Hacker News: photomatt's comments

I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.

If it's a bug, our bad and we'll fix ASAP. If it's a bug, it's a very rare one. There have been 225k downloads of the SCF plugin in the past 24 hours, implying a lot of updates. I would estimate at least 60% of the sites with auto-upgrade on and using .org for updates have done so already. https://wordpress.org/plugins/advanced-custom-fields/advance...

That said, I'm happy to pay system2 whatever he thinks his time was "spent" on a Sunday is worth. Just let me know an amount and where to send. You can contact me here: https://ma.tt/contact/ .


Matt, you say that you've had no other reports and this is the only claim on the Internet.

That's not true. You have users on the support forums reporting issues with SCF.

"this has caused an incident requiring unscheduled maintenance on a weekend. I use this plugin on a couple hundred sites I help maintain, so this has been a very bad experience "

https://wordpress.org/support/topic/plugin-hijacked-on-weeke...


> I don't think

No, you just act and screw everyone else.

There's no justification for this whatsoever - it was your actions which meant that the ACF team couldn't manage the plugin on dotorg, and the issue you fixed was unbelievably minor.

IF you even had a point in the beginning, you've fatally undermined it. Hell, WPE's motion for a preliminary injunction even now notes that your actions here have potentially fallen into CFAA territory - https://storage.courtlistener.com/recap/gov.uscourts.cand.43...

Given you've been banning dissenters from Slack, I wonder "why" people might not be reporting issues where you can see them?


> I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.

Don't gaslight us. You've been removing negative reviews.


Thanks for improving on ACF. The plugin went downhill after the creator stepped away, IMO.

A while back, I bought a lifetime "Pro" license for ACF. It worked great for years. The last few times I tried ACF though, the admin experience felt degraded. My impression was their early customers had become an afterthought.

Looking forward to trying SCF. I have higher hopes for the plugin now.


[flagged]


Hi account with no other comments, no submissions, and no favorites, after registering 5+ years ago


My time has come, I will not lurk anymore. Where are the pitchforks btw?


Wot. Everyone has an old throwaway?


I will happily promote and link to any forks from WordPress.org. I've linked to two already, let me know if I need to promote more.


In this lawsuit against you and your mother, is it you or her who is accused of sexual harassment and racism? I don’t have access to read the case details.

Is this why you’re having a meltdown?

https://unicourt.com/case/ca-sfc-asmahan-attayeb-vs-matthew-...


> In this lawsuit against you and your mother, is it you or her who is accused of sexual harassment and racism?

Both (and the company through which they employed the plaintiff) are accused of the various discrimination, harassment, wage theft, etc., violations.

(EDIT: Though his mother is apparently accused of doing the direct racially- and religiously-bigoted statements, and the persistent graphic descriptions of Matt's sexual escapades, Matt's role -- other than as ultimately responsible as employer -- is participating directly in retaliation by taking complaints about the behavior back to his mother who accelerated rather than taking action to curtail them.)

> I don’t have access to read the case details.

You don't need access, you just need to go straight to the court site instead of a third-party aggregator.

https://webapps.sftc.org/ci/CaseInfo.dll?CaseNum=CGC22600093

And, if you had a nickel for every currently-active lawsuit against Matt and his mom for that kind of thing filed on June 9, 2022, you'd have two nickels, which isn't a lot, but it's interesting that there is more than one...

https://webapps.sftc.org/ci/CaseInfo.dll?CaseNum=CGC22600095


Am I reading this correctly? This guy owns an LLC through which he directly employs a personal healthcare team for his mother? And Mr. "Post-Economic" couldn't pay his nurses a fair wage?


> PLEASE TAKE NOTICE that Defendants hereby respectfully object to the Case Management Order, Notice of Time and Place of Trial and Trial Related Orders dated May 23, 2024. Since the filing of Defendants’ Case Management Conference Statement on May 21, 2024, Mira Hashmall, lead counsel for Defendants, has had a 5-7 day trial scheduled with a start date of March 17, 2025. With the trial in this matter starting on March 10, 2025, and trial in Case No. CGC-22-600095 starting on March 24, 2025, that would be three back-to-back trials and potential overlap amongst them.

"three back-to-back trials"? Is there more?


The attorney in question may have other clients.


That doesn't move the needle as far as restoring the trust you've broken.

You should negotiate with WP Engine to drop their suit contingent on your resignation. Maybe they'll go for it. Resigning is the only thing that would prove you're serious about allowing your power to be checked. And perhaps the only thing that would stop you from cutting a huge settlement check (probably within weeks and not the years you've anticipated).

Do you think that's something you're capable of? Do you care more about the future of WordPress and of open source than you do about your own power and rivalries? Will you prove it to us?

To be frank I don't believe you will. I'm pretty cynical about this kind of thing. But I've been wrong before. It would take a very strong person to admit, not just publicly but to their bitter rivals, that they had lost control and damaged their own life's work.

But if that person is you - it wouldn't be much, but you'd have my admiration.

---

Stark: Make peace with the Lannisters, you say? With the people who tried to murder my boy?

Baelish: We only make peace with our enemies, my lord.


While I appreciate the sentiment, I don't know that a hard fork is necessarily the right answer.

https://scottarc.blog/2024/10/14/trust-rules-everything-arou...


Have you read the GPL?


Eventually you are going to have to confront that the distance between 'technical correctness' and 'moral correctness' is vaster than you apparently think it is.


Parent does not mention GPL, nor is this a GPL issue. It's about the takeover of an existing plugin and its reviews/installs.


I am not a lawyer, but I am really curious if this would amount to tortious interference.


The problem isn’t GPL or code, it’s a trademark and trusting issue.


What kind of response is that? Does that mean you approve of sites like GPLDL then?



Have you read them? Both are in pending status and not registered. "Advanced Custom Fields" most recent update before a last minute extension to respond to final notice was for: "Merely Descriptive Refusal - Registration is refused because the applied-for mark merely describes the function of applicant’s goods and/or services."

So far even USPTO attorneys think it's a generic mark not worthy of being registered: https://tsdr.uspto.gov/documentviewer?caseId=sn98321164&docI...


Nothing has broken. Perhaps WP Engine should have considered that before suing us.


I'd normally never say something like this, but: seek therapy, man. Seriously. This is not normal. It will end badly for so many people, including yourself. It may not be too late.


I've vouched this comment. I don't think we should be flagging this comment; it's not particularly out of line, and there's a significant interest in the community seeing Mullenweg's comments.


You are a disgrace to the open source community.

I hope the lawsuit serves as a lesson to you.


Can't wait for Matt to read this in a deposition. At this point, the dude seems to be intent on running up the highest tab possible.


Business is war, I get it. But you chose to make innocent bystanders' (your users') lives difficult and you crossed a line by stealing code with an excuse that everyone sees through. This looks more and more like a personal vendetta.


There won't be a Wordpress community left if you continue as you have. What does the board think of your actions?


There must be a timeline in which this is de-escalated, compromises are being made and everyone's happy.

In your perspective - what does it look like? What could be done to go the opposite way and keep going?

Also, I'm surprised to see people only siding with WP Engine here. Usually the discussions here are much more balanced. What do you think could be the reason for it?


What a 5 year old kid you are Matt. Good that the community can now see through it.


Guy who started a fight tells target to stop hitting themselves


These are clearly the actions of someone who is sure they'll win the lawsuit.

(not)


Please proceed, governor.


I don't think punishing people for suing you typically plays well in court. Especially not if you, you know, publicly announce that's what you're doing.


This was my reaction as well. This sounded like tortious interference before, but to blatantly announce that he’s trying to kill someone else’s business, for exercising their legal rights no less, sounds like a summary judgement waiting to happen.

There is no dispute over the facts here if Matt is just going to announce his intents.

I cannot imagine his rage when not only does WPE not have to pay him, but now he’s paying them.


Trust is what has been broken.

Childish.


We have taken on stewardship of this code going forward, and will dedicate engineers to it. Probably more than Silver Lake does.


So, the ACF plugin is a useful contribution to the WordPress ecosystem? Significant enough to warrant bringing it in-house now? Is work on it included in your assessment of what WPE contributes?


Your shift of signifier here from WP Engine to Silver Lake is interesting. Clever tactic, private equity money is BAD! Unless it’s… I dunno? Black Rock p/e money?


Why don't you mention this in the post at all?


It actually is an excellent website, and the repo is here: https://github.com/bullenweg/bullenweg.github.io


Matt, you probably don't remember me, but we met briefly at WordCamp Vienna 8 years ago. I was hugely inspired by you for many years and still was until a few weeks ago.

It's not too late to stop this madness.


I have been unable to convince Jason Bahl to share the ~threats~ ~coercion~ terms you used to convince him to join Automattic. Your contribution via GitHub of the terms that you used to ~coerce~ persuade him into defecting would be appreciated.


People are concerned about you, my dude. Very concerned. From one human being to another - please consider taking a step back to get some perspective.


Hey Matt, you're behaving like a normal abuser who's successfully managed to mask up to this point. None of your behavior is clever. If you continue down this path, it's not going to be good for you.


This release fixes a separate security vulnerability from the original update.


Unfortunately you have no proof of that, because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues. The only thing done is removing a LOT of references, links, and instructions that would remind of WP Engine, as well as all compatibility with the PRO features.

Then, you added a few irrelevant changes that to the inexperienced eye look like security fixes https://plugins.trac.wordpress.org/changeset?old_path=%2Fadv...

However, these are no fixes. You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back to the $_REQUEST

Unless you show proof of a security fix - which you could have pushed to users WITHOUT renaming the plugin, WITHOUT removing original, non-security related code, and WITHOUT breaking compatibility with the PRO features - you have LIED and STOLEN code in the name of WP.ORG

This will hopefully be recognized by WP Engine and if god wills, remove you from the equation once and for all legally speaking.


> However, these are no fixes. You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back to the $_REQUEST

While this whole takeover thing is completely ridiculous, it's you who displays an "inexperienced eye" here. What do you think the $original_post variable (which was already there) is doing, huh?


The same. Nothing. The “security” issue here would be that the user callback can access post and request data. Tell me one place in the entire wp code base where that is NOT possible?

Security issues can be fixed WITHOUT renaming the plugin or removing links and text even if the original author has no access anymore

And that “fix” is ridiculous. If anything it breaks code of users who were actually adding callbacks using that data. It’s the nature of php that you can access those details - it’s up to the caller to know what to do with it. If anything, the usage of user callback is an issue here.

And in any thinkable case this ain’t a security fix that was done. A security fix would include that and only that change.


For some context how you MIGHT actually “fix” the true security concern in this code:

  $allowed_callbacks = ['some_function', 'another_function']; // Example of allowed functions
  if ( in_array($original_cb, $allowed_callbacks, true) && is_callable($original_cb) ) {
      $return = call_user_func($original_cb, $post);
  } else {
      // Log or handle invalid callbacks safely
      $return = false;
  }

Tampering with global variables or else is NOT a fix, and this one in particular is like pointing out a crumb on the child’s mouth and grounding it for not brushing its teeth.

You could apply a filter to allow filtering the allowed callbacks, if you really want to allow more than the hardcoded whitelist.

In the end it still boils down to “do not use user callbacks” as the better security fix, which again shows how “they” didn’t fix a thing here. This is a blatant excuse for legal CYA.


If the codebase was built on the assumption that user callbacks will execute in a context where POST data is sanitized (which is evidenced by the code that was already there), then failing to sanitize $_REQUEST in addition to $_POST is certainly a security issue.

Of course, relying on such simplistic measures is still brittle and inelegant, but that's another matter. Reworking it would likely be quite invasive to that codebase and far beyond the scope of a security patch.

(also, frankly, the entire WordPress ecosystem isn't particularly known for its high quality codebase... this kind of "fix" is exactly what you'd expect there even without all that drama around)

> Security issues can be fixed WITHOUT renaming the plugin or removing links and text even if the original author has no access anymore

Not sure who you're arguing with there, but certainly not with me.

You have plenty of shitty behavior to call out there, so not sure why you decided to announce that there's no security issue being handled at all instead. It only makes your point weaker for no good reason.


If anything, the problem here is call_user_func, which when an attacker HAS ACCESS TO THE CODE, can be dangerous.

How on earth does emptying POST or REQUEST solve anything at all in this regard? How on earth does, no matter what crap ACF added BEFORE the takeover, this "Fix" justify a hostile takeover? Whether or not there is a security issue with this code (which there IS, but not with POST or REQUEST data) is not even the matter anymore - it was and is posed and defended as an "urgent action to fix a security issue in a plugin the author has no access to"

And I repeat - there has not been any security fix!!

Read my root comment: > because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues.

And I stand by that. Anyone reading this code can see it.


> How on earth does, no matter what crap ACF added BEFORE the takeover, this "Fix" justify a hostile takeover?

You can continue arguing with yourself, but I don't need to be there.


Why do you not actually provide some researched facts? I mean, I am all ears to stand corrected. Yet it appears all you (and other automatticians, and/or else employees) can do is deflect and talk down pretending you know better. Do you? Then teach your fellow humans where they are wrong. So far, I still have not been proven wrong about this pretended fix, which fixed nothing at all.


I don't intend to defend Automattic's shitty behavior at all, it's indisputably shitty and I take offense at your suggestions that I may think otherwise, as I never gave you any reason to believe that.

That said, you clearly seem to be confused about the nature of the issue being fixed there. It's clear from the existing code that the contract between this function and the callback getting executed is that the callback is expected to execute in a kind of a sanitized environment with restricted execution abilities.

You can argue that it's a really weak sandbox and that the whole design is smelly, and I'll agree with you. However, that's how this code was designed and that's what users are running on their servers, and that's how they expect it to behave. It prevents the callback from calling functions with `wp_` prefix and it disallows it from reading or making changes to user's POST data.

Now, if you find a way to circumvent those restrictions, it's an obvious security issue. Someone may have deployed some code that relied on that contract, and now that contract is known to be invalid (it always had been, but it wasn't known before). Therefore, stopping that from happening is a security fix.

It may be a poor fix - and in fact, this one is, as it's incomplete. But it's a fix. The upstream project recognized that and applied a similar, but a bit more thorough approach in its repo:

https://github.com/AdvancedCustomFields/acf/commit/a60034f8a...

It does exactly what the change we're discussing does, plus a bit more.

You still wouldn't convince me that it's a bulletproof sandbox and I already have some other ideas in my head on how it could potentially be circumvented after reading that code (though my PHP is so rusty I may very well be wrong), but the change in question is clearly a security fix, recognized and applied by both Automattic and WP Engine and I really can't understand why you're so keen on implying otherwise. As I already said, it only made your other (good) points seem weaker.


Thanks for the reply. Actually that code (I mean the one where they started clearing POSTed data) was the "fix" WPE rushed into during the "grace period". The contract existing before, was that you throw in a user callback in a backend input and it executes that. It still did that after the rush fix (which was committed by Otto, but supposedly delivered to him by WPE), but with some more clearing:

  - POST is cleared
  - registered functions with wp_ are cleared

call_user_func was still called. Clearly, the idea behind it is not "some kind of sanitized env" since the start. The idea was "the user can throw in a callback and it will be executed". Then someone said "but that is unsafe" (And it is!) But the unsafe thing here is not "You have access to POST data or wp_ functions". That is the default in ANY code attached to WP anyway, and while being part of the danger here, the real danger is that an arbitrary POST EDITOR can throw in a callback and it executes that.

Which is why, yes, somehow, clearing posted data and excluding already existing methods like wp_ stuff is sort of a "fix" for that, since before the Post Editor did not even need to write the callbacks code: he could just have called a eventually bad (in context) registered method in core. So the "fix" does somehow mitigate, but not fix the issue.

I can see upstream builds on that idea even more. However the code still uses user callbacks, and those user callbacks can still be unsafe. You just need to throw in a callback that does something malicious, which does not even need to be obviously malicious code. It could be a callback registered elsewhere, where that other context makes sense and is not flagged, but in conjunction with this ACF feature, would be malicious.

It should be clear that the security issue here is not what you can access during that callback - the security issue is that the callbacks are not whitelisted, and/or allowed at all (which can be considered a problem too, but would break potency of the features of course if removed)

Not putting my hands in fire for this, but I believe there is a reason I could not find a CVE yet for this alleged security issue, only a reserved one. I suspect that is because the issue is still there, and publishing it would immediately render it more dangerous. I again would love to learn that I am wrong here.

I do stand by my original post that said: > because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues.

This stands true: the security issue was not fixed. If we start to call incomplete fixes a fix, then we can as well call anything anywhere a fix. Heck, I moved around some lines and cleared some of the data. It's fixed! That would never hold true. In all and every case, plugin review team would immediately review the FIX before you can even say "but", and they would immediately throw it back at you, asking for an _actual_ fix. Especially with call_user_func. This has not happened here at all, which just adds to the fun of the day.

I feel the discussion should evolve around this, and The Guys who yelled "Security" should come forward and explain to the public what they actually fixed, if they truly believe this fixes the issue, if they truly believe that ACF (sorry, SCF) is now _safe_, or not.

My point stands that it (the core issue) has not been fixed.

Sorry if it got a long post.


You also said "you added a few irrelevant changes that to the inexperienced eye look like security fixes", and that was the part I objected to. "You just introduce a new variable, that you never use, and re-assign the same contents of that new variable back" causes more confusion to an inexperienced eye than that code could ever do.

The real danger is that an arbitrary post editor can throw in a callback and it gets executed unsanitized. Having a proper sandbox would be a perfectly valid solution - in the end, that's the whole modus operandi of the web browser you're using to write these comments. And yes, I also have doubts whether the implemented measures are nearly enough to actually sanitize the input; I'm also not sure whether you can sandbox that feature properly without making it effectively useless - and while neither of those justify Automattic's behavior, it's a different accusation.


Hey, sorry I was offline a while

I think we might agree - and my original wording was tainted by emotions.

- indeed, there were changes in code that can be sold as “attempted security fix”
- indeed, as I think we both agree, the main security issue still needs attention to this very day
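
The exchange above (the allow-list sketch in the earlier comment, and the later back-and-forth over whether clearing POST data and blocking wp_-prefixed functions around call_user_func counts as a fix), as an added PHP example that is not part of the thread and not the ACF/SCF plugin's code. Approach 1 is a simplified sketch of the environment-restriction idea the commenters describe, not the plugin's actual implementation; approach 2 is the allow-list. The function names, the filter hook name example_allowed_callbacks, and the sample post are constructed.

```php
<?php
// Added example, not code from ACF/SCF or from any commenter above: contrast the
// "restrict the environment around the callback" mitigation discussed in the thread
// with an explicit allow-list of callback names, the fix the earlier comment argues for.
declare(strict_types=1);

// --- Approach 1: simplified sketch of the environment-restriction idea.
// It clears request data and refuses wp_-prefixed names, but still executes any
// other callable name the post editor typed in, which is the root issue the thread
// points at.
function run_callback_in_restricted_env(string $cb, array $post): mixed
{
    if (str_starts_with($cb, 'wp_') || !is_callable($cb)) {
        return false;
    }
    $saved_post    = $_POST;
    $saved_request = $_REQUEST;
    $_POST    = [];   // callback cannot read or change request data
    $_REQUEST = [];
    try {
        return call_user_func($cb, $post);
    } finally {
        $_POST    = $saved_post;   // restore for the rest of the request
        $_REQUEST = $saved_request;
    }
}

// --- Approach 2: allow-list. Only names registered by the site's own code run.
function allowed_callbacks(): array
{
    $allowed = ['format_title', 'word_count'];   // constructed example list
    // Hypothetical hook (name is an assumption) so a theme can extend the list
    // deliberately; only reachable inside WordPress, where apply_filters() exists.
    if (function_exists('apply_filters')) {
        $allowed = apply_filters('example_allowed_callbacks', $allowed);
    }
    return $allowed;
}

function run_allowlisted_callback(string $cb, array $post): mixed
{
    // Membership check first: is_callable() alone says nothing about whether a
    // name *should* run, since nearly every PHP built-in is callable.
    if (!in_array($cb, allowed_callbacks(), true) || !is_callable($cb)) {
        error_log("rejected callback: $cb");   // log, never execute
        return false;
    }
    return call_user_func($cb, $post);
}

// Two harmless callbacks registered by the site; the only ones meant to run.
function format_title(array $post): string { return strtoupper($post['title']); }
function word_count(array $post): int { return str_word_count($post['content']); }

// Constructed post; in the plugin the callback name is untrusted editor input.
$post = ['title' => 'hello', 'content' => 'one two three'];

var_dump(run_allowlisted_callback('format_title', $post));   // string "HELLO"
var_dump(run_allowlisted_callback('word_count', $post));     // int 3
// A callable PHP built-in typed in by an editor: callable, but not on the list.
var_dump(run_allowlisted_callback('print_r', $post));        // bool false
// Approach 1 executes the same name, because it is callable and not wp_-prefixed.
var_dump(run_callback_in_restricted_env('print_r', $post));  // prints the array, returns true
```

Run with `php example.php`. The last two calls are the whole argument in miniature: the restricted environment decides based on what the callback can see, the allow-list decides based on whether the name was ever meant to be callable from post content at all.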


Can anyone else prove this security vulnerability actually existed?


It doesn't matter. Matt didn't have the right to hijack ACF.


I'm not on Matt's side, but anyone has the right to fork a GPL project and call it something else.


This is not a fork. He stole the original project plugin space, its reviews, download statistics, SEO traffic, etc. It has nothing to do with GPL.


Wow. I will never contribute anything to WordPress again.


That isn't what happened here.


There is no proof, see my comment above.


You are abusing the community for your own gain. Stop!


So far as I can tell, when Matt talks about "the WordPress Community", he means:

  - Matt
  - the people who didn't quit Automattic last week
  - _maybe_ the WP core developers who don't work at Automattic, so long as they keep their criticisms to themselves
And the community of people who _use_ WordPress to run their websites, and the people who help them to do that, and the 3rd party plugin and theme developers who make WP work for so many different kinds of websites - can all go and get fucked.


What is he gaining at this point?


Avoiding the embarrassment of backing down and admitting he is wrong.

Apparently that's worth burning down his life's work and legacy for.


It gives him an excuse to behave the way he's always wanted to.


Harm of WP Engine.


Harming WPEngine is not even beneficial to Wordpress anymore.

With the level of revenge Matt is applying you'd think WPEngine murdered his dog or something.

It just makes no sense.


At the cost of also harming WP. Well done Matt. clap clap (these are sarcastic claps)


There's a reason mutually-assured destruction is abbreviated MAD.


The maintainers [1] and the Wordpress project’s core security team lead [2] said that the fix was already published, despite your blocking them from publishing it directly and irresponsibly disclosing the issue out of spite [3].

Was that not true?

[1] https://x.com/wp_acf/status/1843376378210857441

[2] https://x.com/johnbillion/status/1843750679141331039

[3] https://x.com/johnbillion/status/1842627564453454049


Sorry, I misread, disregard. I’d delete the comment but HN won’t let me.


All the information in the links you shared is totally wrong. Our lawyers have never said that WordPress.org is a non-profit or owned by the Foundation. It's owned and run by me personally, and I have a trademark license from the WordPress Foundation to use the WordPress name and brand on the site.


Here is the original source for the claim, which is on Automattic's website: https://automattic.com/2024/10/02/wordpress-trademarks-a-leg...

The author is identified as Neil Peretz, who it says is an associate general counsel at Automattic. He says:

"The Foundation also licensed the name WordPress to the non-profit WordPress.org, which runs a website that facilitates access to WordPress-related software."

A graphic included in the post similarly claims that "Right to use name as part of non-profit activities" went to WordPress. With the arrow coming from the WordPress Foundation.

We contacted Automattic's press email for clarification on that claim on Thursday. We have yet to hear back and the post hasn't been updated.


Hi, it's Neil Peretz. I was just alerted to your post. I understand there's a question you have. How can I help you?


I will ask on behalf of the entire Wordpress community - is there any part of the Wordpress cluster of organizations that do not ultimately answer to Matt?


Hi Legitster. I will work with colleagues on a response to your question. It's a broad topic given how many facets there are to the WordPress community.


I'll take that as a "no." unless proven otherwise.


While I love pronouns, they can lead to misunderstandings if not carefully defined. Above it was written "I'll take that as a 'no'".

Could you explain what "that" refers to in your statement. I am asking because, lacking a clear definition of the question, I cannot say whether the answer is Yes, No, or something else.


"that" was referring to your reply to their straightforward yes/no question being anything but.


So you interpret "is there any part of the Wordpress cluster of organizations that do not ultimately answer to Matt?" as being a YES or NO question?

I interpret it as a request for information about what is Matt's role in the ecosystem and I was gathering information to share about that.

However, if you are not interested in factual information, the answer is: YES, there are various parts of the Wordpress cluster of organizations that do not ultimately answer to Matt.


Which ones aren't under his control? HR? Legal? Because no sane person would be letting him do this


While I love the use of passive aggressive language, in this case, as it was originally written, "However, if you are not interested in factual information, the answer is: YES" causes some globule of confusion to the primary reader --

Is this to imply that the answer Yes to the question about Matt's control over the organizations named WordPress is _not_ in fact factual?

Dictated not read.

YMHAOS


Ironic, this is the same confusion WP users are having over a word that is not a pronoun -- WordPress


come on, Neil... you just published 700 words on the topic. You even made flow charts! Are you now saying you don't actually have a solid understanding of the situation?


Given how poorly written that article is (and how he has no control of his client), it's not clear that Neil is actually a real lawyer


Despite our sometimes fervent wishes, lawyers don't control clients. We are not puppeteers.


Matt has also claimed that you or someone else on his legal team has signed off on his posting. https://news.ycombinator.com/item?id=41726834

Is that true or false?


So what you're saying is that you "fervently" think your boss should shut up because he is giving his legal opponent fuel for their case against his extortion and other charges? And that he's making you write things that you don't understand or particularly agree with?

I promise you, your integrity (or at least your license to practice law) is worth more than Matt's sinking ship. I hope you can move on to do something meaningful with your practice


he's never going to move on to anything meaningful, he's fully cooked


No, that's not what I am saying. Nice try with the leading question though.


If lawyers only had perfect clients, they wouldn’t have clients.

(Analogously, If software engineers only worked for perfect companies, companies wouldn’t have software engineers.)


Clearly your question is beyond the scope of the article - which means you want more than 700 words. Otherwise you could just read the article.


Neil,

Thanks for participating. I have an honest question:

How do you reconcile your post [0] claiming that Automattic controls all commercial aspects of the trademark with Matt's previous claim that "the most central piece of WordPress’s identity, its name, is now fully independent from any company" and that Automattic had "give[n] up control" of the marks? [1]

[0] https://automattic.com/2024/10/02/wordpress-trademarks-a-leg...

[1] https://ma.tt/2010/09/wordpress-trademark/


I appreciate the question and it deserves a lengthier blog post reply that I will work on and share. In the interim, some brief thoughts on the topic that may be relevant.

The WordPress community operates on an open source, non-commercial basis. The community decides what is included in each release of WordPress, how it's tested, what documentation accompanies it, etc.

Because the WordPress Foundation, not Automattic, owns the WordPress trademarks for non-commercial use, Automattic has no control or veto of what code is stamped with the WordPress label.

By contrast, if Automattic retained non-commercial control over the WordPress trademarks it could refuse to affix the WordPress label to work done by and released by core contributor groups.

In case you are not familiar with how WordPress decision-making works: Volunteer contributors self-organize into groups that set their own goals, interface with other groups, allocate resources, plan a schedule, and resolve issues according to a Community Code of Conduct (see https://make.wordpress.org/handbook/community-code-of-conduc...). You can learn about how decisions are made in the WordPress project at https://learn.wordpress.org/course/how-decisions-are-made-in....

I am going to operate under the assumption that others may have similar questions, which is why I think this is a good topic for a blog post.


Neil, thanks for your response. But (as you noted) there is still lots of confusion.

>Because the WordPress Foundation, not Automattic, owns the WordPress trademarks for non-commercial use, Automattic has no control or veto of what code is stamped with the WordPress label.

Respectfully, how the "code is stamped" wasn't the question, and nobody was worried about that. What people were worried about around the time of Matt's post (previously linked) was corporate control over the marks. That is the context under which Matt made the claim.

Given that context, would you describe the trademarks as being "fully independent from any company"?

If I may pick your brain some more: where does this distinction between commercial and non-commercial use come from? The trademark assignment does not appear to make any such distinction: "..an exclusive, fully-paid, royalty-free, perpetual, irrevocable, worldwide, sublicensable right and license to use and otherwise exploit the trademarks...".

https://assignments.uspto.gov/assignments/assignment-tm-4233...

Which brings up something else I hope you can clarify: how can The Foundation grant wordpress.org a license if the licence granted to Automattic is exclusive? Wordpress.org as you know, is not a non-profit.

Thanks.


Hi mthoms. The question you asked is: "how can The Foundation grant wordpress.org a license if the licence granted to Automattic is exclusive? Wordpress.org as you know, is not a non-profit."

One need not be a non-profit corporation to engage in non-commercial use. Distributing open source software at no charge is not a commercial activity.

An analogy might be you or I volunteering at a community event. We are individuals, not non-profit corporations, however we would be engaged in non-commercial activity.


Thanks Neil. I disagree strongly about dot org being non-commercial. Jetpack and Akismet (Automattic commercial products) have been "featured" plugins since time immemorial. That means they show up ahead of 60,000 other plugins, every time. There is massive commercial benefit to that.

Just one more question if you don't mind -

Where does this distinction between commercial and non-commercial use come from? The trademark assignment does not appear to make any such distinction: "..an exclusive, fully-paid, royalty-free, perpetual, irrevocable, worldwide, sublicensable right and license to use and otherwise exploit the trademarks...".


> Where does this distinction between commercial and non-commercial use come from? The trademark assignment does not appear to make any such distinction: "..an exclusive, fully-paid, royalty-free, perpetual, irrevocable, worldwide, sublicensable right and license to use and otherwise exploit the trademarks...".

Not the parent commenter, but I'm guessing it comes from the usage part after:

> in connection with the hosting of blogs and web sites that utilize any version or component of the WordPress open source publishing platform product or open source successor of any of the foregoing on or in connection with www.wordpress.com and www.wordpress.tv (each and collectively, together with any subdomains of any of the foregoing, "Automatic Sites"), providing support for the Automatic Sites, and/or substantially similar uses in connection with the Automatic Sites.


Right, but none of that says anything to the effect of "excluding non-commercial use". It's a blanket assignment for "hosting of blogs and web sites that utilize any version or component of the WordPress open source publishing platform product or open source successor..."

That means Automattic's rights are not restricted in any way despite their claims that The Foundation has exclusive non-commercial rights and Automattic does not.


Do you consider a site privately owned by Matt that advertises Matt's commercial products to be non-commercial because it also hosts open source code?


It appears you do not know what is going on with WordPress.

The person who ultimately controls what is included in a release of WordPress is the Release Lead. They are an employee of Automattic. We compiled a list of Release Leads going back to 2019: https://www.pluginvulnerabilities.com/2024/10/10/automattics...

It has been Matt Mullenweg 12 of 15 times. The other Release Leads were Josepha Haden Chomphosy and Matías Ventura, who were Automattic employees at the time.

So Automattic obviously does have control and a veto.


If the WordPress Foundation is controlled by Matt, Automattic is controlled by Matt and WordPress.org is controlled by Matt, how can there be independent decision making? As Matt has demonstrated by blurring the lines between WordPress.org and Automattic by introducing the ban on WP Engine "affiliates" accessing WordPress.org because of the lawsuit against Automattic, there's no distinction.

Matt has tweeted about his final approval over WordCamp events despite members of the volunteer groups operating under the belief they had the final say, which undermines any attempt to claim these volunteer groups have any control (only the illusion of control): https://x.com/ryancduff/status/1841834672059199590

Automattic just poached Jason Bahl from WPEngine to bring WPGraphQL into core WordPress, demonstrating very clearly that Automattic have control over WordPress core: https://wordpress.org/news/2024/10/wpgraphql/

Matt has shared that he owns WordPress.org personally but that Automattic employs hundreds of people to work on it and spends millions of dollars financing it.

Ultimately, you work for Automattic and report to Matt so you're obligated to share his version of the world, but the version of the world you're describing only exists in Matt's head. There's no way to frame what is happening as independent of Automattic. I know that it doesn't matter to you personally, this is just a job, and once you leave Automattic you'll look back and laugh at the absurdity of this situation. I guess the point of my comment is to say: we all know that you know this is nonsense, you're convincing nobody. If you actually believe this nonsense (which I doubt, you're not an idiot) then you need to do a much better job of convincing people.


In your article, you explain that Automattic has given all trademark rights to the foundation and has been given a license for commercial usage. That would mean that A8C can use and enforce the license in commercial contexts according to the terms set forth in the licensing agreement with the foundation, correct? But, in my understanding, that would not actually confer *ownership* back to Automattic, it would grant a license to use according to agreed upon terms, that could, as Matt himself explained in one of the Youtube interviews, be taken away from Automattic if the foundation would no longer consider Automattic a suitable guardian (I think that's the term he used) of the trademark.

Is this correct?

Could the foundation actually legally revoke Automattic's commercial rights? If so, what would be the requirements for that to happen? Are the foundation's legal statutes available anywhere?

Thanks!


> Because the WordPress Foundation, not Automattic, owns the WordPress trademarks for non-commercial use, Automattic has no control or veto of what code is stamped with the WordPress label.

Who are the board members of the WPF, and how active are they? My understanding is that there are three, and two are active.

Who is the CEO of Automattic? Let's not be naive and pretend that Automattic has "no control" over the WordPress Foundation when they share Presidents.

For one simple example, why did Matt Mullenweg, President of the independent, "no control from Automattic", WordPress Foundation disinvite WP Engine from a community event they sponsored, because they were in a legal dispute with Matt Mullenweg, President of entirely independent, arms-length Automattic?


Are you saying that Matt has never and will never veto a contribution that the contributor team has agreed on?

Are you also saying that Automattic employees have not led and had controlling power on teams that are making commits to WordPress?


Did Matt really send you here without even explaining what the conversation was about? And then you didn't even bother to read it for yourself?

The article you wrote claims "The Foundation also licensed the name WordPress to the non-profit WordPress.org, which runs a website that facilitates access to WordPress-related software."

Matt in his comment claims "All the information in the links you shared is totally wrong. Our lawyers have never said that WordPress.org is a non-profit or owned by the Foundation."

So which of you have it wrong?


I believe there was a typo in the post. If you read this thread you'll see a note below from Matt yesterday that the post was corrected.


"Asbolutely" is a typo.

Don't white wash a completely inaccurate and misleading statement as a typing error - that treats people like fools.

ESPECIALLY since this is one of DOZENS of recently citable instances where Matt refers to WP.org, Automattic, and the Foundation almost interchangeably.

"Rushing to fix years of (intentionally/conveniently) muddy waters on org structures" is not "a typo in the past" - this is insulting to your audience.


We don't have any questions, but there are possibly several inaccuracies in the post you wrote. At least the information appears to contradict other information provided on your side.

The post has been updated to say that "The Foundation also licensed the name to the website WordPress.org, which facilitates widespread access to WordPress-related software at no charge." Websites presumably can't have trademark licenses. There must be a legal entity. Matt Mullenweg is claiming that he personally has the second license for the trademark [1], so not a website. A graphic included in the post similarly still claims that "Right to use name as part of non-profit activities" went to WordPress. With the arrow coming from the WordPress Foundation. There doesn't appear to be a non-profit.

The post states that "The right to use the WordPress marks for commercial purposes (e.g., selling software, hosting, and agency services) is owned by Automattic." The publicly available license states that Automattic has the right to use the trademark "in connection with the hosting of blogs and web sites [2]." So it looks like Automattic's rights are more limited. Maybe the license has been amended or there is an unstated belief that the license has a wider scope than the plain language of the license suggests. Having the foundation release all license agreements it has would help to clear things up, possibly for you, but definitely for everyone else.

In explaining how the license agreement between the foundation and Automattic happened, the post says that 'In order to effect a valid license agreement, there needs to be an actual exchange of value from both sides, which lawyers call "consideration."' But Matt Mullenweg [3] and what appears to be an Automattic employee writing for the WordPress Foundation [4] both stated at the time that Automattic donated the trademark. Legally, a donation can't involve a consideration [5]. That would suggest there isn't a valid license agreement or there wasn't actually a donation.

We would suggest you consult with a lawyer about all that, but you are a lawyer.

[1] https://youtu.be/OUJgahHjAKU?t=442 [2] https://assignments.uspto.gov/assignments/assignment-tm-4233... [3] https://ma.tt/2010/09/wordpress-trademark/ [4] https://wordpressfoundation.org/news/2010/trademark/ [5] https://www.law.cornell.edu/wex/donation


You wrote: "In explaining how the license agreement between the foundation and Automattic happened, the post says that 'In order to effect a valid license agreement, there needs to be an actual exchange of value from both sides, which lawyers call "consideration."

Indeed. And there was a lot of Consideration given in this exchange. Automattic owned 100% of the WordPress trademarks. Automattic's "Consideration" was to give all the non-commercial use of those trademarks to the WordPress Foundation.

Consider a simple, but apt analogy. You own a car. You decide to give someone else the right to drive your car on the weekends, however you retain the right to drive it during the week. Did you provide Consideration for the right to drive the car during the week? Of course - the recipient previously had nothing and you gave them the right to drive your car on the weekend. The only lack of Consideration here was that the person getting the weekend driving rights gave you nothing in exchange for those.


> Indeed. And there was a lot of Consideration given in this exchange. Automattic owned 100% of the WordPress trademarks. Automattic's "Consideration" was to give all the non-commercial use of those trademarks to the WordPress Foundation.

If I understand your comment correctly, you are saying that Automattic is still the owner of the WordPress trademarks, and granted licenses for non-commercial use to the WordPress Foundation?


It's clear from what he's saying that Automattic once OWNED the trademarks, but transferred those trademarks to the WordPress Foundation, and thus Automattic is NO LONGER THE OWNER of said trademarks.

What Automattic has is an exclusive license to use and sell the commercial licenses of the trademark.


I don't think that's clear.

>Automattic owned 100% of the WordPress trademarks. Automattic's "Consideration" was to give all the non-commercial use of those trademarks to the WordPress Foundation.


You need to keep reading the rest of what we wrote there. We were not disputing that explanation of a consideration. We are saying there can’t be a consideration in a donation and two employees of Automattic contemporaneously claimed it was donation. Either there wasn’t a donation or there isn’t a valid license agreement.

You also didn't address the other issues at all.


It seems like they used "non-profit" in that sentence to mean:

"an undertaking being conducted for a purpose other than making a profit"

…rather than…

"an organization that has been recognized by the Internal Revenue Service as being organized and operated exclusively for exempt purposes as set forth in section 501(c)(3) of the Internal Revenue Code."


You would think an attorney of all people would be more careful with their words, especially with terms like "non-profit".


Sorry that even attorneys can have typos.


That’s a pretty meaningful mistake, given that the nature of the non-profit entanglement is fundamental to several claims. It seems like you were as confused as the community was, which sure doesn’t help any of Matt’s claims about everything being “open” and “transparent” all along.

Well, I guess this thread answers the question of “how can Matt’s lawyer possibly be encouraging this?”

Penny-wise and pound foolish.


It's been almost a week, what correction would you like to make to this? You've been dodging and the community deserves honest answers.


Which word was meant to be used instead of non-profit here?


Sorry for that error, the post has been updated now.


Thanks for clarifying on that error.

I am not involved in the wordpress community in any shape or form but am fairly privy to what it is along with the open source world yet.. even I am finding it hard with confusing and/or conflating statements on what falls under the non-profit, foundation, commercial entity, etc.

But even if you ignore random stranger me from the internet, wouldn't it flag something in you that your own legal representative got it wrong on an official company post clarifying the structure? Even if I apply the most charitable interpretation, it seems Neil is also equally confused or at least not on the same page as you since he is unable to respond consistently in the other threads?

I am sure you will at least see why everyone is just perplexed by how obtuse the whole structure between WordPress.org, the WordPress Foundation and Automattic is.


As I noted above, we are preparing a blog post with further detail about Matt's role in the community. Of course, if that doesn't provide sufficient clarity, let us know.


How about how the non-profit Wordpress Foundation lists the Wordpress Plugins and Themes indexes as Foundation projects, while you maintain that they’re something you personally own, and are openly controlling for the sake of your profit-seeking conflict with WPE?

https://wordpressfoundation.org/projects/

It’s ironic that you make analogies to “getting Al Capone” while you yourself appear to be engaged in a decade-long tax fraud. But like your constant allegations of “astroturfing by WPE” to explain why everybody holds you in contempt, I guess it’s easily explained as narcissistic projection.

It’s not astroturfing. Everybody can read you, Matt. And they don’t like what they see.


Considering you own wordpress.org and the third link, that you claim is hosting completely wrong information, is on Wordpress.org you should ensure it has correct information. Especially, since it appears to have been written by you.


You're so bad at this...


And therein lies absolutely 0 conflict of interest :) /s


I'm very excited to have Mary on board. :)


Can you clarify if "Executive Director of WordPress.org" is the same job as "Executive Director of the WordPress Foundation"?

I know you personally own wordpress.org and not the foundation (as many people suspected) so this is unclear.


Executive Director of WordPress.org is simply a job title at Automattic. Josepha found out about the WP Engine ban from wordpress.org in real time along with the rest of the community.


There is a wordpressfoundation<dot>org, so I doubt it. In my opinion <dot>org is software repo/wp-inc HQ.. and <dot>com is commercial and hosting enterprise. But of course, let's hear from the horse's mouth himself!! :-P


Totally different. The Foundation has no employees, only volunteers and three board members. (I'm one of them.)


What legal entity is WordPress.org insured under, and who cuts the checks?


Wordpress.org isn't a legal entity. It's simply a domain owned by Matt. It seems Matt has a license to use the Wordpress trademarks.

The Wordpress Foundation is a non-profit legal entity with a tiny budget. It appears the only thing it does is serve as a holding entity for the trademarks and the for-profit company that operates the WordCamp conferences.

I suspect that Automattic is the one who foots the bill for the infrastructure behind Wordpress.org, but that's not clear.

Matt talks about transparency, but how everything operates is a muddled mess.


> Wordpress.org isn't a legal entity. It's simply a domain owned by Matt.

Automattic's website (https://automattic.com/2024/10/02/wordpress-trademarks-a-leg...) says otherwise:

> The Foundation also licensed the name WordPress to the non-profit WordPress.org, which runs a website that facilitates access to WordPress-related software.


The article has been updated.

> The Foundation also licensed the name to the website WordPress.org, which facilitates widespread access to WordPress-related software at no charge.


Matt is apparently in full-blown CYA mode.

He's far too used to just referring to, and treating, all these entities synonymously, and now that someone is pointing out all these glaring little admissions of exactly that, he is frantically trying to alter the record.

He's obviously paying close attention to HN, even when he's not on a posting binge making things worse. One can only imagine WP Engine's law firm is doing the same.


This is straight from Matt, himself:

https://news.ycombinator.com/item?id=41782365


I’d love to see something on the foundation website which explains this.

Thanks for your reply.


Indeed, a blog post with more detail is forthcoming.


Can you clarify when you're going to cease your public tantrums and your erratic idiotic behavior that is causing problems for Wordpress users worldwide?


Can you clarify if this is a 1:1 backfill for Josepha's role or if her scope will be different?


The scope will be significantly broader as Mary brings a lot of talents to the ecosystem.


I expect a lot of top technical talent at WP Engine that's aligned with Open Source is thinking the same thing.

