Plugins: Bad Thief

The summary of this story is: The GPL does not mean WordPress.org has to host whatever code you want it to, regardless of what you think.

I promise it gets there.

Starting off bad

The story of Donald (fake name) begins with a plugin submission he never finished. Back in August 2021, he submitted a plugin with a number of security flaws and received a review to which he never replied. The plugin was rejected in February ’22 and resubmitted in March (one month later).

Per usual, Plugins flags those and asks the dev “Hey, you gonna reply this time?” because it’s a waste of everyone’s time to review shit they don’t use here. Donald ensured he would, so he got a full, lengthy, review.

I’ll admit, his reply was pretty unique.

It was a massive rant which I cannot share (privacy) but here are the key takeaways:

  1. He has been a developer for umpteen years
  2. He copied a plugin to make his own
  3. He thinks he bought the code via WordPress.org
  4. He would not make the security changes we listed
  5. The original plugin had the same flaws
  6. Other plugins have flaws too
  7. He thinks he bought the ‘source code’ (oh no…)
  8. He wants us(?) to fix it

Oh no…

A clip of an Alex Norris cartoon where the amorphous blob says “oh no”

I pinched the bridge of my nose. Anytime someone jumps to the old chestnut claim of “I am a developer of a bajillion years!”, it never ends well. Seriously. If you’re a developer since day one of WordPress, you should know not to break the guidelines.

I rejected the plugin and clarified a couple things.

  • In no way did Donald buy a plugin from WordPress.org
  • We don’t review every release of every plugin so yes, some have flaws
  • If it’s your plugin, you have to fix it
  • If it’s not your plugin, you can’t host it on .org
  • Removing the copyright and not making any changes isn’t a fork, it’s theft

That went over about as well as wearing a Yankees hat to a Cleveland baseball game.

What did he buy?

People will argue left right and center that it’s not stealing if the code is GPL. The part they always seem to miss is that it’s not their work, and it’s a lie to claim it is (this is why you add copyright, folks!) and when it’s a PREMIUM plugin, like this is, it’s stealing because you broke their license. And yes, he did.

But Donald was stuck on this weird part that he believed buying a plugin meant he owned it and could do whatever he wanted. Now if it was GPL, technically he could do that, but that doesn’t mean we have to do what he wants. And WordPress.org will not host code that you didn’t write, or at least reasonably fork.

I purchased the rights to the source code directly from the author.

Donald via Email

And he cc’d the original developer, Adam (fake name)!

I took a look at Adam’s account on .org and found his plugin. It was a free version of the one in question, and yes had security issues. In fact, it had been closed about a year ago.

Adam replied before I did and said “bro, no you did not.” I backed Adam, explaining what Donald bought was the code to use, and the license on Adam’s website said it could not be resold (remember it was non-GPL code).

Good, we’re done!

Legal Drama

Donald replied with proof. What proof? A bunch of PDFs that (he said) proved he owned it.

It did not. The attachments showed he bought a yearly license for a number of domains.

Donald and Adam had a lot of back and forth about how that wasn’t how a license worked (Adam) and insisting he owned it (Donald).

The next attachment PDF showed he paid for a license (again) and a new one that said it’s a charge and how much (though not what for…). I assume he paid that for the ‘source code’ and I made this face:

Lucille Ball making an “ewwwww” face

At this point, Plugins was never CC’d on any reply from Adam (remember Adam’s plugin was closed because of security), and Donald just kept going.

It’s Mine!

It got a little hard to figure out what was what, because Donald would reply-all and Adam wisely only replied to Donald. However since Donald quote-replied, we ended up getting almost everything.

Donald moved on to explain this was a fork, a term he learned from me, and he could prove it because he used fewer files and it was organized differently. The problem was the code was the same. About 80% or so the same. Not a small amount. And Donald insisted the GPL meant he could do this.

