Misleading!
-
Plugin requires some library download from their site directly from the WP back-end. Of course, you need to provide a valid email for that! As far as I’m concerned, this may well be an elaborate email harvesting scheme.
This is mentioned nowhere in the installation instructions here on www.remarpro.com!
Be warned.
Uninstalled instantly.
-
*Installs plugin (on a test installation), gets exact same results.*
That’s… odd. From the screenshot it looks like it’s requesting that you install their library as well as harvesting your email address.
*Clicks on Install library*
That’s not good. The CaptchaClass.php file is obfuscated and I’m pretty sure that installing code like that from a non-WordPress repo is a no-no.
To report this (which I’m doing now) please send the details to plugins [at] www.remarpro.com.
Plugin requires some library download from their site directly from the WP back-end. Of course, you need to provide a valid email for that! As far as I’m concerned, this may well be an elaborate email harvesting scheme.
This is mentioned nowhere in the installation instructions here on www.remarpro.com!
It isn’t email harvesting.
The plugin documentation on both wp.org and our captcha.com site is simply out of date. It describes b1.x version of the plugin while the plugin itself is already in the version b3.3.
We are working on getting the documentation up to date.
Regards,
Luka
Thanks for the reply, but why are you downloading an obfuscated PHP file onto a user’s installation?
Granted it’s with their explicit “Push The Button Here” but downloading non-GPL compatible code and doing it from outside of the WordPress plugin repo is questionable.
Hi Jan,
The root causes of all issues are a) that we have extremely limited human / financial resources, and b) we completely underestimated the sheer size of the WP community and how popular the plugin would turn out to be.
We simply found ourselves spread too thin, and solving problems much slower than everybody would like us to be.
The b1.x versions of the plugin DID NOT install the lib. The users had to go to our website and download and install the lib by themselves. Instantly, we found ourselves flooded with hundreds of support emails of the users who did not know how to do it by themselves.
Then we automated the process in the versions b3.x to escape being flooded with support emails. It helped non-technical users — but now it seems that it raises concerns of some tech-savvy users like you guys are.
I guess that in the future versions we will offer both the non-automated and automated ways of installation.
So techies will be able to do it all by themselves, while non-techies will be able to choose the automated option.
Hopefully, this explains the situation.
Regards,
Luka
Not to beat a dead horse but I get that you have limited resources. And I honestly appreciate all the work that you and others do providing code for free in these repos.
Seriously, kudos to you and all your efforts! It is appreciated and welcomed.
But what you are dancing around and completely not addressing is this question: why are you installing obfuscated non-GPL compatible PHP code on your user’s WordPress installations?
Hi Jan,
I was thinking that it is fairly obvious that in fact the user is installing the lib — not the plugin itself.
In b1.x versions the user was doing it in completely manual fashion (following the GPL-ed plugin installation) by browsing to our website, filling the form, downloading the lib, and deploying it by copying it in appropriate wordpress folder.
In b3.x versions the user first installs the GPL-ed plugin itself, then following the explicit authorization from the user (fill-in the email & click the ‘install’ button) the plugin automates what before the user was doing manually.
And following your & “sunamumaya” comments we concluded that it might be wise to offer users with both the automated & non-automated lib installations in the future versions.
Perhaps you are suggesting that we update the ‘authorization text/message’ to tell the users that the lib itself is not GPL-ed?
Regards,
Luka
Hi! Otto here.
Generally speaking, we don’t allow plugins to install executable code from third-party sources. We even have this codified into our guidelines:
8. No sending executable code via third-party systems. Use of third-party systems is acceptable in a service-client type of model, but sending actual PHP or other executable code over the network is considered a security risk.
In short, I’d hate to have to de-list your plugin from the www.remarpro.com plugins repository, but you are breaking our rules.
To fix the problem, I would suggest the following steps:
1. Include the library with the plugin itself instead of downloading it.
2. Unobfuscate the library so that the code is readable by humans.
3. Place it under a GPL-Compatible license.
If you are unable to do these things, then I’m very sorry, but we will have no other choice but to remove the plugin from the www.remarpro.com Plugin directory.
It’s more than that. Users have a specific problem or task, and they search for a plugin to solve that problem or perform that task, and since we’re all busy, we rely on others’ reviews and the author’s good faith.
To me, this is not good faith. Your plugin should have in bold, in Installation instructions, “IMPORTANT: This plugin requires you to download an additional, non-open source software, under a different license.” What about commercial use in heavy-traffic, high income sites that come to be dependent on code they do not own or control, for example? There are bothersome legal implications that could arise.
In addition to not being fair to the users, it’s also not fair to the other plugin authors. I skipped a few plugins and downloaded yours because it seemed the best for my needs, completely unaware of these issues. Had I known, I could have simply tried out other plugins instead (which I ultimately did).
Nothing against making a buck, you could simply create a premium plugin and say so, and sell that library or whatever. But the current situation remains dubious, I’m afraid, and it needs to be remedied. Fortunately, it would appear that the solution is as simple as forewarning users very strongly and clearly about what’s going on, before they download your plugin, so that they do so fully aware of the implications.
I posted right after Otto, so I guess the relevancy of my previous post is now less.
I think Otto has made the right call.
I have sent an email to the authors about this matter. We will handle the issue via that route.
Hi Sunamumaya,
Your plugin should have in bold, in Installation instructions, “IMPORTANT: This plugin requires you to download an additional, non-open source software, under a different license.”
Fortunately, it would appear that the solution is as simple as forewarning users very strongly and clearly about what’s going on, before they download your plugin, so that they do so fully aware of the implications.
This is both doable and within scope of the things I am authorized to decide about. It will be fixed in the next version of the plugin.
Nothing against making a buck, you could simply create a premium plugin and say so, and sell that library or whatever
This is of course also doable but outside of the scope of things I am authorized to decide about. I will need some serious counseling and help from both Otto and my colleagues in the following days.
Regards,
Luka
Works correctly, I did not receive more spam in the comments since I installed it