WordPress.org

Forums

[closed] A strange offer from third-party to give them repository access (25 posts)

  1. FractalizeR
    Member
    Posted 1 year ago #

    Hello.

    I've got a strange letter today from some "bestweblayout.com" company. Here it is:

    "Hello Vladislav.

    My name is Grigoriy and I am a representative of BestWebLayout. Our team specializes in WordPress development services.

    We saw that your WP-SynHighlight plugin was updated more than 4 years ago. We would like to offer you our assistance and participation in further development and maintenance of this plugin. In other words, we would like to get your permission and access to plugin repository on wordpress.org. In such way we will become the plugin contributors along with you and will be able to control testing and development of this tool within the WordPress community.

    Our activity will include plugin updates, compatibility testing, support, etc.

    We have already talked to WordPress support team (they said that WordPress is open-source community and such contribution is welcome), who asked us to contact you with such a request. Please let me know if you are ready to accept our offer. Feel free to contact me with any questions.

    Thanks!

    Grigoriy"

    Their website is VERY strange for a "team of professionals" they claim to be. And the offer itself is a little strange. If I want to contribute, I donate code. I don't ask write access to the repository.

    Isn't this a method of spreading some unwanted PHP code via WordPress plugins like it is now done with Chrome (virus or other unwanted crap authors buy popular addons and "enhance" them)?

    Does anyone actually know this company and can confirm we can trust them?

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    "If I want to contribute, I donate code. I don't ask write access to the repository."

    However, you would have to give permission for their names to be added to the plugin as contributors.

    "Isn't this a method of spreading some unwanted PHP code via WordPress plugins"

    I'm sure that some people do try this but the very hard-working plugin review team weed these out.

    If you are not comfortable with this "offer", then you could always suggest that they fork your plugin and develop the new fork themselves.

  3. FractalizeR
    Member
    Posted 1 year ago #

    Well, that's the main thing. It's not about me being comfortable. I just want to know if they are trustable or not.

    The offer itself may be legitimate, but all depends on people making it.

  4. Code Master
    Member
    Posted 1 year ago #

    I got the same offer and I suggested they should submit a patch to one issue before I can grant them access. Still they insist they need to be listed as a contributor.

    Seems incompetent or malicious.

  5. "Still they insist they need to be listed as a contributor."

    Then don't accept the patch and don't list them. Or come up with your own patch.

    "Seems incompetent or malicious."

    I think it's odd myself but you don't have to grant them what they want. You can even ignore the request. ;)

    If it gets to the point of harassment (NOTE that I am not accusing anyone of anything!) please report that behavior to the plugins [at] wordpress.org email so they can at least be aware of that.

  6. FractalizeR
    Member
    Posted 1 year ago #

    Well, reporting them to plugins@. I don't like this.
    Thanks.

  7. FractalizeR
    Member
    Posted 1 year ago #

    Guys at plugins@ responded that they don't have any previous record of any contact from BestWebLayout BTW.

  8. "We have already talked to WordPress support team (they said that WordPress is open-source community and such contribution is welcome), who asked us to contact you with such a request."

    1) As FractalizeR said, no we did NOT ask them to contact you.

    2) If we DID we would have said "Try to contact the developer to ask if they'll add you..."

    It's possible they took that the wrong way, but at any rate, feel free to tell them no :) It's your plugin. Do what you want to do.

  9. PJvanErp
    Member
    Posted 1 year ago #

    Got a similar e-mail, don't trust it for a bit.

  10. Can you forward the email (headers and all) to plugins at wordpress.org please?

    I'm about ready to hit 'em with a brick.

  11. Code Master
    Member
    Posted 1 year ago #

    Sent to plugins at wordpress.org.

    Thank you very much!

  12. PJvanErp
    Member
    Posted 1 year ago #

    done!

  13. bestweblayout
    Member
    Posted 1 year ago #

    We aren't involved in any illegal affairs. Earlier on the forum there was a question about the possibility of cooperation with the authors of neglected plugins. And it said that it is not a problem to cooperate with the authors. So we decided to help the WordPress community with these plugins. We only collect information about plugins which were simply neglected by authors and have not been updated with the latest changes of WordPress. Some of the authors refused, but some of them agreed. Sorry that it looks like spam.

    http://wordpress.org/support/topic/old-plugins-contribution?replies=10

  14. It looks like spam because you're sending this out to a LOT of people, and as of yet, haven't done anything with the plugins. Which is, sadly, a tactic of some spammers. They'll take over legit plugins and turn them into guideline violation spam fests.

  15. "We only collect information about plugins, which were simply neglected by authors and have not been updated with the latest changes of WordPress."

    I'm not suggesting any ill will but why would you insist on becoming a plugin contributor? Getting access like that to all those plugins really seems questionable and is something that can be abused as Mika said above.

    Submitting patches is cool but making that a requirement isn't something that should be done wholesale like that IMHO.

    If you have not been making that insistence then I apologize for any misunderstanding on my part.

  16. Jeff Sayre
    Member
    Posted 1 year ago #

    I received the exact same email this morning with the exception, of course, that they listed my older plugins. There are several issues with this approach that immediately made me flag the email as spam and alert others to a potential threat.

    One, anyone is free to fork a plugin and develop their own version. Many plugin authors are very appreciative if someone forks one of their outdated plugins, updates it, and makes it available to everyone on the repo. It is common courtesy to inform the original dev(s) when they wish to do this. In fact, one of my plugins listed in this email has already been forked and updated (the new dev notified me beforehand).

    Two, the fact that the email makes it appear that they have "approval" from the WP repo team to contact me is another big, red flag. No one requires approval from anyone at WP to contact a plugin author. I receive emails all the time about updating my plugins.

    Three, anyone whom I do not know that contacts me out of the blue and asks for login credentials, or access permissions to any of my repos, is just asking to be blocked. This is bad form. Providing such credentials to an unknown, therefore untrusted party, is never wise as it could be a significant security threat. Malicious code could be entered into your plugin and you, in effect, would be complicit in its insertion. If you do not know someone, it is never wise to team up with them without fully vetting their integrity and the quality of their work.

    Besides, the request is not even necessary as per item one above -- they are free to fork my plugins as long as they give me credit and follow all of the WP repo rules and overall WordPress community common courtesies.

    The fact that this person (group of people?) is still using the exact same email template even after receiving feedback in this thread about the bizarre language and assertions, gives me even more reason to be suspicious. If they are truly offering an acceptable, innocuous partnership, they need to rephrase their email and stop implying an "approval" from anyone at WordPress.

  17. bestweblayout
    Member
    Posted 1 year ago #

    We are not spambots. We are real people and real community members. We do not have "approval" from the WP team to contact plugin authors, we just asked for the ability to become a contributor and how we can do it. And they said that yes, this is possible, but only with the consent of the author. So we write directly to authors. We just want to support great plugins (such plugins are selected by us) which were updated a long time ago. And for this purpose we need to get access to repositories so that existing users could receive updates automatically.

    We also have some stages of work like every project. At this stage, we write to the plugin authors who haven't updated their products for a long time. Of course, we study and analyze each plugin before sending the letter with the contribution offer to the plugin authors. Probably our letters look identical or like spam, but it's only because there are a lot of authors and plugins, and we just cannot write a full review with future plans and changes which will be implemented (because we need to receive approval from the author first). After receiving consent or refusal for all the plugins that interest us, we will start the following stage of direct development and introduction of updates.
    We have no reason to add malicious code. This is stupid.

    We just offer our help to the community. You may accept this offer or reject it. We have already got approvals from a certain number of authors who do not have any plans on updating their products.

  18. People would feel a lot better if you and your group do something with the plugins you've already taken over, and prove that you're going to improve our community.

    Like I said, it looks spammy because, in part, you've done nothing with them. Change that, change our perceptions :) oh and please stop telling people you've already talked to the "WordPress Support Team." It implies you talked to the plugin team (you didn't) or maybe the WP forums support mailing lists (you didn't). You may have talked to one person, but you did not talk to the team as far as I know, and I'm on both.

  19. bestweblayout
    Member
    Posted 1 year ago #

    We'll let you know about our completed work! We are currently studying and analyzing these plugins. Soon we will provide a progress report. Stay tuned!

  20. See ... that bothers me (personally). You didn't analyze or study them before asking to take them over?

  21. pandan1
    Member
    Posted 1 year ago #

    I got the same offer and I suggested they should submit a patch to one issue before I can grant them access. Still they insist they need to be listed as a contributor.

  22. Allimaple
    Member
    Posted 9 months ago #

    Plugin authors who grant these folks access wind up with their plugin polluted with a Spam menu, i.e. BWL in the admin sidebar.

    Thus far they have infiltrated:

  23. bestweblayout
    Member
    Posted 9 months ago #

    Dear Allimaple,

    Thank you for your recent messages and topics created on WordPress. Your opinion is really important for us. However, we are not trying to pollute any plugins and would like our users to focus on the options they need rather than on the panel. It is just a collection of recommended tools which are compatible with each other and constantly supported by us and other WordPress contributors. The menu is used to advertise authors of these plugins as you can see.

    The access to all these plugins was received from the original authors and it can be revoked any time. Besides, these plugins were old (more than 2 years without updates). We thought that WordPress is a community and we are able to support old themes/plugins in such a way. But now it seems that is not true, and we need to remove our work completely, because some of the authors just don't like the way we do that.

    We will try to remove these changes during the week...

  24. Allimaple
    Member
    Posted 9 months ago #

    Please don't feign ignorance, such a child-like reply merely further illustrates you think you are dealing with easily duped amateurs.

    WordPress users are not rubes, and as such we are well aware of what you are doing, ergo:

    Adding a SPAM menu on plugins that meet your predetermined dormancy threshold and considering THAT an update, which is utterly absurd and is most often the purview of ne'er-do-wells.

    If you are concerned with focusing on the options of the plugin, then actually implement additional functionality and include the menu as a tab within the plugin's administration menu, NOT as a separate acronym and sole change that suddenly shows up on the Administration sidebar.

    There is no discernible benefit to updating for example DropCap Shortcode as there is no added functionality, i.e. selecting the font, color, size, margin, those customizations are still required to be entered via manually entered CSS.

  25. Okay, folks.

    The Plugin team is aware of this. We'll be contacting them via email about this situation and, if warranted, revoke access.

    Please note: When you are added as a contributor to a plugin, you are given the access to edit a plugin but with that comes the responsibility of managing it for the users and its position in the community. You are always expected to add code of merit and functionality to a plugin.

    Plugin updates to 'game the system' are grounds for a plugin's removal. Period. Always has been, always will be. Plugin updates that do not make the change log are suspect, because you are expected to be honest. It's open source. We can see what you did anyway.

    We're on it.

Topic Closed

This topic has been closed to new replies.
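
The pattern described in the last posts (an update whose only change is a new top-level admin sidebar menu, with nothing about it in the changelog) can be checked mechanically before an update is accepted. The sketch below is an added example, not code from the thread or from WordPress.org; the file names, menu label and readme text are constructed samples, and matching on `add_menu_page` is a simple heuristic.

```python
import re

# Heuristic: first string literal inside an add_menu_page( ... ) call.
# add_menu_page() is the WordPress call that registers a top-level admin menu.
MENU_CALL = re.compile(r"\badd_menu_page\s*\([^'\";]*(['\"])(.*?)\1")

def menu_labels(files):
    """Set of menu labels registered anywhere in a {path: source} mapping."""
    return {m.group(2) for src in files.values() for m in MENU_CALL.finditer(src)}

def changelog_entry(readme, version):
    """Text under '= <version> =' in the '== Changelog ==' section of readme.txt."""
    parts = re.split(r"^==\s*Changelog\s*==\s*$", readme, flags=re.I | re.M)
    if len(parts) < 2:
        return ""
    m = re.search(rf"^=\s*{re.escape(version)}\s*=\s*$(.*?)(?=^=|\Z)",
                  parts[1], re.M | re.S)
    return m.group(1).strip() if m else ""

def audit_update(old_files, new_files, readme, version):
    """Return (label, disclosed) for each top-level menu the update adds."""
    entry = changelog_entry(readme, version).lower()
    added = menu_labels(new_files) - menu_labels(old_files)
    return [(label, "menu" in entry or label.lower() in entry)
            for label in sorted(added)]

# --- constructed sample data (not taken from any real plugin) ---
OLD = {"example-plugin.php": "<?php\nadd_shortcode('example', 'example_render');\n"}
NEW = dict(OLD, **{"vendor-menu.php": (
    "<?php\nadd_action('admin_menu', function () {\n"
    "    add_menu_page(__('Vendor Tools', 'ex'), 'VT', 'manage_options',\n"
    "                  'vendor-tools', 'vt_render');\n});\n")})
README = """=== Example Plugin ===
Stable tag: 1.1

== Changelog ==

= 1.1 =
* Compatibility with the latest WordPress release.

= 1.0 =
* Initial release.
"""

if __name__ == "__main__":
    for label, disclosed in audit_update(OLD, NEW, README, "1.1"):
        note = "mentioned in changelog" if disclosed else "NOT in changelog"
        print(f"new top-level admin menu {label!r}: {note}")
```

A flagged menu is only a prompt to read the diff; a legitimate feature release can add a menu too, which is why the check reports whether the changelog discloses it.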
