David Heinemeier Hansson

October 13, 2024

Open source royalty and mad kings

I'm solidly in favor of the Benevolent Dictator For Life (BDFL) model of open source stewardship. This is how projects from Linux to Python, from Laravel to Ruby, and yes, Rails, have kept their cohesion, decisiveness, and forward motion. It's a model with decades' worth of achievements to its name. But it's not a mandate from heaven. It's not infallible.

Now I am loath to even open this discussion. Because I've weathered more than my fair share of bad-faith attempts on my own stewardship, and witnessed the show trials of several others. It doesn't take much for contentious issues within a project, or societal moral panics outside it, to seed dethroning mobs. Which will hijack then eulogize The Will of The Community, as though that somehow deserved the mandate from heaven.

Half the advantage of the BDFL model is exactly in allowing for unpopular decisions to be made without the lethargic mores of committees and bureaucracy! Open source is not a democracy, and we all benefit from that fact, whether we accept it or not.

So what follows is not a categorical argument. I believe in the social utility of an open source royalty. One crowned on the virtues of initiative, perseverance, contributions, and technical excellence.

Matt Mullenweg has earned his crown in the land of WordPress. He created the system, and for twenty years has been its prime champion and cheerleader. His achievements are obvious. Half the damn internet runs on WordPress! There's an industry worth billions feeding theme designers, plugin makers, hosting companies, and Matt's own Automattic enterprise. It's a first-rate open source success story.

But it's also one that has taken a dark turn since Automattic went to war with WP Engine (WPE) over a claim that the latter pay 8% of its revenues as a tithe approximate under the guise of "giving back more". The leverage of extraction started as a spurious trademark claim, but has since escalated into what WPE has alleged as extortion, and what I see as a seemingly never-ending series of dramatic overreaches and breaches of open source norms. Especially the introduction of the login loyalty oath, and now with the expropriation of WPE's Advanced Custom Fields (ACF) plugin.

That's a lot, so let's start from the end. The most recent escalation, and, in my opinion, the most unhinged, is the expropriation of the ACF plugin. Automattic first answered WPE's lawsuit by blocking engineers from the latter from accessing the WordPress.org plugin registry, which is used to distribute updates and security patches. It then used the fact that WPE no longer had access to the registry to expropriate the plugin, including reviews and download stats!! The ACF entry now points to Automattic's own Secure Custom Fields.

For a dispute that started with a claim of "trademark confusion", there's an incredible irony in the fact that Automattic is now hijacking users looking for ACF onto their own plugin. And providing as rationale for this unprecedented breach of open source norms that ACF needs maintenance, and since WPE is no longer able to provide that (given that they were blocked!), Automattic has to step in to do so. I mean, what?!

Imagine this happening on npm? Imagine Meta getting into a legal dispute with Microsoft (the owners of GitHub, who in turn own npm), and Microsoft responding by directing GitHub to ban all Meta employees from accessing their repositories. And then Microsoft just takes over the official React repository, pointing it to their own Super React fork. This is the kind of crazy we're talking about.

Weaponizing open source code registries is something we simply cannot allow to form precedent. They must remain neutral territory. Little Switzerlands in a world of constant commercial skirmishes.

And that's really the main reason I care to comment on this whole sordid ordeal. If this fight was just one between two billion-dollar companies, as Automattic and WPE both are, I would not have cared to wade in. But the principles at stake extend far beyond the two of them.

Using an open source project like WordPress as leverage in this contract dispute, and weaponizing its plugin registry, is an endangerment of an open source peace that has reigned for decades, with peace-time dividends for all. Not since the SCO-Linux nonsense of the early 2000s have we faced such a potential explosion in fear, doubt, and uncertainty in the open source realm on basic matters everyone thought they could take for granted.

So while I always try to keep things from getting personal, I'll break practice to make this plea: Matt, don't turn into a mad king. I hold your work on WordPress and beyond in the highest esteem. And I recognize the temptation of gratitude grievances, arising from beneficiaries getting more from our work than they return in contributions. But that must remain a moral critique, not a commercial crusade. You can't just extract by force that which you believe to be owed beyond the license agreement on a whim.

Please don't make me cheer for a private-equity operator like Silver Lake, Matt. Don't make me wish for them to file an emergency injunction to stop the expropriation of ACF.

It's not too late. Yes, some bridges have been burned, but look at those as sunk cost. Even in isolation, the additional expense from here on out to continue this conquest is not going to be worth it either. There's still time to turn around. To strike a modest deal where all parties save some face. I implore you to pursue it.

About David Heinemeier Hansson

Made Basecamp and HEY for the underdogs as co-owner and CTO of 37signals. Created Ruby on Rails. Wrote REWORK, It Doesn't Have to Be Crazy at Work, and REMOTE. Won at Le Mans as a racing driver. Fought the big tech monopolies as an antitrust advocate. Invested in Danish startups.