[theme-reviewers] Guidance on theme security

Chip Bennett chip at chipbennett.net
Wed Oct 20 14:30:27 UTC 2010


It's definitely something that needs to be looked at in the future. I don't
imagine any immediate Guidelines revisions will result; as you'll quickly
discover: we use this list to kick around thoughts, ideas, and concerns -
some of which end up impacting the Guidelines, and some that don't. :)

Chip

On Wed, Oct 20, 2010 at 9:27 AM, Marty Martin <m at seoserpent.com> wrote:

> Forgot to add, maybe tabling this for the next release would be a good idea
> and at that point, maybe 3.0 adoption will be higher.
>
> M
>
>
> On Wed, Oct 20, 2010 at 10:27 AM, Marty Martin <m at seoserpent.com> wrote:
>
>> I'm fine with themes being backward-compatible, I am just balking at us
>> (read: *me*) having to check it.  ;)
>>
>> Marty
>>
>>
>> On Wed, Oct 20, 2010 at 10:25 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>
>>> Interestingly, the stats indicate:
>>>
>>> 3.0: 49.1%
>>> 2.9: 27.3%
>>> 2.8: 10.6%
>>>
>>> So, basically:
>>>
>>> 3.0: 50%
>>> 2.9+: 76%
>>> 2.8+: 87%
>>>
>>> That probably gives us a pretty good indication of where the overall
>>> userbase is.
>>>
>>> While I would *prefer* that we say *no* backward-compatibility, it is
>>> *reasonable* to allow backward-compatibility for up to one major revision, as it
>>> would cover 3/4 of the overall userbase.
>>>
>>> Of course, this is a strange release cycle, since we basically skipped an
>>> entire development cycle. So, maybe we revisit this after 3.1 and then again
>>> after 3.2?
>>>
>>> Chip
>>>
>>>
>>> On Wed, Oct 20, 2010 at 9:17 AM, Marty Martin <m at seoserpent.com> wrote:
>>>
>>>> Wait, other people use WordPress?  :P
>>>>
>>>> Yeah, I get what you're saying, but it's kind of like IE6
>>>> backward-compatibility.  At some point, you've just got to quit offering it.
>>>>  It's a process and security issue that we don't want to encourage.  I
>>>> understand that if I personally want to run Windows 3.11 on my machine, I
>>>> can, but I'm not going to be able to get the "latest and greatest" software
>>>> to run on it.
>>>>
>>>> I will join you in between this rock and hard place.  :D
>>>>
>>>> M
>>>>
>>>> On Wed, Oct 20, 2010 at 10:12 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>>
>>>>> Oh, in principle and in general, I agree. And, the official Theme
>>>>> Repository should not be encouraging users' procrastination in keeping their
>>>>> WP installs up-to-date.
>>>>>
>>>>> But, we're also, as a subset of the overall WP install base, much more
>>>>> likely to be early adopters of each new WP version. We do have to keep in
>>>>> mind that 50% of the WP install base is currently using pre-3.0 versions of
>>>>> WP.
>>>>>
>>>>> Personally, I would like to see Repository-hosted Themes have no
>>>>> backward compatibility prior to the current major version - and I would like
>>>>> to see Extend display "Requires" and "Tested Up To" tags like the ones
>>>>> displayed for Plugins. But, we have to balance our population-subset desires
>>>>> with the realities of the overall population.
>>>>>
>>>>> Chip
>>>>>
>>>>> On Wed, Oct 20, 2010 at 9:07 AM, Marty Martin <m at seoserpent.com> wrote:
>>>>>
>>>>>> Personally I don't give a crap if other users aren't upgrading their
>>>>>> WP, but upgrades to core happen for many reasons (security is a good one)
>>>>>> and there's not much point in releasing a theme for a version of WP you
>>>>>> can't (easily) get any more.  Plus, I don't want to have to deal with trying
>>>>>> to figure out if a theme is compatible with 2.9 when I run 3.0.1 on all of
>>>>>> my sites, including my theme checking site.  :o)
>>>>>>
>>>>>> My $0.02.
>>>>>>
>>>>>> Marty
>>>>>>
>>>>>>
>>>>>> On Wed, Oct 20, 2010 at 10:02 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>>>>
>>>>>>> Perhaps we should indicate an allowable age of backward-compatibility
>>>>>>> support? What's the right answer here?
>>>>>>>
>>>>>>> 1) Themes must support current major WP version only (e.g. 3.0, not
>>>>>>> 2.9.x)
>>>>>>> 2) Themes may support a certain number of previous major WP versions
>>>>>>> (e.g. for 3.0, Themes may provide backward-compatibility for 2.9.x, or
>>>>>>> 2.8.x)
>>>>>>> 3) Themes may provide backward-compatibility as old as the Developer
>>>>>>> wishes to support
>>>>>>>
>>>>>>> I think One might be a bit restrictive, and difficult to enforce (WP
>>>>>>> 3.0 adoption is at just over 49%, 4 months after release), but certainly
>>>>>>> easiest on the Review Team. I think Three would be way too difficult to
>>>>>>> manage, and would end up causing nightmares for the automated checks (Theme
>>>>>>> Check and the Uploader Script), due to backward-compatibility support for
>>>>>>> deprecated functions. So, it would seem to me that Two is the most viable
>>>>>>> option.
>>>>>>>
>>>>>>> The question is: how far back?
>>>>>>>
>>>>>>> Chip
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Oct 20, 2010 at 8:28 AM, Gene Robinson <emhr at submersible.me> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> A quick draft item has been added to the Theme Review ...
>>>>>>>>
>>>>>>>> http://codex.wordpress.org/Theme_Review#Site_Information
>>>>>>>>
>>>>>>>>
>>>>>>>> Looks good. I think it would be a service to theme developers to
>>>>>>>> state that bloginfo('url') is a wrapper for home('url') that provides
>>>>>>>> backward compatibility for versions < 3.0. Although an opposing argument
>>>>>>>> might view this as enabling people to hold out on upgrading WP.
>>>>>>>>
>>>>>>>> @Nacin - When you review Simply Works Core 1.3.3
>>>>>>>> <http://themes.trac.wordpress.org/ticket/1596>, I'd appreciate your
>>>>>>>> going-over my previous review's suggestions
>>>>>>>> <http://themes.trac.wordpress.org/ticket/1566>.
>>>>>>>>
>>>>>>>> -Gene (emhr)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> theme-reviewers mailing list
>>>>>>>> theme-reviewers at lists.wordpress.org
>>>>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>