[wp-hackers] Plugin update & security / privacy
Mark Jaquith
mark.wordpress at txfx.net
Mon Sep 24 04:01:42 GMT 2007
On Sep 23, 2007, at 6:09 PM, Matt Mullenweg wrote:
> Mark Jaquith wrote:
>> Back up a minute. Why is the blog URL needed?
>
> 1. It does no harm.
That's not really an argument /for/ it.
> 2. It's simple, easy, and self-evident.
It's a behind the scenes feature, so simplicity and ease don't really
apply. Self-evident? Evident to whom? Evident for what purpose?
> 3. It could be useful in the future.
Having a unique token is certainly nice, because it allows you to
identify unique WP installs and track percentages of people running
outdated versions of core or plugins. That sort of data can help
guide the project. For instance, if we want to change something that
will break a few plugins, we can see how many people are using those
plugins, and get an idea of the impact. That can be done with an
anonymous token.
> I think this feature is actually going to dramatically improve the
> security of WordPress overall. We all saw the survey that 95% of WP
> blogs were vulnerable. That didn't even look at plugins. I think the
> survey was flawed, but you still can't deny that for most people
> knowing there is an update and actually updating just doesn't
> happen, and this is a necessary first step. If the only "trade-off"
> is sending an ALREADY PUBLIC blog URL to wordpress.org, then great!
But it's not a necessary trade-off. The update functionality works
just as well with an anonymous token.
I'm not about to douse myself with gasoline here, but it does seem
like we could address the privacy concerns (edge/paranoid though they
may seem) without affecting the functionality in a negative way and
without affecting WP.org's future ability to track WP/plugin version
statistics. If you have some killer feature that could be enabled on
WP.org without a WP update and that would require the use of blog
URLs (but doesn't expose private data like which plugins they have
installed), then please share. Maybe that will be enough to set
people at ease about the data they're providing.
--
Mark Jaquith
http://markjaquith.com/
Covered Web Services
http://coveredwebservices.com/
WordPress Ninja @ b5media Inc
http://b5media.com/
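The design point argued in the message above (an update check keyed on a random per-install token works for both the client's "is there an update?" question and the project's version statistics, without ever sending the blog URL) as an added, self-contained sketch. This is example code written for this page, not WordPress code or anything from the wp-hackers thread; it is in Python rather than PHP so it runs stand-alone, and the catalogue of latest versions, the plugin slugs and the sample payloads are all constructed here.

```python
import json
import secrets
from collections import defaultdict

# Constructed stand-in for the server's catalogue of current versions.
LATEST = {"core": "2.3", "plugins": {"akismet": "2.0.2", "hello-dolly": "1.5"}}


def new_install_token() -> str:
    """Generate the install's anonymous identifier once and persist it.

    128 random bits, derived from nothing about the site, so the server can
    count unique installs but cannot map a token back to a blog URL.
    """
    return secrets.token_hex(16)


def build_update_check(token: str, core_version: str, plugins: dict) -> dict:
    """Client side: the payload sent to the update server.

    Only the token and version numbers go over the wire; no URL, no admin
    e-mail, nothing that ties the plugin list to a particular site.
    """
    return {"token": token, "core": core_version, "plugins": dict(plugins)}


def _vkey(version: str) -> tuple:
    """Turn '2.0.10' into (2, 0, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_updates(payload: dict, latest: dict = LATEST) -> dict:
    """Server side: answer the client's question.

    Returns {component: newest_version} for every component in the payload
    that is behind the catalogue; an empty dict means nothing to do.
    """
    outdated = {}
    if _vkey(payload["core"]) < _vkey(latest["core"]):
        outdated["core"] = latest["core"]
    for slug, version in payload["plugins"].items():
        newest = latest["plugins"].get(slug)
        if newest is not None and _vkey(version) < _vkey(newest):
            outdated[slug] = newest
    return outdated


def aggregate(payloads: list, latest: dict = LATEST) -> dict:
    """Server side: the statistics the project wants, from tokens alone.

    An install checks in repeatedly, so only its most recent payload is
    counted (keyed on the token). The result is per-plugin install and
    outdated counts; no row ever identifies a site.
    """
    most_recent = {}
    for payload in payloads:
        most_recent[payload["token"]] = payload

    stats = defaultdict(lambda: {"installs": 0, "outdated": 0})
    for payload in most_recent.values():
        behind = find_updates(payload, latest)
        for slug in payload["plugins"]:
            stats[slug]["installs"] += 1
            if slug in behind:
                stats[slug]["outdated"] += 1
    return dict(stats)


if __name__ == "__main__":
    token = new_install_token()
    check = build_update_check(token, "2.2.3", {"akismet": "2.0.1"})
    print(json.dumps(check))            # what actually leaves the install
    print(find_updates(check))          # what the server tells it
```

The two server-side functions are deliberately separate: `find_updates` is everything the client needs, and `aggregate` is everything the project needs for impact estimates of the kind described above; neither consumes a URL, which is the point of the argument.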