Website design process and steps.

Hello guys please, can you give some advice for my website design process? I'll be very grateful.

First I will describe the steps I take for the design process, then I'll try to explain it and give more details about it.

      1. First contact
      2. Determine the project size, direction and scope.
      3. Site map and wire-framing in XD or Figma; sometimes I use Edraw Mind Map
      4. Gather and categorize content, and if necessary (in most cases) generate it…


WordPress “developer tools” hosting, update and bundling process

Recently, we submitted a template engine plugin called Willow – which we use on our projects – to the WordPress plugin repo, but it was quickly rejected. The following reasons were given:

Your plugin has been rejected because we are no longer accepting frameworks, boilerplates, and libraries as stand-alone plugins.

To explain the terminology here:

Framework/Boilerplate: a template from which more code can be built
Library: requires other plugins or themes to edit themselves in order to be used

We require that plugins be useful in and of themselves (even if only being a portal to an external service). This means that a plugin should either be installed and be fully functional, or it should have some administration panel.

When a plugin requires either the plugin itself to be edited to work, or can only be used by writing code elsewhere, it ceases to have as much a benefit to end users and is more of a developer tool.

While there are many benefits to frameworks and libraries, WordPress lacks any plugin dependency support at this time, which causes a host of issues.

The parade of likely support issues includes (but is not limited to):

not recognizing the need for the library and thinking they’ve been hacked
not properly forking the boilerplate and editing it in place, resulting in updates erasing code
not recognizing the need for the library plugin, and thus deleting it (causing others to break)
updating the library plugin separately from the dependent plugins, leading to breakage
updating a dependent plugin without updating the library, leading to breakage
different plugins requiring different versions of a library plugin without proper if-exists checks

We feel that libraries should be packaged with each plugin (hopefully in a way that doesn’t conflict with other plugins using the libraries). At least until core supports plugin dependencies. Frameworks, in and of themselves, have no place in our directory as they are non-functional templates.

They offered me a chance to argue my corner and show why this plugin should be hosted – which I did to the best of my powers. I argued from the standpoint that this amounted to discrimination against advanced users, who would be forced either to bundle their frameworks into other plugins, making them harder to update, or to write hacks to get our software into the WP update process – which seems wrong on many levels.

And, while the plugins team expressed some sympathy – noting that they all used frameworks and the like themselves – they were unmoved by my high and mighty rhetoric and the plugin remains rejected…

Of course, I can continue working the way I have until now – currently we use the GitHub Updater plugin to integrate our public and private repos from GitHub into the WP updater – but it IS a hack, and it’s not seamless.

So – to my question – and please moderators, don’t delete this as a "too vague / opinionated" question – as this really is aimed at understanding how other developers use WordPress and has benefit both to us and I imagine others who have faced this same situation.

The question is – how should we host our own public plugins – for example on a 3rd party repo like GitHub – and make them easily available to find, install and update – in a way that is as native as possible to how they might work if they were hosted on wordpress.org?

Sub question might be about the relative pros and cons of bundling these "frameworks" into other plugins / themes – this feels wrong to me, especially considering WordPress’s lack of dependency management – but I would like to learn if this is viable and even recommended.

What is the process of index selection?

I have used several databases (relational + NoSQL) as a developer for 3+ years, but I only have a basic idea about the core of the database processes and database administration tasks. My question is about the index selection problem. What I understood from reading several articles is that in some databases the query optimizer can choose the most relevant index(es), and in others a database administrator has the authority to select the index(es) from a list of indexes suggested by the optimizer. But my idea of the process of selecting indexes is still vague. Can you give me a descriptive answer on how the index selection process happens, or recommend a book or an article to read to get a precise idea of the process of index selection from A to Z? The key areas I need information on are:

  1. What are the criteria used to decide an index is the most appropriate for a query?
  2. Is there a difference between index selection in relational databases and index selection in NoSQL databases?
  3. What role does the query optimizer play in index selection?
  4. If you were to automate the index selection process, what would you most consider when giving solutions or taking new approaches?
  5. Are there any practical problems when it comes to index selection and the performance of the database?
  6. Do I have the freedom of choosing different index structures (B-tree, B+ tree, hashing, …) while creating indexes initially, or do I need to stick to one type of index structure?

Securely execute child process on embedded Linux


Background

I have an embedded Linux device and need to invoke a subprocess. I try to avoid it, but sometimes it’s the most practical thing to do, e.g. calling networking commands like ip or NetworkManager, or doing data processing using a proprietary program.

The simplest thing to do is to call system(3) but then these bad things can happen:

  • Neither the program name nor the arguments are sanitized.
  • PATH is modified by an attacker, causing the wrong program to be executed.
  • Another environment variable such as `IFS` is modified by the attacker.
  • If the attacker has been able to gain access to the child program, he may see open files which were not closed.
  • And he/she may be able to gain elevated privileges if root privileges were not dropped.

So I probably should not rely on system(3) but write my own fork+exec function: pass the full path to the binary to be executed; make any arguments to the child process hard-coded; sanitize the environment variables; close open files; and drop privileges.

I’ve read the advice given in TAOSSA and John Viega’s Secure Programming Cookbook.

My Question

  • Are these steps sufficient?
  • Can someone point to a generic implementation of procedures for safely executing subprocesses in C and C++?
  • Do I have to drop capabilities as well?
  • Should I consider running child processes in more isolation? If so, what options are available to me? seccomp filters? Namespace sandboxing?
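As an added illustration (not code from the question or from either book it cites), here is a fork+execve wrapper that applies the steps listed above: absolute path only, caller-fixed argv, a fixed minimal environment, inherited descriptors closed, and root dropped with the drop verified. The names run_trusted, clean_env, close_inherited_fds and drop_privileges are my own; it assumes Linux/glibc, and in a real deployment the caller passes a dedicated unprivileged uid/gid rather than its own.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for every child: nothing is inherited from the caller,
 * so an attacker-controlled PATH, IFS or LD_* variable never reaches it. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Close every descriptor above stderr so the child cannot see files the
 * parent forgot to mark close-on-exec. */
static void close_inherited_fds(void) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;            /* sane upper bound */
    for (long fd = 3; fd < max; fd++) close((int)fd);
}

/* Drop root permanently: supplementary groups first, then gid, then uid
 * (after setuid() we could no longer change groups). Returns 0 on success. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1; /* verify the drop */
    if (uid != 0 && setuid(0) == 0) return -1;          /* must not regain root */
    return 0;
}

/* Replacement for system(3): absolute path only, caller-fixed argv, clean
 * environment, closed descriptors, dropped privileges, no shell involved.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_trusted(const char *path, char *const argv[], uid_t uid, gid_t gid) {
    if (path == NULL || path[0] != '/' || strstr(path, "..") != NULL ||
        argv == NULL || argv[0] == NULL)
        return -1;                                      /* no PATH lookup, no traversal */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                     /* child */
        close_inherited_fds();
        if (drop_privileges(uid, gid) != 0) _exit(127); /* never run half-privileged */
        execve(path, argv, clean_env);                  /* explicit envp, not environ */
        _exit(127);                                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Capabilities and seccomp/namespace confinement are not covered by this wrapper; on a root-started daemon the capability bounding set survives the uid change unless it is cleared separately.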

seems like a wide gaping hole in the process for checking integrity of e.g. linux distro releases

Many Linux distributions recommend using downloaded signing keys to verify the integrity of downloaded checksums. This seems utterly ridiculous to me, since the downloaded keys are just as suspect as the downloaded checksums. And checking key fingerprints is exactly the same thing, i.e. the page with the fingerprints is just another file downloaded by my browser.

Example: https://getfedora.org/en/security/

If I trust the PKI of my browser (assuming https) to authenticate the key or key fingerprints, then I don’t need the signing process in the first place. But of course I DON’T trust the PKI, because the list of root certs distributed with major OSes is chock full of very very dodgy CAs.

At minimum, shouldn’t the keys of a new release be signed with the keys of the previous release? That way you can maintain a chain of integrity.

Given that the same process is used for GPG: https://gnupg.org/signature_key.html I assume I am being a moron and missing something obvious. Can anyone explain?

What is your process for scraping Tier 1 links to your money site? – Willing to pay for help!

Hi Guys!
What is your process for scraping Tier 1 links to your money site?
What I’m trying to do is get 1-2 links per month to my money site, and then Tier 2 – Tier 3 those links. Links per minute and scraping speed are not an issue. I want high quality links. I’m willing to pay for help.

Is revealing the phone number during the OTP verification process considered a vulnerability?

One of the common ways of implementing 2FA is using a phone number: a text message or a call with an OTP. As I can see, web services usually show something like "OTP was sent to the number +*********34". Is it done because revealing the number is considered a vulnerability? If yes, then which one, and is it described anywhere? I guess it has something to do with not wanting to show too much info about the user. This info might be used for social engineering, but maybe there is something else?

Having a link to a trusted location with the description would be great as well.