Wordpress 2.3 is out today. And there was much rejoicing. Now, yesterday, someone on the Wordpress development mailing list noticed that the new plugin update notification feature sends a list of your plugin names and versions, and your URL, to a server.
Cue confused core developers, much chatter, etc. It was, of course, Matt's doing, as with just about every silly development decision on Wordpress these past few years. I have mentioned previously, of course, the lovely not-at-all-connected-to-advertising BrowseHappy link.
And why, exactly, is the information collected? "...It could be useful in the future." Thanks, Matt. I'm sure that really reassures the users. He then advises people who don't trust Wordpress.org to fork the project. I think, though, there's a big difference between trusting Wordpress the open-source, reviewable project, and trusting Wordpress.org, that shadowy, Matt-dominated extension of Automattic.
There are actually a number of legitimate reasons for concern. First, if the data were ever leaked or stolen (bear in mind that Wordpress.org's webserver was compromised last year), then someone would have a list of plugin versions with URLs! This is a moderately big deal; all they'd then have to do is search plugin changelogs for security fixes, and they'd be able to produce a big list of vulnerable blogs!
And then, there's another issue. Matt hasn't said how this data will be used. Automattic notoriously isn't keen on terms of service; Wordpress.com only got them quite recently. Matt has previously been willing to engage in slightly shady advertising techniques (Wordpress.org spam link controversy, BrowseHappy ad with people using IE shoved towards BrowseHappy, those ads that no-one knew were there on Wordpress.com, etc.). From the plugins a user uses, you may be able to derive a fair bit of information about their hobbies and so forth. "Oh, this person has an animated cat in their admin area and a plugin that displays the rugby scores!" Considering their history, I'd be reluctant to give Automattic any more personal information than absolutely necessary.
There are, by the way, patches to take out the URL-sending mentioned on that mailing list topic. If you are upgrading, I would strongly recommend you apply one.
We'll end with a little humour, I think, today. Take it away, Matt:
I would like to remind the participants of this thread that WP.org !=
Automattic, so to be fair to the members of both please distinguish
which you're referring to.