[icodemuch]

This seems like a pretty damning indictment of Automattic. The WordPress foundation (that they presumably set up) may have rules that give them legal cover for some of the moves they’re making, but it’s going to hurt them in the court of public opinion. I think that matters to developers, who are the people ultimately responsible for choosing whether or not to contribute to / use their product. It’s true that migration cost might prevent churn from these actions right now but stopping the train of logic there seems short sighted. What about all the business that they may have received in the future that they might not get now because they’ve tarnished their brand?

[benatkin]

I don't see it catching on that this is a "supply-chain attack" (from the article, but what came to mind when you said that it seems pretty damning). It isn't an attack because it's done deliberately by the owner (yes, owner) of the platform users are downloading from and not some upstream platform. The part of the chain involved is only one level deep. Maybe it's time to stop hyping up the term "software supply chain" because it gives me You Wouldn't Download a Car vibes.

Judged on its merits and not an exaggeration, I predict that the court of public opinion is going to go the same way as the court of law – a light pushback.

[stogot]

The article mentions they made subtle changes that broke websites. One user had 150 broken client sites and had to fix one by one. If that happened to me I’d consider it a supply chain attack

[WorldWideWebb]

How is this not a supply chain attack? Mattomatic literally took over a plugin that WPE owns/maintains by co-opting its plugin URL/slug. They renamed the plugin but took control over the URL that everyone’s plugin points to for updates. Literal MITM attack.

[benatkin]

wordpress.org isn’t an intermediary, they’re the publisher, so they can’t be in the middle, and they can’t be MITM

Now, the owner of a package could do a supply chain attack (with a very short chain which is why I think the concept is overhyped), and it would be a supply chain attack, but it wouldn’t be a man in the middle attack. WordPress took over ownership of it but they haven’t published malicious to it. Back when WP Engine owned it they could have published a malicious update and it would be a supply chain attack but with a very short chain unless the user installed a project that depended on it and caused it to automatically be installed.

[WorldWideWebb]

Wordpress.org is not the publisher of that plugin - WPE is. Wordpress.org was just hosting it in their plugin directory, which is where just about the entire community goes to for plugins. I’d guess that because of this drama, more plugin publishers will choose to not publish theirs in the directory anymore.

https://www.advancedcustomfields.com

[benatkin]

I’ll use npm as an example. When someone not at npm runs npm publish, their npm client sends a request for their package to be published, which to me shows that the person isn’t the publisher because they aren’t requesting for themselves to publish the package. But I see how it might be confusing.

[WorldWideWebb]

npm is a good analogy to this, but I don’t see how either one would be considered the publisher. Those are indexes/directories/whatever-you-want-to-call-it of packages/WP plugins. Another example would be something like GitHub. If GitHub (Microsoft) decided to take over the repo URL of a rival’s repository, I don’t think there would be any ambiguity about who was in the wrong.

Anywho - I’m not looking to get into an argument with a random internet stranger so have a good one.

[cutemonster]

Agreed that it's not a MITM but for other reasons: Automattic didn't insert themselves in between two communication nodes. Instead, they replaced one node with themselves. No further communication between the original nodes to in-the-middle intercept.

Isn't it rather a flavor of Impersonation Attack?

And "fraud" is maybe an ok word too?

> wrongful or criminal deception intended to result in financial or personal gain

(says some dictionary)

[drchaos]

If npm or Ubuntu would deliberately replace a package with their own implementation, without giving you notice or making this opt-in, would you call that a supply-chain attack? I would, unless the original package contained malicious code (which is not the case with WPE's custom fields plugin)

[benatkin]

Ubuntu patches all the time. WordPress could have done exactly the same with patches! Good idea.

Sometimes a patch isn’t enough so there is something like SilverWolf. That’s kinda like ACF/SCF.

[benatkin]

That's LibreWolf.

[labster]

It’s only technically a supply chain attack. Pretty much all they did was apply a security patch and remove the other company’s IP. It doesn’t really attack a user or put anyone at risk, which is what you normally mean with an attack, so it sounds hyperbolic.

That said it is absolutely scummy and dumb, and a sign that Automattic puts its own whims ahead of its clients’ stability. Even if this issue gets settled tomorrow, we now know that Automattic is an irrational actor. Who is going to choose a software platform for new projects where every week a new drama unfolds?

[benatkin]

> Automattic is an irrational actor

They're more human than the WP Engines of the world, though.

[labster]

Indeed. To err is human.

No one wants to talk about what WP Engine does, because Matt is making own-goals twice a week.

[hn_throwaway_99]

I'll talk about what WP Engine does, because I've been following this whole saga and I think they've done nothing wrong. Worse, I'm pissed that some open source folks are defending Matt's position that's basically "well, open source is whatever I say it is".

That is, WP Engine's cardinal sin (according to their detractors) appears to be that they make a ton of money from WordPress but they don't contribute back "sufficiently" to the ecosystem. I believe (as someone who has contributed a bunch to different open source projects) that this is complete and total bullshit. Since when do individual open source creators get to decide "how much" other people/companies need to "give back"? There is a very good reason open source licenses explicitly specify what you can and can't do with code. If you don't like that, you shouldn't be releasing your code as open source. More to the point, even outside of WP Engine's legal obligations (which nobody is really seriously believing they are in violation of, Matt's post-hoc ridiculous claims of trademark infringement notwithstanding), I think the arguments that they were a bad actor in the community were false, too, especially given Matt's actions.

Other open source creators have discovered that the economics of the cloud world means that it's easier for hosting providers to make a lot of money off open source projects than the original creators of that open source software. And while this may suck, many of these other creators handled this situation in a sane, adult manner, e.g. by forking and relicensing their software, or also see the whole nascent "fair source" movement. What they haven't done is decide to hold the whole community hostage because they decide, after the fact, that they're "owed" 8% of another company's revenue.

Seriously, I'd be interested to hear any rational argument about what WP Engine did that was so objectionable. If the best they can come up with is "they don't support infinite versions as the default out of the box", you'll have to excuse me if I don't think that's some sort of cardinal sin.

[benatkin]

I see a pattern of open source leaders being judged more harshly than proprietary software leaders. I think it’s because of a feedback loop. It started before the current crop of social media. People saw they could criticize Theo de Raadt more easily than Google because Google had its own weird nerds about a decade before the phenomenon with Elon Musk. These defenders were encouraged by the money and connections of the people they were defending, which is greater than those of the open source leaders.

I’m not saying you’re doing this deliberately but if you look at how long Matt Mullenweg has been leading WordPress, I think that puts the drama into context. People have forgotten a lot of the drama with FAANGs during these two decades and their leaders were never held to account.

What WP Engine has done is be soulless. They got acquired by a private equity firm, which makes them like a FAANG. The ways they’ve acted are more visible to WordPress than they are to us - they undermined the way they operate with other big hosts whose datacenters communicate with their datacenters, and users with their support. Matt explains it pretty well in this video: https://youtu.be/WU3sd1kDFLg?si=Og9QZ4_onwhbwvB3