[wp-meta] [Making WordPress.org] #5352: Plugin Security - Add email confirmation prior to releases being processed
Making WordPress.org
noreply at wordpress.org
Wed Aug 5 10:26:27 UTC 2020
#5352: Plugin Security - Add email confirmation prior to releases being processed
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: |
------------------------------+---------------------
Comment (by dd32):
Replying to [comment:3 casiepa]:
> Random thoughts, but I suppose most is covered:
> 1. The committer will get an email to click on. Should all committers
> get this or just the one that committed? Probably just the one that
> committed as it's just the final step of the process

All committers, as preferably it'd be a different committer to sign off
(so it's 2+ committers, not a solo action). But since many plugins are
single active committer it's really just a final confirmation in those
cases.

> 2. Putting 'abc' in the Stable Tag would trigger this process. If 'abc'
> does not exist under /tags the current flow is to consider trunk for
> further steps. Any safety measure needed here?

If the tag doesn't exist then it's treated like `trunk` and processing
should abort then and there.

> 3. Let's say the limit goes on 100k. Today I have 99k and tomorrow I
> have 100k, will I get a warning about the new way of releasing my plugin?

I think we'd have to have a "congratulations! You've got 100k active
installs, now.. here's what it means for you.." email. For default
settings it'd just be an extra two clicks.

> 4. 1 million? 100k? I would think that even a plugin with 20k installs
> that would have an issue could damage w.org reputation, so don't put the
> limit too high

I would hope that we can decrease the limit over time, realistically there
should be no reason why it couldn't be required for every plugin to have
at least one committer sign off, and to have higher usage plugins require
two.
But that would require us to also support releases from `trunk` which I'm
not too enthusiastic about adding at first :)
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5352#comment:4>
Making WordPress.org <https://meta.trac.wordpress.org/>