> Real users are not getting security updates or features they expected because the company / vendor they are buying their product from did not do due diligence to secure their supply chain.

It's not WPE's supply chain, it's the end users' supply chain. There's no way they could have seen this coming. Targeting WPE was essentially arbitrary. Users are affected because WPE was cut off, not because they did anything wrong.

> BUT WP Engine doesn't get to hide behind the limits of their obligations under the open source licenses

I'm curious to know what you think they should have done, because other than just heap money on a literal direct competitor, I can't imagine what they could have done.

> Is WordPress not open source? What stops WPEngine from doing it themselves, they have the source.

How are they supposed to have a copy of all the updates if they're blocked? This is such a nonsense suggestion. Of course they could run the servers, but those are empty servers with no data.

> If an upstream source is so critical to your business that its loss would cripple you or your customers... maybe consider spending some money on securing and retaining access to that source.

You're only just defending Automattic's literal extortion tactics. Should I as a user be worried that Linode or Hetzner will be blocked next because they aren't paying a tithe to WordPress?
I suppose not pissing off their single and sole supplier of the product they're reselling to their customers might have been a smart move. If you buy your product from your competition, you probably need to stay on their good side. Maybe not re-selling a product when their continued access to the product was controlled by a competitor might also have been a good idea.
> Of course they could run the servers, but those are empty servers with no data.
Do they not have the source? Probably time to start hiring some developers and make their own patches for security issues in the product they're selling. No warranty express or implied is exactly that. They get the software, they get the source. Everything else is a bonus. Especially if the defense of their conduct is that there's no obligation for them to have done anything more than the license required of them.
> Should I as a user be worried that Linode or Hetzner will be blocked next because they aren't paying a tithe to WordPress?
Yes, you probably should be. Any time you're reliant on a single source of failure for a critical component of your business you should be worried about it. Sometimes you accept the risk and nothing happens. And sometimes you accept the risk and something does happen and you learn why redundancy is important.