Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Oversight and Responsibility

    Oversight and Responsibility

    I was actually asked by a handful of people what my thoughts on this were, and while part of me is loath to wade in(I’m loathe because someone will accuse me of being pro-WP or anti-Devpress, and ignore the fact that I’m a Devpress affiliate or that I don’t work for WP. I don’t pretend to know all the answers, or the reasons, but I know what bothers me.), I agree it’s something that affects the open source community. Personal attacks aimed at me will be deleted.

    I’ll let WPCandy sum it up:

    Yesterday I posted about DevPress’ offer of free memberships to any WordCamp attendees, provided the WordCamp organizers are legit and contact DevPress about their interest. A number of organizers showed interest in the comments of that post, and WordCamp Philly organizer Doug Stewart announced the deal for attendees on their blog.

    Then, last evening, WPCandy was contacted by Andrea Middleton, who took an administration role with WordCamp Central earlier this year. Middleton notified WPCandy that the WordCamp guidelines (specifically the part on fundraising), WordCamp organizers should not allow companies that are not sponsoring their event to do giveaways at a WordCamp.(Source: WPCandy – Devpress deal for WordCamps is against WordCamp Central Guidelines.)

    They cover the situation pretty well, but the comments on WPCandy and the twitterverse is what has upset me, greatly. This whole mess was blown out of proportion and could have been handled quietly and maturely off book, without any of the name slinging and pointy-fingers that I’ve seen.

    What went wrong?

    WordCamp Philly should have said “Let’s double-check about the rules, because this is a grey area.” They made a perfectly understandable human ‘gaff’ and assumed it was cool, because we all know Devpress is cool and GPL and basically awesome.

    WordPress Hand StampDevpress should have said “I want to give things away at WordCamps.  I’ll ask the head honchos at WordCamp and find out what I need to do!”  They too made a perfectly normal mistake, assuming that WordCamp Philly would do any needed due diligence.

    One of the many things I’ve learned working for The Man is that people see a server on fire and always assume someone else has reported it, right up until you run in with a fire extinguisher and shout at them.(That’s a true story.)  I always quote Lord Buckley here: If you know what to do and you don’t do it, there you bloody well are, aren’t you?

    The right thing was to look before you leap and not assume.  People made mistakes.  They could have kept it all off the funny pages, too, by being patient.  WordCamp telling WPCandy “Hey, sorry, not so much kosher.” was a polite heads up and WPCandy, being journalistic in inclinations, ran with the story.  Devpress’s rep was, understandably, frustrated and upset at the smack down and at the slowness of resolution, and it showed.  But as a ‘formal’ statement, his email is the example the need of a bit of PR.(This mess is in part why I don’t consider websites like WPCandy (and certainly not this site!) to be journalism.  There’s an attitude and (supposedly) ethics to which journalists abide and a code to follow about how to handle this.  One of them is that WPCandy’s email should have explicitly stated that Justin’s response would be posted on their blog.  I studied journalism for a year, and I know I’m not a journalist!)

    Who is right?  Devpress or WordCamp?

    A lot of ‘right and wrong’ ties into my last two big posts, about legality and morality. I’ll put it plain and simple for you: If you’re going to have a WordCamp, which is sanctioned and branded by WordPress, then you are obligated, legally and morally, to abide by their guidelines.

    The rest of the bitching is commentary. If you don’t like WordPress’s rules and regulations, don’t use them. It’s just like the theme and plugin repos. If you don’t want to follow those guidelines, then you self-host, and as long as you abide by GPLv2, everyone’s happy. But WordCamp is run by WordPress, and they get to make the rules. No one’s stopping you from making ‘BlogCamp’ or whatever you want. You could probably even get away with using ‘Word’ in the title, though you would be wise to make it painfully clear that it was not a sanctioned WordPress event.

