[wp-hackers] wordpress security

[mccormicky]

> *>Most people have enough
> >clues to check which version they are using* (if they don't already know)
> so
> >a simple notification that a new release is available and whether that
> >release is a security release or not should suffice.
>


yep!




On Mon, Oct 19, 2009 at 6:34 PM, Lynne Pope <lynne.pope at gmail.com> wrote:

> 2009/10/20 mccormicky <mccormicky at gmail.com>
>
> >
> > I also think that not doing something because 25 people will complain
> about
> > it but 200,000 will be helped is not reasonable.
> >
>
> One of the problems faced by all FOSS projects is that developers are
> rarely
> able to identify what constitutes an "average user". Another problem is the
> assumption that if users don't like a feature, they will complain and we
> will all know.
>
> WordPress is downloaded millions of times. If even half of those downloads
> result in a live site, then the discrepancy in numbers between installs and
> people visiting the forums or mailing lists is huge. Many people who have
> complaints over things they don't like don't bother saying anything, they
> just change to another open source app. Kudos or complaints are not a good
> way to judge if a feature is wanted/liked/not causing issues.
>
> When considering the subsets of users, two important groups were
> overlooked:
>
> 1) Users who do an auto install via a server script such as Fantastico.
> These people tend to rely on their auto-installer to help keep them
> up-to-date. Some of these scripts send out an email notification, some
> don't. Since the auto-installers usually have to be licensed by the hosting
> provider these are not always up-to-date and I know of at least one host
> that is still providing WordPress 2.5.1 as a one-click install.
> Apps are often modified by the auto-installers. The user thinks they are
> getting WordPress but what they are really getting is a modified
> distribution of WordPress with no guarantee that update nags are even
> present.
>
> 2) Hosts/ISP's.
> Hosts can be a projects best friend or worst enemy. They don't get to see
> update notices and an email notification from inside a WordPress install is
> not going to help them. If they perceive WordPress to be insecure they
> either ban it from their servers or warn their customers not to use it. Or
> refuse to help if a site is hacked.
> On the other hand, a host that keeps informed about new releases will
> usually send out notices or announce the update on their forums. These may
> be the only forums a user visits.
>
> In my earlier email I suggested adding an opt-in link to the WordPress
> announcements list. When I was thinking more about this I realised that
> having any information on the readme or install screens doesn't help the
> users in 1). Many of the auto-install scripts remove the install screens.
>
> I have read everyone's arguments for an opt-in email in the core, but am
> still firmly convinced that its not the way to go. Most people have enough
> clues to check which version they are using (if they don't already know) so
> a simple notification that a new release is available and whether that
> release is a security release or not should suffice.
>
> The WP-Announce list exists. Everyone can use it, including hosts, to get
> email announcements (assuming the list will ever be used). So, what I
> propose is this:
> Get a commitment from the core team that they will issue announcements on
> that list. And that they will state which upgrades are necessary for
> security.
> Change the sample data - instead of, "this is a post", provide some
> meaningful information. With a link to subscribe to WP-Announce.
> Make an entry announcing that WP-Announce is being used, so this will show
> in the dashboard feeds. Bloggers will quickly pick up on this and news of
> it
> will spread.
>
> Lynne
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>