WordPress plugin developers will begin receiving commit notification emails


Following yesterday’s events, an update has been pushed to the WordPress.org plugin SVN system. All commits made to an author’s plugins will now be emailed to that author, both for convenience and as an added security measure.

If you have ever subscribed to email notifications from the core WordPress Trac system (for commits), you will recognize the kind of notifications the new system sends (pictured above).

WordPress core developer and Audrey Capital’s Tech Ninja Andrew Nacin posted the news to the WordPress dev blog, along with a security reminder:

And not to sound like the PA in a subway or at an airport, but if you see something, say something. Say things to [email protected]

Nacin said the update comes a bit sooner than planned, and that future updates will include the ability to subscribe to others’ plugins for the purposes of added collaboration. Have you committed to your WordPress plugin in the last 24 hours? If so, what do you think of the new notifications?

5 thoughts on “WordPress plugin developers will begin receiving commit notification emails”

  1. Color me surprised (sorry, the pun was just too easy here) — I knew there were HTML versions of those emails, but Gmail only ever renders the plain text version for me. Other than that, some more changes on the way, for sure.

  2. When I got my first commit email from the WP.org servers it caused me a bit of a panic, actually; it looked exactly like emails I get from WP.com, so at first glance I thought I’d accidentally committed something to the wrong server 🙂

    Thanks Nacin for activating these, it’ll go a long way to helping ensure plugins are only updated by the legitimate owners.

  3. I think this is a good idea, but I’d prefer if there were options for the emails… Perhaps we could just receive a daily/weekly digest instead of an email for each change.

    • Commit emails are very helpful for a team of developers, but these were also introduced as an audit trail, to hopefully enable developers to catch suspicious commits to their own plugins.

      It was a confluence of events that enabled us to act quickly when it came to AddThis, W3 Total Cache, and WPTouch. We may not be so lucky next time. Ideally, these commit emails will enable developers to catch suspicious activity as it occurs. A weekly digest would not help.

      Also, digest emails are terrible for mailing lists, as when you want to reply, your email isn’t linked with the rest of the conversation. While this isn’t a mailing list (yet), the far better approach is to filter everything into a folder then review them once a day or week.
