Support » Plugin: WP-SpamShield » Plugin removed from repository?

Viewing 15 replies - 16 through 30 (of 46 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    πŸ³οΈβ€πŸŒˆ Halfelf Rogue & Plugin Review Team Rep

    @redsand – Sorry I thought it was clear that it’s issues regarding the forum guidelines (see https://wordpress.org/support/guidelines/ ) and rule #9:

    Intentionally attempting to exploit loopholes in the guidelines

    To wit, you were asked to make a change and did so incompletely. If this was not intentional, then I apologize.

    I’ve sent you a followup email, trying to clarify what we would accept as solutions to the issue (I came up with 3 options, but I’m open to hearing more).

    I understand why you’re angry and we will respect any decision you make regarding this. Nothing that has happened thus far is insurmountable or permanent.

    Plugin Contributor Red Sand Media Group

    (@redsand)

    @ipstenu,

    Wow…just wow.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    πŸ³οΈβ€πŸŒˆ Halfelf Rogue & Plugin Review Team Rep

    Jos, sorry about not catching your question!

    Can you tell a little more about the chances this gets resolved?

    I feel it absolutely can be resolved. Scott’s a good person at heart, and I completely understand why he’s upset about the situation and why he’s reacted the way he did. I don’t hold any animosity to him for any of this nor anything he’s said in the blog post. These situations are always contentious and feel personal, even when they’re not. It’s the nature of the beast, and the least favorite part of my responsibility here.

    @ipstenu, as an observer, it seems to me like you and @redsand are kind of speaking in code.

    Do you have a secret handshake or something? Lol

    On a serious note, these cryptic replies from you are not helpful and frankly, do not add to the credibility of the plugin review team which you represent.

    I have no doubt the plugin review team is doing very important work but there is really no need for all this secrecy given the removal of the plugin was not due to a security issue (as you clearly confirmed)

    Why don’t you just explain exactly what happened (in public!) and then Scott can give his version (again, in public!) and then let users make their own informed decisions on whether they would like to keep using this plugin going forward.

    In Australia we have a term for that: be “fair dinkum” 🙂

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    πŸ³οΈβ€πŸŒˆ Halfelf Rogue & Plugin Review Team Rep

    I’m hesitant to disclose everything because I fear it would do more lasting harm than short term good.

    Being the rep of the plugin team means my words have a lot more weight to them. Things I say get misinterpreted and misconstrued quite regularly. Personal opinions are heard as de facto law, and vice versa.

    Basically I don’t want to cause Scott or his company irreparable harm. Sadly, it’s happened a lot in the past where people read what they want to from my words. I have a lot of perceived power 😕

    Should you keep using the plugin? If it works, fits your needs, and doesn’t cause you problems, yes, use this plugin. There is no code quality or security issue that I’m aware of.

    The problem is, that we (the users) don’t know what has been going on behind the scenes. In this case I have to create an opinion based on what is shared by both parties. The words both parties choose do give me a clear preference. If Scott doesn’t want this to get solved, I’m forced to start a search for a good alternative. It’s a shame, because the plugin was always great.

    @ginmi – Again I am just a user like you and have no actual knowledge of what happened. But I do know that in general the WordPress plugin team does not disclose reasons for removal of a plugin, so I think that we have already been given as much information as we can reasonably expect.

    I do know some facts about what happened publicly in the past couple of weeks. Apparently there is/was a functional conflict between the WP-SpamShield plugin and another plugin. That’s common and unavoidable– some plugins are incompatible with some others.

    But what was not common is that the two plugin authors got into an argument, each accusing the other of having “malware” in their code; and each created code within their plugin to specifically block or disable the operation of the other. In the case of SpamShield, with version 1.9.20, released 10/27/17 – there was an “anti-malware” module added specifically targeting the other plugin.

    Subsequently, each plugin author followed up with another update that undid that particular change — for SpamShield, that was version 1.9.21, also released 10/27/17.

    In the case of SpamShield, the “anti-malware module” was in the form of an MU plugin, titled “WP-SpamShield Anti-Malware & Functional Integrity Scanner” (See https://wordpress.org/support/topic/two-wp-spamshield-plugins/). An MU plugin is a little different from a regular plugin, as it runs prior to other plugins and also cannot be disabled by users in the same way as other plugins. While version 1.9.21 removed the reference to the other plugin, it left the anti-malware module in place, set up to scan for another known malware program that has a similar name to Spamshield.

    Within the file directory (via FTP), in the mu-plugins directory this shows up as “am-integrity-scanner.php”.

    Again, I am speculating, but it is possible that the WP team has requested (or suggested) a specific change, which may or may not involve the use of the MU scanning plugin, and that the plugin developer does not want to make that change.

    I really don’t have an opinion about this one way or another, but any plugin developer who wants to be hosted on WordPress needs to play by the WordPress rules. And it is never a good idea (for security reasons) to download plugins from sources other than WordPress, unless it is a premium (paid) plugin from a highly trusted source. (A paid plugin creates a contractual relationship between the developer and the buyer; whereas a free plugin is distributed without obligation).

    So yes, I hope that this can be resolved within the next few days … but if not, then I see no choice for myself but to look for an alternative solution for anti-spam functions.

    Moderator Sergey Biryukov

    (@sergeybiryukov)

    WordPress Dev

    Sorry I thought it was clear that it’s issues regarding the forum guidelines (see https://wordpress.org/support/guidelines/ ) and rule #9:

    Intentionally attempting to exploit loopholes in the guidelines

    Just to clarify, that doesn’t appear to be the correct link, as the forum guidelines have nothing to do with plugin development and don’t have the quoted rule #9.

    Detailed Plugin Guidelines is the correct link.

    I like and use the WP-SpamShield plugin for a while now and in multiple sites.
    It works like a charm and causes no conflicts whatsoever.
    Sucuri scans say no security risks: https://wpvulndb.com/plugins/wp-spamshield

    As stated by Mika:

    Should you keep using the plugin? If it works, fits your needs, and doesn’t cause you problems, yes, use this plugin. There is no code quality or security issue that I’m aware of.

    this plugin just works fine and has quality code and no security issues.
    That ( in my opinion ) is reason enough to just keep it in the WP repository.

    Of course it is unfortunate that both developers are publicly disputing this, but why withhold a perfectly good plugin from being downloaded just because of that?

    I get that monitoring this kind of thing must be a pain sometimes and that “the team” has no bad intent. However, let users decide if they want this plugin or not please.

    Furthermore, if knocking off a plugin, please at least inform the users that it is not because of bad coding or security risks. I get that sometimes it might seem a good idea to not tell why. On the other hand, you would not get these kinds of questions and worried users bombarding you with these questions.

    I truly hope this fine plugin gets back into the repository very soon.
    It would be a shame to let it go over such a stupid dispute, right?

    Annie

    I’d like the GitHub link, too.

    @ipstenu — is there any possibility of making past versions of this software available for download to current users, as was done in the case of Display Widgets (ref: https://wordpress.org/support/topic/display-widgets-2-7-is-safe/)

    I would like to continue using WP-Spamshield for now but to roll back to version 1.9.19

    I am guessing that the problem is with the introduction of the MU plugin in version 1.9.20 (modified in 1.9.21) — and I have decided that I don’t want that module installed on any of my sites. (It has some strange behavior that I am not entirely comfortable with). There is no way to disable that within the settings mode of the current version– so roll back seems to be the best way to safely remove that.

    I do think that there should be guidelines or limits placed on the use of MU plugins, as these behave differently than other plugins, and at least have the potential to create a lot of problems. While looking through my site I found an MU plugin placed by a different (totally unrelated) WP utility plugin that I had used on some sites but removed and deleted after use, but the MU plugin was left behind. In that case it was totally harmless and clearly related to the purpose of the plugin, but still something unnecessary running on my wordpress installation and I think a potential security hole (in the sense that any executable that is not needed for site operation is a potential security issue). At the very least these should be more clearly documented.
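An added example, not part of any post in this thread and not code from WP-SpamShield or WordPress.org: a shell check that inventories the must-use plugin directory discussed above, reporting each auto-loaded PHP file with its `Plugin Name:` header and whether it is on a list of files the site owner expects. The function names `audit_mu_plugins` and `demo`, the expected-file list, and the file `leftover-helper.php` are assumptions for illustration; `am-integrity-scanner.php` and its title are taken from the thread, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: inventory of a WordPress must-use plugin directory.
# Usage: audit_mu_plugins DIR [EXPECTED_FILE ...]
# Prints STATUS<TAB>file<TAB>plugin name for each top-level *.php file
# (WordPress auto-loads only those, not files in subdirectories).
# Returns 1 if any file is not in the expected list, 2 if DIR is missing.
# File names containing spaces are not supported by the expected list.
audit_mu_plugins() {
    dir=$1; shift
    expected=" $* "
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue   # glob matched nothing
        base=${f##*/}
        # WordPress reads the header from the first 8 KB of the file; a file
        # without a header is still executed on every request.
        name=$(head -c 8192 "$f" | tr -d '\r' |
               sed -n 's|^[[:space:]/*#@]*Plugin Name:[[:space:]]*||p' | head -n 1)
        case "$expected" in
            *" $base "*) status=EXPECTED ;;
            *)           status=UNEXPECTED; rc=1 ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "$base" "${name:-(no header)}"
    done
    return "$rc"
}

# Constructed sample: a scratch directory standing in for wp-content/mu-plugins.
demo() {
    d=$(mktemp -d) || return 2
    printf '<?php\n/*\nPlugin Name: WP-SpamShield Anti-Malware & Functional Integrity Scanner\n*/\n' \
        > "$d/am-integrity-scanner.php"
    printf '<?php\n// constructed leftover file with no plugin header\n' \
        > "$d/leftover-helper.php"
    mkdir "$d/sub" && printf '<?php\n' > "$d/sub/not-loaded.php"
    audit_mu_plugins "$d" leftover-helper.php
    demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

demo || echo "audit exit status: $?"
```

On a real site, point `audit_mu_plugins` at `wp-content/mu-plugins` and pass the file names you have deliberately installed; a non-zero exit status means something else is being loaded on every request.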

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    πŸ³οΈβ€πŸŒˆ Halfelf Rogue & Plugin Review Team Rep

    The code remains up in svn and will unless Scott himself removes it.

    https://plugins.svn.wordpress.org/wp-spamshield/

    We’ve removed code … twice? Once was for a backdoor, and the other I remember was when someone posted private information by accident.

    Edit: unlike the widgets plugin, Scott asked us to keep this closed. I won’t betray his wishes by editing his code or taking it over. That would be disrespectful.

    We are ACTIVELY working on a way to keep plugin pages visible while closing them.

    * https://meta.trac.wordpress.org/ticket/2860
    * https://meta.trac.wordpress.org/ticket/2717
    * https://meta.trac.wordpress.org/ticket/2627

    We would appreciate help if you can code it, but we have a dearth of dedicated devs 🙁

    • This reply was modified 1 week ago by  Ipstenu (Mika Epstein). Reason: Explain why this is different than widgets
    • This reply was modified 1 week ago by  Ipstenu (Mika Epstein). Reason: Clarified -asked to keep this closed, an important distinction
    ginmi

    (@ginmi)

    @abigailm you can use the wp-rollback plugin to roll to a previous version.

    Not sure though doing that will get rid of the MU plugin that was added in ver 1.9.20

    Personally, I think I am just going to jump ship and look for another plugin.

    Any recommendations? 🙂

    Plugin Contributor Red Sand Media Group

    (@redsand)

    Edit: unlike the widgets plugin, Scott asked us to close this. I won’t betray his wishes by editing his code or taking it over. That would be disrespectful.

    Mika, that’s a blatant lie. I am going to ask again that you not lie about us. I never asked you to close WP-SpamShield. We had already received notice that Otto had booted it. What I did say was that WordPress.org was no longer trustworthy, and that we wanted you to close all of our other plugins.

    If you and Otto continue to lie about us publicly, I will be forced to start publishing the email thread so that you will stop lying about us.

    We’ve removed code … twice? Once was for a backdoor, and the other I remember was when someone posted private information by accident.

    There was never a backdoor or private info in WP-SpamShield’s code.

    Abigailm

    (@abigailm)

    OK, thanks. It’s a little tricky to download and rollback from svn because there doesn’t seem to be a way to download a full zip file — but I see that the zip file for the version I am looking for is available from https://downloads.wordpress.org/plugin/wp-spamshield.1.9.19.zip — so I think I can do what I want for now.

    I’d love to offer coding help if I could, but I don’t have the skills — but I certainly understand your limitations.