Again, yes he could, if the original code was bloody GPL to begin with! And it wasn’t. Oh and he didn’t meet the GPL requirement for copyright (GPL says you gotta retain copyright and add yours) nor WordPress’ for disclosure (you gotta credit the OG devs). Thus, Donald failed the sniff test.

This went on for hours and I didn’t reply.

Now, if you’re wondering “Why didn’t anyone reply?” it’s because that bevy of emails came in between 4pm and 4am Pacific Time. At this point, though, it was crystal clear that Donald had:

  1. Copied code and did, in the end, make a fork
  2. Copied premium code from a non-GPL source
  3. Did not disclose the copying/forking in his readme nor source code
  4. Thinks he bought the rights to the source code (… that’s not what that means, but okay)

Oh and he was still insisting he bought it from WordPress.

So I tried again. I repeated the facts (you didn’t buy it from WordPress.org and it doesn’t meet the guidelines to be hosted on WordPress.org as a ‘fork’) and then followed up with banning him since, after 14+ emails overnight, it was obvious the cheese had fallen off Donald’s cracker.

I did take a moment to recommend he not post the code on GitHub due to the GPL issue, and if he did, Adam might have a legal case. I also told Adam I told Donald that, so Adam had a chance to protect himself.

Enter Crazypantsland

This time Donald agreed he didn’t buy it via WordPress.org, however he insisted he’d paid for the code (quoting half the price that was in the PDF, I will note).

Again, you are wrong, I DID NOT take the premium plugin. What I took was the code base of [the version] I purchased provided to me by the author after he received payment. Only [then did I rebrand] and modify […] the code as my own.

Donald via email (removed identifying information)

Honestly I sat back.

His argument was he didn’t take the premium code, he took the code he purchased. I took a deep breath. I mean, maybe he just failed to make that connection? But I (and Adam) had already explained that before so who knows.

Donald’s email went on to …

  • Agree that I was correct to not host the code
  • Disagree that he’d ever claimed he bought it from WordPress.org
  • Agree that he bought the code from Adam
  • Disagree he should be banned

To be fair, few people would agree to that last one.

I tried again to explain how what he did was harmful, and the fastest summary of what he did is this:

Three panel comic. The first has someone showing off a ball and saying “I made this!” Another person takes the ball and says “you made this?” The next panel just has the second person holding the ball. The last panel has the second person declaring “I made this.”

Donald put some bells on it, but that’s basically what he did.

The gist again is “I did not take his code, I bought it and used it.”

He took something, which in that moment he had the legal right to take! But it’s still taking. If you bought a copy of the Sherlock story “A Study in Scarlet” (which is public domain!) and then re-released it with your name on it and a modern update, it’s not YOUR work anymore. It’s Sherlock the TV series, who bally well credits the source properly. But they don’t call it their original work, they call it an adaptation.

They credit.

Donald did not, and would not.

My Cousin Vinny

Marisa Tomei aside, Donald explained his legal rep (a family member) had told him he didn’t buy the code the way he thought he did. Donald had bought a license to use the code.

Blessed hallelujah! I thought it was done. Alas, Donald went on to say he was going to clarify that little license matter with Adam (he never did, Adam refused), and then said that since it was legal to take code and reuse it, per GPL, he was good to go, please host his code.

This is after he agreed we were right about the non-GPL thing.

I explained, again, that the bottom line is WordPress.org will not host forks of premium code, will never allow non-GPL code, and would not accept forks that don’t credit the OG. Donald hit the trifecta. I recommended he ask his lawyer-family-person about the concept of “fruits from the poisoned tree.”

Donald went on to make all sorts of entirely wrong legal claims that the GPL allowed this, so WordPress had to let him host the code, and on and on. Then he threatened to sue.

At that point, I stopped. He got the final reply with the official “you are banned and we won’t read your emails anymore because you clearly do not get it” message.

The weekend happened and on Monday I found an email saying Donald had complained legally, and they too marvelled that someone would have a lawyer explain they were wrong, only to double down on the wrong.

I still need to send a sympathy gift to that poor person who had to deal with Donald.
