[wp-trac] [WordPress Trac] #16778: wordpress is leaking user/blog information during wp_version_check()
WordPress Trac
noreply at wordpress.org
Mon Nov 14 22:38:04 UTC 2016
#16778: wordpress is leaking user/blog information during wp_version_check()
----------------------------+----------------------
Reporter: investici | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Administration | Version:
Severity: minor | Resolution: invalid
Keywords: has-patch | Focuses:
----------------------------+----------------------
Changes (by chriscct7):
* keywords: has-patch close => has-patch
* status: reopened => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
WordPress is an open source project. Unlike closed source projects, you
can freely read and edit the codebase and see exactly what is sent, or
learn about how different parts of the project operate.

Additionally, the WordPress project maintains an open information section,
similar to Wikipedia, where anyone can contribute new documentation or
information about the platform, that to a reasonable extent would be
useful to other users. As such, you're free to create a page for this, and
the instructions for doing so are here:
https://codex.wordpress.org/Codex:Creating_a_New_Page. It would likely be
categorized here: https://codex.wordpress.org/About_WordPress. As a
volunteer-based project, there's no group that's "responsible" so to speak
for creating content really of any sort for WordPress.org. The best way to
ensure that things get done, is often to do them or spearhead them. This
could be something to consider, as it doesn't appear that any of the other
volunteers who work on the project have had the interest in doing so for
this topic. As a place to start, the data is stored by WordPress.org for
calculation purposes for 48 hours, and then discarded.

There is a balance between having too much and too little information
about usage, and what that entails. There are groups on both sides of this.
This ticket is mostly comprised of users who would like (from my
understanding of reading the comments) less information to be sent back.
There are other tickets, who want WordPress to collect more information
than it currently does (generally with the argument that WordPress needs
to know more about its users to make better software OR alternatively
that the WordPress core developers aren't collecting enough information to
base decisions on). This is a balancing act between privacy and
practicality.

As for this ticket, WordPress is now used by almost a quarter of the
internet, and since 6 years ago a total of what appears to be just 6
(quick count on my part; could be off +/-2) have expressed interest in a
filter for this. Aside from the performance implications of calling
apply_filter() which albeit while small is still a consideration factor,
there is also WordPress's core philosophies of "Design for the majority"
and "The Vocal Minority": https://wordpress.org/about/philosophy/. It is
unlikely that of the many tens of millions of active WordPress installs
more than a handful would actually use this filter. Furthermore,
introducing new filters has to be done with care, particularly out of
consideration for future development. Does a filter here prevent WordPress
from being able to achieve future goals due to backwards compatibility
concerns? Probably not, but again another thing to consider.

Finally, there is already an applicable WordPress filter that can be used
to achieve the same result: `http_request_args`, where the existence of
the `wp_install` header (which is exclusively used on wp_version_check()
calls in WordPress) could be used to filter the information from the body.

Given there's a way of filtering this data already, and there's a lack of
significant interest, closing this ticket. As a reminder, ticket
conversations can continue while the ticket is in a closed status.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16778#comment:35>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
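
One way to apply the `http_request_args` approach described in the comment above, as an added example that is not code from the ticket or from WordPress core. The function name, the handling of the `wp_blog` header and the `user-agent` string, and the sample values are assumptions made here.

```php
<?php
/**
 * Added example: scrub site-identifying data from the request that
 * wp_version_check() sends, via the `http_request_args` filter.
 *
 * @param array  $args Request arguments handed to the WP HTTP API.
 * @param string $url  Request URL. Read-only here: the filter returns only
 *                     $args, so data carried in the URL is out of its reach.
 * @return array Arguments, scrubbed when the request is a version check.
 */
function example_scrub_version_check( $args, $url ) {
    $headers = ( isset( $args['headers'] ) && is_array( $args['headers'] ) )
        ? $args['headers'] : array();

    // Per the ticket comment, only wp_version_check() sets `wp_install`.
    if ( ! array_key_exists( 'wp_install', $headers ) ) {
        return $args; // Every other outbound request passes through untouched.
    }

    // Drop the headers that carry the site URL (`wp_blog` is an assumption).
    unset( $headers['wp_install'], $headers['wp_blog'] );
    $args['headers'] = $headers;

    // Assumed UA shape "WordPress/<version>; <site URL>": keep the product token.
    if ( isset( $args['user-agent'] ) && is_string( $args['user-agent'] ) ) {
        $parts              = explode( ';', $args['user-agent'], 2 );
        $args['user-agent'] = trim( $parts[0] );
    }

    // Clear the POST body, as the comment suggests.
    $args['body'] = array();
    return $args;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register for both filter arguments.
    add_filter( 'http_request_args', 'example_scrub_version_check', 10, 2 );
} else {
    // Outside WordPress: run against constructed sample arguments.
    $sample = array(
        'user-agent' => 'WordPress/0.0; https://blog.example.test/',
        'headers'    => array( 'wp_install' => 'https://blog.example.test/',
                               'wp_blog'    => 'https://blog.example.test/' ),
        'body'       => array( 'translations' => '[]' ),
    );
    var_export( example_scrub_version_check( $sample, 'https://api.example.test/version-check/' ) );
}
```

Placed in a must-use plugin, the filter runs on every outbound HTTP API request, so the early return on a missing `wp_install` header is what keeps other requests unchanged.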