WP, phone home

The day before 2.3 is due to be released, hell breaks loose on wp-hackers as they fail to see why update notifications require Automattic to grab blog urls. Matt explains that they already know your blog url because they’ve been forcing you to ping Ping-O-Matic for years, and anyway it could be useful in the future. (Collecting information when you don’t really know what you want to do with it but you’re sure you’ll think of something? Yeah. That’s going to assauge people’s paranoia.) Hackers point out that Ping-O-Matic isn’t taking notes of what plugins and version numbers they’re using. Matt tells them if you don’t like it, fork. (I cannot be the only person who thinks this response is beginning to sound a little tired.) In response to pressure from Mark Jaquith, Matt racks his brains to think of something he could use the urls for in the future and comes up with some stuff about tying offsite blogs more closely into .org (He’s really not proving that good at this assuaging paranoia thing, is he?)

Doug Stewart’s explanation of how this isn’t going to play well with Techcrunch naturally goes unaddressed, because there isn’t really anything you can argue with:

If TechCrunch, Engadget, Slashdot, Kuro5hin, Linux Today, Ars Technica, etc. get wind that WordPress is “phoning home” and not notifying users that it is doing so (with some explanation as to the full ramifications), well, I think Six Apart’s recent issues with Open Sourcing MT 4 are going to look like a tempest in a teapot. Your reputation is something that is extremely difficult to build up, fairly difficult to maintain and EXTREMELY easy to lose very quickly.

Well, ok, I’m not sure about that last bit since the fanboys have been extraordinarily forgiving in the past, but I’m sure Six Apart could tell you that the more devoted the fans are to start with, the nastier they get when they think you’re screwing them over.

I don’t, as it happens, think this issue is as huge as they’re making out. If you’re so worried about security that you think people are going to hack into the wordpress.org database to find out what plugins you’re using, then why are you still downloading software in which holes are found every month from a server which was compromised earlier this year? And if you’re so worried about privacy, why are you using software that has a long-established history of ‘phoning home’ through hotlinked images and default pings? The majority of wordpress users are, by definition, fairly indifferent to privacy and security.

And the other thing is that, selfishly, I find it really hard to care what crap goes into 2.3 because I have no intention of having anything to do with it. Well, maybe some light theme testing, but it’s not something I’ll ever use. My main problem these days is deciding between Textpattern, MT and Habari.

64 Comments »

  1. drmiketemp said

    Yet another reason why we’ve been debating removing WordPress from my boxes.

    Why I wonder about is why this is coming up just now and not previously when this code was added into the trunk/ beta/ whatever. Not complaining. Just wondering why it took a bit.

    And, yes, I chuckled when I saw the bit about “trusting wp.org.” My trust ended a long time ago with that site.

  2. Maybe they were keeping quiet because they assumed it was a first pass at the code and that the troublesome urls would be gone by release time? Or, more likely, they don’t have the time to monitor Matt’s commits as closely as they should.

  3. drmiketemp said

    And to increase the worry of trustworthiness, it appears that wp.org is offline. I went to see if there was a thread on the subject but the site is not responding for me.

    Well, that removes all of the concern that I’m feeling.

  4. i’m working on the same problem, although at this point I know wordpress so well, i can’t imagine using anything else for client work.

    textpattern’s default template is utter shite. the one graham bancroft built for bus full of hippies is better (header and footer templates at least). My biggest issue with TxP is that you can’t trust plugin authors, since all plugins have to be installed as compiled PHP. it’s on par with obfuscated PHP in wp theme footers.

    MT4 is nice, no major gripes yet. well, except for the pages stuff being not exactly usable yet, and dynamic publishing being more difficult that i expected. it remains to be seen what will be included in the GPL crippleware version, though.

    habari still won’t install.

    Drupal is actually my frontrunner. there’s a modified wp2drupal that works with drupal 5, but the guy’s site is down ATM. it does way more than i need, but that’s okay by me.

  5. Root said

    @sbk: When a guy of your calibre still can’t install Habari it has to make you wonder what they are doing.

  6. Andrea said

    One of these days someone is going to do a true fork of WP, and that will be interesting. Especially to see matt’s head explode.

  7. Root said

    Matt would be delighted. He could get rid of all the malcontents like us. :)

  8. it’s not so much habari’s or my fault, as it is that pdo.so is not terribly popular (PHP5 is plenty popular).

