[wp-meta] [Making WordPress.org] #286: Setup SVN pre-commit hooks to enforce plugin guidelines
Making WordPress.org
noreply at wordpress.org
Mon Jan 20 22:16:51 UTC 2014
#286: Setup SVN pre-commit hooks to enforce plugin guidelines
--------------------------+-------------------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: normal | Component: Plugins Directory
Resolution: | Keywords:
--------------------------+-------------------------------
Comment (by Otto42):
We actually already have a commit hook to scan for certain types of things
like eval and base64 and such. It emails me, @nacin, and @duck_, I
believe.
The number of false positives is so large as to almost make it not worth
the effort. Almost. I've found a few things there, but most of it is fine.
Take a simple "base64" example. There exist APIs which actually use
variants of base64 in them (Facebook, for one), and thus it's not malware
all the time. And actual malware is better at hiding "base64" calls than
you would believe. We actually have better luck at scanning for gibberish
which looks like encoded code.
As for people purchasing plugins and then adding "stuff" to them, this has
already occurred several times. In a few cases, we've removed them because
of said stuff, and in other cases, the stuff was not particularly
objectionable. In at least one case, the problem solved itself by somebody
taking the previous code and forking it to a new name and developing it
further separately.
Realistically, adding a pre-commit hook isn't at all difficult, but just
you try writing code to scan for those sorts of things and see how well you
do at it. It ain't easy. Code is not amenable to automated scanning for
intent.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/286#comment:1>
Making WordPress.org <https://meta.trac.wordpress.org/>
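The kind of scanning the comment above describes, as an added example that is not WordPress.org's actual hook code: a small Python scanner that flags eval/base64_decode calls and, separately, long high-entropy base64 runs ("gibberish which looks like encoded code"), ranking a call next to a blob higher than either alone so that single hits stay low-confidence notifications. The entropy cut-off, run length and the three sample PHP lines are constructed assumptions.

```python
import base64
import hashlib
import math
import re

# Constructed sample of what a commit hook sees. Line 1 is the kind of
# legitimate base64 use the comment mentions (an API token being decoded),
# line 2 embeds a data-URI icon (legitimate but high-entropy), line 3 is an
# eval of an encoded blob. The blob is derived from SHA-256 so it is
# deterministic yet statistically random.
_BLOB = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))).decode()
SAMPLE_PHP = [
    "$sig = base64_decode(strtr($parts[0], '-_', '+/'));",
    "$icon = 'data:image/png;base64," + _BLOB[:60] + "';",
    "eval(base64_decode('" + _BLOB + "'));",
]

CALL_RE = re.compile(r"\b(eval|base64_decode)\s*\(", re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # 40+ base64-alphabet chars
MIN_ENTROPY = 4.5  # bits per char; assumed cut-off between names and encoded data


def shannon_entropy(s):
    """Empirical Shannon entropy of a string in bits per character."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return (severity, reasons) for one line of PHP source; (None, []) if clean."""
    calls = sorted({m.group(1).lower() for m in CALL_RE.finditer(line)})
    blobs = [m.group(0) for m in BLOB_RE.finditer(line)
             if shannon_entropy(m.group(0)) >= MIN_ENTROPY]
    if calls and blobs:
        return "high", calls + ["encoded-blob"]  # call feeding on an encoded blob
    if blobs:
        return "low", ["encoded-blob"]  # icons and keys land here: notify, don't block
    if calls:
        return "info", calls  # plain API usage; expect many false positives
    return None, []


def scan_file(lines):
    """Findings for a whole file as (line_no, severity, reasons) tuples."""
    findings = []
    for no, line in enumerate(lines, 1):
        severity, reasons = scan_line(line)
        if severity:
            findings.append((no, severity, reasons))
    return findings
```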