[wp-trac] [WordPress Trac] #43750: Establish a standard means of core reading privacy declarations from plugins’ readme.txt

WordPress Trac noreply at wordpress.org
Thu May 31 19:23:03 UTC 2018

#43750: Establish a standard means of core reading privacy declarations from
plugins’ readme.txt
 Reporter:  allendav                |       Owner:  (none)
     Type:  enhancement             |      Status:  new
 Priority:  normal                  |   Milestone:  Awaiting Review
Component:  Privacy                 |     Version:  trunk
 Severity:  normal                  |  Resolution:
 Keywords:  gdpr needs-patch close  |     Focuses:

Comment (by allendav):

 Replying to [comment:12 iandunn]:
 > Hmmm, I'm kinda leery of the idea of relying on a dev manually setting
 `readme.txt` headers. It feels like it'll be much more likely that results
 will be inaccurate. A dev could forget to update it when they add/remove
 export/erase callbacks, use the wrong values, etc.
 > It's also adding another thing that devs have to learn about and do.

 Absolutely - this is a downside to this. That said, I don't think plugin
 developers will be in the habit of removing integration to core privacy,
 in fact i suspect they'll probably be adding these privacy related tags
 just once in their plugin's lifecycle.

 I'm also comforted by the fact that themes do this tag business already.

 > I wonder if there's a way we can add support for identifiers to the
 export/erase callback registration process, in a way that'll maintain

 We could, but what would you do for plugins that don't need the
 exporter/erasers because they don't collect or copy personal data? The
 plugin header approach supports those plugins (which i suspect are the
 vast majority of plugins.)

 > Or maybe [https://stackoverflow.com/a/2222404/450127 use
 ReflectionFunction to determine the plugin that the callback is from], or
 see which plugins are hooking in to `wp_privacy_personal_data_exporters`.
 Those could have some false-positives there too, though, but maybe it's
 less likely than relying on them being manually set?  Maybe automatic
 detection could be the primary method, then then there's also a filter to
 let devs override the result?

 We could do this, but we wouldn't know what plugins implemented the export
 and erasure hooks until after we call all the registered exporters and
 erasers? I'd love to present this information to the admin before they run
 any export. Seems a little complicated and therefore potentially brittle

 It also suffers from the vast-majority problem - plugins that don't
 collect or copy personal data and so don't need to participate in export
 or erasure.

 > None of that feels like a very elegant solution, though; a `readme.txt`
 header would probably be simpler. I don't have a strong opinion either

 LOL, nope, neither is foolproof, but i think the readme.txt header tags
 idea has an edge in simplicity.

 Another neat thing about the Tags: idea is that other concepts might show
 up there, like requires-php-7 for example :P

Ticket URL: <https://core.trac.wordpress.org/ticket/43750#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list