[wp-docs] Codex and the Comment Spam page
Owen Winkler
ringmaster at midnightcircus.com
Fri Nov 12 15:09:25 UTC 2004
Podz wrote:
> - This page leads to direct download links for code which people are
> going to load straight into their site. Given that this page is editable
> by anyone, I think this direct link is a Bad Thing. To that end, I'm
> going to mail the authors concerned and ask about any possibility of a
> static page in their space so the link can point there instead.
> People must have total confidence in what they are downloading, and I
> see this as a weak link. Thoughts?
Direct downloads are bad.
I'll edit my entry, if you like.
> - The Codex is getting its fair share of crap posted, and we don't need
> a Comment Spam page altering. I would prefer it was locked / protected /
> whatever.
When are we going to seriously consider requiring logins to modify
codex? It's a shame there isn't a moderation capability in MediaWiki
for non-logged-in user submissions.
> - I think any new code should be added after it has been posted first to
> the forums and in that subjected to some scrutiny / peer review. Again,
> we are saying - by virtue of the page - that this code is good (or do we
> allow links to anything? I'd say No) and so we must be able to trust
> the code. All it needs is someone to post bad code, someone to install
> it and WP will get the blame.
Well, I think a certification system for plugins is an idea that merits
consideration, but I don't see any reason to specifically target comment
plugins with this scrutiny without an organized and impartial
body/method to do so. One aspect of which should be that *ALL*
submitted plugins are reviewed, and not just the ones that are written
by high-profile coders. I digress.
Podz, what specific criteria were you thinking of using?
If the idea is that the codex is the voice of WordPress endorsing
certain plugins, then there really shouldn't be any plugins in codex but
the ones that come with the core. Look at it this way: Assume that a
plugin endures some testing and is "endorsed", but then months later a
huge previously unknown vulnerability is exploited. You're just asking
for more heat saying, "We endorse this," than if you'd said, "Use at
your own risk."
For that reason, I think that it might be better to do one of two things:
1) Toss all plugin references to a 3rd party. Rather than listing the
plugins themselves, list places that list plugins. There are at least a
couple of these places that I can think of. This works because those
places can also offer their own opinion on what they like, which won't
attach to the WordPress name at all.
2) Use a Giant Disclaimer and list *everything*. Make sure that it's
clear that WordPress takes no responsibility for that code (or any code,
really) doing Really Awful Things.
Where's that official centralized WordPress plugin repository? Oh, drat.
Crosspost to wp-hackers, or avoid the doom? Avoid the doom.
Owen