    WordCamps are an extension of WordPress.org and the WordPress Foundation, which means that they are not community ‘owned’ products, though they are community driven.  Maybe people are forgetting that, at the end of the day, the responsibility for WordCamp, and WordPress, is not us.  We’re the result, and the reason, but not the responsibility.  If WordPress vanished tomorrow, we could fork it and move on, make our own forums, and actually be okay.  But right now, we’re all taking advantage of a free product.  We give up our time and our efforts for something that doesn’t directly make us money.

    Why isn’t the community in charge?

    That points right back to the heart of the issue for me.  The community isn’t in charge because it’s not a Big Dog.  At the end of the day, every project needs someone to stand up and say “This is what we’re doing.”  We need a big dog, someone to be in charge, and someone to draw a line.  A lot of people have made noise that this should be a person the community votes on and approves.  I disagree.

    WordPress was never about ‘community’ in that sense.

    The community doesn’t provide oversight to the plugins, the themes, or the forums on WordPress.org.  Sure, we volunteer our time, but we don’t all have trac commit privileges, do we?  We are not where the buck stops for this, and we have to keep that in perspective. You can tout all you want about doing what the ‘community’ wants, but the community provides ideas, suggestions, dreams and hopes. Someone else looks at the bottom line and says yes or no.

    Fly Again - Some rights reserved by cornerofartThat’s really very freeing to me.  That makes it easy for me to say ‘You know, I really hate this new thing.’ and I don’t feel like they’re going to revoke my license.  As long as I keep it all in perspective and remember that I don’t have to like it, but as long as I play this game, thems the rules, and it’s okay.  You can support the tool without loving every aspect of it, and no one says otherwise.

    The responsibility of oversight belongs with WordPress, not you or me, and the fall out does too.  A community has trouble being in charge like that because oversight ‘committees’ rarely work to anything but mediocrity.  As it stands today, WordPress is benignly governed by a company who listens, pays attention, and respects us, even if they don’t do everything each individual wants, and they keep their eye on the scope. (Perhaps by comparison, you should read up on the growing pains Drupal’s had recently.  Not enough oversight there, perhaps, but I have to study more about their entire situation to know for sure.)  If everything goes great, we ignore our overlords, and when we don’t like something, we vilify them.

    Why are you so mad about this?

    The vilification.

    I’m upset to see people being mean to each other. People are blaming each other, calling names, and pointing fingers. Of course this is a situation that makes people angry and emotional, but if we’re running a business, we don’t get the luxury of doing that publicly anymore. You no longer speak for yourself, you speak for your group.(I run a fan website for an actress.  Every single time I speak my own speculation about the TV show she’s on, someone assumes I know something secret and am not telling them, or I’m hinting at what’s to come.  I no longer am able to speak for me the fan because of this.  Trust me, I know how daft it is, and I hate it.)

    But the problem is I see a lot of name calling aimed at one person alone. That really bothers me because it looks like people are attacking a person and not remembering that the WordPress Foundation manages WordCamps. NOT the community. NOT the sponsors. NOT you or me. Hell, not even the volunteers who are doing the work!

    The Foundation.

    If you have a problem with WordCamp and the WordPress Foundation, do the right thing and take it to them.

    Most importantly, we need to be patient with each other. You don’t change the world in a day. Sure, we’re used to a fast paced world, where decisions are made on a dime and the whole status quo changes in the time it takes to svn up. But things still need to happen with thought and understanding. We have to look at the whole situation. And that’s why with responsibility comes the need to have oversight.

  • Multiple “Share This” On Your Front Page

    Multiple “Share This” On Your Front Page

    So you want people to be able to easily share your posts, and you install Jetpack and configure it so that the happy icons only show up on posts and pages (since you can’t make it show on only posts).

    Share This Settings

    Then you decide to make a Static Front Page so everything looks pretty. Except you get multiple instances of the sharing links! That isn’t what you wanted at all!

