[wp-hackers] Plugin update & security / privacy

Otto otto at ottodestruct.com
Mon Sep 24 17:19:55 GMT 2007


Don't have any idea about legality. But unless the wordpress.org devs
are in Europe, I don't think it makes any difference.

Anyway, one thing that does bug me is the non-optimized state of the
plugin checker. I mean, look at all the crap it sends:

data:object(stdClass)(2) {
 ["plugins"]=>
 array(15) {
   ["akismet/akismet.php"]=>
   array(5) {
     ["Name"]=>
     string(7) "Akismet"
     ["Title"]=>
     string(71) "<a href="http://akismet.com/" title="Visit plugin
homepage">Akismet</a>"
     ["Description"]=>
     string(354) "Akismet checks your comments against the Akismet web
service to see if they look like spam or not. You need a <a
href="http://wordpress.com/api-keys/">WordPress.com API key</a> to use
it. You can review the spam it catches under &#8220;Comments.&#8221;
To show off your Akismet stats just put <code>&lt;?php
akismet_counter(); ?></code> in your template."
     ["Author"]=>
     string(80) "<a href="http://photomatt.net/" title="Visit author
homepage">Matt Mullenweg</a>"
     ["Version"]=>
     string(5) "2.0.2"
   }


Why on earth would the description ever be needed? The Author and
version and such I can understand.

The reason it's doing this is because it's simply sending everything
returned by get_plugins(), which is understandable for a first draft,
but this really should have been cleaned up before release. For my
site, it'll be sending 30k or more of data, needlessly.

Well, until I hack it not to do that, of course. Still, it's fairly
ridiculous to roll with this without fixing up the obvious silly bits.


-Otto
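An added illustration of the two points above (not WordPress core code and not Otto's patch): trim the get_plugins() array down to the fields an update check actually needs, and honour the "Private" setting using the two remove_action() one-liners from the thread. It assumes get_plugins() returns the array shape dumped above and that the privacy admin page stores its choice in the 'blog_public' option ('0' meaning private); both function names are hypothetical.

```php
<?php
// Added example, not core code. Assumes get_plugins() returns the array
// shown in the dump above, keyed by plugin file, with Name/Title/
// Description/Author/Version fields, and that the privacy page stores
// its choice in the 'blog_public' option ('0' = private).

/**
 * Reduce get_plugins() output to plugin file, name and version.
 * Title, Description and Author (all HTML markup) are dropped: they are
 * what inflates the request to 30k on a large site and are not needed to
 * decide whether a newer version exists.
 */
function minimal_plugin_payload($plugins) {
    $out = array();
    foreach ((array) $plugins as $file => $data) {
        $out[$file] = array(
            'Name'    => isset($data['Name']) ? strip_tags($data['Name']) : '',
            'Version' => isset($data['Version']) ? (string) $data['Version'] : '',
        );
    }
    return $out;
}

/**
 * True when the blog is marked "Private" on the privacy admin page.
 * Guarded so the file can be loaded outside WordPress without a fatal.
 */
function blog_is_private() {
    return function_exists('get_option')
        && (string) get_option('blog_public') === '0';
}

/**
 * Respect the preference the user already expressed: a private blog does
 * not phone home for either the version check or the plugin check.
 * Runs at plugin load time, i.e. after core registered its hooks and
 * before 'init' fires, so both removals take effect.
 */
function respect_private_blog() {
    if (!blog_is_private()) {
        return;
    }
    remove_action('init', 'wp_version_check');
    remove_action('load-plugins.php', 'wp_update_plugins');
}

if (function_exists('remove_action')) {
    respect_private_blog();
}
```

Dropping the file into wp-content/plugins and activating it is enough; minimal_plugin_payload() is what the checker would call in place of sending the raw get_plugins() result.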




On 9/24/07, Andy Staines <andy at yellowswordfish.com> wrote:
> Personally I don't care that much but isn't this actually illegal in
> some countries? I'm pretty sure it is here in Europe...
> Andy
>
> On Mon 24 Sep 07, at 05:03 PM, Otto wrote:
>
> > In the interests of clarity, let's state exactly what's going on.
> >
> > First case:
> > Every 43200 seconds (12 hours) or so, depending on when your site is
> > hit, the function will send a single HTTP request to
> > http://api.wordpress.org. It sends the following information:
> >
> > WordPress Version
> > PHP Version
> > Locale setting (if there is one)
> > The Blog's URL
> >
> > That's the main WordPress version check. It doesn't have anything to
> > do with plugins. Disabling it is easy, one line of code will do it:
> > remove_action('init','wp_version_check');
> >
> >
> > Second case:
> > Plugin update check. This occurs when you go to the plugin page and it
> > has not checked for updates in more than 43200 seconds (12 hours). It
> > also sends a single request to http://api.wordpress.org (different
> > script though) consisting of:
> > The Blog's URL
> > WordPress Version
> > Plugin names, URLs, versions, etc. All the plugin info, basically,
> > including inactive plugins.
> >
> > Disabling this is also easy, another one-liner:
> > remove_action( 'load-plugins.php', 'wp_update_plugins' );
> >
> >
> > WordPress and Automattic's privacy policies can be found here:
> > http://automattic.com/privacy/
> >
> >
> > Two things I have to say:
> > 1. If the blog is set to "Private", on the privacy admin page, both of
> > these should be disabled. Why? Because the user will have expressed a
> > preference. Respect it.
> > 2. There should be a link to the above privacy policy in the admin
> > pages, somewhere.
> >
> > Given that WordPress has failed to do both of these, then yes, I agree
> > that this "feature" is subversive and will cause an outcry. Regardless
> > of *what* the information can be used (or not used) for, it's sending
> > out information without informing the user of that fact or disclaiming
> > what that information can and will be used to do. Furthermore, it has
> > no opt-out mechanism, especially when there exists a mechanism already
> > that allows the user to express such a preference.
> >
> > These two simple things are really not optional. They must be added.
> > If you're collecting data, ever, then these are the absolute minimum.
> >
> > So, there's my 2 cents.
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers