Back to the real reason why Permalink Redirect 2.0 was released. When you visit your WordPress’ plugin manager page, and see the following notice…

… do not click on “upgrade automatically”. Let me repeat, Do Not Click on Upgrade Automatically. Because if you do, you will not be upgraded to Permalink Redirect 1.0, but rather a completely different plugin will be installed.
Over the past week I have been notified by a few people about strange behaviour after they let the WordPress Automatic Plugin Upgrade upgrade their Permalink Redirect plugin for them. Instead of getting an upgrade, another plugin of the same name, Permalink Redirect by Joost de Valk, was installed. It has been asked on the WordPress support forum, and it turns out that Joost’s plugin has registered the slug “permalink-redirect” on WP’s plugin directory, which I assume is where the version number is checked. So when Joost bumped the version number to 1.0 a few days ago, suddenly everyone with Permalink Redirect installed got that automatic upgrade option…
Here is what I have posted on WordPress.org regarding this issue, and so far there is no response.
Hi. This is an issue recently raised by users of one of my WordPress plugins.
I wrote Permalink Redirect back in 2005 to solve the issue of canonical permalink URL, and it has been downloaded many times and installed on many WordPress sites. Its core functionality has been integrated into WordPress 2.5 although it is now doing a bit more than just fixing the permalink. Currently the version in my own Subversion repository is 0.8.5 and is compatible with WP 2/2.5/2.6.
Then one of my users notified me that when he visited the plugin management page, the Permalink Redirect plugin had been marked as having a new version available. The user was given the option to download or upgrade it automatically. To his horror, after the upgrade my plugin was no longer installed, and a completely different plugin with the same name but a different author was installed and activated.
Doh.
Now my question is, how can two totally independent plugins with different authors and different plugin URLs be allowed to be replaced by one another? Moreover, I would like to know whether there’s any solution in this situation.
Cheers,
Scott
Being able to replace someone else’s WordPress plugin almost-automatically by registering the same name on WordPress.org — this is a serious issue. While the code is hosted on WordPress.org, I do not think the code is audited by Automattic/WordPress developers. There is one scenario — what if offending code that automatically inserts spammy links into all your posts gets automatically pushed to the end user? And I won’t even talk about worse or more evil scenarios.
I do not think two independent plugins sharing the same name is an issue (although I do suggest that you do a Google search before you start writing a new one). It is also partly my fault for not registering mine with WordPress.org (but why should it be centrally organised?) Anyway. Make sure you check very carefully before clicking on “upgrade automatically”, or disable the automatic upgrade altogether.
And the reason for Permalink Redirect 2.0? So it will be greater than 1.0 and you won’t be bothered by WordPress’ “kind reminder” that you need to “upgrade”. Until Joost releases his next upgrade as Permalink Redirect 2008…
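The collision described in this post, as an added example (not code from the post, from WordPress or from either plugin): a Python model of an update check keyed only on slug and version, next to one that also compares the author and plugin URI read from the installed file's header. The directory record, both plugin URIs and all function names are constructed for illustration.

```python
import re

# Constructed header of the installed plugin file (the URI is a placeholder).
INSTALLED_PHP = """<?php
/*
Plugin Name: Permalink Redirect
Plugin URI: http://example.org/scott/permalink-redirect/
Version: 0.8.5
Author: Scott Yang
*/
"""

# Constructed directory record for the slug named in the post.
DIRECTORY = {"permalink-redirect": {
    "version": "1.0", "author": "Joost de Valk",
    "plugin_uri": "http://example.org/joost/permalink-redirect/"}}

def parse_header(php_source):
    """Read 'Key: value' fields from a plugin file's header comment."""
    pairs = re.findall(r"^[ \t*]*([A-Za-z ]+):[ \t]*(.+?)[ \t]*$", php_source, re.M)
    return {k.strip().lower().replace(" ", "_"): v for k, v in pairs}

def version_tuple(version):
    return tuple(int(part) for part in re.findall(r"\d+", version))

def name_only_check(installed, slug, directory):
    """Behaviour the post describes: match on slug, then compare versions."""
    entry = directory.get(slug)
    return entry is not None and version_tuple(entry["version"]) > version_tuple(installed["version"])

def identity_check(installed, slug, directory):
    """Accept the update only if author and plugin URI match the installed copy."""
    if not name_only_check(installed, slug, directory):
        return (False, "no newer version listed")
    entry = directory[slug]
    bad = [f for f in ("author", "plugin_uri") if installed.get(f) != entry.get(f)]
    if bad:
        return (False, "identity mismatch: " + ", ".join(bad))
    return (True, "same plugin, newer version")

if __name__ == "__main__":
    installed = parse_header(INSTALLED_PHP)
    print(name_only_check(installed, "permalink-redirect", DIRECTORY))
    print(identity_check(installed, "permalink-redirect", DIRECTORY))
```

With the installed version set to 2.0, `name_only_check` returns `False`, which is the workaround the post describes.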
Let me make clear that it was absolutely NOT my intention to do this! We’ll have to find a way to make this system a bit more robust :)
OK, I counted…. I upgraded 47 plugins on eight sites today with no problems anywhere.
Out of the WordPress 2,571 available plugins, I think it may be prudent for you to cite more examples of your “alert” before claiming this as a potential epidemic.
I’m not discounting that the problems you mention are needing attention, but to state “Let me repeat, Do Not Click on Upgrade Automatically” might be a bit of an overreaction at this point.
@Pablo — when I said “Do Not Click Upgrade Automatically”, I am talking about my specific example of Permalink Redirect because you would be upgrading to Joost’s plugin instead of mine.
Now, Joost is a nice guy who is willing to work around now, and his plugin is so different from mine that my users picked up the difference straight away so we are sure there are no sneaky activities around.
Imagine it is Joost’s evil twin (sorry Joost!), who grabbed my plugin and added his code to turn all infested WordPress installations into part of his evil botnet that DDoSes websites that he has blackmailed for a ransom. Everything still points at me as “Permalink Redirect 2008” on WordPress.org still has “Scott Yang” all over the place, and most people who automatically upgraded have no idea as it appears functional… Meanwhile the Australian Federal Police knock on my door for committing cyber crime.
Now. You have automatically upgraded all 47 plugins. Did you check whether they are genuine and they all came from the original author?
Why doesn’t the WordPress repository generate a guid for its plugins, then require that to be added as a key in the plugin file? That would then be what your blog looked for in the repository when it goes to upload.
@Glenn — indeed, and I think you can compare that with Firefox add-on auto-updates. First of all, you shouldn’t need to host your plugin with WordPress but something like updateURL directive can be added to direct WordPress installs to find where the new update is.
Then updates must be signed with a unique key so that if the 3rd party repository has been compromised, they would not be able to tamper with the binary zip files.
Now that you’ve added your plugin to the repository, has the problem gone away?
@Matt
Nope, it’s still updating to Joost de Valk’s Permalink Redirect plugin.
Sounds freaky. Will need to be careful and double check henceforth after upgrading to see if it is indeed the plugin that I had before. Thanks for the update.
Hello,
I have installed your plug-in but reflected problems with rss feeds unfortunately no longer reachable at http://miosito.com/blog/feed
How can I fix this?