1. Michael

    What a great idea for a plugin, and it seems pretty solid. Why can’t I think of these things!?


  2. Flick

    Wow. What a brilliant find! I think Paul has done and is continuing to do some excellent work here and I, for one, can’t wait to discover what hidden gems there might be :) Thanks for the info!


  3. WordPress-Newsletter Nr. 126 | perun.net

    […] Many WordPress plugin developers now also put their plugins there. This English-language article explains how, from the backend, the plugins from Github […]


  4. Otto

    I’m not knocking the idea, but this sounds incredibly dangerous.

    Think of it a lot like the Apple App Store and the jailbroken Cydia repositories on iPhones. If you install things from elsewhere, well, you have no form of security. Great for power users and people who can read and evaluate code, but pretty much useless for anybody else.

    When you combine this with GitHub, well, the implications are terrifying. With a minor amount of effort, one could create scripts to create GitHub accounts, fork legitimate plugins, insert a couple lines of malicious code, and thus flood the search results with malware intended specifically for this case. Each of these steps is easily scriptable, and can be done without even installing “git” on your computer, thanks to GitHub’s easy forking and editing.

    For something like this to be useful, it needs verification and authenticity. It needs a way to eliminate the forks and the false results and to confirm authorship. None of that is in GitHub, at present.


  5. Paul Clark

    @Otto – I absolutely agree. Even though it is a plugin for power users, and I don’t think Github would be as fruitful for malware as Google, security and authenticity are top priorities.

    Github does allow for quite a few options by default: Forks can be excluded, and search results can be filtered by a minimum star count, watch count, or fork count.

    The plugin was already excluding all forks by default. Based on your input, I’ll require a minimum star count as well. At a minimum, that will at least require that *some* users see *some* value in search results.

    That, of course, does not enforce a standard of validated authenticity. I think there is an excellent model for creating that, however, in the Mac package manager Homebrew. Essentially, a list of authenticated repositories is managed in the homebrew repo, and users submit updates via pull request.

    Github allows search to be whitelisted by either owner or repository, and users could add their own sources in an admin interface.

    I’m interested to hear your thoughts. :)
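
The filtering described in the comment above (exclude forks, require a minimum star count, optionally restrict results to an allowlist of owners or repositories), as an added Python example that is not the plugin's own code. The field names follow GitHub's repository search results; the sample data, the `Policy` class and the star threshold are assumptions.

```python
from dataclasses import dataclass

# Constructed sample, shaped like items from GitHub's repository search API.
def _repo(full_name, fork, stars):
    return {"full_name": full_name, "fork": fork, "stargazers_count": stars,
            "owner": {"login": full_name.split("/")[0]}}

SAMPLE_RESULTS = [
    _repo("trusted-dev/gallery-plugin", False, 42),
    _repo("acct-8831/gallery-plugin", True, 0),       # flagged as a fork
    _repo("acct-9917/gallery-plugin-pro", False, 0),  # re-upload, not flagged as a fork
    _repo("newcomer/seo-helper", False, 12),
    _repo("Trusted-Dev/Forms", False, 1),             # same owner, different case
]

@dataclass(frozen=True)
class Policy:  # hypothetical settings object, not part of any plugin
    min_stars: int = 5                       # assumed threshold
    allowed_owners: frozenset = frozenset()  # curated list, e.g. updated by pull request
    allowed_repos: frozenset = frozenset()   # "owner/name" entries
    allowlist_only: bool = False             # True: show nothing outside the allowlist

def classify(item, policy):
    """Return (decision, reason) for one search-result item."""
    full_name = item["full_name"].lower()    # GitHub names compare case-insensitively
    owner = item["owner"]["login"].lower()
    if full_name.split("/", 1)[0] != owner:  # fields must agree before we trust either
        return ("reject", "owner mismatch")
    if item.get("fork", False):
        return ("reject", "fork")
    owners = {o.lower() for o in policy.allowed_owners}
    repos = {r.lower() for r in policy.allowed_repos}
    if owner in owners or full_name in repos:
        return ("verified", "allowlisted")
    if policy.allowlist_only:
        return ("reject", "not allowlisted")
    if item.get("stargazers_count", 0) < policy.min_stars:
        return ("reject", "below star minimum")
    return ("unverified", "meets star minimum")

def vet(results, policy):
    """Map each repository name to its (decision, reason)."""
    return {item["full_name"]: classify(item, policy) for item in results}

if __name__ == "__main__":
    policy = Policy(allowed_owners=frozenset({"trusted-dev"}))
    for name, verdict in vet(SAMPLE_RESULTS, policy).items():
        print(name, *verdict)
```

The star minimum is only a popularity signal; the allowlist branch is the only one that says anything about authorship, which is why the two outcomes are reported as `unverified` and `verified` rather than merged.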


  6. Paul Clark

    Thanks for the detailed review, Sarah!

    I’m already looking into adding automatic updates using the Git Plugin Updates plugin, which supports Github and Bitbucket.


  7. Craig Grella

    Obviously there is some risk installing any plugin, even those from the WP repository. I would imagine there would be even more risk installing from a repository like git where there is even less oversight.

    Maybe the next eventual step would be a group that helps curate or rate/certify WP plugins on git. That might help.


  8. Mike Dunham

    This is interesting – but I agree that it is absolutely essential to have the option to switch between WordPress.org and GitHub. I also agree there needs to be a good way to limit the results of the search. Even though WordPress.org is not a perfect model for ensuring plugins follow coding guidelines, there is a system that keeps out most of the chaff. I would like to see them jettison plugins that have not been updated in years(!) – but the same is true on Github. There are going to be orphans that no longer have an active community that turn up in a search if there isn’t a way to set criteria for your search. Yes, you should check the details before you install anything from anywhere – but still – setting criteria would lower the overhead in search.

    Actually – I guess I’m preaching to the choir on the criteria issue – that should be a core feature of plugin and theme search on the admin dashboard.


  9. Paul Clark

    @Mike Dunham – Agreed. I have a selector to switch between wordpress.org and github.com next on my list. It should also include an option to search within a GitHub username.

    After adding a minimum star requirement last night, I also added links to view details on the Github repo page or author profile, and now display the author avatar as well. That gives a stronger sense of who is publishing what.


  10. Piet

    I tend to agree with @Otto too. It is a good idea, but you definitely need to build in security for it to work properly.

    Apart from that, I host all my plugins on both the WordPress Repository and Github. But what’s on Github is “stable” beta as I like to call it and on the official Repository I only host the latest stable versions.

    So for normal users I would not recommend downloading my plugins via Github.


  11. Simon

    There’s also Code for the People’s ‘External Update API’ (https://github.com/cftp/external-update-api), which doesn’t help with the initial search/installation, but once you have installed a plugin (or theme) from GitHub it allows you to get updates from there (even if the code is in a private repo). It’s extensible so you can add your own non-GitHub sources too.


  12. WP Plugins from GitHub | Macs And More

    […] WP Plugins from GitHub […]


  13. Development Agency 10up Acquires Brainstorm Media

    […] such as Larry Fitzgerald of the Arizona Cardinals and USA Today. A few months ago, Sarah Gooding profiled a plugin created by Paul Clark called Github Plugin Search that enables users to access and install […]


  14. Andy Fragen

    In addition to Paul’s excellent updater plugin, I’ve also created a plugin, GitHub Updater, that updates plugins or themes with a simple additional header.


Comments are closed.
