Hacker News new | ask | show | jobs
by sgdfhijfgsdfgds 611 days ago
Wordpress has a (highly effective) auto-updates mechanism for security patches.

It was extended a couple of years ago to automatically apply plugin updates for you if you opted in, and I think automatic plugin updates may now be the default.

(This is on balance a good thing; almost all WP vulnerabilities are outdated plugins, and until this mechanism was prevalent, WordPress occasionally had to live-patch existing installations of third party plugins in the case of severe vulnerabilities.)

The reason this nasty little takeover worked is that they (Matt, whoever helped) have stolen ACF's slug (advanced-custom-fields). So as far as the updater is concerned, it's just another plugin update to the same code base.

And in fact, very little has changed.
1 comments
arielcostas 611 days ago
IDK if WordPress plugins respect SEMVER, but shouldn't this auto-update thingy update only patch versions, or minor versions at most? Idk, breaking changes like these is definitely not something you want your CMS to do overnight when you won't notice until you receive complaints that your site is broken
link
mldevv 611 days ago
Yes and that is a huge deal - I made this point to others that it shouldn't be considered a minor version change
link
sgdfhijfgsdfgds 611 days ago
Right. And actually this small detail is emblematic of the whole problem.

When you roll out an auto-updates mechanism you're saying to the people who enable it "you can trust us to do the right thing with your project while you are elsewhere -- this is a risk but it's one we manage for your benefit".

If you roll out a change for purely political/commercial reasons that are ultimately not your end user's concern -- we're not a party to that lawsuit -- then you're undermining the trust in that mechanism entirely.

It was a stupid, arrogant, underhanded thing to do.

link
sgdfhijfgsdfgds 611 days ago
Yeah.

I don't know off-hand what the rule is for plugin updates, actually; I'd have to look it up.

As far as WordPress itself is concerned, the updater definitely does not auto-push updates to major WP versions by default [0], and they continue to patch older versions for a long time.

But at any rate, whether the plugin updates respect SEMVER or not, Matt/WP.org pushed this bullshit out as the most minor of minor version number changes over the previous ACF version: 6.3.6.2.

https://wordpress.org/plugins/advanced-custom-fields/advance... (scroll down to the bottom and you can download the previous version to diff it)

So as far as the poor benighted plugin updater is concerned, it's just a change to the display name, which is inconsequential.

[0] WP Engine do, ironically, on a pretty short timescale!

link