    The problem is that the when you make a static front page, it’s actually not an index page. It is simply a page using a template. Strictly speaking, it’s not an archive page, nor an index page, and because of that it’s treated like any other page and the ‘share this’ settings treat is ‘correctly’ by showing itself every time a page/post is called. I did report this to Jetpack, by the way, and they were a bit torn on if this is Jetpack being silly or something that needs to be addressed in core (that is, does WordPress need to grow up and treat a static front page as an index page).

    While they’re hashing this out, you can fix it yourself, which is a relief to those of us who ran into this.

    The easiest (and actually best) way is to use the WordPress template hierarchy to your advantage. If you use a front-page.php file instead of a static front page, WordPress knows that it’s an index page. This is the best way because you don’t make any extra ‘calls’ to the code. WordPress tucks it away on it’s own. To do this, if you’re using a page template, just copy the template (say page-snarfer.php) into front-page.php and call it a day. Depending on your theme, you may need to add a call to any special classes being called. (I know that if you use Hybrid Core, you need to add a call to page-template-home for it to format right.)

    But sometimes you can’t do that. Like if you’re on MultiSite and you use the same theme for multiple sites and you don’t want them all to have the same style of front page. Well now we have a minor problem. First thing to do is turn off sharing for the page you’re using as the static front page.
    Turn off sharing

    Doing just that brought me to this:
    One Less Share This

    In this case, I’m using a static front page with some content, formatted via the Twenty Eleven “Showcase Template” to show recent posts below my content. The first post shows up as an excerpt and then the rest show as titles with links (apologies for the different color):
    Multiple Posts - One Share This

    So for this theme it works perfectly and I’m happy as can be. This method also works if you’re using a Static Front Page without a page template!

    Double Rainbow For The Win But. That doesn’t work for all themes. And this is where we have to do the ugly things we don’t want to do. We have to edit CSS. In and of itself, this is pretty easy but I think it’s a poor choice because all this will do is hide the icons from displaying, and that means the code still gets rendered and call and that means you’re putting more work into loading your page than you need.

    Sometimes you just can’t fix it the best way, and acknowledging that, here’s how to do it. First, you must be using a page template for your static front page. (I said this once before, but it bears repeating: If you’re not using a page template, you can fix this by just turning off the sharing for the page.) Open up that template and look for something like this:

    <div id="primary" class="showcase">

    Once you’ve found it, you just have to add in a CSS call:

    div#primary.showcase div.sharing {display:none;}

    That says “In the primary.showcase div, if anything’s using the div sharing, hide it.” Not the most elegant or efficient way about it, but it gets the job done.

  • TimThumb and the Pseudo (D)DoS Effect

    TimThumb and the Pseudo (D)DoS Effect

    Over the course of a day, my server rebooted httpd twice. That’s not a common thing for me, as after days and hours of work, I managed to finegal my server into a semblance of stability so it could handle massive loads. At first I thought it was due to my traffic spike of an increase of about 1500% (no I did not screw up a decimal place there, my traffic went from a couple hundred to nearly 4000 in one day). Then I thought that couldn’t be right, because my traffic had actually mellowed out by the time I was crashing.

    So I went to my emails and pulled up the Apache Status log and noticed that 70% of the calls to my site were GETs to pages like this:

    /wp-content/themes/newsworld-1.0.0/thumb.php?src=/g0../0d1.
    /wp-content/themes/DeepFocus/tools/timthumb.php?src=/g0../0
    /wp-content/themes/TheProfessional/tools/timthumb.php?src=/

    Thumb Wrestling And thanks to that massive spike in traffic, my server was slowing down to the point that HTTP was becoming unresponsive and it had to reboot itself. In short, the TimThumb exploit was causing my server to behave like it was under a Denial of Service Attack, even though I don’t use TimThumb! My server was able to handle this, but if I’d been back on my old Shared Server, I’d probably have not gotten a text from the server at 11pm saying “Man, we had to reboot, but it’s okay now. Can I have a beer?”, but instead woken up to ‘Dude, where’s my website!?’ And this is with having a fantastic web host who cares and takes the time to help me out.

