• This plugin seems pretty good, but it feels pretty unsafe to bundle binaries with it. How do I know that I can trust your binaries and that they’re not trojans? I can delete the binaries and get known good copies by compiling them myself or through my operating system’s package manager, but they’ll just come back when the plugin is updated. I (and many others) would prefer if the plugin didn’t come with any binaries at all, and they were available as an optional download.

    https://www.ads-software.com/plugins/ewww-image-optimizer/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nosilver4u

    (@nosilver4u)

    And many more than you don’t even know what a binary IS, let alone how to compile it. There is an option on the advanced tab that explicitly lets you disable the bundled binaries and use the ones you’ve installed on the system. And how do you know you can trust them? Because 100,000+ other people do.

    Thread Starter Daniel15

    (@daniel15)

    The thing is that I installed all the dependencies myself, and don’t even want the bundled third-party binaries on my system. They’re just extra risk. Number of users is not a good measure of trust (see Hoverzoom, Hola). The bundled binaries are not verifiable; there’s no way to tell if someone has uploaded a plugin update containing malicious versions of the binaries.

    What if you made it an optional step after installation? “The required binaries were not detected on your system, click here to automatically install them”. Users that don’t know how to compile them could use the automated version.

    Plugin Author nosilver4u

    (@nosilver4u)

    The recommendation from the WP plugins team was that they should be included with the plugin, and I have no plans to change that, sorry.

  • The topic ‘Make bundled binaries optional’ is closed to new replies.
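
Added example, not part of the thread and not the plugin's own code: one way to act on the concern raised above that bundled binaries can change or reappear with a plugin update. It records a SHA-256 for each native executable under a plugin directory and diffs that inventory after an update; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Leading magic bytes of native executables: ELF, PE ("MZ"), Mach-O variants.
# (0xCAFEBABE also matches Java class files; treat hits as "review this file".)
MAGICS = (b"\x7fELF", b"MZ", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
          b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

def inventory(plugin_dir):
    """Map relative path -> SHA-256 for every native executable under plugin_dir."""
    found = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(MAGICS):
                rel = os.path.relpath(path, plugin_dir)
                found[rel] = hashlib.sha256(data).hexdigest()
    return found

def diff_inventory(baseline, current):
    """Return (added, removed, changed) relative paths between two inventories."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed sample: a fake plugin tree before and after an 'update'."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "binaries"))
        def put(rel, data):
            with open(os.path.join(d, rel), "wb") as fh:
                fh.write(data)
        put("plugin.php", b"<?php // not a binary\n")
        put(os.path.join("binaries", "tool-a"), b"\x7fELF" + b"\x00" * 16)
        before = inventory(d)
        # Simulated update: tool-a is replaced and a new binary appears.
        put(os.path.join("binaries", "tool-a"), b"\x7fELF" + b"\x01" * 16)
        put(os.path.join("binaries", "tool-b.exe"), b"MZ" + b"\x00" * 16)
        return before, diff_inventory(before, inventory(d))

if __name__ == "__main__":
    before, (added, removed, changed) = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```

A changed or added entry only shows that a binary differs from the recorded baseline; whether the new file is trustworthy still has to be established separately.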