[wp-hackers] WordPress plugin inspections
Ipstenu the Half-Elf
ipstenu at halfelf.org
Wed Feb 19 20:49:23 UTC 2014
The security email is for WP core security.
Plugin security issues should go to plugins at wordpress.org
On 2/19/14, 12:38 PM, Josh Pollock wrote:
> Jamie-
>
> The ability to easily do an independent security review of open source
> software is one of the strengths of the open source model. But publishing
> vague results, and not contacting the developer and/or
> security at wordpress.org, with any concrete details of a threat doesn't help
> the developer, the community or the users. If anyone can identify a
> specific security threat in Pods, please email Scott at pods.io and we will
> address it, like any other responsible developer would.
>
> Take care,
> Josh
>
>
> On Wed, Feb 19, 2014 at 3:27 PM, Jamie Currie <jamie at wunderdojo.com> wrote:
>
>> I had the exact opposite reaction to Chris Williams. Literally a week ago
>> I was talking to someone about the need for more rigorous evaluation of
>> plugins. I find that I now use only a small handful of plugins that I have
>> extensive experience with because of the lack of any quality standard.
>>
>> If that sounds a bit harsh, I'd suggest enabling DEBUG and the MySQL slow
>> query log (at something like 1 second) and then testing out various plugins. And
>> that's just the blatantly obvious stuff. I won't point fingers, but I
>> recently had issues with one pretty popular plugin and when I went into the
>> code to poke around I found that it is fundamentally flawed in the design
>> -- so much so that I rewrote it and will be sending the author the new code
>> and explanation.
>>
>> I understand that a cursory review is subjective and prone to
>> misstatements, but it's at least a step in the right direction. Perhaps the
>> next step would be for Harry to formalize some kind of process for
>> responding to / contesting reviews and to encourage community involvement
>> (maybe via this list) to "review the reviews" if you will. I'd be happy to
>> get involved in a process like that if the end result were a base of
>> plugins that had been scrutinized by some of the WP brains on this list.
>>
>> And if, at the end of the day, he harnesses that power to help build a
>> business, I don't see anything wrong with that either. I think 99% of us
>> are using WP to make money and it seems to me like he's identified a clear
>> need and at least attempted to address it -- which is pretty much the story
>> of every successful business.
>>
>> Jamie Currie
>> Founder / CEO
>> wunderdojo
>> wunderdojo.com
>> tel: 949-734-0758
>> 1840 Park Newport, #409
>> Newport Beach, CA 92660
>> Master web & app developers
>>
>> ------ Original Message ------
>> From: "Chris Williams" <chris at clwill.com>
>> To: "wp-hackers at lists.automattic.com" <wp-hackers at lists.automattic.com>
>> Sent: 2/19/2014 12:17:17 PM
>> Subject: Re: [wp-hackers] WordPress plugin inspections
>>
>>> I certainly can't speak for others, but I would venture to say that your
>>> business model is evil at best. You do fly-by character assassination
>>> (oops, I mean "light-touch inspections"), based on personal bias ("this
>>> plugin is large"), and then broadly publish the results as if they are
>>> somehow authoritative. Worse yet, you then hold plugin developers at
>>> ransom for changing the review: "If you would like to commission us to
>>> inspect or review the latest version, please contact us."
>>>
>>> How this is of value to anyone, and how you sleep at night with this
>>> specious business model, is completely beyond me.
>>>
>>> On 2/19/14 10:43 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
>>>
>>>> Hello list,
>>>> We write and publish light-touch inspections of WordPress plugins that
>>>> we do for our clients. They are just a guide - we conduct some basic
>>>> checks, not a thorough review.
>>>>
>>>> Would plugins which fail this inspection be of general interest to the
>>>> list and therefore worth posting? Is the list also interested in
>>>> vulnerability advisories, or do people tend to get those elsewhere?
>>>>
>>>> Here's an example report:
>>>>
>>>> https://security.dxw.com/plugins/pods-custom-content-types-and-fields/
>>>>
>>>> Grateful for a steer...
>>>>
>>>> Harry
>>>>
>>>> --
>>>> Harry Metcalfe
>>>> 07790 559 876
>>>> @harrym
>>>>
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>