[wp-hackers] Development Process

Robert Deaton false.hopes at gmail.com
Thu Jul 27 08:41:20 GMT 2006


And it just so happens, conversations on IRC illustrated just the
thing that this thread was started as a concern to address. [Yes, this
has been trimmed, to cut out noise, nothing incredibly important was
cut out]

(04:05:41) • zedrdave reads the number of people trackbacking to
announce they are closing guest registration and doesn't have a single
regret.
(04:05:42) (Libertus) zedrdave: Is the Wp problem you have publicised
anything to do with plugins?
(04:05:49) (zedrdave) Libertus: a bit.
(04:06:03) (Libertus) zedrdave: Any particular plugin?
(04:06:17) (zedrdave) Libertus: nope. well, don't really feel like
discussing it. sorry.
(04:06:46) (Libertus) zedrdave: Fine.
(04:06:50) (zedrdave) Libertus: 'has nothing to do with you or anybody
here, but quite obviously you realize if I start blathering about it,
*then* I would be seriously affecting WP users.
(04:07:05) (Libertus) zedrdave: WP users are already seriously
affected, and you're not a WP dev
(04:07:19) (zedrdave) Libertus: Just a concerned user, just a concerned user :)
(04:07:24) (Libertus) 6 weeks so far without a fix
(04:07:54) (zedrdave) Libertus: and believe me, they'd be much more
affected if the exploit was simply spelt out directly.
(04:08:14) (Libertus) zedrdave: Which I'm going to do today, I think,
on my blog.
(04:08:31) (Libertus) I have the exploit file sitting on my desktop

So, now we've got people of our own community who want to give out
details on the exploit. Why? Let's see...

(04:09:34) (masquerade) oh for the love of... as if generating
unnecessary FUD prior to a bugfix/security release was bad enough, now
we've got people who want to publish how to exploit it
(04:10:18) (Libertus) masquerade: I've been wanting to publish ever
since I found the bug. It's the best way to get lazy devs to fix their
software.

We're back to the same old thing, the devs didn't react fast enough?
Is this a reason to hand out the keys to hundreds of thousands of WP
blogs? Not quite, imho, but you know, maybe I'm just nuts.

(04:10:56) (masquerade) Libertus, the best way to get them to fix a
bug might be, the best way to get them to fix a security vulnerability
is not to hand the keys to hundreds of thousands of WordPress installs
over to malicious users
(04:12:28) (masquerade) the ideal thing to do is change the way the
development process works, i.e. bring up threads on the hackers list,
eventually we'll get change
(04:12:43) (Libertus) I'll wait to see if the WP devs put out an
interim warning, asking blog users to disable registration until they
upgrade to 2.0.4
(04:13:27) (masquerade) 2.0.4 hit beta last night, help them ensure
anything necessary is fixed and let the release go out without putting
clueless users at risk
(04:14:39) (Libertus) masquerade: Clueless users are one think. Users
deliberately kept clueless is another.
(04:15:48) (Libertus) I'll be looking at 2.0.4 beta. I was part of the
bughunt after all.


Still, as long as there's a delay without feedback, people won't be
able to think sensibly about holding on to what they have. With the
proper feedback, we should be able to prevent these posts from
surfacing from most people, at least before the fix is released, but
more importantly, we need to ensure that someone who finds or is
reminded of the details of an exploit through one of these FUD popup
posts don't find the inclination to practice Full Disclosure to get
WordPress fixed.

-- 
--Robert Deaton


More information about the wp-hackers mailing list