
I've been writing Joomla extensions for a long time; something like 10 years. I'm no stranger to extensions that I write having their functionality absorbed into the Joomla core. I expect it.

Joomla 3.9 was concerning to me, because the core devs decided to absorb several of my extensions' functionality into the core. I've been busy though, so I didn't really look into it much other than to identify that it was happening. Here's the short list:

  1. Privacy Consent - threatened to absorb my EU e-Privacy Directive plugin functionality
  2. Action Log - threatened to absorb my System - Software Log plugin functionality
  3. Repeatable field type - threatened to absorb my Fields - Subform plugin functionality
  4. User Actions Log - threatened to absorb my User - Profile History plugin functionality

I could not have been more wrong about these updates to Joomla.

The privacy consent extension is a joke: it's not multi-lingual, it doesn't offer an option to opt out, and it doesn't offer the granular control of my extension. Anyone serious about legal protection would be a fool to use the built-in tool.

The Action Log doesn't record much of anything: User X changed something in Extension Y. Not what was changed, no log of the previous values, just that something was changed. This information is only useful if you really need to point fingers at someone; otherwise, if your system has been changed and you need to restore the previous values without restoring a backup, you're still stuck.

The repeatable field type - wow, I thought that was going to be a problem, but it isn't. You're limited to only a handful of field types, while my Subform plugin imposes no limitations: you can do anything that JFormXML can do.

The User Actions log is, again, a monumental joke. It records that something changed and by whom, but not what was changed. My profile history plugin is very granular, omitting only sensitive information like passwords.
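To make the complaint in the two paragraphs above concrete: an audit entry that says only "user X changed item Y" cannot be reversed, while an entry that stores each changed field's old and new value can, with sensitive fields redacted rather than stored. The following is an added illustration written for this page; it is not code from RicheyWeb's plugins or from Joomla's Action Log, and every name in it (buildChangeEntry, revertChangeEntry, SENSITIVE_FIELDS, the sample user record) is hypothetical.

```php
<?php
// Added example, not RicheyWeb's or Joomla's code: a field-level change
// log that records before/after values so an edit can be reversed, and
// redacts sensitive fields instead of storing them. All names here are
// hypothetical.

// Fields whose values must never land in the log (hypothetical list).
const SENSITIVE_FIELDS = ['password', 'otpKey', 'activation'];

/**
 * Compare two snapshots of a record and return one audit entry listing only
 * the fields that changed, with their old and new values. Sensitive fields
 * are recorded as changed, but their values are not stored.
 * Returns null when nothing changed.
 */
function buildChangeEntry(string $actor, string $extension, int $itemId, array $before, array $after): ?array
{
    $changes = [];
    $fields  = array_unique(array_merge(array_keys($before), array_keys($after)));

    foreach ($fields as $field) {
        $old = $before[$field] ?? null;
        $new = $after[$field] ?? null;
        if ($old === $new) {
            continue;
        }
        if (in_array($field, SENSITIVE_FIELDS, true)) {
            $changes[$field] = ['redacted' => true];
        } else {
            $changes[$field] = ['old' => $old, 'new' => $new];
        }
    }

    if ($changes === []) {
        return null;
    }

    return [
        'actor'     => $actor,
        'extension' => $extension,
        'item'      => $itemId,
        'changes'   => $changes,
    ];
}

/**
 * Reverse an audit entry against the current record: every logged field is
 * set back to its recorded old value (or removed if it did not exist before).
 * Redacted fields cannot be restored from the log; they are returned so the
 * operator knows a manual step (e.g. a password reset) is still needed.
 */
function revertChangeEntry(array $entry, array $current): array
{
    $restored     = $current;
    $unrestorable = [];

    foreach ($entry['changes'] as $field => $diff) {
        if (!empty($diff['redacted'])) {
            $unrestorable[] = $field;
            continue;
        }
        if ($diff['old'] === null) {
            unset($restored[$field]);
        } else {
            $restored[$field] = $diff['old'];
        }
    }

    return ['record' => $restored, 'unrestorable' => $unrestorable];
}

// Constructed sample: an administrator edits a user record, changing the
// e-mail address, the password hash and the blocked flag.
$before = ['name' => 'Alice', 'email' => 'alice@example.test', 'password' => 'hash1', 'block' => 0];
$after  = ['name' => 'Alice', 'email' => 'alice@evil.test',    'password' => 'hash2', 'block' => 1];

$entry = buildChangeEntry('admin', 'com_users', 42, $before, $after);
echo json_encode($entry, JSON_PRETTY_PRINT), "\n";

// Roll the edit back from the log alone: email and block return to their
// old values; password is listed as unrestorable because it was redacted.
$result = revertChangeEntry($entry, $after);
echo json_encode($result, JSON_PRETTY_PRINT), "\n";
```

The design point is the asymmetry: the log is useful for rollback exactly because it stores old values, and it is safe to keep because the fields that would turn it into a credential dump are redacted and reported as unrestorable rather than silently skipped.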

All in all - I'm sure people worked hard on these improvements. I just need to keep my extensions at least one step ahead and I'll be fine. Nothing is getting pulled for redundancy, and from the looks of it - that won't be a problem for a while.


Born 17 September 1991

Died 16 September 2018

Some may question the date of death, as Linux is still doing quite well. I chose that date because that is when Linus Torvalds signed the Contributor Covenant and turned the project over to Greg Kroah-Hartman. For those unfamiliar with these events, I will detail them below.

The Contributor Covenant (CC) is a code of conduct (CoC) that favors social justice over good and efficient code. The CC favors anyone and everyone over white males. No longer will the Linux kernel be maintained and improved based on meritocracy (the best code implemented). This means that inferior code will be accepted into the kernel as long as its author is of a protected or preferred group, even over superior code that may have been written by a white male. The kernel will no longer be improved or maintained by the best and brightest if the best and brightest happen to be white males. Furthermore, the CoC allows for people to be banned from contributing for any reason, even without proof, and with no oversight or method of appeal.

The major problem with this approach is that the kernel had a widely diverse base of contributors. People from virtually every continent, of every race, of every religion, of every sexual orientation - all contributed and all benefited from each other's contributions.

The first casualty occurred 4 days after the CC was signed by Linus. Theodore Ts'o was accused of being a "rape apologist". Ts'o maintains /dev/random and /dev/urandom, a very important part of Linux security. It's speculated that his targeting is purely political, because his decisions kept Linux from revealing an Intel backdoor into /dev/random. The accuser was almost immediately accused of breaking the CoC for making the accusation. Of course, the conversation has devolved and over the past month has created some very bad blood.

The worst part of the whole thing is that people are threatening to pull their code from the kernel, which is apparently a completely legal and valid possibility. When this happens, the kernel will begin to fail in spectacular ways. Any vacancy in required kernel code will, of course, now be filled by someone who is probably less qualified than the person who originally wrote the code. Bugs are guaranteed to abound.

I never considered switching from Linux to BSD, but that's looking like a distinct possibility now. The next few months will determine how this goes.

Linux may have just died. I never thought I'd see that.


Independence Day is important to me, and many Americans. I thought I'd write something patriotic and non-programming related today.

Recently, Time Magazine published the now infamous "Welcome to America" cover. Featuring an illegal immigrant child crying in front of a very tall Donald Trump who was looking down on her, this was a very politically charged cover. The message of the cover was that Donald Trump was separating families at the border, but there was a problem. The little girl they used for the photo was never separated from her mother. Time Magazine was thus self-labeled "Fake News".

When I saw the Time special edition on "Founding Fathers", I was already prejudiced against the issue. Time had gone SJW, and the popular thing these days is to call the founding fathers terrorists. I expected the edition to maintain the current liberal talking points and historical revisions that are popular in liberal academia. My wife actually saw it first, and her reaction was "I wonder how bad they're going to paint the founders." Having a deep interest in US history, I said "Put it in the cart - I'll tear it apart (figuratively) later."

The expectation was that the magazine would paint all of the founders with the same brush that is popular these days. They're racists, they're slave owners, they're terrorists, they killed the native Americans... I don't deny that maybe some of them were racists (Thomas Jefferson was very much against slavery, and worked to end it), and some were definitely slave owners. I'm sure that the British considered them terrorists, and killing indigenous populations was how colonization was done (it's not like the native Americans weren't in a state of constant war anyway). These things are known, and at the time it was the way of the world.

This magazine surprised me. Not only is it well made, but it appears to have been well researched. I've read a few sections now, and it doesn't appear to have been written with any agenda other than to provide information and context - I don't see a bias in what I've read so far. Much of what I've read is information I already knew, but there is also new information (or, new to me). I'm actually relieved that I don't have to go through this magazine with a fine toothed comb to find the inaccuracies. I was expecting to write something very different.

It's sad that a once respected publication like Time has soiled its name to the point that the first reaction to an edition like this is to expect bias. There used to be a shame associated with inaccurate reporting and "fake news" - but it's become the standard operating procedure for many news outlets and publications. Maybe the red cover taught Time a lesson.

Happy 4th of July!


The Joomla ecosystem is sick. The JED is corrupt. Joomla leadership has turned to censorship.

I've been writing Joomla extensions for more than 10 years. Much of the time, I get paid to write custom extensions, and when a customer chooses a pricing model that leaves me the rights to the extension, I release it for free or as a paid extension (about 10% choose that pricing option). I have over 50 extensions in the JED. My entire business revolves around Joomla and writing custom extensions.

I often release extensions free, or as paid with a free (less functional) version. This gives me the opportunity to get my name out there and gives potential customers the opportunity to experience my extensions, which often leads to contract work writing custom extensions.

Joomla has, on multiple occasions, incorporated my ideas directly into the Joomla core. Here are a few examples:

Extension                        | RicheyWeb Release | Added to Joomla     | More Functionality?
System - Content Security Policy | 2018-04-27        | 4.0 on 2018-06-20   | less
System - Clean Response          | 2010-05-29        | 3.1.4 on 2013-06-27 | less
DomainRestriction                | 2011-05-17        | 3.9 on 2018-08-08   | less
Fields - Subform                 | 2017-12-08        | 3.10-dev (pending)  | less
EU e-Privacy Directive           | 2012-06-11        | 3.9 on 2018-08-27   | less

There are more; I just need to find them.

In some cases, I've commented in the Joomla GitHub pull requests explaining that they're implementing functionality that is currently available in 3rd party extensions in the JED, but recently those comments are being deleted. I can't even defend myself against this because Joomla leadership just deletes it. https://github.com/joomla/joomla-cms/issues/11905

I don't remember how I replied, but I'm sure it contained a link to my subform field in the JED. This is the pepperstreet message deleted by Joomla:

I'm not opposed to Joomla gaining new features, but when the features are ripped from my extensions and implemented incompletely - I'm left to wonder why I should ever release another free extension! Contributing to the Joomla core is something I've also done on several occasions. I would be honored if I was asked to create a core implementation for some of my free extensions - but that isn't happening. The functionality ends up being poorly or incompletely implemented and then I'm left to explain to my customers why they should pay for mine when they can get it from Joomla for free.

When confronted, Joomla leadership shows they have no interest in preserving the work of 3rd party developers.

What's really amusing is that I'm the person who brought the capability for Joomla to accept repeating custom form field values. https://github.com/joomla/joomla-cms/pull/19025 They're using capabilities that I gave them to step on my extension.

I did it first - and I get no credit. It's infuriating.


I'm a reasonable guy. I spend a lot of time freely supporting extensions that I also give away for free. A few of my extensions are paid, and I support them as well. For users who buy my extensions, I give them a bit more attention, because they paid for it. I'm even willing to go the extra mile to make them happy, because customers remember that sort of thing and they come back for it. Even when a customer asks for a refund, if they have a reason (usually, any reason will do), I'll issue the refund. This is partly because it's not worth the time spent arguing over a few dollars, and partly because I don't want to be unreasonable; it takes too much energy.

My attitude changes radically when I'm threatened or given an ultimatum. I do not take kindly to threats. It's also not in my nature to accept false accusations.

When Jeff Hecht of clikzdigital.com contacted me about his Nomad Pro purchase, he started his message with an accusation of misrepresentation. Don't take my word for it, here's the email:

Almost immediately, I received another message (a reply to the automated paid invoice email he received) - this time accusing me of fraud and threatening a negative review in the JED:

I don't take this sort of thing lightly. I bend over backwards, 60-70 hours a week, to make sure my users and customers are happy. When someone makes a threat against my integrity and reputation, I don't take it sitting down. I agreed to refund his purchase, but first I asked him to point out where I stated that Nomad was a "login redirection" plugin. I knew well that nowhere in my Nomad documentation, on the Nomad download page, or on the JED page for either the free (last updated August 07, 2017) or the paid extension (last updated August 23, 2017) does it say it was a login redirection plugin; in fact, they all very clearly state (as the first sentence of the description) "Nomad is not login redirection, it's homepage redirection!!!". The purpose was to suggest that he had made a mistake with the claim that I advertised Nomad as a login redirection plugin. My response:

All of this is easily proven by looking at the pages themselves, and at the Internet Archive. The first sentence of the plugin page on the JED has remained the same since 2014!
Nomad 2014: https://web.archive.org/web/20141228065735/https://extensions.joomla.org/extensions/extension/access-a-security/site-access/system-nomad/

Because his accusations arrived within an hour of his purchase, I gave him a little time to respond. Then I received this notice from the JED:

So now I get to deal with lies posted on the JED by someone who either didn't bother to read ANYTHING about the extension he purchased and is trying to bully his way into a refund - or is trying to scam his way into a free copy. Either way, it didn't need to go this way. Naming and shaming isn't something I want to do, but it seems like Jeff Hecht insists on being a liar, so my only defense is truth.

I'm not an unreasonable person. If Mr. Hecht had responded reasonably (or at all), I would not be doing this. A simple "my mistake, I purchased this thinking it was login redirection" would have worked for me. Instead, I'm here...doing this. Just be reasonable and don't threaten to post lies about me. There's a reason I post my phone number, and other contact information - because I've never cheated anyone. I have done nothing to run away or hide from.

Mr. Hecht got his refund. But it's going to cost him some reputation.
