[theme-reviewers] Where is the line?

Otto otto at ottodestruct.com
Sun Jun 26 21:00:02 UTC 2011

On Sat, Jun 25, 2011 at 8:57 PM, Bruce Wampler <brucewampler at gmail.com> wrote:
> So, out of curiosity, why is it OK for the standard WP media library loader
> to upload files and have them owned by apache and not the user? Why doesn't
> it insist on using FTP as necessary? Seriously, why not?

The media library has limitations built in. Try uploading a file type
it doesn't recognize, as a non-admin user.

> And in the big picture of the WP world, why have security issues taken over
> theme submission, when there are no controls whatsoever for plugins? The
> simple answer is that you have to start somewhere, but why are theme authors
> bearing the brunt of the issue?

Themes have a specific, defined goal. Plugins don't. Also, I didn't
create the theme review process. In fact, I started out hating it, but
I came around to improving it and making it not totally painful.

Look, I'm sorry you're not happy about this system, but it is what it is.

> Why do I have to spend hours and hours of my
> (volunteer) time to understand the confusing WP file library, and then
> rewriting hundreds of lines of perfectly good code that uses fopen handles
> in creative ways (like to easily switch between file output and "echo"
> output with the same code), when many of the most popular plugins are
> subject to absolutely no reviews or standards whatsoever? If security is
> such an issue, then I suggest at least a little energy be diverted to
> getting control of plugins.

Plugins are starting to be reviewed more, and things are happening on
that front. The fact that you don't see them doesn't mean they're not

