[00:00:00] Jason Tucker: This is episode number 23 of Dev Branch Active Growth Problems.
[00:00:17] Sé Reed: I couldn’t
[00:00:17] Jason Tucker: I’m Jason Tucker. You find me at Jason Tucker on Twitter.
[00:00:22] Sé Reed: That’s Jason Tucker. that’s Jason Tucker. There’s Steve, but he’s not here.
[00:00:27] Sé Reed: That’s.
[00:00:28] Jason Tucker: Zehngut. You can go find him over at Zehngut on Twitter.
[00:00:32] Sé Reed: Oh, hey, I’m Sé at, Sé Reed Media on Twitter for now, cuz you know.
[00:00:38] Jason Cosper: And y’all know who it is. It’s your boy Jason Cosper, AKA Fat Mullenweg, back at it again on the world’s most influential WordPress podcast.
[00:00:45] Jason Tucker: Speaking of podcasts. You can go find us on Apple Podcasts, Google Podcasts, Audible, Spotify. Pretty much wherever it is you listen to podcasts, and if you wanna come in, hang out with us, you can go over to Discord go w.com/discord, where you can go and hang out with everyone in there. We’d appreciate it.
[00:01:03] Sé Reed: I’ll figure out how to use it. I’ll use it soon. I’m there now, but
[00:01:08] Sé Reed: I like
[00:01:08] Jason Tucker: soon. You installed it already.
[00:01:10] Sé Reed: I installed it and I was like gonna reply and then I like, couldn’t figure out how to say hi to people and then I was like, I’m out. Okay. Anyway. but we have two folks here. Are you guys in the Discord?
[00:01:21] Matt Cromwell: your
[00:01:21] you’re in a Discord.
[00:01:22] Sé Reed: I’m sure you’re in a Discord or two.
[00:01:25] John James Jacoby: sounds like I’m about to be
[00:01:26] Sé Reed: Yeah. Hop in that Discord. It’s cozy. We tend to keep the same informal atmosphere and if you have a problem with the channels, it’s this guy’s fault. This is this one down here, the Cosper. Anyway, complain to him directly please. So our
[00:01:43] Sé Reed: guests
[00:01:44] Jason Tucker: are we talking about today?
[00:01:45] Sé Reed: Yeah, Our guests today are, please introduce yourself.
[00:01:51] Jason Tucker: John? Who are you?
[00:01:53] Sé Reed: Take the mic.
[00:01:54] John James Jacoby: John Jacoby, at Awesome Motive on the research and development team.
[00:01:59] Sé Reed: You work at Awesome Motive now.
[00:02:01] John James Jacoby: Yeah, I do work
[00:02:01] Sé Reed: think I knew that.
[00:02:03] and, they sponsor me for the Five for the Future initiative and I work a lot on .org, security and WordPress core for 6.1 and review and keep an eye on some stuff and just try to generally be helpful.
[00:02:18] John James Jacoby: Also recently called a liar and, a bunch of other not very nice names. In the
[00:02:24] John James Jacoby: Trac ticket we’re gonna talk about. yeah,
[00:02:26] Matt Cromwell: sponsor you to work on the meta team? That would be useful.
[00:02:30] John James Jacoby: yeah. Pretty much whatever across the board, whatever we wanna.
[00:02:34] Jason Tucker: Nice.
[00:02:35] Sé Reed: to know. So you’re the Five for the Future of Awesome Motive, yeah.
[00:02:40] Jason Tucker: one of the five.
[00:02:41] Sé Reed: one of the five
[00:02:42] John James Jacoby: Is there, there are actually a couple people, yeah, five. Is it five? there
[00:02:45] Sé Reed: no. It’s 5%.
[00:02:47] John James Jacoby: Five. Five people in the five. There are five, five people. If for the future. That’s it. There are only
[00:02:52] Sé Reed: all it takes.
[00:02:53] John James Jacoby: That’s all it is.
[00:02:54] Sé Reed: All right, Matt, who are you and what are you doing here?
[00:02:58] Matt Cromwell: do have questions for me? That’s great.
[00:03:00] I do. I’m starting right off the bat.
[00:03:02] Matt Cromwell: I’m Matt and I work at StellarWP, and work on plugins there. We’re hoping that they grow one day, but we’ll never know for sure. No sad.
[00:03:14] Matt Cromwell: where.
[00:03:14] Sé Reed: I’m so sorry that was loud and I just moved my microphone here, so I apologize for the sound bite. Sound first, Spike,
[00:03:22] Matt Cromwell: Yeah,
[00:03:23] Matt Cromwell: and of
[00:03:24] Jason Cosper: Tucker will fix it and.
