#42255 closed enhancement (wontfix)
WP-Admin Notice: Plugin Contributor Change
Reported by: | Owned by: |
Milestone: | Priority: normal
Severity: normal | Version:
Component: Plugins | Keywords:
Focuses: | Cc:
Description
Software updates are wonderful, but sometimes a good plugin gets sold to a bad person (https://make.wordpress.org/meta/handbook/about/get-involved/learn-how-to-contribute-code/) who might then do bad things with it.
A simple way to help mitigate this would be to add a notice to the plugins and updates screens indicating if the remote contributor(s) differ from the locally-installed ones. That way users can take extra precautions before updating that they might not otherwise do.
This could either be done by caching the contributor values from routine plugins API calls (and handling differences as they happen), or by parsing that information from local copies of each plugin's readme.txt file.
The latter will probably be a bit more consistent (always local<->remote), particularly for users who only log in once per year, but I'll test both to see if there are any performance issues, etc., to weigh in.
I'll get an initial patch together soon. I just wanted to start a ticket for reference. :)
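The comparison the ticket proposes, as an added example that is not code from WordPress core, from the ticket author, or from the Lord of the Files plugin: it parses the `Contributors:` header out of a locally installed plugin's readme.txt, normalises the `contributors` field that the WordPress.org plugins API returns (assumed here to be an array keyed by profile slug), reports what was added or removed, and hooks an informational `admin_notices` callback when run inside WordPress. The `lotf_` prefix, the sample readme and the sample API response are constructed for the illustration; the network lookup is stubbed so the file also runs under plain `php-cli`.

```php
<?php
// Added illustration, not WordPress core or Lord of the Files code.
// Compares a plugin's locally installed Contributors header with the
// contributor list the WordPress.org plugins API reports for the latest
// release, and surfaces the difference as an informational admin notice.

/**
 * Extract contributor slugs from a readme.txt body.
 * The header looks like "Contributors: alice, bob". Slugs are lowercased,
 * trimmed and de-duplicated so whitespace or case changes do not count
 * as a contributor change.
 */
function lotf_parse_readme_contributors(string $readme): array {
    if (!preg_match('/^\s*Contributors:\s*(.+)$/mi', $readme, $m)) {
        return [];  // no header: nothing to compare against
    }
    $slugs = array_map(fn($s) => strtolower(trim($s)), explode(',', $m[1]));
    $slugs = array_filter($slugs, fn($s) => $s !== '');
    $slugs = array_values(array_unique($slugs));
    sort($slugs);
    return $slugs;
}

/**
 * Normalise the plugins API "contributors" field. Assumption: the field is
 * an associative array keyed by profile slug (the value shape, a profile URL
 * or an array with profile/avatar/display_name, varies by API version and is
 * ignored here on purpose).
 */
function lotf_normalize_remote_contributors(array $remote): array {
    $slugs = array_map(fn($k) => strtolower(trim((string) $k)), array_keys($remote));
    $slugs = array_values(array_unique($slugs));
    sort($slugs);
    return $slugs;
}

/**
 * Return ['added' => [...], 'removed' => [...]] when the two lists differ,
 * or null when they are identical after normalisation.
 */
function lotf_contributor_diff(array $local, array $remote): ?array {
    $added   = array_values(array_diff($remote, $local));
    $removed = array_values(array_diff($local, $remote));
    if ($added === [] && $removed === []) {
        return null;
    }
    return ['added' => $added, 'removed' => $removed];
}

/** Human-readable notice text for one plugin. */
function lotf_notice_text(string $plugin_name, array $diff): string {
    $parts = [];
    if ($diff['added'])   { $parts[] = 'added: '   . implode(', ', $diff['added']); }
    if ($diff['removed']) { $parts[] = 'removed: ' . implode(', ', $diff['removed']); }
    return sprintf(
        'The contributor list for "%s" differs from the latest release on WordPress.org (%s). '
        . 'Review the plugin before updating.',
        $plugin_name, implode('; ', $parts)
    );
}

// Constructed sample data: the installed readme and a hypothetical API response
// in which one long-standing contributor was dropped and a new one appeared.
$sample_local_readme = "=== Example Plugin ===\nContributors: alice, bob\nTags: demo\n";
$sample_remote_api   = ['bob' => ['profile' => 'https://profiles.wordpress.org/bob/'],
                        'mallory' => ['profile' => 'https://profiles.wordpress.org/mallory/']];

$diff = lotf_contributor_diff(
    lotf_parse_readme_contributors($sample_local_readme),
    lotf_normalize_remote_contributors($sample_remote_api)
);

if (function_exists('add_action')) {
    // Inside WordPress: render the notice on admin screens. A real
    // implementation would iterate get_plugins(), read each plugin's
    // readme.txt from WP_PLUGIN_DIR and fetch the remote side with
    // plugins_api('plugin_information', ['slug' => $slug,
    // 'fields' => ['contributors' => true]]).
    add_action('admin_notices', function () use ($diff) {
        if ($diff === null) { return; }
        echo '<div class="notice notice-warning"><p>'
           . esc_html(lotf_notice_text('Example Plugin', $diff))
           . '</p></div>';
    });
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone run for the reader.
    echo $diff === null ? "No contributor change.\n"
                        : lotf_notice_text('Example Plugin', $diff) . "\n";
}
```

The check is deliberately informational: it neither blocks the update nor claims anything about who holds commit access. The `Contributors:` header is declared by whoever ships the release, so a changed declaration is a prompt to look at the plugin's page and changelog, and an unchanged one is not proof that ownership is unchanged.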
Change History (7)
#2 (in reply to: ↑ 1)
@
7 years ago
- Summary changed from Security Notice: Plugin Contributor Change to WP-Admin Notice: Plugin Contributor Change
Replying to pothi:
We need to cover users who have enabled automatic plugin updates too.
Thank you! Initially I was looking for solutions that could present information, but only in cases where it wouldn't have to change a site operator's workflow. Do you have any ideas of how we could notify (without inconveniencing) users who perform fully automated updates?
Also, the title could have been more generic such as "Notice: Plugin Contributor Change" instead of "Security Notice: Plugin Contributor Change".
Ah, good call. :) I can see how "security" could be unhelpful. I updated the title to WP-Admin Notice: Plugin Contributor Change. This way it better conveys where and who.
#3
@
7 years ago
Do you have any ideas of how we could notify (without inconveniencing) users who perform fully automated updates?
Disclaimer: I am not a (regular) developer. So, I don't know the specifics. I believe this can be added depending on when and how we present the notice. If the notice is permanent until manually ignored by the user (such as by clicking the button "ignore this notice"), and if the notice is generated upon checking for plugin updates, then I believe we can put up a notice something like "the contributor/s for the plugin xyz has been changed when it switched from version 1.0 to 2.0. The currently installed version is 3.0. You may ignore this notice or know more at the plugin's WP.org repo".
The term "security" is what brought me here. :)
#4
@
7 years ago
For reference, a related ticket has been opened on the Meta side: https://meta.trac.wordpress.org/ticket/3207
#5
@
7 years ago
- Resolution set to wontfix
- Status changed from new to closed
The Meta half of this task has been WONTFIXed as they are in the middle of work on a broader auditing system.
The existing plugins_information API endpoint does provide contributors information, but would require separate calls for every plugin, and return a lot of unnecessary data in the process. As most users are unlikely to read such notices or understand them, this is no longer workable as an in-Core feature.
But that said, there is definitely value here for security-minded site operators. I'll move this functionality into the next release of [Lord of the Files](https://wordpress.org/plugins/blob-mimes/) instead.
Thanks, everyone!
#6
@
7 years ago
For people arriving late to the thread, this functionality has landed in Lord of the Files 0.7.0: https://wordpress.org/plugins/blob-mimes/
In the rare event a WP-hosted plugin's contributor list changes (the local copy shows different contributors than the latest release at WP), a notice like the following will appear on the Updates and Plugins screens:
It is informational-only and does not otherwise interfere with the update process. :)
#1
@pothi
Great idea!
We need to cover users who have enabled automatic plugin updates too.
Also, the title could have been more generic such as "Notice: Plugin Contributor Change" instead of "Security Notice: Plugin Contributor Change".