Mandy has a great idea with having text box widgets be nameable inside of the WordPress widgets area. If you add a Title, yes, they get shown as “Text: My Ad”, but then that “My Ad” title also gets displayed to the user. That’s really not what you want.
Disclosure: Mandy contacted us at the WordPress HelpCenter about this idea, and I suggested that she post it on the Ideas Forum.
Related: As a “WordPress Professional” now, I expect I’ll blog here a bit more going forward.
[Hi. I write here when it suits me.]
Jane’s post on setting the scope for future releases shows that WordPress’s process is continuing to mature. Notably:
- “Future release” goes away, and features will get slotted for specific releases.
- “As long as we’re not in freeze” goes away as a mentality.
- Project planning.
I have a prediction—the first few plans will suck! But that’s true of every project plan. [I know; I’m a project manager.] But I have hope that it will get better.
The embarrassing bug behind 2.9.1 getting so quickly moved out the door has me thinking about testing again. Before I expound on this topic, I find that I’d better just dive in before I sit here and pontificate…
As I look at the planned features for WP 2.7 as reported by Weblog Tools Collection, I’m having a few thoughts:
- I noted on the 27th that it made sense that WordPress would be hosting themes at wordpress.org/extend to allow for ease-of-upgrading, and it looks like a Theme Update API will help with that.
- Plugin management and overall WP upgrade management is improving. That’s a net win for everything WP-related, security most of all. [Same goes for themes.] Making users aware that software is due to be upgraded and making it easy for them to do so is what’s going to help solve WordPress’s reputation as a black-hat scammer’s favorite target.
- There’s still no love for an AJAX-ified TrackBack tool entry. It’s still “(Separate multiple URLs with spaces)”. Criminy.
- A side benefit of hosting the plugins on wordpress.org/extend is that the WP folks can see which plugins are truly getting the most use. It looks like things like comment threading, XML sitemap generation, and comment subscription are going to make their way into the core codebase. Now, there is an argument to be made that leaving these things to plugins is just fine—that WP’s core should have the absolute minimum number of functions involved, and that anything but basic functionality should be left to plugins. There are many arguments to be made for this philosophy pro and con, but I think that, at the end of the day, WordPress should bring in the most popular plugins into the codebase. Why? If it’s terribly popular, it’ll be seen as quasi-official, and anything that’s gotten that level of praise in the community needs to have a more stringent security review than relying on a third-party developer. Note: This is not a slam on 3rd party devs at all. It’s actually a praise—if you’ve gotten that popular, it’s a good thing. Now, one can argue whether WP’s security reviews and patches are stringent or swift enough [and the answer to that seems to be that there will never be a time when everyone is satisfied by either], but if WP brings it under the umbrella, they’re saying, “This is mission critical.” Also, it reduces user/administrator workload in keeping plugins up-to-date.
- All that said, it surprises me that Akismet is still a plugin and not a part of the core for this very reason, and I say that as an avid fan of Spam Karma, a financial contributor to same, and someone who considered, briefly, helping the GPL project along from a management / usability review perspective. [That’s before I told myself that I didn’t want to make the time for it.]
As WordPress progresses towards full maturity—right now, it’s out of college and in its first job, making lots of dough and acquiring lots of stuff—these are all good things. I’m still very much a happy WordPress supporter. :)
Well, my request for an agreeable openness went nowhere. :shrug: We have our WP 2.2.3, and it fixes the issues that Alexander and others raised. That is very good. Thanks, guys. And for the record, it was 16 days between notice and release. Very good.
Also, the news about the betas has been great. Beta 3 of WP 2.3 is the last one that’s going up, and the new version should drop on Mon 24 Sep [presuming it’s ready; if they miss the date, it’s not a big issue, eh?]. These are the questions I have about it, though:
- Will 2.2.x get any support if security holes are found? 2.1 didn’t, if you’ll remember from the 2.2 release notes, but the jump from 2.2 to 2.3 is going to cause some breakage, I think, and that always slows adoption. I’d hope that a reasonable amount of security support would be provided. I’m not expecting that it’ll be kept up forever, but for say, maybe, a month?
- Are we going to see a roadmap again? That was always fun. :)
Well, again we’ve got folks claiming to have found a remote SQL injection in WordPress, one that affects all versions. At least the discoverer, Alexander Concha, did the right thing: notifying the WP folks. He’s chosen not to disclose information about the hole, which means one of two things:
- It’s bogus.
- It’s heinous.
Because I’m weird and like to know about these things, maybe I should just ask Mark Jaquith about it, considering that he was great in discussing the WordPress “worm”. Matt’s probably still busy defending himself against straw men, anyway.
So, how about it, boys? Can you address the question? Or will it just be four weeks between notice and release without much comment otherwise? Yes, yes, yes, I imagine that I could look this up in Trac, but I’m an aerospace engineer, not a computer one; your PHP is as fuzzy to me as my Navier-Stokes equations likely are to you.
Lest you think that I am anti-Matt here, I’m not, because I think Duncan Riley was being an ass. Implicit in that comment is agreement with Mark Jaquith’s comments on the saga, especially:
Matt made a huge mistake by allowing [all the SEO-optimized crap on WordPress.org]. I was disappointed in him at the time, both personally and professionally. But he’s learned from that mistake. More than that, he’s led efforts to warn others about that kind of behavior. That’s what the whole “sponsored themes” thing was about. That’s what the Vanilla comment was about.
See, exactly. While I have butted heads with Matt, I always find him willing to listen. That’s why I’d buy him several, several beers if we ever ended up in Houston at the same time. [Note to self: next time you’re headed to JSC for work, ring Matt up.]
Back in July when I last wrote here, Matt asked:
What exactly do you want us to say?
If it’s important, then we’re working as fast as we can to get a release out and promote the heck out of it. (Think 2.1.1.) If we consider it low priority, then it waits for the next regular release, but we get raked over folks who think every little problem is the sky falling.
I think I’ll answer by saying, “What Mark posted about the WordPress Worm being bandied about is exactly what I want to see, Matt.” All I really want to see is, “Yeah, we see the bug; yeah, we’ve got a fix; no, it’s not that big of a deal.” If the bug-reporters have a disagreement with that, you’ve opened the floor for discussion, and as long as you’re cool in how you respond to the discussion and stick to the facts and don’t sling FUD about, things’ll be just fine.
There’s a vulnerability in WP 2.2.1. BlogSecurity is who brought it to my attention. After being burned by vulnerabilities before—and having gotten absolutely slammed over the weekend with HTTP requests—I worry about this security hole.
Note: Coblentz discovered the bug on 21 Jun and reported it on 22 Jun. When did WP reply? 5 Jul, three days after a second notification. Indeed, the first notification came the same day as Matt Mullenweg raked Wincent Colaiuta over the coals.
Getting people to upgrade web software is hard. We work as best we can with hosting companies, but a consideration is that it’s best to roll several security fixes into one release. It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.
Indeed, it is. In fact, it’s possible that there are other security fixes in the works for WP 2.2.2, ones that have been reported to the devs and not put out on SecurityFocus. Maybe WP 2.2.2 drops tonight. But in the meantime, I have a nagging worry and no response. Unsettling.