[00:03:25] Matt Cromwell: and that kinda stuff.
[00:03:27] given that heck of a segue, our topic today on dev branch, our dev year branch, is, something that I actually, I saw happen in the Meta channel. cause I’m in the meta channel. It’s really, more people have been coming in this past week than have been there lately. But, it’s an interesting place to hang out in the make slack.
[00:03:45] I’ve learned a. but I tweeted our WordPress, our WPwatercooler group chat, and I was like, I think this is gonna be a thing. And the next day I was like, Okay, it’s more of a thing. And then the next I was like, Yep. Pure thing, Definite thing happening here. but the thing that is happening is in a nutshell, we, anyone who’s listening to this show already knows, but just in case you just, came home from Burning Man or something.
[00:04:08] Sé Reed: The act, a commit was done. That actually pulled back. Uncommitted, reversed, What’s the word? Why can’t I think of the word?
[00:04:17] Jason Cosper: Revert.
[00:04:18] Sé Reed: Reverted? Reverted a change that had been made.
[00:04:21] Matt Cromwell: The active installed
[00:04:23] Sé Reed: Yeah, a change had been made in a ticket from quite some time ago, that allow, that created what is called an active growth, installed chart on the advanced tab of the plugins page.
[00:04:35] Sé Reed: And, what that does, just so we’re all clear on what that does or so I’m clear on what that does, is that just. was a chart of all of the plugins that were checking back into the WordPress repository for a, an update check. Is that correct?
[00:04:53] Jason Tucker: And then displayed it as a chart.
[00:04:55] Sé Reed: And then just that data was just being quantified and displayed as a chart.
[00:04:58] Sé Reed: Yes. So how many an active install and that is, So what was not removed was the active installs number, which is a current number. What, which is on the front page of the plugins. Still there cause I checked. but the growth chart, which has cumulative data of that same number, I’m assuming is no longer there. Is this accurate?
[00:05:27] Jason Tucker: accurate.
[00:05:29] Sé Reed: there any nuance I am missing there from the actual very just like baseline description of what is happening
[00:05:35] Matt Cromwell: also a API endpoint, that was also removed.
[00:05:41] Sé Reed: and that API endpoint allowed people to call that data.
[00:05:45] Matt Cromwell: yeah.
[00:05:46] Sé Reed: And and that data was refreshed every 24 hours. So in theory, every 24 hours, anyone could get that data on any plug.
[00:05:56] Matt Cromwell: Yes.
[00:05:56] John James Jacoby: Any
[00:05:57] Sé Reed: totally open data plugin. So that’s the thing. And then that, that ticket that had created that was reverted, very suddenly.
[00:06:06] Sé Reed: But when I say suddenly, all commits happen suddenly. Cause they just happened instantly. But it was happened without discussion. And I know that cuz I’m watching in meta, so I know it wasn’t discussed before. We’re really talking about two really separate issues here. One issue is the active growth chart data and its need and or potential uses or. Problems. The other issue is a sudden change being made to the core, it’s not core WordPress, but the infrastructure of wordpress.org and the plugins repository without discussion slash notice. Correct. Two separate issues.
[00:06:50] John James Jacoby: Yep. I think it’s a good summary.
[00:06:52] Matt Cromwell: that did happen afterwards was also not so exemplary. So
[00:06:57] But that’s, so that’s a second issue. So I really wanna separate these two, and if we don’t have time to get to that second issue today of, then that’s okay, because that’s something we could even talk about on WPwatercooler itself. What I’d really like to focus, I mean it’s all WPwatercooler, but not on the dev branch.
[00:07:13] Sé Reed: So on Dev branch here today, since we have the two of you, I know, John, you were really, you were able to, because you have, Committer access, you’re able to actually review the code that is not publicly available also. Correct. Is that correct?
[00:07:26] That is
[00:07:26] Sé Reed: Yeah. Okay, we can get into the nuance and then you, So you were saying there are reasons for this, and Matt, you as a plugin, owner in the past, and I don’t know what your, developer, leader of plugins now, , I dunno what we call you,
[00:07:41] Sé Reed: that position plugin advocate, you are, you have used that data and so bringing you to on here, The intention is to discuss that from a technical perspective, understanding that,either one of you can go first, whichever you prefer.
[00:07:59] Sé Reed: And I think, John, you’ve talked a lot in the, you have a lot of documentation you’ve done in Trac and in the Slack itself. So maybe Matt, you could summarize or maybe go off on a couple questions, which is what I’ve seen out there in general, which is why is this so important to plugin developers, that, again, not it being taken away quickly, but just the actual data.
