Hacker Remix

Did Automattic commit open source theft?

109 points by ValentineC 5 days ago | 59 comments

paulgb 5 days ago

> Amusingly, in its war against WP Engine, Automattic might have created the single best advertisement for their chief rival. WP Engine now has proof it’s immune to unauthorized plugin takeover.

This is a great point. By weaponizing the fact that Automattic controls the plugin registry against a rival by doing something (at best) dangerously adjacent to a supply chain attack, WP Engine stands out now as uniquely immune to that type of attack.

This whole thing makes me sad, I used to use wordpress back in the 2000s and even had some plugins in the directory at the time. I was rooting for Matt but the more I read about this the more it seems like Automattic isn't the good actor here.

icodemuch 5 days ago

This seems like a pretty damning indictment of Automattic. The WordPress foundation (that they presumably set up) may have rules that give them legal cover for some of the moves they’re making, but it’s going to hurt them in the court of public opinion. I think that matters to developers, who are the people ultimately responsible for choosing whether or not to contribute to / use their product. It’s true that migration cost might prevent churn from these actions right now but stopping the train of logic there seems short sighted. What about all the business that they may have received in the future that they might not get now because they’ve tarnished their brand?

benatkin 4 days ago

I don't see it catching on that this is a "supply-chain attack" (from the article, but what came to mind when you said that it seems pretty damning). It isn't an attack because it's done deliberately by the owner (yes, owner) of the platform users are downloading from and not some upstream platform. The part of the chain involved is only one level deep. Maybe it's time to stop hyping up the term "software supply chain" because it gives me You Wouldn't Download a Car vibes.

Judged on its merits and not an exaggeration, I predict that the court of public opinion is going to go the same way as the court of law – a light pushback.

stogot 4 days ago

The article mentions they made subtle changes that broke websites. One user had 150 broken client sites and had to fix them one by one. If that happened to me I’d consider it a supply chain attack.

WorldWideWebb 4 days ago

How is this not a supply chain attack? Mattomatic literally took over a plugin that WPE owns/maintains by co-opting its plugin URL/slug. They renamed the plugin but took control over the URL that everyone’s plugin points to for updates. Literal MITM attack.

benatkin 4 days ago

wordpress.org isn’t an intermediary, they’re the publisher, so they can’t be in the middle, and they can’t be MITM.

Now, the owner of a package could do a supply chain attack (with a very short chain, which is why I think the concept is overhyped), and it would be a supply chain attack, but it wouldn’t be a man in the middle attack. WordPress took over ownership of it but they haven’t published anything malicious to it. Back when WP Engine owned it they could have published a malicious update and it would be a supply chain attack, but with a very short chain unless the user installed a project that depended on it and caused it to automatically be installed.

WorldWideWebb 4 days ago

Wordpress.org is not the publisher of that plugin - WPE is. Wordpress.org was just hosting it in their plugin directory, which is where just about the entire community goes to for plugins. I’d guess that because of this drama, more plugin publishers will choose to not publish theirs in the directory anymore.

https://www.advancedcustomfields.com

benatkin 4 days ago

I’ll use npm as an example. When someone not at npm runs npm publish, their npm client sends a request for their package to be published, which to me shows that the person isn’t the publisher because they aren’t requesting for themselves to publish the package. But I see how it might be confusing.

WorldWideWebb 4 days ago

npm is a good analogy to this, but I don’t see how either one would be considered the publisher. Those are indexes/directories/whatever-you-want-to-call-it of packages/WP plugins. Another example would be something like GitHub. If GitHub (Microsoft) decided to take over the repo URL of a rival’s repository, I don’t think there would be any ambiguity about who was in the wrong.

Anywho - I’m not looking to get into an argument with a random internet stranger so have a good one.

drchaos 4 days ago

If npm or Ubuntu would deliberately replace a package with their own implementation, without giving you notice or making this opt-in, would you call that a supply-chain attack? I would, unless the original package contained malicious code (which is not the case with WPE's custom fields plugin).

benatkin 4 days ago

Ubuntu patches all the time. WordPress could have done exactly the same with patches! Good idea.

Sometimes a patch isn’t enough so there is something like SilverWolf. That’s kinda like ACF/SCF.

benatkin 4 days ago

That's LibreWolf.

labster 4 days ago

It’s only technically a supply chain attack. Pretty much all they did was apply a security patch and remove the other company’s IP. It doesn’t really attack a user or put anyone at risk, which is what you normally mean with an attack, so it sounds hyperbolic.

That said it is absolutely scummy and dumb, and a sign that Automattic puts its own whims ahead of its clients’ stability. Even if this issue gets settled tomorrow, we now know that Automattic is an irrational actor. Who is going to choose a software platform for new projects where every week a new drama unfolds?

benatkin 4 days ago

> Automattic is an irrational actor

They're more human than the WP Engines of the world, though.

labster 4 days ago

Indeed. To err is human.

No one wants to talk about what WP Engine does, because Matt is making own-goals twice a week.

hn_throwaway_99 4 days ago

I'll talk about what WP Engine does, because I've been following this whole saga and I think they've done nothing wrong. Worse, I'm pissed that some open source folks are defending Matt's position that's basically "well, open source is whatever I say it is".

That is, WP Engine's cardinal sin (according to their detractors) appears to be that they make a ton of money from WordPress but they don't contribute back "sufficiently" to the ecosystem. I believe (as someone who has contributed a bunch to different open source projects) that this is complete and total bullshit. Since when do individual open source creators get to decide "how much" other people/companies need to "give back"? There is a very good reason open source licenses explicitly specify what you can and can't do with code. If you don't like that, you shouldn't be releasing your code as open source. More to the point, even outside of WP Engine's legal obligations (which nobody is really seriously believing they are in violation of, Matt's post-hoc ridiculous claims of trademark infringement notwithstanding), I think the arguments that they were a bad actor in the community were false, too, especially given Matt's actions.

Other open source creators have discovered that the economics of the cloud world means that it's easier for hosting providers to make a lot of money off open source projects than the original creators of that open source software. And while this may suck, many of these other creators handled this situation in a sane, adult manner, e.g. by forking and relicensing their software, or also see the whole nascent "fair source" movement. What they haven't done is decide to hold the whole community hostage because they decide, after the fact, that they're "owed" 8% of another company's revenue.

Seriously, I'd be interested to hear any rational argument about what WP Engine did that was so objectionable. If the best they can come up with is "they don't support infinite versions as the default out of the box", you'll have to excuse me if I don't think that's some sort of cardinal sin.

benatkin 4 days ago

I see a pattern of open source leaders being judged more harshly than proprietary software leaders. I think it’s because of a feedback loop. It started before the current crop of social media. People saw they could criticize Theo de Raadt more easily than Google because Google had its own weird nerds about a decade before the phenomenon with Elon Musk. These defenders were encouraged by the money and connections of the people they were defending, which is greater than those of the open source leaders.

I’m not saying you’re doing this deliberately but if you look at how long Matt Mullenweg has been leading WordPress, I think that puts the drama into context. People have forgotten a lot of the drama with FAANGs during these two decades and their leaders were never held to account.

What WP Engine has done is be soulless. They got acquired by a private equity firm, which makes them like a FAANG. The ways they’ve acted are more visible to WordPress than they are to us - they undermined the way they operate with other big hosts whose datacenters communicate with their datacenters, and users with their support. Matt explains it pretty well in this video: https://youtu.be/WU3sd1kDFLg?si=Og9QZ4_onwhbwvB3

hn_throwaway_99 4 days ago

> I see a pattern of open source leaders being judged more harshly than proprietary software leaders.

I will only speak for myself, but I find this to be baloney. I'm not judging "open source leaders" more harshly - I'm judging a single open source leader, Matt Mullenweg, harshly solely due to his own actions and statements.

You say "What WP Engine has done is be soulless." That's kind of my whole point - I don't give a fuck, at all, that WP Engine is "soulless". First, they're a hosting company, not a church. My fundamental issue with Matt's behavior in the first place is that just because a company is "soulless", i.e. whatever line he has in his head that is the "minimum" a company should have to contribute back because they use open source software he first created, that he gets to do a shakedown, take over what was their largest open source contribution in the first place, and then demand 8% of their revenue.

Frankly, I don't believe any of this moralistic framing in the first place. I think he saw WP Engine as an "unfair" competitor to WordPress.com, and his actions are simply to cripple a business competitor.

benatkin 4 days ago

> I'm not judging "open source leaders" more harshly

On purpose, no. But it's a question of interest. People seem to have a lot of interest in going after open source tech leaders that they don't have for going after closed source tech leaders, partly because any time they go after closed source tech leaders they have to deal with paid defenders (many who are simply paid by being on the much larger payroll, partly funded by government contracts obtained through bribery).

If you'd have judged a FAANG the same way but don't ever get around to judging them, that amounts to being more harsh with open source leaders.

hn_throwaway_99 4 days ago

Whatever man. I think this is all completely irrelevant to the current WordPress saga, not to mention that I totally disagree with your 0-evidence hypothesis in the first place that people are somehow more critical of open source leaders. FWIW, there is plenty in my HN comment history lambasting Google's fall from technically-admired leader to "just another big company led by the bean counters".

einsteinx2 4 days ago

> They got acquired by a private equity firm, which makes them like a FAANG.

I’ve read this sentence 5 times over and still have no idea what you mean by this? How does a company being acquired by a private equity firm make them like a multinational public company? What does being “like a FAANG” mean to you?

As an aside, Automattic was an investor in WP Engine and sold their shares to that same private equity firm.

lesuorac 4 days ago

Eh, I'm not completely convinced open source leaders are judged more harshly.

Go find people on the street and ask them to name the CEO of WordPress and then ask them to name the CEO of Google. Like the average person doesn't criticize an open source leader because they have no idea who they are.

In any sort of big tech thread there are tons of criticisms about privacy violations, basic functionality, lack of support, etc.

However, more to the thread. If say Amazon yoink'd Apple's store and started selling Amazon Basic Macbooks on it there would be complaints.

CRConrad 3 days ago

> I’m not saying you’re doing this deliberately

No, but by even mentioning that you're rather slyly implying they might be.

And apparently forgetting — or trying to obfuscate — that the one person we know is doing something deliberately here is mr Mullenweg.

> but if you look at how long Matt Mullenweg has been leading WordPress, I think that puts the drama into context.

The relevant context here is what he is doing now.

SahAssar 4 days ago

Regardless of all else I'm hoping we can all agree on:

* The wordpress foundation (and wordpress.org) is not independent enough from Matt & Automattic

* taking over a package in a package registry with automatic updates is really, really bad
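The second point above (a registry slug staying the same while the package behind it changes hands, silently picked up by auto-update) is the part a site operator can actually defend against. The following is an added example, not code from the thread or from WordPress or any registry: a small update gate that pins what was last verified for each slug (name, author, archive digest) and refuses to auto-apply an offer whose identity has drifted, while a new archive with an unchanged identity is held for review instead of installed blind. All plugin names, authors and archive bytes are constructed placeholders.

```python
"""Gate plugin auto-updates on a pinned identity, not just on the registry slug.

Added example (not from the thread). A lockfile records the name, author and
archive digest last verified for each slug. An update offer whose name or
author differs from the pin is refused outright, because that is what a slug
being reused for a different plugin looks like; a new archive with unchanged
identity is held for human review rather than applied automatically.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedPlugin:
    """What we last verified for a slug (would live in a lockfile in practice)."""
    slug: str
    name: str
    author: str
    sha256: str


@dataclass(frozen=True)
class UpdateOffer:
    """Update metadata plus the archive bytes a registry served for a slug."""
    slug: str
    name: str
    author: str
    archive: bytes


REFUSE, HOLD, UNCHANGED = "refuse", "hold", "unchanged"


def check_update(pin: PinnedPlugin, offer: UpdateOffer) -> tuple[str, list[str]]:
    """Return (decision, findings) for an offered update.

    REFUSE    identity drift: slug, name or author no longer match the pin.
    HOLD      same identity, new archive: plausible release, review then re-pin.
    UNCHANGED archive digest equals the pin: nothing to do.
    """
    findings = []
    if offer.slug != pin.slug:
        findings.append(f"slug mismatch: expected {pin.slug!r}, got {offer.slug!r}")
    if offer.name != pin.name:
        findings.append(f"plugin name changed: {pin.name!r} -> {offer.name!r}")
    if offer.author != pin.author:
        findings.append(f"author changed: {pin.author!r} -> {offer.author!r}")
    if findings:
        return REFUSE, findings

    digest = hashlib.sha256(offer.archive).hexdigest()
    if digest == pin.sha256:
        return UNCHANGED, []
    return HOLD, [f"new archive digest {digest[:16]}...; review before re-pinning"]


# --- constructed sample data: placeholder plugin, not a real one ---
VERIFIED_ARCHIVE = b"PK\x03\x04 example-fields 1.0 (constructed zip bytes)"
PIN = PinnedPlugin(
    slug="example-fields",
    name="Example Fields",
    author="Example Vendor",
    sha256=hashlib.sha256(VERIFIED_ARCHIVE).hexdigest(),
)


def takeover_offer() -> UpdateOffer:
    """Same slug, but the registry now serves a renamed plugin from another author."""
    return UpdateOffer("example-fields", "Secure Example Fields", "Registry Operator",
                       b"PK\x03\x04 different code behind the same slug")


def routine_offer() -> UpdateOffer:
    """Same identity, new bytes: a normal-looking release that still needs review."""
    return UpdateOffer("example-fields", "Example Fields", "Example Vendor",
                       b"PK\x03\x04 example-fields 1.1 (constructed zip bytes)")


def unchanged_offer() -> UpdateOffer:
    """Exactly the archive we already verified."""
    return UpdateOffer("example-fields", "Example Fields", "Example Vendor", VERIFIED_ARCHIVE)


if __name__ == "__main__":
    for label, offer in [("takeover", takeover_offer()),
                         ("routine", routine_offer()),
                         ("unchanged", unchanged_offer())]:
        decision, findings = check_update(PIN, offer)
        print(f"{label:9} -> {decision}")
        for finding in findings:
            print("   ", finding)
```

The point of pinning name and author alongside the digest is that a digest change on its own is what every legitimate release looks like, so it can only justify a hold; the identity fields are what separate "new version of the plugin I chose" from "a different plugin now answering to the slug I chose". Run stand-alone, the takeover offer is refused with two findings, the routine release is held, and the already-verified archive is reported as unchanged.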

benatkin 4 days ago

> The wordpress foundation (and wordpress.org) is not independent enough from Matt & Automattic

I see people call for this, and I'd like to see that energy used to call for antitrust against Facebook, which grew at the same time as WordPress. https://en.wikipedia.org/wiki/Federal_Trade_Commission_v._Me....

I don't think they meant to express the intention of it being independent when creating a nonprofit. I think they just created a nonprofit because that's what made the most sense of the available options. I think a B Corp is more along the lines of what was intended.

SahAssar 4 days ago

I don't think anyone thinks of Meta or Facebook products as open-source in the same way as WordPress (they have open source projects but none that are as core to their business as WordPress is to Automattic).

Even now it seems like Matt is trying to shroud himself in open-source as a defense. If so the foundation should be more independent.

Lash_LaRue 4 days ago

I don't know if they committed "theft" under criminal law, but I would bet lots of money that Automattic is going to get obliterated by the complaint filed by WP Engine, probably including injunctive relief. Tortious interference in a contract is normally difficult to prove because one of the elements is malice or intent to cause harm, but Matt basically handed WP Engine's lawyers all the ammo they would ever need during his yappy media tour.

I would further bet that Matt's either on drugs or maybe has a brain tumor or some other undiagnosed medical condition. Only an insane person would destroy their entire reputation and life's work like this.

TheNewsIsHere 2 days ago

Alternatively, he could have been like this all along and now he’s just striking. It’s in vogue to “re-align” your corporate backed FOSS project to squeeze money out of everything you can. Collateral damage be damned. Enshittification seemingly knows no bounds.