I’m getting pissed at the apparent technical arrogance of the WordPress core developers.
First, the disclaimers. WordPress is a miracle product, that embodies everything that is wonderful about open source software. It lets ignoramuses like me do amazing things without understanding dick. To accomplish that, it needs technological high priests who keep the code base in order and moving forward. I get that, I appreciate that, on a daily basis I am glad those people exist.
And yet, motherfuckers: if you expect me to upgrade my software three times in less than one month, you have got to tell me why. You have got to tell me why it’s important, and you have got to do this in English words that a non-technical user can understand. Or I am going to start bitching and cursing your name.
Between various blogs I run, am responsible for, help people with, advise people on, or answer questions about, I estimate there are close to twenty WordPress installations that I am concerned with. So even the simplest update is an ordeal for me, because I have to do the same thing over and over in different places, plus I have to answer the same questions over and over from different people. And to this I can testify: When a new patch comes out, the very first question that anybody asks is “Why do I need this patch? What happens if I don’t patch it?”
And so, the first principle of releasing security patches is, if you want your users to cheerfully apply them without hating you, you explain why the patches are important. “This patch does XYZ and protects you from blah-blah, which would be bad; so we urge everybody to apply it ASAP.”
Now let me share with you the actual explanation that accompanied the last three WordPress patch releases:
November 30: “This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements.”
December 8: “This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.”
December 29: “[This release] is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES.”
Now the first two are at least complete; they’re low on detail, but they do at least indicate what the danger is that you are protecting against by making the patch. So if, for instance, you didn’t have any of the Author or Contributor users, you could rationally determine that the patch could be deferred until you had time to deal with it.
But this last one? It certainly sounds dire — “core security bug”, “HTML sanitation library”, it’s scary word salad anyway. But is it protecting against any actual attacks? Are people being hacked out there? Do we need to get this done right away? Is there a crisis? Or is this some obscure thing that some researcher figured out could theoretically be exploited by a man with a million smart monkeys if he had a thousand years to bash on our blogs? Is the HTML sanitation library something that kicks in when people enter comments? Or is it only to protect against malicious author-level users again? The patch info doesn’t say.
And worse yet, there’s no link in that “news blog” to a more detailed explanation. There should be, but there isn’t. We’re just being told “Do this; do it now; it’s necessary; trust us.”
That, to me, is infuriating. That’s the high priests of the technology getting arrogant, expecting compliance from the peasants without even bothering to do us the courtesy of explaining the doctrine.
Now, as it happens, if you’ve been around the barn long enough like I have, from their news blog you can sort of infer why this might be an important patch. HTML sanitation probably has something to do with code injection attacks, and it sounds like somebody has figured out some way in which somebody can inject hostile code into an input box somewhere on a WordPress install. If so, that’s really bad, and this patch really is vital. But you know what? If that’s true, people need to be told that, loud and clear. Not in 13 words of cryptic technobabble.
So anyway, all of this is what it is. It probably wouldn’t have been enough to trigger this rant. The open source product is great; the open source developers are contemptuous of us non-technical user-peasants, so they issue their edicts to us but can’t be bothered to explain why we should obey. That’s actually pretty normal in the open source software ecosystem; it’s tiresome but not outrageous.
What triggered the rant are the tweets I got when I dared to bitch about it.
@wordpress tweeted “Please update to WordPress 3.0.4, the most important security release of the year.”
There was a link to the so-called news blog with the 13 words of technobabble non-explanation.
I was annoyed, this being the third inadequately-explained upgrade in a month, and the worst-explained of the lot.
I tweeted “@wordpress GodDAMN I am tired of these “important” security releases that don’t ever explain why they are important or what is being fixed.”
What set me off are the two responses it triggered. One is from @wordpress, which is simply misleading and wrong:
“@ErosBlogBacchus If you follow the links in the tweets, the posts on our news blog explain the vulnerabilities, and what’s being fixed.”
That’s disingenuous, because there’s only the one post on the news blog, and it doesn’t explain the vulnerabilities at all. It speaks of a core security bug, but it doesn’t have a word to say about what’s vulnerable, what the attacks to fear are, or indeed whether there are practical attacks to be feared. In short, it’s utterly devoid of the information somebody needs to make an informed upgrade decision. It’s an authoritative-sounding “Trust us, do this right away” and I have no reason to disbelieve this source, but it’s extremely disrespectful to demand that level of trust while providing no useful information whatsoever.
So that annoyed me.
And then I got another tweet from a high priest, @nacin. His Twitter page says he’s Andrew Nacin, a WordPress core developer. So he’s one of the guys I have to thank for this wonderful product. But his tweet? Well, as politely as I can put this, it enhanced my annoyance level.
“@ErosBlogBacchus Our announcements are always going to be general. For the gritty, see http://bit.ly/fcecUN. It was an XSS flaw.”
Twitter is dangerous. Enforced brevity can cause people to leave out important nuance. But this tweet struck me as completely out of touch with the non-coder folk who actually install and use WordPress.
First of all, I’m not complaining that the announcement was “general”; I’m complaining that it didn’t have any information in it that I could use to determine whether the security patch was important to my situation. It assumed knowledge that I did not have, and was utterly worthless to anybody who didn’t have some idea what “HTML sanitation” might be important in accomplishing.
Second, go click that link in his tweet. Gritty? I’ll say. There’s code at that link, and that’s all. Utterly worthless when responding to a complaint about inadequate patch information for non-technical users. I say unto the priest “Your sermons in Latin, they are pretty hard to follow” and he answers me in Latin. Now you’re just fucking with me, right?
Likewise the last sentence in the tweet. “It was an XSS flaw.” Oh, nice. That would be useful…if I had ever fucking heard of XSS before this very moment. Which I haven’t.
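For readers who, like the author, had never met the terms: KSES is the filter WordPress runs over HTML submitted by people who are not trusted to post raw markup (comments, and posts from lower-privilege roles), and an XSS flaw in such a filter means hostile script in one user's comment can run in every other visitor's browser. The allow-list sanitizer below is an added illustration in Python, not KSES or any WordPress code; its tag list, URL prefix check and sample inputs are the example's own assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list: tag -> attributes permitted on it. Anything not
# listed (script, img, iframe, on* handlers, style, ...) is dropped.
ALLOWED = {
    "a": {"href", "title"}, "b": set(), "strong": set(), "i": set(),
    "em": set(), "p": set(), "br": set(), "blockquote": set(),
}
# Assumed-safe link prefixes; javascript:, data: and the like never match.
SAFE_URL_PREFIXES = ("http:", "https:", "mailto:", "/", "#")


def _safe_url(value):
    return (value or "").strip().lower().startswith(SAFE_URL_PREFIXES)


class AllowListSanitizer(HTMLParser):
    # Rebuilds the input, keeping only allow-listed tags and attributes.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag vanishes; any text inside it stays as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # this is where onerror=, onclick=, style= are dropped
            if name == "href" and not _safe_url(value):
                continue  # link to a script-running scheme is dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> -> <br>, no stray close tag

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is entity-encoded, so the body of a stripped <script> is inert.
        self.out.append(escape(data, quote=False))


def sanitize(untrusted_html):
    # Returns markup that is safe to embed in a page shown to other visitors.
    parser = AllowListSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)
```

A bug anywhere in this kind of filter (a tag or attribute that slips through, a URL check that can be fooled) is exactly the "core security bug in our HTML sanitation library" the announcement was talking about.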
Dudes, you’re smart, you’re working on a great product, you’ve made it so simple that even non-coders can install it and use it and modify it with themes and plugins. But at the end of the day, security patching is the one place where you can’t just demand compliance and say “Trust us.” You’ve got to sell your patches. You’ve got to explain them. You’ve got to come down from your Mount Olympus, put down the incense burner, and explain in terms that mean something to us why we should once again risk breaking everything from themes to plugins, for the third time in a month.
It’s annoying. It’s painful. It needs more than 13 words and a link to some code.