[wp-meta] [Making WordPress.org] #6921: Prepare for Plugin Dependencies

Making WordPress.org noreply at wordpress.org
Sat Apr 8 07:33:21 UTC 2023


#6921: Prepare for Plugin Dependencies
------------------------------+---------------------
 Reporter:  dd32              |       Owner:  (none)
     Type:  defect (bug)      |      Status:  new
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:  needs-patch       |
------------------------------+---------------------

Comment (by Otto42):

 Replying to [comment:6 afragen]:
 > Updates to the add-on plugin would be available from WordPress.org

 Not if it declared a dependency that was not available. That's the point
 of this ticket.

 > This is a logical fallacy. Are you really prepared to say that the
 > repository is not the place for free plugins, that just happen to be
 > add-ons for premium plugins?

 Not at all. Simply that such plugins should not be using the dependencies
 feature, because the dependencies cannot be verified by the plugin
 directory.

 Replying to [comment:7 afragen]:
 > Honestly, there is nothing the Plugins API, nor the Plugin Repository,
 > need to change for the Plugin Dependencies feature.

 Clearly, that is not the case. I believe there was discussion about a
 phase two, which would allow for URIs to be included in the headers and
 allow installation of code from unvetted sources. Obviously, that would be
 a bad idea, since malicious code could then easily be snuck into the
 directory. You may think this is unlikely, but it happens on the regular
 and has for at least 15 years.

 The plugin directory is very much a "walled garden". We vet plugins for
 malware, security, general issues and improvement. All sorts of things. I
 have done so for more than a decade. So, creating a hole, or backdoor if
 you will, to install unverified code from the general internet, is not
 acceptable for plugins in the directory to do. So yes, it very much does
 need to be limited by the plugin directory. And if necessary, completely
 disabled by the plugin directory.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/6921#comment:9>
Making WordPress.org <https://meta.trac.wordpress.org/>