[wp-hackers] Richer metadata for plugin versions

David Anderson david at wordshell.net
Wed Jul 11 20:14:20 UTC 2012


>   I'm just saying that it's a bad idea to suggest that not-updating is a
>   viable strategy. If you don't want to update, then fine, but also be
>   aware of the consequences as well.
>
>   It's better to update than to not-update and become increasingly
>   behind and increasingly insecure. The time between exploits becoming
>   public and those exploits being actively used for evil is as close to
>   zero as you can imagine.

I think this is an argument *for* the extra meta-data. Personally I was 
imagining choosing between "update now" and "update in 3 or 4 days' time 
when the early adopters have done some testing for me". If the plugin 
update is marked as a security update, then that gives me extra 
information to persuade me to upgrade *sooner* rather than later.

"This is a security update" has other uses too. If such meta-data were 
made compulsory, then it would greatly help hosting companies. They 
could auto-inform their clients of insecure sites. They could offer them 
commercial update services. They could complete audits with a reasonable 
level of assurance.

Here's a way to make them compulsory - have two tags in the readme.txt, 
"Secure versions" and "Insecure versions". The plugin author would have 
to list every version in one of the two. An unlisted version would not 
be offered up by the WordPress plugins directory (and insecure ones 
could be removed or made harder to reach).

At present, the meta-data can only help you answer the question "am I 
running the highest-numbered version?" But "highest numbered" and "best 
for me" are not identical questions. "Don't fix what is not broken" is 
good advice. Adding security information would be a big step forward IMO 
so that you can actually know whether something is broken.

David



-- 
WordShell - WordPress fast from the CLI - www.wordshell.net
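The two-tag readme.txt scheme proposed in the message above, worked through as an added example (not code from this thread, from WordShell, or from WordPress): it assumes the tags take the same "Key: value" form as existing readme.txt header lines with a comma-separated version list, and that a version listed in both tags is treated as insecure; the sample readme and site inventory are constructed.

```python
"""Classify plugin versions against proposed "Secure/Insecure versions" tags."""
import re

# Constructed sample readme.txt; the tag format is an assumption, the post
# names the tags but does not specify their syntax.
SAMPLE_README = """\
=== Example Plugin ===
Stable tag: 1.2
Secure versions: 1.2, 1.1.1
Insecure versions: 1.1, 1.0
"""

_TAG_RE = re.compile(
    r"^(Secure versions|Insecure versions):\s*(.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_version_tags(readme):
    """Return (secure, insecure) sets of version strings read from the readme."""
    found = {"secure versions": set(), "insecure versions": set()}
    for key, value in _TAG_RE.findall(readme):
        found[key.lower()] = {v.strip() for v in value.split(",") if v.strip()}
    return found["secure versions"], found["insecure versions"]


def classify(version, readme):
    """Map one version to the action the post proposes for the directory.

    'offer'    - author lists it as secure, so the directory may serve it
    'insecure' - author lists it as insecure: withhold or flag it, and a
                 host can inform the site owner
    'unlisted' - in neither list: the author has not vouched for it, so it
                 is not offered (the incentive to list every version)
    """
    secure, insecure = parse_version_tags(readme)
    if version in insecure:       # assumption: an insecure listing wins a conflict
        return "insecure"
    if version in secure:
        return "offer"
    return "unlisted"


def site_report(installed, readme):
    """A host's audit view: {site: status} for the plugin version each site runs."""
    return {site: classify(ver, readme) for site, ver in installed.items()}
```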