[wp-hackers] Plugin update & security / privacy

Otto otto at ottodestruct.com
Mon Sep 24 21:40:38 GMT 2007


On 9/24/07, Computer Guru <computerguru at neosmart.net> wrote:
> I'm sorry, but even notifying people about upgrades doesn't stop their installs from being insecure. The sheer number of posts on Planet and everywhere else aren't that different from anything...

Well, this is much more intrusive, for one thing. Also it's much more
specific. And it's considering plugins as well, which is nice, since a
lot of plugins were recently found to have security issues too.

> And there are a million ways of doing this without sending any info (getting the remote version and *locally* comparing it and seeing if an update is needed), but that's not my point.

Agreed, but Matt already addressed this in his thread, and I actually
agree with him on the reasoning there. It's possible to make it
smarter in one place instead of having to distribute your
intelligence. I tend to like having my servers do things too instead
of my clients. But that's just my opinion, of course.

> My ONLY point is with the lack of a visible option to disable this functionality, and why someone seems to think it's OK for WP to do this silently and secretly and it's not for other companies/software/organizations. (and, no, just because you can name someone else that does it doesn't make it OK :-)

I agree with the need for an option, but I'm inclined to say that the
lack of it is an oversight, not an evil conspiracy. The functionality
shows that it has other deficiencies as well, and I think that lack of
this is more because they wanted to get working functionality out the
door and start getting blogs upgraded and making them more secure.
WordPress has been receiving a *lot* of criticism for being insecure
lately, a lot of which is somewhat unfounded. Getting the installed
base up to date would relieve a lot of that.

Anyway, if that's all your reaction is to, then I'd say you're
over-reacting somewhat, or at least it seems that way when you put it
into ASCII. ;)

-Otto

