• Went to download CFDB to install on a new WordPress site, but WordPress says the plugin does not exist. I can’t find any way to download it from the website.

Viewing 9 replies - 16 through 24 (of 24 total)
  • pluginvulnerabilities

    (@pluginvulnerabilities)

    @trec-r

    Delisting is a very good idea, as we have frequently found that it is the only thing that gets developers to fix vulnerabilities (including ones that are already being exploited) and if another vulnerability is reported to the developer subsequent to that, they will often deal with it in a timely manner without having to involve the people running the Plugin Directory.

    We suggested years ago that WordPress start alerting people when they are using plugins that have been removed from the Plugin Directory and provide at least a general reason why it was removed. Shortly afterwards they said they were working on that, but the more recent position has been that letting people know of vulnerabilities in plugins they use would be harmful.

    “… that letting people know of vulnerabilities in plugins they use would be harmful.”

    Interesting idea. Silent delisting leaves vulnerable plugins up and running forever in people’s sites, and that’s really harmful.

    Keeping everybody uninformed is a good example of “security by obscurity” which has never worked and will never work.

    What about a status of “currently not available” in the plugin directory which keeps the plugin page online without download links and also shows up in the plugins list in people’s wp-admin, similar to “update available”, so they can start to investigate and/or decide to delete or disable a plugin until an update shows up.

    All those bots and script-kiddies will know about the vulnerabilities anyway, no matter if a plugin is delisted or marked as “currently not available” or not marked at all.

    Thread Starter trec-r

    (@trec-r)

    As a result of the plugin getting delisted, we have had a number of public discussions about the vulnerabilities of this plugin. This may very well create more awareness of the problem than a simple status flag.

    Also, many users are not aware that there have been incremental improvements made. While those changes may not solve all the problems, it is better to have a plugin with one hole instead of two.

    pluginvulnerabilities

    (@pluginvulnerabilities)

    @ov3rfly

    Years ago we pointed out to them that it isn’t a good idea to hide vulnerabilities for the reasons you mentioned, but it clearly didn’t have an impact. Unfortunately, when it comes to security, especially of plugins, the people handling it for WordPress often seem to have a problem realizing the fairly obvious. They so far have also shown little willingness to listen to input that they are getting things wrong, which leads to problems continuing.

    There is a fair amount we are able to do when it comes to plugin vulnerabilities: making sure they are aware of publicly disclosed vulnerabilities, making sure that vulnerabilities that haven’t been publicly disclosed, but are being exploited, are reported to them if the developer doesn’t respond, making sure that vulnerabilities actually have been fixed when they return them to the Plugin Directory, and providing people an option to be alerted through our plugin if they are using plugins that are being exploited. But the rest is in their hands, and that is where the problems continue to occur.

    Without understanding all the technical details about vulnerabilities, I think WordPress pulling this plugin without leaving a “status unavailable” message for WordPress clients is extremely unprofessional to both you and the end user.

    Products like yours make WordPress the powerful tool that it is, and WordPress should have some semblance of respect for that. Thanks for a great plugin, Michael; hope to see it back up on WordPress soon.

    I agree with @exposurefoundry. CFDB had an extremely high download count. It would seem to be much more respectful to developers and users to leave a page up with the description, download count, etc. and give a reason for the “unavailable at this time” message. That would also enable existing users to know that there was a vulnerability and choose to disable it or knowingly risk it. As it is now, my agency has hundreds of sites using this plugin and we had no idea there was an issue with it.

    @msimpson, you should post the unprofessional portions of your email exchanges with wordpress.org. If they are as bad as you suggest, I’m sure some of us would help you make a stink and get another person assigned. Perhaps there needs to be more transparency and accountability to the review process, otherwise it seems like obnoxious reviewers can not only discourage developers but ultimately delist plugins for reasons that are more personal than professional. For example, the plugin review correspondence could be just another tab on the plugin page, like the support or screenshots tab.

    Firstly, I want to thank the author for his time, efforts and dedication for both sharing his work (freely) and also hopefully trying to get the issues fixed and the plugin relisted.

    Often, for developers of free open source software, it’s a thankless task – you certainly don’t do it for the income. In that regard, rather than disparaging a person’s work – why not offer some free assistance to get it fixed?

    Like many others, I love the WordPress community and I want to encourage the open source work that people provide for love not money.

    Programmer peers can be a bit sanctimonious sometimes. It would be a great shame if this man’s work is not supported – so please “WP person” and @msimpson please do your best to keep it courteous and helpful 🙂

    As for taking down plugins without warning – I can understand why WP would do that, trying not to alert would be hackers. However, there should be some way to alert current users of an issue – perhaps an automated email or notification in the dashboard that says simply: “the plugin xyz that you are using has been removed from WP. You should replace it in your installation with another.”

    I am coming originally from the vBulletin scene (forum software) and was involved in development of extensions, as well as running an official German website for such extensions for all licensed users. (I changed to WordPress some years ago.)

    What we do in such cases of vulnerability: we remove the attachment, place a warning within the page of this extension, contact the author and wait for a fix.

    I think this would also be the best way here: let the page itself be there, just a notification “temporarily removed, author contacted” and that’s it.
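The missing signal the posts above keep asking for (a “currently not available” flag in wp-admin, or a notice when a plugin you run has been pulled) can be approximated today from the outside by asking the directory’s public plugin information endpoint about every installed slug. The script below is an added example written for this thread; it is not code from the forum, from WordPress.org or from CFDB. It assumes the endpoint `https://api.wordpress.org/plugins/info/1.2/` with `action=plugin_information`, and the shapes of the “closed” and “not found” answers it classifies are assumptions labelled in the code, so confirm them against a live response before trusting the result. The sample answers and installed-plugin list are constructed so the audit runs offline.

```python
"""Audit installed WordPress plugins against the wordpress.org Plugin Directory.

Added example for this thread; not code from the forum, from WordPress.org
or from CFDB. For each installed plugin slug it asks the public
plugin_information endpoint and flags plugins the directory no longer serves,
which is the "currently not available" signal the thread asks wp-admin for.
The exact shape of the "closed" and "not found" answers is an ASSUMPTION
(see classify); check it against a live response before relying on it.
"""
import json
import re
import urllib.parse
import urllib.request

API_URL = "https://api.wordpress.org/plugins/info/1.2/"


def fetch_plugin_info(slug: str, timeout: float = 10.0) -> dict:
    """Live lookup over the network; returns the decoded JSON for one slug."""
    query = urllib.parse.urlencode(
        {"action": "plugin_information", "request[slug]": slug}
    )
    with urllib.request.urlopen(f"{API_URL}?{query}", timeout=timeout) as resp:
        return json.load(resp)


def version_key(version: str) -> tuple:
    """Turn '2.10.1' into (2, 10, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def classify(slug: str, installed_version: str, info: dict) -> dict:
    """Classify one installed plugin from the directory's answer.

    Assumed response shapes (assumption, not taken from the thread):
      closed plugin : {"error": "closed", "closed": true, "reason_text": "..."}
      unknown slug  : {"error": "Plugin not found."}
      listed plugin : {"slug": "...", "version": "...", ...}
    """
    if info.get("closed"):
        return {
            "slug": slug, "status": "closed",
            "detail": info.get("reason_text", "no reason given"),
            "action": "disable or replace; no fixed version will arrive via update",
        }
    if "error" in info:
        # Ambiguous: never hosted on wordpress.org, or removed. Either way the
        # site gets no update notices for it, so it deserves a manual look.
        return {
            "slug": slug, "status": "not_in_directory",
            "detail": str(info["error"]),
            "action": "confirm the plugin's origin and whether it is maintained",
        }
    latest = str(info.get("version", ""))
    if latest and version_key(latest) > version_key(installed_version):
        return {
            "slug": slug, "status": "update_available",
            "detail": f"installed {installed_version}, directory has {latest}",
            "action": "update",
        }
    return {"slug": slug, "status": "ok",
            "detail": f"installed {installed_version}", "action": "none"}


def audit(installed: dict, fetch=fetch_plugin_info) -> list:
    """installed maps plugin slug -> installed version (e.g. from `wp plugin list`)."""
    report = []
    for slug, version in sorted(installed.items()):
        try:
            info = fetch(slug)
        except Exception as exc:  # a network/JSON error must not hide the other rows
            info = {"error": f"lookup failed: {exc}"}
        report.append(classify(slug, version, info))
    return report


def needs_attention(report: list) -> list:
    """Slugs whose status is anything other than 'ok'."""
    return [row["slug"] for row in report if row["status"] != "ok"]


# Constructed sample answers (not real API output) so the audit runs offline.
SAMPLE_RESPONSES = {
    "example-forms-db": {"error": "closed", "closed": True,
                         "reason_text": "Security Issue"},
    "example-seo": {"slug": "example-seo", "version": "3.2.0"},
    "agency-private-plugin": {"error": "Plugin not found."},
}

# Constructed installed-plugin list, as `wp plugin list` would report it.
SAMPLE_INSTALLED = {
    "example-forms-db": "2.10.1",
    "example-seo": "3.1.9",
    "agency-private-plugin": "1.0",
}


def demo() -> list:
    """Run the audit against the constructed answers above."""
    return audit(SAMPLE_INSTALLED, fetch=lambda slug: SAMPLE_RESPONSES[slug])


if __name__ == "__main__":
    for row in demo():
        print(f"{row['slug']:24} {row['status']:18} {row['detail']} -> {row['action']}")
```

On a real site, feed `audit()` the output of `wp plugin list --fields=name,version --format=json` (WP-CLI’s `name` is the directory slug) with the default live fetcher. Two caveats: a `not_in_directory` result cannot tell a privately distributed plugin from one that was silently removed, which is exactly the ambiguity the thread complains about, and the reason text is only present if the directory chooses to publish it.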

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    Hello, I’m the lead rep for the Plugin Directory Team.

    Since we remove plugins for many reasons, the minority of which are security related, we do not disclose the reason why any one particular plugin was removed. Our quite serious and valid concern is that if we were to disclose that a specific version was at risk without providing a fix, we would put people at greater risk. In addition, by removing the plugin, we put pressure on the developers to address the situation promptly.

    Is this perfect? Good god, no. We know it’s not perfect. Heck, I agree with @pluginvulnerabilities that we need a better way, but it’s a messier situation than I wish it was. We’re actively working on a way to ‘flag’ plugins so people can see it was removed, but we haven’t sorted out a safe way to inform people to why without putting people more at risk. MOST plugins are removed because people are abusive or acting illegally (stealing code, infringing trademarks, etc), after all.

    I promise you this: We ALWAYS contact the developers and do our best to make it clear what was required to have the plugin restored as quickly as possible. The average plugin is restored within a week.

    We are a 100% volunteer team too, and we do our best to direct people with issues to educate themselves and become better developers. Everyone always has room to learn how to do things better and safer. We’re not naive enough to think we’re perfect either 🙂 We make mistakes. We NEVER disparage people’s work. We know they’re trying their hardest. We hope they understand that so are we.

    In this situation, reviewing why the plugin was removed and the previous conversations, I don’t feel a mistake has been made.

    I’m closing this as the thread is non-productive. If you have questions about your own plugins, or about the process, feel free to email us at plugins@wordpress.org

    Please note, we have written up a FAQ to address most people’s concerns regarding plugin closures:

    * https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/#closed-plugins

    I’m sorry everyone’s having a tough time with this. I understand your frustrations. No one hates the plugin directory code more than me and Otto, though. We know it has a lot of room for improvement, and I hope you can be patient with us as the community works to fix it.

  • The topic ‘Is CFDB gone?’ is closed to new replies.