Forum Update Status (Sept 5)

Summary: A great many things have been improved. Paramount was getting the data over (done!), syncing review stars with their new post IDs (done), and making the forums run faster (in progress).

Support Forums Upgrade Status (2016/09/05):

Please note: There was no way to actually test this properly before moving over, so while this is frustrating for everyone, the moderators have had to be quite aggressive in deleting repetitive reports of what’s broken. If you’ve found something that isn’t on the bugs and broken things list, please leave a reply there. Otherwise the answer is “As soon as we can get it done, it’ll be done.”

If you want to be super helpful, please make sure your fellow developers read the posts 🙂

#forums

Plugin Reviews Disabled (And More about the Support Forums)

Reviews will be broken until about September 5.

This is directly related to the support forum maintenance.

Per @jmdodd:

We’ll do our best to keep this window short, but for now the choice was between closing reviews for 4 days or closing all of the support forums for 24 to 48 hours.

The Meta team felt (and I personally agree) that it is far more important to have support forums than the reviews. And the support forums were unsustainable. So while this is a wrench in your plugins, it’s far far better than no forums at all for Labor Day Weekend.

Updated Sept 2 0233

From @otto42

Consider this an announcement: all plugin/theme connections to the forums are currently considered broken. We expected that. It will take a few days to restore this, and that’s considered acceptable losses, for now. We will be working to fix these issues over the next few days, and it will be corrected as we get to it. In other words, we are aware of the issues and working to fix them.

Updated Sept 2 1628

You may have noticed you can’t do some things in the forums anymore. This is known. Please read Forum Bugs and Broken Things before you complain. Here’s a list of what you’re probably trying to figure out. ALL of these are being working on. Don’t fret. Enjoy your weekend.

  • Plugin authors can’t sticky
  • Plugin committer/author support views don’t work
  • Plugin authors can’t resolve threads
  • Pinned topics are unpinned in plugin forums
  • Plugin Authors aren’t labelled as Plugin Authors
  • Cannot subscribe to plugin forums

#forums, #reviews

Reviewing the Revamped Guidelines

Thank you everyone for being patient about this.

This summer was spent re-writing and editing and tweaking the guidelines. I ripped them down, sat and spelled out what they meant, then I rewrote them to be more clear. Then I got the plugin review team to review the changes. Then I had a group of people at WCNYC Contributor Day review them.

Finally, I moved it all to a GitHub repo and started to ask smaller groups to review it. Then we had a quick rebranding and that all brings us here.

I would like everyone in the community to read these proposed updates to the Plugin Directory Guidelines.

WordPress.org Plugin Guidelines

At the risk of sounding trite, pull requests and issues are welcome.

If you feel a guideline’s explanation is unclear, please create an issue or a pull request with what you feel should be changed and why. All grammar/spelling corrections are greatly welcome. We’re trying to write these for all levels of developers, as well as people who may not speak English proficiently. Using words like ‘obsequious’ should be avoided (nb: That’s mostly to me who uses those words regularly).

All feedback should be opened as issues in the tracker.

Let the games begin!

#directory, #guidelines

COMPLETED! Upcoming Maintenance Window for Plugins SVN

Hello plugin authors!

We will have a maintenance window for the plugins SVN repository from August 31, 20:30 UTC through September 01, 00:30 UTC (four hours total). During this time, plugin authors will not be able to commit to the SVN repository.

This post on the WordPress.org status page will be updated when the maintenance window is complete.

Edit: Maintenance has been completed, and the plugins SVN is available for commit once again.

#maintenance, #svn

WordPress Plugin Directory

The WordPress Plugin Repository is rebranding as the WordPress Plugin Directory.

As “directory” refers to the entire plugin hosting service (the site, VCS, etc) and “repository” conventionally refers more specifically to just a VCS (such as GitHub, SVN, etc), we feel this will be less confusing and more in-line with the other aspects of WordPress.org.

We’re in the process of updating all our documentation. I believe I’ve updated all the documentation. Can I nap now?

#directory

Facebook Changed Sharing Counts

Today, Facebook released version 2.7 of their API and changed the manner in which shared posts are counted.

That would have been okay, except they also turned off the part of the 1.0 API (the one that didn’t use versions in their URLs because who needed that?) and blindsided everyone. Reading the Facebook Dev Changelog didn’t make that any more sensible to me either. But what I can tell you is here are some affected plugins/services:

  • Jetpack: https://github.com/Automattic/jetpack/pull/4879
  • Genesis Simple Share Buttons: https://wordpress.org/support/topic/facebook-share-counts-not-showing
  • SharedCount: https://www.sharedcount.com/notes/facebook_api_shutdown.php

Anyone who has a plugin (or theme) with sharing buttons that count MAY be affected. If someone can come up with a way to scan the repository for impacted plugins, let me know and I’ll be happy to do that and email as many of them directly as we can.

