Opened 4 years ago
Last modified 5 months ago
#5744 new feature request
For plugins using release confirmation, email confirmation is not required to add/remove committers.
| Reported by: | wfmatt | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | highest omg bbq |
| Component: | Plugin Directory | Keywords: | |
| Cc: | | | |
Description
Currently the release confirmation for plugin releases will email all plugin committers a link with an access token to verify the plugin release is ready to go live. From a security perspective, a compromised wp.org account with commit access to a plugin won't be able to approve of a new plugin release without also having access to the account's email address. But the compromised account can add a committer account which they control to the plugin which bypasses this security feature.
Additionally, a compromised account can update the email address of the victim account without verification of the victim email address which would also bypass this feature.
There were a few features mentioned in the original ticket for this feature that I think would be good to include:
List item 5 here: #5352
Ideally, the committer who committed the release would not be able to be the sole person who approves the release as well, which would effectively make this always a 2+ person scenario. Maybe an exception would be the same person can sign it off, as long as it's not forcefully enabled for the plugin due to level of usage.
I saw some pushback in the discussion. I think this would be good to have even though it doesn't necessarily address this issue. I think making it configurable by plugin developers would help address some of the concerns. For instance, being able to set release confirmations to 2 approvals, but not be able to decrease that without involving the plugins or meta team.
List item 7:
Only those who have been a committer on a plugin for >1 week should be able to sign off a release. (Also, Committers should know when a new committer is added - #5351)
This would be good to include as a feature that would help to address this issue (or at least give developers time to get ahead of a potential compromise). I don't see it implemented anywhere in the confirmation code though. I do think having email confirmation for changes in commit access as well as updating the account email would be good to incorporate.
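A small policy model of the two #5352 items quoted above (commit access older than one week before signing off, and the release committer not counting as an approver under multi sign-off), added here as an illustration and not the plugin directory's own code; the `ApprovalPolicy` class, usernames and dates are constructed for the example. It walks through the bypass described in the ticket: a compromised account adds a new committer, and neither account can confirm the release on its own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TENURE_REQUIRED = timedelta(days=7)   # item 7 of #5352: committer for more than one week

@dataclass
class Committer:
    username: str
    added_at: datetime                # when commit access was granted

@dataclass
class Release:
    committed_by: str
    required_approvals: int           # 1 = single sign-off, 2+ = multi sign-off
    approvals: set = field(default_factory=set)

class ApprovalPolicy:
    """Hypothetical release-confirmation policy modelled on the ticket's proposals."""
    def __init__(self, committers):
        self.committers = {c.username: c for c in committers}

    def can_approve(self, release, username, now):
        c = self.committers.get(username)
        if c is None:
            return False, "not a committer"
        if now - c.added_at < TENURE_REQUIRED:
            return False, "commit access younger than one week"
        # Under multi sign-off the committer of the release is not counted as an approver.
        if release.required_approvals > 1 and username == release.committed_by:
            return False, "release committer cannot be an approver"
        return True, "ok"

    def approve(self, release, username, now):
        ok, reason = self.can_approve(release, username, now)
        if ok:
            release.approvals.add(username)
        return ok, reason

def scenario():
    # Constructed data: alice's account is compromised and has just added mallory.
    now = datetime(2022, 1, 1)
    policy = ApprovalPolicy([Committer("alice", now - timedelta(days=700)),
                             Committer("bob", now - timedelta(days=365)),
                             Committer("mallory", now - timedelta(hours=2))])
    rel = Release(committed_by="alice", required_approvals=2)
    results = {u: policy.approve(rel, u, now) for u in ("alice", "mallory", "bob")}
    results["confirmed"] = len(rel.approvals) >= rel.required_approvals
    return results
```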
Replying to wfmatt:
This is possible by contacting the plugins team, who can enable multi-sign-off. It's not able to be opt-in through the plugin admin as many plugin authors already enable single-sign-off "accidentally" despite the two warnings as they "want to see if it will actually enable".