    Normally this is where I’d tell you what to do if you’ve been infected via the TimThumb exploit, but Cleaning Up the TimThumb Hack covered it pretty well. Just remember this, if you have been infected, you must reset all your passwords. This is true of any and all hacks. As soon as someone has access to meddle with files on your server, you could be hurt worse than you know. At the very least, you need to read the post “Technical details and scripts of the WordPress Timthumb.php hack” by the guy who ‘fixed’ TimThumb.

    What I wanted to do here was sort out how to block people who were looking for timthumb.php files (I can’t block thumb.php as I use that filename elsewhere). Reading up on Perishable Press’s Stupid .htaccess Tricks it’s clear we can do this:

    # prevent viewing of a specific file

 order allow,deny
 deny from all

    That should simply block access. An .htaccess block is a pretty simple way to reduce your server load, because people are getting punted before they get very far into things. Still, it’s something I have to install on each account on my server. Right now they’re just hammering ipstenu.org, and this is not the only domain on my server. This is, by the way, the same problem with using a plugin like WordPress Firewall. It’s a fantastic idea, if all you have is one account on a server. Protect yourself.

    I don’t. I run a VPS, and I have four domains here which I should be protecting. It’s easy enough to make that change on all four, plus two other external servers, but is that the best use of my time? I say no. I think I should automate as much of this as I can. What I really want is to say ‘If you’re looking for timthumb.php, then the odds are you’re looking for security vulnerabilities, and you need to just die in a fire.’ Or at least firewall block them. Seeing as I already have CSF on my server, it was logical for me to start there.

    Ice Blocks floating in the lake - Sarah OhBlocking an IP is easy, and I can do it via command line or GUI. Auto-detecting a URL though, is more complicated. Part of me thinks that, much like I can auto-block someone who tries to log in with any ID 10 times in a row, I should be able to add in a file pattern somewhere. Turns out you can’t, at least not the way I wanted. Instead, you have to do it differently.

    TimThumb’s exploit scanner isn’t actually a DDoS Attack, but it acts like one. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make your site unavailable. Basically they hit your site with so much traffic that it’s incapable of its job: serving up webpages to happy readers! That’s why I call this a pseudo (D)DoS attack. The goal of the scanner is to see if you’re using Timthumb and, if so, to be evil. It’s not really distributed (i.e. multiple computers at once), though because of the number of people running the exploit scanner, it can seem that way. The side effect is that your site is hammered and can’t do what it wants. Which leads us to Connection Tracking.

    CSF has a tool called ‘Connection Tracking’ which lets you limit how many times a specific IP can hit your site at once before they get tossed to a shit-list. I set this to 300, and told it to only scan ports 80 and 443 (because I need to have unlimited FTP, and sometimes I log in from different IPs – yes, my home IP is on the whitelist).

    Connection Tracking. This option enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than this value then the offending IP address is blocked. This can be used to help# prevent some types of DOS attack.

    Care should be taken with this option. It’s entirely possible that you will see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD and HTTP so it could be quite easy to trigger, especially with a lot of closed connections in TIME_WAIT. However, for a server that is prone to DOS attacks this may be very useful. A reasonable setting for this option might be around 300.

    Setting this up is a little less obvious for the new person. Go to WHM > Plugins > ConfigServer Security & Firewall and look for “Firewall Configuration”
    CSF Firewall Configuration

    Click on the button, look for CT_LIMIT and change it to 300.
    CT_LIMIT settings

    Scroll down, click ‘Change’ and then restart CSF.

    Now, you could put this as low as 100, or as high as you want, but I did some reading and 300 seems like something not too likely to trip innocent people up, but just enough to catch the bad guys. I may way to lower this to 200 or so, but I know that a lot of people come to one part of my server for the image gallery, and they tend to open lots of pages at once. I don’t want to hurt them. The other thing to keep in mind is how short is the block time. The IP block is set for 30 minutes, which isn’t much at all, but it could be just enough to make the transient DDoSers go away. ETA: As of February 2012, I’ve actually lowered this to 50, and it’s made a world of difference! My day to day CPU is a little higher, but the number of spikes that caused outages has dropped.

