[wp-meta] [Making WordPress.org] #5744: For plugins using release confirmation, email confirmation is not required to add/remove committers.

Making WordPress.org noreply at wordpress.org
Mon May 24 16:43:15 UTC 2021


#5744: For plugins using release confirmation, email confirmation is not required
to add/remove committers.
------------------------------+--------------------
 Reporter:  wfmatt            |      Owner:  (none)
     Type:  defect            |     Status:  new
 Priority:  normal            |  Milestone:
Component:  Plugin Directory  |   Keywords:
------------------------------+--------------------
 Currently the release confirmation for plugin releases will email all
 plugin committers a link with an access token to verify the plugin release
 is ready to go live. From a security perspective, a compromised wp.org
 account with commit access to a plugin won't be able to approve of a new
 plugin release without also having access to the account's email address.
 But the compromised account can add a committer account which they control
 to the plugin which bypasses this security feature.

 Additionally, a compromised account can update the email address of the
 victim account without verification of the victim email address which
 would also bypass this feature.

 There were a few features mentioned in the original ticket for this feature
 that I think would be good to include:

 List item 5 here: #5352

 > Ideally, the committer who committed the release would not be able to be
 the sole person who approves the release as well, which would effectively
 make this always a 2+ person scenario. Maybe an exception would be the
 same person can sign it off, as long as it's not forcefully enabled for
 the plugin due to level of usage.

 I saw some push back in the discussion. I think this would be good to have
 even though it doesn't necessarily address this issue. I think making it
 configurable by plugin developers would help address some of the concerns.
 For instance, being able to set release confirmations to 2 approvals, but
 not be able to decrease that without involving the plugins or meta team.

 List item 7:

 > Only those who have been a committer on a plugin for >1 week should be
 able to sign off a release. (Also, Committers should know when a new
 committer is added - #5351)

 This would be good to include as a feature that would help to address this
 issue (or at least give developers time to get ahead of a potential
 compromise). I don't see it implemented anywhere in the confirmation code
 though. I do think having email confirmation for changes in commit access
 as well as updating the account email would be good to incorporate.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/5744>
Making WordPress.org <https://meta.trac.wordpress.org/>
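The two proposals quoted above (a minimum committer age before sign-off counts, and a 2+ person approval that the release committer cannot satisfy alone, with a threshold developers can raise but not lower), modelled as an added example; this is not code from the ticket or from the WordPress.org plugin directory, and the Plugin/Release classes, the date values and the logins are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Proposed threshold from #5352 item 7: a committer added less than a week
# ago cannot yet sign off a release.
MIN_COMMITTER_AGE = timedelta(days=7)

@dataclass
class Plugin:
    slug: str
    committers: dict             # login -> datetime commit access was granted
    required_approvals: int = 1  # hypothetical per-plugin setting

@dataclass
class Release:
    committed_by: str
    approvals: set = field(default_factory=set)  # logins that used a valid email token

def eligible_approver(plugin: Plugin, user: str, now: datetime) -> bool:
    granted = plugin.committers.get(user)
    return granted is not None and now - granted >= MIN_COMMITTER_AGE

def can_go_live(plugin: Plugin, release: Release, now: datetime) -> bool:
    valid = {u for u in release.approvals if eligible_approver(plugin, u, now)}
    if plugin.required_approvals >= 2:
        # #5352 item 5: with a multi-person sign-off configured, the committer
        # who pushed the release cannot count as one of the approvers.
        valid.discard(release.committed_by)
    return len(valid) >= plugin.required_approvals

def set_required_approvals(plugin: Plugin, n: int, meta_team: bool = False) -> None:
    # Developers may raise the threshold; lowering it needs the plugins/meta team.
    if n < plugin.required_approvals and not meta_team:
        raise PermissionError("lowering required approvals needs plugins/meta team")
    plugin.required_approvals = n

def demo() -> dict:
    now, old = datetime(2021, 5, 24), datetime(2020, 1, 1)
    plugin = Plugin("example-plugin", {"alice": old, "bob": old, "carol": old})
    # Constructed scenario: an attacker holding alice's account adds a committer
    # they control and uses it to confirm a release alice pushed (the bypass
    # described in the ticket); the age rule rejects that sign-off.
    plugin.committers["mallory"] = now
    out = {"new_committer_blocked": not can_go_live(plugin, Release("alice", {"mallory"}), now)}
    set_required_approvals(plugin, 2)
    out["self_plus_one_rejected"] = not can_go_live(plugin, Release("alice", {"alice", "bob"}), now)
    out["two_others_ok"] = can_go_live(plugin, Release("alice", {"bob", "carol"}), now)
    return out
```

Note that none of this stops the second bypass in the ticket (changing the victim's email address); that needs verification of the new address itself.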