A strange offer from third-party to give them repository access

  • Hello.

    I’ve got a strange letter today from some “bestweblayout.com” company. Here it is:

    “Hello Vladislav.

    My name is Grigoriy and I am a representative of BestWebLayout. Our team specializes in WordPress development services.

    We saw that your WP-SynHighlight plugin was updated more than 4 years ago. We would like to offer you our assistance and participation in further development and maintenance of this plugin. In other words, we would like to get your permission and access to plugin repository on wordpress.org. In such way we will become the plugin contributors along with you and will be able to control testing and development of this tool within the WordPress community.

    Our activity will include plugin updates, compatibility testing, support, etc.

    We have already talked to WordPress support team (they said that WordPress is open-source community and such contribution is welcome), who asked us to contact you with such a request. Please let me know if you are ready to accept our offer. Feel free to contact me with any questions.

    Thanks!

    Grigoriy”

    Their website is VERY strange for a “team of professionals” they claim to be. And the offer itself is a little strange. If I want to contribute, I donate code. I don’t ask write access to the repository.

    Isn’t this a method of spreading some unwanted PHP code via WordPress plugins like it is now done with Chrome (virus or other unwanted crap authors buy popular addons and “enhance” them)?

    Does anyone actually know this company and can confirm we can trust them?

Viewing 15 replies - 1 through 15 (of 24 total)
  • esmi

    @esmi

    Forum Moderator

    “If I want to contribute, I donate code. I don’t ask write access to the repository.”

    However, you would have to give permission for their names to be added to the plugin as contributors.

    “Isn’t this a method of spreading some unwanted PHP code via WordPress plugins”

    I’m sure that some people do try this but the very hard-working plugin review team weed these out.

    If you are not comfortable with this “offer”, then you could always suggest that they fork your plugin and develop the new fork themselves.

    Well, that’s the main thing. It’s not about me being comfortable. I just want to know if they are trustable or not.

    The offer itself may be legitimate, but all depends on people making it.

    I got the same offer and I suggested they should submit a patch to one issue before I can grant them access. Still they insist they need to be listed as a contributor.

    Seems incompetent or malicious.

    Moderator Jan Dembowski

    @jdembowski

    “Still they insist they need to be listed as a contributor.”

    Then don’t accept the patch and don’t list them. Or come up with your own patch.

    “Seems incompetent or malicious.”

    I think it’s odd myself but you don’t have to grant them what they want. You can even ignore the request. 😉

    If it gets to the point of harassment (NOTE that I am not accusing anyone of anything!) please report that behavior to the plugins [at] wordpress.org email so they can at least be aware of that.

    Well, reporting them to plugins@. I don’t like this.
    Thanks.

    Guys at plugins@ responded that they don’t have any previous record of any contact from BestWebLayout BTW.

    “We have already talked to WordPress support team (they said that WordPress is open-source community and such contribution is welcome), who asked us to contact you with such a request.”

    1) As FractalizeR said, no we did NOT ask them to contact you.

    2) If we DID we would have said “Try to contact the developer to ask if they’ll add you…”

    It’s possible they took that the wrong way, but at any rate, feel free to tell them no 🙂 It’s your plugin. Do what you want to do.

    Got a similar e-mail, don’t trust it for a bit.

    Can you forward the email (headers and all) to plugins at wordpress.org please?

    I’m about ready to hit ’em with a brick.

    Sent to plugins at wordpress.org.

    Thank you very much!

    done!

    We aren’t involved in any illegal affairs. Earlier on the forum there was a question about the possibility of cooperation with the authors of neglected plugins. And it said that it is not a problem to cooperate with the authors. So we decided to help WordPress community with these plugins. We only collect information about plugins, which were simply neglected by authors and have not been updated with the latest changes of WordPress. Some of the authors refused, but some of them agreed. Sorry that it looks like spam.

    http://wordpress.org/support/topic/old-plugins-contribution?replies=10

    It looks like spam because you’re sending this out to a LOT of people, and as of yet, haven’t done anything with the plugins. Which is, sadly, a tactic of some spammers. They’ll take over legit plugins and turn them into guideline violation spam fests.

    Moderator Jan Dembowski

    @jdembowski

    “We only collect information about plugins, which were simply neglected by authors and have not been updated with the latest changes of WordPress.”

    I’m not suggesting any ill will but why would you insist on becoming a plugin contributor? Getting access like that to all those plugins really seems questionable and is something that can be abused as Mika said above.

    Submitting patches is cool but making that as a requirement isn’t something that should be done wholesale like that IMHO.

    If you have not been making that insistence then I apologize for any misunderstanding on my part.

    I received the exact same email this morning with the exception, of course, that they listed my older plugins. There are several issues with this approach that immediately made me flag the email as spam and alert others to a potential threat.

    One, anyone is free to fork a plugin and develop their own version. Many plugin authors are very appreciative if someone forks one of their outdated plugins, updates it, and makes it available to everyone on the repo. It is common courtesy to inform the original dev(s) when they wish to do this. In fact, one of my plugins listed in this email has already been forked and updated (the new dev notified me beforehand).

    Two, the fact that the email makes it appear that they have “approval” from the WP repo team to contact me is another big, red flag. No one requires approval from anyone at WP to contact a plugin author. I receive emails all the time about updating my plugins.

    Three, anyone whom I do not know that contacts me out of the blue and asks for login credentials, or access permissions to any of my repos, is just asking to be blocked. This is bad form. Providing such credentials to an unknown, therefore untrusted party, is never wise as it could be a significant security threat. Malicious code could be entered into your plugin and you, in effect, would be complicit in its insertion. If you do not know someone, it is never wise to team up with them without fully vetting their integrity and the quality of their work.

    Besides, the request is not even necessary as per item one above — they are free to fork my plugins as long as they give me credit and follow all of the WP repo rules and overall WordPress community common courtesies.

    The fact that this person (group of people?) is still using the exact same email template even after receiving feedback in this thread about the bizarre language and assertions gives me even more reason to be suspicious. If they are truly offering an acceptable, innocuous partnership, they need to rephrase their email and stop implying an “approval” from anyone at WordPress.
