Just to set a couple of meaningful scope parameters:<div><br></div><div>1) This is the *Theme* review list, and the Theme Review Team is tasked with reviewing *Themes*. We are simple folk, and try to work within the boundaries of our commission. Thus, any question or statement that begins with, "But Plugins do/don't..." or "But why can/can't Plugins..." is going to be out of scope. We have zero control over the Plugin submission/approval process; and quite frankly, we have enough on our hands just dealing with Themes.</div>
<div><br></div><div>2) The fopen() question is above our pay grade. That decision goes higher up than the Theme Review Team members, and we merely enforce that decision. It has also been debated ad nauseum on this list already. Suffice it to say: at least until we get notice otherwise, that decision is not going to change.</div>
<div><br></div><div>I don't want to discount any of your questions or issues; however, I *do* want to help ensure that discussion continues in a productive direction.</div><div><br></div><div>Chip<br><br><div class="gmail_quote">
On Sat, Jun 25, 2011 at 8:57 PM, Bruce Wampler <span dir="ltr"><<a href="mailto:brucewampler@gmail.com">brucewampler@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I've read some comments that well implemented shared hosting sites don't have a problem with file ownership, which seems to be at the heart of the fopen issue.<br>
<br>
So, out of curiosity, why is it OK for the standard WP media library loader to upload files and have them owned by apache and not the user. Why doesn't it insist on using FTP as necessary? Seriously, why not?<br>
<br>
Why should themes be held to a higher standard than a fundamental part of WP - the media library?<br>
<br>
And in the big picture of the WP world, why have security issues taken over theme submission, when there are no controls whatsoever for plugins? The simple answer is that you have to start somewhere, but why are theme authors bearing the brunt of the issue? Why do I have to spend hours and hours of my (volunteer) time to understand the confusing WP file library, and then rewriting hundreds of lined of perfectly good code that uses fopen handles in creative ways (like to easily switch between file output and "echo" output with the same code), when many of the most popular plugins are subject to absolutely no reviews or standards whatsoever. If security is such an issue, then I suggest at least a little energy be diverted to getting control of plugins.<br>
<br>
-- <br>
-----------<br>
Bruce Wampler, Ph.D.<br>
<br>
Software developer<br>
Creator of first spelling checker for a PC<br>
Creator of Grammatik(tm), first true grammar checker<br>
e-mail: bw at <a href="http://brucewampler.com" target="_blank">brucewampler.com</a><br>
blog: <a href="http://brucewampler.wordpress.com" target="_blank">brucewampler.wordpress.com</a><br>
<br>
______________________________<u></u>_________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.<u></u>wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/<u></u>mailman/listinfo/theme-<u></u>reviewers</a><br>
</blockquote></div><br></div>