this month’s security hole

Random Guy: Hey, I found a new exploit in WordPress
Devs: …
Devs: There is no security hole. People who say there is are lying.
Random Guy: Help me Spam Karma Guy, the devs are not listening to me and you’re the only one who can help!
Spam Karma Guy: They’re not going to warn anyone that their installs are at risk? OK then. Listen up everyone, you need to disable user registration for guests or bad stuff could happen.
WordPress community: [goes and disables user registration]
Matt: You should have told us about this rather than scare all the users
Spam Karma Guy: Actually we did, not my fault you’re too inept to listen and would rather clog up the dashboard with boasting about your latest conferences than with useful information such as, oh, I don’t know, security alerts?
Me: [has sense of deja vu]

16 Comments »

  1. And notice Matt’s complete silence on the issue after his post on DrDave’s blog. If the bug wasn’t real, he would have been shouting from the rooftops. The least the fellow could do would be to say, “Yes, this is serious. Thanks for reporting it. It’s been fixed now.”

    But as DrDave says, you can’t scare the investors, can you?

    Oh WordPress, we hardly knew ye. You are now in the deathly grip of Automattic.

    Somebody please fork this program and save it from death by Matt-itude.

  2. Matt said

    drDave’s bug was one of several and not the most important, and if he had handled it in a more mature manner I would have thanked him. I have no problem with him, but I think this latest episode demonstrated more interest in generating hype and pageviews than interest in the community.

    The investment comment shows a pretty fundamental misunderstanding of how venture works; if you think any of them are particularly concerned about a security bug and update, feel free to email them. All their contact info is public.

    I would heartily invite wank, joe, drdave, and others to create a fork and show the world their brilliance by how successful it is, but only if it means you’ll stop picking on WP. Wank can do the design and run the contests, joe can do documentation and support, and drdave can do all the development and spam protection.🙂

  3. skippy said

    At this year’s OSCON, several of the Subversion team gave a great presentation entitled How Open Source Projects Survive Poisonous People (And You Can Too). They listed four primary requirements of the development team, one of the most important of which was humility.

    So DrDave’s bug report was, to Matt’s eyes, sensational and over-the-top. So DrDave didn’t report the bug in the way that Matt thought was appropriate. But with a little humility, and with even a little effort of trying to see the situation from the eyes of the users, Matt could well have accepted the bug report in a positive spirit, and been “the bigger man” by saying thanks. Practicing what we want others to do goes a long way to helping them do that. Instead, I’ve often seen Matt acting defensive, when he’s not being overly terse, rather than supportive. It’s a complaint I’ve made before: he doesn’t offer much in the way of role-modelling or leadership. But then, I guess dictators aren’t very interested in those things.

    DrDave is perfectly entitled to generate pageviews — it’s his blog. Just like it’s Matt’s blog to generate shady revenue. Some expression about people in glass houses comes to mind.

    Anyway, while sitting in the presentation at OSCON, it finally hit me how little Matt and company do to encourage community participation. Sure, they let folks rant and rave on the hackers mailing list, but when a group of people come to something like a consensus and are ready to begin implementing some code for the project about which they care, Matt puts the veto on the whole thing by saying “that’s not what users want”. Unfortunately, as wank has detailed here several times, Matt is often looking at one community (wordpress.com users) and transporting their desires wholesale over to the other community (wordpress.org users).

    I spent rather a long time thinking about ways to apply the inverse of the presentation — that is, how can the community work to create a more inclusive environment for WordPress(.org) development. Unfortunately, the benevolent dictator model as used by WordPress isn’t likely to be easily influenced by the community, regardless of how caring or passionate they are. Just look at how long it took the IRC issue to creep toward any kind of resolution.

    So a fork is likely the only real solution to pursue. Chronolith is one such fork. I’m sure others exist; or will soon.

  4. wank said

    Ah, the ‘if you don’t like it, fork off’ argument. Was wondering how long it would be before that made its appearance in these pages.😉

    It is of course absolutely true that investors know and care nothing about security issues, or indeed any aspect of the project other than how much money it is going to make for them. And I’m sure they’re not worried that the next person whose email gets mishandled will head straight for the mailing lists with full details (this wasn’t the first time, and as nobody has acknowledged doing anything wrong it won’t be the last). Even if this does happen, they’ll be easy to flannel, and so will the majority of users.

