The day before 2.3 is due to be released, hell breaks loose on wp-hackers as they fail to see why update notifications require Automattic to grab blog urls. Matt explains that they already know your blog url because they’ve been forcing you to ping Ping-O-Matic for years, and anyway it could be useful in the future. (Collecting information when you don’t really know what you want to do with it but you’re sure you’ll think of something? Yeah. That’s going to assuage people’s paranoia.) Hackers point out that Ping-O-Matic isn’t taking notes of what plugins and version numbers they’re using. Matt tells them if you don’t like it, fork. (I cannot be the only person who thinks this response is beginning to sound a little tired.) In response to pressure from Mark Jaquith, Matt racks his brains to think of something he could use the urls for in the future and comes up with some stuff about tying offsite blogs more closely into .org. (He’s really not proving that good at this assuaging paranoia thing, is he?)
Doug Stewart’s explanation of how this isn’t going to play well with Techcrunch naturally goes unaddressed, because there isn’t really anything you can argue with:
If TechCrunch, Engadget, Slashdot, Kuro5hin, Linux Today, Ars Technica, etc. get wind that WordPress is “phoning home” and not notifying users that it is doing so (with some explanation as to the full ramifications), well, I think Six Apart’s recent issues with Open Sourcing MT 4 are going to look like a tempest in a teapot. Your reputation is something that is extremely difficult to build up, fairly difficult to maintain and EXTREMELY easy to lose very quickly.
Well, ok, I’m not sure about that last bit since the fanboys have been extraordinarily forgiving in the past, but I’m sure Six Apart could tell you that the more devoted the fans are to start with, the nastier they get when they think you’re screwing them over.
I don’t, as it happens, think this issue is as huge as they’re making out. If you’re so worried about security that you think people are going to hack into the wordpress.org database to find out what plugins you’re using, then why are you still downloading software in which holes are found every month from a server which was compromised earlier this year? And if you’re so worried about privacy, why are you using software that has a long-established history of ‘phoning home’ through hotlinked images and default pings? The majority of wordpress users are, by definition, fairly indifferent to privacy and security.
And the other thing is that, selfishly, I find it really hard to care what crap goes into 2.3 because I have no intention of having anything to do with it. Well, maybe some light theme testing, but it’s not something I’ll ever use. My main problem these days is deciding between Textpattern, MT and Habari.
drmiketemp said
Yet another reason why we’ve been debating removing WordPress from my boxes.
What I wonder about is why this is coming up just now and not previously when this code was added into the trunk/ beta/ whatever. Not complaining. Just wondering why it took a bit.
And, yes, I chuckled when I saw the bit about “trusting wp.org.” My trust ended a long time ago with that site.
that girl again said
Maybe they were keeping quiet because they assumed it was a first pass at the code and that the troublesome urls would be gone by release time? Or, more likely, they don’t have the time to monitor Matt’s commits as closely as they should.
drmiketemp said
And to increase the worry of trustworthiness, it appears that wp.org is offline. I went to see if there was a thread on the subject but the site is not responding for me.
Well, that removes all of the concern that I’m feeling.
sunburntkamel said
i’m working on the same problem, although at this point I know wordpress so well, i can’t imagine using anything else for client work.
textpattern’s default template is utter shite. the one graham bancroft built for bus full of hippies is better (header and footer templates at least). My biggest issue with TxP is that you can’t trust plugin authors, since all plugins have to be installed as compiled PHP. it’s on par with obfuscated PHP in wp theme footers.
MT4 is nice, no major gripes yet. well, except for the pages stuff being not exactly usable yet, and dynamic publishing being more difficult than i expected. it remains to be seen what will be included in the GPL crippleware version, though.
habari still won’t install.
Drupal is actually my frontrunner. there’s a modified wp2drupal that works with drupal 5, but the guy’s site is down ATM. it does way more than i need, but that’s okay by me.
Root said
@sbk: When a guy of your calibre still can’t install Habari it has to make you wonder what they are doing.
Andrea said
One of these days someone is going to do a true fork of WP, and that will be interesting. Especially to see matt’s head explode.
Root said
Matt would be delighted. He could get rid of all the malcontents like us. 🙂
sunburntkamel said
it’s not so much habari’s or my fault, as it is that pdo.so is not terribly popular (PHP5 is plenty popular).
skippy said
sunburntkamel: if you care to post to the habari-dev (or habari-user) mailing list, we’d be happy to help try to iron out any problems you might be having. I don’t know anything about your configuration, so I can’t suggest anything at this time.
Jesse Gardner said
I know it’s being ferociously debated on the Hackers thread, but what’s the thinking behind collecting this information? Unless Automattic had a vested interest in it, I’d think they’d drop the URL harvesting like a hot potato.
Picture Improvement said
“What I wonder about is why this is coming up just now and not previously when this code was added into the trunk/ beta/ whatever.”
Matt made the same complaint, but the answer should be obvious. Only a very small number of people pay attention to all commits, and they aren’t necessarily the ones most concerned about privacy or security. The issue would’ve come up earlier if the community at large had known about it. I’m more inclined to blame the developer(s) who didn’t bother consulting with privacy advocates than the privacy advocates who didn’t know there was a feature they hadn’t been consulted about.
It’s possible that someone did care, actually, but it’s mostly n00bs who bother starting discussions on wp-hackers: I can’t even remember the last time a discussion there had any effect on development. Lots of verbiage, a brusque dismissal from on high if you’re lucky, and nothing ever changes.
Timothy Appnel said
Interesting thread here. The issue at hand doesn’t seem like that big a deal. The response by the community leaders is a bit disheartening to read even if I’m not a user.
Has anyone gone over the privacy policy? http://automattic.com/privacy/ It seems to make reasonable assurances (though I have no legal expertise) though it does not list pingomatic.com as one of the sites. From what I understand Automattic donates servers, but it’s not an official venture of the company. That said I don’t know who “owns it” and if there is some conflict of interest or other commingling of operations.
engtech said
I’m sure Six Apart could tell you that the more devoted the fans are to start with, the nastier they get when they think you’re screwing them over.
Truer words never spoken.
Ruby With Rails’ one click install package (Instant Rails) comes with some blog software called Typo. I got tempted for a second while I was looking at it 🙂
(and all open source should provide a no-dependencies, comes with apache/mysql/everything, no install footprint like Instant Rails — just let me try it!)
Kissing Bandit said
I’m truly disgusted with Mattco™. This, in my opinion, is a new low, even for him. There is absolutely no reason that WP.org should collect and store personally identifiable information about its users — I don’t care what “future” plans he may have in the works to make life easier.
I’ve tossed this around in my head a few times and I cannot come up with a feasible reason. If they want to collect plugin usage data, that doesn’t require collecting and storing the URL.
I’m at a loss for words. Learning about this actually makes me sad, especially for all the people who don’t even realize this is happening because they glossed over it in their WP 2.3 release announcement — in fact, they made it sound like a feature enhancement. *sigh*
-KB
WordPress 2.3 and Typo » Andy C said
[…] I sense increasing disquiet amongst some long standing, intelligent and loyal WordPress users so I took the precaution of […]
sunburntkamel said
typo’s also on my list of “can’t install”‘s. it’s a shame, since typogarden has the prettiest themes outside of wordpress and MT3. i’ll probably post to the habari list later this week or next week.
that girl again said
@Timothy: Automattic’s privacy policy did come up in the wp-hackers discussion, but since Matt had previously stressed that ‘WP.org != Automattic’, at least one person interpreted that to mean that the privacy policy did not apply in this instance. As far as I can work out, Automattic doesn’t own wordpress.org in order to maintain some semblance of it remaining a free OS project owned by the community. In the absence of a non-profit foundation, it remains Matt’s personal property. And I don’t think Matt has a privacy policy on any of his personal sites.
Root, you’re right: Matt would like nothing better than for somebody to make a proper fork. Not only would it clear the decks of dissidents but it would give his code some extra credibility. It must have been a slap in the face when the habari team said ‘you know, actually we’d rather start from scratch than try to make anything out of that ancient bloated stuff.’ A fork would say ‘we don’t agree with the way you’re running this, but your software is so great we can’t bring ourselves to give it up. It inspires us to pick up the baton and run with it elsewhere.’ So far nobody has been prepared to give either Matt’s leadership or his code that kind of endorsement. Either they stick with WP because the politics aren’t important enough to push them out, or they junk the platform along with the politics. My own feeling is that if you’re forward-thinking enough to contemplate forking, you also recognise that WP is getting on a bit and that PHP5 and Ruby on Rails are better bets for the future.
Speaking of which, I forgot about Typo! I’ll have to look into it again. I thought about learning Ruby a while back, but that went the way of most of my random thoughts.
sunburntkamel said
WP/PHP4 is getting on a bit but MT4/Perl isn’t? huhwha?
in the absence of a foundation, it’s just like it’s code: personal property of the contributors. the onus of the privacy policy falls on the site to which the information is transmitted: api.wordpress.org.
at least all the wanking in hackers did get matt to mention that he’s transmitting the stuff, albeit without any information about the security of said stuff.
sunburntkamel said
excuse my second ‘its’ and its extraneous apostrophe.
Robert Synnott said
If you move to MovableType, you can always start wank.typepad.com! On the plus side, the developers are considerably saner and less up themselves.
Anyway, this data being collected is interesting in that in many cases they are collecting data on plugin uses (and thus, to an extent, personal preferences; a stock tracker widget would suggest interest in investment, for instance) and associating it with data that is sometimes, or even often, personally identifiable (blogs which state author name, WHOIS data, etc.)
IANAL, but I really wonder whether this raises EU->US data export issues, and whether there is sufficient disclosure of what the data is used for to satisfy relevant laws? A number of large companies have serious trouble with this sort of thing.
Also, from the policy: “We don’t store personal information on our servers unless required for the on-going operation of one of our services… In our blogging products, we aim to make it as simple as possible for you to control what’s visible to the public, seen by search engines, kept private, and permanently deleted.” Obviously, .org is a law unto itself.
that girl again said
Heh, I was going to mention that WP looked cutting-edge in its day alongside clunky old Perl-using MT. The things inclining me towards MT are the nicer interface, multiblog capacity and being able to use my livejournal skins 😉 But the slowness remains a kicker.
Robert Synnott said
MT slow? You mean the admin interface? You can improve things considerably by using FastCGI, generally.
Andrea said
But did MT get any better at stopping spam? I kicked MT2.6 to the curb for WP.
Su said
The thing that’s most interesting here, at least to me, isn’t so much the collecting of the information(not that I agree with it), but that Matt’s refusal to provide an opt-out extends to the point of, “Go fork yourself.” I mean, seriously?
While I can think of many applications that send various bits of information home, coming up with one that neither asks, nor lets you disable that is a lot harder.
Michele said
@Andrea – MT’s default anti-spam setup is pretty good and can be tweaked. WP’s default anti-spam plugin (Akismet) was seriously over rated.
drmiketemp said
Andrea, I’ve only had two spam comments hit my MT blog in two months and both were caught by the internal MT systems.
Alan said
Well duh. WP has always phoned home. It’s one of the reasons I no longer use WP. But I don’t blame Matt for doing this. It’s the bane of open source projects. The developers have to make money somehow otherwise there won’t be enough to sustain a decent lifestyle. Collecting data on users is Web 2.0 currency.
Wordpress User-Agent « Archive « The Doctor What said
[…] 2007-09-25: A couple of articles: wank.wordpress.com & Slashdot This entry was written by docwhat, posted on 2007-09-24 at 1:30 am, filed under […]
Root said
Matt needs to Fork off 🙂
Javier Aroche said
Seems Matt is getting crazy.
Before upgrading your wordpress, be sure to wipe your
/wp-admin/includes/update.php
file 😀
Kissing Bandit said
…or change line 29 from:
$http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";
to
$http_request .= 'User-Agent: WordPress/' . $wp_version . '; http://www.example.com/' . "\r\n";
Of course, I haven’t mucked around in the code enough to know if that’s the only location you’d need to change.
Javier Aroche said
Also, you have to modify the code and just send the plugin name without plugin version and description…. should this work? who knows.
_ck_ said
Some interesting (and helpful) things being said here compared to the insanity on Slashdot. A few thoughts to contribute for what it’s worth:
1. Forced version checking is kinda pointless unless WordPress is going to update itself and who in their right mind with all the security issues is going to chmod 777 their WP directory to allow it to self update? Why not just stop at a banner being displayed insisting that a new version is available and just highly recommend an upgrade?
2. What kind of ego does it take to NOT spend an extra few minutes of coding time to add a checkbox to the admin page to disable this feature for those that know what they are doing (and ping-o-matic is one of the first things I remove on any new WP setup, so some people are indeed aware of it and dislike it).
3. Going back to MovableType? Oh HECK no. I still groan everytime I have to work on an old 2.661 version to help out a friend. Maybe you need to go watch 800 entries compile into new pages (and watch the server loads climb through the roof) to remind you why we abandoned their methods. There were some politics with MovableType like this fiasco too.
4. I sure hope bbPress learns from this fiasco and gives an opt-out when this “feature” gets folded in, because I would hate to walk away from all my time invested to help that project 😦
5. There is a growing problem with the sheer number of plugins required to make a WordPress or bbPress setup behave. All those file loads are starting to add up and affect page rendering time even on fast servers with opcode caches. More has to be done in the core with fewer includes. The concept of seeing WP/BB as a bare framework has to be abandoned or compromised sometime soon. Why still in 2.3 are comments not paginated without a plugin? Why was tagging natively a priority when basic UI functionality is still not standard?
Kissing Bandit said
WordPress has just been outed in a very big way:
Slashdot: Developers Admit WordPress 2.3 Spies On Users. Of course, MattCo™ got to them and they issued an “update” and article title change to “WordPress 2.3 Does NOT Spy on Users”. That’s a comedy of errors if ever I saw one. I’ve said it before and I’ll say it again, Matt is the master of spin.
-KB
Kissing Bandit said
Then the script will not be able to tell you whether you need to upgrade or not. Kind of defeats the purpose.
The only bit of information that MattCo™ doesn’t need to collect from users is their blog URL. Period. The only information necessary to say “hey, your plugin’s outdated” is the plugin name and current version number.
-KB
Kissing Bandit said
My apologies for the deluge of comments, but I also forgot to note in my first one that Matt refutes the article stating that “in fact [he links] to one of the plugins in the release announcement”. That link didn’t mysteriously appear until after the noise started. (Hint: check the Google Cache version.) So far, Matt is par for course.
-KB
_ck_ said
Actually no information needs to be sent at all to do this properly.
If there was a mini-downloadable database of all the current version numbers, a blog would NOT have to send ANY information at all.
It’s a far better technique too, where the server only has to do the work once to compile the mini-database and the client-side does all the work comparing version numbers.
Then the DB is assigned a version number (build #) in itself and you only download the new DB when it’s a major build number change.
Completely passive technique and no privacy violations of any kind.
IMHO, easier to code too.
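The passive check _ck_ describes above, sketched as an added example (it is not part of the original comment and not WordPress code). The manifest layout, the function names and the sample plugin slugs and versions are assumptions made for illustration.

```php
<?php
// Added illustration of a "download the version list, compare locally" update check.
// Assumed manifest layout: {"build": 42, "plugins": {"<slug>": "<latest version>"}}.
// The client only fetches this static file; no blog URL or plugin list is sent.

/** Parse untrusted manifest JSON and keep only well-formed entries. */
function parse_manifest(string $json): array
{
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['build'], $data['plugins'])
        || !is_array($data['plugins'])) {
        throw new InvalidArgumentException('malformed manifest');
    }
    $plugins = [];
    foreach ($data['plugins'] as $slug => $version) {
        // Reject anything that does not look like a slug/version pair.
        if (is_string($slug) && is_string($version)
            && preg_match('/^[a-z0-9-]{1,64}$/', $slug)
            && preg_match('/^[0-9A-Za-z.+-]{1,32}$/', $version)) {
            $plugins[$slug] = $version;
        }
    }
    return ['build' => (int) $data['build'], 'plugins' => $plugins];
}

/** Replace the cached manifest only when the build number has increased. */
function manifest_is_newer(array $cached, array $fetched): bool
{
    return $fetched['build'] > $cached['build'];
}

/** Compare installed versions against the manifest entirely on the client. */
function outdated_plugins(array $installed, array $manifest): array
{
    $outdated = [];
    foreach ($installed as $slug => $current) {
        if (!isset($manifest['plugins'][$slug])) {
            continue; // not listed: nothing to report, and nothing leaked
        }
        $latest = $manifest['plugins'][$slug];
        if (version_compare($current, $latest, '<')) {
            $outdated[$slug] = ['installed' => $current, 'latest' => $latest];
        }
    }
    return $outdated;
}

// Constructed sample data (not real release numbers).
$cached  = parse_manifest('{"build": 41, "plugins": {"akismet": "2.0.1"}}');
$fetched = parse_manifest(
    '{"build": 42, "plugins": {"akismet": "2.0.2", "example-gallery": "1.4", "../bad": "1"}}'
);
$installed = ['akismet' => '2.0.1', 'example-gallery' => '1.4', 'private-plugin' => '0.3'];

if (manifest_is_newer($cached, $fetched)) {
    $cached = $fetched; // in a real client this would be written to local storage
}
foreach (outdated_plugins($installed, $cached) as $slug => $info) {
    echo "$slug: {$info['installed']} installed, {$info['latest']} available\n";
}
```

With this design the server still sees the requesting IP address and the time of the download, but not the blog URL or which plugins are installed.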
Why does ANY information need to be sent to the WP servers? « _ck_ says… said
[…] info By _ck_ Categories: WP development With the 2.3 fiasco of sending a list of all plugins being used and blog url to the WP servers, I can’t […]
Steven Trewin said
I like the way Matt says to others to “fork” the software, while even myself shows interest, I have this ‘feel’ that it can’t be forked anyway, I don’t know why but forking WordPress isn’t really any option somehow, no wonder the Habari developers have started from scratch.
Read the comments on Slashdot, a few have stated it’s a mess to deal with to try forking since the underlying architecture is a mess and it’s bugged with security holes. That certainly changes my view on the software, I just hope Matt gets his act together and starts listening to others’ concerns, regarding security otherwise it is going to hurt WP in the end.
vcdgeek said
I am just waiting for Habari to be released.
Hope it’s soon.
drmiketemp said
But Matt says that he always listens to end users. *snort*
(Follow the link and do a search within that page for ‘listen.’)
Kissing Bandit said
That’s a damn fine example _ck_ — never thought of that. Thanks for bringing it up.
-KB
archGFX | Buckshot, Ep. 5: Sidegrading said
[…] myself, although based on the number of offers for help installing Habari I landed myself with one comment on WW, I’m going to give Habari another shot in the near […]
Javier Aroche said
Nice try Mr. Mullenweg. I don’t get fooled.
drmiketemp said
Actually most of the interview is BS. I just haven’t had the time to sift through it and write up a response.
Not that it would matter though of course.
Su said
I still groan everytime I have to work on an old 2.661 version to help out a friend.
You’d help your friend out a lot more by doing a proper upgrade, you know. Are you seriously judging MT based on that version? I’m not even interested in changing your mind; I couldn’t care less what you use. This is just ridiculous.
AJ said
@Kissing Bandit
Or maybe change the URL to http://photomatt.net instead of example.com 😀
options said
here’s a crackpot (or just crappy) collage of some random quotes
well, guys just like to play with other people’s data:
further goes a totally unrelated, off this topic stuff, but somehow it’s also came across into my paranoid mind:
.
2TGA: wank look.
drmiketemp said
I’m finally having the chance to skim through that thread and there is one thing that sticks in my mind.
Mark Jaquith and Robin Adrianse are telling Matt that this isn’t a good idea. Both of those folks are fairly big contributors to the wordpress development and they’re saying that it’s not a good idea. Robin even mentions that she may regret sending that email but she still sends it.
I do like Aaron’s post though. “I’d highly doubt that even if you convinced Matt…”
drmiketemp2 said
*sigh*
wank, looks like I’ve been Akismet’ed yet again. My comment disappeared.
“I believe in Free Speech” my a*cough*s….
Javier Aroche said
seems Akismet is a powerful censorship tool… beware matt wishes xDDD
Kissing Bandit said
@AJ:
That thought did cross my mind, but I thought I’d be nice. 😉
-KB
PhSoftware Programming Blog - PSPB said
WP 2.3 Update Notification vs. WP-Plugins DB
As there’s currently some discussion ongoing if WP 2.3 should send your plain URL to WP.org (while checking for some newer versions of your plugins you use), or not.
I would like to mention one alternative, at the same time I’ll cover some …
My Habari said
[…] I sense increasing disquiet amongst some long standing, intelligent and loyal WordPress users so I took the precaution of […]
A Few Personal WordPress Core Hacks - WordPress SEO and Blog Marketing said
[…] WordPress 2.3.x arrived on the scene, there was a huge kerfuffle over the privacy implications of its new update notification feature. Since I see no point in […]
WordPress 2.3 and Typo - Blog in isolation said
[…] now reports a missing table (wp_post2cat) which is slightly irritating.Also, I sense increasing disquiet amongst some long standing, intelligent and loyal WordPress users so I took the precaution of […]
Elpie said
If you are interested – WordPress now phones home far more data than it did with 2.5.
I wrote a post about what its collecting (without permission) now: http://lynnepope.net/data-wordpress-sends
drmike said
We have a plugin on wpmu that removes many of these callouts. Not sure if it gets all of them though:
http://snipt.net/cafespain/wordpress-mu-remote-call-removal-plugin/
WordPress 2.3 and Typo « Blog in isolation said
[…] I sense increasing disquiet amongst some long standing, intelligent and loyal WordPress users so I took the precaution of […]
Resume Writing Service said
Your blog is really excellent. It inspires the readers who has that great desire to lead a better and happier life. Thanks for sharing this information and hope to read more from you.
that girl again said
I can’t really explain why I think this spam is awesome. I think it is because it is totally inappropriate for the blog in question without having to mention Viagra.