[wp-hackers] Plugin update & security / privacy

Doug Stewart zamoose at gmail.com
Mon Sep 24 13:31:18 GMT 2007

On 9/24/07, Peter Westwood <peter.westwood at ftwr.co.uk> wrote:
> I think I agree with matt here.  The main point is this is a bikeshed issue.
> From personal experience running the webservice for my version-check
> plugin [1] I have had no complaints of issues with the fact that it sends
> the blog url with every request.
> For me the main points are:
>  1. Sending the url doesn't expose any private information.
>  2. We have been sending our urls out as pings for years without any issue.
>  3. Sending the url may allow Wordpress.org to do analysis of the user
> base in the future - we should probably state this if and when it
> happens.
> In my view the best thing that could be done now is to document the API on
> the front page of api.wordpress.org and point there from the release
> notes.
> [1] http://blog.ftwr.co.uk/wordpress/wp-version-check/

I don't think discussion of an optional plugin is exactly apposite to
the discussion of a mandatory feature in the core product.

As the stories surrounding Yahoo!, Google, Microsoft, et al. and their
[mis]use of customers' information shows, average information
consumers are becoming increasingly worried about and sensitive to
issues pertaining to their privacy, regardless of the actual impact or
severity of the information exposed.

This isn't a bikeshed issue, in my opinion, due to the fact that when
it comes to the marketplace of ideas, perception IS reality.  If
TechCrunch, Engadget, Slashdot, Kuro5hin, Linux Today, Ars Technica,
etc. get wind that WordPress is "phoning home" and not notifying users
that it is doing so (with some explanation as to the full
ramifications), well, I think Six Apart's recent issues with Open
Sourcing MT 4 are going to look like a tempest in a teapot.  Your
reputation is something that is extremely difficult to build up,
fairly difficult to maintain and EXTREMELY easy to lose very quickly.

To developers, the potential benefits to having each WP install send
this info back are fairly evident.  To average users, frightened by
CNN Headline News' unending litany of identity theft reports, the
benefits are not so plain.

I'm not advocating that we strip it out at the last moment.  I'm
advocating for full, up-front and transparent disclosure, including,
but not limited to, the Dev Blog announcement, the release notes and
any external communications that get sent out to whomever cares to
receive information on the latest WordPress releases.
