Secure Custom Fields by WordPress.org

2 years ago (wordpress.org)

> This update is as minimal as possible to fix the security issue.

> This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

So.. is this fixing a security issue.. or is this because of WP Engine?

> and are forking Advanced Custom Fields (ACF) into a new plugin

And stealing their place in the plugin store. A fork generally implies that you are going to set off on your own, and not inhabit the dead flesh of the project you just killed.

Matt Mullenweg is the biggest child I have ever seen in operation.

  • > So.. is this fixing a security issue.. or is this because of WP Engine?

    AFAIK, here's the timeline.

    1. Automattic announced that there was a security issue in ACF.

    2. WP Engine fixes it immediately.

    3. Automattic bans the WP Engine developers from Wordpress.org, so they can't deploy the fix. This places millions of users at risk, but that's how they roll.

    4. Automattic forks ACF, removes the commercial upgrade, and renames it.

  • > So.. is this fixing a security issue.. or is this because of WP Engine?

    It's fixing a security issue WP Engine cannot fix because they are banned from wordpress.org.

So WordPress-the-org — which is effectively Matt, as far as I can tell — just Sherlocked a developer's plug-in using the developer's own code, ostensibly as retribution for a security issue that the developer had already fixed. https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

What am I missing?

Wordpress banned forks from the plugin directory a while ago, so they're doing what they ban everyone else from doing. https://make.wordpress.org/plugins/2021/02/16/reminder-forke...

Related: the main developer on the Fields API proposal is calling it quits on involvement with WordPress.

https://github.com/sc0ttkclark/wordpress-fields-api

I'm not entirely sure what it is but it has over 350 stars and quite a few forks so it's probably important.

  • Now-resigned maintainer Scott is also lead dev of Pods, an awesome ACF-like plugin.

    Lines have been crossed when stealing other people's code, which is what happened in the case of ACF to SCF, IMHO.

If anyone from Automattic is reading this and would like to confidentially leak any internal information about this behaviour from Matt, please email admin@bullenweg.com and I will publish it on bullenweg.com.

This is one of the sleaziest things I've ever seen. I fear a hard fork of WordPress is now inevitable and unfortunately, it's possibly going to kill the platform, all over one man's ego. How can I now sell my clients on using WordPress for mission critical things if on a whim the owner of WordPress can break my site or lock out my security updates, just because I chose the "wrong" host or plugin? I don't see how the Board can sit by and let this all unfold like this, it's practically business suicide.

  • TBF WordPress was also created by two men and one of them was Matt. Of course it only achieved its success through the efforts of countless others, but it's not just some person. Shame it came to this.

    We had hard forks of very popular systems before, e.g. xfree86 turned into x.org, LibreOffice vs OpenOffice.org, Hudson to Jenkins and others and basically everyone switched (nearly) overnight.

    The fork will likely have a much better direction structure to avoid precisely this problem; at least that seems to be the pattern.

If anyone is interested in the extended controversy surrounding Wordpress, there is a site that has been tracking everything.[0]

[0] https://bullenweg.com

  • Wow, I hadn't heard about the nosebleed incident. Absurd, even if he ain't snorting coke, it's deeply weird to continue an interview while profusely bleeding as if nothing is happening.

    • I have no stake in any of this but some people have nosebleeds without anything nefarious or bad going on. This guy doesn’t need any help looking bad, suggesting that his nosebleed is important is stupid.


    • Him being in the middle of a mad coke bender would explain so much. I'm accepting this as canon until we find out WP Engine slept with his wife or something

Blog post on wordpress.org concerning this: https://wordpress.org/news/2024/10/secure-custom-fields/

  • > There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will follow as well.

    Anything to prop up their position and throw the company they are attacking under the bus. What a jerk.

  • > This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

    Yeah, that is not how trust works.

  • > This update is as minimal as possible to fix the security issue.

    What is the actual issue? CVE number?

    • The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].

      I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.

      Edit: And even if it were, this update doesn't fix the problem. POST variables can still be accessed:

          filter_input(INPUT_POST, 'name');

      [1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security...
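      The point made in this comment, written out as an added example (this is not code from the page, from ACF or from SCF): a hypothetical wrapper, here called `run_without_request_superglobals()`, empties `$_POST` and `$_REQUEST` before invoking a callback, which is the shape of change the comment describes. Inside the callback the superglobals are indeed empty, but `filter_input()` reads PHP's own copy of the original request rather than the superglobals, and `php://input` still holds the raw body. The defensive takeaway is that hiding superglobals from in-process PHP code is not a trust boundary; any real control has to sit at the point where untrusted input enters, not inside the same process.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added illustration, not ACF/SCF code): stash the
 * request superglobals, run the callback with them emptied, then restore
 * them. This mirrors the kind of change the comment describes.
 */
function run_without_request_superglobals(callable $callback)
{
    $savedPost    = $_POST;
    $savedRequest = $_REQUEST;
    $_POST    = [];
    $_REQUEST = [];
    try {
        return $callback();
    } finally {
        $_POST    = $savedPost;
        $_REQUEST = $savedRequest;
    }
}

// Four ways a callback might read a submitted "name" field.
$results = run_without_request_superglobals(function (): array {
    return [
        // Both superglobals are empty inside the callback ...
        'post'         => $_POST['name'] ?? null,
        'request'      => $_REQUEST['name'] ?? null,
        // ... but filter_input() consults PHP's copy of the original request,
        // which is not affected by modifying $_POST or $_REQUEST.
        'filter_input' => filter_input(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
        // The raw request body remains readable as well.
        'raw_body'     => file_get_contents('php://input'),
    ];
});

header('Content-Type: application/json');
echo json_encode($results, JSON_PRETTY_PRINT), "\n";
```

      To try it, save the block as `demo.php`, start PHP's built-in server with `php -S 127.0.0.1:8080 demo.php`, and send a form POST with `curl -d name=alice http://127.0.0.1:8080/`. The `post` and `request` entries come back null while `filter_input` and `raw_body` still carry the submitted value, which is exactly why the commenter treats the superglobal change as not closing anything.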

    • I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.

      ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?

      [1] Discussed at the time: https://news.ycombinator.com/item?id=41821829

According to https://make.wordpress.org/plugins/2021/02/16/reminder-forke... this is piracy.

Let's look at newer documentation:

https://developer.wordpress.org/plugins/wordpress-org/detail...

> The use of trademarks or other projects as the sole or initial term of a plugin slug is prohibited unless proof of legal ownership/representation can be confirmed

The plugin is at https://wordpress.org/plugins/advanced-custom-fields and advanced custom fields filed for trademark last December https://trademarks.justia.com/983/21/advanced-custom-9832116...

Also

https://developer.wordpress.org/plugins/wordpress-org/plugin...

> We also don’t accept 100% copies of other people’s work

There's a clause which looks applicable https://developer.wordpress.org/plugins/wordpress-org/plugin...

> What happens to a plugin if the plugin owner gets blocked?

however the page says "Last Updated: 12 October 2024" and https://github.com/WordPress/developer-plugins-handbook/blob... (permalink at the time of writing this) doesn't have this section. So it really looks like someone manually edited the page on wordpress.org without editing the source. Now, who has such permissions and has the motive to do this?

  • I feel so bad for all the Wordpress devs and shops right now. This is not the kind of community turmoil I'd want to deal with leading up to holidays/new years!

    It makes Drupal 8/Backdrop seem like a pleasant and wonderful experience, in comparison.

    • I don't think there was any bad blood between Drupal 8 and Backdrop, was there? It was forked in 2013 and look https://www.drupal.org/u/jenlampton Jen was still doing BADCamps and went to DrupalCons and all that. My memory is fuzzy a little but I do remember we were making huge progress on migrate at BADCamp 2014 and I do not remember a single tense moment with Jen or Nate. Or was that 2013? But even if it was, that was after the fork. Nate also went to DrupalCons look https://www.drupal.org/u/quicksketch

      In short, I know I considered Backdrop futile but I don't think there was any significant controversy or is my memory failing me? http://www.drupal4hu.com/node/380 here's my post from the time.

      Truth be told, there was significantly more controversy between me and the rest of the Drupal community than between Backdrop and Drupal. You can not imagine how much I regret that.


  • Good catches. Also note that "ACF" is trademarked by WPEngine and is used throughout the source code and reviews.

I thought there weren't any hinges left for Matt to unhinge. He dug for that minor vulnerability to be able to justify that takeover.

Who can ever trust this guy and his company, ever again?

This gets better by the day.

I'm so rooting for WPE and I hope the judge will lay it heavy.

Pathetic. Matt banned one of the most popular WordPress plugins. Then, he forked the code and hosted it on WP.org, which is against the Terms of Service. He also hosted it in the plugin directory on the same path as ACF, stealing its SEO traffic. Wow!

Matt's state of mind is clearly not good. If I were an investor in WordPress, I would start thinking about cutting my losses. WordPress will not recover from this self-inflicted destruction.

*Update* Oh, it's worse than that. He just renamed the ACF to SCF and claimed all the installations and reviews from ACF. I still can't believe this happened. This can't be legal!

OK so:

1) WordPress clearly lacks functionality like ACF that belongs in core

2) Many developers clearly like ACF

3) Many do not (it's messy in the DB, if you ask me)

4) Core functionality that was if not API-compatible, at least API-familiar with ACF would be welcomed by many

5) Creating a new plugin that did this, that was transitioned into core (like other functionality has been), would be a good plan

6) Commandeering the slug for a decade-old commercial plugin like this, to replace it with a fork, is so obviously fucking bad form that it's still hard to believe it is happening even given all the other whatthefuckery that has been happening.

ETA: 7) "Secure Custom Fields"? Really? The difference is what?

What the fuck, Matt?

ETA: personally I understand many of the frustrations with WP Engine's positioning. I have experienced exactly the trademark confusion issues that the lawsuit has been about, where clients have assumed WP Engine is WordPress itself. I don't use them after some iffy customer service and technical issues early on. But this is absurd behaviour.

  • The fucked thing is that per the article, they're not even dedicating any resources to maintain it going forward, they've just made this one fix and are throwing it to other people to maintain if they want:

    > Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.

I can't even follow what's going on here, and I used to be an expert in software licensing drama. All I see is a bunch of unilateral actions driven by Matt Mullenweg that break so many implicit promises of how a free software steward should behave.

Wordpress sites quite often seem to be a hodge-podge of plugins, each with their own UI and conventions, and (as a host) I'm never an expert in any one of them. Has one of the site designers used a plugin that has offended Matt? Or that might offend him in the near future? How do I even audit for that?

I don't need much of a push to move my position on this. Before: "eh, use Wordpress if it's cheaper" Now: "please don't, that decision will probably cost me".

  • Theoretically WPE might be a bad actor-- perhaps even more than any commercial competitor naturally is-- but they're smart enough to not smear it around with absurd moves like this that radiate a lack of professionalism or ability to predict reactions.

So, is the next step to capture wp-migrate (or another prominent WPEngine plugin) or to update the core to degrade ACF pro?

I wonder what will happen to old websites I built with ACF and did not touch for years? Are they vulnerable now, as owners cannot get updates for ACF?

  • I had to login to several sites and make sure that the plugins would not auto-update. This is pretty much like a rogue actor taking over a plugin.

  • The slug hasn't changed so it will receive updates (from SCF repository, now under the control of Automattic).

    If you used ACF pro then the plug-in is downloaded from ACF website.

    But.

    The obvious next move is to put code in the core that would degrade ACF pro.

Posted this in the other thread:

A lot of the comments seem to call out Matt (right or wrong). But that’s the easy thing to do.

No one dares address the systemic issue of for profit corporations exploitatively (ab)using open source software.

There is a social contract that people should contribute back, and while it’s largely unenforceable, as it should be, when it’s happening on a systemic level something has to be done. And we are all complicit if we don’t at least say that much and spare some good will towards the guy actively in that fight, at least superficially.

*Following is a response to some replies on the other thread, that clarifies my points*

Matt being a poor steward of GPL is by definition not a systemic issue … unless your claim is that many people in positions like his do what he does, which is in turn caused by invariant factors?

The systemic issue is companies the world over not giving their fair share back in terms of contributing to foss.

I might agree with most of your points, I’m just trying to get people to realize there’s the local issue of Matt/wp and then there’s this global issue of companies building businesses off foss and not giving back.

  • > A lot of the comments seem to call out Matt (right or wrong). But that’s the easy thing to do.

    It's also productive. If there's enough of an uproar, then the board will remove him. They're pretty much the only people who can stop him.

    > There is a social contract that people should contribute back, and while it’s largely unenforceable, as it should be, when it’s happening on a systemic level something has to be done. And we are all complicit if we don’t at least say that much and spare some good will towards the guy actively in that fight at least superficially

    You don't speak for me. Contributions to my OSS projects are appreciated, but all I ask is that users comply with the license terms.

    If you feel that contributions are an unwritten obligation, he's made them much harder to ask for. Everyone else who asks for them in the future will be tarred with the same brush.

    Matt is burning down the WordPress ecosystem because his shakedown attempt failed. He's prevented at least 2.5 million users from receiving security updates. He's earned my contempt, not my goodwill.

    > I might agree with most of your points, I’m just trying to get people to realize there’s the local issue of Matt/wp and then there’s this global issue of companies building businesses off foss and not giving back.

    Drew said it best. (https://drewdevault.com/2021/01/20/FOSS-is-to-surrender-your...) If you want to require contributions, pick an appropriate license.

  • I don't know how much goodwill we owe somebody currently being sued for extortion and who lied to a community about ownership of a trademark for over a decade in an attempt to take a whole community hostage when he feels like it's time to cash in. The writing was on the wall when he sold user intellectual property from WordPress.com and Tumblr to OpenAI. Was that fighting for open source?

  • A number of people have dealt with the maker/taker issue, for example Dries, the founder and BDFL of the Drupal project: https://dri.es/solving-the-maker-taker-problem

    I think we're pretty far removed from the original issue of WP Engine and WordPress and people are just trying to deal with the fallout from Matt's nuke-the-entire-ecosystem approach he's elected to take.

    • Hey Jeff! :)))))

      That was a great article from Drupal. It’s a great idea and really goes a long way to help, but we still need more.

      This only addresses foss projects that are hosted as an offering. It wouldn’t address how for example the pgp guy basically went broke or just the general amount of pressure maintainers of “critical” foss packages are under and are spread so thin, that it’s always a triage fire and there’s never any room to “level up” with rewrites or full code base audits. And a lot of it comes at a huge personal cost but it just so happens the people often times in those shoes end up being super noble.

      Maybe this is a cynical take, but year after year it really does seem the software we rely on for modern life is just a house of cards where most cards are solo devs or a handful each doing the task of Atlas because the world's corporations just don’t give back!

      My words will ring true in 10-20 years when most of these people kick the bucket or retire and all we have left will be Google’s next Android/Fuchsia and Windows Server.

Just stealing plugins right now? Or is this some kind of "eye for an eye" situation?

I'm really turned down from the whole ecosystem by this total shitshow. Seems like everything could be pulled from under running sites if some clown decides he doesn't like it anymore.

At this point I just hope that WP Engine wins whatever lawsuit happens and Matt Mullenweg (and everybody who was involved besides him) has to pack his things and leave everything WP-related forever.

We no longer do custom WordPress work --- it turned out to never be worth the hassle --- but when we did, our company used ACF extensively. High quality plugin with responsive support and very fair licensing terms.

This --- to me --- smacks of complete bullshit.

  • Forking it is whatever, but to take over their namespace and thus break trust across the ecosystem is a dealbreaker. All devs will have to move.

  • It is complete bullshit, but calling ACF high quality is also pretty out there.

    It's one of those giants in WP that is stuck in the past, arguably much like a lot of core.

    • It's certainly "high quality" in the sense of "it solves a huge number of requirements that WP core doesn't, in a way that's better than alternative plugins". It's a high quality WP Admin user experience. Just don't try looking too deeply into the database mess it creates.

      For WordPress _users_, as in the people who log into the WordPress dashboard to run their website, 'stuck in the past' is often an advantage and not a bad thing. You'll be able to find blog posts and tutorials and YouTube videos showing you how to use it, unlike the "new shiny" where there's no easily found example or support.


This whole saga is surreal because I thought myself to be constitutionally incapable of rooting for a private equity firm to win a fight, but this is like watching a guy violently strain to shit his pants while yelling “Look what they made me do!”

Also the guy is in a hot tub with all of his friends and employees

If you were an insider deliberately trying to tank WordPress, it is hard for me to imagine anything you could do that would be more effective than this.

  • Perhaps he shorted the Automattic stock... no, wait, Automattic is privately held... make it make sense!

The URL though says "advanced-custom-fields"; Matt...I can't find the words to comment; I just shake my head -_-

This is a human being, making a mistake, only to be bullied by literally the whole internet?

Never have I ever witnessed a lynching with any positive consequence whatsoever in my entire life.

Empathy all the way. We all make mistakes. Stay kind and positive.

  • Most of the world's 8+ billion people managed to go through the last months without shaking down a competitor, preventing users from receiving security updates, conducting a harassment campaign, or destroying an ecosystem because they feel like it. That's not just a mistake. He deserves contempt, firing, and a substantial fine at the very least.

  • I don’t think anyone wants to lynch him in the sense of harming him for the sake of it, or even retributive justice.

    People want him removed from Wordpress leadership to protect Wordpress. The harm to him is really orthogonal to the greater goal of not destroying the software that runs 40% of the internet or whatever, triggering man-centuries of pointless labor to replace it across all those installs.

    Given the options of letting Matt tear the ecosystem apart or letting the ecosystem tear Matt apart (figuratively, not literally), the ecosystem should win. It sucks for Matt, but wasting cumulative lifetimes of human effort to migrate all these installs is stupid and not worth saving one man’s ego over.

  • Actively running a harassment campaign against a competitor is not "making a mistake".