[wp-hackers] Richer metadata for plugin versions
david at wordshell.net
Wed Jul 11 17:45:17 UTC 2012
> You should update any and all plugins immediately when there is an
> update available, period.
- Your website is being advertised on national radio today, in 20
minutes time. There's a new version of a plugin available, which
advertises a new feature that you don't use. Update immediately ... ?
- Plugin X has a security hole that allows immediate and complete site
take-over. Obviously, you should update immediately. But plugin Y just
has a minor tweak to a feature you hardly use. You might want to take an
hour or day to test it out. There's a difference in that situation. The
metadata I'm proposing would help you know which is which.
- If "you should update any and all plugins immediately", then WordPress
should just do it. Why is WordPress making users do something manually
that should "always" be done automatically?
So, obviously "you should always update immediately" is not true. In the
WordPress admin, it's a choice offered to users, and rightly so. Users
can choose their own policies based on their own immediate needs and
risk assessments. Adding a "last-insecure-version" tag helps users to
make that choice more intelligently, based upon more information. It's a
> If the plugin author has a habit of introducing new versions with
> bugs, then you should stop using that plugin and find a different one
Given a choice between letting the volunteer early-adopters try out new
versions for a few days, and breaking your website, losing business, and
then researching a new plugin, I don't see how the former can be the
one-and-only true choice.
Sure, if he has a "habit", then switch plugins. But you cannot
accumulate data on their habits without taking time. And under the
"always update immediately" scheme, you'll break your website several
times whilst finding out what their habits are. Again, I think lots of
WordPress users would prefer an alternative. I certainly would.
> I do not see it as a good idea to introduce anything which even
> remotely suggests that it is okay to not update. It is not okay.
> Update. Immediately. Always.
So, why does WordPress not do that for you, if it's the only right policy?
Seems to me there's a fork in the road. If "update immediately always"
is right, then WordPress should handle it automatically; someone should
code up a patch to do it, and remove the maintenance task from users
(why offer them the option of doing the wrong thing?). If, on the other
hand, it's right to let the user make a decision about it, then surely
it's a good thing to give them more information to base that decision
on. Sure, not all plugin authors will use the tag; but that also gives
users more information when choosing which are the good plugins to
choose and which are the bad. So it's win-win.
WordShell - WordPress fast from the CLI - www.wordshell.net
More information about the wp-hackers