    2.0.4 may well be what finally drives me to switch to textpattern, however. I am too trigger-happy with the dreamhost installer for upgrading every other month to be a sustainable option for me (and yes, I know it does automatic upgrades, but I still have to backup and reinstall all my themes and plugins so it’s hardly hassle-free). Textpattern’s last release was in December. Other people may love the fast pace of WP development but I’m about ready to trade it in for a bit of stability.

    ETA: I wrote this comment before seeing skippy’s in my moderation queue. Thanks for the link to chronolith — I’m off to check it out now. I know about Lyceum for multiblogs, and fellow child of b2 b2evolution — anyone else have any others to share?

  5. Matt said

    Skippy, the bug report was accepted readily and responded to immediately by Ryan. drDave did not find the bug AFAIK, Geoff did. drDave posted first, emailed later. I asked a polite question on his blog because I didn’t make the connection between an issue someone else reported and his panic post. The release process had already begun, which is why I said in the comment “We’re about to put out a release.” As far as I know, I said or did nothing to cause the personal attacks drDave later made on his blog, I wasn’t even involved in the email conversation about the vulnerability at all. (We “claim” security emails by replying to it first, and Ryan had this one.) I was defensive about the personal attacks (eating raw kitten hearts, etc, since removed).

    Wank, the post you linked was about someone who was mad they weren’t mentioned in the announcement, not that their email was missed or mishandled. It was a mistake, I added a link to the fellow (who was a responsible security guy), and as he said “everything is fine now.” We get a ton of bogus security reports. Most folks are more than welcome to clarify their reports without throwing a drama fit. In this case something was intended to be handled on the plugin level, but isn’t in many common ones, hence the initial confusion.

    2.0.4 is an incredibly polished and secure release, and I couldn’t be happier with it. A proactive security audit uncovered issues that hadn’t even been reported yet. Of the reported issues, some hail back to b2 days. When a product gets as much adoption and scrutiny as WordPress does, the beauty of open source development really starts to kick in on the security side. I’d put WP against any other web application out there in security, including ones from Yahoo and Google. Automattic may also sponsor an external security audit before the 2.1 release.

    To skippy’s other point, I’m not going to apologize for having a vision for the core and not bending over to every whim of every developer. The features we don’t have are just as important as the ones we do. Our plugin API is more than robust enough to allow for almost any sort of development. (And where it’s not, I’m always happy to entertain expanding it.) Our track record of things to include like easy installation, clean permalinks, plugin API, themes, pages, podcasting/enclosures, has been pretty good thus far. I love that these things seem super-obvious… 2–3 years later.

  6. wank said

    You want more people complaining about security issues not being taken seriously? Here you go:

    ‘We’re back to the same old thing, the devs didn’t react fast enough’
    ‘Anyone know how to contact the developers? I have submitted to the security@wordpress.org a few days ago and received no reply.’
    ‘Its such a simple thing to do, I dont see why you dont say, “gee ya know, yeah thats a good idea, we forgot that, we overlooked that, we whatever.. good job, thanks for that”, and let it go, instead of passing off some damn error blocking code thing for ppl; to put into their .htaccess.’
    ‘I have to say, I’m somewhat disappointed in Matt’s response here. I’d say we’re certainly trying to incite something: an explanation.’

    I’m sure there are reasonable explanations for each and every one of these instances, but you need to see they give a cumulative impression of an organisation which isn’t always able to respond to information in an appropriate or timely way, and has a marked tendency to get overdefensive when criticised.

    Oh, and Ryan clarified on wp-hackers that this latest one wasn’t purely a plugin issue:

    there is a bug in core WP involved that I believe I’ve fixed for 2.0.4. This is the core API bug Dave is talking about on his blog. I was in error before to say that this is a problem to be fixed solely by the plugins. There are some plugins that need help beyond the fix to the core, but the core fix should cover most plugins. Sorry for the confusion.

