Rubicon
The lighthouse at World's End, Norway.

On Saturday October 12, 2024, a line was crossed in the WordPress open source project that I fear will have a lasting and irrevocable impact on open source as a whole.

After locking out developers from rival hosting company WP Engine over a trademark dispute, project lead Matt Mullenweg announced that the “Advanced Custom Fields” plugin had been forked and a new version titled “Secure Custom Fields” substituted into the supply chain, to be automatically installed on every site running the plugin.

As a result, some 2 million websites, through no action of their own, now potentially run a new plugin maintained by an unknown group of developers unfamiliar with its design and function, while the original developers desperately try to reach their customers to ensure they get the latest updates from the original plugin. For some website owners, the change will cause confusion: They installed “Advanced Custom Fields,” and now they find a new plugin called “Secure Custom Fields” in its place. For others, the change will manifest as a security alert, a function change, or even a system error. And for most, the change will be invisible - a silent substitution of a trusted product for an untrusted one.

In any other context, this would be considered a supply chain attack, and many enterprise, institutional, and government users of WordPress will read it as such.
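The silent substitution described above is detectable from the site owner's side: a WordPress plugin announces its identity in the header comment of its main PHP file (`Plugin Name:`, `Author:`), so an operator can pin the expected values and diff the installed tree against them after every update run. The script below is an added example for this article, not code from the WordPress project or from either plugin's authors; the directory slugs (`example-custom-fields`, `example-gallery`, `example-missing`), the author strings and the temporary install it builds are constructed for the demonstration, and the only real-world values it uses are the two plugin names the article itself mentions.

```python
"""Audit a WordPress plugins directory against a pinned identity baseline.

Added example: flags plugins whose header metadata no longer matches what
the site owner originally installed (e.g. a plugin directory that now
carries a different "Plugin Name" or "Author" than it did before an update).
"""
import re
import tempfile
from pathlib import Path

# Header fields we read from the plugin's main PHP file. These are the real
# WordPress header keys; the baseline values below are constructed.
HEADER_FIELDS = ("Plugin Name", "Author", "Version")
COMPARED_FIELDS = ("Plugin Name", "Author")


def parse_plugin_header(source: str) -> dict:
    """Parse a WordPress plugin header block (/* Plugin Name: ... */)."""
    header = {}
    match = re.search(r"/\*(.*?)\*/", source, re.S)
    if not match:
        return header
    for raw in match.group(1).splitlines():
        line = raw.strip().lstrip("*").strip()   # tolerate " * Field: value" style
        for field in HEADER_FIELDS:
            if line.startswith(field + ":"):
                header[field] = line[len(field) + 1:].strip()
    return header


def find_main_plugin_file(plugin_dir: Path):
    """Return (path, header) for the first *.php file carrying a Plugin Name."""
    for php in sorted(plugin_dir.glob("*.php")):
        header = parse_plugin_header(php.read_text(errors="replace"))
        if "Plugin Name" in header:
            return php, header
    return None, {}


def audit_plugins(plugins_root: Path, baseline: dict) -> list:
    """Compare each pinned plugin against what is installed.

    Returns a list of (slug, field, expected, actual) findings; an empty list
    means every pinned plugin is present and still identifies itself as expected.
    """
    findings = []
    for slug, expected in baseline.items():
        plugin_dir = plugins_root / slug
        if not plugin_dir.is_dir():
            findings.append((slug, "present", "installed", "missing"))
            continue
        _, header = find_main_plugin_file(plugin_dir)
        for field in COMPARED_FIELDS:
            if field in expected and header.get(field) != expected[field]:
                findings.append((slug, field, expected[field], header.get(field)))
    return findings


# Constructed baseline: what the site owner believes they installed.
BASELINE = {
    "example-custom-fields": {"Plugin Name": "Advanced Custom Fields",
                              "Author": "Original Team (constructed)"},
    "example-gallery": {"Plugin Name": "Example Gallery",
                        "Author": "Gallery Co (constructed)"},
    "example-missing": {"Plugin Name": "Example Missing"},
}


def build_sample_install(root: Path) -> Path:
    """Write a constructed wp-content/plugins tree: one swapped plugin, one intact."""
    plugins = root / "wp-content" / "plugins"
    swapped = plugins / "example-custom-fields"
    swapped.mkdir(parents=True)
    (swapped / "example-custom-fields.php").write_text(
        "<?php\n/**\n * Plugin Name: Secure Custom Fields\n"
        " * Author: Replacement Maintainers (constructed)\n * Version: 1.0.0\n */\n")
    intact = plugins / "example-gallery"
    intact.mkdir()
    (intact / "gallery.php").write_text(
        "<?php\n/*\nPlugin Name: Example Gallery\nAuthor: Gallery Co (constructed)\n*/\n")
    return plugins


def run_demo() -> list:
    """Build the constructed install in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_plugins(build_sample_install(Path(tmp)), BASELINE)


if __name__ == "__main__":
    for slug, field, expected, actual in run_demo():
        print(f"ALERT {slug}: {field} expected {expected!r}, found {actual!r}")
```

Running the demo reports the swapped plugin twice (name and author changed) and the pinned-but-absent one once, while the intact plugin produces nothing. In a real deployment the baseline would be captured at install time and the audit run from cron or a CI job after each update cycle, so that a plugin changing identity underneath an existing directory becomes an alert rather than something discovered by accident.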

In my opinion, this action sets an indefensible precedent for WordPress and open source:

Expropriating an actively maintained plugin breaks any reasonable trust open source developers can have in distributing their plugins and themes through supply chain services like WordPress.org that are not under transparent and accountable management.

Forcibly replacing a plugin on millions of websites is contrary to the reasonable expectations of users that the software they are using is provided and maintained by their creators or appointed successors.

When one person can unilaterally block access to any developer, carbon copy their work, take over the software’s primary location and associated history (support forums, reviews, etc.), and then distribute the new version to existing users, no one can have a reasonable expectation that code posted to that service is safe.

These actions are the very behaviours open source adherents so deeply despise in closed-source platforms: the claiming of other people’s content and work as their own. This is the richest kid in the neighbourhood saying he alone decides who gets to play in the sandbox, and if he takes your toy, it is your fault for not playing the way he likes. This is the community waking up to the real tragedy: They were never in a commons, they were on private land, and the owner has decided he no longer sees value in keeping up the pretence.

In the oft-cited (and too seldom read) book “The Cathedral and the Bazaar,” open source ideologue Eric S. Raymond uses the ill-fated Maginot Line as a metaphor to describe how traditional software development approaches are too rigid and static to adapt to the fast-moving and dynamic environment software operates in. Raymond proposes open source as a more adaptable and decentralized alternative. What Raymond did not predict was a new Maginot Line forming within open source, manifested as centralized control of the commons by project creators turned “Benevolent Dictators For Life.”

Open source is at an inevitable crossroads: It won the battle for web supremacy, but lost the plot when it comes to who gets to extract financial value from the work. As a result of this massive inequity, the supply of people willing and able to volunteer their time and work to open source software is dwindling, and open source projects have become dependent on corporate support - the exact thing Raymond and his ideological compatriot Stallman said open source would rid the world of.

Meanwhile, open source project founders have built vast wealth and power on their creations. They extract massive amounts of capital from the volunteer labor of unpaid contributors, and invest some of it back into the project, often by populating central positions with paid staff that steer the direction of the project in ways that ensure continued corporate benefit for the founder and their friends.

The future of open source depends on what those with power choose to do with that power. Do they build an equitable system of governance where those who do the work are consulted about and compensated from the riches extracted from their work? Or do they submit to the allure of chokehold capitalism by crushing what is left of their communities with the iron fist of a dictator who no longer sees benevolence as a worthwhile investment?

The usurping of ACF may set in motion events beyond the control of the WordPress community and even the greater web community. Ignored by the owner of .org and .com and his ilk, there are wolves at the doors to the open web, and they are itching to get in. Big Tech platforms and their lobbyists invest billions to convince lawmakers that the wild and open web is a threat to the safety of children and the stability of society. They say only their walled gardens can be trusted, and lawmakers listen.

Internal chaos in open source already has real-world impact outside the community: Mess with critical infrastructure, and you invite deep scrutiny. Both WordPress and ACF have become critical infrastructure, powering sites for enterprise-level businesses, educational institutions, and government entities small and large. To lawmakers informed by Big Tech lobbyists the solution is obvious: Outside corporate control.

For WordPress, what happens next is largely in the hands of a single man who is increasingly isolating himself and consolidating his power. His choice: Tighten the grip, or let governance in.

Time will tell if the Rubicon has been crossed. I fear we are past the point of no return, but I have hope and faith in the open source community and in their mutual solidarity.

And to me, hope is a catalyst. I know it can be for you too.

Stay true to your values, my friends, and build the world you want to live in.

Matteo Spirandelli

Founder @ iTechBlog.it | Contributor @ WordPress | Abstract

3w

It was not active; in fact there was a security issue and the dev didn’t fix it.

Laurie Kingdon

Graphics and web design solutions using brand strategy to align with the success of your business.

4w

Morton: Thanks for the heads-up. I’ve got a lot of catching up to do with this but appreciate the head start.

Tim Cahill

Finding what's broken and fixing it.

4w

Matt's actions technically conform to the governing rules as he quoted them, although those particular rules implicitly assume a severe emergency security breach situation would be required to invoke them. Matt's explanation sounded more like exploiting a loophole than judicious intervention. As I understand it, wordpress.org, the owner of the code, is under the governance of the wordpress foundation. Given the galvanization of the community, the word "fork" comes to mind. Would the foundation back it?

Sean Lovato

Creative Generalist | Beagle Whisperer | AI Whisperer

4w

It's certainly a Scorched Earth campaign. =(

Avrom Digance

Founder at Web242 Media Inc.

4w

Matt has gone completely off his rocker. After Gutenberg was introduced, with much community opposition, it was clear the WordPress community was no longer a valued member. Then WP Engine and now ACF. I completely agree with the premise in this article. I think a lot of established companies and WordPress developers will be taking their material off WordPress.org.

More articles by Morten Rand-Hendriksen