Plugin/theme updates directory integration

Simone · January 30, 2023, 2:52pm

I don’t think we have enough people to review each new release.

What I think is that you should trust the developer to install a plugin, but as you said if a plugin is hosted on a bad hosting it can be hacked and the plugin can be overwritten with malicious code.

alvarofranz · January 30, 2023, 2:54pm

The way I intended this to work is by manually updating the current version on the directory dashboard (as a plugin author). What’s easier? … upload my plugin to two directories (WordPress and ClassicPress) or do it once and change the version manually in the other place? well… both require a minute or two.

That could potentially happen… could be a point. Then: stick to “hosted on WordPress, GitHub, GitLab…” sites where the being-hacked probability is low?

As far as I know, it doesn’t matter where the plugin is hosted, you can always edit it in a new version to be a bad person… even on the WordPress directory.

ElisabettaCarrara · January 30, 2023, 3:40pm

That could potentially happen… could be a point. Then: stick to “hosted on WordPress, GitHub, GitLab…” sites where the being-hacked probability is low?

Yes basically. since CP is a listing every listing should include a field where to point to fetch updates. We can allow updates coming from WP repo (that is SVN), github, gitlab… where the chance to be hacked is low (these repos have strong security measure in place to prevent hacking of their servers).

I agree that a bad dev can update the plugin to include malicious code, but this is a very rare occurrence and if one lists his plugin on WP or CP and it undergoes review one can assume that dev is trusted. If the dev is discovered to put malicious code in its plugins it gets kicked out (this already happens in WP because the bad code is discovered and outed, so we can apply same measure to plugin listed in CP)

viktor · January 30, 2023, 5:03pm

This discussion has served its purpose to identify a way to manage updates for WP repo and CP directory plugins/themes. So it will be closed.

However, the WordPress repo as a source discussion will be moved to Github to continue to explore this possibility. Anyone interested (@alvarofranz @joyously) in this discussion can monitor or participate here:

github.com/ClassicPress/Directory

Add WordPress.org repository as a source

opened 04:59PM - 30 Jan 23 UTC

viktorix

enhancement status: discussion

This issue is created to continue the discussion started in [the forum](https://…forums.classicpress.net/t/plugin-theme-updates-directory-integration/4558/41) about adding WordPress.org repository as a source. If we simply treat it as a repository source, regardless of its rules, it shouldn't be a problem adding it to the directory. It is developer's choice to use WordPress.org instead of a Git-based source. It is also developers responsibility to follow WP repos rules to stay listed. If WordPress closes the plugin/theme, API no longer returns any data and ClassicPress directory would suspend such plugin/theme pending a review. For this integration to work, WordPress.org API must be used similarly to GitHub API. For example: https://api.wordpress.org/plugins/info/1.0/wordpress-seo.json The API returns the necessary data for the directory to do its job: - `download_link` - provides URL to a zip file with the latest version. - `description` - can be used as a fallback for the item's description, similarly to how fallback works with README.md in the repository. Plugins/themes would still need to follow all the requirements and rules to be listed in the directory, this includes passing CPCS. Listing in WordPress repository doesn't guarantee listing in ClassicPress directory. The update process would be handled through the directory as we have a new process being put in place to default to CP directory. If `Update URI` is empty and `Requires CP` is set, ClassicPress core will default to use directory for updates. So there should be no issues. Important to remember: A WordPress plugin installed through original WP core integration will default to use CP directory for updates because it will have `Requires CP` set. This could lead to WP repo integration removal from CP core, if WP plugins/themes begin to get listed in the directory. This is only a discussion right now, open to feedback.

Thanks to everyone who participated, we appreciate your feedback.

viktor · January 30, 2023, 5:03pm