[00:08:24] what is the data used for?
[00:08:27] Matt Cromwell: The way I’ll answer that is, that I remember back in my day, like way back, there was no active install count. We had just downloads and you would always be like checking out, Oh, I got a bunch of downloads today. And then, all of a sudden you saw plugin authors, especially larger ones that rhyme with toast, would put out a lot of releases, two or three in a week or so.
[00:08:53] and you’d see their download numbers. be really high. and that was really a good test case for how many people, how many websites are actually using this plugin?
[00:09:02] Sé Reed: So wait, when they had those download numbers, was it using those cumulatively? So if someone downloaded a new version with an update, it just counted as a download.
[00:09:11] Matt Cromwell: It’s just raw
[00:09:12] Matt Cromwell: So if I
[00:09:13] Sé Reed: So that number would be essentially artificially inflated.
[00:09:16] no, it’s not. It still downloads it. It is exactly what it is. It’s how many times it was downloaded. I can download it 1000 times and I would be 1000 of those numbers
[00:09:25] Jason Tucker: Not the first download, not the second download. Just all downloads.
[00:09:28] Matt Cromwell: Doesn’t
[00:09:29] Sé Reed: how many? How many like parenthesis, like 4, 5, 6. Do you have a various plugins? You’ve gone and downloaded
[00:09:37] Matt Cromwell: No
[00:09:37] Sé Reed: I have a couple.
[00:09:38] Sé Reed: Like
[00:09:39] John James Jacoby: How many bots have you written that just had how many machines that were just
[00:09:42] John James Jacoby: downloading like
[00:09:43] Matt Cromwell: a wget and a while loop and you’re good to go. It’s Wow, where did I get all these downloads? Don’t
[00:09:48] John James Jacoby: man.
[00:09:48] Matt Cromwell: off. it’s, that, and everybody, all the plug-in authors just really were like, Eh, it’s just downloads. eh, it’s always gonna jump when you do a release, Eh, It doesn’t really mean anything. And, but at the same time, there was also commonly known it is possible to figure out how many websites, a plugin is on.
[00:10:06] but that.org wasn’t sharing that at the time. and then suddenly
[00:10:11] wait. When you say they weren’t sharing it at the time, you’re saying that.org has that information because it’s part of, they were getting that pain back, essentially.
[00:10:20] Matt Cromwell: Yeah, part of the way in which plugin updates work. So like in order for a website to say, Hey, I need an update, to this plugin, dot org receives that information
[00:10:31] So even though the downloads weren’t being displayed originally as separated out.org, still had the data, whether they were requesting a download that was fresh or a download that was being an update. So they had that data, is what you’re saying?
[00:10:44] Matt Cromwell: have the number, they have the
[00:10:45] Sé Reed: Yeah.
[00:10:47] Matt Cromwell: regardless whether, even if you go to the physical page and down hit the download button, that’s part of the downloads too.
[00:10:52] Matt Cromwell: updated it in your admin, that’s part of the downloads too, whether you installed it for the first time. That’s part of the downloads too.
[00:10:58] Sé Reed: Yep.
[00:10:59] Matt Cromwell: information is that they also have domains, that hit, the, they hit.org saying, I need an update for this plugin. And that’s the
[00:11:06] and then they did start, Let’s put active installs, as a meaningful number for plugin growth. and at the end of the day, it becomes meaningful over time, more meaningful over time. one, because people start to see that number grow. is also a search engine ranking factor in the wordpress.org plug-in ranking. So when you search for donation, a lot of different plugins will show up, including, PayPal and a couple others aren’t really donation plugins at all, but they show up high cuz they have a very high active install count. those things start to be significant and matter on that front.
[00:11:44] real quick though, Do you remember? Or know when the active install growth? both the number and the chart. Cause I assume they came in at the same time. Cuz why wouldn’t you just, put the number in the chart in it one time? that, now I just distracted myself. Sorry. Carry on. I’ll remember what.
[00:12:02] John James Jacoby: the number has been there for a while, but it’s always been obfuscated. They’ve rounded it or we’ve rounded it to, hundreds, thousands, tens, 2000.
[00:12:10] John James Jacoby: It’s,
[00:12:10] this one 6,000 active
[00:12:13] And then once it hits a million, it doesn’t go up until you’re past two. So you could be anywhere between one and two and not know where you are.
[00:12:21] Sé Reed: I
[00:12:21] John James Jacoby: That could be, maybe not real great, and could probably be improved, but it’s just how it’s been.