    And according to the same thread, the plugin issues seem to be the consequence of inadequate documentation; unsurprising, seeing as it’s mainly non-coders writing the docs, and there is no way you and Ryan have time even to think about documentation, what with trying to keep on top of bugs and developing new features and supporting clients and keeping wordpress.com running smoothly and maintaining Akismet and attending every conference going.

    I’m glad Automattic will be chucking some money at finding more security holes; it should reduce the number of emergency updates, which whatever you say can’t be palatable to corporate clients. Maybe you should also think about hiring a marketing person to post to the dead blog and do the firefighting when stuff like this happens, because to be honest your idea of ‘polite’ doesn’t always tally with other people’s. You need a diplomat who’ll douse the flames with lovely soothing fluffy foam. As opposed to petrol.

    Feel free to rebut. Or copy/paste some more irrelevant marketing spiel about the strength of your vision and what great features you have, that would work too.

  7. skippy said

    Matt, once again you’ve sidestepped the criticism by trying to change the issue.

    No one is asking you to apologize for having a vision for the core product; though I’m sure that many would argue that that vision is not clearly articulated (see also here and here, though, to further confuse would-be contributors) to the community of developers. Nor is anyone asking you to “bend over” to the whim of every would-be developer.

    The care and feeding of a community that congeals around an Open Source or Free Software project is a delicate thing. I can’t claim to have any expertise in the matter, because I’ve never been in a position to do it. But I’ve been a participant in many such projects, and I’ve seen a fair amount of what works and what doesn’t work.

    Wank is right: a better interface with the community is definitely in order. Matt, you’ve chosen to make yourself the visible embodiment of WordPress, going so far as to name the company that “sponsors” it after yourself. I think you have an obligation to present a positive, supporting image when dealing with the community you’re trying to assemble. You can’t get huffy every time someone does something you don’t like. If you get huffy, they’ll keep doing it.

    You’ve complained before that people don’t come to you directly with issues. Did you contact DrDave privately about his post? Did you seek first to understand, then to be understood? Have you learned anything from this episode? If so, do you plan to share what you’ve learned with your community? You have a blog, which you’ve used very little to communicate with your users lately. It might be a good time to share with them what you (individually, as well as the Automattic collective) plan to do to make things better.

    It’s totally okay if you don’t (yet) have the personality type to effectively manage community interactions. It’s a hard gig, and not one that I would relish. Maybe you should carefully consider wank’s advice and hire someone who will be the primary public interface of WordPress / Automattic. That’ll let you focus on the nitty-gritty back-end stuff that you (seemingly, since I really don’t know WHAT it is you do) like to do. Or you could transition the WP development into a community-run democratic process, and drop the mantle of benevolent dictator. Let Automattic fund the boring, non-sexy stuff, and let the community drive the development of features that they feel are important.

  8. skippy said

    As an aside, wank, were you aware that none of your tags list your site in the wordpress.com tag list?

    http://wordpress.com/tag/megalomania/
    http://wordpress.com/tag/wank/

    Did you opt-out of the tag list in some way?

  9. Matt said

    You read it on the internet, so it must be true.

    There is such a thing as releasing too fast. Often a fix can create new bugs, especially if it’s a change to an API or touches a lot of files. Without proper testing, eagerness to get a release out can cause more harm than good. This is something I’ve learned over the years. (Remember 1.5.2.1.4.2…?)

    Regardless, each security issue you linked was resolved within 2-3 days, and every person received a reply from a dev.

    The plugin API was created before Automattic existed. Ryan and I both had full-time jobs outside of WordPress; that’s really a more plausible explanation for the lack of documentation you posit. (Anyway, the plugin API has quite good documentation.)

    Corporate clients know and understand security updates far more than regular folks. (Think Apache, Firefox, Windows…) Besides, most larger corporate folks deal with security at a higher level, like mod_security, so these issues don’t matter. The updates are more for the core WP user who doesn’t have the tech know-how or the access to tweak at that level.

