The reason I say this is that recently I was made aware of a security flaw in one of my free plugins. I patched and updated on Moodle.org as quickly as possible. I wondered if I should post about it in one of the forum threads dedicated to it, but for the most part the users subscribed to those would be updaters, and I would risk alerting less good people to a flaw they might exploit. I am still not sure what the best course of action is to be honest.
Ideally I would have access to a list of subscribed users to which I could send a direct message (email or message). Is there a best practice here, or some way we can implement a notification feature. After all Moodle alerts registered Moodle site admins of security issues in Moodle in advance of any public release of such information, so it seems like plugins should be no different in this respect.
I think this is a good idea, if you add this to the tracker I'll certainly vote for it.
We had exactly the same situation and I also think it would be really great if plugin maintainers could inform their users directly.
Even if there is no such important thing as a security flaw, I think it should be possible that plugin maintainers can get in touch with their users by mail or notifications in the systems which use the plugin.
In the interim, you could always set up existing methods, inviting plugin users to subscribe to:
- Set up a twitter account and hashtag for users to follow.
- Set up a Telegram and/or a Slack discussion.
- Set up an email newsletter type subscription.
With my "developer" hat on I agree it would be nice to be able to contact all users of my plugins.
But I don't think that using Moodle site registration data is the right method for this. Site admins that "register" with Moodle are not really expecting that their information will be "shared" with the developers of all 3rd party plugins they use on their site - the data is also covered by Moodle's Privacy Notice and Data Processing Agreement.
Implementing a way for users to do this based on site registration data would be pretty complex - first we'd need to adjust the moodle.org privacy notice, then we'd need to implement a way for admins to explicitly reject notifications related to specific plugins and receive notifications from other plugins... Personally I don't think this would be viable to do within the plugins db.
There might be a way we could identify specific plugin releases as containing a security update though, so that in the plugins update screen a bigger warning is displayed when there is a release that contains a security fix - but I'm not sure how useful that would really be.
I think Mike has the right idea here - it would be better for you to implement your own "registration" tool within your plugins or provide some form of new subscription service where users elect-in to receive communication from you.
I wondered if I should post about it in one of the forum threads dedicated to it, but for the most part the users subscribed to those would be updaters, and I would risk alerting less good people to a flaw they might exploit.
That is what every software producer has to deal with. Generally, security by obscurity does not work, particularly not in the open source world. If there is a solution / fix available, it works best to notify users loudly in an open and transparent way. So feel encouraged to inform about the security release via all the communication channels (twitter, forums etc) to highlight the importance of the upgrade.