[wp-hackers] Plugin update & security / privacy

Kimmo Suominen kimmo at global-wire.fi
Sun Sep 23 22:16:00 GMT 2007


On Sun, Sep 23, 2007 at 05:54:25PM -0400, Mark Jaquith wrote:
> On Sep 23, 2007, at 3:35 PM, Matt Mullenweg wrote:
> 
> >I think this feature is actually going to dramatically improve the  
> >security of WordPress overall. We all saw the survey that 95% of WP  
> >blogs were vulnerable. That didn't even look a plugins. I think the  
> >survey was flawed, but you still can't deny that for most people  
> >knowing there is an update and actually updating just doesn't  
> >happen, and this is a necessary first step. If the only "trade-off"  
> >is sending an ALREADY PUBLIC blog URL to wordpress.org, then great!
> 
> Back up a minute.  Why is the blog URL needed?  The update  
> notification functionality works fine without it.  You don't need it  
> for statistics purposes -- wp_hash('update-notification') 's output  
> would be just as unique.  How do users benefit by sending their blog  
> URL?  I think the onus is on us to show why it is necessary or  
> beneficial.  If we can't, it shouldn't be there.

Thanks, Mark -- I think that is the correct question.

And the same question should be asked about the other data that is
sent.  Why are the plugin versions sent to the server?  It should be
enough to send the plugin filename and/or name, so the server can
return a list of current versions.  The client (WP) can then figure
out which plugins need updating.

Best regards,
+ Kimmo
-- 
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>



More information about the wp-hackers mailing list