Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: license

  • What Are You Paying For With That License?

    My friend Andrea recently complained about confusion between support licenses and the GNU Public License:

    This led to a WP Tavern post about how Commercial WordPress Product Descriptions Can Mislead Customers into Purchasing More Licenses Than Necessary.

    GPL Freedom to Use

    WordPress is licensed as GPLv2 and in the preamble it says, rather boldly:

    The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software–to make sure the software is free for all its users.

    The GPL is intended to be about freedom in the code you acquire (be that for free or for purchase) and your ability to reuse it as you see fit.

    If you really want to understand the GPL and WordPress, I highly recommend you pick up A Practical Guide to WordPress and the GPL. It’s actually written by a lawyer and it’s $25 for the ebook, which seems like a lot until you realize that to hire a lawyer to go over all this would be over $400.

    The point for this post is pretty simple though. The GPL gives the user of a theme or plugin in WordPress the freedom to use the code as many times as they want, on as many sites as they want, for as long as they want.

    The Restrictions of Products

    I purchased a theme called Utility Pro from Carrie Dils. I love that theme. On her site, the various licenses are restricted by support.

    • Support for 1 Site
    • Support for 5 Site
    • Support for 25 Site

    All licenses come with “1 Year Support and Upgrades” and the ‘pro’ version has these extras:

    • DesktopServer Blueprint (quick setup for DesktopServer users)
    • Developer’s Edition (Grunt, Sass, and more)
    • WP Development Workflow course

    What am I paying for here? Support for X sites for 1 year, and updates. It doesn’t say if the updates are for all my sites, but I’m going to assume that if I get support for 5 sites, I get upgrades for 5 sites. The thing here is that the GPL would allow me to install this theme on 250 sites if I wanted, and not only can Carrie do ‘nothing’ about it, but she wouldn’t care. She knows how the GPL works, after all.

    This still leaves me with a couple questions:

    If I pay for support for one site, what happens when I put my license on two sites?

    The best case scenario would be I’d get a message telling me that I’ve used up the sites available to my license, and I’ll have to remove one to add another. I’d add in a link to buy more licenses personally.

    What’s to stop me from lying about the site I’m having a problem on?

    Well … Nothing. And unless I need Carrie to log in, she’ll never know! Even if I did let her log in, I could show her a demo site and explain “I’m working on a new version of my site and this is my code…” Which is a totally legit reason to be testing out her code on an ‘unlicensed’ site.

    Can she stop me from copying the updated version to an unlicensed site?

    Nope! In fact, if I’m super smart, I’ll always leave an unmodified version on a site that gets updates, and then use that as my base to update anything I’ve forked. Oh, and my version is so forked, it’s practically not her theme anymore. But that’s okay. I renamed it from utility-pro to utility-jo (it’s funnier to me).

    Change What We Pay For

    I’m going to propose a different way to handle licenses.

    Instead of paying for X number of sites for support, pay for X years of support + updates + features.

    That’s right, I’m suggesting this price point:

    • $80 for 1 year of support and updates on unlimited sites.
    • $200 for 3 years of support and updates and those nifty things on unlimited sites.

    The word ‘unlimited’ may sound terrifying. If you allow unlimited usage, what’s to stop me from opening a million tickets for my million sites for help? Nothing. Not a damn thing. Except there’s nothing stopping me from doing that right now anyway except my own pathological honesty when it comes to respecting the work of others.

    The people who will abuse this system are, for the most part, the people who already are. All the license has to check is “Is this license valid? Yes? Push the update!” Now the theme developer will always be pushing her latest, most secure, code to everyone, which is a win all around. Oh yes, did you think about that? If everyone always gets an update, then everyone always has the ability to be secure.

    Now there is one big pain point here. What if I give someone else my license key?

    Well… What if you just give away updates anyway?

    Genesis does. No license check needed. I can take my Genesis core theme, install it on any site, and if it’s out of date, I get an update alert.

    If you buy their Pro Plus All-Theme Package, it works like this. You shell out $499.95 at first and then $99.95 per year for access to every single theme they make, plus 3rd party themes, plus theme updates, plus support.

    The thing is I never put in a license number to Genesis core or my children themes. Ever. The updates just happen, even if I don’t have an account. So what am I paying for with Genesis? I’m paying for the code base, the support, the advanced documentation, and the access to everything I may need to make my site damned awesome.

    But What About Big Changes?

    The game is a little different with plugins. See, a theme actually rarely changes. Once you’ve made a theme, it stays roughly the same except for library updates and security issues. Plugins, though, can add new features. So instead, let’s take a page from Apple. The Apple App Store does not charge you for updates. They charge you for mini-transactions which, love ’em or hate ’em, actually work. If you need to charge for an update, you make a new version.

    Think about that for a second. In the App Store, version 4.1 is a minor release, but version 5.0 is a major release. This is not the same as WordPress’ semantic versions where 4.1 and 5.0 are both major releases, but 4.1.2 is not. When someone has a major release on the App Store, they retire their existing app and add a new one. The upgrade process mostly works. There’s always a weird period of time where things are odd.

    When we look at plugins, it’s a heck of a lot easier but you would have to use a license check to restrict updates. Using your licenses and the plugin headers, you can check “If someone’s on version 4.1 and I have released 5.0 and their license is active, push the update.” That’s the easy check. The fun check would be “If someone’s on version 4.1 and I’ve released both 5.0 and 4.2, but the license is not active, update them to 4.2 only.”

    Hold the phone. Why am I saying this? Because now you’re pushing security updates to your 4.x branch while not giving someone the new 5.x features. You win, because you’ve made the internet safer. The user wins, because they’re safer and possibly inclined to trust you more. Slip in a little alert to the top of the 4.x admin screens to say “There are new features in version 5.x. Upgrade now for 30% off!” and you’ll be converting sales!

    While someone could change their plugin headers to lie and say that their 4.x version is really a 5.x version, there’s no benefit to them to do this if you’re simultaneously requiring an active license.
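
    The two checks described above, sketched as server-side PHP (an added example, not code from the original post or from any plugin it mentions). The function names, the release list and `$entitled_major`, a seller-side record of the highest major version the license ever covered, are assumptions; capping on that record rather than on the reported header is what leaves an edited header with nothing to gain.

```php
<?php
// Added example, not from the original post. Names and data are hypothetical.

/** Leading (major) number of a dotted version string. */
function major_of( string $version ): int {
    return (int) explode( '.', $version )[0];
}

/**
 * Choose the version to offer one site, or null if nothing applies.
 *
 * $reported       Version from the site's plugin header (client-controlled).
 * $releases       Every version published so far, in any order.
 * $license_active Result of the seller's own license lookup.
 * $entitled_major Highest major version the license ever covered, taken
 *                 from the seller's records (an assumption of this sketch).
 */
function pick_update( string $reported, array $releases, bool $license_active, int $entitled_major ): ?string {
    // The header is untrusted input: accept dotted numbers only.
    if ( ! preg_match( '/\A\d+(\.\d+){0,3}\z/', $reported ) ) {
        return null;
    }

    $best = null;
    foreach ( $releases as $candidate ) {
        // Never offer a downgrade or a reinstall of the same version.
        if ( version_compare( $candidate, $reported, '<=' ) ) {
            continue;
        }
        // Lapsed license: security and maintenance releases only, capped by
        // the server-side record rather than by what the header claims.
        if ( ! $license_active && major_of( $candidate ) > $entitled_major ) {
            continue;
        }
        if ( null === $best || version_compare( $candidate, $best, '>' ) ) {
            $best = $candidate;
        }
    }
    return $best;
}

// Constructed sample data: the release history from the scenario in the text.
$releases = array( '4.0', '4.1', '4.2', '5.0' );

$cases = array(
    'active license, on 4.1'               => array( '4.1', true, 5 ),
    'lapsed license, on 4.1'               => array( '4.1', false, 4 ),
    'lapsed license, header edited to 5.0' => array( '5.0', false, 4 ),
    'lapsed license, already on 4.2'       => array( '4.2', false, 4 ),
    'malformed header'                     => array( '4.1<script>', false, 4 ),
);

foreach ( $cases as $label => list( $reported, $active, $entitled ) ) {
    $offer = pick_update( $reported, $releases, $active, $entitled );
    printf( "%-40s offer: %s\n", $label, $offer ?? 'none' );
}
```

    With the constructed data, the lapsed 4.1 site is offered only the 4.x maintenance release, and the site whose header claims 5.0 is offered nothing.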

    So What Does This Have to Do With GPL?

    Going back to what Andrea said, it makes it clear what your freedoms are.

    You can take code, install it wherever you want, and no one should actually give a damn. But by making updates easier, companies have to worry less about people wrangling, leaving them free to handle the egregious issues, like reselling.

    • The GPL allows me to take StudioPress themes and resell them if I want.
    • StudioPress has the right to delete my account and break my ability to update if I do that.

    Without touching on the hot-button topic of the ‘spirit’ of the GPL, we’re talking two separate things. The GPL allows me to do what I want with the code. The terms of use of StudioPress as a service, providing me with updates, are not bound by the GPL, nor should they be. But Andrea’s point, that our terms of use and licensing (billing) structure can confuse people with regards to our GPL freedoms, is totally valid.

    The onus is on the seller, not the buyer, to explain the difference between the GPL freedoms (do what you want, basically) and the Terms of Use freedoms. GPL doesn’t give you the freedom to defraud a company, for example. If they choose to cancel your account because you resold their product, that’s their right. Your freedom to resell is not impinged by the GPL. You can go for it. But they aren’t obligated to give you free updates anymore if that’s the case, and they can probably slap you with a c&d order.

    The point is the GPL and its freedoms can live side by side with making a profit. We just have to be honest about what we’re selling. We’re not selling the code at all, we’re selling the service.

  • GPL Isn’t Protecting You

    Some days I know my plugin reviews are going to wreck me. January has had a lot of complaints from people about aspects of the GPL. Specifically they wanted to know how to protect themselves with the GPL.

    The truth is the GPL is not protecting anything except the right of the next guy to take your code and do stuff with it. And that terrifies people.

    I’m not entertaining a discourse on the merits or legality of the GPL here. Those comments will be deleted. Simply put, a requirement of the WordPress.org repositories is that to be hosted there you must be GPLv2 (or later). At that point, every other argument is moot. Your code has to be GPLv2 to be in the repositories. End of story.

    Okay. So what’s there left to discuss about protecting yourself and your code? Three things: Trademarks, copyright, and theft. Here we go.

    Trademarks

    GPLv2 doesn’t protect your trademark, but that doesn’t mean your trademark isn’t protected. While any image you put in your WordPress theme or plugin has to be given as GPLv2 compatible, that doesn’t void your trademark. A freely offered image that is trademarked (say, the WordPress logo) can be used in your plugin, but it comes with restrictions after all. The inclusion of the SVG of the logo in GPL code doesn’t change that.

    One of the things that changed in GPLv2 and GPLv3 was related to this. Remember, GPLv2 allows all code that does not include any restrictions that were not already in GPLv2. As long as a license was as free (or freer) than GPLv2, it was deemed to be GPL-compatible (see the WTFPL). The issue with that is some licenses were very easy to comply with but had clauses like you couldn’t use certain trademarks. This caused confusion, as it was read as a restriction. The thing was that it wasn’t! Regardless of what the license said, you never had permission to use the trademark.

    This is good for companies. You can trademark your logo and, if someone takes it and redistributes a fork with the logos still in it, they’ve violated trademark law. And you can protect yourself there. I suggest you read Joomla’s post on the matter of Trademark protection to get a better idea of how it all works.

    Copyright

    Copyrights are another thing that the GPL doesn’t protect. Except it does.

    GPLv2 and GPLv3 are both copyleft:

    To copyleft a program, we first state that it is copyrighted; then we add distribution terms, which are a legal instrument that gives everyone the rights to use, modify, and redistribute the program’s code or any program derived from it but only if the distribution terms are unchanged. Thus, the code and the freedoms become legally inseparable.

    What does that mean? Your copyright is yours. By the act of writing code, you own the copyright (with some exceptions, like if you’re hired to write the code). When you contribute code to an open source project like WordPress, you STILL retain the copyright unless you give it away, but the license is whatever the project’s license is. Most of the time this is fine, but as I recently saw with Hugo, this can be problematic when a project wants to change their license. Hugo had to get permission from every single person who had contributed.

    This is, by the way, why WordPress will probably always be GPLv2.

    One way around this is to require everyone to waive their copyrights in order to contribute. I believe DotNetNuke did this. Whoever owns the copyright, if the code is still licensed in a way that allows for free distribution then nothing’s really changed. The code is still open.

    Of course, then there’s what the jQuery Foundation does with their Individual Contributor License Agreement – In order to contribute to jQuery’s code or website, you have to sign that and provide a valid email. This gives them a way to contact everyone and also makes sure you understand what you signed up for. WordPress just has a checkbox when you submit your code to remind you that you’ve given it up.

    If you’ve ever looked at the jQuery Foundation License, you may have noticed this line:

    You are free to use any jQuery Foundation project in any other project (even commercial projects) as long as the copyright header is left intact.

    This is not imposing a restriction more than GPLv2. See the bit in trademarks. Legally you had to do that anyway, they’re just reminding you not to be a tool and leave this simple line in:

    • Copyright jQuery Foundation and other contributors

    I bark at developers a lot for removing the license headers from javascript files. Don’t do it. You’re violating copyright and, if the original devs complain, you’ll lose your code until you fix it. Which is the point here. Copyright exists beyond GPL, so the fact that it doesn’t actively protect it doesn’t make it not enforceable.

    Theft

    I don’t mean legal here.

    A lot (a lot) of people argue that their plugin should be able to be encrypted or obfuscated to make it ‘harder to steal.’ I hear that about once a week, if not more. And my answer to all of them is “Not if you want to be hosted on WordPress.org.” WordPress.org has an ‘above and beyond’ understanding of the idea of distribution and allowing people to edit. It’s felt that the spirit of GPL means your code should be easy for someone to read and fork.

    I said a dirty thing there, I know. The ‘spirit’ of the GPL is probably causing some of my friends to roll their eyes so hard they’ve got migraines. Sorry about that. But it really is the one time I use it. When I say the ‘spirit’ I mean the intention of the license and its application to WordPress.org’s repositories only. Right or wrong, agree or disagree, it’s straightforward. If you want to have your code in the .org repos, it’s gotta be human readable.

    There’s a simple reason for this. The GPL Copyleft is all about freedom and keeping that freedom alive. The Copyleft says that anyone who redistributes the software, with or without changes, must pass along the same freedom to further copy and change it. In order to allow people to change the code, we want it to be human-readable. We want people to be able to look at your code and say “Oh I understand how this works. I will improve it!” When you take away, or overly complicate their ability to do that, we feel you’re intentionally impinging on that freedom. You’re trying to find a way around it, basically.

    About the only time I’ve heard someone not claim they were smushing the code up to protect it from being stolen is when someone has smashed their javascript into a p,a,c,k,e,d() type compression file. I actually hate those files. Javascript is hard enough as is! Stop making it harder. Plus I need to tell you something really important.

    While minifying your javascript will improve a website’s performance by decreasing the load time, it doesn’t make it run any faster for the majority of code out there. Of course there are situations (large libraries or limited devices) where this is not the case, but trust me here. Your 7 line javascript is not going to be significantly faster just because you compressed it. I advocate using the .min version of common libraries, but unless your code is huge, leave it alone and let other people see how to edit it.

    Bonus: Distribution

    GPL comes into play when your code is distributed. If I put my code on my server and never give it to anyone, it’s not been distributed so licenses don’t really matter. As the GPL FAQ explains:

    But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program’s users, under the GPL.

    It’s the big if there. What constitutes distribution? Is your browser downloading a javascript file in order to run my site distribution? Is handing you a zip file distribution?

    I always recommend people play it safe.

  • It’s Not GPL and That’s Okay

    I’m probably starting a wildstorm here, but I want to put this out there. I don’t always use 100% GPL products on my sites, and that’s okay.

    Please put down your pitchforks!

    I am a happy Open Source person. If you give me a choice between two equally good products, one being Open Source and the other not, I’ll pick Open Source any day of the week. But. There’s a reason I use Apple Pages and not Open Office. Pages works for me. It fits my workflow, it fits my brain, and it makes me write more easily. Since I’m often sprawled on the couch writing with my thumbs on my iPad Mini, it makes perfect sense to use Pages and iCloud.

    But there’s another place I don’t worry too much about GPL or Open Source, and that’s when I’m coding something that is only ever going to be for me.

    I was working on a new site and we were looking for icons to properly represent how we felt. We needed a toaster. We didn’t have one in Font Awesome or Genericons, so I pulled up Symbolicons! The catch? It’s not GPL. But the thing was, we knew we’d never be distributing these icons. It was for one website, so why did it matter?

    And the fact is that for this use case, it did not matter at all!

    Understanding what I’m doing, who it’s for, and where it’s going to be used is highly important. And understanding what I want to support and maintain is equally important. For the most part, open source doesn’t come with Apple Care or companies like OWC who specialize in bailing people out or helping them extend things. WordPress doesn’t come with that, for good or not, it’s really a ‘figure it out as you go’ sort of product.

    There are use cases to consider. Who’s going to use the computer? What do they know? Is it worth teaching them Linux or can they keep using their Mac? Much like I do when I’m mentoring someone, I don’t try to push my ideals on someone, or assume my way and my solution is the only solution. When I look at GPL, yes, it’s my default. I always start there. But I don’t stop there and I don’t let it blind me to what things need to be, because the best solution may not be open source, it may not be GPL, and it may not be WordPress.

    So long as you’re not violating a license, use what suits your needs. But do pay attention to those licenses.

  • The Responsibility of Freedom

    I’m sure you know there are clubs out there that re-sell WordPress products at a far lower cost than their original source. This post is not about that being right or wrong via the GPL, nor is it about the morality.

    This post is about responsibility.

    In my home office hangs a “Flynn Lives” poster, which I have to constantly remind me “I fight for the users.” It’s a nerd level joke most of my fellow developers and support gurus get, but many people I help would not understand the point. My job, as a WordPress Support Guru, is to help people. This is simple, straightforward, and obvious.

    My other job, though, is to make their lives easier and better. It’s my responsibility, when I write code, to make it do something to make someone’s life easier. Even if the only person it helps is me, the point is that someone is being helped. If it’s just me, it’s really easy to support myself. “Hey, Ipstenu, you know this broke?” “Yeah, added to my list!” But when it’s someone else, how does that change?

    I firmly believe there’s an expectation of support with all plugins and themes hosted in the WordPress.org repository. Period. That means, yes, I have code I don’t put up there because I don’t care to support it. But I know that expectation puts responsibility on me as more than just “Someone who writes code.” I can’t just write code, drop it into the world, and never support it.

    “But Ipstenu,” I hear you say. “Isn’t that what WordPress.org does? It just dumps WP into the world. I never see the devs in the forums!”

    You’re not WordPress.org. You’re not that big, that complex, and that intricate. Unless you’re BuddyPress-levels of plugins, and you’ll notice they have support forums. Instead of directly supporting WP, the core devs of WordPress who are dedicated to WordPress have people like me, who traipse about the forums and help. And when I see broken things, I either take it to trac or help the person who found it do so. My determining line is “Can I fix it? Okay, I’ll trac it and patch it.” If I can’t, I help them. Low hanging fruit.

    The point here is that all this wonderful software came with a responsibility to make it great and help people. What does this have to do with sites like those Justice League Clubs that offer cheap/free versions of pay-wall’d software? They’re not helping you.

    Oh, in the short term they’re helping you by giving you something for free. They’re getting you further in your site development than ever before. However that help ends at the provisioning level, because you aren’t paying for support from these resellers, you’re paying for product. That’s okay, so long as you know what you’re paying for, and a lot of people don’t. If people did know what they were paying for, they wouldn’t use nulled themes with base64 backdoors in them.

    The ethics and morals of reselling someone else’s work aren’t at play here. Yours are yours, mine are mine, and that’s just fine. What is at play is what are we paying for, what are we providing, and what are we devaluing when we resell someone else’s product?

    Devaluing is the easier one. People sell products at cost in order to make money. It’s simple. I work for a company that sells space on a computer and world wide availability from anyone to that space. We sell it at a price that allows us to make money, but also that allows us to hire amazing people like me who work on WordPress, write some of the code, test it, and otherwise spend all this time on WordPress, just because it’s software you use!

    The value of the product is, again, not just in the product, but in the service. And the service is more than just access and accessibility, but also in the support you get. No matter what people think, we aren’t just rolling around in money and laughing at you. We reinvest that money in ourselves, our hardware, the software (some of which we give to you). But what we always do is support that. Sometimes the support isn’t what you want to hear, but we do our best to solve problems, or explain why we can’t.

    So what are you paying for? Support! In the end, you’re pretty much always paying for support. You buy Microsoft Office and you don’t get the kind of support you get with WordPress, but you pay a lot more money. Where’s the support? When Word crashes, it sends (or asks you if it can send) a report back. That report gets noticed and acted on so that if it’s solvable, it’s solved. The next upgrade you get has a patch, and that crash doesn’t happen again. That’s support!

    You can also get actual support from Microsoft (though I know of no one who’s done so). They have people who write fantastic help docs and who monitor their forums and twitter. If you took Word (let’s pretend that was legal) and resold it, would you have all that?

    But that’s a quite extreme example. WordPress plugins are significantly smaller in scale than MS Office. So why is Office (and Adobe Photoshop etc) so expensive if they don’t give you half the help that the free WordPress product does? There are a lot of reasons. Patents and copyright are expensive, and frankly we’re all willing to pay for it. When Apple dropped the price of the new OS down from hundreds to $25, we were all suspicious. When it became free, we flipped out.

    But Apple wisely noted that making us pay that much money wasn’t helping them as much as it might. Free gives you a certain brand loyalty because we get to try before we buy. And we will buy those apps and those app add-ons (though I don’t fully approve of games that force you to pay to play all the time). We buy them because after we get the base product for free, we see the real value in the cost of the other products and we’ll pay for them willingly. Apple takes responsibility for their free software in interesting ways. We have to pay for assistance (most of us via the Genius Bar). And in the WordPress ecosystem, that too is what you pay for. The help.

    So back to this whole “I’ll take your paid software and give it away” thing.

    What are we paying for? I’ve heard tell that ‘Paying for support’ is a rip off. So is paying for documentation. I can see why some people balk at paying $25 a year for ‘support’ they may not ever need, and I’ve seen some companies work by letting you pay per-ticket. Though that makes people feel like you’re nickel-and-diming them, and I do agree it can come across that way. And yet that support which they so casually toss aside like an old shoe is where these free-software-clubs fall down.

    There is one club that says they will support all the plugins they re-host. Many of us are suspicious of the possibility of that actually working well, though given the odds of how small their sales will be to start with, it may end up sustainable. The problem is that they’re not going to be patching upstream. They’ll fix your issue, and then when the real source pushes the next version, they get to reapply their patches. Strikes me as a lot of work.

    Is the payment system for some WordPress plugins and themes broken? I don’t think so. I think it’s not optimal for the user nor for the developers just yet, but monetizing these things is still relatively young. There will be mistakes and bad choices along the way. Finding the balance between the freedom of the GPL and the desire to make a living is difficult.

    The ultimate responsibility we have with WordPress is to give back. We give back with support and with improving things for everyone. If we’re just doing things for ourselves, after all, we don’t share them. Are these clubs failing in those responsibilities? Not yet. But all eyes will be on them if they do.

  • Stolen GPL

    I made a polarizing comment on Twitter back in November, which was perfectly plain to me, but apparently not everyone else.

    “GPL means that you can fork, but it doesn’t mean you can steal, and you know damn well what theft is.”

    I should have said ‘doesn’t mean you should steal, and you know damn well what that is’ but the point is close enough. Forking in GPL is not only okay, it’s encouraged. Many of us get our starts forking and improving plugins. But there’s a difference between that and stealing someone’s work and presenting it as our own. That’s stealing, plain and simple. If you fork, you attribute. I have a plugin that started as a fork and ended up 100% re-written in a totally different way, but I still credit my original inspiration.

    Why?

    Because of the community.

    Look, per GPL, taking someone’s plugin is not stealing it, in so far as taking the code goes. You have the right to distribute someone else’s code. And I don’t even think that taking someone’s copyright protected work is actually theft. What I do think is that taking someone else’s work with questionable motives, and rebranding it as your own, is stealing.

    Here’s the GNU’s take on Copyright ‘Theft’:

    Copyright apologists often use words like “stolen” and “theft” to refer to copyright infringement. This is spin, but they would like you to take it for objective truth.

    Under the US legal system, copyright infringement is not theft. Laws about theft are not applicable to copyright infringement. The copyright apologists are making an appeal to authority—and misrepresenting what authority says.

    Unauthorized copying is forbidden by copyright law in many circumstances (not all!), but being forbidden doesn’t make it wrong. In general, laws don’t define right and wrong. Laws, at their best, attempt to implement justice. If the laws (the implementation) don’t fit our ideas of right and wrong (the spec), the laws are what should change.

    I agree with their explanation, and think it’s valid, in so far as it goes.

    Where it breaks down is the motive, as I mentioned before. If I buy a plugin or theme to use, I’ve bought it for the intended purpose. If I buy it to fork, I’ve bought it for another intended purpose. If I buy it to sell as my own, now I’ve walked into asshole territory. Per the GPL, this isn’t theft and it isn’t stealing (again, forking is okay). But when you look at it dead on, you’ve taken someone else’s work, with the intent to profit from their work, without any attribution or credit or compensation.

    In any other situation, that would be, clearly, stealing.

    Theft is taking someone else’s property without permission and with the intent to deprive the rightful owner of it. Obviously we’re not depriving the owner of the product when it comes to software, but we are intending to deprive them of the profits of their software, by circumventing their established ‘sales’ procedure. This works the other way, too. If I take someone’s free theme/plugin and sell it, I’m stealing from them as well. However. In both cases, if I’m not selling the product, but selling my support of it, I’m not stealing anything.

    Stealing is presenting someone else’s works as your own, among other definitions, and taking without right or permission. When it comes to GPL, you have both right and permission to take, that is unquestioned. But again, once you start presenting this as your own, you’ve walked into asshole territory. You didn’t do the work, you didn’t write the code, and you didn’t do anything except copy/paste. That’s not coding. You’re being dishonest, and I feel you’re stealing.

    It’s morally ambiguous and sticky for me to just say ‘this is stealing’ which is why I have to come back to the intent and motive. Am I doing this for altruistic reasons? Did the developer take a walk and abandon their work, and I’m simply keeping it alive? Did the developer reject my patch so I forked it? Or am I doing this because I resent them charging $85 for a plugin when WordPress is free? If it’s that last one, then I’m a thief, because my motive is to stick it to the other guy.

    Separating ‘stealing’ and ‘theft’ is like undoing a Gordian knot. You can do it, but it starts bumping into all sorts of crazy semantics. That’s why, most of the time, we don’t bother. I have a very strong opinion on the subject of code-theft, and always have. I feel that the only way to keep the GPL going is to not only do what’s right, but mean it, and being a good steward of the community, be it WP or Drupal or even Expression Engine, means you have to do what’s right.

    The right thing is to thank the guy who came first. Even an ‘Inspired by a snide comment by Ipstenu’ is being a good steward. You’ve encouraged me to do more by taking the time to recognize my effort. With that encouragement, I’ll go on to do more. It’s positive reinforcement at its best.

  • Plugin Licenses, Upsells, and Add-ons

    Plugin Licenses, Upsells, and Add-ons

    This post is dedicated to WPEngine, who donated to help me get to WCSF. While I don’t use them, I think that if you’ve outgrown WordPress.com and aren’t quite ready to host everything yourself, but you still want the plugins and themes, then you should check these guys out. They aren’t cheap, but then again, I firmly believe in paying for what’s important.

    Read the comments before you comment. Otto haz the smartz.

    One of the many rules of WordPress.org hosted plugins is you can’t phone home. Actually you can, and the rule really is ‘Don’t phone home without a damn good reason.’ To use Akismet as an example, it phones home with information to help verify who posted on your site, and are they a damn dirty spammer. That’s a damn good reason. But phoning home to check “Did Bob pay for a license?” is not. That’s considered abuse of the “serviceware” guideline, and essentially making an API just to make sure a license is okay isn’t okay. Now making money on your plugins is an awesome thing. But when your code is open source and anyone can see it, how do you keep people honest?

    To get down to brass tacks, I’m going to take a little journey the wrong way, before I get to some suggestions on how you can provide ‘free’ and ‘pay’ versions of a plugin on the WordPress repository, and not cause any guideline issues.

    Let’s start out with the most common way people restrict you: A license key. If you put in a plain license key check like this, it’s easy to crack:

    if ( $license == "yes" ) {
        // Licensed!
    }

    Okay, you say, I want to encrypt things so that I tell someone ‘your license is ipstenuisreallyneatsheismadeofturtlemeat’ but when I look at my code, it shows ‘774ffc4efce8da294dff77f35f75df98‘ instead (that’s md5(ipstenuisreallyneatsheismadeofturtlemeat) as it happens). Wait. We can’t encrypt code. Or rather, we can’t include encrypted code in a plugin; it’s against the no-obfuscation rule. We’d want to decrypt that instead. So I give you the code string and run it this way (just pretend that $options['license'] is a site option):

    if ( md5( 'ipstenuisreallyneatsheismadeofturtlemeat' ) == $options['license'] ) {
        // Licensed!
    }
    

    But then I have the problem of anyone can just look and see what’s going on again. You could go the extra step like putting ipstenuisreallyneatsheismadeofturtlemeat in a file and then pull off something like this:

    // md5file.txt holds the license string; hash the file and compare.
    if ( md5_file( "md5file.txt" ) == $options['license'] ) {
        // Licensed!
    }
    

    Is this easily decrypted? Yes. Is this easily circumvented by editing the code and removing the if? Again, yes. In fact the only way to really do this would be to use an API on your server to check the validity of the license (which you can’t do if you want to be hosted on WordPress.org anyway – no APIs just to check licenses), and even then I can strip mine your plugin and remove all checks like that. So why bother? Because you want to make a living on your code, and that’s certainly a fair-go! But as Otto rightly says, we can’t stop piracy, so why are we trying? DRM doesn’t work, and reverse engineering hasn’t proven sustainable. Maybe we’re building the wrong mousetrap.

    If we throw the code solutions out the window, because we know they won’t work, where are we left? The next most common thing I see is people offering two plugins. A free, totally open GPL one on the WordPress repository and then a version behind a pay-wall that you would ‘replace’ that free one with. For example, I have a Rickroll plugin, and let’s say I wanted to make a Rickroll Pro version that let you change the video to anything you want, just put in the YouTube URL. I would have a settings page on my free version that pretty much says “Hi, if you want to change the video, visit halfelf.org/plugins/rickroll-pro/ to download.” And now I have to code Rickroll Pro to check if Rickroll (free) is installed and active, and refuse to activate if so. Furthermore, my users have to be told to delete the free Rickroll.

    You know what? That’s a pain in the butt. What if instead I coded a Rickroll Pro add-on. No, I don’t mean ‘add this file to your plugin’ but ‘Install this second plugin, which will add functionality to Rickroll.’

    It’s a second plugin, yes, but now I can have Rickroll free look for Rickroll pro. Not active? The settings page (which I would keep in Rickroll free) would tell you ‘Hey, you don’t have Rickroll pro! Install it and get more things!’ or ‘Hi, you have Rickroll pro installed but not active. Don’t you know it’ll never give you up? Activate it and have fun!’

    Now the code muscle becomes a question of ‘How do I ensure my dependency checks work?’ First, Scribu wrote an awesome plugin dependency plugin, and the only flaw with it is that you’d have to install a third plugin. We don’t want that here, since yet another plugin is problematic. But looking back, that code grew out of a trac ticket about handling plugin dependencies. Now there’s a nice way to check: is_plugin_active()

    if (!is_plugin_active('rickroll/rickroll.php')) {
        // do not activate. Provide message why.
    }
    

    You could go to town with the checks in there. Like if the plugin isn’t active, deactivate the child and so on and so forth. I’m not going to write it all for you (though Otto wrote a lot about it for themes).

    Now going back in your parent plugin, you can run the same check:

    if (!is_plugin_active('rickroll-pro/rickroll.php')) {
        // Rickroll pro isn't active, prompt the user to buy it.
    } else {
        // Include rickroll-pro/adminsettings.php so they can use it
    }
    

    The one last thought I had on this was how to handle pro upgrades. Since I don’t like to upgrade a plugin a lot unless I have to, I’d make it an ‘upgrade both’. In Rickroll Pro I’d set a version constant, and then reference that version in the same call that checks whether it’s active. So Rickroll, after verifying Rickroll Pro is active, would come back and say ‘My current supported version of Rickroll Pro is 1.5 and the constant is set to 1.0. You should upgrade!’ Then every time I write a new version of Rickroll Pro, I’d update Rickroll to point to the new version, and when they upgrade from WP, they would get notified about Rickroll Pro needing an update too.

    Probably not the most efficient or effective way about it, but the other option is a self hosted plugin update API.
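
    One way to wire up the ‘not installed / installed but not active / upgrade both’ prompts described above, as an added example rather than the author’s code. It assumes Rickroll Pro sits at rickroll-pro/rickroll.php (the path used in the post) and defines a RICKROLL_PRO_VERSION constant; that constant and the rickroll_* function names are hypothetical. The notices are advisory only and enforce nothing.

    ```php
    <?php
    // Added example for the free Rickroll plugin; not the author's code.
    // Assumed: Pro lives at rickroll-pro/rickroll.php (path used in the post)
    // and defines a RICKROLL_PRO_VERSION constant (hypothetical name).
    define( 'RICKROLL_SUPPORTED_PRO_VERSION', '1.5' ); // hypothetical; bump per Pro release

    // Pure decision logic: returns 'missing', 'inactive', 'outdated' or 'ok'.
    function rickroll_pro_status( $installed, $active, $pro_version, $supported ) {
        if ( ! $installed ) {
            return 'missing';
        }
        if ( ! $active ) {
            return 'inactive';
        }
        // An active add-on that defines no version constant counts as outdated.
        if ( null === $pro_version || version_compare( $pro_version, $supported, '<' ) ) {
            return 'outdated';
        }
        return 'ok';
    }

    function rickroll_pro_admin_notice() {
        if ( ! current_user_can( 'activate_plugins' ) ) {
            return; // only prompt users who can install or activate plugins
        }
        // is_plugin_active() is defined here and is not loaded on every request.
        include_once ABSPATH . 'wp-admin/includes/plugin.php';

        $pro    = 'rickroll-pro/rickroll.php';
        $status = rickroll_pro_status(
            file_exists( WP_PLUGIN_DIR . '/' . $pro ),
            is_plugin_active( $pro ),
            defined( 'RICKROLL_PRO_VERSION' ) ? RICKROLL_PRO_VERSION : null,
            RICKROLL_SUPPORTED_PRO_VERSION
        );
        $messages = array(
            'missing'  => 'Rickroll Pro is not installed. Install it and get more things!',
            'inactive' => 'Rickroll Pro is installed but not active. Activate it and have fun!',
            'outdated' => 'Rickroll supports Rickroll Pro ' . RICKROLL_SUPPORTED_PRO_VERSION . '. You should upgrade!',
        );
        if ( isset( $messages[ $status ] ) ) {
            echo '<div class="notice notice-info"><p>' . esc_html( $messages[ $status ] ) . '</p></div>';
        }
    }
    add_action( 'admin_notices', 'rickroll_pro_admin_notice' );
    ```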

    Bear in mind, because of GPL, all these hoops and ladders can be circumvented. Your plugin can and will be taken away for free. Don’t fight the pirates with registration circuses, and limit the weight of your code by selling the right thing. It’s a strange idea to think that giving your code away for free will help you earn money, but at the very least, not fighting against the pirates will give you time to write better, more secure, code. And that certainly will earn you more money. Then sell your support, because that time is money.