top | item 41825692

(no title)

I'd been staying out of this conflict, partly because I'm not really in the know on WP Engine's behavior behind-the-scenes and, as weird as Mullenweg's plays have been, I don't like to comment on things I'm not fully read into.

But, this touches on a particular hobby horse of mine. It involves some old conflicts too, but I don't want to ruminate on them.

From about 2016 to 2019, I was heavily involved with trying to remedy what I considered an existential threat to the Internet: WordPress's auto-updater.

https://core.trac.wordpress.org/ticket/25052 + https://core.trac.wordpress.org/ticket/39309

If that sounds alarming, consider the enormity of WordPress's market share. Millions of websites. W3Techs estimates it powers about 43% of websites whose server-side stack is detectable. At the time, it was a mere 33%.

https://w3techs.com/technologies/overview/content_management

For the longest time, the auto-updater would pull an update file from WordPress.org, and then install it. There was no code-signing of any form until I got involved. So if you pop one server, you get access to potentially millions.

Now imagine all of those webservers conscripted into a DDoS botnet.

Thus, existential threat to the Internet.

Eventually, we solved the immediate risk and then got into discussing the long tail of getting theme and plugin updates signed too.

https://paragonie.com/blog/2019/05/wordpress-5-2-mitigating-...

https://core.trac.wordpress.org/ticket/49200

You can read my ideas to solve this problem for WordPress (and the PHP ecosystem at large) here: https://gossamer.tools

Here's the part that delves into old drama: Mullenweg was so uncooperative that I wrote a critical piece called #StopMullware (a pun on "malware") due to his resistance to even commit to solving the damn problem. On my end, I reimplemented all of libsodium in pure PHP (and supported all the way back to 5.2.4 just to cater to WordPress's obsession with backwards compatibility to the lowest common denominator), and just needed them to be willing to review and accept patches. Even though I was shouldering as much of the work as I logically could, that wasn't enough for Matt. After he responded to my criticism, I took it down, since he committed in writing to actually solving the problem. (You can read his response at https://medium.com/@photomatt/wordpress-and-update-signing-5... if you care to.)

The reason I'm bringing this old conflict up isn't to reopen old wounds. It's that this specific tactic that Mullenweg employed would have been mitigated by solving the supply chain risk that I was so incandescent about in 2016.

(If you read my proposals from that era, you'll notice that I cared a lot about the developers controlling their keys, not WordPress.)

I don't keep up-to-date on Internet drama, so maybe someone already raised this point elsewhere. I just find it remarkable that the unappreciated work for WordPress/PHP I did over the years is relevant to Mullenweg's current clusterfuck. Incredible.

Since my knowledge on the background noise that preceded this public conflict is pretty much nil, I have no reason to believe WP Engine hold any sort of moral high ground. And I don't really care either way.

Rather, I'd like to extend an open invitation: If anyone is serious about leading the community to fork off WordPress, as I've heard in recent weeks, I'm happy to talk at length about my ideas for security enhancements and technical debt collection. If nothing else comes of this, I'd like to minimize the amount of pain experienced by the community built around WordPress, even if its leadership is frustrating and selfish.

discuss

rafark|1 year ago

Very interesting. I’ve been writing code for a while but if I’m honest I have no idea how code signing works. Any good resource on how it works especially in php?

CiPHPerCoder|1 year ago

It's just an Ed25519 signature of a file. The closest thing we have to runtime code-signing are Phar signatures. https://www.php.net/manual/en/phar.fileformat.signature.php

photomatt|1 year ago

I will happily promote and link to any forks from WordPress.org. I've linked to two already, let me know if I need to promote more.

maxbond|1 year ago

That doesn't move the needle as far as restoring the trust you've broken.

You should negotiate with WP Engine to drop their suit contingent on your resignation. Maybe they'll go for it. Resigning is the only thing that would prove you're serious about allowing your power to be checked. And perhaps the only thing that would stop you from cutting a huge settlement check (probably within weeks and not the years you've anticipated).

Do you think that's something you're capable of? Do you care more about the future of WordPress and of open source than you do about your own power and rivalries? Will you prove it to us?

To be frank I don't believe you will. I'm pretty cynical about this kind of thing. But I've been wrong before. It would take a very strong person to admit, not just publicly but to their bitter rivals, that they had lost control and damaged their own life's work.

But if that person is you - it wouldn't be much, but you'd have my admiration.

---

Stark: Make peace with the Lannisters, you say? With the people who tried to murder my boy?

Baelish: We only make peace with our enemies, my lord.

CiPHPerCoder|1 year ago

While I appreciate the sentiment, I don't know that a hard fork is necessarily the right answer.

https://scottarc.blog/2024/10/14/trust-rules-everything-arou...

rhfufiwnfntnt|1 year ago

[deleted]