Tag Archives: drupal

WordPress security: the case for dependency management

Two things happened in the last week to spark this post: I gave the weekly “Show and Tell” at work on my favourite things about Drupal that I’d like WordPress to learn from (one of them should appear in 4.1, by the way), and yesterday a vulnerability was revealed in the still-popular TimThumb library used by many WordPress themes and plugins.

Dependencies

One of my favourite things about Drupal is that it lets theme and module developers declare dependencies. A few simple lines in the module’s .info file (Drupal’s rough equivalent of readme.txt) can specify that the module depends on other modules, and Drupal will recognise that, offering to install and/or enable those modules for you in order to meet those dependencies. For example:

dependencies[] = views
dependencies[] = rules
dependencies[] = features

That’s not all, though: Drupal also lets module developers declare required libraries in a similar way. Those libraries are then installed in a ‘libraries’ directory alongside the modules directory, where one copy can be shared by every module that needs it.

Duplicated Effort

By contrast, WordPress plugin and theme developers often have to bundle those libraries into their plugin or theme. The result, when a security issue like yesterday’s TimThumb exploit is revealed, is that each plugin and theme developer has to update their own project and push out an update individually, leaving users vulnerable until the developer gets round to it.

Instead, with a system like Drupal’s dependencies, once the library itself is updated, every installation could pull down that library update and secure the site without the plugin or theme developer having to lift a finger. Installs are secured more quickly and with minimal effort.
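To make the “duplicated effort” concrete, here is an added example (not code from the post, and not a WordPress or Drupal API) that audits a wp-content tree for bundled copies of a library and reports which copies are still behind a reference version. It assumes the library declares its version with a PHP define('VERSION', ...) line, as timthumb.php does, and it builds a throwaway sample install with made-up version numbers so it runs offline; the reference version is whatever the caller passes in.

```python
"""Audit a WordPress wp-content tree for bundled copies of a shared library.

Every copy found under plugins/ or themes/ is a separate file that has to be
updated by a separate developer, which is exactly the problem that a shared
dependency would remove. (Added example; the sample tree below is constructed.)
"""
import re
import tempfile
from pathlib import Path

# Matches a PHP line such as:  define ('VERSION', '1.2.3');
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9.]+)['\"]\s*\)"
)


def parse_version(text):
    """Return the declared version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def find_bundled_copies(wp_content, filename="timthumb.php"):
    """Map each bundled copy (path relative to wp-content) to its version tuple."""
    root = Path(wp_content)
    copies = {}
    for sub in ("plugins", "themes"):
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob(filename):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            copies[str(path.relative_to(root))] = parse_version(text)
    return copies


def outdated_copies(copies, fixed_version):
    """Copies below fixed_version, plus copies whose version cannot be read.

    An unreadable version is reported too: a fork with the version line
    removed still needs a human to look at it.
    """
    return sorted(
        path for path, version in copies.items()
        if version is None or version < fixed_version
    )


def build_sample_install():
    """Create a temporary wp-content tree with three constructed copies.

    The plugin names and version numbers are made up for the example.
    """
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    samples = {
        "plugins/gallery-plugin/timthumb.php":
            "<?php\ndefine ('VERSION', '1.2.3');\n",
        "plugins/slider-plugin/inc/timthumb.php":
            "<?php\ndefine ('VERSION', '1.2.4');\n",
        "themes/my-theme/scripts/timthumb.php":
            "<?php\n// forked copy with the version line removed\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def audit(wp_content, fixed_version):
    """Summarise how many copies exist and which still need an update."""
    copies = find_bundled_copies(wp_content)
    return {
        "copies": len(copies),
        "outdated": outdated_copies(copies, fixed_version),
    }


if __name__ == "__main__":
    sample_root = build_sample_install()
    # (1, 2, 4) is the constructed "fixed" version for the sample tree.
    report = audit(sample_root, fixed_version=(1, 2, 4))
    print(f"{report['copies']} bundled copies found under {sample_root}")
    for path in report["outdated"]:
        print("needs update:", path)
```

Run against a real install by calling audit() with the path to wp-content and the version that contains the fix; every path it prints is one more place the same patch has to land, which is the cost the post is arguing against.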

There are other benefits to a dependency system but I believe the security angle is by far the most compelling.

My suggestions above actually go a bit further than what Drupal offers at the moment, I believe, but a system that works as closely as possible to the existing plugin/theme system would be beneficial.

TimThumb, seriously?

Before you say it, yes, there is a better way to deal with TimThumb specifically. David Bisset put it best:

Thoughts?

Picture credit: The Colorful Library of an Interaction Designer by See-ming Lee

Could/should the WordPress Foundation do more?

Genuine question.

A couple of posts have caught my attention over the last week:

It got me thinking about the WordPress Foundation and whether it could do more to help promote WordPress. With 18.9% of the web powered by WordPress, you might think there is no need! You might be right.

As John points out, efforts from the likes of the WordPress.com VIP team and the Big Media & Enterprise WordPress meetups are great, but with much of that coming from Automattic and WordPress agencies, is there a case for pooling that effort to better promote WordPress more widely, and with more independence?

Already the Foundation gives enabling support to WordCamps, and it’s fantastic that we have so many. Here are some quick ideas, off the top of my head, for other promotional efforts the Foundation could* undertake:

  • WordPress sector champions who would work on promoting the use of WordPress in specific sectors, producing case studies, networking in those sectors, generating connections and leads for agencies and freelancers, and so on. Target sectors might include:
    • Enterprise
    • Education
    • Government
    • Retail
    • Journalism
  • Core support staff who would help with organising IRC chats, handling trac tickets, helping new contributors get started, and running/supporting contributor days. These could be either employed directly by the Foundation or seconded to it by agencies. (I have no idea if some of the work I’ve mentioned here is even required.)
  • Outreach people to help arrange things like Google Summer of Code and other as-yet-unspecified outreach projects aimed at getting folks engaged with WordPress.
  • A WordCamp team who would work with and support WordCamp organisers. Likely nothing/little needs to change on this point anyway.

Of course, all that would need funding, and I’m reminded here of the jQuery Foundation and its membership structure. Something similar for the WordPress Foundation may work, and would help those involved in WordPress feel that they are contributing not only to WordPress the project but also to the WordPress ecosystem.

What do you think: does that sound like a good idea, is it necessary, is it a terrible idea, or is it okay but could be done differently? Shout below!


* Not could as in could do now, but could do at some point, if the resource was available.