Always give the reason why a plugin was taken from repo.

  • Resolved chrisplaneta

    (@chrisplaneta)



    When a plugin is taken down there is no information on the reason why it was done. I believe it has to be mandatory.

    Today I learned that [ a plugin ] with 900k+ active installs was taken down. Why? 900k+ sys admins are wondering the same. Is it a security flaw? Nobody knows. And we should. Especially if there’s a security risk.

    From time to time situations like that happen – some gallery plugin, then backup plugin, then SEO – and some of them have huge user base. Not informing them on the reason a plugin was taken down is very irresponsible and – in my view – needs to be addressed and corrected.

  • What would be irresponsible is leaving a problematic plugin up on the repository when it was known to be a problem.

    It’s not the admin’s place to report to the world the reason for their decisions. The ‘telling’ might put the admin in legal and financial troubles in some cases.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    When a plugin is taken down there is no information on the reason why it was done. I believe it has to be mandatory.

    That’s not a good idea unless it’s something that has been resolved already. Then yes, there ought to be a notice why on the plugin page. I’ll come back to that.

    Here’s a scenario. Let’s say ACME Widgets (and if that’s a real plugin then I apologize, it’s just an example) has some exploitable vulnerability in it.

    1. This is reported to the Plugins team.
    2. The plugin is closed. It’s no longer available to download.
    3. A patched version is created and validated.
    4. The version number is bumped up and the plugin is re-opened.
    5. Users get a notice of the update and install the new version.
    6. Almost 100% certainly the vulnerability will be responsibly disclosed on one or many sites. This should ALWAYS be the last step.

    It does not serve anyone’s interests to inform users about the vulnerability before it is remediated. It absolutely serves no one’s interest to continue to distribute vulnerable code during that window when the plugins team has been notified.

    *Drinks coffee*

    The verbiage of the closed plugin has been updated recently with something like “plugin not available due to plugin guidelines violations” or something but if it’s a security issue then that shouldn’t be disclosed until the appropriate time.

    Hmmm…

    I get your point. Or at least partly.

    Is disclosing the fact that there’s a security risk (without stating exactly where it is) also risky?

    Because if yes, then I’m OK with not disclosing any information on the reason why the plugin was taken down. If not, then why not just say it? Then people who administer tens or hundreds of sites will get a red light and will decide whether to replace the plugin or wait until… well, they don’t know.

    This is the second issue. If there’s no information of any type, then people don’t know whether to wait for an update or not. I think a notice like that would be very helpful.

    Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    If I understand correctly, your point is that the notification that is already on the plugin isn’t clear enough and there should be an alternative?

    I think the notification should tell people what options they have because right now they don’t know what to do.

    If disclosing information about security flaws is a big no, then I think people should at least be informed whether there’s a chance that the plugin will come back or that it will no longer be available.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Is disclosing the fact that there’s a security risk (without stating exactly where it is) also risky?

    Yes, it is very risky. When we know of an issue, we keep it secret until it is solved, and then we get the fix out as fast as possible. If we said there was a security issue, then the bad guys would know that one exists, go find it, and try to exploit it as fast as possible, before we get a fix out. Thus the lack of transparency for security matters.

    It’s a race, basically.

    I think the notification should tell people what options they have because right now they don’t know what to do.

    That’s the point. You don’t need to do anything. If it’s a security issue, then a fix will likely come out soon, and the details of the issue should be kept secret until the fix is out. If it’s not a security issue (and most of the time, it isn’t), then doing anything would cause you disruption for no reason. Freaking out about a plugin being temporarily unavailable is counterproductive.

    As it stands, when a plugin is closed, most of the time it’s because the author asked us to do it. Other times it’s because of a minor guideline violation. Usually these are not big deals and the problem is fixed and the plugin is back up as soon as possible. Often we try to work with authors to fix minor issues without closing the plugins for those sorts of things.
