This seems like a pretty damning indictment of Automattic. The WordPress foundation (that they presumably set up) may have rules that give them legal cover for some of the moves they’re making, but it’s going to hurt them in the court of public opinion. I think that matters to developers, who are the people ultimately responsible for choosing whether or not to contribute to / use their product. It’s true that migration cost might prevent churn from these actions right now but stopping the train of logic there seems short-sighted. What about all the business that they may have received in the future that they might not get now because they’ve tarnished their brand?
I don't see it catching on that this is a "supply-chain attack" (from the article, but what came to mind when you said that it seems pretty damning). It isn't an attack because it's done deliberately by the owner (yes, owner) of the platform users are downloading from and not some upstream platform. The part of the chain involved is only one level deep. Maybe it's time to stop hyping up the term "software supply chain" because it gives me You Wouldn't Download a Car vibes.
Judged on its merits and not an exaggeration, I predict that the court of public opinion is going to go the same way as the court of law – a light pushback.
The article mentions they made subtle changes that broke websites. One user had 150 broken client sites and had to fix them one by one. If that happened to me I’d consider it a supply chain attack.
How is this not a supply chain attack? Mattomatic literally took over a plugin that WPE owns/maintains by co-opting its plugin URL/slug. They renamed the plugin but took control over the URL that everyone’s plugin points to for updates. Literal MITM attack.
wordpress.org isn’t an intermediary, they’re the publisher, so they can’t be in the middle, and they can’t be MITM
Now, the owner of a package could do a supply chain attack (with a very short chain which is why I think the concept is overhyped), and it would be a supply chain attack, but it wouldn’t be a man in the middle attack. WordPress took over ownership of it but they haven’t published anything malicious to it. Back when WP Engine owned it they could have published a malicious update and it would be a supply chain attack but with a very short chain unless the user installed a project that depended on it and caused it to automatically be installed.
Wordpress.org is not the publisher of that plugin - WPE is. Wordpress.org was just hosting it in their plugin directory, which is where just about the entire community goes to for plugins. I’d guess that because of this drama, more plugin publishers will choose to not publish theirs in the directory anymore.
I’ll use npm as an example. When someone not at npm runs npm publish, their npm client sends a request for their package to be published, which to me shows that the person isn’t the publisher because they aren’t requesting for themselves to publish the package. But I see how it might be confusing.
npm is a good analogy to this, but I don’t see how either one would be considered the publisher. Those are indexes/directories/whatever-you-want-to-call-it of packages/WP plugins. Another example would be something like GitHub. If GitHub (Microsoft) decided to take over the repo URL of a rival’s repository, I don’t think there would be any ambiguity about who was in the wrong.
Anywho - I’m not looking to get into an argument with a random internet stranger so have a good one.
Agreed that it's not a MITM but for other reasons: Automattic didn't insert themselves in between two communication nodes. Instead, they replaced one node with themselves. No further communication between the original nodes to in-the-middle intercept.
Isn't it rather a flavor of Impersonation Attack?
And "fraud" is maybe an ok word too?
> wrongful or criminal deception intended to result in financial or personal gain
If npm or Ubuntu would deliberately replace a package with their own implementation, without giving you notice or making this opt-in, would you call that a supply-chain attack? I would, unless the original package contained malicious code (which is not the case with WPE's custom fields plugin)
It’s only technically a supply chain attack. Pretty much all they did was apply a security patch and remove the other company’s IP. It doesn’t really attack a user or put anyone at risk, which is what you normally mean with an attack, so it sounds hyperbolic.
That said it is absolutely scummy and dumb, and a sign that Automattic puts its own whims ahead of its clients’ stability. Even if this issue gets settled tomorrow, we now know that Automattic is an irrational actor. Who is going to choose a software platform for new projects where every week a new drama unfolds?
I'll talk about what WP Engine does, because I've been following this whole saga and I think they've done nothing wrong. Worse, I'm pissed that some open source folks are defending Matt's position that's basically "well, open source is whatever I say it is".
That is, WP Engine's cardinal sin (according to their detractors) appears to be that they make a ton of money from WordPress but they don't contribute back "sufficiently" to the ecosystem. I believe (as someone who has contributed a bunch to different open source projects) that this is complete and total bullshit. Since when do individual open source creators get to decide "how much" other people/companies need to "give back"? There is a very good reason open source licenses explicitly specify what you can and can't do with code. If you don't like that, you shouldn't be releasing your code as open source. More to the point, even outside of WP Engine's legal obligations (which nobody is really seriously believing they are in violation of, Matt's post-hoc ridiculous claims of trademark infringement notwithstanding), I think the arguments that they were a bad actor in the community were false, too, especially given Matt's actions.