[00:12:27] Sé Reed: When that data was added, when that data was added, do either of, if the impact on the search, the plugin repository search was like, it wouldn’t be able to use that, data if it wasn’t intentionally included in that. So I’m assuming that the search engine, that the plugin repository search ranking, When did it start to use that feature?
[00:12:53] John James Jacoby: So the search. The search algorithm and the way that plugins were weighted in the Elasticsearch index went through a bunch of iterations to try to come up with what eventually tested out to be what kind of felt right. You tweak all the knobs and sliders and you play with the weights to go okay, the results naturally are right.
[00:13:21] and it took a while. And it was mostly one person that worked on that, which was the same person that largely worked on Jetpack search. And so there was some experience from there. And I don’t want to call people out cuz I don’t know how comfortable they are with it, but long
[00:13:36] Sé Reed: it doesn’t matter.
[00:13:37] Sé Reed: good information though.
[00:13:39] Sé Reed: there was a really smart, super talented person, that made it happen. And, I think since that shift, that has largely been untouched. and, it’s fine. So even with this change, Even with this change that is still, so that active install number, whether or not that’s active install or active install growth, that number in some fashion is still being used to affect the ranking in the plugins even though the data is not available on the front end or API wise.
[00:14:11] John James Jacoby: Yeah, I think so. Yeah.
[00:14:12] Sé Reed: Okay. That’s interesting.
[00:14:14] Matt Cromwell: I think, and part of the reason why I mention all of that in that context is that because the active install count is, it’s not just a factor, it is one of the most important factors in the search ranking. because of that, the way in which that number is created, and represented really significant.
[00:14:36] Sé Reed: and. So being able to jump, like when you are a smaller plugin, you go between, goes from like tens to hundreds, to thousands, and then once as it gets to 10,000, like John said, it only goes 10 to 20, 20 to 30 to 50, all the way up to a hundred, and then it doesn’t go again to 200. Between 100 and 200 is a big, it’s double of what. I’m telling you this cuz That’s a rough climb right there.
[00:15:01] Sé Reed: now. like it’s, it’ll take us four years to get to 200, at some point, we gotta be able to know, like, when is that gonna happen? do we have to know, is it just a vanity metric? Not really, because we know that it impacts how we rank against other plugins So you still have your downloads data. And let me ask another question is I, and I’ve seen this around too, and I thought this was the. Can you or can you not put in your free versions of the plugins that are coming from the repository, put in callbacks so that you could, in theory, get that data from the plugin without the WordPress data.
[00:15:36] if you enabled, had that as a, Yes. Send us your stats. or, you were talking about on their chat, Cosper, about like Freemius, if you enable that, I don’t know if you can do Freemius on the free plugins. I can’t remember.
[00:15:48] Matt Cromwell: Again,
[00:15:48] Sé Reed: are additional ways to get that data right,
[00:15:52] Jason Tucker: but that’s opt.
[00:15:52] Sé Reed: but it’s opt in, so it’s not.
[00:15:54] Jason Cosper: you can do Freemius, yeah, you can do Freemius on a free plugin as long as it’s opt in. That’s the thing with telemetry, at least in the WordPress repository, you have to basically have your users opt in to that data so you are effectively losing the segment of people who, actually, a brand new MacBook showed up for my wife, Sarah, this morning, and it asked, Hey, do you wanna send telemetry data back to Apple? And she goes, Why the hell would I wanna do that? I literally don’t want anything to leak back to Apple on what I’m doing on my machine. So she unchecked it. And
[00:16:33] Jason Cosper: now, that, yeah, she opted out and that data now is not getting, sent back.
[00:16:40] there are privacy.
[00:16:42] Matt Cromwell: MacBooks are going to get worse over time with
[00:16:46] Sé Reed: is your refrigerator and your thermometer.
[00:16:50] John James Jacoby: telemetry, she is still going to get software updates.
[00:16:58] So the thing that even with the previous. Is that when you go to remove Freemius, it even asks you, which we all pick the second to last one, which is I’m temporarily disabling this plugin. Leave me alone. I don’t care if I’m ever coming back or not, and you don’t need to know if I’m coming back or not, but it’s gonna ask you those sorts of things.
[00:17:16] Jason Tucker: So it, it, I don’t, it’s not good enough, I don’t think, I don’t
[00:17:20] Sé Reed: Opt in is not good enough, you’re saying.
[00:17:22] Jason Tucker: Yeah, I don’t think it’s good enough, especially if you’re gonna have
[00:17:24] Jason Tucker: Okay. you’re gonna be able to download a plugin for free and use it, then you need to have more data for it, which is just, it’s crazy that we don’t have that much data because for instance, like podcasts have statistics that are tied to them, and you can see the download statistics, the subscriber statistics.
