Thanks for your helpful comments, and reassurance on updates – much appreciated

I’ll raise textdomains on github.

Have a great new year !

Last time, our plugin approval process was significantly delayed. We submitted it around September 5 and didn’t receive approval until February. Such delays are demotivating, especially when contributing free versions to the repository.

Again your dedication to enhancing the plugin ecosystem is truly appreciated!

The key changes I’ve seen are:

• shared leadership
• improved transparency
• creation of suitable team documentation & training
• development of tools to improve processes for both the Plugins Review team & plugin developers
• increased focus on help & education of plugin developers.

Thanks for a job well done as we look forward to even more improvements this year.

I would be pissed off if my urgent update gets rejected

For plugins that exist in the Directory, the Phase 2 checks would run after your new version is already released. We recommend plugin authors integrate Plugin Check into their development workflows so that any issues could be addressed before a version is released, but for the precise reason you mentioned (not wanting to block a security or urgent update), the Phase 2 checks are planned to run after your plugin version has been tagged and released, and would come in the form of either an email to the committers (only if items are found) and/or be visible in the Advanced tab section for the committers of that plugin.

my plugins extend bbpress and so use the capability within bbpress to revise their templates by adding my own versions within the plugin

I would recommend opening a GitHub ticket for this use case on the repo here: https://github.com/WordPress/plugin-check/issues so that the team that’s working on the PCP checks for textdomains can look into it

2. It would be good to get bbpress which is owned by wordpress and has 100,000 installations compliant 🙂

I definitely agree, though that’s something the bbPress team would be working on as opposed to the Plugins Team. Several of the Community plugins are already working on or have completed their work against the PCP version 1.3 checks, which is great news, and I know some of the other members of the Plugins Team have been helping with some of the others.

Many plugins fail the check, but are ‘safe enough’ to be let loose, so stopping an update for the fact that there is output which say lacks an esc_html but might fix a bug affecting many live sites, or fix an urgent security issue could be counter productive.

If non-compliance is seen as a major major security issue, then the logic would be to run it across all plugins, not those that do updates. Logic says it is those that update who are more likely to be compliant, so should actually be further down the list to be looked at.

Plugins are free and contribute to both wordpress.org and to the attractiveness of using WordPress which in turn affects Automattic’s bottom line.

So as someone who gives my plugins free to WordPress and by definition Automattic, I would be pissed off if my urgent update gets rejected until I spend hours fixing issues that do not comply with a predetermined set of tests.

I have run PCP against my plugins, and there are lots of little issues that i need to fix, and I have a plan to do these, but like many plugin authors, I do this in my free time, and need time to get everything fixed.

So please do let authors know that there plugins are not compliant, but please do not stop development/bug fix releases unless there is a real red line, and then only as far as getting that fixed.

You do need to take the ‘free development team’ you have with you as you journey to make WordPress better.

On the PCP

1. my plugins extend bbpress and so use the capability within bbpress to revise their templates by adding my own versions within the plugin. This then throws a ‘Mismatched text domain. Expected ‘bbp-style-pack’ but got ‘bbpress’. error. But it is exactly the bbpress domain that needs to be used there. I cannot see how to fix that.

2. It would be good to get bbpress which is owned by wordpress and has 100,000 installations compliant 🙂

But YES this is a really great idea

Plugin Check and 2FA Now Mandatory For New Plugin Submissions

This is really great idea. When someone upload a plugin then review it. And Check is it a malware ? or Not?

WordPress.WP.AlternativeFunctions are part of that category, and while you can usually get around it by adding the appropriate /* @phpcs:ignore … */, there are going to be issues when using a third-party library that utilizes things like json_encode() or parse_url() (others too obviously). It doesn’t really make sense to edit the library itself since that’s something you need to manually go in and do every time the library is updated.

This request for feedback concerns the basic standards of user information and consent for the installation of recommended plugins.
How would a different type of plugin or context affect this objective?
What differences in user information/consent should there be between different types of plugins?