WordPress 2.3 Does Not Spy On Users [UPDATED]
Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."
You shouldn't be. Developers gotta eat.
Linux, you magnificent bastard, I read the fucking manual!
And in this case, they're gonna eat their shit.
He can go fork himself.
Our sysadmin insisted we use textpad... I disagreed with him for a bit, but now I trust him all the more.
Cue OpenWordPress project appearing in Sourceforge in 5... 4... 3...
...But people are busy checking their posts from the "Sony DRM" thread last month to make sure they don't look like hypocrites.
> telling users to 'fork WordPress'
Consider it done.
illegitimii non ingravare
PrivatePress
The world is made by those who show up for the job.
one way to disable it is to go into the code and remove the offending portion. couldn't be that hard to do. and once somebody does it and posts instructions, it gets even simpler. no reason to fork the project.
and wordpress isn't that complicated that this is something that no one but the most hard core will do. tons of wordpress users regularly go in and tweak it for their own uses. i haven't moved to this new version with my site yet - i always wait a bit for things to shake out, and stuff like this is why. when i do upgrade, i'll just fix my install.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
So what does it send, according to the FA:
The blog's URL
A list of all plugins and versions
A list of the $_SERVER env variables
How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugins are the source of so many vulnerabilities, you need to know their versions etc.
Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.
And the blog URL tells you who it is.
Windows Update has to send far MORE intrusive information.
Test your net with Netalyzr
It's always a good thing when PHP projects intentionally commit suicide. Opens up space for programs written in real languages. Hopefully, the replacement for WordPress won't be written in ruby-on-rails, either...
Well if anyone is looking for an alternate upgrade path, I 'upgraded' my blog from Wordpress 2.2 to Pyblosxom and am really enjoying using it:
- it's really light and fast
- I can edit posts in a text editor rather than a web based interface
- it's in Python and very easy to customise
- theming far simpler, just rip your HTML template into a header and footer, rather than having to make 12 files with Wordpress.
Plug over... Move along...
My little Linux and tech blog
If this pisses you off enough, just don't upgrade.
My thought is that though information wants to be free, my information wants to be more private, so any software that blatantly violates my privacy rights tends to not get or stay installed on my workstation.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
Why can't they download a file with a list of "all updates" and check locally?
The versions it reports are for an autoupdate feature... and the $_SERVER and php/database settings are (I imagine) used to figure out what wordpress settings are common. How soon they can remove support for old versions of mysql and php, how many people use cgi instead of fastcgi instead of mod_php.
Tempest in a teapot.
Read the thread. This isn't a developer admitting to spying on users. This is debate over a new feature written to help you keep from getting your blog haxored. They are collecting server and plugin data to help you to keep your software up to date.
Matt Mullenweg is being very reasonable and reasoned in dealing with a small but vocal groups paranoia. In the same breath that he mentioned forking Wordpress, he also mentioned that another option is using a plugin that disables this behavior.
The submitter should be ashamed.
If the developer decides to insert malware, or other forms of code not acceptable to you, the GPL gives you the freedom to modify it to suit your own needs. If that means you have to fork the project, so be it - that's within your rights under the GPL.
OTOH, the idea of using FOSS (good!) as a venue for spyware (bad!) is enough to make a guy's head explode...
> Windows Update has to send far MORE intrusive information.
If you let it.
In Soviet Russia, WordPress forks YOU!
It doesn't provide you a way to stop it? Hardly. They provide full source code under GPL. Rip it out, publish changes, DONE.
The second way that the open source model has won, is that users who disagree with the direction the application is heading in can now fork. In fact, the head developer of the project suggests it. I'm pretty confident that this will happen and happen fast. Given that people "fork" (some say hack/crack) closed source software all the time to leave out all of the "evil" modules (See Kazaa > Kazaa Lite > Kazaa Lite K++; and don't forget cracked Windows XP) forking an open source project to leave out all of the "evil" modules should be pretty easy. I'm no developer, but I could see this being as simple as taking the original source, commenting out/removing the bad stuff, and then redistributing.
"It's not whether you win or lose, it's how drunk you get." -- H. J. Simpson
As to what the summary refers to, where Matt suggests a person fork Wordpress:
Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins matt suggested.
This is making something out of nothing. Definitely nothing to see here, please move along.
Nice choice of words, don't you think?
B-)
A friend will come and bail you out of jail, a true friend will be sitting next to you saying, "damn that was fun!"
You have the source code, right?
If you don't like the way the software behaves, you can change it. This is one of the fundamental freedoms the FSF endorses. In fact, I would say this is a perfect example of the open source model in action:
The sad thing is that Microsoft and other proprietary vendors have been so successful at convincing the general public that they should be at the vendor's mercy when it comes to bug fixes and feature requests that even Open Source users have come to believe the software originator's blessing is required.
Un-warp your brains. Experience freedom. Fork it if you don't like it, and let the people decide which version they like better.
The society for a thought-free internet welcomes you.
I love it when little guys act high and mighty. Yes, they're "little" as compared to say Apple or MS who can pull stunts like this and the general populace just acquiesces. I include myself in that statement as, at times, it still makes business sense to go with a product even if you don't agree with all aspects of what it does. This, however, IMHO is not one of those cases.
Ironically, I was considering global site licenses of this product for our public relations agency. Thanks for dropping out of the running!
That's just my POV... no more, no less.
Maybe I missed it, but it struck me that the developer's response was very civil, and well thought out. From the slashdot article you'd think he'd told the whole community to "fork off"?
So - did I miss something, or did everyone else not RTFA?
Since no one had actually linked the Fork comment, http://groups.google.com/group/wp-hackers/browse_thread/thread/bdced7524fa79a18/f8b5bc6efc4a4005#f8b5bc6efc4a4005
> If you don't trust wordpress.org, I suggest you do one of the following:
> 1. Use different software.
> 2. Fork WordPress.
> 3. Install one of the aforementioned plugins.
Isn't lucrative! Are you insane?! Market minions would pay handsomely for even a whiff of the Akismet database as it currently stands. This latest farce is their wet dream come true. Mullenweg can essentially name his price.
I recently installed Wordpress 2.2.3 on a site server. I'm now going to have to consider uninstalling it. Even though 2.3 is the only version confirmed as affected, as of now, the entire Wordpress name is justifiably tainted. I can't really allow a piece of software on the server to send out a deluge of sensitive information to a third party server. It's asking for trouble.
May the Maths Be with you!
If you're worried about the security of the copious data being sent to Wordpress.org, don't be, there's this guy named Barry, he's awesome and he will keep your private information safe!
Or as the author of WordPress puts in TFA:
"In 2 years of running WordPress.com and Akismet, two extraordinarily
high-visibility targets, there has never been a problem on a server
Barry set up."
Uh, right.
As a rule spying on users shouldn't be a security concern as long as the person/corporation spying is honest, just and only concerned on improving their software and the user experience...
So... As a rule spying on users is always a security concern =P (name it WordPress or Windows Update).
Sigs are for morons... Wait a minute...
At a minimum, I don't see why sending this information is so "alarming", even if it's inappropriate. Are your $_SERVER env variables such a sensitive bit of information?
What I'm listening to now on Pandora...
It isn't what information they are looking at but how. If they want the information and it will make the software better, fine, but do they really have to go about it in such a sneaky and under-handed way? Even Microsoft allows you to control how your system is updated (I never let it run automatically; I prefer to know what it's trying to put on my system.). As to the "fork" comment, while I think the generic blogging community will be clueless and have no idea what this is all about, this will drive the OSS community to develop a better version and they will wish the phrase had never been uttered.
GetOuttaMySpace - The Anti-Social Network
Gives new meaning to the term Web Monkey.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
I think I'd rather "fork" him -- right in a tender spot.
It's bad enough to do it in the first place.
It's worse to do it in secret. (Did he really think it wouldn't be discovered?)
It's worst of all to actually defend it afterwards. (Who does he think he is? Dan Rather?)
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
A good process is important. Of course I agree with that! But at some point, for any area where decisions must be made, you will need a person. Or a HAL 9000. But either way, the individual is what determines what will occur. Bad leaders are doom, good leaders are bliss. There is no way to from a distance or with a policy escape this fact. You need to make sure the people in power are good people you can trust, because power does not corrupt that kind of person, at least not in important ways. I'd rather have a good leader who splurges on a BMW with taxpayer funds than a bad leader who drives a Honda.
In the case of WordPress, it's advantageous for them to be able to get diagnostic and statistical information. They will learn more about their users's needs, and will be able to see where bugs crop up and eliminate them more quickly. I have no problem with people I trust having this kind of information about my servers, especially if I trust them to keep it securely. But I don't know the WordPress team, so it could be a problem.
There are no solutions you can implement from the couch for this issue. People keep looking for from the couch solutions like "no one should retain any information about us" or "trust the government, no more 911s." But these are not realistic answers. You will have to trust some leader and there will always be both good and bad leaders, and the only way to remove the bad ones is with a sword. Oh well. Life is struggle, get used to it.
technical writing / development
If he can't test this stuff without scraping real live user data, do you really think you should be trusting his code?
This guy is arrogant and his attitudes are potentially dangerous. If he was a truly good developer, this would not be an issue whatsoever.
Sheesh, and trying to justify this behavior based on what MS does for an entire OS...a) this is not an OS and b) it's a bad MS practice which certainly does not make it right for others to do.
It'd be one thing if it was opt in, but this is just pathetic.
No Comment.
His [Matt Mullenweg's], intent with that comment is irrelevant. This manner of action is unacceptable for the Lead Developer.
Using GNU/Linux -- Windows-free zone!
If you can't wait for a Fork, there's a nice package called Textpattern that I used to use. It's kinda like WordPress. I liked it. Give it a spin and see if it works for you. :D (End shameless plug for favorite php app).
It makes you wonder what they're going to do with the data. Anyone out there peeled out all the code that sends this data yet?
Why doesn't it work in reverse? Each WordPress install should download a list of updates from the server and do the comparison/testing locally; not on WordPress' servers.
Are you sure you understand the meaning of the word essential? WordPress made it to version 2.3 without this information... that doesn't sound very essential to me.
You probably meant "convenient" or "useful for monetizing."
If that were the case, then rather than sending this information out secretly every 12 hours, pop a box up to the user and tell them that their software is obsolete, and a potential security problem, and these are the particular items in question.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
For those wondering what the big deal is, I expect a lot of the reaction is fueled by memories of Mullenweg being caught google cloaking in 2005. Once someone loses your trust, you don't really want to share any data with them.
Hey, slow down cowboy! We're talking about a blogging software here, written on a cross-platform interpreter called PHP, not an operating system with hundreds of components and different hardware configurations!
Windows Update might need the information, because it deals with a lot of programs and I guess it would be impractical to send a 2Mb+ list of current versions. There are no such limitations in case of wordpress. As far as I'm concerned the update checking tool shouldn't send anything at all, just retrieve the current version number and that's it.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
If X is the new Y, and Y is "X is the new Y", solve for X.
It's not Microsoft... So we should not complain here...
Absolutely. However, you are assuming that I want my Wordpress installation to automatically update, and further that I am willing to give up a lot of sensitive information in order to get that done.
There should be a way to turn this feature off, plain and simple. There is no excuse whatsoever for forcing this down users' throats. None. Yes, comment spam and other vulnerabilities are something that needs dealing with. Yes, many, many Wordpress users have the technical ability of Aunt Tillie, hence the 5 minute install. Yes, many of them will never update at all without an auto-update feature.
By all means, activate auto-updates by default. By all means, activate the logging by default. But what possible excuse is there for not allowing a competent end user, or indeed sysadm, to be able to easily turn it off? Simply laziness? Obstinacy? I suspect something else behind this debacle.
May the Maths Be with you!
The argument is not that the information is unnecessary for an autoupdate/autonotify feature. The argument is that people should be able to easily opt-out from this feature. Having said that, the contents of $_SERVER seem unnecessary. That can leak things like usernames and paths.
Why does anybody other than the owner of the weblog need to know this?
You can opt-out of Windows Update.
Bogtha Bogtha Bogtha
When our new boss arrived, he said "if you ever feel unappreciated or can find a place with better pay, leave." 2 years later, we've had 110% turnover in this department.
My guess is if he asked people to fork it, someone will.
Dear god, you know that your slashdot comments show your URL?!?? You'd better stop there!
Thank you Mr. Did-Not-Read-The-Fscking-Article.
Jason Lotito
I take that back. That was stated based on the title and summary of the story.
Thanks for the flamebait there kdawson. That's about the worst case of it I've ever seen on /., you should be ashamed.
There is possibly an issue here, but not even remotely on the scale that this was made out to be.
No Comment.
I think you overestimate the OSS community, or you're confusing them with OSS developers, either way I'm not expecting a next-gen wordpress out of this.
You consider that an upgrade? MT4 is vastly more powerful than WordPress.
http://blog.plasticmind.com/cms/why-you-should-upgrade-to-mt4/
Skot Nelson music is my saviour / i was maimed by rock and roll
Beware of the Leopard.
Firefox also phones home.
I don't see why Firefox isn't also considered spyware.
MT3 has been so abysmal that I'd pretty much written them off. Maybe I'll rethink it now.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Can you imagine the water cooler conversation about Pyblosxom? How the hell are they supposed to go back and google about it? That'd be like trying to google for the symbol that represents the artist formerly known as Prince.
I mean, really, WTF. They might as well have named it slakdfjalskdjflaskjdf!
Do daemons dream of electric sleep()?
> Windows Update has to send far MORE intrusive information.
Good god man, you're not using Windows Update as a way of justifying intrusive behaviour are you?
If that's the kind of standard which you're judging against, what hope is there for rest of the world.
"It's better than Windows" has never been a good enough excuse in my books.
Skot Nelson music is my saviour / i was maimed by rock and roll
And not only is it a troll, it's tinfoil haberdashery and skating _really close_ to Libel.
Actually RTFA Matt's reasoning gives the opposite impression of the summary. Fork the submitter and Kdawson for greenlighting this.
--
BMO
This is how ports/portage works and is the obvious way to do it. What are these guys thinking?
I was thinking about moving my blog to Typo. This makes my decision easy!
Vote Libertarian
I can understand the complaints about how this may be an additional security risk, or at least would make an asshole's job a bit easier if they hacked that central WP database. What I find somewhat irritating is that some people have voiced privacy concerns over this. I was under the impression that if you're running a blog, it means you're one of those Web 2.0 exhibitionists that tell everyone in the whole wide world all their daily activities in embarrassing detail anyway. Am I missing something?
If a train station is a place where a train stops, what's a workstation?
These are not the urls are you looking for...
> If he can't test this stuff without scraping real live user data, do you really think you should be trusting his code?
> This guy is arrogant and his attitudes are potentially dangerous. If he was a truly good developer, this would not be an issue whatsoever.
> Sheesh, and trying to justify this behavior based on what MS does for an entire OS...a) this is not an OS and b) it's a bad MS practice which certainly does not make it right for others to do.
> It'd be one thing if it was opt in, but this is just pathetic.
I agree completely. Even though I'm not using v2.3, (I have 2.01 or the like), I will be removing WordPress completely from my site and doing it all myself. I already have the PHP/PostgreSQL setup installed, and I have a history of web development, so it shouldn't be too bad. Just as it was said above, its not the fact that it phones home, but how, and the fact that it cannot be disabled.
And they said zombies weren't real!
No point in forking. The codebase is a mess of security vulnerabilities already. A few years back somebody contracted me to break into their site and they had wordpress. I found a zero-day vulnerability in fifteen minutes and had it exploited in under an hour. I contacted wordpress, provided a way to patch it, and then a couple years later they reintroduced the same exact vulnerability when they refactored the code to add templates.
Please, don't fork it unless you plan on completely rewriting the entire SQL backend. It's a horrid mess. We don't need _more_ b2/wordpress forks around.
I would though suggest if you do fork it, do it well. Matt's done a lot of idiotic things (check the slashdot archives) with wordpress and he's a rabid commercializer, regardless of the cost. That his code absolutely sucks is the only reason he hasn't been able to make it big even with selling out at every opportunity.
Buckle your ROFL belt, we're in for some LOLs.
The entire open source community should be upset over this decision. Now everyone will be wondering what information their open source application might send home.
There have been a few fiascos with WordPress doing semi-evil things like SEO-hidden-linking every copy of wordpress back to his pay-per-ad site(s).
After a few arguments and releases later he finally removed it.
Face it, WordPress is a business and it has security/privacy issues that need to be taken seriously.
This post neatly sums up what should have been said in the summery; ie. nothing is going on. One person is over reacting, and the suggestions which were given including "fork" seem like a rather pleasant way of this being dealt with...
Basically, this is FUD.
*''I can't believe it's not a hyperlink.''
And when I installed Windows, I agreed to this information being sent. This not only provided me with a layer of protection on what the information can and can not be used for, but also provides Microsoft with their own protection. It appears this isn't the case with Wordpress. I can't find anything in any license agreement that they will be retrieving this information. Reading through the link, it appears that this was done very stealthily. Now why would that be?
that can be run in the wp directory as a 'patch' would easily solve that situation. provided that you give write permissions to all files it needs to fix, of course.
wouldn't be too long until someone produces a 'fix'.
Read radical news here
Anyway, i googled and found this link:
http://www.mitchelaneous.com/2007/09/19/9-wordpress-alternatives/
Now, my question is - how secure are they for you, sethawoolley? Which one would you choose?
yes and no.
... if I were running anything critical on my personal machine I would run Linux ... oh wait, I am and I do. Most web servers exist to run critical web sites or applications etc. that make money and keep businesses afloat. If something happens to them it's a very serious situation. Therefore you take the time to consider carefully what software you run on them and to design your security policies. I can't speak for others regarding their security policies and their choice of software but up until now I had no reason to mistrust WordPress. After all, it's a) open source and b) a LOT of people use it and trust it so, like PHP, apache, MySQL etc. I trust that exploitable bugs get found relatively quickly and thanks to auto update etc. I am comfortable running the software. My biggest beef is that if it weren't for Slashdot I WOULD NOT HAVE KNOWN ABOUT THIS! In fact, I was just about to install the latest version of WordPress on one server for an employee to run her blog and had I not read this article first I would have gone ahead and had no idea that it was relaying this kind of information to the WP authors.
On the one hand, security through obscurity is a very bad default and sole security policy. On the other hand it can be a nice extra layer of security on top of an already well planned and established security policy.
Let's see what kind of details $_SERVER contains:
1. Absolute path to document_root on server
2. Absolute path to script being executed to process request
3. Contents of $PATH
4. SERVER_ADMIN which is an e-mail address that may not be public information - and apache can be configured, and often is, to not output this on error pages.
Now, having this information alone does not present a huge security risk. Using that information someone isn't going to be able to immediately compromise my system. But I would still prefer that it not be public information. I've taken steps on my servers to limit the amount of information that the web server offers about itself. I don't need software relaying that information to untrusted sources without even telling me about it. Perhaps I'm paranoid, but as a server admin it's my job to be paranoid.
Secondly, it is a privacy concern. Perhaps some of the information is required for a software update but most of that necessary information (such as filesystem paths) can be determined very easily by a script that runs on the server itself without ever transmitting that data to a 3rd party. The way I see it, it is absolutely none of WP's business what directories I installed my software in and what version of apache I'm running etc. (which, unlike the blog url + IP which is very much public information, apache versions, php versions etc. are often kept PRIVATE for security reasons by the admins when they install and configure the software).
Now for the argument that a lot seem to making of "Windows Update sends far more info blah blah"
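The post above lists what a $_SERVER dump exposes. The following is an added example, not code from WordPress or Akismet, that makes the point concrete: it classifies the sensitive keys in a constructed $_SERVER-style dictionary, and beside that builds the kind of payload an update check actually needs, allowlisting named version fields and refusing any value that is not a bare version number. SAMPLE_SERVER, its values, and the blog URL are invented for the example; the key names are the ones PHP and Apache populate.

```python
"""Added example, not WordPress or Akismet code: what a raw $_SERVER dump
exposes versus the allowlisted, version-only payload an update check needs.

SAMPLE_SERVER is a constructed stand-in for PHP's $_SERVER on a mod_php
host; the key names are real, the values are invented.
"""
import re

SAMPLE_SERVER = {
    "DOCUMENT_ROOT": "/home/jdoe/public_html",
    "SCRIPT_FILENAME": "/home/jdoe/public_html/wp-cron.php",
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "SERVER_ADMIN": "jdoe@example.org",
    "SERVER_SOFTWARE": "Apache/2.2.6 (Unix) PHP/5.2.4",
    "HTTP_HOST": "blog.example.org",
    "REQUEST_URI": "/wp-cron.php",
    "REMOTE_ADDR": "192.0.2.10",
}

# Keys an admin normally keeps off the wire, and why each one matters.
SENSITIVE_KEYS = {
    "DOCUMENT_ROOT": "absolute filesystem path",
    "SCRIPT_FILENAME": "absolute path, including the OS user name it sits under",
    "PATH": "shell search path of the web server process",
    "SERVER_ADMIN": "admin e-mail that 'ServerSignature Off' keeps off error pages",
    "SERVER_SOFTWARE": "exact Apache/PHP build the admin may have hidden with ServerTokens",
    "REMOTE_ADDR": "address of whoever triggered the request",
}


def leaked_fields(server):
    """Map each sensitive key present in a $_SERVER-style dump to the reason it matters."""
    return {key: SENSITIVE_KEYS[key] for key in server if key in SENSITIVE_KEYS}


# A bare version number: digits and dots, nothing else. '5.2.4' passes;
# 'Apache/2.2.6 (Unix) PHP/5.2.4' and '/home/jdoe' do not.
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def build_update_payload(blog_url, core, php, mysql, plugins):
    """Allowlist approach: the payload is assembled from named fields, never
    from a dump, and every value must look like a version number. Anything
    else raises, so a path or a build string cannot ride along by accident.
    plugins is {slug: version}."""
    versions = {"wordpress": core, "php": php, "mysql": mysql}
    versions.update({"plugin:" + slug: ver for slug, ver in plugins.items()})
    bad = {name: val for name, val in versions.items() if not VERSION_RE.match(val)}
    if bad:
        raise ValueError("non-version values refused: %r" % bad)
    return {"url": blog_url, "versions": versions}


if __name__ == "__main__":
    for key, why in leaked_fields(SAMPLE_SERVER).items():
        print("%-16s %-40s %s" % (key, SAMPLE_SERVER[key], why))
    print(build_update_payload("http://blog.example.org/", "2.3", "5.2.4",
                               "5.0.45", {"akismet": "2.0.2"}))
```

Whether the blog URL itself belongs in the payload is the separate question the thread is arguing about; the allowlist above only guarantees that nothing beyond the fields you deliberately named can get in.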
I've got one of those big shiny (and above all sharp) BBQ forks in mind.
The $_SERVER variables are not sent out by WordPress, they're sent by Akismet during its spam-checking process. Akismet is a plugin that is bundled with WordPress which helps prevent comment spam. Activating it requires an account on WordPress.com as well, so it's not something you can turn on by accident.
The reason it sends those variables is that it does so when somebody submits a comment to your blog. Those variables and the comment are sent to the Akismet servers which send back a pass/fail for spam identification. The variables allow Akismet to more easily identify mass spammers across a wide range of blogs.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
> At a minimum, I don't see why sending this information is so "alarming", even if it's inappropriate. Are your $_SERVER env variables such a sensitive bit of information?
"If you have nothing to hide, then you wouldn't mind if we searched you."
"Congratulations, Boots. Your robot has become self-aware. You're a daddy now." -- Dr. Rho Bowman
I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, your argument about security is bogus unless you crawl through the code, otherwise, it might as well be closed.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
Canada's privacy law is pretty strict against the unauthorized sending in of personally identifiable information, especially one that sends it to an American server. There, the Patriot act allows the government to capture Matt's database. And the kicker, he is not allowed to tell you.
Up here, we (being the government) can't buy any software package that stores the data in the USA. I can only imagine the tens of millions of lost dollars in contracts because of the Patriot Act. I would have hated to have added Matt's awesome editor to that list. Rock on Matt!
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
How does this affect WordPress multiuser? Usually that's a few steps ahead of the single WP installation. Also, how does this actually schedule and send things? I'm on a hosted WP install, and as far as I know, I'd have to manually go in and set up some sort of job or something to get any sort of recurring activity. They're saying my hosted webserver PHP code is going to initiate outgoing requests or something?
It appears that the article is mistaken, and WordPress doesn't actually send stuff like $_SERVER. You might want to go ahead and switch.
But, if you want a blog with a central, auto-updating plugin repository, try Serendipity. It uses Smarty for its templates, and has a very involved developer base. It's also light, fast, and security-conscious. It's largely compatible with Movable Type, too.
For the record, its auto-update feature downloads the list of available plugins, then lets the local installation decide what needs to be updated. No private information required.
For geek dads: Contraction Timer
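Several posts in the thread (the ports/portage comparison, "why can't they download a file with a list of all updates and check locally", and the Serendipity description above) describe the same design: the update server publishes one manifest and the installation does the comparison itself. The following is an added example of that design, written for this page and not taken from WordPress or Serendipity. The manifest, plugin slugs and version numbers are constructed for the example; the "requires"/"tested" fields are an assumption about what such a manifest would carry so that compatibility can be judged locally too.

```python
"""Added example, not WordPress or Serendipity code: an update check where
the only network traffic is fetching a static manifest that is identical
for every client, so nothing about the installation leaves the server.

MANIFEST_JSON is a constructed stand-in for what an update server would
publish; slugs, versions and the requires/tested fields are invented.
"""
import json

MANIFEST_JSON = json.dumps({
    "core": {"latest": "2.3"},
    "plugins": {
        "akismet":         {"latest": "2.0.2", "requires": "2.0", "tested": "2.3"},
        "example-gallery": {"latest": "1.4",   "requires": "2.2", "tested": "2.2.3"},
        "example-stats":   {"latest": "0.9",   "requires": "2.3", "tested": "2.3"},
    },
})


def parse_version(text):
    """'2.3.1' -> (2, 3, 1), so comparison is numeric rather than lexical
    ('2.10' must sort after '2.9')."""
    return tuple(int(part) for part in text.split("."))


def check_updates(manifest_json, installed):
    """installed = {'core': '2.2.3', 'plugins': {slug: version, ...}}.

    Returns a report of what is outdated or untested against the local core
    version. The installed inventory is only ever read here; it is never
    serialised or sent anywhere, which is the whole point of the design."""
    manifest = json.loads(manifest_json)
    core_installed = parse_version(installed["core"])
    report = {"core": None, "plugins": {}}

    core_latest = manifest["core"]["latest"]
    if parse_version(core_latest) > core_installed:
        report["core"] = core_latest

    for slug, version in installed["plugins"].items():
        entry = manifest["plugins"].get(slug)
        if entry is None:
            # Private or hand-written plugin: the server never learns it exists.
            report["plugins"][slug] = {"status": "unknown"}
            continue
        status = {"status": "current"}
        if parse_version(entry["latest"]) > parse_version(version):
            status = {"status": "outdated", "latest": entry["latest"]}
        # Compatibility is judged locally against the core actually running here.
        if parse_version(entry["tested"]) < core_installed:
            status["untested_with_core"] = True
        if parse_version(entry["requires"]) > core_installed:
            status["requires_newer_core"] = entry["requires"]
        report["plugins"][slug] = status
    return report


if __name__ == "__main__":
    inventory = {"core": "2.2.3",
                 "plugins": {"akismet": "2.0.1", "example-gallery": "1.4",
                             "example-stats": "0.9", "private-plugin": "1.0"}}
    print(json.dumps(check_updates(MANIFEST_JSON, inventory), indent=2))
```

The trade-off the thread circles around is visible in the code: the server loses its aggregate view of which plugins and versions are deployed, and the client must download the whole manifest rather than a per-install answer. In return the only thing the server can log is the IP address that fetched the file.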
Not trying to be snide, but RTFA. I just finished all 103 posts in the mailing list and it's not really as bad as it seems.
I could write a long explanation of what 2.3 does and what the pros and cons are, but they've been enumerated in other posts here, and more eloquently and correctly in the original mailing list. I run WordPress as well, and will likely update when all is said and done. The issue really seems to be one of ethics and privacy concern rather than security, and I think the privacy concerns will be addressed adequately to soothe even my paranoid ire. Read what Matt (the lead developer) has to say rather than KDawson (the apparent bearer of all FUD) and then decide.
I do (or should I say, "did") mine using Notepad. Christ, people, HTML isn't exactly assembly language!
-mcgrew
I agree that kdawson's original post was inexcusable - libellous even, but do you not think that the people who responded so negatively are also at fault? Slashdot isn't exactly known for its standard of journalism and routinely publishes sensationalist headlines/stories that lead the reader to form a misinformed opinion. After one negative Slashdot headline, numerous people were thinking of a new name for a Wordpress fork. Why would you place so much credibility on a Slashdot post? Frankly, it's scary how much influence and power the Slashdot editors have.
Go with Drupal. Get all the blogging goodness plus photo albums, iGoogle-like portal pages (that support iGoogle plugins!) and pretty much anything else you could ever possibly want in a personal site. See my link above for an example.
Dewey, what part of this looks like authorities should be involved?
Maybe you could wait to see if it's actually true because, it looks like it might not be. THEN you can get upset and base decisions on it.
It appears as if this was going to be placed into the code without notifying anyone of it. It was people in the linked list that found out about this, which provoked a rather harsh response from the developer. Considering the amount of secrecy that was evidently intended with this feature, what is to prevent even more information from being sent in the future? A security update could come out next week and in that a developer decides to sneak code in that also sends a list of all emails in your user database. Trust is something earned. The trust for Wordpress has gone down in my book. I will be moving my site to another platform this week. As a lawyer who specializes in tech-related issues, I have written numerous privacy statements and end user agreements for software companies. They pay money for these to protect their own interests, as well as the interests of their users. Wordpress took none of these into consideration. That is a shame since Wordpress is a great platform for the person who isn't that technically gifted. Those are also the same people that deserve some sort of guarantee that their privacy is of utmost concern to the software manufacturers, and should not be expected to learn programming or search mailing lists to find out about it.
Sort of...it's typical for a lot of people to jump on whatever is stated in the headline, others to jump on what is in the summary, and others to actually read everything linked to as well.
I almost always read everything.
But in this case, I read the headline and summary, opened the link and read the first few posts of the linked thread, and decided the summary was likely good enough...didn't feel like reading an entire blog thread just to see if the summary was right. Giving /. the benefit of the doubt, summaries aren't usually that completely and utterly wrong. I then read a bunch of posts to the thread and all seemed to be in the same vein, suggesting that the summary was accurate.
Then I found a couple that indicated it wasn't accurate at all. At that point I read the entire linked-to blog thread and had to change my stance.
At least KD changed his tune and updated the story.
While I do think the editors have a lot of initial influence on the direction of a thread (same goes for ANY journalistic or editorial avenue, not unique here!)...I do think that more often than not, as is the case in point, the masses figure out and call out the editors on misleading or mistaken headlines and titles. And usually, moderation eventually sorts things out. However, in many cases moderation hinders things getting sorted out quickly, as the typical result of calling an editor out on something like this is to be modded into oblivion quite quickly, which is definitely a major problem.
No Comment.
PHP_AUTH_USER and PHP_AUTH_PASS are incredibly private pieces of information.
As a PHP developer myself, I must take extra caution so much as to not even print_r($_SERVER) when debugging my code with colleagues to prevent my username and password from being plastered across the screen.
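The habit described above can be made mechanical. This is an added example, not code from the thread or from WordPress: it masks credential-bearing keys in a $_SERVER-style array before the array is dumped, so a debugging print_r never exposes PHP_AUTH_USER/PHP_AUTH_PASS. The key list and sample request are assumptions constructed for the example.

```php
<?php
// Added example (not from the thread or WordPress): scrub secret-bearing
// entries out of a $_SERVER-style array before dumping it for debugging.

/**
 * Return a copy of $server with credential and session entries masked.
 * The key list below is an assumption of this example; extend it to match
 * whatever your web server and proxies inject.
 */
function redact_server(array $server): array
{
    // Exact keys that carry credentials or session material.
    $secret_keys = [
        'PHP_AUTH_USER', 'PHP_AUTH_PASS', 'PHP_AUTH_DIGEST',
        'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION', 'HTTP_COOKIE',
    ];
    // Fragments that usually mark a secret in custom environment variables.
    $secret_fragments = ['PASS', 'SECRET', 'TOKEN'];

    foreach ($server as $key => $value) {
        $upper = strtoupper((string) $key);
        $hit = in_array($upper, $secret_keys, true);
        foreach ($secret_fragments as $frag) {
            if (strpos($upper, $frag) !== false) {
                $hit = true;
            }
        }
        if ($hit) {
            $server[$key] = '[redacted]';
        }
    }
    return $server;
}

// Constructed sample of what a basic-auth request populates; not real data.
$sample = [
    'HTTP_HOST'          => 'blog.example.test',
    'REQUEST_URI'        => '/wp-admin/',
    'PHP_AUTH_USER'      => 'alice',
    'PHP_AUTH_PASS'      => 'hunter2',
    'HTTP_AUTHORIZATION' => 'Basic YWxpY2U6aHVudGVyMg==',
    'SERVER_SOFTWARE'    => 'Apache',
];

// Only the three credential entries come back as '[redacted]'.
print_r(redact_server($sample));
```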
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Now go RTFA, and see that when read in context his remarks are completely acceptable and civil. What is unacceptable is kdawson posting yet another FUD submission without bothering to check it out for facts.
...what the FORK is going on here?
Thank-you, I'm here all week...
Of course Matt thinks the article is wrong. I did read the linked forum discussion from the day before this shipped. First, you shouldn't have to plug the app to enable/disable a feature like this. Are we really that bad for wanting this? The functionality should be included. Secondly, there is no privacy statement associated with the information gathering. They can do with it as they so choose. Third, they never provided convincing info on why they need to gather the info. Autoupdate would work without most of the info they are collecting. I could go on with rational discussion of why people see this as a negative, but what's the fun in that. Flame away.
> Simply laziness? Obstinacy? I suspect something else behind this debacle.
Never attribute to malice what can be explained by incompetence.
- paraphrasing Hanlon's razor
Ok easy enough :) curling old source now.
It's time to start OpenPress guys ;)
--Javier Aroche
I don't particularly prefer WordPress, and while recently considering various blogging tools for my new blogs and a new website service offering hosted blogs that I am designing, I ended up building my own tool based on some pre-existing code: I got Drupal's HEAD and I am currently modifying its blog module to create exactly what I perceive as the perfect blogging tool for me and the blog service I am going to launch. I'll provide patches or a complete new blog module to the Drupal project when I finish the preliminary testing of my changes. I liked Drupal's blog module for its simplicity and small size, as I had a good base (posting system and Drupal's blog API support) to start adding features to, without having to worry about breaking an existing large complex system. I found Drupal's blog module easy to customise, so I think it's a good platform to base your own blog on, especially if you know PHP programming and you have special requirements that are not solved by existing packages (like in my case). So, if you feel that WP or MT or any other blogging tool does not fully suit you, I encourage you to have a look at Drupal and modify it to create the perfect solution just for you. After all, a blog is something personal and must fully express your individuality and personality, and this cannot be done simply by changing a theme, as the software code itself is also an expression of your personality, so my idea is that if you want a fully personalised blog you should run your own blog engine too.
Is anyone really surprised that this story didn't turn out to be all that?
kdawson has a penchant for posting 'stories' linking to shady blog postings, archived emails and usenet messages that tend to be little more than flamebait. If he's got anything going for him, he doesn't discriminate who he spreads FUD against.
For extra enjoyment when you read slashdot, try to pick out which stories have been posted by kdawson without peeking at who it was. It's a very easy game.
"What kind of music do pirates listen to?" -Paul Maud'dib
"Yeeeaaarrrrr n' Bee!!" -Stilgar, Leader of Sietch Tabr
I know that wordpress does make some profit. I guess the referrals for hosting are worth quite a bit. But I would have to wonder how they would use whatever new information they are gathering (in addition to whatever they gathered in the past). I'm sure they plan to make $$$ out of it somehow. I personally don't trust anyone when gathering information (be it google, wordpress or the US gov).
Just for fun I thought I'd mention the past incident when Wordpress intentionally violated Google Adwords to make money.
Linux Resources
honourable goal, but why exactly does WP need to *send* any data in order to do this? Wouldn't it be enough to *retrieve* a text file containing the latest version of everything, compare it to what it's running on and inform the user accordingly?
In this particular case, concern for security is a cheap excuse for invading privacy and actually causing a security problem.
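The pull-only check proposed above, written out as an added example (not WordPress code or the project's actual update mechanism): the client retrieves a manifest of current versions with a plain GET, compares it locally against what is installed, and transmits nothing about the site. The manifest format, the component names and all version strings other than 2.2.3 and 2.3 are assumptions constructed for the example.

```php
<?php
// Added example (not WordPress code): a pull-only update check. Nothing
// site-specific leaves the server; the only fact the manifest host learns
// is that someone fetched the file.

/**
 * Compare installed component versions against a manifest and report which
 * ones are behind. Both arrays map component name => version string.
 */
function outdated_components(array $installed, array $manifest): array
{
    $outdated = [];
    foreach ($installed as $name => $local) {
        // Components the manifest does not know about are skipped, not reported.
        if (!isset($manifest[$name])) {
            continue;
        }
        if (version_compare($local, $manifest[$name], '<')) {
            $outdated[$name] = ['installed' => $local, 'latest' => $manifest[$name]];
        }
    }
    return $outdated;
}

/**
 * Retrieve and decode a JSON manifest with a plain GET (no POST body, no
 * query string). Returns an empty array if the fetch or decode fails so the
 * caller reports nothing rather than breaking the site.
 */
function fetch_manifest(string $url): array
{
    $ctx  = stream_context_create(['http' => ['method' => 'GET', 'timeout' => 5]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        return [];
    }
    $data = json_decode($body, true);
    return is_array($data) ? $data : [];
}

// Constructed manifest standing in for what fetch_manifest() would return.
$manifest  = ['core' => '2.3',   'plugin-a' => '1.4', 'plugin-b' => '0.9'];
// Constructed local state: core is behind, plugin-a is current, plugin-c is unknown.
$installed = ['core' => '2.2.3', 'plugin-a' => '1.4', 'plugin-c' => '0.1'];

// Only 'core' is reported, with installed 2.2.3 and latest 2.3.
print_r(outdated_components($installed, $manifest));
```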
Um, because WP MU is basically the WP software; in fact its codebase is based on the latest version of the software, currently 2.2.3.
But isn't that one of the main benefits of being able to see the source code? If you wonder what's going on, just look.
I just read Slashdot for the articles.
So in other words, everyone was too busy forking around to actually pay attention to what information was being sent.
The magic of open-source software is that any idiot with a text editor can go in and change it.
If someone's so darn concerned about the information in $_SERVER, then they should just grep the source and rip out the offending code.
And if they don't know how, then they should shut the hell up about $_SERVER. In the end, it's really not a huge deal, nothing an attacker couldn't figure out on their own in about ten seconds with readily available scripts.
-Billco, Fnarg.com
...since the only people we want to have using Open Source are people with the time and know-how to dig through piles of source code? Most Slashdotters don't have that kind of time or knowledge to dig through any given open source project, even one like WordPress. Open source means code review is possible; it doesn't mean it's realistic for the general user. If you want to attract general users, the person putting out the code has to be trusted.
I love my sig.