[theme-reviewers] Guidance on theme security

Edward Caissie edward.caissie at gmail.com
Wed Oct 20 15:00:15 UTC 2010


Something to keep in mind with the adoption of the current version of
WordPress is the stigmatism attached to a 'point-zero' release.

For the most part, the average user is easily swayed to believe that a
point-zero release is buggy and not a great idea to upgrade to so they wait
for the 'point-one' release.  I use the term "average user" for the simple
sake most users do not appreciate or understand the version numbering
process used in WordPress.

If I wasn't involved as much as I am I would likely also consider myself one
of those "average users" in thinking that 3.0 should be a wait and see
unless you enjoy using buggy software (BTW, I think a lot of the blame can
be attributed to nacin, or the good folk in that Washington state city
*grin* ).

I think once WP3.1 is released and given a (possibly short) reasonable
amount of time to be implemented we will start to see installations skewed
much more towards 3.0+ than what we are seeing now.

As to backward compatibility in the Theme repository, IMHO one full version
30-60 days after one full release is about as far as would be needed. That
gives authors the ability to address what needs to be changed (if anything)
and minimizes the impact on the Theme Review process. Of course, this is
related to the discussions that have been on-going for months regarding the
Theme repository in general.

On Wed, Oct 20, 2010 at 10:31 AM, Marty Martin <m at seoserpent.com> wrote:

