Opened 2 weeks ago

Last modified 2 weeks ago

#5509 new enhancement

Notify users of changes to plugin ownership

Reported by: ianatkins
Owned by:
Milestone:
Priority: normal
Component: Plugin Directory
Keywords:
Cc:

Description

I've experienced a few plugins change ownership and it's really not clear as a user, developer and maintainer of sites when that has happened.

Whilst having a plugin continue to be developed is admirable - I do think it would be wise to inform users of that change, for the following reasons:

  1. There might be privacy policy changes that have impacts on what data is shared and how it is shared. Legally, depending on location, this may have to be communicated to end users ( under GDPR etc ).
  2. The plugin may change direction or add features that were not originally included or required under the stewardship of the prior owner. ( Whilst this won't become clear until later down the line, at least informing users of the ownership change would make it clear as to why said changes are happening ).
  3. The plugin may have changed hands to a developer or development house that a user knows isn't as reliable as the previous owner. ( Not to name names, but there's a few developers I don't touch after various maintenance / quality nightmares in the past ).

In my case the plugin that made me raise this ticket was Members, originally by Justin Tadlock. Now it's a marketing entry point to MemberPress and features various paid add-ons and upgrades when the original plugin was a lightweight developer toolkit for editing capabilities.

Personally would suggest the change of ownership be notified by:

  1. Adding a requirement for the first release under new ownership to add a notification to the admin area, linking to the new developer's privacy policy.
  2. Adding a requirement for the plugin to re-validate consent to share data ( if it's doing so ).
  3. Adding a notification to the plugin page on the wordpress.org directory page. ( It took me a while to work out why a once reliable plugin was veering so far in a new direction and I couldn't remember if the current developer was indeed the original developer. Slight moment of user gaslighting!) Whilst I try and keep track of who develops what, over 100s of plugins and 100s of sites, this would be much easier for the plugin page to communicate.

Speaking to the plugin team, you do currently review change of ownership of plugins - so hopefully these things could be easily implemented in part by a change of policy.

Attachments (1)

Plugins - Update notification.png (80.9 KB) - added by ianatkins 2 weeks ago.
Notification upon plugin update.


Change History (5)

@ianatkins
2 weeks ago

Notification upon plugin update.

#1 @Ipstenu
2 weeks ago

  • Type changed from defect to enhancement

Currently we do track (on the backend) when new users are added as committers and when the owner account is changed.

While we can make that a forward facing page (audit log) and in theory include things like "closed for security on DATE", the biggest flaw is that ... we sometimes won't know.

Take this for a practical example of what's happened before. Someone builds out a plugin and it's owned by a 'company' (CoolWPPlugins.com). They later sell the company (which includes the ownership of the user account) to someone else. New owners, but there's nothing we could track.

This would not be tracked by WordPress, nor could it be, any more than any other software you use. Microsoft bought out Skype and your updates merrily continued.

Basically ... I don't know that there's a way to monitor and enforce that, as much as I'd like it.

#2 @greenshady
2 weeks ago

I am actually in favor of this idea, at least in some form. Outside of company blogs (where I shared the ownership change of Members, and the new owners did the same), there's no good mechanism on the WordPress side of things to inform users when things change. It is at least something worth discussing, whether it is a guideline change or a UI notification. Not sure of the best route, but I like the idea of more transparency when these types of changes happen.

#3 @ianatkins
2 weeks ago

@greenshady Thanks for your work on Members. Sincerely hope you managed to be financially rewarded for your time spent. Wouldn't feel bad about selling it, I don't think the new owner is being too egregious - it's just you were such a reliable steward of the plugin that the new changes started to become obvious.

@Ipstenu With your example, for a company changing hands externally of WordPress, then presumably the brand and privacy policy would be less prone to change. But agree you'd be limited here.

Think for the most part, the issue here is individual plugins changing hands and not companies and/or portfolios of multiple plugins being bought ( but you guys probably have more insight here ).

Would suspect most ownership changes involve a change of the plugin into a different account and/or brand with retention on the plugin name. But if an account name doesn't change, but ownership does, perhaps a website or email domain change could be used as an indicator - and be fairly easy to identify.

Think anything that can be done, however small, would be a positive for users - as searching over the forums this is something that causes confusion and is going to keep coming up:
https://wordpress.org/support/topic/where-did-the-plugin-go-2/
https://wordpress.org/support/topic/last-update-details-suspect/
https://wordpress.org/support/topic/excellent-plugin-but-php-files-are-being-changed/
https://wordpress.org/support/topic/new-plugin-owner-2/
https://wordpress.org/support/topic/are-this-plugin-still-in-development/

#4 @Ipstenu
2 weeks ago

> Think for the most part, the issue here is individual plugins changing hands and not companies and/or portfolios of multiple plugins being bought ( but you guys probably have more insight here ).

With regards to all plugins? Yes, it's more individuals than companies, however if you asked me to break it down by plugin 'type' I would say that more serviceware plugins are transferred to companies and don't always change hands in an obvious way.

I want to be clear, I'm not against this! I'm for this! I just want to be clear that we're going to get MAYBE half of the changes. (Honestly I think it would be great if everyone could see how weird some devs are about shuffling plugins between multiple accounts -- that gets them banned when we catch them)
