I'd been staying out of this conflict, partly because I'm not really <i>in the know</i> on WP Engine's behavior behind the scenes and, as weird as Mullenweg's plays have been, I don't like to comment on things I'm not fully read into.
<p>But, this touches on a particular hobby horse of mine. It involves some old conflicts too, but I don't want to ruminate on them.
<p>From about 2016 to 2019, I was heavily involved with trying to remedy what I considered an existential threat to the Internet: WordPress's auto-updater.
<p><a href="https://core.trac.wordpress.org/ticket/25052" rel="nofollow">https://core.trac.wordpress.org/ticket/25052</a> + <a href="https://core.trac.wordpress.org/ticket/39309" rel="nofollow">https://core.trac.wordpress.org/ticket/39309</a>
<p>If that sounds alarming, consider the enormity of WordPress's market share. Millions of websites. W3Techs estimates it powers about 43% of websites whose server-side stack is detectable. At the time, it was a mere 33%.
<p><a href="https://w3techs.com/technologies/overview/content_management" rel="nofollow">https://w3techs.com/technologies/overview/content_management</a>
<p>For the longest time, the auto-updater would pull an update file from WordPress.org, and then install it. There was no code-signing of any form until I got involved. So if you pop one server, you get access to potentially <i>millions</i>.
<p>Now imagine all of those webservers conscripted into a DDoS botnet.
<p>Thus, existential threat to the Internet.
<p>Eventually, we solved the immediate risk and then got into discussing the long tail of getting theme and plugin updates signed too.
<p><a href="https://paragonie.com/blog/2019/05/wordpress-5-2-mitigating-supply-chain-attacks-against-33-internet" rel="nofollow">https://paragonie.com/blog/2019/05/wordpress-5-2-mitigating-...</a>
<p><a href="https://core.trac.wordpress.org/ticket/49200" rel="nofollow">https://core.trac.wordpress.org/ticket/49200</a>
<p>You can read my ideas to solve this problem for WordPress (and the PHP ecosystem at large) here: <a href="https://gossamer.tools" rel="nofollow">https://gossamer.tools</a>
<p>Here's the part that delves into old drama: Mullenweg was so uncooperative that I wrote a critical piece called #StopMullware (a pun on "malware") due to his resistance to even commit to <i>solving the damn problem</i>. On my end, I reimplemented all of libsodium in pure PHP (and supported all the way back to 5.2.4 just to cater to WordPress's obsession with backwards compatibility to the lowest common denominator), and just needed them to be willing to review and accept patches. Even though I was shouldering as much of the work as I logically could, that wasn't enough for Matt. After he responded to my criticism, I took it down, since he committed in writing to actually solving the problem. (You can read his response at <a href="https://medium.com/@photomatt/wordpress-and-update-signing-51501213e1#.q1pfo5u7k" rel="nofollow">https://medium.com/@photomatt/wordpress-and-update-signing-5...</a> if you care to.)
<p>The reason I'm bringing this old conflict up isn't to reopen old wounds. It's that this specific tactic that Mullenweg employed would have been <i>mitigated</i> by solving the supply chain risk that I was so incandescent about in 2016.
<p>(If you read my proposals from that era, you'll notice that I cared <i>a lot</i> about the developers controlling their keys, not WordPress.)
<p>I don't keep up-to-date on Internet drama, so maybe someone already raised this point elsewhere. I just find it remarkable that the unappreciated work for WordPress/PHP I did over the years is relevant to Mullenweg's current clusterfuck. Incredible.
<p>Since my knowledge on the background noise that preceded this public conflict is pretty much nil, I have no reason to believe WP Engine holds any sort of moral high ground. And I don't really care either way.
<p>Rather, I'd like to extend an open invitation: If anyone is serious about leading the community to fork off WordPress, as I've heard in recent weeks, I'm happy to talk at length about my ideas for security enhancements and technical debt collection. If nothing else comes of this, I'd like to minimize the amount of pain experienced by the community built around WordPress, even if its leadership is frustrating and selfish.
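The comment above describes the risk of an updater that downloads a package and installs it with no signature check, and the fix it argues for: a detached signature, verified against a public key the developer controls, before anything is installed. The following PHP is an added illustration of that check and is not code from the commenter, from WordPress core, or from the linked tickets. It uses the libsodium API that ships with PHP 7.2+ as ext/sodium (the same function names are provided by the sodium_compat polyfill on older PHP); the function names `verify_update_package` and `install_update`, the keypair, and the package bytes are all constructed here for the demonstration.

```php
<?php
declare(strict_types=1);

// Assumption: on a PHP build without ext/sodium, the paragonie/sodium_compat
// polyfill (installed via Composer) defines the same sodium_* functions.
if (!function_exists('sodium_crypto_sign_verify_detached')) {
    require_once __DIR__ . '/vendor/autoload.php';
}

/**
 * Check a downloaded update package against a detached Ed25519 signature.
 * The updater only needs the developer's PUBLIC key, pinned in the installed
 * code; the secret key stays on the developer's release machine.
 *
 * Hypothetical helper for this example, not a WordPress core function.
 */
function verify_update_package(string $package, string $signatureHex, string $pinnedPublicKeyHex): bool
{
    try {
        $signature = sodium_hex2bin($signatureHex);
        $publicKey = sodium_hex2bin($pinnedPublicKeyHex);
    } catch (SodiumException $e) {
        return false; // malformed hex is a rejection, not a crash
    }
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, $package, $publicKey);
}

/**
 * The updater flow with the check in the right place: verify first, then
 * hand the bytes to whatever unpacks and copies files. $downloaded stands in
 * for the bytes fetched from the update server.
 */
function install_update(string $downloaded, string $signatureHex, string $pinnedPublicKeyHex, callable $installer): string
{
    if (!verify_update_package($downloaded, $signatureHex, $pinnedPublicKeyHex)) {
        return 'rejected: signature does not verify against the pinned key';
    }
    $installer($downloaded);
    return 'installed';
}

// ---- Demonstration with a constructed keypair and package (not real release keys) ----

// Release side (developer's machine): generated once, secret key kept offline.
$keypair      = sodium_crypto_sign_keypair();
$secretKey    = sodium_crypto_sign_secretkey($keypair);
$publicKeyHex = sodium_bin2hex(sodium_crypto_sign_publickey($keypair)); // this is what gets pinned

// Constructed bytes standing in for a core/plugin/theme zip.
$package      = "PK\x03\x04 constructed-update-package-1.2.3";
$signatureHex = sodium_bin2hex(sodium_crypto_sign_detached($package, $secretKey));

$installer = static function (string $bytes): void {
    // unzip and copy files here; never reached for a rejected package
};

// 1. Genuine package and signature: installs.
echo install_update($package, $signatureHex, $publicKeyHex, $installer), PHP_EOL;

// 2. Package altered in transit or on a compromised update server: rejected.
echo install_update($package . ' tampered', $signatureHex, $publicKeyHex, $installer), PHP_EOL;

// 3. Package signed by some other key (not the developer's pinned key): rejected.
$otherKeypair = sodium_crypto_sign_keypair();
$otherSigHex  = sodium_bin2hex(sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($otherKeypair)));
echo install_update($package, $otherSigHex, $publicKeyHex, $installer), PHP_EOL;

// 4. Garbage in the signature field: rejected without throwing.
echo install_update($package, 'not-hex', $publicKeyHex, $installer), PHP_EOL;

// Wipe the secret key once the release step is done with it.
sodium_memzero($secretKey);
```

The point the check hinges on is where the public key comes from: it has to ship with the already-installed code (or be pinned by the developer out of band), not be fetched alongside the package, otherwise whoever controls the update server controls the key too. That is the distinction the comment draws between developers holding their own signing keys and the update server holding them, and cases 2 and 3 above are exactly what such a check catches.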