> Great round up post also on the review process.  Nicely done.
>
> M
>
>
> On Wed, Oct 20, 2010 at 10:30 AM, Chip Bennett <chip at chipbennett.net> wrote:
>
>> It's definitely something that needs to be looked at in the future. I
>> don't imagine any immediate Guidelines revisions will result; as you'll
>> quickly discover: we use this list to kick around thoughts, ideas, and
>> concerns - some of which end up impacting the Guidelines, and some that
>> don't. :)
>>
>> Chip
>>
>>
>> On Wed, Oct 20, 2010 at 9:27 AM, Marty Martin <m at seoserpent.com> wrote:
>>
>>> Forgot to add, maybe tabling this for the next release would be a good
>>> idea and at that point, maybe 3.0 adoption will be higher.
>>>
>>> M
>>>
>>>
>>> On Wed, Oct 20, 2010 at 10:27 AM, Marty Martin <m at seoserpent.com> wrote:
>>>
>>>> I'm fine with themes being backward-compatible, I am just balking at us
>>>> (read: *me*) having to check it.  ;)
>>>>
>>>> Marty
>>>>
>>>>
>>>> On Wed, Oct 20, 2010 at 10:25 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>>
>>>>> Interestingly, the stats indicate:
>>>>>
>>>>> 3.0: 49.1%
>>>>> 2.9: 27.3%
>>>>> 2.8: 10.6%
>>>>>
>>>>> So, basically:
>>>>>
>>>>> 3.0: 50%
>>>>> 2.9+: 76%
>>>>> 2.8+: 87%
>>>>>
>>>>> That probably gives us a pretty good indication of where the overall
>>>>> userbase is.
>>>>>
>>>>> While I would *prefer* that we say *no* backward-compatibility, it is
>>>>> *reasonable* to allow backward-compatibility for up to one major
>>>>> revision, as it would cover 3/4 of the overall userbase.
>>>>>
>>>>> Of course, this is a strange release cycle, since we basically skipped
>>>>> an entire development cycle. So, maybe we revisit this after 3.1 and then
>>>>> again after 3.2?
>>>>>
>>>>> Chip
>>>>>
>>>>>
>>>>> On Wed, Oct 20, 2010 at 9:17 AM, Marty Martin <m at seoserpent.com> wrote:
>>>>>
>>>>>> Wait, other people use WordPress?  :P
>>>>>>
>>>>>> Yeah, I get what you're saying, but it's kind of like IE6
>>>>>> backward-compatibility.  At some point, you've just got to quit offering it.
>>>>>>  It's a process and security issue that we don't want to encourage.  I
>>>>>> understand that if I personally want to run Windows 3.11 on my machine, I
>>>>>> can, but I'm not going to be able to get the "latest and greatest" software
>>>>>> to run on it.
>>>>>>
>>>>>> I will join you in between this rock and hard place.  :D
>>>>>>
>>>>>> M
>>>>>>
>>>>>> On Wed, Oct 20, 2010 at 10:12 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>>>>
>>>>>>> Oh, in principle and in general, I agree. And, the official Theme
>>>>>>> Repository should not be encouraging users' procrastination in keeping their
>>>>>>> WP installs up-to-date.
>>>>>>>
>>>>>>> But, we're also, as a subset of the overall WP install base, much
>>>>>>> more likely to be early adopters of each new WP version. We do have to keep
>>>>>>> in mind that 50% of the WP install base is currently using pre-3.0 versions
>>>>>>> of WP.
>>>>>>>
>>>>>>> Personally, I would like to see Repository-hosted Themes have no
>>>>>>> backward compatibility prior to the current major version - and I would like
>>>>>>> to see Extend display "Requires" and "Tested Up To" tags like the ones
>>>>>>> displayed for Plugins. But, we have to balance our population-subset desires
>>>>>>> with the realities of the overall population.
>>>>>>>
>>>>>>> Chip
>>>>>>>
>>>>>>> On Wed, Oct 20, 2010 at 9:07 AM, Marty Martin <m at seoserpent.com> wrote:
>>>>>>>
>>>>>>>> Personally I don't give a crap if other users aren't upgrading their
>>>>>>>> WP, but upgrades to core happen for many reasons (security is a good one)
>>>>>>>> and there's not much point in releasing a theme for a version of WP you
>>>>>>>> can't (easily) get any more.  Plus, I don't want to have to deal with trying
>>>>>>>> to figure out if a theme is compatible with 2.9 when I run 3.0.1 on all of
>>>>>>>> my sites, including my theme checking site.  :o)
>>>>>>>>
>>>>>>>> My $0.02.
>>>>>>>>
>>>>>>>> Marty
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Oct 20, 2010 at 10:02 AM, Chip Bennett <
>>>>>>>> chip at chipbennett.net> wrote:
>>>>>>>>
>>>>>>>>> Perhaps we should indicate an allowable age of
>>>>>>>>> backward-compatibility support? What's the right answer here?
>>>>>>>>>
>>>>>>>>> 1) Themes must support current major WP version only (e.g. 3.0, not
>>>>>>>>> 2.9.x)
>>>>>>>>> 2) Themes may support a certain number of previous major WP
>>>>>>>>> versions (e.g. for 3.0, Themes may provide backward-compatibility for 2.9.x,
>>>>>>>>> or 2.8.x)
>>>>>>>>> 3) Themes may provide backward-compatibility as old as the
>>>>>>>>> Developer wishes to support
>>>>>>>>>
>>>>>>>>> I think One might be a bit restrictive, and difficult to enforce
>>>>>>>>> (WP 3.0 adoption is at just over 49%, 4 months after release), but certainly
>>>>>>>>> easiest on the Review Team. I think Three would be way too difficult to
>>>>>>>>> manage, and would end up causing nightmares for the automated checks (Theme
>>>>>>>>> Check and the Uploader Script), due to backward-compatibility support for
>>>>>>>>> deprecated functions. So, it would seem to me that Two is the most viable
>>>>>>>>> option.
>>>>>>>>>
>>>>>>>>> The question is: how far back?
>>>>>>>>>
>>>>>>>>> Chip
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Oct 20, 2010 at 8:28 AM, Gene Robinson <
>>>>>>>>> emhr at submersible.me> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> A quick draft item has been added to the Theme Review ...
>>>>>>>>>>
>>>>>>>>>> http://codex.wordpress.org/Theme_Review#Site_Information
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Looks good. I think it would be a service to theme developers to
>>>>>>>>>> state that bloginfo('url') is a wrapper for home('url') that provides
>>>>>>>>>> backward compatibility for versions < 3.0. Although an opposing argument
>>>>>>>>>> might view this as enabling people to hold out on upgrading WP.
>>>>>>>>>>
>>>>>>>>>> @Nacin - When you review Simply Works Core 1.3.3 <http://themes.trac.wordpress.org/ticket/1596>,
>>>>>>>>>> I'd appreciate your going-over my previous review's suggestions
>>>>>>>>>> <http://themes.trac.wordpress.org/ticket/1566>.
>>>>>>>>>>
>>>>>>>>>> -Gene (emhr)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> theme-reviewers mailing list
>>>>>>>>>> theme-reviewers at lists.wordpress.org
>>>>>>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>