[wp-hackers] Security at Wordpress
Elliotte Harold
elharo at metalab.unc.edu
Mon Apr 24 13:48:56 GMT 2006

Doug Stewart wrote:
> I don't know what your level of involvement with the WP Trac system has
> been thus far, but there is a lot of activity on it. Tickets routinely
> get attention within a day or so of their submission. If your changes
> are indeed beneficial, feature-complete, etc., there's a good chance
> that they will be incorporated.

So far they're small things that I need for my site. I see no chance any
of these would be adopted into the core code base. Some of them
shouldn't be.

> To withhold your actual code and attempt to force action by
> "threatening" a fork is pretty arrogant and against the principles of
> Open Source development, IMNSHO.

Forking is a core principle of open source development. One of the
reasons we write open source (better yet, free) software is precisely so
that developers who have different needs or who have different visions
can explore different options.

Since WordPress is wisely published under the GPL, any changes I publish
in any hypothetical fork will be freely available to the core developers
if they decide to incorporate them. Certainly if I discover any major
bugs I'll report them to the core. However, most of what I want to do are
changes that the core team have already explicitly rejected. (e.g.
cookie-free authentication, removing unsafe GETs, requiring PHP 5, etc.)

One problem I have with working on the main trunk is purely practical. I
am much more productive when using a source code control system of some
kind, be it CVS or Subversion. Since I'm not a committer on WordPress
(nor would I expect to be one), writing anything more than a trivial
patch requires me to set up my own repository starting from the current
head. Once I've done that, I'm 50% of the way to a fork anyhow.
--
Elliotte Rusty Harold elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim