[wp-forums] Security and Accountability

Scott Merrill skippy at skippy.net
Sat Mar 4 14:14:27 GMT 2006


Caution: inflammatory post follows.

Podz wrote:
> There are many hosts with many setups and as such WordPress
> documentation cannot cater for all - so it approaches this by catering
> for none. It does this for the above reason and also for another - so WP
> cannot be blamed.
> The fault is pushed to the user.
> Yet no page at wordpress.org carries any advice on permissions.
> The readme.html with the package carries no advice on permissions.
> Codex carries no specific advice on permissions.

I place the blame for this squarely on Matt's shoulders.

I wrote the bit about recommended file permissions.  My recommendation,
absent any official information from the development team, was that the
/wp-content/ directory be read-only, and specific sub-directories inside
/wp-content/ have relaxed permissions on a case-by-case basis.  I
recommended this in order to minimize the number of writable directories.

Those recommendations stayed in place, online, and linked to for a
number of months.  It wasn't until the release of WP 2.0, with Matt's
modified version of my wp-db-backup plugin, that Matt finally stated
publicly that it was always his intention to have /wp-content/
completely writable.  This was, as far as I can remember, the first time
many (myself included) heard this news.

Not only do I disagree with the requirement for a writable /wp-content/,
I disagree strongly with Matt's casual -- almost dismissive -- attitude
regarding his involvement with the documentation.

I should point out, too, that I saw no effort from Matt to modify the
official documentation for his project.  He merely criticized it in a
trac comment, and left the documentation unmodified.  That's leadership
for you.

I understand that writing code is more fun than writing docs.  But I
feel that Matt, Ryan, and any other core developer has an _obligation_
to provide proactive assistance with the finer points of documentation.
They know the code better than anyone else, and are _the_ authoritative
body for questions or ambiguities.  That they choose to abdicate their
responsibility explains a lot of the frustrations that have been
percolating throughout the community.

Matt's living it up, going to conferences and glad-handing people, while
the rest of us are left to struggle with confusing undocumented code,
and to try to distill meaning from the madness for the other users who
just want to use the damned thing.

> But sites either do not work because of permissions or are insecure
> because of permissions. So they look to codex, they look to official
> pages. And they find nothing because no-one will commit to writing
> anything because they fear getting the blame.

It's not just a matter of blame, Podz.  It's a matter of competing
interests.  Every time we try to write thorough documentation that
addresses as many conflicting configurations as possible, we get slammed
for making "confusing" documentation.

But Matt can sweep in and apply a new theme to the code which _breaks_ a
lot of functionality, and renders complex pages completely useless,
without so much as an "excuse me, please".

Rather than fix the codex (one mechanism of which would be to install a
fresh MediaWiki installation into a new directory, and then manually
copy-and-paste pages from old to new -- yes, we'd lose history, but we'd
keep the damn docs usable), Matt wants to write a new plugin for
WordPress to "solve" the problem.  This is perfectly acceptable from
Matt's point of view, even though the documentation continues to suffer
in the meantime.

But when others come along and volunteer to "solve" the problem of
inline function references, Matt poo-poos the whole effort as a waste of
time, saying instead that such documentation belongs on a publicly
editable wiki.  Forgive me for not leaping to participate when the
current wiki situation is abominable.

> But they ask in the forums, don't they?
> They expect an answer from those of us there, don't they?
> So devs and people who know all about perms and suchlike are content to
> let forum helpers get it in the neck when things go wrong because they
> won't write anything.
> Nice.

The devs don't answer because they don't care.  The devs care about the
fun stuff of writing code.  They care about making a revenue stream from
all the ancillary services they've developed around WordPress:
pingomatic, akismet, blicki, WordPress.com, and whatever other pokers
Matt has in the fire.

My recent withdrawal from all things WordPress has helped put some things
in perspective.  Matt and crew are poor project leaders.  Matt's
egomaniacal Automattic stuff is hurting the WordPress community.  The
code continues to grow hodge-podge without a clearly defined vision or
roadmap being presented to would-be contributors.  Contributions that
don't satisfy Matt's undocumented criteria are simply ignored.  Trac
tickets are closed with terse "wontfix" messages, rather than useful
explanations as to why it won't be fixed.

I would very much like to see WordPress thrive and succeed.  I would
like for the autocratic development model to be relaxed.  I would like
to read, and discuss, a plan for long-term development and vision.  I
would like to see specific product release projections so that testing,
documentation, and plugins can all be readied _prior_ to a release.  I
would like to see contributions of all sorts being _encouraged_ rather
than dismissed because they don't coincide with one person's particular
preferences.  I would like to see infrastructure and site issues be
dealt with in an open, responsive manner.

Basically, if Matt gets hit by the bus, much of WordPress's success is
screwed.  It doesn't need to be that way.

-- 
skippy at skippy.net | http://skippy.net/

gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49  3544 476A 7DEC 9CFA 4B35
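The permission policy Scott describes above (a read-only /wp-content/ with a short, explicit list of writable sub-directories), written out as a POSIX shell script. This is an added example, not code from the original post or from WordPress itself. It assumes the web-server user owns the wp-content tree (so the owner write bit is the one that matters) and that the caller names the directories that are allowed to be writable; "uploads" in the usage below is an assumed example, since the post does not say which sub-directories need relaxing.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress.
# harden_tree makes every directory under a wp-content root read-only and
# then re-enables owner write access on an explicit allow-list of
# sub-directories (and their children, e.g. uploads/2006/03).
# audit_tree reports any directory that has a write bit set but is not on
# that list, so "how many directories are writable?" has a checkable answer.
# Assumption: the web-server user owns the tree; the allow-list is supplied
# by the caller (the post names no specific sub-directories).

# in_allow_list REL ALLOWED...  -> 0 if REL is an allowed dir or below one
in_allow_list() {
    rel=$1; shift
    for a in "$@"; do
        case "$rel" in
            "$a"|"$a"/*) return 0 ;;
        esac
    done
    return 1
}

# harden_tree ROOT ALLOWED...
# Strip all write bits from every directory under ROOT (the root itself
# included), then give the owner write access back on each allowed
# sub-directory and everything beneath it.
harden_tree() {
    root=$1; shift
    find "$root" -type d -exec chmod a-w {} +
    for a in "$@"; do
        [ -d "$root/$a" ] || { echo "no such directory: $root/$a" >&2; return 1; }
        find "$root/$a" -type d -exec chmod u+w {} +
    done
}

# audit_tree ROOT ALLOWED...
# Print each directory under ROOT whose mode string (from ls -ld) contains
# a write bit and that is not on the allow-list. Reading the mode bits
# rather than using "test -w" keeps the answer independent of whoever runs
# the audit (root can write anywhere, which would hide findings).
# Returns 0 when nothing unexpected is writable, 1 otherwise.
audit_tree() {
    root=$1; shift
    unexpected=$(find "$root" -type d | while IFS= read -r dir; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        case "$mode" in *w*) ;; *) continue ;; esac
        rel=${dir#"$root"}; rel=${rel#/}
        # an empty REL is the root itself, which must never be writable
        [ -n "$rel" ] && in_allow_list "$rel" "$@" && continue
        printf '%s\n' "$dir"
    done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Usage: sh wpperms.sh harden|audit /path/to/wp-content [allowed-subdir ...]
# e.g.   sh wpperms.sh harden /var/www/wp-content uploads   (assumed paths)
if [ $# -ge 2 ]; then
    cmd=$1; shift
    case "$cmd" in
        harden) harden_tree "$@" ;;
        audit)  audit_tree "$@" ;;
        *) echo "usage: $0 harden|audit ROOT [SUBDIR...]" >&2; exit 2 ;;
    esac
fi
```

Running the audit from cron, or before and after a plugin install, is the cheap way to notice when something has quietly relaxed a directory; the hardening step is deliberately limited to directory write bits so that file ownership and the web server's read access are left untouched.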