  9. skippy said

    sunburntkamel: if you care to post to the habari-dev (or habari-user) mailing list, we’d be happy to help try to iron out any problems you might be having. I don’t know anything about your configuration, so I can’t suggest anything at this time.

  10. I know it’s being ferociously debated on the Hackers thread, but what’s the thinking behind collecting this information? Unless Automattic had a vested interest in it, I’d think they’d drop the URL harvesting like a hot potato.

  11. Picture Improvement said

    “Why I wonder about is why this is coming up just now and not previously when this code was added into the trunk/ beta/ whatever.”

    Matt made the same complaint, but the answer should be obvious. Only a very small number of people pay attention to all commits, and they aren’t necessarily the ones most concerned about privacy or security. The issue would’ve come up earlier if the community at large had known about it. I’m more inclined to blame the developer(s) who didn’t bother consulting with privacy advocates than the privacy advocates who didn’t know there was a feature they hadn’t been consulted about.

    It’s possible that someone did care, actually, but it’s mostly n00bs who bother starting discussions on wp-hackers: I can’t even remember the last time a discussion there had any effect on development. Lots of verbiage, a brusque dismissal from on high if you’re lucky, and nothing ever changes.

  12. Timothy Appnel said

    Interesting thread here. The issue hand doesn’t seem like that big a deal. The response by the community leaders is a bit disheartening to read even if I’m not a user.

    Has anyone gone over the privacy policy? http://automattic.com/privacy/ It seems to make reasonable assurances (though I have no legal expertise) though it does not list pingomatic.com as one of the site. From what I understand Automattic donates servers, but its not an official venture of the company. That said I don’t know who “owns it” and if there is some conflict of interest or other commingling of operations.

  13. engtech said

    I’m sure Six Apart could tell you that the more devoted the fans are to start with, the nastier they get when they think you’re screwing them over.

    Truer words never spoken.

    Ruby With Rails’ one click install package (Instant Rails) comes with some blog software called Typo. I got tempted for a second while I was looking at it :)

    (and all open source should provide a no-dependencies, comes with apache/mysql/everything, no install footprint like Instant Rails — just let me try it!)

  14. Kissing Bandit said

    I’m truly disgusted with Mattco™. This, in my opinion, is a new low, even for him. There is absolutely no reason that WP.org should collect and store personally identifiableinformation about its users — I don’t care what “future” plans he may have in the works to make life easier.

    I’ve tossed this around in my head a few times and I cannot come up with a feasible reason. If they want to collect plugin usage data, that doesn’t require collecting and storing the URL.

    I’m at a loss for words. Learning about this actually makes me sad, especially for all the people who don’t even realize this is happening because they glossed over it in their WP 2.3 release announcement — in fact, they made it sound like a feature enhancement. *sigh*

    -KB

  15. [...] I sense increasing disquiet amongst some long standing, intelligent and loyal WordPress users so I took the precaution of [...]

  16. typo’s also on my list of “can’t install”‘s. it’s a shame, since typogarden has the prettiest themes outside of wordpress and MT3. i’ll probably post to the habari list later this week or next week.

  17. @Timothy: Automattic’s privacy policy did come up in the wp-hackers discussion, but since Matt had previously stressed that ‘WP.org != Automattic’, at least one person interpreted that to mean that the privacy policy did not apply in this instance. As far as I can work out, Automattic doesn’t own wordpress.org in order to maintain some semblance of it remaining a free OS project owned by the community. In the absence of a non-profit foundation, it remains Matt’s personal property. And I don’t think Matt has a privacy policy on any of his personal sites.

    Root, you’re right: Matt would like nothing better than for somebody to make a proper fork. Not only would it clear the decks of dissidents but it would give his code some extra credibility. It must have been a slap in the face when the habari team said ‘you know, actually we’d rather start from scratch than try to make anything out of that ancient bloated stuff.’ A fork would say ‘we don’t agree with the way you’re running this, but your software is so great we can’t bring ourselves to give it up. It inspires us to pick up the baton and run with it elsewhere.’ So far nobody has been prepared to give either Matt’s leadership or his code that kind of endorsement. Either they stick with WP because the politics aren’t important enough to push them out, or they junk the platform along with the politics. My own feeling is that if you’re forward-thinking enough to contemplate forking, you also recognise that WP is getting on a bit and that PHP5 and Ruby on Rails are better bets for the future.

