[wp-hackers] Is disabling remote client access a good idea?

Daniel Jalkut jalkut at red-sweater.com
Sat Jun 28 20:49:40 GMT 2008

Hi Lloyd:

On Jun 26, 2008, at 5:21 PM, Lloyd Budd wrote:

> On Tue, Jun 24, 2008 at 8:52 PM, Daniel Jalkut <jalkut at red- 
> sweater.com> wrote:
>> It's been interesting to see how the general vibe on this list has  
>> been more
>> supportive of the limitation, while the comments on my blog are in  
>> both
>> directions but I think with a bit of lean against the limitation.
> A significant factor is the way your article frames the issue and
> excites people. There are numerous problems with your analogies and
> comparisons, but that is off topic here.

Point taken. I wasn't trying to be particularly exciting, but I guess  
I do have strong feelings.  Mostly I just wanted to get the thoughts  
into the atmosphere, and it looks like I've succeeded if at the cost  
of possibly offending some people with my style. I acknowledge that  
the metaphors, especially of the bank/ATMs, have some major flaws.

> I think your concern is a valid one, and I value a good protest. Still
> there is no "WordPress's decision". It's the thousands of WordPress
> participants, particularly the regular contributors in the remote
> access area including yourself. "A real solution" is ultimately
> offered through code.

Good points. However, you have to agree that policy decisions are made  
in deciding which code gets integrated and which doesn't. For  
instance, my offering a "make sure XMLRPC support is enabled" patch  
isn't going to get me anywhere :) A subset of WordPress contributors  
do ultimately make decisions, and I think it makes senes at least  
conversationally to call those decisions "WordPress's".

> Still I'd like to do a little talky to, as I'm also intriged by this
> change. I wonder if it is something that will last many versions, and
> might end up being short sited (pun intended). I'm surprised the
> discussion has been so focused on traditional clients. Publishing from
> other social tools and sites into WP is increasing popular -- upload
> your video to service X and publish to your blog; go out for coffee
> and let the world know.

I think you're right that more talk should be done about the varied  
(and increasing!) uses for the remote APIs.  Many people seem to be  
dismissing the disabling as insignificant because of the relatively  
small number of people who are using dedicated desktop clients. But  
it's a great point and worth considering how many "mash-up" type  
plugins and services will not work unless the interfaces are enabled.

> It seems like an OAuth or like solution is desirable, or soon will be.
> Then again on wp-xmlrc, people didn't seem excited about
> http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/000208.html
> Assuming OAuth does get hawt, what addition benefits and protections
> does disabling provide if you also have OAuth? The extra hoop the 1st
> time would seem to add little benefit if OAuth is always the first
> gate. Of course, it might be a tough pill to swallow because it would
> really break all existing clients.

Good point. The major breakage would probably be undesirable enough  
that it would have to be an opt-in. But I guess we have to start  

Thanks for sharing your thoughts on the matter,


More information about the wp-hackers mailing list