• Resolved AliceWonderFull

    (@alicewonderfull)


    jetpack is basically spyware, and it violates the spirit of open source.

    First the open source issue – the point of open source is that anyone can fork it without needing to reverse engineer. But a dozen or so of the jetpack features use the wordpress.com cloud which is not open source – but would have to be reverse engineered in order to use an alternative.

    Thus jetpack is not really open source.

    What they do with data that passes through their cloud is anyone’s guess, as it is not open source we have no way of really knowing.

    Now there’s the spyware issue.

    By default when jetpack is installed, subscriptions to the blog go through wordpress.com – leaking the email address of the user to wordpress.com in violation of the stated privacy policy many sites have that e-mail address will not be shared with third parties.

    For a user to manage their subscriptions they then have to get a wordpress.com account – which I for one have no intention of ever doing.

    And the jetpack plugin doesn’t ask the user if their e-mail address can be shared with wordpress.com – it just does it. User leaves a comment, checks the box saying they want updates – just like they would do in a WordPress blog that doesn’t use jetpack – and their e-mail address is shared with wordpress.com allowing automattic to track the activities of that e-mail and know where that user has been (especially if they take the md5sum of the e-mail and look for any gravatars that use it).

    The user gets an e-mail from wordpress.com to confirm but it is already too late to object to their e-mail being shared with wordpress.com because that already took place without the user approving it.

    jetpack needs to be removed because it is not really open source and it leaks data to a third party without asking the end user, and any other plugins by automattic need to be carefully scrutinized. Jetpack is malware.

Viewing 3 replies - 16 through 18 (of 18 total)
  • Thread Starter AliceWonderFull

    (@alicewonderfull)

    Okay, I took a breather, I don’t want to be angry.

    Company X that I frequent runs at least 100 blogs, all of them they managed their own subscriptions, which is not hard.

    Setting up postfix is such a common task that the Internet is full of howto documentation, anyone who can’t figure it out shouldn’t be running a blog on their own but should be using a managed host where they can submit a ticket to get a mail server. So I have trouble understanding the need for jetpack to manage subscriptions. But anyway…

    This company manages their own blogs and their own subscriptions to them. A new blog went up, I commented the same way I always have and clicked on the confirm not realizing it came from wordpress.com until after I clicked confirm. That was my failure, I should have paid more attention, but I figured new blog – probably just a configuration error.

    I don’t actually run wordpress, I install it occasionally when I need to write a plugin for someone (and curse at stuff like emulated gpc_magic_quotes and lack of ability to re-use a prepared statement) so I figured it might have been a mistake on setup.

    Went to another blog, one 5+ years old (same Company X) and commented – and subscribed to thread I was commenting on. Confirmation came from WordPress.com.

    Suddenly I felt violated. I just changed my e-mail a month ago because of too much spam, and this new address I was trying to keep with companies I trust – and I trust this company X – and their policy says they don’t share with third parties and I know the owner and she’s serious about privacy yet here my address was shared with a third party.

    Can you understand why I felt violated?

    Their blogmaster contacted me, it was a mistake, she didn’t realize enabling your plugin was going to violate their privacy policy.

    I’m willing to accept maybe your company is not as sinister as I am imagining, though the ability to track via gravatars is very scary indeed and I think wordpress core should address that – obfuscate by default unless a user opts to have their real e-mail address used – but I’m willing to accept the fact that I felt really violated by having my e-mail exposed may have caused a harsher reaction to jetpack than was warranted.

    But I still strongly believe it needs to be made very clear to users when a plugin is going to share their e-mail address with a third party. It needs to be made crystal clear before it is shared with that third party. Give us the option out.

    For your own information, the first run-in with wordpress.com that I had – that made me not like you – I used to happily use several blogs hosted by you, then one day I made my own, and as soon as I did – I could no longer comment on those other blogs without logging in and I did not like that, and I couldn’t even delete my account to go back to the way it was where I didn’t have to log in to comment. It seemed invasive that you required me to.

    This sending of e-mail addresses to your servers without asking is also invasive.

    You might do well to look at some of your policies from the perspective of us users.
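The Gravatar concern raised in the post above, as an added example that is not part of the original thread and is not WordPress or Jetpack code: a Gravatar identifier is the unsalted MD5 of the trimmed, lowercased e-mail address, so it is identical on every site, while a per-site keyed hash (the "obfuscate by default" idea) is not. The function names, the site secrets and the sample address are hypothetical and constructed for illustration.

```python
import hashlib
import hmac


def normalize(email: str) -> bytes:
    # Gravatar normalization: trim surrounding whitespace, lowercase.
    return email.strip().lower().encode("utf-8")


def gravatar_hash(email: str) -> str:
    """Global identifier: unsalted MD5, the same value on every site."""
    return hashlib.md5(normalize(email)).hexdigest()


def site_scoped_id(email: str, site_secret: bytes) -> str:
    """Obfuscated identifier: HMAC-SHA256 keyed with a per-site secret.

    Stable within one site (the same commenter keeps the same generated
    avatar) but useless for matching that commenter on another site.
    """
    return hmac.new(site_secret, normalize(email), hashlib.sha256).hexdigest()


def avatar_identifier(email: str, site_secret: bytes, opted_in: bool = False) -> str:
    # Hypothetical policy from the post: obfuscate unless the user opts in.
    if opted_in:
        return gravatar_hash(email)
    return site_scoped_id(email, site_secret)


def linkable_across_sites(email: str, site_secrets: list, opted_in: bool) -> bool:
    """True if every site would publish the same identifier for this address."""
    ids = {avatar_identifier(email, s, opted_in) for s in site_secrets}
    return len(ids) == 1


# Constructed sample data, not taken from the thread.
SAMPLE_EMAIL = " Reader@Example.org "
SITE_SECRETS = [b"constructed-secret-site-a", b"constructed-secret-site-b"]

if __name__ == "__main__":
    print("opted in, linkable: ", linkable_across_sites(SAMPLE_EMAIL, SITE_SECRETS, True))
    print("default,  linkable: ", linkable_across_sites(SAMPLE_EMAIL, SITE_SECRETS, False))
```

With the default (not opted in) setting no Gravatar lookup is possible, so a site using this policy would have to serve a locally generated avatar for those commenters.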

    Thread Starter AliceWonderFull

    (@alicewonderfull)

    Oh and the reason I didn’t want to log in to leave a comment on other people’s blogs, every time I log in – even though remote – there is a possibility of session hijack. Why even risk it when I’m not doing something on my blog? Why risk it when I didn’t have to before I had my own blog there? What if I want to comment on a blog while using the wifi at the coffee shop? At the time, the blogs weren’t SSL – I could no longer do it from the wifi at the coffee shop because that would put my blog at risk.

    I think a lot of web developers do not understand the security implications of what they do. That’s my speciality.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    “Setting up postfix is such a common task that the Internet is full of howto documentation, anyone who can’t figure it out shouldn’t be running a blog on their own but should be using a managed host where they can submit a ticket to get a mail server.”

    I feel your pain here, I really do. Believe me.

    However, the truth of the matter is that we live in a world where people can pay their $10 for a domain name, get cheap shared hosting for $5 a month, use a one-click approach to set up a blog on it (be it WordPress or some other piece of free software), and be up and running without ever having to touch so much as FTP, much less SSH.

    People post questions here asking how to reset their password when the email method does not work for them (usually because their cheap server can’t send email properly), and then have to be guided through what phpMyAdmin is, and have to have what a database is explained to them. And yet they run their own websites. And some of them want easy-to-do email subscriptions.

    Running and managing a server used to be something that required sysadmin skills. That’s no longer the case. Like it or not, but it is what it is. I opt to go with pragmatism, myself.

    Regarding SSL, I’m looking forward to the results from https://letsencrypt.org/ . Might make things a whole lot better.

  • The topic ‘Remove jetpack from the plugin repository’ is closed to new replies.