    Speaking of which, I forgot about Typo! I’ll have to look into it again. I thought about learning Ruby a while back, but that went the way of most of my random thoughts.

  18. WP/PHP4 is getting on a bit but MT4/Perl isn’t? huhwha?

    in the absence of a foundation, it’s just like it’s code: personal property of the contributors. the onus of the privacy policy falls on the site to which the information is transmitted: api.wordpress.org.
    at least all the wanking in hackers did get matt to mention that he’s transmitting the stuff, albeit without any information about the security of said stuff.

  19. excuse my second ‘its’ and its extraneous apostrophe.

  20. If you move to MovableType, you can always start wank.typepad.com! On the plus side, the developers are considerably saner and less up themselves.

    Anyway, this data being collected is interesting in that in many cases they are collecting data on plugin uses (and thus, to an extent, personal preferences; a stock tracker widget would suggest interest in investment, for instance) and associating it with data that it sometimes, or even often, personally identifiable (blogs which state author name, WHOIS data, etc.)

    IANAL, but I really wonder whether this raises EU->US data export issues, and whether there is sufficient disclosure of what the data is used for to satisfy relevant laws? A number of large companies have serious trouble with this sort of thing.

    Also, from the policy: “We don’t store personal information on our servers unless required for the on-going operation of one of our services… In our blogging products, we aim to make it as simple as possible for you to control what’s visible to the public, seen by search engines, kept private, and permanently deleted.” Obviously, .org is a law unto itself.

  21. WP/PHP4 is getting on a bit but MT4/Perl isn’t? huhwha?

    Heh, I was going to mention that WP looked cutting-edge in its day alongside clunky old Perl-using MT. The things inclining me towards MT are the nicer interface, multiblog capacity and being able to use my livejournal skins ;) But the slowness remains a kicker.

  22. MT slow? You mean the admin interface? You can improve things considerably by using FastCGI, generally.

  23. Andrea said

    But did MT get any better at stopping spam? I kicked MT2.6 to the curb for WP.

  24. Su said

    The thing that’s most interesting here, at least to me, isn’t so much the collecting of the information(not that I agree with it), but that Matt’s refusal to provide an opt-out extends to the point of, “Go fork yourself.” I mean, seriously?

    While I can think of many applications that send various bits of information home, coming up with one that neither asks, nor lets you disable that is a lot harder.

  25. Michele said

    @Andrea – MT’s default anti-spam setup is pretty good and can be tweaked. WP’s default anti-spam plugin (Akismet) was seriously over rated.

  26. drmiketemp said

    Andrea, I’ve only had two spam comments hit my MT blog in two months and both were caught by the internal MT systems.

  27. Alan said

    Well duh. WP has always phoned home. It’s one of the reasons I no longer use WP. But I don’t blame Matt for doing this. It’s the bane of open source projects. The developers have to make money somehow otherwise there won’t be enough to sustain a decent lifestyle. Collecting data on users is Web 2.0 currency.

  28. [...] 2007-09-25: A couple of articles: wank.wordpress.com & Slashdot This entry was written by docwhat, posted on 2007-09-24 at 1:30 am, filed under [...]

  29. Root said

    Matt needs to Fork off :)

  30. Seems Matt is getting crazy.

    Before upgrade your wordpress be sure wipe your/wp-admin/includes/update.php file :D

  31. Kissing Bandit said

    …or change line 29 from:
    $http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";

    to

    $http_request .= 'User-Agent: WordPress/' . $wp_version . '; http://www.example.com/' . "\r\n";

    Of course, I haven’t mucked around in the code enough to know if that’s the only location you’d need to change.

  32. Also, you have to modify the code and just send the plugin name without plugin version and descripción…. should this work? who knows.

  33. _ck_ said

    Some interesting (and helpful) things being said here compared to the insanity on Slashdot. A few thoughts to contribute for what it’s worth:

    1. Forced version checking is kinda pointless unless WordPress is going to update itself and who in their right might with all the security issues is going to chmod 777 their WP directory to allow it to self update? Why not just stop at a banner being displayed insisting that a new version is available and just highly recommend an upgrade?

