How did a hate symbol get into WordPress.org’s plugin repository? What can we learn from the community response? Will more transparent governance help us navigate the age of weaponized open source?

Since the Russian invasion of Ukraine began, the letter ‘Z’ has been used as a symbol by the Russian government as a pro-war propaganda tool. It’s also being used by Russian civilians as a sign of support for the ongoing invasion of Ukraine. The colors and ribbon of St. George are often used with the ‘Z’, and the Lithuanian parliament has proposed banning them and equating them with Nazi and Communist images.

Earlier this month, Masha Gessen described the ‘Z’ in The New Yorker as having come “to stand for devotion to the state, murderous rage, and unchecked power.” While Gessen’s definition stopped short of calling ‘Z’ a hate symbol in early March, it has been affirmed as one since then — definitely in the view of many Ukrainians.

At some point in the past few days, a Russian developer forked the “Stand with Ukraine” plugin, as Nate Conley later pointed out. (There are quite a few pro-Ukraine plugins in the .org repo.) The forked plugin’s author called it Zamir and made it “display the `Z` symbol in support of Russia.”

The plugin was submitted for review, and it was approved.

Here is how the Zamir plugin page looked before it was taken down.

First Reactions on Twitter and Post Status Slack

When Zamir appeared in the WordPress plugin repository, it was noticed very quickly and drew many negative reactions on Twitter. Apart from complaints about the plugin being morally offensive, many people felt it violated the guidelines plugins must follow to be accepted in the WordPress.org repo.

While reactions on Twitter exploded, a heated conversation opened in the main #club channel in Post Status Slack. Initially, there was shock and dismay that the Zamir plugin was appearing prominently on the new plugin list for all WordPress.com customers. One of the first to notice the plugin and recognize its significance, Carl Hancock fired off a terse takedown request to the plugin review team, which he shared in Post Status Slack. The request was denied, and Carl shared the response he received.

Among Post Status members, the discussion was focused on whether the plugin should (or could) be removed under current guidelines. There was no disagreement on it being offensive, although not everyone knew about the ‘Z’ symbol’s emerging significance. The lack of protocols and governance in place to handle a situation like this was noted by several people, including Lesley Sim:

You know what would be cool? If the guidelines had examples or precedents so that we would have something more tangible to go on. Not just subject to everyone’s interpretations which, clearly, we all seem to disagree on. Kinda like case law in the legal system.

The Openness of Making WordPress Despite Unclear Decision Procedures

The Making WordPress #pluginreview Slack channel had a Zamir discussion underway at the same time, including an initial response from Mika Epstein to confirm that the plugin had been approved. (Anyone interested in how WordPress gets made should read the open and transparent discussion in the plugin review channel for context.)

Very quickly a number of people in the WordPress Foundation examined the situation and took some time to make a decision. The plugin was taken down, and Josepha Haden Chomphosy posted an explanation of why Zamir violated community guidelines:

While it is true that there is no current plugin guideline barring plugins that “support” political leanings, this icon symbolizes something more complicated than that. Contributors were right to report this and, with their help and the help of WordPress community members, the plugin has been removed from the directory.

According to Josepha, “The plugin’s description eluded initial plugin checks.” Even if it was an honest oversight, which appears to be the case, it still raises some important questions about review procedures and governance for WordPress.org. To Josepha’s credit, she does address this:

I am aware that this issue leads to natural questions about clarifying our plugin policies moving forward. I’ll work with the community to explore our guidelines and create a clearer framework for how plugins can be evaluated in the context of current events.

Don’t Assume the Worst of Others

Matt Mullenweg also shared some thoughts in Post Status Slack after the Zamir plugin’s takedown:

Thank you to everyone who raised this issue, regardless of how you did it… Extra thanks to people who did it in a way knowing there are humans on the other side of the screen, and sometimes it may take a few hours to respond to something. This moved pretty quickly, but if it had happened in the middle of the night on a holiday or something similar it could have taken longer.

100% promise there will be mistakes or things we reverse in the future. What’s important isn’t trying to avoid mistakes, as that’s impossible, but responding to them in a thoughtful and hopefully fast way. Please don’t bash people or teams for making a mistake, we’re all human and fallible.

Thank you as well to those who didn’t jump to conclusions based on this one plugin being up for a few hours.

It doesn’t seem there was any ill-will from anyone involved in the plugin’s entry into the repo or in the removal of some hostile “reviews” in the plugin support forum before its removal. I hope we can take a lesson from this and reexamine the plugin review policies, including how takedown requests work. The procedures and policies for removal need to be clear to everyone.

Post Status Postscript

The saddest and most concerning part of this story — and the part of it that is not likely to go away soon — is how anger and suspicion quickly focused a very prejudicial eye on contributors who might be Russian and/or sympathetic to the Russian invasion of Ukraine.

The WordPress Plugin Review team and a moderator in the Support Forum who is also on the Russian language Translation Team became the target of hasty scrutiny from the outside. Even within the Make WordPress Slack channels for those teams, there was some emotional and accusatory communication.

That’s understandable; I had similar suspicions myself. But the reality is the plugin review team is constantly making good-faith efforts as they carry out a very difficult and essential task. They will never please everyone all the time. They are targets of complaints, criticism, and even hateful, violent threats directed at individual members.

The suspicion and distrust that flared up in the Zamir controversy underscore the very serious risks facing all open source projects now. Loss of the trust and goodwill that make open source possible could kill it. David and I emphasize this in our discussion of “weaponized open-source code.” What a terrible phrase! Even using code as a form of political protest against a specific nation may harm open source by dividing us with deep distrust.

It’s probably good to have gotten through the Zamir plugin debacle as a relatively harmless learning experience. It could have been worse.

And it may well get worse. It will definitely get more complicated.

Other scenarios come to mind. What if instead of the ‘Z’ — a fairly explicit hate symbol — the flag of the Russian Federation had been used?

So what’s to be done, constructively? At a minimum, we need the greater transparency that’s increasingly being called for in the WordPress community. Formal guidelines, processes, and roles will provide clarity about who decides, and how they decide to include or exclude plugins, themes, reviews, etc.

Yes, it will always be messy, and there will always be mistakes. Project and community boundaries necessarily differ and disagree. That is exactly why everyone needs to know what the boundaries are and how they are negotiated.

— Dan Knauss
