[wp-meta] [Making WordPress.org] #286: Setup SVN pre-commit hooks to enforce plugin guidelines

Making WordPress.org noreply at wordpress.org
Mon Jan 20 22:16:51 UTC 2014

#286: Setup SVN pre-commit hooks to enforce plugin guidelines
  Reporter:  iandunn      |      Owner:
      Type:  enhancement  |     Status:  new
  Priority:  normal       |  Component:  Plugins Directory
Resolution:               |   Keywords:

Comment (by Otto42):

 We actually already have a commit hook to scan for certain types of things
 like eval and base64 and such. It emails me, @nacin, and @duck_, I

 The number of false positives is so large as to almost make it not worth
 the effort. Almost. I've found a few things there, but most of it is fine.
 Take a simple "base64" example. There exist APIs which actually use
 variants of base64 in them (Facebook, for one), and thus it's not malware
 all the time. And actual malware is better at hiding "base64" calls than
 you would  believe. We actually have better luck at scanning for gibberish
 which looks like encoded code.

 As for people purchasing plugins and then adding "stuff" to them, this has
 already occurred several times. In a few cases, we've removed them because
 of said stuff, and in other cases, the stuff was not particularly
 objectionable. In at least one case, the problem solved itself by somebody
 taking the previous code and forking it to a new name and developing it
 further separately.

 Realistically, adding a pre-commit hook isn't at all difficult, but just
 you try writing code to scan for those sort of things and see how well you
 do at it. It ain't easy. Code is not amenable to automated scanning for

Ticket URL: <https://meta.trac.wordpress.org/ticket/286#comment:1>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list