    2. What kind of ego does it take to NOT spend an extra few minutes of coding time to add a checkbox to the admin page to disable this feature for those that know what they are doing (and ping-o-matic is one of the first things I remove on any new WP setup, so some people are indeed aware of it and dislike it).

    3. Going back to MovableType? Oh HECK no. I still groan everytime I have to work on an old 2.661 version to help out a friend. Maybe you need to go watch 800 entries compile into new pages (and watch the server loads climb through the roof) to remind you why we abandoned their methods. There were some politics with MovableType like this fiasco too.

    4. I sure hope bbPress learns from this fiasco and gives an opt-out when this “feature” gets folded in, because I would hate to walk away from all my time invested to help that project :(

    5. There is a growing problem with the sheer number of plugins required to make a WordPress or bbPress setup behave. All those file loads are starting to add up and affect page rendering time even on fast servers with opcode caches. More has to be done in the core with fewer includes. The concept of seeing WP/BB as a bare framework has to be abandoned or compromised sometime soon. Why still in 2.3 are comments not paginated without a plugin? Why was tagging natively a priority when basic UI functionality is still not standard?

  34. Kissing Bandit said

    WordPress has just be outted in a very big way:
    Slashdot: Developers Admit WordPress 2.3 Spies On Users. Of course, MattCo™ got to them and they issued an “update” and article title change to “WordPress 2.3 Does NOT Spy on Users”. That’s a comedy of errors if ever I saw one. I’ve said it before and I’ll say it again, Matt is the master of spin.

    -KB

  35. Kissing Bandit said

    Also, you have to modify the code and just send the plugin name without plugin version and descripción…

    Then the script will not be able to tell you whether you need to upgrade or not. Kind of defeats the purpose.

    The only bit of information that MattCo™ doesn’t need to collect from users is their blog URL. Period. The only information necessary to say “hey, you’re plugin’s outdated” is the plugin name and current version number.

    -KB

  36. Kissing Bandit said

    My apologies for the deluge of comments, but I also forgot to note in my first one that Matt refutes the article stating that “in fact [he links] to one of the plugins in the release announcement”. That link didn’t mysteriously appear until after the noise started. (Hint: check the Google Cache version.) So far, Matt is par for course.

    -KB

  37. _ck_ said

    The only information necessary to say “hey, you’re plugin’s outdated” is the plugin name and current version number.

    Actually no information needs to be sent at all to do this properly.

    If there was a mini-downloadable database of all the current version numbers, a blog would NOT have to send ANY information at all.

    It’s a far better technique too, where the server only has to do the work once to compile the mini-database and the client-side does all the work comparing version numbers.

    Then the DB is assigned a version number (build #) in itself and you only download the new DB when it’s a major build number change.

    Completely passive technique and no privacy violations of any kind.

    IMHO, easier to code too.

  38. [...] info By _ck_ Categories: WP development With the 2.3 fiasco of sending a list of all plugins being used and blog url to the WP servers, I can’t [...]

  39. I like the way Matt says to others to “fork” the software, while even myself shows interest, I have this ‘feel’ that it can’t be forked anyway, I don’t know why but forking WordPress isn’t really any option somehow, no wonder the Habari developers have started from scratch.

    Read the comments on Slashdot, a few have stated its a mess to deal with to try forking since the underlying architecture is a mess and it’s bugged with security holes. That certainly changes my view on the software, I just hope Matt gets his act together and starts listening to others concerns, regarding security otherwise it is going to hurt WP in the end.

  40. vcdgeek said

    Iam just waiting for Habari to be released.
    Hope its soon.

  41. drmiketemp said

    But Matt says that he always listens to end users. *snort*

    (Follow the link and do a search within that page for ‘listen.’)

  42. Kissing Bandit said

    That’s a damn fine example _ck_ — never thought of that. Thanks for bringing it up.

    -KB

  43. [...] myself, although based on the number of offers for help installing Habari I landed myself with one comment on WW, I’m going to give Habari another shot in the near [...]

  44. But Matt says that he always listens to end users.

    Nice try Mr. Mullenweg. I don’t get fooled.

  45. drmiketemp said

    Actually most of the interview is BS. I just haven’t had the time to shift through it and write up a response.

    Not that it would matter though of course.

  46. Su said

    I still groan everytime I have to work on an old 2.661 version to help out a friend.

