wp-cli/checksum-command

Acceptability of adding checksum details to WP CLI cache dir?

nateinaction opened this issue · 3 comments

Hey guys,

I'd like to run the checksum commands against a large number of sites with some frequency. I notice that each time the core command is run, or for each plugin that is encountered, an external request to wordpress.org is required. I'd like to cut down on the number of external requests and feel there are two options:

  1. a flag that would allow pointing the request to an on-network custom API which caches the checksum files, or
  2. adding the checksum files to the existing WP CLI cache directory

How receptive is this repo to a PR to introduce one or both of these options? Do you have any guidance or suggestions about how you would prefer this to look?

@schlessera @gitlost

Hi @nateinaction,

Thanks for the suggestion. Historically, we haven't cached checksum files because doing so presents an exploitation vector; a malicious plugin could alter the checksum cache to hide the fact that it's malicious.

Have you looked into installing a dedicated network proxy where you can generate and serve a cache? I think this would make for useful documentation and could also be a solution for #38.

Yes, @danielbachhuber is right. For the checksum commands, a lot of what we would normally add for convenience or optimization is a potential way to override the checksums.

This is why any caching would need to be done externally, outside of the context of WordPress, so that code running within the WordPress context cannot impact it (like filtering or disabling it).

Hey guys,

Thanks for the feedback. This is how I will proceed. Closing.
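
Added example, not part of the thread and not WP-CLI code: a sketch of the constraint the maintainers describe, checking that a checksum cache sits outside the site tree and is not writable by other accounts before it is trusted to verify files. The cache directory names, the SHA-256 manifest format and the function names are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def cache_is_isolated(cache_dir, site_root):
    """Return (ok, reason); the cache must be out of reach of code running in the site."""
    cache, root = Path(cache_dir).resolve(), Path(site_root).resolve()
    if cache == root or root in cache.parents:
        return False, "cache lives inside the site tree"
    if cache.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "cache is group- or world-writable"
    return True, "ok"


def verify(site_root, manifest):
    """Return relative paths that are missing or whose hash differs from the manifest."""
    root = Path(site_root)
    return [rel for rel, digest in sorted(manifest.items())
            if not (root / rel).is_file() or sha256_file(root / rel) != digest]


def demo():
    """Constructed site: index.php changes after its checksum was recorded."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "site")
        in_tree = site / "wp-content" / "checksum-cache"  # hypothetical cache location
        external = Path(tmp, "external-cache")            # hypothetical cache location
        in_tree.mkdir(parents=True)
        external.mkdir()
        os.chmod(in_tree, 0o700)
        os.chmod(external, 0o700)
        (site / "index.php").write_text("<?php // original\n")
        manifest = {"index.php": sha256_file(site / "index.php")}  # trusted copy
        (site / "index.php").write_text("<?php // changed later\n")
        results = {
            "in_tree": cache_is_isolated(in_tree, site),
            "external": cache_is_isolated(external, site),
            "changed": verify(site, manifest),
        }
        os.chmod(external, 0o777)  # loosen permissions to show the second check
        results["external_loose"] = cache_is_isolated(external, site)
        return results


if __name__ == "__main__":
    print(demo())
```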