[00:17:40] Jason Tucker: You can do all of that stuff just by going into like the Apple Connect for podcasts. And you can do one for Spotify, you can do one for all those. I don’t know. I just think that having that plug-in repository needs to have a little bit more data. If that’s the, like the official place where you can get this.
[00:17:55] Jason Tucker: And if you’re a developer on, on, on iPhone or on Mac and you’re gonna be put in a thing in the app store, you get that data and you can see how many people are downloading the thing.
[00:18:08] Sé Reed: So on that, and I, I agree. I, So now we talked about, stats useful, important, whatever, which I guess we, we all know that in a way, but, so John, you’ve looked at the code, right? And you were talking about this in the slack, and you have that, that privilege of having that access because of your status in the project in terms of being a core committer and what you’ve worked on.
[00:18:28] Without telling us what, I have been trying to figure out what exactly is so possibly vulnerable. The only thing that, basically something that Matt said where it says it’s sending the domain name back, and the domain, it’s logging the domain names of where it is. So the domain name then could be, in theory, scraped.
[00:18:46] I was like, maybe that’s what’s so vulnerable about the data, but What is okay, Not what is so vulnerable about data, but is it personal iden? Is it personally identification in, what is that? I don’t
[00:18:56] Jason Tucker: Identifiable.
[00:18:57] John James Jacoby: no,
[00:18:58] John James Jacoby: what you’re saying. I get what
[00:18:59] Sé Reed: is it? Or is it like, is it the domain name?
[00:19:01] Sé Reed: So it’s something like, that’s like bad? Or is it like, No, like it’s, there’s no credit card data on here. it’s not like there’s a credit card tied to this. So why would what? What could be so bad? In theory,
[00:19:15] that’s the interesting thing about watching everyone talk about it and speculate on it, is that when you don’t know, What happened? Your brain goes crazy. like you actually start like really going down the rabbit hole. when my car got stolen in Miami and I didn’t know who still went, man, did I cook up a bunch of theories about how they did it, where they took it, how, and it showed up a day and a half later stripped, which you knew was gonna happen, but man, the all for that day, I was making up crazy stories
[00:19:48] Sé Reed: I would like to submit as my own personal conspiracy theory. I don’t believe this one, but that it is in order to hide the, data on the Gutenberg plugin,
[00:19:58] Sé Reed: Oh, no, it’s not that. that was, I decided to come up with that. Just add it
[00:20:02] when I say crazy, I am
[00:20:05] John James Jacoby: not, I don’t want it. I’m not trying to be like dismissive or anybody. I’m really genuinely just Having experienced it myself, I know that’s what happens. and
[00:20:14] Sé Reed: So we do, but we don’t have that information. That is
[00:20:17] And then wait. Real quick. I don’t wanna get into that second issue of communication or whatever. Let’s like, We’re, You don’t have to say what the security vulnerability is. Could you describe something that is what it,
[00:20:33] John James Jacoby: Ha. I will eventually.
[00:20:34] Sé Reed: an analogy,
[00:20:36] I will. I definitely will. The thing is, one of the sort of tenets of having access to the data or the code or the things that are the inner workings of a thing is one, you don’t usually say that you have access to those things cuz you’re instantly a target.
[00:20:53] And so there are
[00:20:54] John James Jacoby: access to those things that, through whatever means that they have access to, they do. We have to, the systems teams. People that have worked on stats, people that work on .org, people that commit, people that not just commit to core, but that commit to the websites, that commit to Trac, that
[00:21:11] Sé Reed: There’s actually a lot of people.
[00:21:13] John James Jacoby: And tons right there, there is a significant number of people that have access to
[00:21:17] Sé Reed: Sometimes I get weirded out by the freeness with which credential Weirded
[00:21:22] John James Jacoby: is so much data on wordpress.org that, you folks, lots of people probably have some level of access that they do not know that they might have access to. And depending on what you work on, it also determines what you end up being able to see. And so having worked on WordPress.org, WordCamp, the BuddyPress and bbPress sites, Trac.
[00:21:45] John James Jacoby: Having like over time I have, myself, earned an ability to have some access to some of the stuff. And so when, when, like across from working from different companies and different pieces of it that, when I saw this happen, and I think we all went Huh, That. Maybe is out of the ordinary.
[00:22:08] John James Jacoby: This is like a unique occurrence.
[00:22:10] Sé Reed: It was abrupt.
[00:22:12] John James Jacoby: yes. And so when I saw it, I was like, let me look and see what was not obfuscated the way that it was intended to be, and. because it, the, that if any time that you look at security releases for WordPress core, you will look at the commit message and they’re like, that’s not super useful.