Other open source creators have discovered that the economics of the cloud world means that it's easier for hosting providers to make a lot of money off open source projects than the original creators of that open source software. And while this may suck, many of these other creators handled this situation in a sane, adult manner, e.g. by forking and relicensing their software, or also see the whole nascent "fair source" movement. What they haven't done is decide to hold the whole community hostage because they decide, after the fact, that they're "owed" 8% of another company's revenue.
Seriously, I'd be interested to hear any rational argument about what WP Engine did that was so objectionable. If the best they can come up with is "they don't support infinite versions as the default out of the box", you'll have to excuse me if I don't think that's some sort of cardinal sin.
I see a pattern of open source leaders being judged more harshly than proprietary software leaders. I think it’s because of a feedback loop. It started before the current crop of social media. People saw they could criticize Theo de Raadt more easily than Google because Google had its own weird nerds about a decade before the phenomenon with Elon Musk. These defenders were encouraged by the money and connections of the people they were defending, which is greater than those of the open source leaders.
I’m not saying you’re doing this deliberately but if you look at how long Matt Mullenweg has been leading WordPress, I think that puts the drama into context. People have forgotten a lot of the drama with FAANGs during these two decades and their leaders were never held to account.
What WP Engine has done is be soulless. They got acquired by a private equity firm, which makes them like a FAANG. The ways they’ve acted are more visible to WordPress than they are to us - they undermined the way they operate with other big hosts whose datacenters communicate with their datacenters, and users with their support. Matt explains it pretty well in this video: https://youtu.be/WU3sd1kDFLg?si=Og9QZ4_onwhbwvB3
> I see a pattern of open source leaders being judged more harshly than proprietary software leaders.
I will only speak for myself, but I find this to be baloney. I'm not judging "open source leaders" more harshly - I'm judging a single open source leader, Matt Mullenweg, harshly solely due to his own actions and statements.
You say "What WP Engine has done is be soulless." That's kind of my whole point - I don't give a fuck, at all, that WP Engine is "soulless". First, they're a hosting company, not a church. My fundamental issue with Matt's behavior in the first place is that just because a company is "soulless", i.e. whatever line he has in his head that is the "minimum" a company should have to contribute back because they use open source software he first created, that he gets to do a shakedown, take over what was their largest open source contribution in the first place, and then demand 8% of their revenue.
Frankly, I don't believe any of this moralistic framing in the first place. I think he saw WP Engine as an "unfair" competitor to WordPress.com, and his actions are simply to cripple a business competitor.
> I'm not judging "open source leaders" more harshly
On purpose, no. But it's a question of interest. People seem to have a lot of interest in going after open source tech leaders that they don't have for going after closed source tech leaders, partly because any time they go after closed source tech leaders they have to deal with paid defenders (many who are simply paid by being on the much larger payroll, partly funded by government contracts obtained through bribery).
If you'd have judged a FAANG the same way but don't ever get around to judging them, that amounts to being more harsh with open source leaders.
Whatever man. I think this is all completely irrelevant to the current WordPress saga, not to mention that I totally disagree with your 0-evidence hypothesis in the first place that people are somehow more critical of open source leaders. FWIW, there is plenty in my HN comment history lambasting Google's fall from technically-admired leader to "just another big company led by the bean counters".
> People seem to have a lot of interest in going after open source tech leaders
Also, this: Often there's more OSS users (since usually it's free).
If 1% of the users are angry, that could mean many more angry people for a popular OSS project, and comments here at HN, than for some similar proprietary software?
> They got acquired by a private equity firm, which makes them like a FAANG.
I’ve read this sentence 5 times over and still have no idea what you mean by this? How does a company being acquired by a private equity firm make them like a multinational public company? What does being “like a FAANG” mean to you?
As an aside, Automattic was an investor in WP Engine and sold their shares to that same private equity firm.
Eh, I'm not completely convinced open source leaders are judged more harshly.
Go find people on the street and ask them to name the CEO of WordPress and then ask them to name the CEO of Google. Like the average person doesn't criticize an open source leader because they have no idea who they are.
In any sort of big tech thread there are tons of criticisms about privacy violations, basic functionality, lack of support, etc.
However, more to the thread. If say Amazon yoink'd Apple's store and started selling Amazon Basic Macbooks on it there would be complaints.
I read the article as acknowledging this pressure by arguing that Weird Nerds should not be forced into people management positions. Without the workplace pressure on Weird Nerds to become people managers, would they still manage people? Maybe not.
I can’t speak for academia, but in tech companies I’ve worked at I’ve seen a marked improvement in management when there’s a tech track for engineer advancement such that they never need to become managers, if they don’t want.
