So, you’ve created open source software to make it easier to provide update signing. It requires auditing but you ask WordPress to implement it with their system but, for now, they decline, simply because it’s not something immediately planned. However, Matt Mullenwegg agreed to donate towards getting the audit done.
What would you do the next day?
I’m guessing it wouldn’t involve posting a massive rant about WordPress, but specifically aimed at Matt, about how much WordPress doesn’t care about security, even to the point of trying to make popular a hashtag of #StopMullware? Well, that’s just what Scott Arciszewski did, via Medium.
I propose that we refer to any software that is marked by willful negligence towards security as mullware, in dishonor of Matt Mullenweg.
Matt turned to Medium too (for the first time), in his own words, as it “seems to be the most popular place for rants like this”. His response, represented in an interview-style had him answering questions he posed about questions raised by Scott. Needless to say, it was pretty damning. Scott eventually removed his post, although it remains cached by archive.org.
In a nutshell, though, the reasons for not doing it right now are…
We will [do update signing] at some point; it’s a good idea — can’t hurt, might help. There are, however, some more important security issues in front of it, that impact millions of sites in the real world, so we are prioritizing those issues above a nice-to-have, defense in depth effort
Scott, sadly, has fallen fowl of feeling pretty bruised about his pet project being rejected and so has kicked out in frustration. Unfortunately, it’s not done him any favours and is a fine example to anyone in such a situation of what not to do.
We’ll try to not let a decent idea be sullied by the messenger.