Feature #712
closedPlugin/theme request form
0%
Description
I would like to work up a more formalized procedure by which plugins and themes are added to the Commons.
I have a number of concerns related to this issue.
- Security. One lousy plugin/theme could potentially put all user data, and really the functioning of the whole site, at risk.
- Maintenance. When our users begin to use a plugin, and the developer of the plugin stops updating it, it means that the dev team is faced with a choice: find a way to get the plugin off the site (find a replacement, perhaps), or adopt and maintain the plugin ourselves. Both are extremely time-intensive, and we do not have an infinite amount of time.
- Support. Themes and plugins are inconsistent and often incompatible with each other. This means more support questions.
- Performance. This is especially a concern for plugins. If we have hundreds of plugins available, it makes it possible for users to activate many, many plugins at the same time, which can have an appreciable effect on our server resources if the site becomes popular.
There's not much of a process in place right now for adding stuff to the site. Only BuddyPress plugins are heavily vetted (because it affects the greatest number of users). I'm not so worried about these kinds of cases. On the other hand, in the case of non-BP plugins, I glance over the source code (looking for things like direct DB calls) and ensure that the plugin doesn't crash when activated. And for themes (especially ones that don't come from the WP repo) we run it through the Theme Check, which checks for malicious-looking code and some other technical things. These procedures are, to say the least, incomplete.
For that reason, I want to work up a document or two that will standardize the request and vetting process. I've listed some thoughts below about what such documents might look like. Matt and Scott, I've added you as watchers to see if you have any feedback regarding the requester questions. Ray and Ron, I've added you to see if you have any suggestions for the developer questions. This is totally off the top of my head, and is probably quite incomplete, so I'm anxious to hear some feedback. My comments are in brackets.
QUESTIONS FOR THE PERSON REQUESTING THE PLUGIN/THEME [generally this means Matt or a community facilitator]
- What's the name of the plugin/theme?
- [plugins] In a few words, what does it do?
- How is the plugin/theme different from what's already provided on the Commons?
- What's the potential impact? Who will use it?
- Who initially made the request? [sometimes Matt is passing along requests from members, sometimes suggesting something he found himself]
- Who is the plugin author?
- Say a little bit about the release history and popularity of the plugin. How many times has it been downloaded? When was it last updated? [The idea behind these last two questions is that I'm more likely to look favorably on plugins that are less likely to be abandoned]
QUESTIONS FOR THE REVIEWING DEVELOPER [generally me]
- Maintenance: Given the data above, how likely is it that the plugin is going to be abandoned by the developer?
- Security: Scan for XSS and DB vulnerabilities [How? Is there a better way than doing it by hand? Anyone have a script that greps for things like 'echo $' and "INSERT "? I chatted a bit with Mark Jaquith in Phoenix and it sounds like he just has a list of things he searches for. Maybe we should invest in writing something.]
- Redundancy: If this plugin/theme does something that plugins/themes on the site already do, is there enough reason to put it on anyway? Maybe we should migrate users from the older plugin/theme to the new one? How hard would that be?
- Themes: What are the results of the Theme Check? Many of the 'required' warnings I don't care much about - they are wordpress.org nitpicks. But consistent calls to deprecated functions, for instance, could indicate something about the quality of the theme.
Thanks in advance for your help brainstorming, everyone.