Being a professor at a research university is really multiple non-overlapping jobs all at once: managing your research group, bringing in funding and publicity, helping run your department and research community, and teaching classes. PhD programs really only prepare you for the nuts-and-bolts of research, and maybe teaching. Only if you're lucky, your advisor was thoughtful enough to make proper introductions to help you get started on funding and prestige out of the gate.
It's not surprising that lots of people opt out or wash out of this system because the expectations don't match the formal preparation for it.
You can blame the bureaucrats for this multi-faceted outcome. Their ever-increasing pressure of getting new funding and balancing your books with frequent budget updates is what leads to so much time spent on those activities. And of course they tie those activities to your promotion, instead of the importance of your discoveries which is what should be the only thing that matters.
From a certain perspective, there are two kinds of fields in the academia: "laboratory science" and everything else. If you want to make a career in laboratory science, you need to be a manager and a professional beggar. You need to bring in money to hire people to do your research, and you need to support the administration with grant overheads. If you are good at the job, you pay the administration more than they pay you. Long-term non-manager positions are rare, because they are more expensive for the university than successful managers.
Outside laboratory science, the expectation to bring in funding is not as strong. You don't need much money to do research, and grants are not as readily available. As far as the administration is concerned, if you do your teaching duty without too many issues, you can use the rest of your time as you see fit. Academic politics revolve more around personal relationships with the tenured people at your department.
Even if you’re not doing performance reviews there’s still a need for directing people technically when the work exceeds what one person (even a 10xer, if such a thing really exists) can do, and that’s where you need some minimum amount of EQ.
I think the contention is that playing political games, as quoted in the article, is beyond the minimum amount of EQ normally expected for a non-management role.
Problem is that many places design their ladder such that non-managers are expected to do manager-like work past a certain level. This is to much dismay of those people who are not trained in management skills, and most of the skills they have acquired thus far are no longer being put to good use. These Weird Nerds may very well understand that being at the next level means making impact that exceeds what one person can do alone, nonetheless they will become increasingly unhappy at those roles. Maybe they will leave, maybe they will avoid getting promoted to higher levels in the first place.
I mean it really depends where the weird nerd is. I mean I can say I'm on the border of weird nerd myself, though I say I have enough EQ to get around. Never want to manage people, and have a "high enough" position for myself. The company I work for is in the middle of a new software project and just a few months in I laid out a document stating how and where the software was going to hit failure points that were going to cause outages/degradations of service. Nine months later those failures started occurring like dominoes. We had to stop on new deliveries and work on performance for months.
I mean the entire VC culture is ate up with the 10x CEO, the fact that a few other people lower down the totem pole can 10x in their narrow field shouldn't be a surprise.
> Weird Nerds should not be forced into people management positions
Let's forget the Weird Nerds for a minute and look at the following situation: a person W is technically savvy enough to have accomplished a big chunk of project X. Say, 90%. And then there is a 10% left which takes as much work. So management hires people from a consultancy to pick up the 10%. Except that these guys don't write much code. They are adept at finding their way into technical management at light speed and want to push what should be their work back to W, while doing the bare minimum otherwise. Now W has more work than before, because he has been pushed into politics. At the very least, he will need to communicate to his colleagues that they need to pick up the slack for real. With some luck, W will find a nice way to do that, but that's the kind of problem he is ill-equipped to handle.
There is something in this article which is overlooked in these comments: people like Katalin Karikó are often under a lot of pressure to perform. They can have crippling debts, or be supporting an elderly parent or relative. Or fear something as life-wrecking as a deportation. They don't get the luxury of being "average", because there are more desirable "average" candidates than them: people who speak with the right accent or in the right cultural code.
I've been using Go since 2012 (I believe). It's a great language, but it doesn't "solve concurrency". It makes concurrency quite a lot easier than in most other languages, and much easier than almost all mainstream languages circa 2012, but there's still lots of room to improve.
On HN the Apple-related headlines that make it to the top are 80-90% how glorious Apple's closed source platform is and 10-20% how awful Apple's dictatorship of their own app store is. I don't think it's true that we should not post critical articles just because Apple already "gets enough" by some standard.
Oh I don't. I expect Apple to hold their bug reporters to those standards, though, so it's interesting to see that they are giving a "bounty" to this "irresponsible disclosure".
How was the disclosure irresponsible? AIUI, multiple attempts were made to report the bug. It went viral a couple of days later on social media. I'm not aware of a link between those two events.
Huh? Group calls were not a new feature, and the teen's mother made several attempts to disclose it privately to Apple, including registering for a developer account and submitting a bug from there. I'm pretty sure that's as close to "responsible disclosure" as you can get.
What? As far as I understand, with his mom, he attempted to report it to the product-security email Apple tells you to do, they were brushed off and told to file radars, which they then did. And nothing happened. So, yes, he reported it responsibly and was ignored... traditionally, that's when security researchers say you move to reporting it via more public means...