Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: stories

  • Plugins: Threatening to Go Public

    A lot, like a lot a lot, of people threaten to go public with how evil the Plugins team is. That rarely works out for them, since most of the time I’m very good about covering my bases, giving people just enough rope to hang themselves, and documenting it to CYA. Also most of the time they’re wrong. If I’m wrong, I apologize and try to make amends.

    But they still threaten. For most of them, it’s rarely going to go the way they want, since they’ll say “I was banned because I refused to fix X” or “My plugin was rejected because I wouldn’t change X,” and that reflects on them, not me. Now that does depend on what X is; sometimes it’s as weird as not documenting a remote call, or not wanting to use the default jQuery. A lot of people refuse to stop bundling libraries that already ship with WP by default, for reasons I cannot fathom.

    Today’s story is about one of those where X was a security issue.

    Security Closure

    One of the fun/annoying parts of plugins is security reports. We get a lot, and they’re rarely well written, so it takes time to unpack what the plugin is and what exactly the issue is. Dion has since crafted a way to collect more of the details up front to expedite things (which helps a lot), but back then? I did it all manually, checking and testing every time.

    That routine and practice is a large part of why it’s taking so long for folks to catch up after I left: I had a routine and muscle memory working for me on top of a decade of experience. Individually, they’re about as fast as I was when I started, and back then we had a lot fewer plugins, and a lot simpler ones!

    This report was for a valid XSS and SQL injection issue on a plugin untouched for 6 years. No big deal, mistakes happen and this was clearly a mistake. The plugin was closed and the dev emailed.

    Now these old and non-updated plugin closures usually fall into two categories:

    1. The developer replies, fixes the plugin, all is happy
    2. The developer never replies, plugin is closed forever, sadness reigns

    But then we got the weird one.

    Note: My wife always laughs when I say ‘and then it got weird’ because it’s usually already pretty weird.

    This guy, let’s call him Glen (not his real name), emailed back and said he hadn’t updated but he tested the plugin and it worked on the then stable version of WordPress. Great. But he has to fix the code. So he was told “If you have not updated the plugin on SVN, we will not review it” among other things.

    Glen complained that he did this shit for free (join the club, Glen) and he was the reason WordPress was popular (… what?), and for sure he would not be able to update on short notice. The plugin was already closed and if you’re wondering what notice, he meant the time to disclosure. Remember after 60 days the site will say (in broad terms) why a plugin was closed.

    Now. Saying you can’t fix the plugin asap is totally okay. Take the time you need, but I am not reopening if it’s not safe. Period. It was already 0-day’d.

    Glen wanted me to call him (Hah!) and he would tell me all about WordPress’s many, obvious, security issues.

    No Phone Calls

    I told him no, I would not give him my number.

    He was reminded that the plugin is his responsibility, not mine. I don’t work for him any more than he for me. We’re all volunteers, yadda yadda, and by the way, here’s how you report WP core issues. Finally he was reminded the plugin was already closed, and he could take the time he needed to correct it, even years.

    He agreed to update, when he could. Again, I told him that was fine, and to do what he could when he could, we understood. But Glen got all fired up over being “asked” to “look into” his security issues and continued to complain that he had to fix his own plugin.

    For the record, everyone has 60 days before the reason for closure is made public. There has never been an ultimate limit to fix the plugin after closure. The longest has been over a year. I never cared if it takes you 6 minutes or 6 hours or 6 years! But Glen? Well … he threatened to post on social.

    So let’s get it clear. Glen was going to post on social that:

    1. He was told about a security issue in a plugin he hadn’t touched in 6 years, his plugin was closed, and he was given a timeline for disclosure of why it was closed.
    2. He ignored the security issue and said it worked on 5.X so it’s all good.
    3. He was told we would not reopen the plugin unless he updated.
    4. He decided it was rude of us to say that.
    5. He accused the plugin team of being rich (hah).
    6. He threatened to tell everyone the whole story.

    Besides the fact that it’s not going to go his way (people would read “You refused to fix your own plugin and demanded a known vulnerable plugin be restored?”), it’s pointless. It wouldn’t change anything. The plugin would remain closed and he’d get banned for threats. Because the textbook word there is he was trying to extort us by threatening … dog shaming?

    Stop Hitting Yourself

    I pointed out that his ‘version’ wasn’t going to make him look good. He was welcome to go public if he wanted, but again, all he was being asked was to fix the plugin when he could, and no, I would not reopen it until it was fixed.

    He doubled down, used some choice words about the matter, and was banned.

    I don’t think he ever did go public, but he never fixed his plugin or self-hosted it either.

  • Plugins: Mask of Many Faces

    There’s a term we use a lot in WordPress forum/plugin work, called Sock Puppets. That’s what we call an account someone makes with the intent of disguising who they are, usually to troll or for some other nefarious purpose. For plugin reviews in particular, the sock puppets are generally used to make fake reviews. Specifically they make a bunch of fake accounts to make five-star reviews for their own plugin.

    While there is a claim that people use sock-puppets to leave one-star reviews for other plugins, that’s really not common. In fact, I only remember three times, and all three ended with banned companies. It’s not worth it. We’re a lot more kind if you make fake reviews for yourself, than if you do it to hurt others.

    Fake reviews are a huge issue everywhere. Amazon and Apple have zero tolerance on them, and will punt you if you do it. On WordPress, I tried to be gentler and I would regularly warn people we caught them, please stop it, and we removed the reviews. If it happened a second time, their accounts were suspended until they replied to confirm they understood. The next step was the final warning (any non-security issues will result in a ban), and after that I would punt.

    Friends or Puppets?

    One day a trio of plugin developers reviewed each other’s plugins. They specifically made fake accounts to do it. They were caught and admonished. They each replied in pretty thoughtless ways:

    1. Replied 4 times, one saying they were all roommates, and said ‘god sees all’ (Zorro)
    2. Replied that he was thinking about quitting WP (Doug)
    3. Replied about bathing (Wally)

    All names are fake. And no, I’m not kidding about Wally:

    Stop brushing and bathing.

    A lot of viruses when will destroy you, then you will understand the importance of cleaning your body and mind.

    Your behaviour is abnormal. You are doing wrong use of technology made by others.

    Wally via email to Plugins

    Wally got the insta-ban because that one is off the wall weird and generally a good indication of trouble. I usually wouldn’t post the whole email but that one is pretty choice and hard to explain otherwise.

    After being banned, Wally said he was happy to leave, that ‘we’ were idiots, he wished that we would lose our jobs and have to beg so people would treat us badly. I got treated badly while I was being paid. Does that mean I win? He ended up saying this:

    May WordPress get a virus similar to Coronavirus and all of you die under debts and people like you who interfere with others lives beggars for people like me and in return I will not put a paise in your begging hands.

    Wally via email to Plugins

    Props for the capital P in WordPress.

    After jokingly calling this a soap-puppet, I figured it was done. But then…

    All For Ban, Ban For All

    Zorro replied to Wally’s email. You read that right. Zorro emailed a reply from his email address and so did Doug. Same email address. Zorro made more comments about God, Doug claimed he had friends in WordPress and I should watch my step.

    Be careful, you may be hurt harder than you expect and at places where you do not expect.

    Doug via email to Plugins

    While it is possible that Wally shared the email around, Occam’s Razor is pretty sharp here. They were all the same person. Three accounts, three separate plugins, a bunch of reviews. And the fact that they all replied in minutes is pretty damning.

    In the end, all three were banned, but only Zorro emailed the Password Reset folks asking why his account was disabled. He offered a bribe:

    I would like to make donation in your account if you restore my WordPress account and plugins.

    You may send me any guidelines.

    Once my plugin start generating income again I will be able to send you 50 dollars monthly for cooperation from your side.

    Zorro via email to Password Resets

    The reset folks said ‘Nope.’ and that should have been that.

    It’s Never Over

    The story doesn’t end there, and I have to backtrack.

    Previously, before they were banned, I wasn’t quite sure they were all the same person. Three friends making puppets together isn’t new, so I laid a trap. This does not make me a great person, I know, but it’s important to be sure. And my trap was pretty benign.

    Each account got a slightly different email about fake reviews. I’ve done this before with good results, because usually people slip up and reply with the wrong email. It’s harder than it looks to be note-perfect with multiple accounts, which is why it’s not worth the time. In this instance, it panned out perfectly as a fourth account, Soren, replied to Zorro’s email!

    Bingo. That’s what I needed, and I banned all four telling them why. I did not cc them on the same email just in case I was wrong. I didn’t want to leak private data. At that point, they all replied with pretty nasty stuff about gods and bathing (what the hell? I shower every day!).
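    The canary-email trap described above, as an added example that is not the author’s own tooling: every suspected account gets the same notice, but with one innocuous sentence that differs per recipient, and a reply that quotes the sentence sent to a different account ties the two together. Account names, the notice wording and the replies are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data for this example; none of these are real accounts.
SUSPECTED_ACCOUNTS = ["zorro", "doug", "wally"]

# The warning every account receives is identical except for one innocuous
# sentence. That sentence is the per-recipient "tell": if a reply from account
# B quotes the sentence only account A ever received, B has seen A's mail.
TELLS = [
    "Please remove these reviews at your earliest convenience.",
    "Please take the reviews down when you have a moment.",
    "Please delete the reviews as soon as you are able.",
    "Please clear the reviews when you next have time.",
]

NOTICE = (
    "We have found reviews on your plugin that were left by accounts you "
    "control. This is not permitted. {tell} Further fake reviews will result "
    "in your account being suspended."
)


@dataclass
class Trap:
    tell_to_account: dict                      # tell sentence -> recipient account
    linked: set = field(default_factory=set)   # (replier, recipient) pairs seen

    def notice_for(self, account: str) -> str:
        """Render the warning exactly as it would be mailed to one account."""
        for tell, acct in self.tell_to_account.items():
            if acct == account:
                return NOTICE.format(tell=tell)
        raise KeyError(f"no variant assigned to {account!r}")


def lay_trap(accounts) -> Trap:
    """Assign each suspected account its own variant sentence (one per account)."""
    if len(accounts) > len(TELLS):
        raise ValueError("more accounts than distinct variants available")
    return Trap({tell: acct for tell, acct in zip(TELLS, accounts)})


def _normalise(text: str) -> str:
    # Strip leading '>' quote markers, collapse whitespace and ignore case so a
    # quoted reply still matches the sentence that was originally sent.
    text = re.sub(r"^[ \t]*>+[ \t]?", "", text, flags=re.MULTILINE)
    return re.sub(r"\s+", " ", text).strip().lower()


def quoted_recipient(trap: Trap, reply_body: str):
    """Return the account whose variant the reply quotes, or None if no
    variant sentence appears in the reply."""
    body = _normalise(reply_body)
    for tell, acct in trap.tell_to_account.items():
        if _normalise(tell) in body:
            return acct
    return None


def check_reply(trap: Trap, sender: str, reply_body: str):
    """Record a linkage when the sender quotes a notice sent to someone else.

    Returns the account the quoted variant was mailed to. A return of None
    means the reply quotes nothing recognisable, so the trap proves nothing
    either way about that sender.
    """
    recipient = quoted_recipient(trap, reply_body)
    if recipient is not None and recipient != sender:
        trap.linked.add((sender, recipient))
    return recipient


def linked_accounts(trap: Trap) -> set:
    """All accounts tied together by at least one cross-account reply."""
    return {account for pair in trap.linked for account in pair}
```

    A reply that quotes its own recipient’s variant, or quotes nothing at all, records no linkage, so the trap only ever produces positive evidence and never implicates an account by silence.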

    Enter Aaron. He submitted code that linked back to Zorro and Soren’s website. In fact, it linked back to one of Zorro’s plugins! I banned Aaron and repeated the end of the original ban email, which says not to make more accounts or WordPress.org will have to take stricter measures that could hurt others (IP bans etc).

    Aaron didn’t reply. Another person, Derek, did. If you’re keeping track, this is the 6th account, and Derek said that he didn’t know who Zorro was, but Aaron (the account he was replying for) worked upstairs for a separate company.

    Gif of David, from "Schitt's Creek" saying "What the actual f*ck?"

    Who The Hell Is Whom?

    At this point, we have three people who (purportedly) live together (Zorro, Doug, and Wally) and all their plugins cited Zorro’s website. We also have Soren, who replied to Zorro’s email, and Aaron who submitted another plugin linked back to Zorro. Finally we have Derek, who replied to Aaron’s email saying he didn’t work with Aaron.

    Why did Derek reply to an email sent to Aaron?

    This, my gentle readers, is why having multiple accounts is a shit-show and not worth it. You’re going to screw up and reply with the wrong ones. When you do, you will pay the price. It’s better to just be yourself and be honest. And preferably not an asshole.

    Derek’s email went on to cite some things from Zorro (about gods), Wally (bathing and viruses, again!), and Doug (threats). I did not reply, I filed the email as blocked and ignored it. Derek replied again with basically “you can’t kick me out, I’m leaving!” … Except we already had kicked him out.

    He added we sucked at communication and we were suckers and idiots he didn’t want to work with.

    Signed Zorro.

    From here on out, I will always use ‘Zorro’ for his name. I’m pretty sure everyone was Zorro anyway.

    Of Course He Kept On

    Normally if you tell folks you’re leaving, you actually … leave. Right? Zorro didn’t. Every day for half a month he made new accounts and submitted plugins. He was really stupid about it, too. I mean, they all had the same naming convention and if there’s one thing I’m really gifted at, it’s pattern recognition.

    I had just finished the first pass of my shell-script plugin checker, so I used this opportunity to write a complex set of checks for them, using Zorro’s ‘tells.’ This is why it’s complicated to make that work public: it tracks why a plugin cannot be hosted, and outs the person as the reason. I don’t want the evil populace to know how I’m catching them. And catch I did.

    Finally, Zorro emailed with a new story (and new email). Zorro’s new story was that his ‘accounts’ were hacked.

    Our accounts were hacked. All the emails linked to company were of multiple students who come here to learn WordPress free of cost. We provide emails to them, so that we can use their published plugins as part of project so that we can monitize it.

    Zorro via email to Plugins

    That last sentence threw me for a loop. To monetize? They meant the plan was to funnel people to their company as a free-to-premium flow. Sure, a lot of people do that, but Zorro just said he intentionally used multiple accounts to own multiple plugins to funnel users to pay them. So you know, basic deception where multiple accounts are hiding who they are. Right. Not okay.

    We are never going to stop publishing plugins, we can change IP address, we can ask students to use their own network to publish plugins, use different emails. We can relocate to different location if we do not generate income here. You can not stop us from what we are doing.

    Zorro via email to Plugins

    This kind of rant continued (along with how evil we are, blah blah) when Zorro stepped up the impersonation from the Wally email:

    An email that reads "You are terminated from your job on WordPress and is not allowed to work here anymore. Regards, Matt Mullenweg."

    Again, props for using capital P, but yeah, totally. That’s how Matt would do it. I think he has my phone number actually … I know he has my address after that August surprise.

    It Kept Going

    From May to August, this shit kept going. Eventually I figured out the regex to catch and close the emails automatically, and I built out the scanner to catch ’em faster. Zorro sporadically popped up now and then, making a total of 17 separate accounts by the end of that year.

    Once in a while that year I would catch another email from “Matt” firing me, and it was always good for a chuckle.

  • Plugins: Always Get a Contract

    Sometimes people do stupid things. In the case of Gary (not his real name), it was hiring someone without a contract. This led to a complaint that a developer had taken Gary’s proprietary code and released it in public.

    Gary explained he’d hired Frank (not his real name) to write a plugin for his company, and the agreement was it was not for resale. That’s pretty normal to hear. Gary went on to explain that Frank was from Pakistan (this will come back later) and he’d asked Frank to take down the plugin and Frank said no. Could we step in?

    Time to Dig In

    The answer to Gary was ‘maybe.’ I explained that, per the GPL, Frank was allowed to take and fork the code and release it for free. However, WordPress.org didn’t allow that if the source was a premium plugin. So first of all, was the infringing plugin actually hosted on WordPress.org? You see, Gary hadn’t named the plugin.

    Once Gary linked to the plugin, I took a look for any obvious evidence that it wasn’t Frank’s. Sometimes people credit the source and it’s easy to see if it’s a fork, and other times they forget to clean it up and remove mention of the source. In this case, I saw no evidence, but I did see GARY had a number of warnings on his account for (basically) being an asshole in the forums. Never a good sign.

    In fact, here’s what Gary posted in the forums against Frank:

    [Frank] will take your money and then leave you with a plugin with bugs and [functions] paid for that he doesn’t deliver.

    Gary in the forums

    That’s it. That’s the review. Nothing about the specific plugin.

    I then asked Gary if this was a premium (pay for) plugin. Gary said no (!) but it was a bespoke plugin with a contract provision to not distribute. I pointed out that meant the code wasn’t GPL, so we could remove it, and asked Gary for a copy of the code. I’m sure you won’t take the sucker bet on what license the code carried, because it 100% said it was GPL.

    Oh and yes, I had to warn Gary that his account was on mod-watch due to that review, which was not a review of the plugin. It was an attack on the developer. Right or wrong, personal attacks have no place in a review of a plugin. If some developer really did kick you in the goolies you should go to a lawyer, not the forums, to complain.

    We understand that sometimes contracts and arrangements go south. This does not give you permission to make multiple accounts and to aggressively attack the developer in question. This is especially true when you are directly contacted and told to come talk to the forums team in Slack, and instead you attempt to contact them personally via [Social Media].

    You were provided with the correct conversational methods, of which this email is in fact one, and instead you flagrantly disrespected and disregarded the directions.

    We will of course still hear your claim and, if there is proof to it, close the plugin permanently. But that won’t make us unlock your account, since you behaved in a manner unbecoming to our community.

    Plugin Team to Gary

    This means it’s down to contract law, and I’m not a lawyer.

    Let’s See That Proof

    I decided to ask the simplest possible option. “Did Frank sign a contract, or was this a verbal deal?” Gary insisted Frank had signed a contract. And he provided ‘evidence.’

    His evidence was a group of undated and unorganized screenshots about their work from Skype. Each screenshot was ‘dated’ in the name (thank you Apple), but that wasn’t actually the order of the conversation. I spent an hour or so trying to get the order correct, and what I saw was Gary asking for a lot of changes in a short amount of time. A lot. Like every other comment from Gary was “and I need this change…”

    Frank would update Gary at the start and end of his (Frank’s) day. I thought that was pretty reasonable, since Frank was in Pakistan and Gary was somewhere in North America. And finally in those screenshots I found where it went south. There was an email from the end of the previous year (remember we’re in January) where Gary said Frank needed to close the plugin on WordPress.org because Gary owned it, not Frank.

    Rather politely, Frank replied that he had only made public the code Gary didn’t want. It took more digging in those undated Skype logs to figure out that Gary had asked for a bunch of features, changed his mind more than once, and Frank had, quite clearly in fact, asked if he could use the unused code elsewhere.

    You know that Gary said yes. Of course he did.

    Fool Me Twice, Shame On You

    I wrote a reply to Gary explaining he’d actually agreed to let Frank share the code, and if Gary would send us his version, we would confirm the private code wasn’t there. My email included a screenshot to prove where Gary said that, just to cover my ass. Before I sent it, Gary sent me another story about how after this incident, he’d hired Frank a second time.

    Y’all, if you hate a developer, why would you hire them a second time? What logic is that?

    In the second incident, though, it got better. Gary had started this second “contract” at the same time he’d complained about the code not being removed from .org. Frank had started to accept the work, changed his mind, refunded Gary, and blocked Gary saying he didn’t want to work with Gary anymore. I felt that was quite reasonable of Frank, all things considered.

    Gary also, as one would expect, took umbrage that he was suspended and Frank wasn’t.

    The fact that you won’t reenable my account because of terrible customer service and rude mods is not something you should hold against me […].

    […]

    If you think I will go down silently, trust me. You have not yet met a monster like me before.

    Gary to Plugins

    I put pause on my initial reply to Gary and emailed Frank. I was honest and told Frank someone was making a claim he’d put code on .Org that violated a contract. I asked if there was a contract at all, and what had happened from Frank’s PoV, because I wanted both sides. Rather politely, Frank said there was only a verbal agreement, no actual contract, and that he decided he didn’t want to work with Gary because he was kind of a dick.

    I chastised him for working sans contract and pointed him to where he could get basic dev contracts that would protect him from things like this.

    It Doesn’t Look Good

    So here we are.

    1. Gary hired Frank to make a plugin
    2. Frank did so, after a lot of back and forth
    3. Gary changed his mind and asked for a feature to be removed
    4. Frank asked if he could put the removed feature up on .org
    5. Gary said yes
    6. Frank did so and linked to the plugin on .org (I think … it was truncated in the undated screenshots provided)
    7. Gary then asked Frank to make a second plugin (knowing the original was hosted on .org)
    8. Frank sent Gary the cost estimate
    9. Gary complained Frank put the first plugin in public
    10. Later on the day of the complaint, Frank refunded the down-payment
    11. Gary complained about the refund being a breach of contract
    12. Frank told Gary he would not work with him anymore and blocked Gary

    From the outside, that looks pretty reasonable, right? And both parties (Gary and Frank) told the exact same story! I love when they line up. Gary had even shared the screenshot that confirmed he told Frank that the unused code was FRANK’S to do with what he wanted. The only difference was Frank said there was no contract, and Gary swore there was.

    Now there’s a funny thing here. I still had no idea exactly which plugin this was! Frank had around 10 to his name, and three were from the December/January period. I had a guess about it, but I asked (for the fourth time) if Gary would please link to the plugin so I could be sure.

    I also asked Gary for a copy of the bespoke plugin to compare (again, this was a repeat ask), proof of a contract (again, a repeat ask), proof Gary had said the plugin was not to be shared (again, a repeat ask), and to please be patient as we’re all volunteers here (a repeat reminder). Oh and to stop telling Frank he was mentally ill, that wasn’t okay.

    Finally Gary linked to the code on WordPress.org. Gary also complained that he had a stellar history on .org (he did not) and I could see his public work history on a freelancing website that has a number for the name. That website, you may be amused to know, showed Gary had nothing but 1-star reviews. Gary claimed he’d conceptualized the plugin and named it (neither of those things are copyrightable to the best of my knowledge, especially since the name included someone else’s trademark).

    The email also came with a mammoth rant about Frank and Gary’s history. Gary was of the opinion that a developer who quit/canceled a contract partway through was ‘too fragile’ to be a developer. Then he went on to explain he’d dealt with a family member who had a mental break, and he thought he saw the signs in Frank. And it came with a lot more screenshots, none of which proved anything.

    Note: I have a tendency to stop talking to people when they get like Gary. It’s not because I’m fragile (as some people like to claim). It’s because when I find the other person so lacking in human empathy and so unwilling to compromise, I see absolutely zero point in continuing the conversation. If there’s no middle ground, and it’s only your way or nothing, you get nothing.

    I read the email and the screenshots and replied:

    Just so we’re clear here, you had no contract and no verbal agreement that he wouldn’t make the plugin publicly available?

    Me to Gary

    The rest of my email explained we needed to see something prior to the dust up of the plugin being hosted on .Org, that in any way shape or form indicated there was any agreement to not host this code on WordPress.org. Remember I had the evidence from GARY that he said it was okay. I wanted the evidence he claimed existed to prove he had said the opposite.

    I also pointed out Skype absolutely lets you export chat logs, and that would be a lot easier to read than the disorganized grabastic piece of shit screenshots he sent (I didn’t say it like that, I said it would make this process a lot faster).

    At this point, it had been 4 or 5 days of emails.

    Why Bother With Directions?

    Gary sent more low-quality screenshots, undated, unorganized, and hard to read. They looked like those fake screenshots people make of texts. That’s how bad it was. The screenshots, once I thought I had them in order, told a story of Gary bombarding Frank with messages at a time he knew Frank was offline (remember North America vs Pakistan). They all took place after Frank had put the plugin on .Org.

    At this point I still had no proof from Gary that he’d ever told Frank to not post the code up on .Org.

    In none of those screenshots is there mention of even “Make this plugin for us and only us.”

    That’s why I asked if you had a contract with him, other than the alleged verbal arrangement in Slack. Even just something that has you saying “This plugin will only be for us, right?” and him replying “Yes” in chat would do […].

    Me to Gary in email

    I also told Gary to, in the future, not be an idiot and get a goddamn contract. Which he should know as a freelancer himself.

    Gary replied that he’d had an actual verbal conversation on Skype. No one had a recording. So we were clearly back to the he-said/he-said world. I hate those. Gary also said if I didn’t pull the plugin, he’d get his lawyer involved. Again, Gary still had not sent me the code Frank wrote for him, so I still couldn’t even check if there was a GPL violation which, at this point, was the only reason I might have to pull Frank’s plugin.

    In fact, if Gary could have proven any of the following, then I likely would have pulled Frank’s plugin:

    • Frank had agreed to never share the code he wrote while working for Gary
    • Gary had asked Frank to not share the code prior to it being submitted to .Org
    • Frank had used code from a non-GPL source

    The whole ‘premium plugin’ reason didn’t really apply here. It maybe was code from a premium plugin but, since I’d never seen that plugin, I couldn’t be sure. Making it even murkier, Frank and Gary both explained the code Frank posted was not part of Gary’s, but Frank had started it to do an above-and-beyond aspect of Gary’s request. Who knew who owned what anymore.

    Gary sent more emails of screenshots (still no log, still no dates, still a pain in the ass to decipher) and swore there was ‘proof’ in there.

    Sure was. Proof that substantiated Frank’s claim. I’ve transcribed so you don’t have to suffer the shitty screenshots:

    Gary: When we’re done with this [plugin] and it works, we’ll put this [on WordPress.org] and release it as a free/pay option.

    Frank: Okay.

    Gary: Free I guess can be the [extra] code which you have created […] then paid can be this version.

    Chat Log provided by Gary

    Later on in those logs was a bit where Frank specified exactly what code would be premium. Frank even said he was specifying so they were both on the same page, and there were no misunderstandings. And Gary agreed to that proposal. Only the ‘extra’ code (which was the only code in Frank’s plugin on .Org) was allowed to be on .Org.

    Tough Nuts

    Gary had no evidence that, prior to the code being on .org, he had ever said that Frank wasn’t allowed to post it. In fact, Gary had provided evidence to the contrary! All of Gary’s ‘proof’ about the code never being on .org happened after Gary found out the code was on .Org. Tough nuts here, Gary, but unless we can prove something, we’re leaving the plugin up.

    Gary replied that ‘the screenshot’ he’d sent was from before the code was on .Org. He’d sent 7 screenshots in the previous email, none dated. His points:

    • He pitched the gig to Frank
    • Frank was overworked and said he could look later
    • When Frank had the time, they Skyped and hashed out the details
    • Frank told Gary there were issues with the name, according to the WordPress Team
    • Frank sent the beta code to Gary
    • Gary and Frank worked out some changes
    • Gary then “realized” the code was on .Org and complained
    • Frank told Gary the code was limited, and contained none of Gary’s bespoke code
    • Frank told Gary (at some unspecified time) via voice-chat that none of Gary’s bespoke plugin would be public
    • After the breakdown in their work-relationship, Frank put the code up for sale on his own site

    If you’re looking at the fourth point and blinking a lot, me too. Who did Gary think this ‘WordPress Team’ was if not us? I was more-so blinking because Gary concluded by saying I should confirm I knew the conversations took place before Frank put the code on .Org.

    I could not confirm his claim on the timing because …

    • Many of the screenshots were clearly after the build of the plugin (the ones that have him swearing at Frank for releasing it)
    • None of the screenshots were dated so I cannot be sure about timeframes (I asked for the logs because of this)
    • I had no screenshot where Frank asks to have a Skype chat
    • I had proof Frank had told Gary there was a problem with the plugin name according to the WordPress team (aka the Plugin Review team)
    • Gary didn’t pay Frank until after the free version went up on .org (possibly after Gary knew the code was up, timing was unclear)
    • Frank promised none of the premium stuff would be in the .org plugin and Gary said he was okay with that
    • Frank denies any such Skype conversation took place that agreed nothing would be public
    • Work continued after this, with Gary not asking org to remove a plugin that he was aware of existing
    • After the money was refunded, Frank purportedly was selling the premium version on his own site (no one ever linked to where that might be)
    • Only then did Gary come to the plugin team
    • WordPress.org has no oversight as to what Frank does on his own site

    So Gary was asking for WordPress.org to remove the free plugin that actually he agreed was okay to make and give away, with code he didn’t want in his bespoke plugin. Code he had, per his own screenshots, very clearly agreed to have hosted on .Org.

    After the Battles

    In the end, Gary got nothing. He remains banned from WordPress.org since, after that, he made a couple hate-attack accounts to go after Frank. Frank ended up taking that plugin down because, as he said, he was tired of Gary’s abuse. He also claimed he’d learned his lesson about having a contract and statement of work before doing work.

    Gary never provided his copy of the code to validate the GPL issue. Gary never provided logs (with time/date stamps) that confirmed the order of events was what he said. Gary had no contract, only a verbal agreement, that Frank disputed.

    This was memorable simply because I’d really never had anyone show me a screenshot proving the exact opposite of what their claim was before.

    It was not the last time, but that’s a story for another day.

  • Plugins: Double the Damage

    Plugins: Double the Damage

    Sit down for a fun ride in what I can only call … The plugin equivalent of Revenge Porn.

    Player 1 forked a plugin from Player 2. Player 2 attempted to claim Player 1’s work as his own. Insanity occurs. And if you’re thinking it’s a simple case of he-said/he-said, it’s actually not. They both agree on a number of facts, but disagree on what the facts ‘mean.’ And it is hard to work around that.

    I’ll start by introducing our players (not their real names):

    • Ken – an existing plugin dev who was already on thin ice for submitting the same plugin over and over, due to not reading emails
    • Andrew – a new (to us) dev who possibly stole code

    Before The Drama

    Ken. He’d been a plugin dev for a few years, but he’d always been a problem. Not worthy of an outright ban, but he’d had a number of cautions and warnings.

    Ken’s biggest issue was his own head-in-the-sand arrogance, and a refusal to read. No, I’m serious. He had a history of not reading the emails, even when they were one sentence. This made his reviews take a hog’s age, and it made dealing with him something I had to psych myself up for.

    I was already frustrated enough to leave a note in his user account about it. Ken would read subject lines only, if at all. It was maddening and he was on his last warning already about communication. To wit, if you cannot (or will not) communicate with people, why are you here?

    Submission Wars

    On Monday, doing the usual weekend clear-out, I started like always. See, I preferred to start with low-hanging fruit. I would reject the outright bad or incorrect submissions (like people submitting Akismet) and pend trademark issues. This is, if you’re wondering, why I ended up writing so many blockers for submissions. It took that morning ‘easy’ work from 2 hours to under 1! Doing that work takes little brain power, though it was always time consuming, and let me ease into the day.

    That day, I ran into Andrew who had a trademark issue out of the gate. The name of his plugin started with ‘WoCommerce’. Yes, one O. Around then was when I’d just introduced the blocker on starting with ‘WooCommerce,’ and for the life of me, I don’t know why people see that they cannot use a trademark and decide it’s smart to ‘tweak’ the trademark.

    Note: For the love of the flying spaghetti monster, DO NOT try to ‘get around’ a trademark issue with a clever spelling. The legal concept you’re violating is ‘intent to infringe’ and I have to tell you, Facebook has zero tolerance for that.

    Back to the plot, I emailed Andrew and explained the plugin was pended due to trademarks. Also it’s Woo with two O’s.

    Imagine my surprise on Tuesday when I saw the same plugin submitted with the same name typos and now a ‘Free’ at the end (because the original name was used). Now usually this happens when someone doesn’t fully read the email that says to reply with your code attached. Sometimes it’s two people with the same idea and, since we blocked multiple submissions, it’s often someone using two separate accounts to resubmit. Giving this new one the benefit of the doubt, I checked and saw it was an existing dev, Ken!

    I downloaded this new plugin and then Andrew’s and compared. Guess what? Same code. The readmes, mostly, were different, but not in a good way. Ken’s was a half-edited version of Andrew’s, and Ken’s plugin headers also credited Andrew.

    This means, whoops, Ken submitted a copy. That gets Ken’s rejected and Ken is told that either he stole this (bad) or he’s working with Andrew and resubmitted instead of following directions (also bad).

    Meanwhile, I also emailed Andrew asking “Are you working with someone else and did you goof the reply?” Andrew replies promptly, with the new code, explaining a very odd story.

    Andrew said that Ken will claim Andrew stole Ken’s plugin. He named Ken! I was stunned and kept reading. According to Andrew, he made a more complex plugin and had offered it as a patch, but Ken said no. Then Ken stole it back from him since, per Andrew, Andrew’s code was cooler. Furthermore, Andrew said Ken was likely to claim Andrew stole it from him (Ken) who sold the plugin, but not with Andrew’s features.

    So this is already a bit of a mess as you can see. And no, Ken didn’t take it well, already ranting that we rejected his plugin.

    Who Stole First?

    My first thought had been that Ken was 100% wrong, and Ken had taken Andrew’s code. Now it looked like Andrew forked Ken’s plugin and Ken wanted to steal it back. Who is right in this situation?

    I did my due diligence and confirmed Ken was selling a plugin that claimed to do the same thing. It was over $100 USD mind you, and that’s a lot for a 3 file plugin (including the readme). I was surprised that Ken’s version was riddled with security flaws not all found in Andrew’s version (no sanitization, no escaping, no nonces, trademark abuse, broken translations, etc etc). No one was going to pay $100+ for that! Also why would he not take Andrew’s fixes?

    Since Ken had emailed claiming it was his work and I was wrong, I replied and pointed out his plugin submission was copying much of Andrew’s work. This means even if the core plugin was his, he would have had to credit Andrew. Oh and could we please see the original, premium, plugin to see what Andrew ripped in order to address that part.

    But looking at Ken’s bleak history, I realized this was going to be a big problem. Ken jumped right into the blame game and name calling, as I feared.

    After a gut check with others and confirming it sure looked like Ken made a spite submission, I was leaning towards a ban. He was already replying in anger and now he was shouting that Andrew stole from him, but he refused to share the premium plugin lest I steal it. While I’ve received hundreds of premium plugins to do an ownership/copying check on, I have never kept them without buying them. Once or twice I found a plugin I’d pay for, and I did. But the rest I deleted as soon as I could. Ken’s claim was we would take his code and host it on .org for free. Which… no.

    Ken actually confirmed he did take Andrew’s ‘version’ of the code, but refused to credit because Andrew forked his code, and he didn’t have to credit since his was the original plugin. And anyway, Ken said he did it in order to hurt Andrew. This made it clear. He had made a SPITE submission.

    In Ken’s email about being banned I said this:

    After you submitted [plugin], which was clearly at least partly someone else’s work, we did some research on how you came to take that code and misrepresent it as your own. In doing so, we have determined that your actions were of an intentionally abusive nature. This behavior of yours is unwelcome here in our community.

    Me in an email to Ken.

    Andrew was given the benefit of the doubt as I tried to figure out if he really forked or not (remember I had not seen Ken’s original plugin yet!), but he too was flagged for possible naughty behaviour. The odds were he had a disallowed fork, and he was cautioned that if the plugin was a premium one, we couldn’t host it on .Org.

    At this point, here’s where we are:

    • Ken charged over $100 for a piece of shit code.
    • Andrew (may have?) forked it because it’s shit and submitted it after Ken said he didn’t want it.
    • Ken submitted the same code as Andrew’s version.

    Since Ken had been a known bad egg, was now intentionally acting badly, and had already started to rant, it was a no-brainer. Ken was a problem, Ken was acting hatefully and spitefully, and Ken had a bit of conspiracy paranoia going on.

    What Did I Expect?

    I did not expect over 40 emails over a week, ranting. Most made it pretty clear Ken only read the subject lines of the emails, and never the content.

    First Ken claimed it was originally his, even though the version Ken submitted literally credited the other guy. Then Ken claimed he just copied the readme, but again, the code credited Andrew. It had the same formatting to boot. You can see where this is going right?

    Next, Ken claimed he ‘accidentally’ uploaded the nulled version Andrew had posted to the web prior to uploading on .org … except Ken’s version has his partly rewritten readme. That is pretty weird. How does one upload a partly ‘corrected’ nulled version? The obvious answer is that he realized (as had I) that Andrew’s code was better than his and stole some of it! Actually a lot of it.

    Ken’s argument became “I am releasing the basic version as a Albert is stealing my code!” And if you just went “Who the flying fuck is Albert?” so did I. Five emails from Ken came in, including claims we ‘stole’ his plugin.

    Yes. The Plugins Team stole his plugin. How, you ask? Well, it transpired that Ken believed the plugins team, by accepting the submission from Andrew, had committed theft, even though we had not approved the plugin. It was in pending, at this point.

    I suppose you could maybe argue someone attempted to use WordPress.org as a fence for stolen goods, or a money launderer. But since the Plugins team did not accept the goods, we stole nothing.

    Where Are the Clowns?

    At this point, Ken kept linking to his code (still too much money) and saying I should look at his code (not going to pay for it). Ken also said he’d sue if we didn’t reply to his emails (there were like 10 separate emails from the last time I’d replied, I was trying to catch up). He also claimed he wrote the plugin with two other guys, one of which was Albert! Our mystery guy!

    Officially once you say the magic words invoking legal action, the Plugin team stops talking to you, save to point out we aren’t qualified for legal stuff and here’s the foundation’s contact. Keep in mind, Ken’s emails were minutes apart, so no one had a chance to reply even if we wanted to.

    Naturally Ken went on to claim we were “in cahoots” with Andrew and he would handle it from his legal team. Then he demanded we do the “right thing” and reinstate his account and host his code. Also he claimed Andrew was a scam artist who was harassing Ken. (Remember this, it comes back to haunt Ken.)

    I said ‘no’ because it was damn clear Ken was operating in bad faith, not to mention he had a history and had been on a final warning at the start. This prompted Ken to claim he wasn’t warned, except he was. Not only was he warned, the read-receipts in HelpScout showed he’d opened the email! When that was pointed out, Ken said he’d not read the email, as he’d been asleep.

    I found the hypocrisy of not reading emails while being pissed I was reading all before replying to be amusing.

    Either way, though, he was up and reading things now, and yet still hadn’t read the other email. This goes back to longstanding issues with him not reading. But hey, Ken claims he did read the chat logs and knows exactly who Andrew is (or Albert).

    Ken went on. Andrew was harassing him, stole from him, was a racist, tried to hack his site and so on. Also WordPress.org would be enabling him and we needed to stop hosting his code.

    I had not approved Andrew’s plugin and pointed that out. We didn’t host it. And when a plugin is rejected, the zip is deleted so we don’t have it anymore.

    There Is a Point

    All of that said, I absolutely DID take Ken’s claim seriously! Yes, Ken was an angry and vengeful man, but theft isn’t okay! So I pointed out (again) that Ken needed to email the code of his premium plugin to the plugins team. I had zero intention of signing up since I was sure he’d take that information to abuse/harass me.

    Finally he sent the code, and guess what?

    Andrew’s code was not the same.

    The code was not even close, except for one page, which had some of the same security issues as Ken’s plugin (most were fixed), and that means this was what would normally be considered a legitimately different fork. Even if you just compared Andrew’s code to Ken’s code with the license check removed, there were distinct differences (some worse, some better).

    The problem, however, is that it was a fork of a premium plugin that was non GPL (same as the previous post). WordPress.org couldn’t host it.

    But before we could reply, there were another 10+ emails. Yeah, 10.

    After threatening to sue WordPress, Ken finally broke down and gave us the whole deal from his side. According to Ken, over and over, the real story is as follows:

    • Ken charged $100+ for his plugin.
    • Andrew bought and stole his plugin by putting a nulled version up for download on a nulled software site. He linked to it.
    • Andrew used stolen credit cards to buy the plugin in the first place.
    • Ken did not take anyone’s code.
    • Andrew was a racist.

    The problem with that story is:

    1. The post on the nulled site did not match the timeline. It was made after the plugin submission, which was over the weekend.
    2. Ken’s submission literally said “Yadda Yadda Plugin Written By Andrew LastName”
    3. The code Ken (eventually) shared as his version was totally different save for one page (the settings page).

    Also we had no evidence that Andrew was anything other than a frustrated dev who just wanted the code to work without conflicts (Ken’s really didn’t), and was mad that Ken blew him off.

    Now. I do give people the benefit of the doubt, but that changes once people jump up and want to sue you. Not to mention Ken’s version of events didn’t pass the sniff test.

    Andrew forked Ken’s code, and Ken retaliated by stealing Andrew’s.

    I (Don’t) Know The Law!

    At this point, we moved into lawyer stuff. Ken named his lawyer and I looked him up. He was a personal injury lawyer based out of California (Ken claimed to be from somewhere in the midwest). But hey, maybe he side hustles? The lawyer also does corp law counselling, which maybe would have helped Ken, if he had a leg to stand on.

    This prompted Ken to claim a judge would rule in his favour as WordPress.org didn’t follow “details” and didn’t investigate any copyright claims. I knew that was unlikely. A judge would say “They didn’t host the code, they rejected it. They’re not at fault here. They didn’t steal your code.”

    He went on to talk about how he had to read 26 emails (he sent all of them!) and proved his plugin was older (not in doubt at the moment). Ken continued, because the code wasn’t allowed to be forked (GPL), and a judge would certainly agree.

    He was wrong. Since I had rejected Andrew’s code already (because it was a fork of a premium plugin), I was sure we’d been in the clear. We had, in fact, agreed with Ken and did the right thing by rejecting Andrew’s plugin. And yes, I told Ken that.

    Ken replied and shared private information which actually … hurt his argument. In the “evidence” there was a bunch of screenshots of chats wherein Ken called Andrew a “stupid [racial-slur] scammer” and a “dumb fucker” which frankly, even if Ken’s right about theft, is not how you handle things.

    Remember how I said the racism thing would come back? Ken was the racist. He had some more slurs that made me feel a bit ill in his messages to Andrew who, at worst, told Ken he was a dumb bitch. Not nice, but nowhere near the level of Ken’s insults, and none were racist.

    The End Results

    Ken remains banned. He’s got anger issues and doesn’t understand how to play well with people. He has since asked to come back with a new account and was told no. But also:

    We will, at this point CONFIRM with you that we’re not hosting the code submitted by anyone else either, so don’t worry about that.

    We won’t allow anyone to host your code here.

    Plugins team via Email to Ken

    After that he asked to make a third new account and was told no, mostly because he jumped to suing.

    As I mentioned, Andrew’s submission was rejected as it’s a fork of the premium plugin by Ken, and we don’t allow that. Andrew read the email and said nothing in response, which is fine.

    I still have no idea who the hell Albert is.

  • Plugins: Bad Thief

    Plugins: Bad Thief

    The summary of this story is: The GPL does not mean WordPress.org has to host whatever code you want it to, regardless of what you think.

    I promise it gets there.

    Starting off bad

    The story of Donald (fake name) begins with a plugin submission he never finished. Back in August 2021, he submitted a plugin with a number of security flaws. And a review to which he never replied. The plugin was rejected in February ’22 and resubmitted in March (one month later).

    Per usual, Plugins flags those and asks the dev “Hey, you gonna reply this time?” because it’s a waste of everyone’s time to review shit they don’t use here. Donald assured us he would, so he got a full, lengthy, review.

    I’ll admit, his reply was pretty unique.

    It was a massive rant which I cannot share (privacy) but here are the key takeaways:

    1. He has been a developer for umpteen years
    2. He copied a plugin to make his own
    3. He thinks he bought the code via WordPress.org
    4. He would not make the security changes we listed
    5. The original plugin had the same flaws
    6. Other plugins have flaws too
    7. He thinks he bought the ‘source code’ (oh no…)
    8. He wants us(?) to fix it

    Oh no…

    A clip of an Alex Norris cartoon where the amorphous blob says “oh no”

    I pinched the bridge of my nose. Anytime someone jumps to the old chestnut claim of “I am a developer of a bajillion years!”, it never ends well. Seriously. If you’re a developer since day one of WordPress, you should know not to break the guidelines.

    I rejected the plugin and clarified a couple things.

    • In no way did Donald buy a plugin from WordPress.org
    • We don’t review every release of every plugin so yes, some have flaws
    • If it’s your plugin, you have to fix it
    • If it’s not your plugin, you can’t host it on .org
    • Removing the copyright and not making any changes isn’t a fork, it’s theft

    That went over about as well as wearing a Yankees hat to a Cleveland baseball game.

    What did he buy?

    People will argue left right and center that it’s not stealing if the code is GPL. The part they always seem to miss is that it’s not their work, and it’s a lie to claim it is (this is why you add copyright, folks!) and when it’s a PREMIUM plugin, like this is, it’s stealing because you broke their license. And yes, he did.

    But Donald was stuck on this weird part that he believed buying a plugin meant he owned it and could do whatever he wanted. Now if it was GPL, technically he could do that, but that doesn’t mean we have to do what he wants. And WordPress.org will not host code that you didn’t write, or at least reasonably fork.

    I purchased the rights to the source code directly from the author.

    Donald via Email

    And he cc’d the original developer, Adam (fake name)!

    I took a look at Adam’s account on .org and found his plugin. It was a free version of the one in question, and yes had security issues. In fact, it had been closed about a year ago.

    Adam replied before I did and said “bro, no you did not.” I backed Adam, explaining what Donald bought was the code to use, and the license on Adam’s website said it could not be resold (remember it was non GPL code).

    Good, we’re done!

    Donald replied with proof. What proof? A bunch of PDFs that (he said) proved he owned it.

    It did not. The attachments showed he bought a yearly license for a number of domains.

    Donald and Adam had a lot of back and forth about how that wasn’t how a license worked (Adam) and insisting he owned it (Donald).

    The next attachment PDF showed he paid for a license (again) and a new one that said it’s a charge and how much (though not what for…). I assume he paid that for the ‘source code’ and I made this face:

    Lucille Ball making an “ewwwww” face

    At this point, Plugins was never CC’d on any reply from Adam (remember Adam’s plugin was closed because of security), and Donald just kept going.

    It’s Mine!

    It got a little hard to figure out what was what, because Donald would reply-all and Adam wisely only replied to Donald. However since Donald quote-replied, we ended up getting almost everything.

    Donald moved on to explain this was a fork, a term he learned from me, and he could prove it because he used fewer files and it was organized differently. The problem was the code was the same. About 80% or so the same. Not a small amount. And Donald insisted the GPL meant he could do this.

    Again, yes he could, if the original code was bloody GPL to begin with! And it wasn’t. Oh and he didn’t meet the GPL requirement for copyright (GPL says you gotta retain copyright and add yours) nor WordPress’ for disclosure (you gotta credit the OG devs). Thus, Donald failed the sniff test.

    This went on for hours and I didn’t reply.

    Now, if you’re wondering “Why didn’t anyone reply?” it’s because that bevy of emails came in between 4pm and 4am Pacific Time. At this point, though, it was crystal clear that Donald had:

    1. Copied code and did, in the end, make a fork
    2. Copied premium code from a non GPL source
    3. Did not disclose the copying/forking in his readme nor source code
    4. Thinks he bought the rights to the source code (… that’s not what that means, but okay)

    Oh and he was still insisting he bought it from WordPress.

    So I tried again. I repeated the facts (you didn’t buy it from WordPress.org and it doesn’t meet the guidelines to be hosted on WordPress.org as a ‘fork’) and then followed up with banning him since, after 14+ emails overnight, it was obvious the cheese had fallen off Donald’s cracker.

    I did take a moment to recommend he not post the code on GitHub due to the GPL issue, and if he did, Adam might have a legal case. I also told Adam I told Donald that, so Adam had a chance to protect himself.

    Enter Crazypantsland

    This time Donald agreed he didn’t buy it via WordPress.org, however he insisted he’d paid for the code (quoting half the price that was in the pdf I will note).

    Again, you are wrong, I DID NOT take the premium plugin. What I took was the code base of [the version] I purchased provided to me by the author after he received payment. Only [then did I rebrand] and modify […] the code as my own.

    Donald via email (removed identifying information)

    Honestly I sat back.

    His argument was he didn’t take the premium code, he took the code he purchased. I took a deep breath. I mean, maybe he just failed to make that connection? But I (and Adam) had already explained that before so who knows.

    Donald’s email went on to …

    • Agree that I was correct to not host the code
    • Disagree that he’d ever claimed he bought it from WordPress.org
    • Agree that he bought the code from Adam
    • Disagree he should be banned

    To be fair, few people would agree to that last one.

    I tried again to explain how what he did was harmful, and the fastest summary of what he did is this:

    Three panel comic. The first has someone showing off a ball and saying “I made this!” Another person takes the ball and says “you made this?” The next panel just has the second person holding the ball. The last panel has the second person declaring “I made this.”

    Donald put some bells on it, but that’s basically what he did.

    The gist again is “I did not take his code, I bought it and used it.”

    He took something, which in that moment he had the legal right to take! But it’s still taking. If you bought a copy of the Sherlock story “A Study in Scarlet” (which is public domain!) and then re-released it with your name on it and a modern update, it’s not YOUR work anymore. It’s Sherlock the TV series, who bally well credits the source properly. But they don’t call it their original work, they call it an adaptation.

    They credit.

    Donald did not, and would not.

    My Cousin Vinny

    Marisa Tomei aside, Donald explained his legal rep (a family member) had told him he didn’t buy the code the way he thought he did. Donald had bought a license to use the code.

    Blessed hallelujah! I thought it was done. Alas, Donald went on to say he was going to clarify that little license matter with Adam (he never did, Adam refused), and then said that since it was legal to take code and reuse it, per GPL, he was good to go, please host his code.

    This is after he agreed we were right about the non-GPL thing.

    I explained, again, that the bottom line is WordPress.org will not host forks of premium code, will never allow non-GPL code, and would not accept forks that don’t credit the OG. Donald hit the trifecta. I recommended he ask his lawyer-family-person about the concept of “fruits from the poisoned tree.”

    Donald went on to make all sorts of entirely wrong legal claims that the GPL allowed this, so WordPress had to let him host the code, and on and on. Then he threatened to sue.

    At that point, I stopped. He got the final reply with the official “you are banned and we won’t read your emails anymore because you clearly do not get it” message.

    The weekend happened and on Monday I found an email saying Donald had complained legally, and they too marvelled that someone would have a lawyer explain they were wrong, only to double down on the wrong.

    I still need to send a sympathy gift to that poor person who had to deal with Donald.

  • Plugins: When It Changed

    Plugins: When It Changed

    Many people have told me that I should write a book about plugins and name and shame the shitty ones.

    I’m not down with that.

    For the past fifteen years or thereabouts, I’ve been reviewing plugins at WordPress.org. In 2015 I took over as the rep. I stepped down entirely in July 2023 for personal reasons that have nothing to do with my passion for WordPress, but are in fact “because” of WordPress.

    In fact, it’s really “because” of plugins. But to be specific, it’s because of developers.

    Book Him, Danno

    I really mean this. It didn’t used to be this bad at all. Sure we had some rough devs, many of whom have left the ecosystem, but overall the level of asshattery was tolerable. You could have an argument and things were kind of okay.

    I distinctly remember when that changed. Like, I can tell you exactly where I was standing, talking to a coworker, when it dawned on me what was happening and that this was probably a turning point.

    It was 2010 and we got the weirdest email from a company (fake name Booker Inc.) who explained their former employee (fake name Liam) had stolen a plugin.

    Stealing a plugin is a weird concept to many when you think of OpenSource. You can’t steal something that is free, and anyway WordPress’ license lets you fork (copy and alter). A lot of people despise me for saying they stole, likely because of that. But the reality here is if you take something, created by someone else, put your name on it and proclaim it was 100% your original work … ya done stole.

    An employee stealing from a company though, that was fascinating. I replied asking for some more details and what really was going on. As it transpired, Booker Inc. made a booking plugin that was behind a paywall, primarily built by an employee, Liam, who then was terminated, took the code, and put a copy up on WordPress.org.

    The Investigation

    Naturally the first thing I did was check the logs. Since Booker Inc’s was a paywall’d plugin, I asked for a copy to compare to as well. The logs I wanted to compare to their timeline claim. Liam was fired on X date, and a week later the plugin was submitted.

    That told me that it was extremely likely Booker Inc.’s plugin came first. I downloaded both plugins and ran a diff on them using DeltaWalker. What I saw was a line by line copy, where all copyright and credit was removed.

    The copyright is the reason, by the way, that I use the terms “theft” and “stealing” when I talk about this kind of thing. Copyrights and trademarks are, as I often say, “things with which one does not fuck around.” Copyright and Trademark laws are serious shit, and the GPL even says you need to include copyright! In fact…

    If you have copied code from other programs covered by the same license, copy their copyright notices too. Put all the copyright notices for a file together, right near the top of the file.

    How to Use GNU Licenses for Your Own Software

    Translation? Don’t remove people’s copyright!

    That means in this case, we had copyright infringement (the second plugin had removed the copyright), and a copy of a plugin that was line-to-line identical except the name.
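    The checks described above (diff the two trees, look for stripped copyright notices, sanity-check the reporter’s timeline), as an added example that is not the Plugins team’s tooling; the post did this by hand in DeltaWalker. All plugin files, names and dates below are constructed stand-ins, and the 0.7 similarity cut-off is an assumption, not a WordPress.org number.

```python
"""Reviewer-side copy check for two unzipped plugin trees."""
import difflib
import re
from datetime import date

# Constructed stand-ins for the two plugins: path -> file contents.
ORIGINAL = {
    "booker.php": (
        "<?php\n"
        "/*\n"
        "Plugin Name: Booker\n"
        "Author: Booker Inc.\n"
        "Copyright (C) 2010 Booker Inc.\n"
        "*/\n"
        "function booker_reserve( $room, $day ) {\n"
        "    global $wpdb;\n"
        "    $table = $wpdb->prefix . 'booker';\n"
        "    return $wpdb->insert( $table, array( 'room' => $room, 'day' => $day ) );\n"
        "}\n"
        "add_shortcode( 'booker', 'booker_form' );\n"
    ),
    "readme.txt": "=== Booker ===\nCopyright 2010 Booker Inc.\nBook rooms.\n",
}
SUBMITTED = {
    "liam-booking.php": (
        "<?php\n"
        "/*\n"
        "Plugin Name: Liam Booking\n"
        "Author: Liam\n"
        "*/\n"
        "function booker_reserve( $room, $day ) {\n"
        "    global $wpdb;\n"
        "    $table = $wpdb->prefix . 'booker';\n"
        "    return $wpdb->insert( $table, array( 'room' => $room, 'day' => $day ) );\n"
        "}\n"
        "add_shortcode( 'booker', 'booker_form' );\n"
    ),
    "readme.txt": "=== Liam Booking ===\nBook rooms.\n",
}

# Matches "Copyright (C) 2010 Holder" / "Copyright 2010 Holder" and captures the holder.
COPYRIGHT_RE = re.compile(r"copyright(?:\s*\(c\)|\s*©)?\s*\d{4}\s+(.+?)\s*$", re.I | re.M)
SIMILARITY_THRESHOLD = 0.7  # assumed cut-off for "this is a copy"


def code_lines(text):
    """Non-blank lines with the leading /* ... */ header block and comment lines
    dropped, so a rebranded header does not hide an identical body."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_comment:
            in_comment = "*/" not in line
            continue
        if line.startswith("/*"):
            in_comment = "*/" not in line
            continue
        if line.startswith(("//", "#", "*")):
            continue
        lines.append(line)
    return lines


def compare_trees(original, submitted):
    """Pair each original file with its most similar submitted file: path -> (path, ratio)."""
    report = {}
    for opath, otext in original.items():
        olines, best = code_lines(otext), (None, 0.0)
        for spath, stext in submitted.items():
            ratio = difflib.SequenceMatcher(None, olines, code_lines(stext)).ratio()
            if ratio > best[1]:
                best = (spath, ratio)
        report[opath] = best
    return report


def overall_similarity(original, submitted):
    """Line-weighted similarity across the whole tree, 0.0 to 1.0."""
    report = compare_trees(original, submitted)
    sizes = {p: len(code_lines(t)) for p, t in original.items()}
    return sum(sizes[p] * r for p, (_, r) in report.items()) / sum(sizes.values())


def copyright_holders(tree):
    return {m.group(1) for text in tree.values() for m in COPYRIGHT_RE.finditer(text)}


def stripped_copyright(original, submitted):
    """Holders credited in the original that no longer appear anywhere in the copy."""
    return copyright_holders(original) - copyright_holders(submitted)


def review_verdict(original, submitted, terminated, submitted_on):
    """Findings a reviewer would act on; close when the body is a copy with credit removed
    and the reporter's timeline (dev left, then the copy was submitted) can hold."""
    similarity = overall_similarity(original, submitted)
    stripped = stripped_copyright(original, submitted)
    timeline_ok = submitted_on > terminated
    return {
        "similarity": similarity,
        "stripped_copyright": stripped,
        "timeline_ok": timeline_ok,
        "close": similarity >= SIMILARITY_THRESHOLD and bool(stripped) and timeline_ok,
    }


if __name__ == "__main__":
    # Constructed dates: fired on the 1st, plugin submitted a week later.
    print(review_verdict(ORIGINAL, SUBMITTED, date(2010, 6, 1), date(2010, 6, 8)))
```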

    Oh and it was copied from a plugin … that wasn’t GPL.

    Conclusion Clue(do): Close the plugin.

    The End is the Beginning

    After the second plugin was closed, Liam was emailed something to the gist of “Your plugin is a copy of your old employer’s, Booker Inc., and you broke copyright. On top of that, the code isn’t GPL, so we can’t host it.”

    That’s pretty reasonable, I thought. It wasn’t until about 10 years later that we sat and formalized all those emails as you see today (mad thanks to Josepha for being my copy editor back in those days!). Back then, 2010? Nah, we were winging it. But the email in this story was serviceable.

    At the same time we did that, I emailed Booker Inc. and said the plugin was closed and we wouldn’t host it because of the GPL thing. Done, dusted, situation over.

    Liam replied that the code was legally his and he had the right to do this and change copyright as the owner.

    And you know what? That might have been the case.

    Above and Beyond

    One thing about plugins that pisses off OpenSource purists is that the guidelines are above and beyond the GPL. Meaning, you have to meet all the requirements and restrictions of the GPL, but you also have to follow the WordPress.org guidelines!

    So what guidelines kick in when Booker Inc. reports a plugin is not GPL and Liam says since the plugin was 100% his, he can re-assign the licence? Is that still theft? Is it violating the GPL requirement (one of the few we cannot give a ‘pass’ on)?

    At the time, the guidelines had a lot more wiggle room. Today, WordPress.org is patently clear that even if the premium plugin is GPL, we will not host it because it hurts the ecosystem. I readily agree that all plugins behind paywalls hurts the ecosystem as well, but taking someone’s work and giving it away (usually claiming it’s yours), is a dick thing to do. You took money out of their pockets and could be wrecking a small business. It’s a balancing act.

    I immediately asked Booker Inc. if they had a contract for the work that clearly spelled out ownership. They did, and agreed to share it with Plugins. It stated the work would be the property of Booker Inc.

    Next I asked Liam if he had a copy of his contract so we could validate ownership rights. He did, he shared it with us, and lo the contracts matched.

    Now, regardless of my personal feelings on this, it was pretty clear. The contracts spelled out the code would belong to the company. It also actually said that the code wasn’t GPLv2, which I’d never seen in a contract before. The contract also stipulated that Liam would work with a team. They did the UX, he did the PHP.

    So. I emailed Liam back and said I was sorry, but the contract made it clear that he did not have legal ownership, and thus couldn’t change the license. In addition, even if he was the owner, the contract indicated he was not the sole developer, and would have to get permission from everyone who wrote so much as a line of code to change the license.

    Booking dot Hell

    At first, Liam seemed to understand. He didn’t like it, but he understood he’d signed this contract. I told him something I have told many people before, and it’s always: get a contract that protects you. If someone hires you for work, get that damn contract to protect you. There’s a story I will share later about a reverse of this situation, but basically that contract exists to clarify who owns the code, who has the rights, and it wasn’t Liam.

    About a week or so later, Liam submits a new plugin. Also booking related. I eyeball it because while that contract implied an NDA existed to restrict Liam from working on booking code, I knew that wouldn’t hold up in court in their country. However, there is a fun legal concept known as “fruit from the poison tree.”

    If a single line of code in that plugin was taken from Booking Inc.’s plugin, the entirety of the new plugin was not permitted. Generally we advise people to not try and submit a similar/related plugin, mostly for that concern, but also because of bad blood. There was no way on earth that Booking Inc. would be chill.

    As it happened, the code was about 75% the same. It was summarily rejected and Liam was told why. I distinctly remember telling him not to submit another booking plugin, because the wall for him was so high, he’d have to start from zero and not use anything from the original.

    Liam said he was mad, but understood. He said he wouldn’t resubmit a booking plugin.

    Liam Lied

    For the next three weeks, Liam made a new account every other day or so, and resubmitted variations on the plugin. I rejected them all and would email his first address, explaining he needed to stop.

    He didn’t. We ended up banning first his email domains, then his IP, and there was a time he couldn’t even visit .org. I hate doing that kind of ban, because it impacted others, but again, hard choices.

    Then it got weird.

    Someone with another booking plugin emailed plugins freaking out because they got an email, impersonating me, telling them that their plugin was closed! It was mostly a copy pasta of my email. And Liam had spoofed the plugin email address.

    I had the new person check the email headers, and we confirmed it was not official. But then more people with booking plugins contacted us! Worse, those emails had “me” attacking those people! The closest I get in plugin emails to insulting people is when I tell them they made a stupid choice, or they acted like a jerk.

    We fixed the spoofing issue, and that stopped, but it was that second email, the second one impersonating me, that told me this was bad. Real bad. This was changing the game bad.

    Abuse is Now Common

    It’s been 13 years, give or take, and people like Liam went from being a once in a decade occurrence to yearly to weekly, and finally to pretty much daily.

    People hear “no” and decide the correct thing is to be a complete and utter abusive asshole. They believe they have the right to do what they want, and damn everyone else. These days people call it being a “Karen.” Oh and yes, they ask if they can speak to my manager.

    [Image: a creepy smiling woman who is about to break down an annoying customer. Caption: “I AM the Manager” (unknown source)]

    By May 2023, if a day went by without someone, somewhere, deciding that the plugins team could fuck themselves, I was surprised and relieved. You’d get three in one day, move their emails to the auto-block system, and it would be tense for a couple days because most people made fake accounts to try again.

    And again.

    And again.

    The Toll

    While Liam pissed me off, personally, in retrospect what he did was tell me we needed to clean up the guidelines, organize our rules, and make it more clear that being abusive needed to stop. Impersonation should be an instant permaban.

    WordPress.org didn’t get a community guideline until 2022, and yes, I was one of many people who regularly complained that we needed it a hell of a lot sooner. It became up to each team to sort out how to handle infractions, and what in fact was an infraction.

    Each team has suffered rage quitting and burnout, due in part to the loosey goosey guidelines like that. It feels like you don’t have real support. If we did, that saga I refer to as “my idiot harasser” would have been a lot shorter. Or over.

    I don’t blame WordPress directly for this. The community has done their level best to help and protect each other. So has leadership, as much as they could. But I really do feel the absolute lack of overall guidelines for “don’t be a dick” would have short circuited a lot of the pain people have had to deal with.

    No, this was clearly not a thing WordPress did. This was a shift in the world, and honestly? It’s only gotten worse.

    Why Not Name?

    I have a lot of stories like this, and I absolutely will be sharing more. But I will not tell you exactly who people are.

    Oh Liam probably sees himself in this, and that’s fine. What’s he going to do? Leave a comment to complain I’m not telling the whole story, and out himself as a human who felt impersonation was the right way to prove his point? He crossed a line and there probably is no way back at this point.

    But naming him removes the “probably” from that. Naming him means that he is forever branded as the asshole. And I actually still firmly believe that nearly everyone can come back from crossing that line.

    Otto has often called me an optimist for that. He’s right. I am optimistic that the human condition lends itself to empathy. We’re all on this rock together. We aren’t getting to Mars if we can’t figure out how to exist respectfully with people we disagree with.

    And I feel that most people want to be in a group. Humans don’t want to be alone. Getting excluded from the group hurts, and people will do anything to get back in if that’s the only group. That’s reasonable, right? And when people have a bad day, getting kicked out, they lash out.

    Likely Liam and most people like him never think about me again. I recently was reminded that for an adult, making a joke about a kid being chubby doesn’t stick in the adult’s memory, it’s just another day. But that kid will remember the time and place their parent called them fat.

    I’m not the parent.

    I remember the days, probably all of them given a prompt, I’ve had to tell someone no and close the door on them. Because it remains my secret hope that everyone like Liam feels a little bad, and sorry. Not sorry because he got kicked out, though. Sorry that he hurt someone.

    And if that happens? If a Liam developed the empathy to understand how his actions harmed others and sincerely apologized? I would be the happiest woman in the world.

    I want to leave that door open for the Liams in the world.

    I hope you will too.