[wp-hackers] Richer metadata for plugin versions
David Anderson
david at wordshell.net
Wed Jul 11 17:45:17 UTC 2012
> You should update any and all plugins immediately when there is an
> update available, period.
Really?
- Your website is being advertised on national radio today, in 20
minutes' time. There's a new version of a plugin available, which
advertises a new feature that you don't use. Update immediately ... ?
- Plugin X has a security hole that allows immediate and complete site
take-over. Obviously, you should update immediately. But plugin Y just
has a minor tweak to a feature you hardly use. You might want to take an
hour or day to test it out. There's a difference in that situation. The
metadata I'm proposing would help you know which is which.
- If "you should update any and all plugins immediately", then WordPress
should just do it. Why is WordPress making users do something manually
that should "always" be done automatically?
So, obviously "you should always update immediately" is not true. In the
WordPress admin, it's a choice offered to users, and rightly so. Users
can choose their own policies based on their own immediate needs and
risk assessments. Adding a "last-insecure-version" tag helps users to
make that choice more intelligently, based upon more information. It's a
good thing.
> If the plugin author has a habit of introducing new versions with
> bugs, then you should stop using that plugin and find a different one
> instead.
Given a choice between letting the volunteer early-adopters try out new
versions for a few days, and breaking your website, losing business, and
then researching a new plugin, I don't see how the former can be the
one-and-only true choice.
Sure, if he has a "habit", then switch plugins. But you cannot
accumulate data on their habits without taking time. And under the
"always update immediately" scheme, you'll break your website several
times whilst finding out what their habits are. Again, I think lots of
WordPress users would prefer an alternative. I certainly would.
> I do not see it as a good idea to introduce anything which even
> remotely suggests that it is okay to not update. It is not okay.
> Update. Immediately. Always.
So, why does WordPress not do that for you, if it's the only right policy?
Seems to me there's a fork in the road. If "update immediately always"
is right, then WordPress should handle it automatically; someone should
code up a patch to do it, and remove the maintenance task from users
(why offer them the option of doing the wrong thing?). If, on the other
hand, it's right to let the user make a decision about it, then surely
it's a good thing to give them more information to base that decision
on. Sure, not all plugin authors will use the tag; but that also gives
users more information when choosing which are the good plugins to
choose and which are the bad. So it's win-win.
David
--
WordShell - WordPress fast from the CLI - www.wordshell.net
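The policy the post argues for, as an added example that is not part of the thread and not WordShell's or WordPress's own code: a small Python script that reads WordPress-style plugin header comments, looks for the proposed tag (spelled `Last-Insecure-Version` here, which is an assumption about the exact header name), and sorts pending updates into "security" (the installed version is at or below the last insecure one, so update now), "optional" (the fix is not security-related, so it can wait for testing) and "unknown" (the author did not supply the tag). The version comparison, the header parsing and the sample plugin headers are all constructed for this illustration.

```python
"""Triage pending plugin updates by a hypothetical Last-Insecure-Version header.

Added example, not code from the wp-hackers thread or from WordPress.
Assumptions: the tag is spelled "Last-Insecure-Version", it names the newest
version known to be insecure, and versions are dotted numeric strings.
"""
import re

SECURITY, OPTIONAL, UNKNOWN = "security", "optional", "unknown"

_NUMERIC = re.compile(r"\d+")
# WordPress-style header line: optional leading " * ", then "Key: value".
_HEADER_LINE = re.compile(r"^\s*\*?\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")


def version_key(version):
    """Numeric components of a version as a tuple, so "1.10" sorts above "1.9".

    Non-numeric suffixes ("-beta") are ignored; that is a simplification of
    this example, not a statement about how WordPress compares versions.
    """
    return tuple(int(part) for part in _NUMERIC.findall(version))


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so "1.2" == "1.2.0"."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def parse_header(text):
    """Parse "Key: value" lines from a plugin header comment into a dict.

    Keys are lower-cased; the first colon ends the key, so values may contain
    colons (URIs, descriptions).
    """
    fields = {}
    for line in text.splitlines():
        match = _HEADER_LINE.match(line)
        if match:
            fields[match.group(1).strip().lower()] = match.group(2)
    return fields


def classify_update(installed, header):
    """Decide how urgent the available update is for an installed version."""
    last_insecure = header.get("last-insecure-version")
    if last_insecure is None:
        # Author did not supply the tag: the user gets no extra information.
        return UNKNOWN
    # Installed version is at or below the last insecure one: still vulnerable.
    if compare_versions(installed, last_insecure) <= 0:
        return SECURITY
    return OPTIONAL


def update_plan(site):
    """site maps plugin slug -> (installed version, header text of the update).

    Returns rows (slug, installed, available, class), security fixes first,
    then untagged plugins, then optional updates.
    """
    order = {SECURITY: 0, UNKNOWN: 1, OPTIONAL: 2}
    rows = []
    for slug, (installed, header_text) in site.items():
        header = parse_header(header_text)
        rows.append((slug, installed, header.get("version", "?"),
                     classify_update(installed, header)))
    rows.sort(key=lambda row: (order[row[3]], row[0]))
    return rows


# Constructed sample data: three plugins with an update available.
SAMPLE_SITE = {
    "plugin-x": ("1.4.1", """/**
 * Plugin Name: Plugin X
 * Version: 1.4.2
 * Last-Insecure-Version: 1.4.1
 */"""),
    "plugin-y": ("2.0", """/**
 * Plugin Name: Plugin Y
 * Version: 2.1
 * Last-Insecure-Version: 1.9
 */"""),
    "plugin-z": ("0.9", """/**
 * Plugin Name: Plugin Z
 * Version: 1.0
 */"""),
}

if __name__ == "__main__":
    for slug, installed, available, urgency in update_plan(SAMPLE_SITE):
        print(f"{urgency:9s} {slug}: {installed} -> {available}")
```

Run on the sample, plugin-x comes out as a security update (installed 1.4.1 is the last insecure version), plugin-z as unknown (no tag), and plugin-y as optional (installed 2.0 is already above 1.9), which is exactly the distinction the post wants the metadata to expose; a site owner on a tight schedule would apply the first row now and schedule the rest.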