[wp-trac] [WordPress Trac] #30465: Dashboard alert if a plugin/theme was removed from WordPress repo

WordPress Trac noreply at wordpress.org
Wed Oct 30 00:18:54 UTC 2024


#30465: Dashboard alert if a plugin/theme was removed from WordPress repo
---------------------------------------------+-----------------------
 Reporter:  sergej.mueller                   |       Owner:  (none)
     Type:  feature request                  |      Status:  reopened
 Priority:  normal                           |   Milestone:  6.8
Component:  Security                         |     Version:
 Severity:  normal                           |  Resolution:
 Keywords:  dev-feedback security has-patch  |     Focuses:
---------------------------------------------+-----------------------

Comment (by dd32):

 Replying to [comment:47 oliversild]:
 > I don't think we need to freak people out, but we also can't leave them
 > in the dark.

 I do agree. But there's work that needs to be done to ensure that it's
 appropriately communicated, and not a scare-campaign.

 > The message could be "Warning: This plugin is currently closed in
 > WordPress.org plugins repository. What does this mean?" - just link that
 > to an article which would then outline all possible reasons why this might
 > be, such as:

 Yup, all the plugin closure reasons need a plugins handbook page which
 outlines the reasons and steps forward. Same for plugin rejection reasons.
 Those handbook pages don't yet exist though.

 > - Plugin moved away from WordPress.org and is set to receive updates &
 > support elsewhere.

 This is one that we're probably never going to be able to publicly
 acknowledge in any WordPress.org documentation IMHO.

 > - Plugin is abandoned, does not receive (security) updates and is not
 > actively developed anymore.

 This is common, but is not something that is tracked. Specifically, it's
 either closed as `Guideline Violation` (Email bounced, or author did not
 respond to an issue) or a security issue was reported and it was closed
 for security.

 What people see as `Guideline Violation` basically means everything from
 `Author is a jerk who is deliberately squirreling your data away to their
 servers` to `Their email hosted on their own VPS was unavailable for 5
 minutes`.


 > We don't need a perfect solution right away. We can always improve. But,
 > the users need to know now!

 Except, we kind of do. Once such a thing is present within Core, you're
 opening the floodgates for increased support burdens upon Plugin
 Authors/Plugin Reviewers, not to mention the support burden for
 WordPress.org forums, hosting providers, and WordPress providers (think:
 agencies, etc.)

 Replying to [comment:48 palmiak]:
 > @dd32 I think we should try to push it faster than slower.

 60 days is the WordPress.org plugin directory closure window. If the
 plugins team (This needs to be discussed with them) wishes to change that,
 we can.

 Given the vast majority of plugin authors appear unable to resolve even
 the most minor issues within 60/90 days, I doubt increasing that will happen
 anytime soon.

 ----

 I'm going to try to wrap this PR up into a plugin for testing and try to
 document the deficiencies in the plugin documentation.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/30465#comment:51>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

