[wp-forums] Security and Accountability
Vicki Frei
vkaryl at localnet.com
Sat Mar 4 15:42:31 GMT 2006
Well, you're not going to get any disagreement or rebuttal from me, either of
you. I rather like Podz' suggestion to refer server stuff to the host... I DO
know what I'm doing on my own account, but I am NOT comfortable advising other
than files should remain 644, folders 755, and NOTHING world-writeable.
V
Scott Merrill wrote:
> Caution: inflammatory post follows.
>
> Podz wrote:
>> There are many hosts with many setups and as such WordPress
>> documentation cannot cater for all - so it approaches this by catering
>> for none. It does this for the above reason and also for another - so WP
>> cannot be blamed.
>> The fault is pushed to the user.
>> Yet no page at wordpress.org carries any advice on permissions.
>> The readme.html with the package carries no advice on permissions.
>> Codex carries no specific advice on permissions.
>
> I place the blame for this squarely on Matt's shoulders.
>
> I wrote the bit about recommended file permissions. My recommendation,
> absent any official information from the development team, was that the
> /wp-content/ directory be read-only, and specific sub-directories inside
> /wp-content/ have relaxed permissions on a case-by-case basis. I
> recommended this in order to minimize the number of writable directories.
>
> Those recommendations stayed in place, online, and linked to for a
> number of months. It wasn't until the release of WP 2.0, with Matt's
> modified version of my wp-db-backup plugin, that Matt finally stated
> publicly that it was always his intention to have /wp-content/
> completely writable. This was, as far as I can remember, the first time
> many (myself included) heard this news.
>
> Not only do I disagree with the requirement for a writable /wp-content/,
> I disagree strongly with Matt's casual -- almost dismissive -- attitude
> regarding his involvement with the documentation.
>
> I should point out, too, that I saw no effort from Matt to modify the
> official documentation for his project. He merely criticized it in a
> trac comment, and left the documentation unmodified. That's leadership
> for you.
>
> I understand that writing code is more fun than writing docs. But I
> feel that Matt, Ryan, and any other core developer has an _obligation_
> to provide proactive assistance with the finer points of documentation.
> They know the code better than anyone else, and are _the_ authoritative
> body for questions or ambiguities. That they choose to abdicate their
> responsibility explains a lot of the frustrations that have been
> percolating throughout the community.
>
> Matt's living it up, going to conferences and glad-handing people, while
> the rest of us are left to struggle with confusing undocumented code,
> and to try to distill meaning from the madness for the other users who
> just want to use the damned thing.
>
>> But sites either do not work because of permissions or are insecure
>> because of permissions. So they look to codex, they look to official
>> pages. And they find nothing because no-one will commit to writing
>> anything because they fear getting the blame.
>
> It's not just a matter of blame, Podz. It's a matter of competing
> interests. Every time we try to write thorough documentation that
> addresses as many conflicting configurations as possible, we get slammed
> for making "confusing" documentation.
>
> But Matt can sweep in and apply a new theme to the code which _breaks_ a
> lot of functionality, and renders complex pages completely useless,
> without so much as an "excuse me, please".
>
> Rather than fix the codex (one mechanism of which would be to install a
> fresh MediaWiki installation into a new directory, and then manually
> copy-and-paste pages from old to new -- yes, we'd lose history, but we'd
> keep the damn docs usable), Matt wants to write a new plugin for
> WordPress to "solve" the problem. This is perfectly acceptable from
> Matt's point of view, even though the documentation continues to suffer
> in the meantime.
>
> But when others come along and volunteer to "solve" the problem of
> inline function references, Matt poo-poos the whole effort as a waste of
> time, saying instead that such documentation belongs on a publicly
> editable wiki. Forgive me for not leaping to participate when the
> current wiki situation is abominable.
>
>> But they ask in the forums don't they ?
>> They expect an answer from those of us there don't they ?
>> So devs and people who know all about perms and suchlike are content to
>> let forum helpers get it in the neck when things go wrong because they
>> won't write anything.
>> Nice.
>
> The devs don't answer because they don't care. The devs care about the
> fun stuff of writing code. They care about making a revenue stream from
> all the ancillary services they've developed around WordPress:
> pingomatic, akismet, blicki, WordPress.com, and whatever other pokers
> Matt has in the fire.
>
> My recent withdrawal from all things WordPress has helped put some things
> in perspective. Matt and crew are poor project leaders. Matt's
> egomaniacal Automattic stuff is hurting the WordPress community. The
> code continues to grow hodge-podge without a clearly defined vision or
> roadmap being presented to would-be contributors. Contributions that
> don't satisfy Matt's undocumented criteria are simply ignored. Trac
> tickets are closed with terse "wontfix" messages, rather than useful
> explanations as to why it won't be fixed.
>
> I would very much like to see WordPress thrive and succeed. I would
> like for the autocratic development model to be relaxed. I would like
> to read, and discuss, a plan for long-term development and vision. I
> would like to see specific product release projections so that testing,
> documentation, and plugins can all be readied _prior_ to a release. I
> would like to see contributions of all sorts being _encouraged_ rather
> than dismissed because they don't coincide with one person's particular
> preferences. I would like to see infrastructure and site issues be
> dealt with in an open, responsive manner.
>
> Basically, if Matt gets hit by the bus, much of WordPress's success is
> screwed. It doesn't need to be that way.
>
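As an added example, not part of this thread and not WordPress's own tooling, the POSIX shell script below turns the baseline Vicki states (files 644, directories 755, nothing world-writable) and Scott's point about keeping the number of writable directories under /wp-content/ to a reviewed minimum into something an admin can run against a document root. It audits for world-writable entries, lists every writable directory under wp-content so each one can be justified, and applies the baseline. The sample tree it builds under mktemp, and the file names in it, are constructed for the demo and are assumptions, not a real install.

```shell
#!/bin/sh
# Added example: audit a WordPress document root against the baseline from
# the thread (files 644, directories 755, nothing world-writable) and report
# which directories under wp-content/ are writable at all, so that each one
# can be justified case by case. The sample tree below is constructed under
# mktemp and the file names in it are assumptions, not a real install.

# Print every path under $1 that is world-writable (the "other" write bit set).
find_world_writable() {
    find "$1" -perm -002 -print
}

# Count world-writable entries under $1 (used by the checks that follow).
count_world_writable() {
    find "$1" -perm -002 -print | wc -l | tr -d ' '
}

# Print directories under $1/wp-content that are group- or world-writable;
# each one listed should correspond to a deliberate, documented exception.
list_writable_content_dirs() {
    find "$1/wp-content" -type d \( -perm -020 -o -perm -002 \) -print
}

# Apply the baseline: directories 755, regular files 644.
apply_baseline() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample tree with deliberately loose permissions.
# Runs in a subshell via $(...), so the umask change does not leak out.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
    printf '<?php\n' > "$root/wp-config.php"
    printf '<?php\n' > "$root/wp-content/plugins/demo/demo.php"
    : > "$root/wp-content/uploads/image.jpg"
    chmod 777 "$root/wp-content/uploads"                # world-writable directory
    chmod 666 "$root/wp-config.php"                     # world-writable config
    chmod 777 "$root/wp-content/plugins/demo/demo.php"  # world-writable code
    printf '%s\n' "$root"
}

# Audit the sample tree, fix it, and audit again.
demo() {
    root=$(make_sample_tree)
    echo "== world-writable before =="
    find_world_writable "$root"
    echo "== writable directories under wp-content before =="
    list_writable_content_dirs "$root"
    apply_baseline "$root"
    echo "== world-writable after (expect nothing) =="
    find_world_writable "$root"
    rm -rf "$root"
}

demo
```

To audit a real install, call find_world_writable and list_writable_content_dirs with the document root instead of the sample tree, review the second list before applying anything, and only then run apply_baseline; any directory that genuinely has to stay writable (an uploads directory, say) is re-relaxed afterwards as a recorded exception rather than left at whatever the installer happened to produce.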