[wp-trac] [WordPress Trac] #48486: Add compliance tab to plugin repository pages on WordPress.org
WordPress Trac
noreply at wordpress.org
Mon Dec 9 18:00:09 UTC 2019
#48486: Add compliance tab to plugin repository pages on WordPress.org
-------------------------+-------------------------------------------------
Reporter: katwhite | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version: 5.3
Severity: normal | Resolution:
Keywords: | Focuses: accessibility, docs, privacy, coding-standards
-------------------------+-------------------------------------------------
Comment (by carike):
LOTS of stuff to reply to :) Won't be able to get to everything right now,
but will get to it.
Including the file for the example readme.txt here :)
[=== Disclosures and Permissions Tabs ===
Contributors: Carike
Tags: disclosures, permissions, privacy, security
Requires at least: 4.9
Requires PHP: 5.6
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
CODE IS NOT FUNCTIONAL YET. Experimental plugin. For discussion /
development. Intended as Feature as a Plugin.
== Description ==
VISION STATEMENT:
* We believe that privacy is a strategic competitive advantage.
* This Feature as a Plugin follows a risk-based, as opposed to a
compliance-based approach to privacy choices.
* We firmly believe that if your aim is informed consent and you act in
good faith at all times, then you are almost certain to come down on the
"right" side of legislation.
MISSION STATEMENT:
Thus far many site owners have relied solely on their user experience /
visual elements created by a plugin when choosing which of the many
plugins fulfilling a particular function to install. We aim to change
that.
* DPT seeks to allow website admins / owners to make more informed choices
when comparing plugins by facilitating plugin developers' ability to
disclose what information is collected from their site and / or their
users in a format that makes it understandable for an average user.
* DPT aims to do this by rationally standardizing privacy options within
the WordPress ecosystem.
* DPT was developed with the hope of leveraging unrealized synergies.
* DPT does not directly address
https://core.trac.wordpress.org/ticket/48486, which only addresses an
additional tab to the plugin page on the WordPress.org repository;
however, it does seek to complement it.
* DPT does not seek to replace the Consent API; however, it does seek to
complement it. You can find the Consent API at:
https://github.com/rlankhorst/wp-consent-level-api/blob/master/readme.txt
* DPT hopes to assist in implementing sensible guidelines for plugins to
advertise premium offerings, to hopefully enable plugin developers to
monetize their content without alienating the user-base.
== Installation ==
The code in this plugin is not yet functional.
Intended for discussion / development only.
Until such time as it is submitted to the WordPress plugin repository, you
will need to download a .zip folder via GitHub and upload the .zip folder
under your /wp-admin/ plugins menu.
== Frequently Asked Questions ==
= Is this plugin functional? =
No. This code is not yet functional. It is intended for discussion and
development.
= What does this plugin do? =
This plugin is intended as a Feature as a Plugin, which means it will
hopefully be included in WordPress core some day soon.
The DPT plugin creates two sub-menus under the Plugins tab in the /wp-
admin/ area; namely Disclosures and Permissions.
The Disclosures tab provides those with "manage options" capabilities with
privacy related disclosures.
A copy of such disclosures is also available on the plugin's WordPress.org
repository page.
The Permissions tab provides those with "manage options" capabilities with
privacy related options.
Site administrators / owners can turn off permissions for marketing;
statistics; and / or anonymous statistics on a site-wide basis; or they
can do so on a plugin-by-plugin basis; or they can manage individual
permissions (e.g. an external network call to example.com by plugin XYZ)
on a plugin-by-plugin basis.
= Does this plugin guarantee GDPR compliance? =
No.
== Changelog ==
= 0.0.0. =
Version for discussion. Code is not yet functional.
== Privacy Related Considerations ==
= Applicable Regulatory Standards =
The DPT plugin has not been tested against any specific regulatory
standard.
It does not, nor does it claim to, comply with any specific regulatory
standard.
The site administrator / owner is advised to exercise their best judgement
whether this plugin is suitable for use within the regulatory frameworks
in which they operate and to seek out legal advice if necessary.
= Contractual Terms =
Your use of the DPT plugin is subject to the license terms of the GNU
General Public License 2.0 or later.
The DPT plugin does not seek to create any contractual relationship with
you, other than those covered by the above license.
The DPT plugin does not operate as Software as a Service.
= Consent API Compatibility =
The DPT plugin aims to be compatible with the Consent API.
= Disclosure and Permissions Tabs Compatibility =
The DPT plugin aims to be compatible with the Disclosure and Permissions
Tabs.
= Cookies =
The DPT plugin does not set any cookies.
The DPT plugin reserves the right to set cookies in future versions of the
plugin, if this is in the best interests of its development, subject to
providing the appropriate disclosures in that future version of the
plugin's readme.txt file.
= External Network Calls =
The DPT plugin does not send any external network calls.
The DPT plugin reserves the right to make external network calls in future
versions of the plugin, if this is in the best interests of its
development, subject to providing the appropriate disclosures in that
future version of the plugin's readme.txt file.
= Cron Jobs =
The DPT plugin does not create any cron jobs.
The DPT plugin reserves the right to create cron jobs in future versions
of the plugin, if this is in the best interests of its development,
subject to providing the appropriate disclosures in that future version of
the plugin's readme.txt file.
= Mail =
The DPT plugin may attempt to send notifications to administrators, based
on their e-mail notification settings.
Such e-mails are classified as functional and / or may contain security
related information.
The site administrator / owner may choose to opt out from such notices on
behalf of all users by visiting the Permissions Tab under the Plugins menu
in /wp-admin/; however, this is NOT advisable, due to the functional
nature of the notifications.
= Advertising =
The DPT plugin does not currently contain advertisements.
The DPT plugin reserves the right to display advertisements on the
plugin's settings page; the plugin list page, as well as the dashboard in
the /wp-admin/ area.
We endeavour to comply with any Guidelines pertaining to advertisements
set by repositories that we submit to.
Any advertisements set by the DPT plugin should be dismiss-able by a user
with the "manage options" capability visiting the Permissions settings
page under the Plugins tab in the /wp-admin/ area.
= Credits =
The WordPress.org repository's Guidelines require opt-in consent if
credits are to be displayed to users on the site's front end.
The DPT plugin does not currently seek to set credits on the front end.
== Accessibility ==
As the DPT plugin does not have a focus on presentation elements, it does
not seek to target any specific WCAG 2.0 level.
The accessibility of this plugin should be roughly equivalent to that of
the /wp-admin/ area in general.
== Security ==
The DPT plugin does not aim to conform to any specific security framework.
The DPT plugin does seek to conform to WordPress.org repository best
practices, including as they relate to security.
If you would like to help keep the WordPress.org ecosystem safe for the
community and you have spotted a possible vulnerability in this plugin,
please use the "Report This Plugin" button provided.
If you suspect that this plugin itself constitutes an exploit, please
choose the option to notify only the Plugin Team. An e-mail will be sent
to them. Members of the Plugins Team are volunteers, so please allow some
time for them to respond.
If you would like to inform the developer of the suspected exploit, please
select the appropriate option. You may choose to include your contact
details to the developer or not.
Please note that your contact details may be used to assist you with the
resolution of your query and may be processed and stored in accordance
with the WordPress.org and the developer's privacy policies (if
applicable).
Please include Proof of Concept if you can, as well as as many other
details as possible.
Please note that the "Report This Plugin" button is not a support channel.
Any e-mails not related to security vulnerabilities will not be responded to.
== Certifications ==
The DPT has not undergone any certifications with regards to compliance.
The plugin is provided in accordance with the GNU General Public License
2.0 (or later) and as such, is offered "as is" and expressly offers no
warranties or guarantees of any kind, including, but not limited to,
fitness for any purpose.]
I'll jump through whatever documentation hoops I need to (which I guess
includes figuring out how to use the official repo).
Just relying on the ticketing system contributed to a lot of friction for
other projects, so I'll copy over and see if that helps.
> There's nothing bad about a readme, it just has flaws. To be clear, so
> will any automated testing/scanning we invent. We're going to need both.
I agree 100%.
The issues people have mentioned in Slack are that the readme.txt is not
translation-ready.
It would also be good to have the Disclosures on a tab in the user's
installation, in addition to having it in the WordPress.org repository
plugin page.
Just to make it very clear to everyone, I don't expect that one single
measure will address all the issues that come up. I follow a risk-based
approach, not a compliance-based approach.
I also don't expect that all of this will be part of a version 1.
Trying to articulate a vision for a v3 or even a v4.
I actually think that deciding on yes / no headers is a great place to
start for v1.
Deciding what needs to be disclosed is key.
I would simply like to see a solution that would enable some level of
"checking" / audit of what plugin authors disclose.
I realize parts of that may be considered as advanced tools and may not be
considered suitable for inclusion in core.
And I am okay with that :)
Changes aren't an insult :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48486#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
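The audit idea raised in the comment above (start from yes/no disclosure headers in readme.txt, then have some way of "checking" what plugin authors disclose against what the plugin actually does) can be prototyped as a small script. What follows is an added example for this list, not code from the ticket, from the DPT draft, or from WordPress.org. The header names ("Sets Cookies", "External Network Calls", "Cron Jobs", "Sends Mail"), the PHP function names used as code indicators, and the sample readme and source files are all assumptions constructed for illustration; no such header set is a WordPress.org standard.

```python
import re

# Hypothetical yes/no disclosure headers for a plugin readme.txt, modelled on the
# categories in the DPT draft (Cookies, External Network Calls, Cron Jobs, Mail).
# Header names and code indicators are constructed for this example only.
INDICATORS = {
    "Sets Cookies": re.compile(r"\bsetcookie\s*\("),
    "External Network Calls": re.compile(
        r"\b(?:wp_remote_(?:get|post|head|request)|wp_safe_remote_get|curl_init)\s*\("
    ),
    "Cron Jobs": re.compile(r"\bwp_schedule_(?:single_)?event\s*\("),
    "Sends Mail": re.compile(r"\bwp_mail\s*\("),
}

# Matches lines such as "External Network Calls: no" anywhere in the readme.
HEADER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?)\s*:\s*(yes|no)\s*$", re.I | re.M)


def parse_disclosures(readme_text):
    """Return {header: bool} for every recognised 'Header: yes|no' line.

    Headers the readme omits are left out so the auditor can flag them separately.
    """
    declared = {}
    for name, value in HEADER_RE.findall(readme_text):
        name = " ".join(name.split())  # normalise internal spacing
        if name in INDICATORS:
            declared[name] = value.lower() == "yes"
    return declared


def strip_php_comments(src):
    """Drop PHP block comments and whole-line or whitespace-led // and # comments.

    Heuristic only: it does not parse strings, so it can misfire on unusual code.
    """
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(?:^|(?<=\s))(?://|#).*$", "", src)


def observe_capabilities(sources):
    """Return {header: [file, ...]} for each category whose indicator appears in code.

    `sources` maps a file name to its PHP contents. This is a lexical scan: it
    sees direct calls only, not calls made through variable function names.
    """
    observed = {}
    for fname, src in sources.items():
        clean = strip_php_comments(src)
        for header, pattern in INDICATORS.items():
            if pattern.search(clean):
                observed.setdefault(header, []).append(fname)
    return observed


def audit(readme_text, sources):
    """Compare what the readme declares with what the code shows.

    Returns a sorted list of (kind, header, detail):
      'undisclosed' - code uses a capability the readme answers 'no' to
      'undeclared'  - readme has no header for a capability the code uses
      'unconfirmed' - readme says 'yes' but the scan found no indicator (FYI)
    """
    declared = parse_disclosures(readme_text)
    observed = observe_capabilities(sources)
    findings = []
    for header in INDICATORS:
        in_code = header in observed
        if header not in declared:
            if in_code:
                findings.append(("undeclared", header, ", ".join(observed[header])))
        elif declared[header] and not in_code:
            findings.append(("unconfirmed", header, "no indicator found"))
        elif not declared[header] and in_code:
            findings.append(("undisclosed", header, ", ".join(observed[header])))
    return sorted(findings)


# Constructed sample inputs; not taken from any real plugin.
SAMPLE_README = """\
=== Example Plugin ===
Contributors: example
Sets Cookies: no
External Network Calls: no
Cron Jobs: yes
"""

SAMPLE_SOURCES = {
    "example-plugin.php": """<?php
// schedule a daily digest (constructed sample code)
add_action('init', function () {
    if (!wp_next_scheduled('ep_digest')) {
        wp_schedule_event(time(), 'daily', 'ep_digest');
    }
});
// setcookie('ep_seen', '1'); // commented out, must not count
function ep_notify() {
    wp_mail(get_option('admin_email'), 'Digest', 'hello');
}
""",
    "includes/updater.php": """<?php
$resp = wp_remote_get('https://updates.example.com/check');
""",
}

if __name__ == "__main__":
    for kind, header, detail in audit(SAMPLE_README, SAMPLE_SOURCES):
        print(f"{kind:12s} {header}: {detail}")
```

Run against the constructed sample, the script reports the undisclosed network call in includes/updater.php and the undeclared mail sending in example-plugin.php, while the commented-out setcookie() is correctly ignored. A real checker would replace the regular expressions with a PHP tokenizer or AST walk so that dynamic calls and string-built function names are not missed, but the declared-versus-observed comparison is the part that matters for the "checking / audit" goal.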