Open jasonblewis opened 2 years ago
For this to work, we'd need either:
For a basic implementation of scenarios 1. & 2., the checksums would fail one of their main purposes. As the checksums would originate from the same third-party as the actual download, you'd need to be able to verify that third-party itself. Otherwise, anyone could easily spoof such a third-party vendor and provide a malicious version of the plugin together with the matching checksums.
For scenario 3., wordpress.org would need to provide some way of enforcing licensing/download restrictions, otherwise most vendors would refuse to upload their premium plugins.
This is not something the WP-CLI project can easily solve, and needs to be discussed at the ecosystem level. However, realistically, I see little hope for this being prioritised anytime soon...
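The provenance point above, as an added Python example that is not part of the wp-cli project or of this thread: a minimal per-file checksum verifier run over a constructed plugin directory, showing that local corruption is caught while a party that supplies both the files and the matching checksums passes verification unchanged. The file names and the manifest format are assumptions, not wp-cli's.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large plugin assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(plugin_dir: Path) -> dict:
    """What a vendor would publish: relative path -> sha256 for every file."""
    return {str(p.relative_to(plugin_dir)): file_sha256(p)
            for p in sorted(plugin_dir.rglob("*")) if p.is_file()}


def verify_checksums(plugin_dir: Path, manifest: dict) -> dict:
    """Report mismatched, missing and unexpected files relative to the manifest."""
    on_disk = build_manifest(plugin_dir)
    return {
        "mismatched": sorted(f for f in manifest if f in on_disk and on_disk[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in on_disk),
        "unexpected": sorted(f for f in on_disk if f not in manifest),
    }


def is_clean(report: dict) -> bool:
    return not any(report.values())


def demo() -> dict:
    """Three runs over a constructed plugin directory (sample content, not a real plugin)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "premium-plugin"
        plugin.mkdir()
        (plugin / "premium-plugin.php").write_text("<?php // constructed sample plugin\n")
        (plugin / "readme.txt").write_text("=== Premium Plugin ===\n")
        vendor_manifest = build_manifest(plugin)  # published by the genuine vendor
        clean = is_clean(verify_checksums(plugin, vendor_manifest))
        # Local corruption: a file changed and one added, vendor manifest unchanged -> caught.
        (plugin / "premium-plugin.php").write_text("<?php // modified on disk\n")
        (plugin / "extra.php").write_text("<?php // file not in the release\n")
        corrupted = verify_checksums(plugin, vendor_manifest)
        # Spoofed vendor: the same party ships the modified files AND matching checksums -> passes.
        spoofed = is_clean(verify_checksums(plugin, build_manifest(plugin)))
        return {"clean": clean, "corrupted": corrupted, "spoofed_passes": spoofed}


if __name__ == "__main__":
    print(demo())
```

The last run is the scenario the comment describes: checksums alone only bind files to whoever published the checksums, so the verifier has nothing to catch unless the publisher itself can be authenticated.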
@schlessera thanks for the clear explanation, and understood that it is an ecosystem level request that is unlikely to get priority any time soon. I'll just add that maybe a way for plug-in authors to cryptographically sign their plug-ins could be an approach? No idea how this could work in practice but I'm just putting it out there as an idea.
I moved this issue to wp-cli/ideas with state:unlikely.
If the infrastructure for premium plugin checksums is ever produced, this is something we could consider.
Alternatively, someone could implement this as a third-party package.
Feature Request
Describe your use case and the problem you are facing
When checking that no files have been corrupted using
wp plugin verify-checksum --all
it would be really nice if paid plugins were also checked. Currently my output looks like this:
Describe the solution you'd like
Please provide a way for plugin makers to also have their checksums checked. Ideally by registering an official set of checksums for the plugin and its versions?
PS. I love wp cli. Such an awesome tool. thanks for making it.