[wp-hackers] WordPress plugin inspections
Harry Metcalfe
harry at dxw.com
Thu Feb 20 09:08:15 UTC 2014
Hi Casey,
Thanks for the feedback and questions.
Really good point about the comments - inspections are a manual process
and I would hope we would notice any comments like that and take them
into account. We haven't spotted many yet though! Generally the comments
are along the lines of "// TODO: I know this is bad but I'll fix it
later" :)
On those requests:
Filing bugs is something we'd love to be able to do, but I just don't
think it's practical for us. An inspection is a very time-limited thing
and it doesn't usually result in enough information for a good bug
report. If we find something that's definitely vulnerable, we do
generally write an advisory and report that, either directly or via
plugins at wordpress.org. We would also like to be able to notify plugin
authors, but for it to be practical, it would have to be automatic. We
can't automatically email authors as WordPress.org (entirely reasonably)
does not publicise author email addresses. I suppose we could put a
robot post on the plugin forum, but that seems... questionable. What do
you think?
Of course, we do want to keep everything as up to date as we can.
Unfortunately we don't have nearly the time to be able to monitor all
the inspections for updated versions and check them again proactively.
Inspections will get updated if a client asks us to review an updated
version. We do currently always do an updated inspection if the author
drops us a note to ask for one, but that is a bit dependent on our
availability - I can't guarantee we'll always be able to. But certainly
for now, if you have a new version, send an email to contact at dxw.com
with the details, and we'll have a look.
Cheers,
Harry
On 20/02/2014 05:01, Casey Bisson wrote:
> Harry,
>
> Criticism is hard to take, but important for improvement.
>
> Now that I’ve learned of your reviews, I’m anxious to find out if your team has reviewed any of my plugins, and what issues that might have uncovered.
>
> Because I’m not the only one who has to read my code, and pull requests or patches make my day, I know how important it is to make my code easy to read and use consistent style.
>
> I have no idea who the reviewers are, or what their skills might be, but it’s probably fair that code that might be questionable to them is worth looking at on my part. If I’ve got a really good reason to do something that raises flags for others, then that’s a really good reason to put comments in the code explaining it. That’s especially true for security and performance issues.
>
> Two requests:
>
> * Consider filing bugs. Just a generic bug with a link to the review so I’d be aware of it would be great. Most of my plugins are in Github, https://github.com/misterbisson?tab=repositories (the others are sort of abandoned by now).
>
> * If I update my plugin to address the issues, are you willing to review the updates in a reasonable time and update the public review?
>
> Thank you,
>
> —Casey
>
>
>
> On Feb 19, 2014, at 10:43 AM, Harry Metcalfe <harry at dxw.com> wrote:
>
>> Hello list,
>>
>> We write and publish light-touch inspections of WordPress plugins that we do for our clients. They are just a guide - we conduct some basic checks, not a thorough review.
>>
>> Would plugins which fail this inspection be of general interest to the list and therefore worth posting? Is the list also interested in vulnerability advisories, or do people tend to get those elsewhere?
>>
>> Here's an example report:
>>
>> https://security.dxw.com/plugins/pods-custom-content-types-and-fields/
>>
>> Grateful for a steer...
>>
>> Harry
>>
>>
>> --
>> Harry Metcalfe
>> 07790 559 876
>> @harrym
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers