[wp-hackers] Code reviews for plugins?

Lynne Pope lynne.pope at gmail.com
Sun Aug 22 13:32:07 UTC 2010

On 20 August 2010 09:12, Heiko Rabe <heiko.rabe at code-styling.de> wrote:

> It would be a good idea to check plugins, no doubt. But if you introduce
> such a rating or flagging system which additionally can be filtered on, you
> would imply that all not yet reviewed plugins are crap. You would give
> advantage to the already reviewed plugins and it is stuck until the review
> has taken place and reached a particular plugin.
> During this time delay a well done plugin will be presented to the audience as
> a "bad" one, which is wrong but felt so by the audience for psychological
> reasons.
> Keep in mind that this also affects the download and utilization rates of
> plugins!

If there was enough publicity about the review cycle I think people would be
smart enough to realise reviews take time. It wouldn't be hard to write a
monthly post to show how much progress has been made - like a review
progress meter. If possible, it would be good to have a new field in the
plugin repo to show a status to users, something like: "not yet reviewed",
"developer notified of some issues", and "version xyz passed review", with
the date shown for the last two.

> Second concern: I would approximate the number of code lines over all
> plugins at least 10851 plugins multiplied by an average of 2000 lines =
> approx. 20 million lines of code at least! I think it's a huge bunch of work to
> read through the code, understand it, look for security holes, XSS attack
> vectors etc.

I don't think it's necessary to review all plugins. WordPress phones home
with information about which plugins are installed on which versions of
WordPress. The repo probably contains a lot of plugins that are no longer in
use so why not use the information that is collected from the backend to
shortlist only those plugins that are currently being used?
Then work through from the most popular plugins in use on WP 3.01 & 3.0 to
least popular on those versions, followed by the 2.9 versions.

I'd also suggest publicizing this as much as possible and asking users to
get involved. Very few people are using the works/doesn't work reporting
function in Extend but if users could contribute by testing and reporting
back to the reviewers it could help speed the review process along. If users
report that a plugin doesn't work then there's no need for a code review -
just inform the developer.

Maybe also see if the repo can be changed slightly so that any plugins that
don't work and which have been abandoned could be moved to a, "No longer
maintained" directory. This will help users avoid trying to install a plugin
that won't work while also providing a repository of plugins other
developers can consider resurrecting. Just a thought...

> So the time this will take is extraordinary and I'm afraid that some
> things are not possible to understand inside some plugins without deeper
> knowledge of what they are made for.

I agree Heiko, but I think this idea is something that would gain momentum
and could become a real asset to the WordPress community. It's a +1 from me.
