Opened 3 months ago
Last modified 3 months ago
#62202 new feature request
allow plugin versions to be flagged as security updates
| Reported by: | oliversild | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | close |
| Focuses: | coding-standards | Cc: | |
Description
With the Cyber Resilience Act expected to become law in the European Union sometime in Q4 2024, we should take some steps early on to make it easy for plugin and theme developers to comply.
One of the specific requirements of the CRA is to release security updates separately from functional updates. This allows end users to quickly patch security issues without needing to go over the rest of the changes, which may have compatibility issues or breaking changes.
Making it possible for plugin developers to flag a new version as a "security update" not only helps communicate security updates to end users better, but also creates a new capability for end users to turn on automatic updates for security updates only.
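The "security updates only" auto-update capability the description asks for could be wired in on the site side through the existing `auto_update_plugin` filter. The following is an added example, not code from this ticket or from WordPress core: the `security` property on the update object is a hypothetical flag assumed for illustration (it does not exist today), while the patch-level fallback relies only on data core already provides in the `update_plugins` site transient.

```php
<?php
/**
 * Added example (not from the ticket or from WordPress core): opt a site into
 * automatic plugin updates only for releases flagged as security updates.
 *
 * Assumption, labelled as such: the update object handed to the real
 * 'auto_update_plugin' filter is assumed to carry a boolean `security`
 * property once a feature like this lands. No such property exists yet.
 */

add_filter( 'auto_update_plugin', 'example_auto_update_security_only', 10, 2 );

/**
 * @param bool|null $update Core's current decision for this plugin.
 * @param object    $item   Update object (slug, plugin, new_version, ...).
 * @return bool|null
 */
function example_auto_update_security_only( $update, $item ) {
    // Hypothetical flag proposed in this ticket: always auto-apply.
    if ( ! empty( $item->security ) ) {
        return true;
    }

    // Fallback until such a flag exists: auto-apply only patch-level bumps
    // (same major.minor), the closest proxy for a "security only" release
    // train that existing core data can express.
    $transient = get_site_transient( 'update_plugins' );
    $installed = null;
    if ( is_object( $transient ) && isset( $transient->checked[ $item->plugin ] ) ) {
        $installed = $transient->checked[ $item->plugin ];
    }

    if ( $installed && isset( $item->new_version )
        && example_is_patch_level_bump( $installed, $item->new_version ) ) {
        return true;
    }

    // Anything else: leave the per-plugin setting the site owner chose untouched.
    return $update;
}

/**
 * True when $candidate is a newer release on the same major.minor line as
 * $installed (e.g. 2.3.1 -> 2.3.4, but not 2.3.4 -> 2.4.0).
 */
function example_is_patch_level_bump( $installed, $candidate ) {
    $a = explode( '.', $installed );
    $b = explode( '.', $candidate );
    if ( count( $a ) < 2 || count( $b ) < 2 ) {
        return false;
    }
    return $a[0] === $b[0]
        && $a[1] === $b[1]
        && version_compare( $candidate, $installed, '>' );
}
```

Returning `$update` rather than `false` on the non-matching path matters: the filter runs for every pending update, so returning `false` would silently disable auto-updates a site owner had already enabled per plugin. The patch-level heuristic is only a proxy; a plugin that ships its security fix as a minor bump would still be left to the existing setting.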
Attachments (1)
Change History (6)
#3 (3 months ago)
- Keywords close added
Hi @oliversild,
Welcome to Trac!
Though this adds a bit more of a modern take by expanding the plugin auto-update feature, this seems like a duplicate of #57280.
There's also #3428, which is similar but not specifically meant for security updates.
I looked and I could not find a corresponding Meta ticket spun off after #57280, so that is still needed. I'm leaving this open to confirm that this is a duplicate, and allow for the meta ticket to be created before closing out.
#4 (3 months ago)
Thanks for the ticket.
I support this proposal; however, the first step for this implementation should probably happen on the WordPress.org side, in meta.trac.wordpress.org, to choose a direction (for example, determine a specific commit message pattern).
#5 (3 months ago)
Hey! I pitched a plugin release page in this meta ticket: https://meta.trac.wordpress.org/ticket/7783
As mentioned in the description, I think this is a logical place to disclose security notices to authors, and it also seems like a logical place for authors to flag versions as security updates.
If this is going into consideration, perhaps a good place UI-wise is the plugin release management dashboard located at https://wordpress.org/plugins/developers/releases/