[wp-trac] [WordPress Trac] #45058: Proposal for plugin/theme public hashes to prove authenticity of installed code
WordPress Trac
noreply at wordpress.org
Sat Oct 6 16:05:56 UTC 2018
#45058: Proposal for plugin/theme public hashes to prove authenticity of installed code
-------------------------+-----------------------------
Reporter: duanestorey | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
There have been some discussions recently online about issues surrounding
nulled (pro) themes and plugins, as well as unauthorized, possibly
modified versions of themes and plugins hosted on WordPress.org, but
installed from other sources.
I would like to propose adding a plugin/theme hashing mechanism to the
deployment system (i.e. when you tag a plugin or theme, part of the
package generation process generates the archive hash for display publicly
on the associated plugin/theme page of wordpress.org, and also available
via the API to the plugin page and auto-updater within WordPress).
Ultimately this would let both end-users and WordPress itself potentially
understand whether or not a plugin or theme had been modified. Possibly as
part of the nightly cron WordPress could check the local plugin/theme
hashes against the published ones; if they didn't match, it indicates
something has been changed locally. Conceivably Pro plugin authors could
implement a similar approach, the goal of course not being to prevent
people from taking advantage of the freedoms associated with the GPL, but
to help alleviate issues where ZIP files floating around have malicious
code in them but the end-user doesn't have the ability to detect that
themselves. At the bare minimum providing hashes would allow someone to
know if a plugin or theme had been modified after the author(s) officially
released them.
I have seen various other open source projects now provide hashes of the
official downloads online. It might be a good direction for WordPress to
go towards in the future as well. I wanted to post this to possibly
generate some discussion around it. Cheers.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45058>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
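The publish-then-check flow proposed in the ticket, as an added example that is not WordPress core or wordpress.org code. It goes one step beyond the single archive hash the ticket describes by hashing every file in the package, so the nightly check can name which file was edited, removed or dropped in; the directory layout, file contents and function names are constructed for the demo.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    # Publish side: walk a plugin/theme tree and map relative path -> SHA-256.
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def verify_install(root, published):
    # Check side (what a nightly cron could run): compare the local tree with the
    # published manifest. Returns {path: "missing" | "modified" | "unexpected"};
    # an empty dict means the install matches the released package exactly.
    local = build_manifest(root)
    findings = {}
    for path, digest in published.items():
        if path not in local:
            findings[path] = "missing"
        elif local[path] != digest:
            findings[path] = "modified"
    for path in local:
        if path not in published:
            findings[path] = "unexpected"  # present locally, absent from the release
    return findings

def _write(root, rel, text):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)

def demo():
    # Constructed sample: a tiny "released" plugin and a site copy altered after release.
    with tempfile.TemporaryDirectory() as release, tempfile.TemporaryDirectory() as site:
        for root in (release, site):
            _write(root, "plugin.php", "<?php // version 1.0\n")
            _write(root, "inc/helper.php", "<?php function helper() {}\n")
        published = build_manifest(release)      # what wordpress.org would publish
        clean = verify_install(site, published)  # untouched copy -> {}
        _write(site, "plugin.php", "<?php // version 1.0\n// edited locally\n")
        _write(site, "inc/extra.php", "<?php // not in the release\n")
        os.remove(os.path.join(site, "inc", "helper.php"))
        return clean, verify_install(site, published)
```

A manifest only proves that the installed files match what was published; the published manifest itself still has to be fetched over a trusted channel (HTTPS to wordpress.org, or a signed manifest) or an attacker who can swap the package can swap the hashes too.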