8 Comments

  1. realistdreamer

    As a writer, I hate being asked to commit to the same format for every piece of content. Notwithstanding this, structure and consistency are important to “readers” and are probably more important for “surfers.” Anything that could be done in this area would increase uptake of information by all who encounter it.

    We can save the freeform for less strictly informational posts.


  2. A structured format is really hard to stick to in a volunteer project environment, and creates more work than is necessary.

    I feel there are only three things that could be done, which would make a huge difference:

    Use the WP-Announcements emailing list & add a link to this in the README.
    Tying announcements to WordPress itself is not practical as it relies on sites having a valid email address (not all do) and also relies on WP being able to access the install. Server permissions may make this impossible.
    Release patches, not just full downloads. Where patches can be safely applied to different versions, say so.
    Better commenting of code. If code is changed to harden security, commenting it would enable users to identify where this hardening has taken place and fix their own code accordingly.

    The ideas for improving alerts in the WordPress backend are good, but don’t help those users who are running heavily customised installs, or who have locked their servers down so tight that they do not get upgrade notices, or see the dashboard feeds, or who manually apply fixes in a company-proscribed process.


  3. Hi Jeffro,

    Great post and I entirely agree. Regarding the email notification, there is a plugin that does this: Upgrade Notification by Email

    I do agree that it should be an option in the core, but the plugin may be a help right now when it’s not in the core.


  4. @realistdreamer – I see where you’re coming from, but I think the freeform could be kept in the summary of the post regarding the update. The other stuff is just easy to find links for that specific information.

    @Stephen Cronin – That is the plugin that inspired the thought that something like it should be added to the core. Some folks may disagree but I think it’s a small price to pay for one more dedicated piece of the notification puzzle.


  5. Regarding the concept of a WordPress Threat Level – This is something really hard to define.

    It is rare that a security fix is so cut and dry that you can make one of these level-based statements – and if you do, prepare to be shown by the ingenuity of the crackers themselves that you were wrong – it is very hard to identify all the ways in which a security bug that is fixed can be exploited!


  6. It’d be really nice to have it be clearer what’s changed.

    If it’s for security for people who have logins (and I don’t have other “users”) then I’m not worried.

    If it only modifies one file I could do that myself (and leave the RSS feed core files that I modify alone).

    It’d just be nice to know more…


  7. @westi – Yeah, in discussions with other folks regarding this idea of threat levels, it would do more harm than good if WordPress labeled the threat as minimal and yet, those who didn’t upgrade based on the threat level were compromised anyways.

    @Gary LaPointe – And that is one of the things I was trying to stress. Providing more information up front to allow responsible users such as yourself to figure out what has to be done.