    I’m not doing this to stop the people who want to bring my server to its knees. I’m doing it to stop the people who are ‘scanning’ for exploits. A true DDoS is hard to block because as soon as I block it, I have to defend against it again and again. CSF would be like a sump pump in your flooded basement, always running until it burns out the motor. It comes from too many sources, and for the little guy (i.e. me), I may just have to shut things down for an hour and wait it out. But these scanners, well, I can block them with this trick, and not hurt my server doing so!

  • United States Patent: 8010458

    An online social network is provided in which members of the online social network control who may view their personal information and who may communicate with them. The members control who may view their personal information by setting a visibility preference. A member may not view another member’s full personal profile if the measure of relatedness between the two is greater than the visibility preference of the other member. The members also control who may communicate with them by setting a contactability preference. A member may not communicate with another member if the measure of relatedness between the two is greater than the contactability preference of the other member.

    via United States Patent: 8010458.

    It’s official. The US patent office is useless.

  • The Morality of Forking

    The Morality of Forking

    Having already established that Forking is Legal, I felt it best to take the other end of the argument.(This was intended to be all one post, but at about 3000 words, it needed to be split up.)

    Clarification here. Jigoshop is a product of Jigowatt. I call them Jigoshop in both my posts because it’s easier for my brain.

    Gil Rutkowski remarked (without knowing I was already writing this):

    Funny how people pick and choose between the “SPIRIT” of the GPL and its literal legal application to fit their argument. (@flashingcursor on Twitter)

    Two ForksWe often sum up GPL as “Do what you want with this software. Just let other people do what they want with the software you make from it.” If you’re not familiar with it, I think I can sum up the spirit of GPL as “Don’t be a dick.” (Wil Wheaton in Exile) People get in a lot of arguments about the ‘spirit’ of things. You’ve probably heard someone complain “He’s following the letter of the law, but not the spirit.” Basically what that means is someone is obeying the law, but not what it means.

    How can that even be? If the law is the law, then the law is the law and there should be no wibbly wobbly involved! It happens because of intent. The intent of the law in general is really something we shouldn’t have needed to be told in the first place, when you think about it. Primum non nocere: First, do no harm. Doctors are taught this, and you’d really think that’s self-evident! And yet, even the US Declaration of Independence starts out “We hold these truths to be self-evident…” If they were self-evident, why are we saying thing?

    People are selfish. We care about ourselves first, then the people closest to us, and so on and so forth. To say the ‘spirit’ of the law means we’re no longer actually talking about the law as a legislative statute, but about the idiomatic application there of. We’re now talking about how we feel the law should be, which is pretty iffy territory. Talking about the spirit of the law brings up things like the moral ambiguity of the law, and the ethics we try to impose on others. What’s ethical for me may not be so for you, and so on.

    So what does the moral aspect of GPL have to do with the recent forking of Jigoshop’s eCommerce plugin? Interestingly we can see how both parties ended up at the fork because they were selfish. Jigoshop didn’t want to give up control and neither did WooThemes. Neither was willing to concede, and in a way, they both ‘lost’ because of it.

    Melted ForkWas Woo being a dick to fork the plugin? Yes. And no. You have to keep this in perspective.

    You see, no one has made a ‘Killer’ eCommerce plugin for WordPress. Not even Jigoshop. From what I’ve been told, Woo has struggled to make their own killer plugin for eCommerce, and failed at it. I will leave it to others who actually use eCommerce on their sites to determine which plugin is queen, but I feel comfortable saying that taking someone else’s work, even when you credit them, can be a dick move.

    At the exact same time that WooThemes is being a dick for forking, they’re doing a right thing. No that’s not a typo, they are doing A thing that is right. We all know that ‘hacking core’ for WordPress (or any app) is a terrible thing. Merging changesets is a nightmare, no matter what tool you use, and a fork makes it just as hard to incorporate changes. So would not a better solution be to make a WooTheme add-on plugin that just changed the parts of Jigoshop they didn’t like? A Woo/Jigo integration plugin?

