Hacker News new | ask | show | jobs
by chii 609 days ago
> Hijacking the ACF WordPress.org page

is it a hijacking, if they own that page in the first place? The community placed trust on that owner of the page to be impartial, which was shown to be false here of course.

This means that this community page/list should no longer be trusted, and an alternative be sought out.
2 comments
pushedx 609 days ago
IANAL, but the only expressly illegal thing that they seem to have done is maintain the "acf" tag, and used the "advanced-custom-fields" URL, which could be trademark violations.

I'm sure there are other laws that are relevant here related to deception and misuse of the subscription to the plugin updates by the 2 million users involved.

Legal issues aside, this is an extreme erosion in trust for any user of the WordPress.org platform. They can no longer have confidence that their commerical (or non-commerical) plugin won't be chopped up and have its users stolen at any moment.

link
CRConrad 608 days ago
> Legal issues aside, this is an extreme erosion in trust for any user of the WordPress.org platform. They can no longer have confidence that their commerical (or non-commerical) plugin won't be chopped up and have its users stolen at any moment.

Not just the plug-in creators, but those (“stolen”) plug-in users, too. There is an example in TFA, the guy who had to update many (150, IIRC?) of his customers’ sites after the plug-in was switched out from under him.

link
ycombinatrix 604 days ago
I don't remember this scene in The Force Awakens
link
CRConrad 604 days ago
Standard HN jargon, "The Fff...ine Article".
link
bmacho 609 days ago
> is it a hijacking, if they own that page in the first place? The community placed trust on that owner of the page to be impartial

I would say yes, it is hijacking. It is very very similar to any MITM attack ever, like anyone in the looong chain of trust deciding that they will do something with the trust they have. Like, can your ISP redirect google.com to their own google.com? They surely can, and it probably wouldn't even break their contract with you. It would be a trademark infringement, probably GDPR violation, but not much else.

Since WordPress.org acts as a traditional package repository, they can: serve you the package, or don't serve you the package for various reasons. Everything else is hijacking or worse, especially if the intent is just to turn you their user, and the result is to break your website. Even if you don't have a contract with them that they will serve WP Engine's unmodified plugin to you.

link