[wp-hackers] Richer metadata for plugin versions
david at wordshell.net
Wed Jul 11 20:14:20 UTC 2012
> I'm just saying that it's a bad idea to suggest that not-updating is a
> viable strategy. If you don't want to update, then fine, but also be
> aware of the consequences as well.
> It's better to update than to not-update and become increasingly
> behind and increasingly insecure. The time between exploits becoming
> public and those exploits being actively used for evil is as close to
> zero as you can imagine.
I think this is an argument *for* the extra meta-data. Personally I was
imagining choosing between "update now" and "update in 3 or 4 days time
when the early adopters have done some testing for me". If the plugin
update is marked as a security update, then that gives me extra
information to persuade me to upgrade *sooner* rather than later.
"This is a security update" has other uses too. If such meta-data were
made compulsory, then it would greatly help hosting companies. They
could auto-inform their clients of insecure sites. They could offer them
commercial update services. They could complete audits with a reasonable
level of assurance.
Here's a way to make them compulsory - have two tags in the readme.txt,
"Secure versions" and "Insecure versions". The plugin author would have
to list every version in one of the two. An unlisted version would not
be offered up by the WordPress plugins directory (and insecure ones
could be removed or made harder to reach).
At present, the meta-data can only help you answer the question "am I
running the highest-numbered version?" But "highest numbered" and "best
for me" are not identical questions. "Don't fix what is not broken" is
good advice. Adding security information would be a big step forward IMO
so that you can actually know whether something is broken.
WordShell - WordPress fast from the CLI - www.wordshell.net
More information about the wp-hackers