19 Oct

The Lack of People Not Tied To Matt Mullenweg in Control of WordPress Is a Negative for the Community

Last week we mentioned another area beyond security where the WordPress community is getting harmed by the people in charge: accessibility when it comes to the new Gutenberg content editor. In the wake of the resignation of the head of the WordPress Accessibility Team, who had pointed to problems caused by Matt Mullenweg in their resignation post, an employee of Matt Mullenweg’s company Automattic proposed having an independent audit of Gutenberg’s accessibility. To us it sounded like it might be done in a way that would be skewed, considering part of the proposal stated:

Feature-for-feature, compared to a classic editor with similar capabilities (eg a bunch of plugins installed), I’d bet* Gutenberg is more accessible.

That sounds to us like less than an apples-to-apples comparison, in the guise of one. But even that was apparently too much, as that audit has been postponed indefinitely. What is more relevant to us are the comments on the post about that at the WordPress Tavern.

In particular the first comment:

How about we don’t have Gary Pendergast an Automattician(!) managing the core merge of an Automattic-developed feature project into a wp.org release led by the CEO of Automattic? The conflicts of interest in this release process are amazing me.

Release Lead: Matt Mullenweg, Automattic CEO
Core Developer managing the merge: Gary Pendergast, Automattic
5.0 Release Manager: Josepha Haden, Automattic
Twenty Nineteen Designer: Allan Cole, Automattic

Gutenberg Leads:
Accessibility: Matthew MacPherson, Automattic
Design: Tammie Lister, Automattic
Development: Matias Ventura, Automattic
Phase 2 Development: Alexis Lloyd and Riad Benguella, Automattic

These are all good people, but are they willing to put principle ahead of angering their employer? The accessibility lead said he can’t affect the timeline. Why not??

In all releases before 5.0 new features went through a process with core teams to make sure they followed core standards. 5.0? Automattic decides. Why??

What we have seen is that people on the WordPress side of things in areas that we deal in don’t seem to have any concern for or understanding of conflicts of interest and how they should be properly handled. To us that seems to be a good indication of a lack of professionalism, and it hasn’t then been surprising to us that these same people cause a lot of problems and/or are not up to handling the tasks they are in charge of. These are not just volunteers, but people paid to handle the roles they fill. Take the head of the core WordPress security team, who on the one hand couldn’t understand the issue of providing sensitive non-public information to his employer’s security partner that didn’t actually need that information (and then promoted themselves on the basis of getting that information), and who also seems to be unable to make sure that security issues in WordPress are being fixed in a timely manner. Then there are the ongoing issues with those involved in the really poor handling of security issues with WordPress plugins using their power of moderation of the Support Forum to shut down conversations about those, which means that issues that are harming the rest of the community, and that could easily be fixed if not for them, remain unfixed for no good purpose.

What also speaks to the conflicts abounding is that the head of the WordPress Tavern, who works for Matt Mullenweg since he owns the WordPress Tavern, wrote this in response to that comment:

I see what you’re saying but why is this a bad thing? Can you point to instances or situations where having these people in these positions has negatively impacted the project? Automattic is not deciding, Matt Mullenweg is as the project leader.

As was already mentioned, the head of Automattic is Matt Mullenweg, so Automattic is deciding. The WordPress Tavern is one of the few news sources that are included in the “WordPress Events and News” portion of the WordPress admin dashboard, which seems unlikely to be unconnected to its ownership.

What is important to note from our area of focus is that it isn’t as if those outside of Automattic are not interested in being involved. In fact, with WordPress security plugins we haven’t seen an interest from them or anyone else to do the type of work we have done to make sure that the basics are handled. The problem is that you have people connected to Matt Mullenweg (who might be part of the problem himself when it comes to plugin security) that don’t seem to want to work with others or actively get in the way, making things worse. So, for example, right now you have plugins with at least nearly 3 million active installations that have known vulnerabilities and are still in the Plugin Directory, because we have been the only ones making sure that something was done about them, but we suspended doing that until the mess on the WordPress side of things is finally cleaned up. Unfortunately, the people on the WordPress side of things are much more interested in being able to continue to act inappropriately than in the security of WordPress plugins.

We suggest you read the rest of the comments because they really speak to what is going wrong with WordPress from the view of the community.