[wp-hackers] Plugin update & security / privacy

Viper007Bond viper at viper007bond.com
Mon Sep 24 05:19:15 GMT 2007


I'm not trying to suck up or anything, but I have to agree with Matt on this
one. I still have yet to see a valid security-related issue with transmitting
the install URL when checking for updates. Not to mention all of this is
going on the assumption that Joe Blow has an Office Depot "Easy Button" for
hacking into the WP.org server and even then, as Matt said, nothing is being
stored.

The paranoid factor however is valid, as shown by this long discussion. It
seems just too many people are wearing tin foil hats these days and getting
worked up over what in my opinion is nothing. "The Man" is not out to get
you, people.

Simply put, I think we should do what is best for the majority. For the
minority, plugins will work nicely.

On 9/23/07, Matt Mullenweg <m at mullenweg.com> wrote:
>
> Mark Jaquith wrote:
> >> 2. It's simple, easy, and self-evident.
> >
> > It's a behind the scenes feature, so simplicity and ease don't really
> > apply.  Self-evident?  Evident to whom?  Evident for what purpose?
>
> URLs are useful unique identifiers and in my opinion the best one to use
> on the web. You can normalize them, organize them by domains and
> subdomains, look for odd characters or paths, create stats by TLDs, map
> them to hosting providers, use them as a basis for a crawl, and
> associate them with WordPress.org profiles. MD5s are unique, but don't
> have a lot of value beyond that, and even a capitalization or trailing
> slash change will change the whole MD5. There are also things I think we
> haven't imagined yet that could make URLs useful. Maybe a .org toolbar
> that ties into your .org profile and makes it easy to manage multiple
> blogs and tie them together. If by the time 2.5 comes around we're still
> not doing anything useful with it then we can re-examine it.
>
> I don't think an MD5 would be significantly more anonymous either.
> Anyone with a list of URLs could associate the md5 with a URL just by
> pre-computing the URL MD5s and comparing. So they would be different,
> but not really better. You'd have to add a salt of some kind. We're
> hours from the release arguing about a bikeshed that was checked in over
> a month ago.
>
> --
> Matt Mullenweg
>   http://photomatt.net | http://wordpress.org
> http://automattic.com | http://akismet.com



-- 
Viper007Bond | http://www.viper007bond.com/
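
Added example (not part of the original thread and not WordPress code): the
quoted points about MD5 identifiers, worked through in Python. The URLs, the
key and all function names are constructed for illustration, and HMAC-SHA256
with a per-install secret is an assumed stand-in for "a salt of some kind".

```python
import hashlib
import hmac
from typing import Callable, List, Optional
from urllib.parse import urlsplit

def md5_id(url: str) -> str:
    """Unsalted identifier: MD5 of the URL string exactly as sent."""
    return hashlib.md5(url.encode("utf-8")).hexdigest()

def normalize(url: str) -> str:
    """Lowercase scheme and host, drop a trailing slash (one possible rule set)."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path.rstrip('/')}"

def keyed_id(url: str, key: bytes) -> str:
    """Keyed identifier: HMAC-SHA256 under a secret only the install knows."""
    return hmac.new(key, normalize(url).encode("utf-8"), hashlib.sha256).hexdigest()

def reverse_lookup(observed: str, candidates: List[str],
                   id_fn: Callable[[str], str]) -> Optional[str]:
    """Precompute identifiers for a list of known URLs and compare."""
    table = {id_fn(c): c for c in candidates}
    return table.get(observed)

# Constructed sample data.
CANDIDATES = ["http://example.com/blog", "http://example.org",
              "http://blog.example.net/wp"]
SITE = "http://example.com/blog"
VARIANT = "http://Example.com/blog/"          # same site, different spelling
SITE_KEY = b"constructed-per-install-secret"  # hypothetical, never transmitted

def demo() -> dict:
    return {
        # A plain MD5 maps straight back to the URL for anyone holding a URL list.
        "md5_recovered": reverse_lookup(md5_id(SITE), CANDIDATES, md5_id),
        # Capitalization or a trailing slash yields an unrelated MD5 ...
        "variant_same_md5": md5_id(SITE) == md5_id(VARIANT),
        # ... unless the URL is normalized before hashing.
        "variant_same_normalized": md5_id(normalize(SITE)) == md5_id(normalize(VARIANT)),
        # Without the secret key, the precomputed table no longer matches.
        "keyed_recovered": reverse_lookup(
            keyed_id(SITE, SITE_KEY), CANDIDATES,
            lambda u: keyed_id(u, b"wrong-guess")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed identifier is still stable per install, so it remains a unique ID;
what changes is that the receiver cannot turn it back into a URL by lookup.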

