ACF Gets A Fork By WordPress.org

A series of forks in multiple colours.

Summary

Matt Mullenweg has taken the next step in his fight with WP Engine and Silver Lake by forking Advanced Custom Fields into Secure Custom Fields (SCF) to protect its security after WP Engine/Silver Lake’s ban from WordPress.org infrastructure. While emotions are high, this move highlights the importance of maintaining the security and integrity of WordPress’s ecosystem. Forking under the GPL is not unprecedented, and this action reinforces the need for WP Engine/Silver Lake to negotiate in good faith.

Up front, I just want to be clear that I work at Automattic and had previous knowledge that this work was being undertaken and began writing this post before the official launch. If you haven’t yet read the official post, I suggest you do.

My goal with this post is to provide a little bit of insight from my perspective on why this has been done and answer some questions that folks in the community might have. These views are my own and don’t necessarily represent the views of Automattic. I’m not saying that to distance myself from Automattic but just to be clear that these aren’t official positions by them and just my personal musings and thoughts.

A Ban Is In Place

Regardless of whether you agree with the ban on WP Engine / Silver Lake or not, it exists. The result of that ban is that folks affiliated with WPE/SL (employees and contractors, IMO) no longer have access to the infrastructure of WordPress.org. They cannot log in, update, or remove their existing plugins and themes. The ACF team have also provided an alternate way for people and teams using ACF to access ongoing updates.

While this is not the first time a ban has occurred, this is the first time it has happened where the scale of the plugin in question requires a more nuanced approach. For example, as a stop-gap, the WordPress security team recently rolled out an update to patch a vulnerability on behalf of the WPE/SL team. This worked to solve an immediate problem but it does not resolve the issue in the long term.

It goes without saying that yes, this could be fixed if WordPress.org lifted the ban on WPE/SL. However, as I have previously stated, the volume is going to continue to rise and WPE/SL is going to continue to feel the pressure to negotiate in good faith as the levers available to the Project Lead are exercised. WPE/SL has sued Automattic, WordPress.org and Matt Mullenweg, not the other way around.

Introducing Secure Custom Fields

Given that there are currently over 2 million active installs of Advanced Custom Fields and the developers of the plugin do not have access to dotorg to maintain its security, the decision was made to fork ACF.

There are rules on dotorg that govern forking in the Plugin Handbook: “We also don’t accept 100% copies of other people’s work or plugins that duplicate functionality found in WordPress Core. Basically, your plugin should do something new, or in a new way, or solve a specific issue.”

The WordPress security team is also within its rights as described in Point 18 of the Plugin Directory guidelines to assume maintenance going forward.

The first release of Secure Custom Fields implements a stronger patch for the security vulnerability that was patched in 6.3.6.1 of the original plugin, and creates a divergent, non-commercial pathway for development and distribution. If you are extending ACF and have plugins in the dotorg repo, I highly recommend you test compatibility with SCF.

The new plugin, Secure Custom Fields, is also now open for contributions.

This will be a change for users but hopefully there will be minimal impact to most as at this stage there are no major changes to the core functionality of the plugin, just a lot fewer upsells and links to the ACF website.

Are Other Plugins Going To Have A Similar Experience?

The short answer is yes, but not for the reasons you may be thinking. If your code is in the dotorg repo, it’s under the GPL license and could be forked at any time. A recent example is when GiveWP forked Easy Digital Downloads.

Since then both have diverged from each other significantly and solved different and distinct challenges. That is always possible in the world of WordPress. Perhaps the real question being asked is, if I get banned or I end up on the wrong side of the Project Lead, could this happen to me too?

Honestly, I can’t answer that but I doubt what we’re seeing with WPE/SL is something anyone wants to see repeated. In Matt’s post he also calls this out as a “rare and unusual event.” My opinion is that WPE/SL has created the conditions that have put us in this spot, I’m aware others don’t share my position (that’s okay too). I would love it if both sides would get together to negotiate in good faith.

This is a really big deal, right?

Yeah, this is a big deal. If you’re feeling emotions, you are not alone. Fear, anger, frustration, and uncertainty are all reasonable. We’ve not dealt with anything like this in our community. If you’re leading a team or engaged meaningfully in the WordPress ecosystem it’s a lot. Especially if you are personally connected to individuals that are significantly impacted by what’s going on.

Dee and I recorded a special episode of our podcast where we talked about this. It got emotional and was raw for both of us. You’re welcome to have a listen to it and feel free to reach out (here or on social media) if you want to talk more.


13 responses to “ACF Gets A Fork By WordPress.org”

  1. James

    I’m actually curious why you consider it WPE’s fault? I understand that Matt is mad because he feels like WPE should be contributing hours or monies back to WP since they’ve made a lot off the platform, but is there/has there ever been a mandatory requirement for it? I don’t know enough of the particulars to make an educated guess, personally, but from what I’ve read it doesn’t sound like there was anything legally binding. “Should have” doesn’t equate to “ have to” in the legal world unfortunately. If I’m totally off the mark though I’d love to know.

    1. BW

      Because they sued him?

    2. John

      I know what you mean, but given the size of that company, they were using a lot of the .org network resources, that’s what people don’t know about. And Matt asked them to contribute for that, given their size.

      1. James

        Which is fine, but are they required to? “Should have” and “have to” are very much not the same in the business or legal world.

        Don’t get me wrong, with their platform they could be doing a whole lot more. But if the requirement isn’t in writing almost no business is going to follow through.

