we have to balance our population-subset desires with the
realities of the overall population.

Chip

On Wed, Oct 20, 2010 at 9:07 AM, Marty Martin <m at seoserpent.com> wrote:

> Personally I don't give a crap if other users aren't upgrading their WP,
> but upgrades to core happen for many reasons (security is a good one) and
> there's not much point in releasing a theme for a version of WP you can't
> (easily) get any more.  Plus, I don't want to have to deal with trying to
> figure out if a theme is compatible with 2.9 when I run 3.0.1 on all of my
> sites, including my theme checking site.  :o)
>
> My $0.02.
>
> Marty
>
>
> On Wed, Oct 20, 2010 at 10:02 AM, Chip Bennett <chip at chipbennett.net> wrote:
>
>> Perhaps we should indicate an allowable age of backward-compatibility
>> support? What's the right answer here?
>>
>> 1) Themes must support current major WP version only (e.g. 3.0, not 2.9.x)
>> 2) Themes may support a certain number of previous major WP versions (e.g.
>> for 3.0, Themes may provide backward-compatibility for 2.9.x, or 2.8.x)
>> 3) Themes may provide backward-compatibility as old as the Developer
>> wishes to support
>>
>> I think One might be a bit restrictive, and difficult to enforce (WP 3.0
>> adoption is at just over 49%, 4 months after release), but certainly easiest
>> on the Review Team. I think Three would be way too difficult to manage, and
>> would end up causing nightmares for the automated checks (Theme Check and
>> the Uploader Script), due to backward-compatibility support for deprecated
>> functions. So, it would seem to me that Two is the most viable option.
>>
>> The question is: how far back?
>>
>> Chip
>>
>>
>> On Wed, Oct 20, 2010 at 8:28 AM, Gene Robinson <emhr at submersible.me> wrote:
>>
>>>
>>> A quick draft item has been added to the Theme Review ...
>>>
>>> http://codex.wordpress.org/Theme_Review#Site_Information
>>>
>>>
>>> Looks good. I think it would be a service to theme developers to state
>>> that bloginfo('url') is a wrapper for home('url') that provides backward
>>> compatibility for versions < 3.0. Although an opposing argument might view
>>> this as enabling people to hold out on upgrading WP.
>>>
>>> @Nacin - When you review Simply Works Core 1.3.3
>>> <http://themes.trac.wordpress.org/ticket/1596>, I'd appreciate your
>>> going over my previous review's suggestions
>>> <http://themes.trac.wordpress.org/ticket/1566>.
>>>
>>> -Gene (emhr)
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>>
>