[wp-hackers] Plugin update & security / privacy
hovercrafter at earthlink.net
Mon Sep 24 21:42:37 GMT 2007
Very simple patch attached:
If option check_updates is not set then no checks will be done. The nag screen asks the user (with manage_options permission) to select if they would like this feature enabled or not. It links to the privacy options page (where I put the option). Selecting yes or no will make the nag go away. I didn't separate options for core and plugins. That can easily be 2.3.1 or 2.4, but this quick and simple patch should be easy to get into 2.3 and help curve any problems.
I also included a little paragraph under the option saying what will be sent to the server to insure full transparency.
>From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
>bounces at lists.automattic.com] On Behalf Of Computer Guru
>Sent: Monday, September 24, 2007 5:13 PM
>To: wp-hackers at lists.automattic.com
>Subject: RE: [wp-hackers] Plugin update & security / privacy
>> -----Original Message-----
>> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
>> bounces at lists.automattic.com] On Behalf Of Otto
>> Sent: Monday, September 24, 2007 11:58 PM
>> To: wp-hackers at lists.automattic.com
>> Subject: Re: [wp-hackers] Plugin update & security / privacy
>> I fail to grasp your argument. The reasons for the data being sent are
>> straightforward and obvious, to notify the blogger about upgrades
>> being available for both WordPress and plugins. With all the security
>> issues lately, and so many people bitchin' about WordPress having
>> security problems, then keeping people in the know about upgrades is
>> an important thing to do.
>I guess I mustn't have been very clear: I have no problem per-say with
>what's being sent, only how it's done and what's said about it.
>I'm sorry, but even notifying people about upgrades doesn't stop their
>installs from being insecure. The sheer number of posts on Planet and
>everywhere else aren’t that different from anything...
>And there are a million ways of doing this without sending any info
>(getting the remote version and *locally* comparing it and seeing if an
>update is needed), but that's not my point.
>My ONLY point is with the lack of a visible option to disable this
>functionality, and why someone seems to think it's OK for WP to do this
>silently and secretly and it's not for other
>companies/software/organizations. (and, no, just because you can name
>someone else that does it doesn't make it OK :-)
>wp-hackers mailing list
>wp-hackers at lists.automattic.com
More information about the wp-hackers