Wiki can be edited by foreigners. #2710

Open
real-yfprojects opened this issue Jun 6, 2023 · 7 comments

Comments

@real-yfprojects

Wiki pages can currently be edited by any Github user which is kind of a Security Threat. It might also lead to misbehaviour of individuals. Instead I would suggest limiting editing to Collaborators.

I also have a question closely linked to this issue. I recently created a pyenv plugin called pyenv-link. I would like to see it being listed in the corresponding section of the Wiki. However I wonder whether I should add it to the list myself.

@native-api
Member

Wiki pages can currently be edited by any Github user which is kind of a Security Threat. It might also lead to misbehaviour of individuals. Instead I would suggest limiting editing to Collaborators.

Github only supports allowing editing either to everyone or to users with push access.
We allowed the former intentionally so that users can add info for more use cases and update obsolete ones relevant to them without having to involve the team.
Pull requests or some kind of more flexible security would certainly be welcome but there's no support in the platform.

We assessed if that really would be a security threat, and it doesn't look so. What harm can be done -- adding wrong packages to installation instructions? Distro repos don't have malicious software in their repos so the abuser wouldn't benefit from that. Github support can block users who do blatantly harmful actions.
This has been so for a couple of months, and there weren't any cases of abuse so far.
If there'll be a growing amount of inaccurate information, we can move the officially maintained part into the main repo.

@native-api
Member

native-api commented Jun 6, 2023

I also have a question closely linked to this issue. I recently created a pyenv plugin called pyenv-link. I would like to see it being listed in the corresponding section of the Wiki. However I wonder whether I should add it to the list myself.

Yes, you can do that.
So far, there aren't many plugins useful for a large number of users, and they aren't very discoverable -- so any publicity is good.
If and when there'll be too many for the list to still be useful, we'll think of something.

@real-yfprojects
Author

real-yfprojects commented Jun 6, 2023

Github only supports allowing editing either to everyone or to users with push access.

But I don't have push access, do I?

What harm can be done -- adding wrong packages to installation instructions?

I was thinking of something like curl https://pyenv.run | bash but with a malicious URL. Though you are right that the policy can be adjusted once such an incident has occurred.

@native-api
Member

I also have a question closely linked to this issue. I recently created a pyenv plugin called pyenv-link. I would like to see it being listed in the corresponding section of the Wiki. However I wonder whether I should add it to the list myself.

Yes, you can do that. So far, there aren't many plugins useful for a large number of users, and they aren't very discoverable -- so any publicity is good. If and when there'll be too many for the list to still be useful, we'll think of something.

It won't hurt to ask if in doubt like you just did.

So far, http://meatballwiki.org/wiki/SoftSecurity has worked well enough. I only once deleted some inaccurate information -- and it wasn't even actively harmful, just not as helpful as the author probably hoped.

@real-yfprojects
Author

That's reasonable enough. There are no further objections on my part. Though this policy could be stated somewhere in the Wiki to avoid future confusion.

@native-api
Member

Though this policy could be stated somewhere in the Wiki to avoid future confusion.

And how would one find it? Only if it's on the front page...

I think the Contribution guide would be more appropriate.

@real-yfprojects
Author

I think the Contribution guide would be more appropriate.

Yes, that would be a suitable place. However adding a statement to the plugin page in the Wiki on how to add plugins would be useful too.
