Publication of Custom-Developed Theme on WP.org

[kennyr87]

(I am Kenny Rogers, a webmaster at the Department of State. I manage a WordPress site deployed internally to State's Intranet.)

I am interested publishing a custom-developed theme and plugins to WordPress.org. Our site is currently published on State's Intranet, so everything's internal. The theme was built using Roots Sage and Bootstrap, so most of the code is already OS. There's just a few custom functions and theme files.

Anyone have experience making themes / plugins available to the WordPress (Drupal, etc) community? Thanks for your efforts with this.

[IanLee1521]

Hi @kennyr87 -- I'm responding without my work hat on, but I am Ian Lee, a developer from @LLNL

I wasn't involved, but I know that we have done little releases like this before; https://www.drupal.org/project/date_ap_style is one specific to the Drupal community I was able to find.

Did you have any specific questions I might be able to help with? I'm sure our processes are different, but I'll try to answer anything as best I can.

[kennyr87]

Thanks @IanLee1521. My main concern is to assure our IA people that our code does not create any identifiable risks to network security. What kind of processes do you have in place to review your packages for network or other security risks.

Always available at rogersk2@state.gov to share any documents. Thanks.

[alex]

@kennyr87 Hi, in order to maintain security of software and ensure it does not introduce any risks, there's as few things projects I work on do -- these aren't really specific to OSS vs. closed source though!

• Mandatory code review, all code is reviewed by another engineer on the project before it's incorporated (https://alexgaynor.net/2013/sep/26/effective-code-review/)
• Integrating static analysis tools into continuous integration
• Using webhooks to automatically notify relevant people if a pull request touches security sensitive code (https://speakerdeck.com/alex/the-cobblers-children-have-no-shoes-or-building-better-tools-for-ourselves)
• Making sure every developer knows about the security processes our team uses, e.g. never committing passwords or secrets to version control

[IanLee1521]

@kennyr87, I'm pretty sure that @alex just gave a much better answer than I could have... That said, I'm been interested in organizing (or contributing to) some kind of documentation that had those sorts of recommendations in it.

[johnmod3]

@kennyr87 can you ask you IA people what they need? get them involved ?

[kennyr87]

@johnmod3 our IA policy people said it's up to me, the application owner, to decide whether or not to release code as OSS. they seem to be more focused on risks associated with using software on DOS systems and not really with DOS publishing software.

so, i'll start with some of things @alex suggested and some things recommended on Stack Overflow. i'll also start a repo re @IanLee1521 suggestion to get some kind of documentation going on this.