    That would be a wonderful, perfect world. Let me know when we get there. Sometimes the direction of a plugin is such that you have to fork it to do what you want. The developers don’t want to follow your dream of unicorns and puppies. Until we reach the perfect world, we fork. Now, it took a bit of reading to verify that WooThemes was unable to make their desired changes without editing core plugin code. That left them with only a few viable options. They could submit the changes to Jigoshop and hope for the best, or they could hack the Gibson. Basically, this was the best choice for WooThemes and really, nothing’s wrong with that.

    The problem is that WooThemes is going to be making money off this acquisition. Their WooCommerce plugin will be free, just like Jigoshop, but just like Jigoshop, they aim to make a living off the plugin. Off someone else’s work. To be fair, that’s what I do. I support other people’s ‘stuff’ all the time. I’ve not written a lick of code for Windows in years (except DOS and PowerShell scripts) but their products pay my bills. Does that make me a thief?

    No, it makes me an opportunist. WooThemes is being opportunistic as well. Remember how I said we are, all of us, selfish? Well so is Woo. They see a chance to make money and use a plugin that works, and not their own with a weird history. (Did you know Nacin was once going to head up WooCommerce before he was snatched by Matt? That’s fun to look at in retrospect.) Woo had a series of unfortunate issues with their own plugin, and it never worked right. They weren’t a dick because they talked to Jigoshop first (they didn’t have to), and I rather hope they said ‘Okay, we’re going to agree to disagree on the direction of the plugin and fork it.’ If Jigoshop first learned of the fork via Woo’s blog post, then they were entirely dicks.

    Was Woo being a dick to ‘head hunt’ the developers? Yes. And again, No. Yet again, perspective is important.

    I said before that the developers they ‘stole’ wouldn’t have left if they had a reason to stay. People leave companies all the time for myriad reasons. They also stay with companies for others. In the ‘traditional’ corporate world, people get a job and stay with it for a million years. In the freelance world, though, people switch jobs around a lot more. Even so, people only leave companies for three reasons:

    1. They hate it here
    2. They found something better
    3. They were let go

    That’s really it. So if someone chooses to leave a company, options one and two are there on the table, and you have to be honest to ask if they would have left if Woo hadn’t made the offer? And there’s where the dick move possibly lives. Was it Woo’s promise of skittles and beer that made them leave, or was there something wrong at Jigoshop? It’s far too early to point fingers at anyone, especially the developers who may discover they made a poor choice. You have to take risks, after all, or you never succeed.

    WooThemes was dickish if they bribed away the developers. But they weren’t if this was just one of those serendipity moments. What if the developers said ‘Wow! Woo shares our vision!’ We don’t know, so we have to speculate, but either way, the decision was the developers and not WooThemes or Jigoshop, so any dickery actually belongs to the devs and them alone.

    Twisted ForksSince I was asked, my personal opinion is this: WooThemes pulled a dick move which in no way violated the letter or the spirit of GPL.

    See the spirit would have been violated if, as another shop did recently, they lifted the plugin wholesale, made a couple tweaks, rebrand it, and released it without telling anyone. You know who I’m talking about here. That was violation of the spirit of GPL. But WooThemes was upfront about this. They talked to Jigoshop first, and everyone seems to have known what was going on before the news broke.

    While I dislike that WooThemes did this, I will defend their right to do so (and Jigoshop’s right to be upset) until the day we all stop using GPL.

    The whole reason I wrote the first post, however, was the high number of people I talked to who said that the spirit of the law was violated. It really wasn’t. Yes, these were dick moves, but the spirit of the law is the meaning, and the meaning of GPL is that you can’t impose more restrictions on a GPL product than it started with. No one did that. What Woo did was pretty shitty to their neighbor, don’t get me wrong, but it didn’t kill GPL. It hurt feelings and left a bad taste in the mouth, but that’s not the spirit of GPL either.

