
I'd been staying out of this conflict, partly because I'm not really in the know on WP Engine's behavior behind-the-scenes and, as weird as Mullenweg's plays have been, I don't like to comment on things I'm not fully read into.

But, this touches on a particular hobby horse of mine. It involves some old conflicts too, but I don't want to ruminate on them.

From about 2016 to 2019, I was heavily involved with trying to remedy what I considered an existential threat to the Internet: WordPress's auto-updater.

https://core.trac.wordpress.org/ticket/25052 + https://core.trac.wordpress.org/ticket/39309

If that sounds alarming, consider the enormity of WordPress's market share. Millions of websites. W3Techs estimates it powers about 43% of websites whose server-side stack is detectable. At the time, it was a mere 33%.

https://w3techs.com/technologies/overview/content_management

For the longest time, the auto-updater would pull an update file from WordPress.org, and then install it. There was no code-signing of any form until I got involved. So if you pop one server, you get access to potentially millions.

Now imagine all of those webservers conscripted into a DDoS botnet.

Thus, existential threat to the Internet.

Eventually, we solved the immediate risk and then got into discussing the long tail of getting theme and plugin updates signed too.

https://paragonie.com/blog/2019/05/wordpress-5-2-mitigating-...

https://core.trac.wordpress.org/ticket/49200

You can read my ideas to solve this problem for WordPress (and the PHP ecosystem at large) here: https://gossamer.tools

Here's the part that delves into old drama: Mullenweg was so uncooperative that I wrote a critical piece called #StopMullware (a pun on "malware") due to his resistance to even commit to solving the damn problem. On my end, I reimplemented all of libsodium in pure PHP (and supported all the way back to 5.2.4 just to cater to WordPress's obsession with backwards compatibility to the lowest common denominator), and just needed them to be willing to review and accept patches. Even though I was shouldering as much of the work as I logically could, that wasn't enough for Matt. After he responded to my criticism, I took it down, since he committed in writing to actually solving the problem. (You can read his response at https://medium.com/@photomatt/wordpress-and-update-signing-5... if you care to.)

The reason I'm bringing this old conflict up isn't to reopen old wounds. It's that this specific tactic that Mullenweg employed would have been mitigated by solving the supply chain risk that I was so incandescent about in 2016.

(If you read my proposals from that era, you'll notice that I cared a lot about the developers controlling their keys, not WordPress.)

I don't keep up-to-date on Internet drama, so maybe someone already raised this point elsewhere. I just find it remarkable that the unappreciated work for WordPress/PHP I did over the years is relevant to Mullenweg's current clusterfuck. Incredible.

Since my knowledge on the background noise that preceded this public conflict is pretty much nil, I have no reason to believe WP Engine hold any sort of moral high ground. And I don't really care either way.

Rather, I'd like to extend an open invitation: If anyone is serious about leading the community to fork off WordPress, as I've heard in recent weeks, I'm happy to talk at length about my ideas for security enhancements and technical debt collection. If nothing else comes of this, I'd like to minimize the amount of pain experienced by the community built around WordPress, even if its leadership is frustrating and selfish.




Very interesting. I’ve been writing code for a while but if I’m honest I have no idea how code signing works. Any good resource on how it works especially in php?


It's just an Ed25519 signature of a file. The closest thing we have to runtime code-signing are Phar signatures. https://www.php.net/manual/en/phar.fileformat.signature.php
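An added example of that idea in PHP using the sodium extension (not the commenter's code and not WordPress core): the release is signed offline with a secret key, and the updater checks the downloaded bytes against a pinned public key before installing, so a compromised download server cannot substitute its own file. The keypair, the archive bytes and the `updateIsAuthentic` helper are constructed here for illustration.

```php
<?php
// Added example: detached Ed25519 signature over an update archive,
// verified with a pinned public key (PHP >= 7.2 with ext/sodium, or the
// paragonie/sodium_compat polyfill for older interpreters).
declare(strict_types=1);

// --- Release side (run once, offline, by whoever controls the key) ---

// The secret half never touches the update server; only the public half
// is shipped inside the updater.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

// Constructed stand-in for a release archive (in practice the .zip bytes).
$release = "constructed sample: contents of wordpress-x.y.z.zip";

// Detached signature: SODIUM_CRYPTO_SIGN_BYTES (64) bytes, published
// next to the archive rather than embedded in it.
$signature = sodium_crypto_sign_detached($release, $secretKey);

// --- Client side (the auto-updater, which has $publicKey pinned) ---

/**
 * Hypothetical helper: verify a downloaded archive against its detached
 * signature before anything is unpacked or executed. True only if the
 * bytes are exactly what the key holder signed.
 */
function updateIsAuthentic(string $archive, string $sig, string $pinnedPublicKey): bool
{
    if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature: reject without calling verify
    }
    return sodium_crypto_sign_verify_detached($sig, $archive, $pinnedPublicKey);
}

echo "genuine archive verifies: ";
var_dump(updateIsAuthentic($release, $signature, $publicKey));

// Altering even one byte after signing breaks verification, which is the
// property that takes the download server out of the trust boundary.
$tampered = $release . " + altered bytes";
echo "altered archive verifies: ";
var_dump(updateIsAuthentic($tampered, $signature, $publicKey));

// Clear the secret key from memory once the release is signed.
sodium_memzero($secretKey);
```

Run with `php example.php`; the first check should report true and the second false. The pinned public key is the only secret-free input the client needs, which is why the thread's point about developers holding their own keys matters.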


I will happily promote and link to any forks from WordPress.org. I've linked to two already, let me know if I need to promote more.


That doesn't move the needle as far as restoring the trust you've broken.

You should negotiate with WP Engine to drop their suit contingent on your resignation. Maybe they'll go for it. Resigning is the only thing that would prove you're serious about allowing your power to be checked. And perhaps the only thing that would stop you from cutting a huge settlement check (probably within weeks and not the years you've anticipated).

Do you think that's something you're capable of? Do you care more about the future of WordPress and of open source than you do about your own power and rivalries? Will you prove it to us?

To be frank I don't believe you will. I'm pretty cynical about this kind of thing. But I've been wrong before. It would take a very strong person to admit, not just publicly but to their bitter rivals, that they had lost control and damaged their own life's work.

But if that person is you - it wouldn't be much, but you'd have my admiration.

---

Stark: Make peace with the Lannisters, you say? With the people who tried to murder my boy?

Baelish: We only make peace with our enemies, my lord.


While I appreciate the sentiment, I don't know that a hard fork is necessarily the right answer.

https://scottarc.blog/2024/10/14/trust-rules-everything-arou...




> In this lawsuit against you and your mother, is it you or her who is accused of sexual harassment and racism?

Both (and the company through which they employed the plaintiff) are accused of the various discrimination, harassment, wage theft, etc., violations.

(EDIT: Though his mother is apparently accused of doing the direct racially- and religiously-bigoted statements, and the persistent graphic descriptions of Matt's sexual escapades, Matt's role -- other than as ultimately responsible as employer -- is participating directly in retaliation by taking complaints about the behavior back to his mother who accelerated rather than taking action to curtail them.)

> I don’t have access to read the case details.

You don't need access, you just need to go straight to the court site instead of a third-party aggregator.

https://webapps.sftc.org/ci/CaseInfo.dll?CaseNum=CGC22600093

And, if you had a nickel for every currently-active lawsuit against Matt and his mom for that kind of thing filed on June 9, 2022, you'd have two nickels, which isn't a lot, but it's interesting that there is more than one...

https://webapps.sftc.org/ci/CaseInfo.dll?CaseNum=CGC22600095


Am I reading this correctly? This guy owns an LLC through which he directly employs a personal healthcare team for his mother? And Mr. "Post-Economic" couldn't pay his nurses a fair wage?


> PLEASE TAKE NOTICE that Defendants hereby respectfully object to the Case Management Order, Notice of Time and Place of Trial and Trial Related Orders dated May 23, 2024. Since the filing of Defendants’ Case Management Conference Statement on May 21, 2024, Mira Hashmall, lead counsel for Defendants, has had a 5-7 day trial scheduled with a start date of March 17, 2025. With the trial in this matter starting on March 10, 2025, and trial in Case No. CGC-22-600095 starting on March 24, 2025, that would be three back-to-back trials and potential overlap amongst them.

"three back-to-back trials"? Is there more?


The attorney in question may have other clients.



