[wp-meta] [Making WordPress.org] #5352: Plugin Security - Add email confirmation prior to releases being processed
noreply at wordpress.org
Thu Aug 6 00:50:08 UTC 2020
#5352: Plugin Security - Add email confirmation prior to releases being processed
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Comment (by dd32):
Replying to [comment:5 Ipstenu]:
> It's opt IN? I'm in :)
> I would like to ''EVENTUALLY'' make it opt-out and not opt-in, as
updates are a big deal and this would give folks an extra layer of
protection. But I can fight for that one later.
- Opt-In for all ''for now''
- Forced-Opt-In and no Opt-out for high usage plugins ''soon''
- Opt-Out ''some day'' in the future.
> Which is this. When a new version of WP is released, and I update my
plugins, sometimes I ''only'' update the readmes in trunk and the latest
Let's be blunt, that's why I included `Yes, I know about Tested Up To
we'll figure something out.` in point three.
It's a silly scenario we find ourselves in where people ''need'' to change
their readme's in `/tags/` to make these kind of changes, they shouldn't
have to update the files that exist on sites just to flag that.
I would rather find a way we can work around this, without changing ZIPs,
because having multiple versions of a plugin out there with varied file
hashes sucks. Off the top of my head:
- Readme changes are allowed, but doesn't rebuild the ZIP
- Readme changes are not needed, because `Tested up to` can be set
somewhere else for the latest release (UI option?)
- Directory Readme isn't included in plugins at all, and it's replaced
with a document that links to the WordPress.org plugins page for further
details (This won't be liked by some..)
This is only complicated in my mind by the fact that sometimes people want
to update a typo in their plugins readme without releasing a new version,
or those who constantly change their tags to find the perfect tags to give
them the most search ranking.
> That should (IMO) not require a sign off, but also should be 'honored'
and my zips should be rebuilt.
It's not ''really'' about malicious changes (although that's part of it),
it's more about `plugin.1.2.3.zip` changing and not being able to be
cached for a long period of time. Just like how plugins that use `Stable
Tag: trunk` don't get versioned zips and `plugin.zip` is both version 1.0
and 2.0 depending on what point in time you access it. It's a caching and
signing nightmare. (Yes, we can (and probably will) start to use
`plugin.zip?v=$unique_version_id` as the url soon)
> Second, what about people who use TRUNK as their stable tag? Can we
detect that and require confirmation for ''every'' single push? While
annoying to the developer, it would hammer home the gosh darn point of
trunk is not meant like that, please use tags.
Point 2: `initially I'm thinking they'll be required to use tags for
releases, releases from trunk will no longer be an option`.
The alternative is just as you've said, email on every commit.
If a plugin wants the higher-level of security (and they should) they
should do things the right way and use Tags! Thankfully only 15% of
plugins with >= 100k active installs use trunk, but that's still not a
I'd almost prefer to remove the ability to release from `/trunk/`
entirely, and instead, add a UI button for "Release version x.y" that
Checked the trunk files versions were correct, tagged it for them, and
then updated the trunk `Stable Tag` readme field for them.
(That's complicated for other reasons, but I would totally support it and
probably use it myself)
> > 5. Ideally, the committer who committed the release would not be able
to be the sole person who approves the release as well [....].
> As long as this is an "IF you are the only committer, you can sign off.
ELSE you need someone else." Then yeah, that's okay. [....]
Agreed. I think it should be opt-in as well. Having a single committer
should not be a detriment to the author, and we shouldn't result in a
state where every committer ultimately just has two accounts just to work
I would like to have three states:
1. No confirmation needed (initial default)
2. 1 Confirmation needed (default for high-usage plugins eventually)
3. 2 Confirmations needed (Opt-in, Committer cannot make the release alone
but can be 1/2 confirmations)
If it makes it easier, I'd even be willing to make the 3rd choice NOT be
selectable via the UI, and it be something that only Plugin Admins can
enable for a plugin, as long as they're aware it's an option.
For example, I own plugin `ACME Inc Gallery` I'm a two-person agency, we
opt-in to have this confirmation enabled and either of us can sign it off.
We require 1 confirmation which can be either of us (So the Committer can
self-release, or Person1 can commit and Person2 can do the Email
confirmation when they come online later and verify the diff looked
`EMCA Inc Best Gallery` is our competitor, the owner doesn't trust any
single individual because they believe I've infiltrated his employee pool
and will destroy them from the inside out. They require 2 Confirmations,
Person1 Commits, Person1 Confirms via email, Person2 Confirms it via
email, and only once Person2 confirms it triggers the release to go out.
Being able to opt-in for 2 confirmations rather than 1 is intended ONLY
for those larger plugins that have enough people backing it, where no
individual should be able to unilaterally decide to release an update that
changes their plugins from embedding Cat pictures to embedding Dog
Ticket URL: <https://meta.trac.wordpress.org/ticket/5352#comment:6>
Making WordPress.org <https://meta.trac.wordpress.org/>
More information about the wp-meta