[wp-hackers] Automatic Upgrades with InstantUpgrade plugin
zamoose at gmail.com
Wed Apr 4 17:29:34 GMT 2007
On 4/4/07, Alex Günsche <ag.ml2007 at zirona.com> wrote:
> On Wed, 2007-04-04 at 10:29 -0400, Doug Stewart wrote:
> > I'm a bit fuzzy on what exactly you'll be using the FTP for. What
> > portion of the upgrade process are you proposing be accomplished via
> > FTP? Downloading the .zip/tar.gz of WordPress from wp.org?
> No, the deleting and inserting of the WordPress files on the user's
> webspace. If I let the webserver do this, it will need permissions like
> 777 (for directories) or 666 (for files), because on most hosts, FTP
> user and webserver user have different system accounts. Now if I would
> log into the webspace with FTP credentials, I would act as FTP user, and
> could therefore overcome permission issues.

You'll be FTPing _from_ the webhost _to_ the webhost? Hmmm.

> > What advantages do you perceive in this method over your current
> > methodology
> Users don't have to make tons of files writable, and the WP root doesn't
> have to be left writable. Also, once a user wants to remove the plugin,
> he/she must perform a pain-in-the-you-know-where procedure to regain
> ownership of the files. This would all become obsolete when using FTP;
> the user would enter the credentials once, and would not be bothered by
> chmod issues.

I agree that messing with the perms on a WP install is a Bad Idea(tm).
Your methodology assumes that everyone has FTP access, though, which
isn't a universal truth. Some may be CPanel-limited, others

The fundamental problem with in-line updates is that, in order for
them to work, the webserver must have perms to alter the files in
question which is a terribly vexing security issue in any situation.

One tack that hasn't been pursued is a PHP frontend to a shell
scripted backend. Have you thought of that, perhaps? You'd obviously
need different scripts for Windows vs. *NIX hosts, but it wouldn't
really be any more insecure than using FTP as a method for doing this.

I guess what I'm trying to say is that web-based updates aren't a
great idea for the core app. Migrating to a new version of WP is a
weighty decision and, as such, ought to have some serious thought put
into it by the ones doing the updating. Simply clicking a few buttons
is a great way to get into a heap o' trouble, particularly if you're a
leading podcaster with an allergy to README.txts. *grin* (And
Charles, if you're reading this, we love you, buddy!)

> > (one which received a bit of a knock in the WP Podcast
> > #21, btw. http://tinyurl.com/3cgvd9 *grin*)
> Yes... that episode. ;) I am a bit disappointed how somebody can make
> (and admit!) a stupid mistake, then attribute it to the plugin, and then
> talk five minutes about how screwed that plugin is. But, ok... it's his
> opinion, and I guess he didn't mean to be so harsh (as the comments also
Charles did indeed seem to be apologetic in the comments. Didn't
credit me for getting him set back on the right path in #wordpress
either! Such are the perils of the Intarweb[s]. *chuckle*
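
The permission trade-off discussed in this thread (files owned by the FTP account, with the webserver running as a different account that can only write where 666/777-style modes allow it) can be checked on an install with a small audit. This is an added example, not code from the thread or from the InstantUpgrade plugin; the sample tree, its file names and the uid/gid values passed in are constructed assumptions.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic Unix owner/group/other write check for one stat result."""
    if uid == 0:
        return True                       # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, web_uid, web_gids):
    """Return sorted (relative path, octal mode) pairs for every file or
    directory under root that the given account could modify."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)           # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st, web_uid, web_gids):
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((os.path.relpath(path, root), mode))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout: two tight entries, two loosened ones."""
    layout = [("wp-config.php", False, 0o644),
              ("wp-includes", True, 0o755),
              (os.path.join("wp-includes", "version.php"), False, 0o666),
              ("wp-content", True, 0o777)]
    for rel, is_dir, mode in layout:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)              # chmod ignores the umask

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    owner = os.lstat(root)
    # Assumption: the webserver account is any uid/gid other than the owner's.
    for rel, mode in audit(root, owner.st_uid + 1, {owner.st_gid + 1}):
        print(f"webserver-writable: {rel} ({mode})")
```

On a real host, pass the webserver account's actual uid and group ids; an empty result means a web-based upgrader running as that account cannot alter the tree.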