    The Spirit of GPL is freedom. It’s sharing your work, working together, and when you take someone’s work, being open about them and crediting them. And while you don’t have to like what Woo did, they did not harm the spirit of GPL, because we’re all here, talking about it and still abiding by it.

    I can but hope that the fallout from this is that we’ll finally have an eCommerce plugin that stands up as the best because of worth and not because that’s all we’ve got, but we’ll have to wait a couple of years for that to settle.

  • The Legality of Forking

    The Legality of Forking

    Update: This post is just about the legal aspects of forking. If you just want to talk about the morality of it, please go read The Morality of Forking.

    You may have heard about this. WooThemes hired a couple of developers who used to work for Jigoshop, and forked one of their plugins.

    Last week WooThemes announced the hiring of Mike Jolley and Jay Koster, as well as the forking of Jigoshop e-commerce plugin into the soon-to-be-released WooCommerce. Jolley and Foster previously worked for Jigowatt, a WordPress and Magento development shop, spending the last year working on the core of Jigoshop.(WP Candy: Jigoshop team and WordPress community members share thoughts on forking)

    When you read it that way, it looks a little weird, doesn’t it?  Shady even. After all, this is a case of one company cherry picking ideas from another, and then taking developers to continue working on their version.

    Here, read this view of events:

    But of course, open source makes it so easy to simply “steal” someone’s idea and hard work.  And justifying it by hiding under the umbrella of open source and “legal” forking. (WooThemes Forks Jigoshop and they brag about it)

    I’m going to go out on a limb here and present a point of view that many people will disagree with.

    It’s not theft.

    Freedom is a complicated, annoying, thing, and sometimes having a freedom means you accept the consequences of that freedom. In the US, we have freedom of speech, which means we can bitch about our government if we want to. But that also means someone else, who has the polar opposite of your views, has the exact same right you do. And I will defend that person with my dying breath that they have that right, no matter how much I detest what they’re saying.

    You have to keep that in perspective when you start talking about rights and legality. WooThemes had the legal right to do what they did. That doesn’t mean you don’t get to think that it was a dick move, and you may, but what it was, was 100% above-board. They were honest about it, and it was legal. The GPL affords us the freedom to make plugins, fork WordPress if we wanted, and do what we want, so long as we don’t restrict the freedoms even more.

    We pay a heavy price for these freedoms, don’t get me wrong. All freedoms have a cost. We all pay for them. Thomas Paine’s famous quote reflects on the ‘free’ part of open-source in a strange way: “What we obtain too cheap, we esteem too lightly; it is dearness only that gives everything its value.” The core code of WordPress is free to us, and perhaps we devalue it for that price. Certainly the unrealistic expectations of many users is that this is a free product, and as such they deserve all things for free.

    It’s possible that many people are dismissing this forking because hey, it’s a free world! WordPress is free, the plugin was free, the plugin was GPL, we’re all free to do what we want. But WordPress, when it hands us a dizzying array of freedoms in usage, is clearly giving us liberty that can be easily abused. It’s possible this is the case of abuse of that liberty. To judge that, we have to look at the whole picture.

    Woo’s bid to buy out the Jigoshop project grossly undervalued the business and didn’t come close to covering our initial development costs, not forgetting the planning, time and effort both the Jigowatt team and community put into the project.

    Woo then made to an offer to ‘collaborate’ which led to their decision to fork Jigoshop. What hasn’t been made public is that collaboration offer included conditions which would have given WooThemes full strategic control over the direction and development of the Jigoshop project in the future. (Jigoshop: Our Forking Views)

    So clearly we can see that an offer of purchase, and collaboration, were made. They were felt to be not right. That was Jigoshop’s right and choice. Was it the correct choice? Only time will tell. That holds true of both Jigoshop and WooThemes. But up to this point, the whole deal is above-board, fair and just. And then WooThemes said ‘Well, they don’t want to work with us. That’s fair. We’re going to fork. And we’re going to take their core devs with us.’

