Make WordPress Core

Opened 3 months ago

Last modified 3 months ago

#62202 new feature request

allow plugin versions to be flagged as security updates

Reported by: oliversild
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: close
Focuses: coding-standards
Cc:

Description

With the Cyber Resilience Act estimated to become a law within the European Union somewhere in Q4 2024 - we should take some steps early on to make it easy for plugin & theme developers to comply.

One of the specific requirements from the CRA is to release security updates separately from functional updates. This allows the end-users to quickly patch security issues without the need to go over the rest of the changes, which may have compatibility issues or breaking changes.

Making it possible for the plugin developers to flag a new version as a "security update" helps to better communicate security updates to the end-users, but also creates a new capability for the end-users to turn on automatic updates for security updates only.

Attachments (1)

image.png (23.3 KB) - added by patchstack 3 months ago.


Change History (6)

#1 @patchstack
3 months ago

If this is going into consideration, perhaps a good place UI wise is the plugin release management dashboard located at https://wordpress.org/plugins/developers/releases/

@patchstack
3 months ago

#2 @oliversild
3 months ago

Within the core, we can then add an option to enable Security auto-updates separately from the general plugin updates. https://i.imgur.com/IWHuSLb.png

We have that option for the core updates already, so I expect we have that capability/flagging for core already?
https://i.imgur.com/wUEMnxe.png
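One way the "security auto-updates only" option described in the comment above could be wired into core's existing auto-update decision. This is an added example for this ticket, not code from WordPress core or from any commenter: it hooks the real `auto_update_plugin` filter (which receives core's decision and the update item from the plugins API), but the `security_update` property on the update item and the `example_security_only_auto_updates` option name are assumptions, since the ticket does not define how a flagged release would be represented.

```php
<?php
/**
 * Added example, not part of the ticket or of WordPress core: restrict plugin
 * auto-updates to releases flagged as security updates.
 *
 * Assumptions (hypothetical, not defined by the ticket):
 *  - the update item from the plugins API carries a boolean `security_update`
 *  - the admin's choice is stored in the option `example_security_only_auto_updates`
 */

/**
 * Decide whether one plugin update may be installed automatically.
 *
 * Runs on the existing `auto_update_plugin` filter, which core applies per
 * plugin in WP_Automatic_Updater::should_update().
 *
 * @param bool|null $update Core's own decision for this plugin (true = auto-update).
 * @param object    $item   Update item: slug, plugin, new_version, package, ...
 * @return bool|null        Final decision handed back to core.
 */
function example_security_only_auto_update( $update, $item ) {
    // Plugins that core already decided not to auto-update stay that way.
    if ( ! $update ) {
        return $update;
    }

    // Without the opt-in, keep core's behaviour unchanged.
    if ( ! get_option( 'example_security_only_auto_updates', false ) ) {
        return $update;
    }

    // Hypothetical flag: a release that is not explicitly flagged is treated as a
    // functional release and left for manual review.
    $is_security = ! empty( $item->security_update );

    if ( ! $is_security ) {
        error_log( sprintf(
            'Auto-update skipped for %s %s: release not flagged as a security update.',
            isset( $item->slug ) ? $item->slug : 'unknown-plugin',
            isset( $item->new_version ) ? $item->new_version : ''
        ) );
    }

    return $is_security;
}
add_filter( 'auto_update_plugin', 'example_security_only_auto_update', 10, 2 );
```

Because the filter runs per update item, a site can stay on a plugin's current functional line while still receiving flagged security releases; anything not flagged is logged rather than silently dropped, so the admin can see what was held back.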

#3 @desrosj
3 months ago

  • Keywords close added

Hi @oliversild,

Welcome to Trac!

Though this adds a bit of a more modern take by expanding the plugin auto-update feature, this seems like a duplicate of #57280.

There's also #3428, which is similar but not specifically meant for security updates.

I looked and I could not find a corresponding Meta ticket spun off after #57280, so that is still needed. I'm leaving this open to confirm that this is a duplicate, and allow for the meta ticket to be created before closing out.

#4 @audrasjb
3 months ago

Thanks for the ticket,

I support this proposal; however, the first step for this implementation should probably happen on the WordPress.org side, so in meta.trac.wordpress.org, to choose a direction (determine a specific commit message pattern, for example).

#5 @dufresnesteven
3 months ago

Hey! I pitched a plugin release page in this meta ticket: https://meta.trac.wordpress.org/ticket/7783

As mentioned in the description, I think this is a logical place to disclose security notices to authors, and it also seems like a logical place for authors to flag versions as security updates.