[00:22:36] John James Jacoby: But that’s the point, is that it’s supposed to be truthful and honest without giving everyone away what the
[00:22:41] Sé Reed: What did you see? I’m dying.
[00:22:43] Sé Reed: and so going. King Tut’s
[00:22:45] John James Jacoby: is. There, there are two pieces of it. One, the obfuscation part is exactly only what you think that it is. It is only. The raw number being, like reversed, calculated in a way that was accurate enough to completely defeat the purpose of obfuscating it in the first place.
[00:23:07] John James Jacoby: And so if wordpress.org is going to have an API end point that is going to go through all the work of hiding the real number, and then you can just get the real number anyways, then we
[00:23:17] Sé Reed: Whoa, whoa. This is just about the freaking number. This is literally about
[00:23:21] John James Jacoby: So there’s that part of.
[00:23:22] Sé Reed: to the generalization of the chunks.
[00:23:25] Sé Reed: that what you’re telling me?
[00:23:26] John James Jacoby: there’s, there, there’s that one aspect of it. The other aspect of it is that, in my opinion, and this is the part that I’ve gotta put on Trac yet, the other part of it is that this endpoint and another separate endpoint that is still alive right now.
[00:23:42] Are just PHP files. They are not endpoints that map some other thing that do something else that’s clever or fun. Like these are PHP files that load in HyperDB, that access the database, that give you JSON. They are as simple of an interface tool into the stats data as you literally could possibly code to get it done.
[00:24:06] John James Jacoby: There’s no query caching, there’s no object caching, there’s just, you’re hitting the data and getting what you want. and some people were, people.
[00:24:14] Sé Reed: were here for that.
[00:24:15] John James Jacoby: People, people poke at what they see in terms of the parameters. It accepts, the slug, the limit, whatever. They, eventually people see what it is and they go, Let me see if I can get more out of it.
[00:24:26] John James Jacoby: Let me see what I can pass into these parameters and see how it works. Cuz they don’t have access to what I see. but they do have access to the endpoint and they can see what comes out. And so people experiment to see what’s the most amount of data that they can get out of it. And ultimately, What they were, what you could eventually, first part is, about a year ago, it started spitting out errors because people were shoving a bunch of data at it, that was not right, and it was causing, debug notices.
[00:24:56] John James Jacoby: PHP errors were coming through the logs, and it got updated to correct some of those issues to prevent people from brute forcing it in specific ways that weren’t leaking data, but that were causing the error logs on WordPress.org to fill up. So fixing that problem, in doing that, meant that it was returning different headers based on the errors that were happening.
[00:25:19] John James Jacoby: And so depending on what
[00:25:22] Sé Reed: It’s all reverse hacking
[00:25:24] John James Jacoby: Depending on what you sent to that endpoint, you could get a different header back to determine whether or not a plugin existed, whether or not that plugin had any installs, whether or not a plugin essentially. And so when people start, pen testing, they are just looking for ways in, Any amount of data that is returned, that is a glean full insight, is a security problem.
[00:25:51] John James Jacoby: It is unintended behavior for that endpoint to work that way. and There is the obfuscation part of it. That is true, but when people are able to determine a plugin existing or not existing, or an install count being zero or not zero, that is not intended to be how that endpoint works. It is leaking unintended data and responses that it shouldn’t be leaking.
[00:26:11] John James Jacoby: And so it is not serious in terms of all of wordpress.org got hacked and everything was MySQL injected and everything. Like when people hear security, they think something was breached,
[00:26:22] Sé Reed: thing, personal identification data. that’s what we
[00:26:25] That was not implied. That was not anything I said. That was not anything anybody else said.
[00:26:29] John James Jacoby: And I know Otto. I know Otto just said it’s not a
[00:26:32] Sé Reed: that’s cultural conditioning. That’s what that is. We hear security breach and everyone’s like, Where’s my wallet number? I have to call people and cancel stuff. So that’s, I think that’s a fair
[00:26:42] John James Jacoby: said security breach.
[00:26:44] people in people speculated that it was a security breach. People speculate that Matt wants to hoard the jet of people, speculate that there is more data available than there is people. All these things are, these are choices, these are decisions that people are making to have a, It’s one thing if you wanna have a conversation, around with your friends about what you think this is, but
[00:27:06] Jason Cosper: In this morning’s.
[00:27:08] John James Jacoby: Fact, or it becomes evidence to support that someone is acting in bad faith. that is a different problem for a different show.
[00:27:17] Sé Reed: And that’s the next, that’s next week. We can talk about it.
[00:27:20] Jason Cosper: Yeah.
