[wp-hackers] Plugin update & security / privacy

Mark Jaquith mark.wordpress at txfx.net
Mon Sep 24 04:01:42 GMT 2007

On Sep 23, 2007, at 6:09 PM, Matt Mullenweg wrote:

> Mark Jaquith wrote:
>> Back up a minute.  Why is the blog URL needed?
> 1. It does no harm.

That's not really an argument /for/ it.

> 2. It's simple, easy, and self-evident.

It's a behind the scenes feature, so simplicity and ease don't really  
apply.  Self-evident?  Evident to whom?  Evident for what purpose?

> 3. It could be useful in the future.

Having a unique token is certainly nice, because it allows you to  
identify unique WP installs and track percentages of people running  
outdated versions of core or plugins.  That sort of data can help  
guide the project.  For instance, if we want to change something that  
will break a few plugins, we can see how many people are using those  
plugins, and get an idea of the impact.  That can be done with an  
anonymous token.

> I think this feature is actually going to dramatically improve the  
> security of WordPress overall. We all saw the survey that 95% of WP  
> blogs were vulnerable. That didn't even look at plugins. I think the  
> survey was flawed, but you still can't deny that for most people  
> knowing there is an update and actually updating just doesn't  
> happen, and this is a necessary first step. If the only "trade-off"  
> is sending an ALREADY PUBLIC blog URL to wordpress.org, then great!

But it's not a necessary trade-off.  The update functionality works  
just as well with an anonymous token.

I'm not about to douse myself with gasoline here, but it does seem  
like we could address the privacy concerns (edge/paranoid though they  
may seem) without affecting the functionality in a negative way and  
without affecting WP.org's future ability to track WP/plugin version  
statistics.  If you have some killer feature that could be enabled on  
WP.org without a WP update and that would require the use of blog  
URLs (but doesn't expose private data like which plugins they have  
installed), then please share.  Maybe that will be enough to set  
people at ease about the data they're providing.

Mark Jaquith

Covered Web Services

WordPress Ninja @ b5media Inc
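The design Mark argues for above, as an added illustration (not code from WordPress or from this thread): the client generates a random per-install token with no relation to the blog URL, the update check carries that token plus core and plugin versions, and the server dedupes reports by token to compute the "percentage running outdated versions" figures. The slugs, versions and reports below are constructed sample data; `build_update_check`, `aggregate` and `demo` are hypothetical names.

```python
"""Anonymous install token for update checks (illustrative, not WordPress code)."""
import secrets
from collections import defaultdict
from typing import Dict, List, Tuple


def generate_install_token() -> str:
    # 128 bits of randomness, generated once and stored by the install.
    # It is not derived from the URL or hostname, so the server can count
    # distinct installs but cannot map a token back to a site.
    return secrets.token_hex(16)


def build_update_check(token: str, core_version: str,
                       plugins: Dict[str, str]) -> dict:
    # The payload the client sends. Deliberately contains no blog URL;
    # the token alone is enough to identify a unique install.
    return {"token": token, "core": core_version, "plugins": dict(plugins)}


def version_tuple(v: str) -> Tuple[int, ...]:
    # "2.2.3" -> (2, 2, 3) so versions compare numerically, not as strings.
    return tuple(int(p) for p in v.split("."))


def aggregate(reports: List[dict], latest_core: str,
              latest_plugins: Dict[str, str]) -> dict:
    # Server side. Each token counts once (the most recent report wins),
    # which is what makes the percentages meaningful across repeat checks.
    by_token: Dict[str, dict] = {}
    for r in reports:
        by_token[r["token"]] = r
    installs = list(by_token.values())
    n = len(installs)

    core_outdated = sum(
        1 for r in installs
        if version_tuple(r["core"]) < version_tuple(latest_core))

    # Per plugin: how many installs have it, and how many of those are
    # behind the latest release. This is the "impact of breaking plugin X"
    # number mentioned in the message, with no site identities involved.
    plugin_stats = defaultdict(lambda: {"installs": 0, "outdated": 0})
    for r in installs:
        for slug, ver in r["plugins"].items():
            plugin_stats[slug]["installs"] += 1
            latest = latest_plugins.get(slug)
            if latest and version_tuple(ver) < version_tuple(latest):
                plugin_stats[slug]["outdated"] += 1

    pct = round(100.0 * core_outdated / n, 1) if n else 0.0
    return {"installs": n, "core_outdated_pct": pct,
            "plugins": dict(plugin_stats)}


# Constructed sample: three installs; install "a" checks in twice, first on
# an old core and then after upgrading, and must be counted only once.
SAMPLE_REPORTS = [
    build_update_check("a" * 32, "2.2.3", {"plugin-a": "1.0"}),
    build_update_check("b" * 32, "2.2.3", {"plugin-a": "1.0", "plugin-b": "1.5"}),
    build_update_check("c" * 32, "2.3", {}),
    build_update_check("a" * 32, "2.3", {"plugin-a": "1.0"}),
]
LATEST_CORE = "2.3"
LATEST_PLUGINS = {"plugin-a": "1.1", "plugin-b": "1.5"}


def demo() -> dict:
    return aggregate(SAMPLE_REPORTS, LATEST_CORE, LATEST_PLUGINS)


if __name__ == "__main__":
    print(demo())
```

Note that a stable random token is still a persistent identifier for that install across checks; it just carries no site identity, which is the distinction the message draws. Rotating it would cost the server the ability to tell "one install upgraded" from "one install left, another arrived".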
