
WordPress.org

Welcome to the Meta Team!

The Meta team is responsible for maintaining and managing WordPress.org websites. Our work is mostly done on the meta trac. If you see a bug, file a ticket!

We’re currently working on these fine projects, with more in store.

Check out our handbook to learn how to get involved.

Contact

The meta team communicates on Slack, in the #meta channel.

Make WordPress.org


Security review of authentication tokens

For the Five for the Future project, I ended up writing some custom code for authentication tokens which are stateful, have (cryptographically secure) random values, and can only be used once.

Those tokens will be used by companies to manage their pledges, so if an attacker was able to obtain a token, they’d be able to change a company’s name, logo, description, etc., to something inappropriate, remove contributors from the pledge, and deactivate the pledge entirely.

The reasons why authentication tokens were chosen are documented in the commit, and additional background is available in issue #34 and PR #46.

Does anyone have any thoughts on the code, think there are any missing test cases, or see any other problems? If you think there’s an active vulnerability, please ping me privately or report it via HackerOne.

Props @timothyblynjacobs for pointing out that === was used instead of hash_equals(). Fixed in 35fa9932.
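
A sketch of the token properties described in the post above (stateful, generated from a CSPRNG, single use, compared with hash_equals() rather than ===), added here as an illustration. It is not the Five for the Future code; the class, its method names, the in-memory array and the pledge IDs are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed in-memory store standing in for per-pledge server-side state.
// All names here are hypothetical; this is not the project's implementation.
final class OneTimeTokenStore
{
    /** @var array<int, string> pledge ID => outstanding token */
    private array $tokens = [];

    // Issue a fresh token for a pledge, replacing any outstanding one.
    public function issue(int $pledgeId): string
    {
        // random_bytes() draws from the OS CSPRNG; 32 bytes = 256 bits.
        $token = bin2hex(random_bytes(32));
        $this->tokens[$pledgeId] = $token;
        return $token;
    }

    // Succeeds at most once per issued token, and only for the pledge
    // the token was issued to.
    public function redeem(int $pledgeId, string $candidate): bool
    {
        $stored = $this->tokens[$pledgeId] ?? null;
        if ($stored === null || $candidate === '') {
            return false;
        }
        // hash_equals() takes the known value first and compares without
        // stopping at the first differing byte, which === may do.
        if (!hash_equals($stored, $candidate)) {
            return false;
        }
        unset($this->tokens[$pledgeId]); // single use: burn on success
        return true;
    }
}

$store = new OneTimeTokenStore();
$token = $store->issue(42); // 42 is a constructed pledge ID

var_dump($store->redeem(42, str_repeat('0', 64))); // wrong value
var_dump($store->redeem(42, $token));              // first use
var_dump($store->redeem(42, $token));              // replay of a used token
var_dump($store->redeem(7, $token));               // token presented for another pledge
```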

Feature and maintenance update for WordCamp.org: July 16 – August 23 2019 edition

Here is a list of WordCamp.org feature developments and maintenance work that has been accomplished since the last update.

  • Shipped WordCamp blocks for all sites!
  • Refactored our client for the Meetup.com API to authenticate with OAuth 2.0 and use exclusively version 3 endpoints, just ahead of the platform’s hasty deprecation of API keys and v2 endpoints.
  • Made progress on an additional WordCamp Schedule block.
  • Made progress on improvements to WordCamp’s PWA plugin.
  • Reviewed/committed community contribution to fix a bug in the Attendees shortcode.
  • Fixed a problem that was preventing new sites from connecting to Jetpack.
  • Improved our ability to respond quickly to plugin security updates by making upgrade notices visible on production server, and setting up Composer dependencies.

#wordcamp

+make.wordpress.org/community

Next WordCamp.org ticket scrub on August 22nd, 2019

Oops! The ticket scrub scheduled for August 15th did not occur, so we’re trying again next week. This time the ticket scrub will happen on Thursday, August 22, 2019 at 05:00 PM UTC in the #meta-wordcamp channel.

The focus is on Meta tickets with the WordCamp Site & Plugins component.

Comment below if there’s a specific ticket or topic you’d like to discuss.

#wordcamp

+make.wordpress.org/community

Block Directory updates

Here’s a brief outline of the status of the various parts of the block directory project.

The design of the Block Inserter within Gutenberg has gone through detailed explorations and iterations. The installation flow has been handed off for implementation. There is still some ongoing discussion around how to handle missing blocks and other error states. Mel has also explored some ideas for managing blocks within wp-admin.

Block Inserter work in progress

Implementing the Block Inserter is in progress in the form of a pull request. Some internal architectural changes are underway, but that’s testable now by anyone able to run a Gutenberg local environment. The next major hurdle after re-architecting the code is fully implementing and testing the plugin install code.

The Block Directory itself exists in a minimal form within the Plugin Directory. There is a prototype API endpoint for searching by block name, and work ongoing to implement that properly with ElasticSearch. Plugin developers can submit block-only plugins to the directory by including a block.json file and reaching out to @tellyworth in Slack. We’ve also explored the feasibility of supporting GitHub for block plugins.

WordCamp.org Dev Update: June 18 – July 15, 2019

Here is a list of WordCamp.org feature developments and maintenance work that has been accomplished since the last update.

### July 2 – July 15

  • Pulled data for 2018 annual WordCamp report.
  • Improved contributor onboarding by creating new sample database for location environment.
  • Iterated on Git -> SVN sync.
  • Minor maintenance: fixing duplicate invoices, fixing caching bug, tested upstream PWA PRs for compatibility, installed plugin updates.

### June 18 – July 1

  • Rate limited penetration tests against CampTix.
  • Iterated on offline schedule and day-of-event template.
  • Drafted a plan to upgrade our Meetup.com API client to use OAuth and v3 endpoints ahead of their last-minute deprecation deadline.
  • Improved committer devex and onboarding process by switching the WordCamp.org repository from SVN to GitHub, and setting up fully-trusted SSL certs in Docker.
  • Minor maintenance fixes: Installed plugin updates, enabled responsive embeds, updated “Polldaddy” strings to “Crowdsignal”.

#wordcamp

+make.wordpress.org/community