  2. not-applicable

    There’s nothing in point 18 which would justify changing the project name. Care to point out which point of that list allows for such a change? Let’s see them:

    1. to update these guidelines — not applicable
    2. to disable or remove any plugin from the directory — well, you could say he removed ACF and then added SCF under the same slug. However, that would be piracy as defined in https://make.wordpress.org/plugins/2021/02/16/reminder-forked-premium-plugins-are-not-permitted/ If that blog post is old don’t worry, https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/ has this “The use of trademarks or other projects as the sole or initial term of a plugin slug is prohibited unless proof of legal ownership/representation can be confirmed”. And yes, advanced custom fields has been filed for a trademark last December, https://trademarks.justia.com/983/21/advanced-custom-98321164.html
    3. to grant exceptions and allow developers time to address issues, even security related. — the exact opposite happened
    4. to remove developer access to a plugin in lieu of a new, active, developer. — it doesn’t look like the ACF team is not active given how they already published their own fix on their own website
    5. to make changes to a plugin, without developer consent, in the interest of public safety. — how is changing the name and ripping out the pro mentions in the interest of public safety?

    So please be a little bit more specific as to how point 18 applies here in *YOUR* opinion.

    Also, I find it *interesting* how https://github.com/WordPress/developer-plugins-handbook/blob/75d06a1d9c8572e2ee20667c6f8e4364647221d6/wordpress-org/plugin-developer-faq/index.md differs from https://developer.wordpress.org/plugins/wordpress-org/plugin-developer-faq/ — a new section is present on the latter which tries to justify this under “What happens to a plugin if the plugin owner gets blocked?”

  3. Hydro Mattic

    They didn’t fork it. It’s still in its old location, with its old slug, and all of its many years of reviews and support posts connected to it. When you download it, the .zip file is still called advanced-custom-fields.6.3.6.2.zip https://wordpress.org/plugins/advanced-custom-fields/

    They didn’t fork it; they put their own name on it and claimed it as their own, but it’s not their work in any sense. They stole it, and anyone who knows anything about WordPress knows that’s true.

    Under ordinary circumstances, I would not be on WPE’s side, but these are not ordinary circumstances. I hope they take MM’s butt to court and make him cry like the toddler he clearly is.

  4. hashimwarren

    James you say you agree with Matt that this is a rare and unusual event.

    How does that view square with Matt purchasing the domain Thesis for over 100k to keep it away from a theme developer he didn’t agree with?

    Doesn’t that show a pattern of Matt using unusual tactics to battle against businesses in the WordPress ecosystem?

    1. James

      I didn’t say I agree with Matt anywhere in my comment. I said I understand that Matt is upset because he feels that WPE should contribute more, hence his meltdown. But I question the validity of his stance. Should WPE give back more to the community due to their very large success? Probably. Do they have to though? I want to know the legality. If they didn’t sign an agreement with Automattic or WP about a certain number of hours or money to give back, then Matt doesn’t have a leg to stand on other than “I’m mad because I’m mad”.

      I actually don’t agree with Matt’s stance at all.

  5. Aaron Meder

    As a long term WordPress user and developer with it since my teen years I cannot believe that this actually happened the way it happened.

    ACF is a very popular, very actively developed plugin that is a vital base to millions of websites. In fact I think as vital as WordPress is itself to these sites, for many years. We’re not talking about an abandoned plugin where its original maintainer doesn’t want to continue developing it and that might pose a security risk to all the sites.

    I cannot understand how the way wordpress.org took over its plugin listing, replaced branding and naming can be seen as an appropriate legitimate action in that case.
    It deeply saddens me and I hope Matt and other people involved will be held accountable for the way the actions were taken and there will be some kind of safeguards in the future to prevent something similar from happening.

  6. […] security consultant, has published an advisory about the ACF changes, while James Giroux published ACF Gets A Fork By WordPress.org where he says “While emotions are high, this move highlights the importance of maintaining the […]

  7. Dom

    Did Matt tell you to write this? It’s clearly not a fork, it’s a supply chain attack. Any security issues were caused by Matt blocking the devs from providing security patches. None of this is WPE’s fault, this is all Matt’s doing. Regardless of your feelings on whatever smoke screen he’s deployed to distract everyone atm, Matt’s the one who’s burning everything down.

    I get the feeling that you’re aware of all this though. I’m just not sure what the article is saying, other than being both a puff piece and a condemnation at the same time. I wonder what it would say if you had the freedom to speak your true feelings, without needing to fear a volatile abusive dictator.

    Btw, have you read Heather Burns’ excellent article “Say Their Names”?

    1. jamesgiroux

      Hey Dom! Thanks for engaging. I can confidently say that Matt had no idea I was going to write this. I didn’t tell him, seek his permission or have it reviewed by anyone internally at Automattic.

      I respect your opinion and perspective, even if I don’t quite agree. One of the things I’ve come to really respect about Matt and the culture at Automattic is that we are given many different ways to communicate how we feel. We can choose to comment anonymously or with our names attached. We are encouraged to challenge and ask questions (respectfully of course) and we don’t all always agree on things. It’s one of the things I’ve grown to love in my short time here. I feel much more freedom to speak my mind here than anywhere else I’ve worked in the past.

      I don’t think I’ve ever had my writing called both a puff piece and condemnation at the same time so thank you for that. It’s hard to get the balance right in trying to bring insight into a decision that has been made while also navigating issues I care deeply about (like contributing to open source). Thanks for your comment and I hope to hear from you again.

  8. […] WordPress, has published an advisory about the ACF changes, while James Giroux published ACF Gets A Fork By WordPress.org where he says: “While emotions are high, this move highlights the importance […]