    This is still not theft.

    See, WooThemes had no power to ‘take’ those devs unless Jigoshop undervalued them. That is Jigoshop esteemed their own developers too lightly. If the devs had been happy with their compensation, the direction of the plugin, and the company, they wouldn’t have left.

    If you are a company with an open source project gaining momentum, your core developers absolutely must have a vested interest in your company. And not 1%. It has to be a good chunk of the pie. Enough that the developers feel your company is also their company. Then if another company comes along to hire them, the developer is much more likely to tell them, “Buy the company or take a hike.” (Lessons learned from the Jigoshop – WooCommerce fiasco)

    In the corporate world, I’ve signed a contract that says, should I leave my company, there are jobs I have legally agreed not to take for 12 months following my termination. My contract also prohibits me from doing certain types of freelance work. Not that long ago, a friend complained that it wasn’t ‘fair’ that we were restricted like that. I looked at her and pointed out “No one made us sign these contracts. We read them, and we chose to sign them.”

    I’m no stranger to signing NDAs and other documents that restrict me from telling you things like who banks at the company I work for. I can tell you things that are publicly known, but not things that are not. That sounds fair, doesn’t it? I also can’t blog about my company with certain details, and on pain of being fired, I can’t talk to the press about anything. I don’t have to like it all the time, but it’s something I agreed to and that’s a choice I have to live with. Many of my friends who work in other ‘worlds’ can’t understand how a company can restrict my private life. I point out that I signed a contract that promised I wouldn’t, and I keep my promises. If I didn’t, would I be the person they liked and respected?

    No one here violated a contract, lied, cheated, or stole. So why are people chapped and are they right to be so?

    Right and wrong are tenuous. What’s right for you isn’t right for me, and that’s a part of why we have the law, which defines right for ‘everyone.’ Of course, we all know that even then, right is subjective. The law is imperfect, we know this, that’s why we have judges and jurys who listen to the situations that surround illegalities and make judgements based on not just the black and white of a situation, but the entire picture.

    What WooThemes did was legal and fair. End of story. We cannot stand and shout for the freedoms of WordPress and GPL without defending their actions. That doesn’t mean we have to like them. If this makes you decide to never support WooThemes or Jigoshop again, that’s your choice too, and one I will defend till my dying day. I feel that I should point out here that some people who are decrying WooTheme’s move are the same people who were all up in arms for Chris Pearson’s Thesis theme to abide by the GPL.

    We live by the GPL sword, and we’ll die by that sword for as long as we stay GPL. The community clearly wants to be GPL, or we’d not have gone after Thesis with such animosity. That means we have to accept that sometimes what’s right isn’t what we would do. But then again, no one’s making you use the forked plugin.

    Someone’s bound to bring up the fact that even Matt doesn’t like forking. That would be incorrect. WordPress is a fork of B2. Matt’s problem with forking is pretty easy to understand:

    Forking is not usually ideal because it fragments the market for users

    Notice how Matt doesn’t say he doesn’t like it, but that it’s not ideal? That does rather apply to this situation. By forking a plugin, you make two versions of it. Were we not all recently delighted when the TimThumb fork (WordThumb) merged with Tim to fix the problems? Were we not ecstatic when WPMU merged with WordPress to make MultiSite? Multiple plugins that do the same thing mean multiple places to have to patch.

    And yet. There are already a handful of similar plugins out there. Having competition drives people to make better products and prevents us from resting on our laurels. It’s great you made the best plugin ever, but now what? It’s true this fork may be damaging to the community, and it’s true that it may have caused hurt feelings. But what matters more is where are Jigishop and WooThemes going next? How will their plugins make themselves notably different?

    In the end, if you don’t like it, vote with your feet, but you owe it to yourself to defend everyone’s freedom with the same ferocity you defend your own. Even the people you hate.