Long, rambling thoughts on WPMU

I’m posting this a bit late, but just about two weeks ago I finally caught a few spare minutes to upgrade this thing to the latest released version of WordPress MU. Things went surprisingly well, especially since until that point I’d been running a “custom” version (more on that later), and this was the release that synced up all the new admin changes released in the 2.5 “regular” WP release.

I run this domain (freepressblog.org) with several blogs as well as two other domains (“sites” in WPMU terminology), each with their own set of blogs. So far no reports of any problems; the transition went pretty smoothly. Prior to the upgrade, I heard a lot of noise about the new admin UI being a hard adjustment, but in my experience, I haven’t encountered any difficulties, and haven’t heard of any from the other people who use this install.

I’ve been wanting to do the “big” upgrade for quite a while now, since it was kind of a pain to be maintaining my own hacked together version. The unfortunate thing was that I didn’t really have much of a choice in that matter, as the “main” line of development in the WP project had been getting all sorts of urgent security patches and MU just doesn’t really keep up with them to the degree that I’d like.

As an example, you may remember the password hashing / salting and cookie authentication vulnerabilities from WP 2.3. These two issues were initially reported (to “regular” WP) in November of 2007, and patched in that code base relatively quickly (December 2007). There was a similar ticket for incorporating the same changes into WPMU, and it was arguably (IMHO) even more important to do there, since MU installations generally have more registered, non-admin users.

I’m using these two in particular as an example because I’m familiar with them; later that month (12/2007) I submitted a patch that corrected these two issues for MU users as well, and I’ve been running it without error here on this installation ever since. Unfortunately, it was decided that these changes should follow the same path as the rest of MU – namely wait and eventually do a huge sync-up release that ports all the latest stuff from standard to MU.

The problem is that this “sync-up” release only just happened earlier this month (May 2008). This means that for anyone running only “released” versions of the software, they had been lacking these (and other) security fixes for 5-6 months. Personally, I consider that to be a problem, since running only released versions of the software should be a reasonable and safe choice for people who aren’t willing or able to hack together their own code.

There are various things that have recently kept me from being as involved in WP development stuff as I was at one point. Mostly it’s just other priorities / demands on my personal time, but I do have to admit that part of the motivation I initially had after WordCamp in San Francisco last July has certainly faded.

Even that I won’t attribute entirely to the issues I’m “complaining” about here; a good deal of it is probably just a shift in interest for me personally. But I also have to honestly admit that I do not feel as interested in pushing for / working on the kinds of things I’d like to contribute to in a project like this, since I think it’s clear that they often don’t quite line up with the values / priorities of the people who control the direction of the WP project, for better or for worse.

I imagine it’s this way with any open source project with a healthy number of contributors, and I certainly do believe whole-heartedly in the benevolent dictatorship model of guiding changes in open source projects like this. It’s just a bit discouraging when you’re on the wrong side of that equation, and don’t have the time or energy to campaign for your position, getting your patches in, etc.

Even that I wouldn’t mind much, assuming that rational discussion would be an effective way to discuss / debate the differences. There have been some unfortunate situations in which such discussions, even from core contributors, were basically ignored (here’s one, admittedly very minor issue, but still). At other times I’ve seen (and once experienced personally) what I’d consider to be reactions more grounded in emotional involvement / defensiveness than concern for the actual issue at hand.

I’ve struggled with this state of affairs for a while now, but have yet to come to a satisfactory conclusion on what to do about it. At this point, I’d switch if there were a better alternative, but I haven’t seen one yet.

I still think it’s a great platform overall, but I do think that there’s certainly some room for more serious competition. I hope to see such strong competition arise, not just for my own benefit, but for the benefit of WordPress as well.