#api, #boom

Plugin Directory Revamp Meeting Today

Plugin Directory Chat Agenda

This is _not_ a meeting about the plugin review process or guidelines. This is only about the revamp.

#directory, #reminder, #repository

Status on the Plugin Repo Revamp, Guidelines, and Handbooks

First off, please read Obenland’s post on the repo:

Plugin Directory v3: Next Steps

Obviously we have a long way to go.

As for the Guidelines, I wanted to be done and ready to release them to everyone before 4.6 dropped, but I’ve been using small focus groups at WordCamps first. This resulted in a lot of small changes that I want to take the time to go over with the Plugin Team before I unleash it to the world for nitpicking. A huge amount of thanks goes to @courtneydawn @logankipp and @lunacodes for being my first run of editors!

As we clean up the aftermath of the 4.6 emails (you have no idea…), I’ll be pinging people whom I know to be good copyeditors and have mentioned wanting to help before. If you think that’s you, please leave a comment here. I won’t be asking everyone as I’ve found that to be overwhelming for me to be able to process, so please don’t take it personally. Once I have it mostly good, I’ll flip it from Google Docs to a Git Repo and people can pull request!

Also a handbook! Oh me oh my I’ve been writing one! And I’m almost ready to ask Sam to flip the switch for it. It’s sparse and will need lots of attention too.

Thank you everyone for understanding the crazy that goes on with all this, and for being patient. It’s been a long 7 months for me working on all this.

#directory, #guidelines, #repository

Reminder: WordPress 4.6 is imminent. Are your plugins ready? (also make sure your email is valid)

The email went out last night to everyone with commit access to a plugin.

After testing your plugins and ensuring compatibility, it only takes a few moments to change the readme “Tested up to:” value to 4.6. This information provides peace of mind to users and helps encourage them to update to the latest version.

For each plugin that is compatible, you don’t need to release a new version — just change the stable version’s readme value.

Looking to get more familiar with 4.6? Read this roundup post on the core development blog to check out the changes made to register_meta(), native fonts, persistent comment cache, Customizer APIs, WP_HTTP API, and much, much more: https://make.wordpress.org/core/2016/07/26/wordpress-4-6-field-guide/

Thank you for all you do for the WordPress community, and we hope you enjoy 4.6 as much as we do.

Also, as we’ve been warning for the last two cycles, some plugins have been closed. It’s a requirement that we be able to contact you. We’ve also been pushing back on auto-replies, since they make it impossible for us to tell if there’s a human reading. Frankly, based on the content of the auto-replies, this is the cycle we see:

We email you and receive an auto reply of “A support ticket has been created…” We email a warning “Hey, please remove us from this auto reply…” and we get another auto reply. We don’t reply to that one, but 3 months later when we send another email, the cycle starts anew. This tells us that you are not actually reading your support emails. Which means we have no way to contact you (and your users probably hate you, just FYI). So this time, plugins have been closed.

Your plugin has been closed (or you were removed from a plugin) based on the following criteria:

  • If you have auto-replied to our ‘Are your plugin ready?’ email 4+ times, and your plugin has not been updated in 2+ years
  • If your email bounced
  • If your auto-reply says “I’m on vacation until…” and it’s a invalid future date (example: someone’s out of office said they’d be back August 2014…)
  • If your auto-reply said you no longer work at a company
  • If your auto-reply says the company no longer exists

If the only valid emails for the plugin meet those criteria, the plugin was closed. If it was only one committer, they were removed and everyone else was emailed and notified.

In all cases we absolutely emailed each and every one of you. I did it myself. I directly contacted over 80 plugins about this situation and expressly told them if their plugins were closed or if people were removed, and why.

If you find your plugin was closed and you didn’t get an email, check spam, because they were all sent. Even to people who auto-replied. Which was really annoying.

#notice, #reminder, #updates

Security Alert: Httpoxy

You may have heard about this already. Even so, please read this post. Normally we email all possibly impacted developers directly. In this case, trying to generate a list gave me over 6 gigs of results. I trimmed it down, but given the volume of people using Guzzle and possibly using suspect code, it was more straightforward to post an alert.

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability.

You can read about the entire situation on httpoxy.org. While the fix is, as most are, a server one, all developers should be aware of this.

Don’t bother doing the following:

  • Using unset($_SERVER['HTTP_PROXY']) – it does not affect the value returned from getenv(), so is not an effective mitigation
  • Using putenv('HTTP_PROXY=') – it does not work either (to be precise: it only works if that value is coming from an actual environment variable rather than a header – so, it cannot be used for mitigation)

You can prevent and mitigate some of this in your code. Read up on httpoxy Prevention.

#security