    I’m not interested in hiring a marketing person, unless you’re available?😉

  10. wank said

    Um, no. As you may have observed, I am more petrol than foam.😉

  11. wank said

    & @skippy: yeah, the tags thing is an ongoing issue. I posted about it on the forum and filed a feedback; not sure what more I can do. I doubt I was getting much traffic from tags anyway, my categories are too weird for that. Still, it’s a pain that the cat links on my posts take me to empty pages. I don’t much like having links that lead nowhere.

    Podz said he didn’t know of anything that could be causing it, so if my blog was deliberately excluded (and I’m not saying it was, you know, just nobody else to my knowledge has reported this problem) then nobody bothered telling support about it. My initial thought was that due to the *ahem* connotations of my username it had erroneously been marked as ‘mature’, but, as I say, if that were the case Podz would have been able to tell me so.

  12. wank said

    Also, this discussion has made it clearer to me than ever how great threaded comments are. I know it would play havoc with the themes but the usability payoff would be worth it.

  13. Picture Improvement said

    “Anyway, the plugin API has quite good documentation.”

    Matt, did you even read the page you linked to? It’s out of date. The hook reference is explicitly marked as incomplete, and it’s littered with lines marked “TBD”. There’s almost no example code. The “Writing a Plugin” page is more useful, but not much more. “Quite good”, yes, but only by comparison with some other parts of the codex. The phrase “damn with faint praise” springs to mind.

    New plugin authors come out of it not even knowing how to perform basic tasks: I’m thinking here of the guy on the hackers list yesterday who asked how to make a “whole page plugin”. It’s the kind of situation where an API reference is useless; he needed a “recipe”. How about some example plugins demonstrating good style and best practices?

    And, yes, before you say it, I realize that the community (such as it is) could write this documentation. But they won’t, at least not without some prodding or encouragement. Even if they have the motivation, they can’t: no-one has the authority to come in and say, “these are the official guidelines for making a plugin”. No-one can come in and say, “let’s use this plugin auto-update spec”, “let’s tell people to use this ‘license’ header in the plugin metadata”, etc.

    Every time this comes up, you tell people to just dive in and do it; that’s the way to get things done. It’s a shame that you’ve been burned in the past by folk lacking the commitment to follow through, but we’ve been burned too. The inline documentation effort proved that, from the community’s perspective, the “just dive in” system doesn’t work. Trac is littered with patches that haven’t been committed but haven’t received any indication why not. Discussions on -hackers are increasingly bereft of people who actually know what they’re talking about, because constructive suggestions, even questions clearly meant for the core developers, are met with silence. We don’t want to waste our time any more than you want to waste yours.

    As benevolent dictator for life, you actually have to dictate. Delegate! Give someone else permission. Provide some direction, hey?

    Too much just hangs in limbo, and there’s no sense that you care that the rest of us have an investment in the project too.

    wank, sorry for posting this here, but skippy’s comments (with which I could not agree more) set something off. Incidentally, I don’t know whether to be worried or glad that I’m not the only one seriously considering a fork. My reasons have more to do with technology than community (e.g., a desire to get rid of the worst legacy code, move to PHP5, upgrade Atom to 1.0…), but still.

  14. wank said

    Hey, no problem. I’m not a coder myself so it’s always good to hear from people with experience of that side of things.

    (They still haven’t upgraded to Atom 1.0?!? When did politics become more important than standards compliance?)

  15. tehu said

    wank:
    if you want to test blogware, have a look at Dotclear 2 beta 1.
    http://preview.dotclear.net/wiki/Download
    Some features: PHP5, multi-blog, dynamic pages, MT-like template syntax, themes with widgets, antispam, import filters (dotclear1 and RSS), etc.
    The downside: there’s no English doc available. The Dotclear community is heavily French but supportive of the English-speaking ones🙂

  16. wank said

    Oh yes, I’ve seen Dotclear and thought it looked interesting. And I don’t mind a bit of Frenchness😉 EasyPHP, which I use for theme development, is French, and b2 (from which WP itself mutated) was invented by a guy from Corsica.

    Also ‘pé-ache-pé’ sounds infinitely better than ‘pee-aitch-pee’.
