14 Comments

  1. What a great idea for a plugin, and it seems pretty solid. Why can’t I think of these things!?

  2. Flick

    Wow. What a brilliant find! I think Paul has done and is continuing to do some excellent work here and I, for one, can’t wait to discover what hidden gems there might be :) Thanks for the info!

  3. I’m not knocking the idea, but this sounds incredibly dangerous.

    Think of it a lot like the Apple App Store and the jailbroken Cydia repositories on iPhones. If you install things from elsewhere, well, you have no form of security. Great for power users and people who can read and evaluate code, but pretty much useless for anybody else.

    When you combine this with GitHub, well, the implications are terrifying. With a minor amount of effort, one could create scripts to create github accounts, fork legitimate plugins, insert a couple lines of malicious code, and thus flood the search results with malware intended specifically for this case. Each of these steps is easily scriptable, and can be done without even installing “git” on your computer, thanks to github’s easy forking and editing.

    For something like this to be useful, it needs verification and authenticity. It needs a way to eliminate the forks and the false results and to confirm authorship. None of that is in github, at present.


  4. @Otto – I absolutely agree. Even though it is a plugin for power users, and I don’t think Github would be as fruitful for malware as Google, security and authenticity are top priorities.

    Github does allow for quite a few options by default: Forks can be excluded, and search results can be filtered by a minimum star count, watch count, or fork count.

    The plugin was already excluding all forks by default. Based on your input, I’ll require a minimum star count as well. At a minimum, that will at least require *some* users see *some* value in search results.

    That, of course, does not enforce a standard of validated authenticity. I think there is an excellent model for creating that, however, in the Mac package manager Homebrew. Essentially, a list of authenticated repositories is managed in the homebrew repo, and users submit updates via pull request.

    Github allows search to be whitelisted by either owner or repository, and users could add their own sources in an admin interface.

    I’m interested to hear your thoughts. :)

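The filtering that comment 4 describes (drop forks, require a minimum star count, and allow-list trusted owners in the style of Homebrew's curated repository list) can be expressed directly against the GitHub repository-search response. This is an added example, not code from the plugin discussed on the page; the response fields `fork`, `stargazers_count` and `owner.login` and the qualifiers `fork:false`, `stars:>=N` and `user:NAME` are GitHub's documented ones, and the sample results are constructed.

```python
"""Added example: apply the page's mitigations (exclude forks, enforce a minimum
star count, restrict to allow-listed owners) to GitHub repository search results.
The SAMPLE_ITEMS below are constructed, not real search output."""
from typing import Iterable, Optional


def build_search_query(keyword: str, min_stars: int = 5,
                       owner: Optional[str] = None) -> str:
    """Build the search string sent to GitHub. fork:false is GitHub's default
    but is stated explicitly so the intent is visible; stars:>=N filters
    server-side; user:NAME narrows results to one allow-listed account."""
    parts = [keyword, "fork:false", f"stars:>={min_stars}"]
    if owner:
        parts.append(f"user:{owner}")
    return " ".join(parts)


def filter_results(items: Iterable[dict], min_stars: int = 5,
                   owners: Optional[Iterable[str]] = None) -> list:
    """Client-side re-check of the same rules, because search qualifiers
    alone must not be trusted as the only gate before an install.
    owners=None means no owner allow-list; otherwise only those owners pass."""
    allowed = {o.lower() for o in owners} if owners is not None else None
    kept = []
    for item in items:
        if item.get("fork", False):                 # forks of legit plugins
            continue
        if item.get("stargazers_count", 0) < min_stars:
            continue
        owner = item.get("owner", {}).get("login", "").lower()
        if allowed is not None and owner not in allowed:
            continue
        kept.append(item)
    return kept


# Constructed sample of repository-search items (subset of real field names).
SAMPLE_ITEMS = [
    {"full_name": "alice/wp-cache-helper", "fork": False,
     "stargazers_count": 42, "owner": {"login": "alice"}},
    {"full_name": "mallory/wp-cache-helper", "fork": True,      # a fork
     "stargazers_count": 42, "owner": {"login": "mallory"}},
    {"full_name": "bob/wp-cache-helper-2", "fork": False,       # too few stars
     "stargazers_count": 1, "owner": {"login": "bob"}},
    {"full_name": "carol/wp-cache-tool", "fork": False,
     "stargazers_count": 12, "owner": {"login": "carol"}},
]


def kept_names(items: Iterable[dict], **kwargs) -> list:
    """Convenience: full_name of every result that survives filter_results."""
    return [i["full_name"] for i in filter_results(items, **kwargs)]


if __name__ == "__main__":
    print(build_search_query("cache", 10, owner="alice"))
    print(kept_names(SAMPLE_ITEMS, min_stars=5))
    print(kept_names(SAMPLE_ITEMS, min_stars=5, owners=["alice"]))
```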

  5. Obviously there is some risk installing any plugin, even those from the WP repository. I would imagine there would be even more risk installing from a repository like git, where there is even less oversight.

    Maybe the next eventual step would be a group that helps curate or rate/certify WP plugins on git. That might help.


  6. This is interesting – but I agree that it is absolutely essential to have the option to switch between WordPress.org and GitHub. I also agree there needs to be a good way to limit the results of the search. Even though WordPress.org is not a perfect model for ensuring plugins follow coding guidelines, there is a system that keeps out most of the chaff. I would like to see them jettison plugins that have not been updated in years(!) – but the same is true on Github. There are going to be orphans that no longer have an active community that turn up in a search if there isn’t a way to set criteria for your search. Yes, you should check the details before you install anything from anywhere – but still – setting criteria would lower the overhead in search.

    Actually – I guess I’m preaching to the choir on the criteria issue – that should be a core feature of plugin and theme search on the admin dashboard.


  7. @Mike Dunham – Agreed. I have a selector to switch between wordpress.org and github.com next on my list. It should also include an option to search within a GitHub username.

    After adding a minimum star requirement last night, I also added links to view details on the Github repo page or author profile, and now display the author avatar as well. That gives a stronger sense of who is publishing what.


  8. I tend to agree with @Otto too. It is a good idea, but you definitely need to build in security for it to work properly.

    Apart from that, I host all my plugins on both the WordPress Repository and Github. But what’s on Github is “stable” beta as I like to call it and on the official Repository I only host the latest stable versions.

    So for normal users I would not recommend downloading my plugins via GitHub.


  9. There’s also Code for the People’s ‘External Update API’ (https://github.com/cftp/external-update-api), which doesn’t help with the initial search/installation, but once you have installed a plugin (or theme) from GitHub it allows you to get updates from there (even if the code is in a private repo). It’s extensible so you can add your own non-GitHub sources too.

  10. In addition to Paul’s excellent updater plugin, I’ve also created a plugin, GitHub Updater, that updates plugins or themes with a simple additional header.
