[wp-meta] [Making WordPress.org] #5352: Plugin Security - Add email confirmation prior to releases being processed
Making WordPress.org
noreply at wordpress.org
Mon Aug 10 01:36:48 UTC 2020
#5352: Plugin Security - Add email confirmation prior to releases being processed
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: |
------------------------------+---------------------
Comment (by dd32):
Replying to [comment:8 chriscct7]:
> There's 2 distinct cases:
> - Adding more security for releases, because Autoupdates means anyone with access pushes to lots of sites
> - Trying to prevent rogue employees/committers from issuing releases.
I agree that they're different concerns, but disagree that they should be treated as distinct cases. When a solution covers multiple questions, it's best not to look at them separately from one another, as you can end up with a solution that works for one case but fails to work for another in a "good manner".
> I think a really critical, and perhaps incorrect assumption that can be
made, is that larger plugins == more employees === more committers.
I agree, and that's why double-sign-off should be optional and opt-in -
that's to prevent the self-confirm/self-sign-off process.
1. Disabled - default
2. Confirmation from at least 1 person (can be Committer) - Minimum for large plugins
3. Confirmation from at least 2 people (Committer + someone else, or 2 other people) - Ideal situation from a security POV, but optional
> I know many larger plugins have wanted 2FA on SVN
I also want 2FA for SVN; unfortunately, SVN doesn't support multi-factor authentication, unless you switch over to `svn+ssh://`, which has a whole other set of authentication and security issues that mean it's not currently viable for a shared SVN like plugins.svn with untrusted users.
The only way to do 2FA with HTTPS SVN is something like `svn --username dd32 --password supersecret123456` (where 123456 is my TOTP code).
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5352#comment:16>
Making WordPress.org <https://meta.trac.wordpress.org/>
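The "TOTP code appended to the password" workaround described in the comment above, shown as server-side verification logic. This is an added example, not code from the comment or from WordPress.org's infrastructure; the secret is the RFC 6238 test key and the static password is constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials: the RFC 4226/6238 test key and a made-up
# static password. Neither is a real credential.
DEMO_SECRET = b"12345678901234567890"
DEMO_PASSWORD = "supersecret"

TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6       # length of the TOTP code appended to the password


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 (the default for most authenticator apps)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(submitted: str, digits: int = DIGITS):
    """Split 'password + TOTP' into (password, code); None if the tail is not a code."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


def verify(submitted: str, stored_password: str, secret: bytes, now: int, window: int = 1) -> bool:
    """Accept only if the static password matches AND the trailing code is valid
    for the current TOTP window, allowing +/- `window` steps of clock drift."""
    parts = split_credential(submitted)
    if parts is None:
        return False
    password, code = parts
    # Constant-time comparisons avoid leaking which part was wrong.
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    code_ok = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(code, totp(secret, now + drift * TIME_STEP)):
            code_ok = True
    return password_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    print("code:", totp(DEMO_SECRET, t))
    print("accept:", verify(DEMO_PASSWORD + totp(DEMO_SECRET, t), DEMO_PASSWORD, DEMO_SECRET, t))
    print("reject stale:", verify(DEMO_PASSWORD + totp(DEMO_SECRET, t), DEMO_PASSWORD, DEMO_SECRET, t + 120))
```

One caveat a practitioner will hit immediately: an HTTPS SVN client resends its credentials on every request, and a single commit is several requests, so the server cannot treat each code as single-use without breaking commits; it can only reject codes outside the drift window, which is why this is a workaround rather than real multi-factor authentication.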