[theme-reviewers] Guidance on theme security
Marty Martin
m at seoserpent.com
Wed Oct 20 14:31:54 UTC 2010
Great round up post also on the review process. Nicely done.
M
On Wed, Oct 20, 2010 at 10:30 AM, Chip Bennett <chip at chipbennett.net> wrote:
> It's definitely something that needs to be looked at in the future. I don't
> imagine any immediate Guidelines revisions will result; as you'll quickly
> discover: we use this list to kick around thoughts, ideas, and concerns -
> some of which end up impacting the Guidelines, and some that don't. :)
>
> Chip
>
>
> On Wed, Oct 20, 2010 at 9:27 AM, Marty Martin <m at seoserpent.com> wrote:
>
>> Forgot to add, maybe tabling this for the next release would be a good
>> idea and at that point, maybe 3.0 adoption will be higher.
>>
>> M
>>
>>
>> On Wed, Oct 20, 2010 at 10:27 AM, Marty Martin <m at seoserpent.com> wrote:
>>
>>> I'm fine with themes being backward-compatible, I am just balking at us
>>> (read: *me*) having to check it. ;)
>>>
>>> Marty
>>>
>>>
>>> On Wed, Oct 20, 2010 at 10:25 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>
>>>> Interestingly, the stats indicate:
>>>>
>>>> 3.0: 49.1%
>>>> 2.9: 27.3%
>>>> 2.8: 10.6%
>>>>
>>>> So, basically:
>>>>
>>>> 3.0: 50%
>>>> 2.9+: 76%
>>>> 2.8+: 87%
>>>>
>>>> That probably gives us a pretty good indication of where the overall
>>>> userbase is.
>>>>
>>>> While I would *prefer* that we say *no* backward-compatibility, it is
>>>> *reasonable* to allow backward-compatibility for up to one major revision,
>>>> as it would cover 3/4 of the overall userbase.
>>>>
>>>> Of course, this is a strange release cycle, since we basically skipped
>>>> an entire development cycle. So, maybe we revisit this after 3.1 and then
>>>> again after 3.2?
>>>>
>>>> Chip
>>>>
>>>>
>>>> On Wed, Oct 20, 2010 at 9:17 AM, Marty Martin <m at seoserpent.com> wrote:
>>>>
>>>>> Wait, other people use WordPress? :P
>>>>>
>>>>> Yeah, I get what you're saying, but it's kind of like IE6
>>>>> backward-compatibility. At some point, you've just got to quit offering it.
>>>>> It's a process and security issue that we don't want to encourage. I
>>>>> understand that if I personally want to run Windows 3.11 on my machine, I
>>>>> can, but I'm not going to be able to get the "latest and greatest" software
>>>>> to run on it.
>>>>>
>>>>> I will join you in between this rock and hard place. :D
>>>>>
>>>>> M
>>>>>
>>>>> On Wed, Oct 20, 2010 at 10:12 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>>>
>>>>>> Oh, in principle and in general, I agree. And, the official Theme
>>>>>> Repository should not be encouraging users' procrastination in keeping their
>>>>>> WP installs up-to-date.
>>>>>>
>>>>>> But, we're also, as a subset of the overall WP install base, much more
>>>>>> likely to be early adopters of each new WP version. We do have to keep in
>>>>>> mind that 50% of the WP install base is currently using pre-3.0 versions of
>>>>>> WP.
>>>>>>
>>>>>> Personally, I would like to see Repository-hosted Themes have no
>>>>>> backward compatibility prior to the current major version - and I would like
>>>>>> to see Extend display "Requires" and "Tested Up To" tags like the ones
>>>>>> displayed for Plugins. But, we have to balance our population-subset desires
>>>>>> with the realities of the overall population.
>>>>>>
>>>>>> Chip
>>>>>>
>>>>>> On Wed, Oct 20, 2010 at 9:07 AM, Marty Martin <m at seoserpent.com> wrote:
>>>>>>
>>>>>>> Personally I don't give a crap if other users aren't upgrading their
>>>>>>> WP, but upgrades to core happen for many reasons (security is a good one)
>>>>>>> and there's not much point in releasing a theme for a version of WP you
>>>>>>> can't (easily) get any more. Plus, I don't want to have to deal with trying
>>>>>>> to figure out if a theme is compatible with 2.9 when I run 3.0.1 on all of
>>>>>>> my sites, including my theme checking site. :o)
>>>>>>>
>>>>>>> My $0.02.
>>>>>>>
>>>>>>> Marty
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Oct 20, 2010 at 10:02 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>>>>>
>>>>>>>> Perhaps we should indicate an allowable age of
>>>>>>>> backward-compatibility support? What's the right answer here?
>>>>>>>>
>>>>>>>> 1) Themes must support current major WP version only (e.g. 3.0, not
>>>>>>>> 2.9.x)
>>>>>>>> 2) Themes may support a certain number of previous major WP versions
>>>>>>>> (e.g. for 3.0, Themes may provide backward-compatibility for 2.9.x, or
>>>>>>>> 2.8.x)
>>>>>>>> 3) Themes may provide backward-compatibility as old as the Developer
>>>>>>>> wishes to support
>>>>>>>>
>>>>>>>> I think One might be a bit restrictive, and difficult to enforce (WP
>>>>>>>> 3.0 adoption is at just over 49%, 4 months after release), but certainly
>>>>>>>> easiest on the Review Team. I think Three would be way too difficult to
>>>>>>>> manage, and would end up causing nightmares for the automated checks (Theme
>>>>>>>> Check and the Uploader Script), due to backward-compatibility support for
>>>>>>>> deprecated functions. So, it would seem to me that Two is the most viable
>>>>>>>> option.
>>>>>>>>
>>>>>>>> The question is: how far back?
>>>>>>>>
>>>>>>>> Chip
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Oct 20, 2010 at 8:28 AM, Gene Robinson <emhr at submersible.me> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> A quick draft item has been added to the Theme Review ...
>>>>>>>>>
>>>>>>>>> http://codex.wordpress.org/Theme_Review#Site_Information
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Looks good. I think it would be a service to theme developers to
>>>>>>>>> state that bloginfo('url') is a wrapper for home('url') that provides
>>>>>>>>> backward compatibility for versions < 3.0. Although an opposing argument
>>>>>>>>> might view this as enabling people to hold out on upgrading WP.
>>>>>>>>>
>>>>>>>>> @Nacin - When you review Simply Works Core 1.3.3
>>>>>>>>> <http://themes.trac.wordpress.org/ticket/1596>, I'd appreciate your
>>>>>>>>> going-over my previous review's suggestions
>>>>>>>>> <http://themes.trac.wordpress.org/ticket/1566>.
>>>>>>>>>
>>>>>>>>> -Gene (emhr)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> theme-reviewers mailing list
>>>>>>>>> theme-reviewers at lists.wordpress.org
>>>>>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>>>>>
>>>>>>>>>