[wp-forums] Security and Accountability

Vicki Frei vkaryl at localnet.com
Sat Mar 4 15:42:31 GMT 2006


Well, you're not going to get any disagreement or rebuttal from me, either of 
you.  I rather like Podz' suggestion to refer server stuff to the host... I DO 
know what I'm doing on my own account, but I am NOT comfortable advising other 
than files should remain 644, folders 755, and NOTHING world-writeable.

V

Scott Merrill wrote:
> Caution: inflammatory post follows.
> 
> Podz wrote:
>> There are many hosts with many setups and as such WordPress
>> documentation cannot cater for all - so it approaches this by catering
>> for none. It does this for the above reason and also for another - so WP
>> cannot be blamed.
>> The fault is pushed to the user.
>> Yet no page at wordpress.org carries any advice on permissions.
>> The readme.html with the package carries no advice on permissions.
>> Codex carries no specific advice on permissions.
> 
> I place the blame for this squarely on Matt's shoulders.
> 
> I wrote the bit about recommended file permissions.  My recommendation,
> absent any official information from the development team, was that the
> /wp-content/ directory be read-only, and specific sub-directories inside
> /wp-content/ have relaxed permissions on a case-by-case basis.  I
> recommended this in order to minimize the number of writable directories.
> 
> Those recommendations stayed in place, online, and linked to for a
> number of months.  It wasn't until the release of WP 2.0, with Matt's
> modified version of my wp-db-backup plugin, that Matt finally stated
> publicly that it was always his intention to have /wp-content/
> completely writable.  This was, as far as I can remember, the first time
> many (myself included) heard this news.
> 
> Not only do I disagree with the requirement for a writable /wp-content/,
> I disagree strongly with Matt's casual -- almost dismissive -- attitude
> regarding his involvement with the documentation.
> 
> I should point out, too, that I saw no effort from Matt to modify the
> official documentation for his project.  He merely criticized it in a
> trac comment, and left the documentation unmodified.  That's leadership
> for you.
> 
> I understand that writing code is more fun than writing docs.  But I
> feel that Matt, Ryan, and any other core developer has an _obligation_
> to provide proactive assistance with the finer points of documentation.
>  They know the code better than anyone else, and are _the_ authoritative
> body for questions or ambiguities.  That they choose to abdicate their
> responsibility explains a lot of the frustrations that have been
> percolating throughout the community.
> 
> Matt's living it up, going to conferences and glad-handing people, while
> the rest of us are left to struggle with confusing undocumented code,
> and to try to distill meaning from the madness for the other users who
> just want to use the damned thing.
> 
>> But sites either do not work because of permissions or are insecure
>> because of permissions. So they look to codex, they look to official
>> pages. And they find nothing because no-one will commit to writing
>> anything because they fear getting the blame.
> 
> It's not just a matter of blame, Podz.  It's a matter of competing
> interests.  Every time we try to write thorough documentation that
> addresses as many conflicting configurations as possible, we get slammed
> for making "confusing" documentation.
> 
> But Matt can sweep in and apply a new theme to the code which _breaks_ a
> lot of functionality, and renders complex pages completely useless,
> without so much as an "excuse me, please".
> 
> Rather than fix the codex (one mechanism of which would be to install a
> fresh MediaWiki installation into a new directory, and then manually
> copy-and-paste pages from old to new -- yes, we'd lose history, but we'd
> keep the damn docs usable), Matt wants to write a new plugin for
> WordPress to "solve" the problem.  This is perfectly acceptable from
> Matt's point of view, even though the documentation continues to suffer
> in the meantime.
> 
> But when others come along and volunteer to "solve" the problem of
> inline function references, Matt poo-poos the whole effort as a waste of
> time, saying instead that such documentation belongs on a publicly
> editable wiki.  Forgive me for not leaping to participate when the
> current wiki situation is abominable.
> 
>> But they ask in the forums don't they ?
>> They expect an answer from those of us there don't they ?
>> So devs and people who know all about perms and suchlike are content to
>> let forum helpers get it in the neck when things go wrong because they
>> won't write anything.
>> Nice.
> 
> The devs don't answer because they don't care.  The devs care about the
> fun stuff of writing code.  They care about making a revenue stream from
> all the ancillary services they've developed around WordPress:
> pingomatic, akismet, blicki, WordPress.com, and whatever other pokers
> Matt has in the fire.
> 
> My recent withdrawal from all things WordPress has helped put some things
> in perspective.  Matt and crew are poor project leaders.  Matt's
> egomaniacal Automattic stuff is hurting the WordPress community.  The
> code continues to grow hodge-podge without a clearly defined vision or
> roadmap being presented to would-be contributors.  Contributions that
> don't satisfy Matt's undocumented criteria are simply ignored.  Trac
> tickets are closed with terse "wontfix" messages, rather than useful
> explanations as to why it won't be fixed.
> 
> I would very much like to see WordPress thrive and succeed.  I would
> like for the autocratic development model to be relaxed.  I would like
> to read, and discuss, a plan for long-term development and vision.  I
> would like to see specific product release projections so that testing,
> documentation, and plugins can all be readied _prior_ to a release.  I
> would like to see contributions of all sorts being _encouraged_ rather
> than dismissed because they don't coincide with one person's particular
> preferences.  I would like to see infrastructure and site issues be
> dealt with in an open, responsive manner.
> 
> Basically, if Matt gets hit by the bus, much of WordPress's success is
> screwed.  It doesn't need to be that way.
> 
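An added audit script, not from this thread or from the WordPress project, that checks an install tree against the policy stated above (regular files 0644, directories 0755, nothing world-writable) and separately lists the group- or world-writable directories that make up the writable surface Scott's recommendation tries to minimize. The sample tree it builds is constructed for the demo; the script assumes a POSIX sh with standard find, sed and mktemp.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against "files 644, folders 755,
# NOTHING world-writeable". Uses only POSIX find/sed, so it runs on any host.

# Report every deviation, one per line, prefixed with the rule it breaks.
# Exit status: 0 clean, 1 violations found, 2 bad argument.
audit_perms() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    report=$( {
        # The absolute rule: anything with the other-write bit set.
        find "$root" -perm -0002 | sed 's|^|WORLD-WRITABLE |'
        # Files whose mode is not exactly 0644 (stricter modes such as 0600
        # are reported too, so a reviewer can confirm they are deliberate).
        find "$root" -type f ! -perm 0644 ! -perm -0002 | sed 's|^|FILE-NOT-644 |'
        # Directories whose mode is not exactly 0755.
        find "$root" -type d ! -perm 0755 ! -perm -0002 | sed 's|^|DIR-NOT-755 |'
    } | sort )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# List directories writable by group or other: the writable surface that a
# case-by-case policy should keep as small as possible.
writable_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \)
}

# Build a constructed sample install with two deliberate problems and one
# deliberately stricter file, then print its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/themes"
    printf 'x' > "$t/index.php"
    printf 'x' > "$t/wp-config.php"
    printf 'x' > "$t/wp-content/uploads/cache.tmp"
    chmod 0755 "$t" "$t/wp-content" "$t/wp-content/themes"
    chmod 0644 "$t/index.php"
    chmod 0600 "$t/wp-config.php"                 # stricter than 644: flagged for review
    chmod 0777 "$t/wp-content/uploads"            # world-writable directory: violation
    chmod 0666 "$t/wp-content/uploads/cache.tmp"  # world-writable file: violation
    echo "$t"
}

# Run against a real tree when a path is given: sh audit.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    audit_perms "$1"
fi
```

On the constructed tree the audit prints three lines (the 0600 wp-config.php, the 0777 uploads directory and the 0666 file inside it) and exits 1; writable_dirs lists only the uploads directory.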