[wp-hackers] List etiquette

Elliotte Harold elharo at metalab.unc.edu
Fri Apr 21 09:09:31 GMT 2006


Matt Mullenweg wrote:

> Yes, but the main responsibility of developers is not to Elliotte 
> Harold. Your selfish interests do not coincide with the WP community.

My "selfish" interest is in seeing that no one can randomly delete posts 
from my blog. I suspect that interest is shared by the vast majority of 
the WordPress community. I'm shocked that you don't seem to agree with 
that.

And I suppose it's quite selfish to take the time to figure out what's 
going on, summarize it, and tell everyone about it. Obviously I should 
have generously kept all the info to myself.

> I also missed your patch on Trac.
> 

I learned a long time ago that it's pointless to submit patches to open 
source projects unless the developers have expressed a prior commitment 
to accepting them. Sometimes when developers are hellbent on driving 90 
miles per hour down the wrong road, you have to wait until they crash 
before they're willing to consider changing course.

The first two actions to be taken here are obvious and not especially 
difficult. (1. Warn the user base not to follow 3rd party links from the 
wp-admin page. 2. Stop misusing GET.) Instead, the community seems 
focused on complex fixes for other problems that are still vulnerable.

> Publishing line-by-line exploits or details about security 
> vulnerabilities when we do a release would help crackers far more than 
> our general user base, which is overwhelmingly non-technical. We get 
> flak about it, but frankly I care far more about our non-savvy and more 
> vulnerable users than security-blinded idealists.
> 

If you actually did a release this would be fine. You haven't. The bug 
exists. It's out there, and there's no fix available, nor does one seem 
to be likely in the future. Sending private e-mail to 
security at project.org is fine for projects that recognize, respond to, 
and expeditiously fix security holes. However if projects are not 
prepared to treat security seriously, then the information needs to be 
made public so users can take actions to protect themselves when vendors 
can't or won't. This applies whether the project is open or closed 
source. The only difference is it's usually a little easier for third 
parties to patch open source security bugs.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
XML in a Nutshell 3rd Edition Just Published!
http://www.cafeconleche.org/books/xian3/
http://www.amazon.com/exec/obidos/ISBN=0596007647/cafeaulaitA/ref=nosim
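The second of the two mitigations above, "stop misusing GET", shown in code as an added illustration (not from the original post and not WordPress's own code): a state-changing delete handler reachable by a plain GET link, beside a hardened version that refuses GET and requires a per-session token that only a form rendered by the site itself would carry. The in-memory `posts` dict, the `session_secret`, and the HMAC token format are assumptions made for the example.

```python
import hmac

# Weak pattern: deleting a post via GET. An admin who follows a link to
# /delete?post=1 while logged in triggers it, because the browser attaches
# the admin's cookies to the request automatically.
def unsafe_delete(method, params, posts):
    try:
        post_id = int(params.get("post", ""))
    except ValueError:
        return "400 bad post id"
    if post_id not in posts:
        return "404 no such post"
    del posts[post_id]
    return "deleted"

# Per-session anti-CSRF token (assumed format: HMAC of the session id under
# a server-side secret). Any unguessable, per-session value would do.
def make_token(session_secret: bytes, session_id: str) -> str:
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()

# Hardened pattern: (1) state changes only over POST, so a followed link
# cannot trigger them; (2) the POST must carry the session's token, which a
# third-party page cannot read, so a forged cross-site form fails too.
def safe_delete(method, params, session_id, session_secret, posts):
    if method != "POST":
        return "405 state change requires POST"
    expected = make_token(session_secret, session_id)
    supplied = params.get("token", "")
    if not hmac.compare_digest(supplied, expected):
        return "403 missing or invalid token"
    return unsafe_delete("POST", params, posts)

if __name__ == "__main__":
    blog = {1: "Hello world", 2: "Second post"}  # constructed sample data
    print(unsafe_delete("GET", {"post": "1"}, blog), blog)
    blog = {1: "Hello world", 2: "Second post"}
    print(safe_delete("GET", {"post": "1"}, "s1", b"k", blog), blog)
    tok = make_token(b"k", "s1")
    print(safe_delete("POST", {"post": "1", "token": tok}, "s1", b"k", blog), blog)
```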