[00:27:21] in this morning’s Post Status expert, NY said something really interesting, which is basically in the absence of any sort of reasoning for this, and I understand if there are particular security issues, like you do have to be quiet until the security issues get fixed, but in the absence of a reason or a narrative, people just come up with their own.
[00:27:42] Matt Cromwell: Yeah.
[00:27:43] Sé Reed: Yeah. the United States,
[00:27:44] Matt Cromwell: it needs to be said really clearly. We’re not talking about the communication stuff, there is a way to communicate
[00:27:52] Jason Cosper: It does link up.
[00:27:53] Matt Cromwell: down inviting crazy speculation.
[00:27:57] it’s. It’s the problem, the issue of the data, like I said, one thing, and it’s, that’s a technical issue. The issue of the community impact of that decision is exponentially more damaging in my opinion, than having that data available. And I think we should just talk about this next week, because there’s so much to talk about there.
[00:28:21] I have one quick technical question for. , which maybe you can’t answer John, but maybe you can. the scraped data have that data in it, like the stuff that people have already called from the api, like that data, there’s no like real vulnerability there other than people can crunch those numbers and come up with information.
[00:28:39] John James Jacoby: Correct. there’s nothing in the JSON that, Was
[00:28:44] Sé Reed: Yeah, it’s not sensitive. It’s just, it’s just numbers that can be used for whatever purposes. And that’s,
[00:28:52] Matt Cromwell: And they were being used for all of those purposes.
[00:28:54] Sé Reed: sure. Cause all the big corporations have money to pay people to crunch numbers.
[00:28:59] John James Jacoby: The end, the endpoint, all the endpoint returned was percentages. The endpoint just returned, like the obfuscated dates and with numbers that were intentionally not exact, and.
[00:29:16] Matt Cromwell: Two big places do it very officially: WP Metrics and Rank Math. Both were pulling from that API daily.
[00:29:25] Sé Reed: Oh, and officially ranking.
[00:29:27] Matt Cromwell: Rank Math is a product that people pay for,
[00:29:29] Matt Cromwell: and it's owned by Automattic. And what they have is a way of essentially doing math to figure out what your actual active install count is.
[00:29:41] Sé Reed: But now they can't do that, cuz they don't have that number, that data, anymore.
[00:29:45] Matt Cromwell: Now they can't do that. Correct.
[00:29:47] Sé Reed: How interesting.
[00:29:49] Matt Cromwell: Yeah.
[00:29:49] Jason Tucker: Does that make their product irrelevant? I have so many more questions. Oh, Yeah,
[00:29:53] Sé Reed: Ask 'em on Twitter or in the.
[00:29:55] Jason Tucker: Makes me wonder if we could double down on providing more information to developers or not, or if they're gonna continue to just have to use an opted-in third party to do it.
[00:30:06] That was one of the reasons why, I know that we're going over, but are we, are we officially going over our
[00:30:10] John James Jacoby: time?
[00:30:11] Sé Reed: We’re going over.
[00:30:12] John James Jacoby: All right,
[00:30:13] Jason Tucker: going over for the first time here.
[00:30:14] John James Jacoby: Woo, a shout out to oto. What?
[00:30:19] Matt Cromwell: Yeah, Yes. Some of the, Yeah, some of the bathroom was, Yeah.
[00:30:22] Matt Cromwell: to deal with like
[00:30:24] Sé Reed: I got.
[00:30:24] It's fuzzy logic for a reason, and so like the reason that the data gets processed every 24 hours, and this is, I think, an important sort of distinction for folks to have, is that when.
[00:30:40] John James Jacoby: The data comes in from an update check from wordpress.org, and it hits api.wordpress.org to say, is there a version of WordPress available, or plugin updates available, or theme updates available. When WordPress makes that request, when everyone's WordPress site makes their outbound request to api.wordpress.org, it sends along with it the data that everyone can look at and see.
[00:31:00] John James Jacoby: It's in the code. It's all that stuff, but once it hits the endpoint, it gets broken apart in a way that is intended so that it is not easy for people like me to reverse engineer that data to try and figure out who is who or what is what or where is where. Everything gets broken apart into very separate database tables or servers to obfuscate it in a way that
[00:31:33] collection of any of it is not easy. And so the query that happens to even essentially bulk collect and aggregate that data goes to a separate database table every night. It does a big bunch of temporary queries and sub-queries to get a bunch of data for all the plugins and then puts that data in a temp table, and that happens nightly because
[00:32:02] John James Jacoby: it's just not stored in a way that makes it easy to pull that data back out. And so any time that there is something that we do choose as a community that we want to report on, or that is worth showing on a plugin screen, it's not a simple, super straightforward thing that we just do when we look at the data and go. Someone has to come up with the right way to get the right data.