    You’d help your friend out a lot more by doing a proper upgrade, you know. Are you seriously judging MT based on that version? I’m not even interested in changing your mind; I couldn’t care less what you use. This is just ridiculous.

  47. AJ said

    @Kissing Bandit

    Or maybe change the URL to http://photomatt.net instead of example.com :D

  48. options said

    here’s a crackpot (or just crappy) collage of some random quotes

    Moritz ‘Morty’ Strübe
    Sun Sep 23 22:29:28 GMT 2007

    Matt Mullenweg schrieb:
    > Mark Jaquith wrote:
    >> Back up a minute. Why is the blog URL needed?
    >
    > 1. It does no harm.

    It can. We only have your word for that. And sorry, that is not enough for me. Especially if it does not have to be.

    > 2. It’s simple, easy, and self-evident.

    Wrapping md5 around it is, too.

    > 3. It could be useful in the future.

    What for?

    well, guys just like to play with other people’s data:

    Okay, you’ve stumbled on the real secret behind this site.

    Why go to all the trouble of setting up a free system that sends out over a hundred thousand pings a day? To play with all the data of course. :)

    further goes a totally unrelated, off this topic stuff, but somehow it’s also came across into my paranoid mind:

    Part of what gave the News Departments their start is that other big sites have noticed the Top Posts and asked us to feed them the best stuff in certain established categories.

    .
    2TGA: wank look.

  49. drmiketemp said

    I finally having the chance to skim through that thread and there is one thing that sticks in my mind.

    Mark Jaquith and Robin Adrianse are telling Matt that this isn’t a good idea. Both of those folks are fairly big contributers to the wordpress development and they’re saying that it’s not a good idea. Robin even mentions that she may regret sending that email but she still sends it.

    I do like Aaron post though. “I’d highly doubt that even if you convinced Matt…”

  50. *sigh*

    wank, looks like I’ve been Akismet’ed yet again. My comment disappeared.

    “I believe in Free Speech” my a*cough*s….

  51. seems Akismet is a powerful censorship tool… beware matt wishes xDDD

  52. Kissing Bandit said

    @AJ:

    That thought did cross my mind, but I thought I’d be nice. ;)

    -KB

  53. WP 2.3 Update Notification vs. WP-Plugins DB

    As there’s currently some discussion ongoing if WP 2.3 should send your plain URL to WP.org (while checking for some newer versions of your plugins you use), or not.
    I would like to mention one alternative, at the same time I’ll cover some …

  54. My Habari said

    [...] I sense increasing disquiet amongst some long standing, intelligent and loyal WordPress users so I took the precaution of [...]

  55. [...] WordPress 2.3.x arrived on the scene, there was a huge kerfuffle over the privacy implications of its new update notification feature. Since I see no point in [...]

  56. [...] now reports a missing table (wp_post2cat) which is slightly irritating.Also, I sense increasing disquiet amongst some long standing, intelligent and loyal WordPress users so I took the precaution of [...]

  57. Elpie said

    If you are interested – WordPress now phones home far more data than it did with 2.5.
    I wrote a post about what its collecting (without permission) now: http://lynnepope.net/data-wordpress-sends

  58. drmike said

    We have a plugin on wpmu that removes many of these callouts. Not sure if it gets all of them though:

    http://snipt.net/cafespain/wordpress-mu-remote-call-removal-plugin/

  59. [...] I sense increasing disquiet amongst some long standing, intelligent and loyal WordPress users so I took the precaution of [...]

  60. Your blog is really excellent. It inspires the readers who has that great desire to lead a better and happier life. Thanks for sharing this information and hope to read more from you.

    • I can’t really explain why I think this spam is awesome. I think it is because it is totally inappropriate for the blog in question without having to mention Viagra.

  61. Hi there colleagues, fastidious paragraph and good arguments commented here,
    I am truly enjoying by these.

  62. I know this if off topic but I’m looking into starting my own blog and was wondering what all is needed to get set up? I’m assuming having a blog like yours would
    cost a pretty penny? I’m not very web smart so I’m not 100% sure.
    Any tips or advice would be greatly appreciated.
    Kudos

  63. mẫu email marketing hiệu quả

    WP, phone home | wordpress™ wank

RSS feed for comments on this post · TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s