[wp-meta] [Making WordPress.org] #5744: For plugins using release confirmation, email confirmation is not required to add/remove committers.
Making WordPress.org
noreply at wordpress.org
Mon May 24 16:43:15 UTC 2021
#5744: For plugins using release confirmation, email confirmation is not required
to add/remove committers.
------------------------------+--------------------
Reporter: wfmatt | Owner: (none)
Type: defect | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Keywords:
------------------------------+--------------------
Currently the release confirmation for plugin releases will email all
plugin committers a link with an access token to verify the plugin release
is ready to go live. From a security perspective, a compromised wp.org
account with commit access to a plugin won't be able to approve of a new
plugin release without also having access to the account's email address.
But the compromised account can add a committer account which they control
to the plugin, which bypasses this security feature.
Additionally, a compromised account can update the email address of the
victim account without verification of the victim email address which
would also bypass this feature.
There were a few features mentioned in the original ticket for this feature
that I think would be good to include:
List item 5 here: #5352
> Ideally, the committer who committed the release would not be able to be
> the sole person who approves the release as well, which would effectively
> make this always a 2+ person scenario. Maybe an exception would be the
> same person can sign it off, as long as it's not forcefully enabled for
> the plugin due to level of usage.
I saw some push back in the discussion. I think this would be good to have
even though it doesn't necessarily address this issue. I think making it
configurable by plugin developers would help address some of the concerns.
For instance, being able to set release confirmations to 2 approvals, but
not be able to decrease that without involving the plugins or meta team.
List item 7:
> Only those who have been a committer on a plugin for >1 week should be
> able to sign off a release. (Also, Committers should know when a new
> committer is added - #5351)
This would be good to include as a feature that would help to address this
issue (or at least give developers time to get ahead of a potential
compromise). I don't see it implemented anywhere in the confirmation code
though. I do think having email confirmation for changes in commit access
as well as updating the account email would be good to incorporate.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5744>
Making WordPress.org <https://meta.trac.wordpress.org/>
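As an added illustration (not code from this ticket or from WordPress.org's plugin directory), the following Python models the approval rules the report argues for: a freshly added committer cannot sign off a release until they have had commit access for a week, the committer who pushed the release cannot be its sole approver, a plugin's required-approval count can be raised by its developers but lowered only by the plugins/meta team, and adding or removing a committer only takes effect after an emailed confirmation token is used. All class and function names, the `Policy` fields and the timestamps are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Committer:
    username: str
    added_at: datetime  # when commit access was granted


@dataclass
class Policy:
    # Hypothetical per-plugin settings, not WordPress.org's real configuration.
    required_approvals: int = 1                # sign-offs needed before a release goes live
    min_tenure: timedelta = timedelta(days=7)  # the ">1 week" rule from the ticket
    committer_may_self_approve: bool = False   # False => always a 2+ person scenario


@dataclass
class Release:
    version: str
    committed_by: str
    approvals: set = field(default_factory=set)


def approval_blockers(committer, release, policy, now):
    """Reasons this committer may NOT sign off the release; an empty list means allowed."""
    reasons = []
    if now - committer.added_at < policy.min_tenure:
        # A committer added minutes ago (e.g. by a compromised account) cannot be
        # used straight away to approve a release.
        reasons.append("committer tenure below minimum")
    if committer.username == release.committed_by and not policy.committer_may_self_approve:
        reasons.append("committer cannot approve their own release")
    return reasons


def record_approval(committer, release, policy, now):
    blockers = approval_blockers(committer, release, policy, now)
    if blockers:
        raise PermissionError("; ".join(blockers))
    release.approvals.add(committer.username)
    return release


def is_release_approved(release, policy):
    return len(release.approvals) >= policy.required_approvals


def set_required_approvals(policy, new_value, actor_is_meta_team=False):
    """Developers may raise the threshold; only the plugins/meta team may lower it."""
    if new_value < policy.required_approvals and not actor_is_meta_team:
        raise PermissionError("lowering required approvals needs the plugins/meta team")
    policy.required_approvals = new_value
    return policy


# Committer changes as a two-step flow: stage the change, then confirm it with a
# token that would be delivered to the existing committers' verified email addresses.
_pending_changes = {}  # token -> (committers, username, action, requested_at)


def request_committer_change(committers, username, action, now):
    token = secrets.token_urlsafe(32)
    _pending_changes[token] = (committers, username, action, now)
    return token


def confirm_committer_change(token):
    change = _pending_changes.pop(token, None)
    if change is None:
        raise PermissionError("unknown or already-used confirmation token")
    committers, username, action, requested_at = change
    if action == "add":
        committers[username] = Committer(username, added_at=requested_at)
    elif action == "remove":
        committers.pop(username, None)
    return committers


def demo_scenario():
    """Constructed walk-through of the rules above; returns the observed outcomes."""
    now = datetime(2021, 5, 24, 16, 43)  # constructed timestamp
    policy = Policy(required_approvals=2)
    committers = {
        "alice": Committer("alice", now - timedelta(days=400)),
        "bob": Committer("bob", now - timedelta(days=30)),
    }
    release = Release("1.2.0", committed_by="alice")
    out = {}
    out["alice_blockers"] = approval_blockers(committers["alice"], release, policy, now)
    out["bob_blockers"] = approval_blockers(committers["bob"], release, policy, now)
    record_approval(committers["bob"], release, policy, now)
    out["approved_after_bob"] = is_release_approved(release, policy)
    # Staging a new committer changes nothing until the emailed token is confirmed.
    token = request_committer_change(committers, "mallory", "add", now - timedelta(hours=2))
    out["mallory_before_confirm"] = "mallory" in committers
    confirm_committer_change(token)
    out["mallory_blockers"] = approval_blockers(committers["mallory"], release, policy, now)
    try:
        set_required_approvals(policy, 1)
        out["lowered_by_developer"] = True
    except PermissionError:
        out["lowered_by_developer"] = False
    return out


if __name__ == "__main__":
    print(demo_scenario())
```

In the walk-through, only `bob` can sign off `alice`'s release, and the release is still not live with a single approval because the plugin requires two; the staged `mallory` account only appears after confirmation and is then blocked by the tenure rule, so a compromised account cannot mint its own second approver on the spot.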