[theme-reviewers] Where is the line?

Otto otto at ottodestruct.com
Sun Jun 26 21:00:02 UTC 2011


On Sat, Jun 25, 2011 at 8:57 PM, Bruce Wampler <brucewampler at gmail.com> wrote:
> So, out of curiosity, why is it OK for the standard WP media library loader
> to upload files and have them owned by apache and not the user. Why doesn't
> it insist on using FTP as necessary? Seriously, why not?

The media library has limitations built in. Try uploading a file type
it doesn't recognize, as a non-admin user.

> And in the big picture of the WP world, why have security issues taken over
> theme submission, when there are no controls whatsoever for plugins? The
> simple answer is that you have to start somewhere, but why are theme authors
> bearing the brunt of the issue?

Themes have a specific, defined, goal. Plugins don't. Also, I didn't
create the theme review process. In fact, I started out hating it, but
I came around to improving it and making it not totally painful.

Look, I'm sorry you're not happy about this system, but it is what it is.


> Why do I have to spend hours and hours of my
> (volunteer) time to understand the confusing WP file library, and then
> rewriting hundreds of lined of perfectly good code that uses fopen handles
> in creative ways (like to easily switch between file output and "echo"
> output with the same code), when many of the most popular plugins are
> subject to absolutely no reviews or standards whatsoever. If security is
> such an issue, then I suggest at least a little energy be diverted to
> getting control of plugins.

Plugins are starting to be reviewed more, and things are happening on
that front. The fact that you don't see them doesn't mean they're not
occurring.

-Otto


More information about the theme-reviewers mailing list