He's already forced them to create an alternative store with their plugins so they can be used on WPEngine. Now he will force a split between the official version, hosted on WPEngine and the one hosted on WordPress.org. Misrepresenting a trademark and causing confusion, exactly what he accused WPEngine of in the first place.
Have they ever announced a CVE like this before? This seems really convenient. I don’t really like conspiracy theorizing, but with everything going on, it doesn’t seem far-fetched to think this is sabotage.
One idea that crossed my mind is that Automattic found a security issue and now they can "force" WPEngine to come up with a mechanism for managing plugins on their own. Then when all this hits the courts they point and go, "See, they could set up their own infrastructure in less than 30 days. They just chose to use ours to save money." Or if WPEngine fails to do so, they lose credibility as a WordPress hosting provider.
Couple that with Matt's clearly hinting post earlier today[0] and it really feels... calculated. Just another thing for them to throw on the lawsuit I guess.
Maybe "Automattic announces responsible disclosure of safety issue in WP-Engine-plugin" or something like that? It's pretty clear that they are doing it maliciously but I don't think it should be put in the title as if it's a confirmed fact.
I would have liked to make it "WP-Engine-developed plugin" or something like that because it's not specifically a WP Engine plugin, but the title length limit is 80 chars, right?
This one doesn't have a natural title. Then we let the community judge whether we've been clickbaited in regards to the mismatch between title and this tiny tweet.
Automattic and WP Engine are in litigation. The story roughly goes like this:
Matt (CEO of Automattic) tries to get WP Engine to contribute more to WordPress development, including stuff close to blackmail
WP Engine sends a cease and desist
Automattic sends a cease and desist to WP Engine claiming trademark infringement
Automattic bans access of WP Engine customers to WordPress servers, breaking plugin updates (which was temporarily reinstated and then banned again after a deadline of a few days)
WP Engine sues Automattic
Automattic has a program where employees can leave until a deadline and get a severance payout if they are unhappy with the management.
It's awfully convenient to hold the person you're in litigation with to a thirty day deadline before publishing a CVE when you've banned them from the servers where they publish the fix.
There are many words one could use to describe the scenario, but at the top of my mind is the one I would expect to be wielded by modern business schools:
In the world of late-stage capitalism we live in, sensibility and morals are cutting into profit margins. In effect, having either is as good as leaving money on the table. Here Automattic have figured out a novel way to shut out competition, and more.
This same thread has already seen the next step in the playbook, too: reassign ownership of plugins that have high-severity CVEs open for more than 30 days, in the name of protecting the product, its integrity, and the community. The blunt word for that would be "theft".
Just like a sibling comment to yours rightly called this tactic "extortion".
I believe the fact that WP Engine relies on WordPress’ servers to run their platform suggests that this is more than just an open-source issue. If the problem were solely related to the source code, WP Engine’s access to WordPress servers wouldn’t be so critical. Although I’m not very familiar with WordPress, it appears their service is highly dependent on WordPress maintaining its servers, which makes the expectation for some kind of financial support seem reasonable.
Everyone relies on those servers. That's how WordPress ships. There is no way to make it use other servers and WordPress is an otherwise very flexible platform; it benefits from centralizing all of that as illustrated by the way it's designed. The whole ecosystem works around it.
So should everyone have to pay then? Everyone who uses the software uses the servers. If not what's the threshold? And remember that Matt has insisted WordPress.org ("those servers") belong to him personally, not to WordPress or to Automattic.
If you're going to monetize access to plugins and themes produced from volunteer work on your open source code... can they monetize too? Does everyone get a cut?
> Everyone relies on those servers. That's how WordPress ships. There is no way to make it use other servers
Making this configurable is something he has explicitly rejected:
> > When do you plan to add support in the admin UI for alternate source urls for plugins and themes, so that others can more effectively mirror your apparently overtaxed infrastructure?
> Why would I build that? The built-in source works great, for tens of millions of servers.
If I run a service that hosts VS Code in the cloud, should I have to pay Microsoft for my users to be able to access the extension marketplace or receive updates?
Visual Studio Code is the proprietary version (under the Microsoft Traditional License) of the open-source Code - OSS repository (licensed under MIT). Most of the code is open source, except for a small portion that includes elements such as code used for or providing access to services we run in our data centers (e.g., access to the Visual Studio Marketplace).