I've been thinking about this lately after cruising around sm.org, and the more I think about it, the more I don't want files being edited by plugins.
If a plugin requires a core edit, the user should have to do that themselves. We lose the ability to do quick patches SMF style, but I'm not convinced that's a bad thing either.
What finally made me change my mind? The number of reports of 'my site's been hacked'. Sure, on shared hosting you're definitely at more risk than you are on a VPS, but there is an inherent risk on a shared host that is made distinctly worse by having to change the file permissions, especially as people will often go away and change them to be writable generally when they don't need to, to avoid hassle in the future.
By limiting the scope of what is needed to be edited, the core files never need to be handled in that way.
The only argument that is on the other side of the fence is about people doing raw changes, but firstly if you are doing raw changes, that puts the onus on you to back up and so on. And it puts the onus on you to remember the changes you made.
Thing is, WP acts like this and it seems to be tolerated over there, but what happens is that the automated update actually can tell you what files are changing and you can then go away and figure out for yourself whether you should or should not deal with that.
I have no problem telling users that if they're going to modify the core software, they're responsible for the consequences, but I'm not going to babysit them for upgrading. There are good reasons why hacking the core shouldn't be done, and I'm finally convinced beyond doubt now that the benefits are easily outweighed by the problems attached.