[00:32:28] John James Jacoby: And serve that with an endpoint that does exactly what it is intended to do. And, like I said in the Trac ticket, on the dev side of it, there was hesitance to show precise numbers there. Not just in terms of the calculation and the code and the data, but whether or not it was
[00:32:48] John James Jacoby: healthy mentally to focus on that extra data, and was that the data that was the most important one to show? And frankly, in my own opinion, which I know I've said already, is like removing it now, removing it and having everyone be upset about it. Yes, it's important. Yes, everyone relied on it.
[00:33:17] John James Jacoby: Yes, it's a really super important metric in general. I get that. There's way cooler data, there's way cooler stuff that we could show, that we could see. But what it proves to me is that once it's there, removing it is really hard. So whatever we do,
[00:33:34] Sé Reed: away from someone than it is if you’ve, once you’ve given it, you can’t.
[00:33:38] Matt Cromwell: little information
[00:33:39] Matt Cromwell: to begin with and
[00:33:40] Sé Reed: Yeah.
[00:33:41] Matt Cromwell: are asking for more all the time, and the little that’s actually actionable is now gone.
[00:33:47] Sé Reed: So I, I
[00:33:48] John James Jacoby: add next, whatever the data is that we show
[00:33:51] Sé Reed: Okay, we don't wanna get into the next, that topic of like the communication part, but basically this is where that bridge is, because if you just remove all of the communication requests and needs, Matt Mullenweg, Matt's response to everyone, which is like, what data do you need?
[00:34:10] Sé Reed: Which we talked about at the top of the show, right? Actually makes sense within the context of understanding what the problem was. But without the context of understanding what the problem was and what was actually taken away, what data was possibly the problem, without that context, it looks like it's just completely ignoring what everyone is saying.
[00:34:32] Sé Reed: So that is, again, this is why it's two separate things, because on the pure data side, the pure technical side, this was a problem, it was dealt with. And then if we want that data to be returned, we can talk about what data we want back. Totally fine, not a problem. But turns out people are human beings and need that reasoning, need that understanding, and that part is impacting
[00:34:59] Sé Reed: the technical explanation, and it is itself obfuscating (that's for you, Marcus), it is itself obfuscating the response and the actual solution, which in theory is actually positive, which is, okay, what data do you want? Let's find out a way to get that data in a way that doesn't compromise whatever it is.
[00:35:19] Matt Cromwell: This is here, John, would it be extremely difficult to just keep it going on, so that it could be properly obfuscated again? Because it would be wonderful if that would've been the communication as well, to say, hey, we found an issue, that some of the stats are being misused in one way or another. Patch it and bring the active install chart back again. But because that wasn't the way it was communicated, it feels instead like we don't this data in the first place,
[00:35:49] So I just wanna, so technically I think we've got a really good understanding of that, and that makes sense from a moving forward standpoint on the Trac ticket. If there are technical ideas about how this, that data conversation, whatever, that can happen on that Trac ticket. And then next week we can get into the conversation, which is my favorite part about leadership and community in the WordPress way, and communication and all those soft things that developers aren't meant.
[00:36:20] Matt Cromwell: Are you trying to say that you're in, are you trying to say you're inviting me back next week? Is that what you're
[00:36:24] Matt Cromwell: trying to say?
[00:36:24] Sé Reed: If you wanna talk about this, then sure, absolutely.
[00:36:27] Jason Cosper: Absolutely.
[00:36:28] Sé Reed: We could just have the same conversation from that perspective. Yeah, we went over 10 minutes. This is like a first.
[00:36:34] Jason Tucker: I know
[00:36:35] John James Jacoby: Wow. Thank you. So
[00:36:37] Jason Tucker: outro button right now.
[00:36:38] Sé Reed: Jason is like freaking out. He's like, I gotta go, bye.
[00:36:41] Jason Tucker: All right folks. Thanks for hanging out with us. We really appreciate it. Talk to you later. Here's our outro. All right, 10 minutes over. Go over to day
[00:36:51] Jason Tucker: core.com/subscribe to subscribe to this content. We would really appreciate that. We're available on all the major podcasting places. Go find us if you wanna listen to us as a podcast. If you wanna watch us, you can go over to YouTube, you can go
[00:37:03] Sé Reed: If you get bonuses with the watch version,
[00:37:06] Jason Tucker: Talk later. You have a good one.
[00:37:08] Sé Reed: You should. You should watch us cuz we're funny looking. It's good.