PluginMirror doesn't allow a mechanism for showing plugins that were asked by the authors to be removed from the repository.

[chriscct7]

One extremely annoying problem with pluginmirror.com is that it assumes plugins which are not published currently but are present in the repository have "licensing issues or security problems". For alot of plugins this simply isn't the case.

There's many reasons a plugin could be in the repo that has nothing to do with licensing or security problems, for example, an author asking for their plugin to be removed from wp.org keeps the plugin in the repository, but disables the public view.

In such instances, it looks really bad for the plugin author, because pluginmirror is basically stating that the plugins are either unsafe or not licensed correctly, which in many cases is simple not true at all.

Either pluginmirror.com should come up with a better system for managing cases like this, or better yet, pluginmirror shouldn't show plugins that aren't listed.

Let's say I went out and made a plugin called Bad Security which is approved for the repo. 3 months later, Bad Security is pulled from wp.org for a huge security risk. Meanwhile pluginmirror not only continues showing the plugin on its site, but in additition the GitHub repo pluginmirror makes then gains SEO ranking from Google since its the only front facing website now with that plugin. Users who then search for Bad Security now end up on pluginmirror's GitHub repo, and download the plugin, completely unaware that there's a gigantic security vulnerability.

Now, there are also legitimate reasons for pulling a plugin from WordPress.org. Maybe it doesn't work with newer WordPress versions, or perhaps, and more likely, maybe it integrates with a service that either no longer exists or no longer supports the API that the plugin was built on.

Another consequence of doing such a thing, is licensing. Lets say a plugin was submitted to the repository, and that plugin is just a copy of a commercial non-GPL compatible program. Since pluginmirror automatically forks non-listed plugins, doing so could get you guys in a heck of alot of trouble if say you're making a commercially licensed (non-GPL compatible) item available on GitHub. Avoiding the whole what license do WP plugins have to be debate, a plugin could be unlisted because they used a commercial Javascript graphing library. By showing that code publically on your site, Bluehost is risking getting into a license lawsuit or discussion, when it could simply avoid it.

By listing plugins that aren't publically displayed, and by forking the code on GitHub, pluginmirror encourages usage of insecure and/or non-GPL compatible and/or legitimate reason for removal plugins. The simple solution is don't show and don't fork non listed ones.

[tierra]

As you pointed out, there's many reasons a plugin could be de-listed from WordPress.org that may have nothing to do with copyright or licensing issues. Just assuming they are all infringing without any report of having done so would be unfair to those plugins. If a plugin really was infringing without question, WordPress.org would be liable for removing that plugin entirely (not just de-listing it), and when they do, it is in fact impossible for the PluginMirror to clone those plugins.

Of course, as it is user-generated content, it is possible for the PluginMirror to clone a plugin that has infringed upon copyright before it has been reported to WordPress.org and removed, however, we do work with GitHub to remove such plugins from the mirror when they are reported, as required by law (also note this comment).

The warning published for de-listed plugins is still fair from our point of view, especially since de-listed plugins are also frequently no longer maintained, there's no official location to provide patches upstream, and there's no support for such plugins. Perhaps this warning could be improved on wording? We're still open to suggestions on that.

[chriscct7]

If a plugin was infringing, said plugin would be held in trac until it could be proven definitively the plugin is indeed infringing. In doing so, pluginmirror would still show the infringing plugin.

I think there's also a pretty colossal difference between a plugin that's outdated thats being publically shown and one that is hidden. If its not being supported anymore, it shows on the frontend. It would only not show on the frontend if the author specifically requested it not be shown anymore.

There's also another problem with showing plugins pulled for this reason. Since they are delisted, if someone searches for the plugin they will find pluginmirror's git repository. If they then download the plugin and need support they will more than likely go to the plugin author and contact for assistance. If an author removed the plugin because he no longer wishes to support it, then pluginmirror essentially bypasses that desire.

From a technical point of view, does pluginmirror automatically remove a repository from GitHub if an infringing plugin is found on WordPress.org, delisted initially from public view (but still in trac) then removed completely? There's usually a window where authors get to prove the plugin is in complicate licensing wise during which the plugin is delisted.

Wording wise, the warning should be more simpler like "Notice: This is a plugin that has been removed from the WordPress.org plugin repository either on the developer's request or by the WordPress.org volunteers. We recommend not using this plugin." or something like that

[tierra]

The PluginMirror does not remove any plugins as long as the source is still available in SVN (unless it is specifically reported to us or GitHub that it has infringed on copyright, as opposed to being reported to WP.org directly). That's all it really comes down to. WordPress.org still provides the source for most of the ~10k de-listed plugins through SVN, and if WP.org doesn't remove it from SVN, it won't be removed from the PluginMirror.

Also, the PluginMirror does not provide any method to contact plugin authors that the plugin author hasn't provided in the description or source themselves. It's just a mirror, that's all.

[tedivm]

The problem of infringing open source projects is an existing and complex one. What about the people who already downloaded the plugin on their own computers or are running them in their blog?

People fork and spread open source code. That's kind of the point. I don't think the issues brought up here are as big as they're made out to be.

[havahula]

Is this being supported still? Apparently Bryan doesn't work for bluehost anymore and bluehost employees I spoke with didn't know about it.

[MikeHansenMe]

The PluginMirror is still running.

[havahula]

how does someone remove past versions of their plugin? on the repo you can remove your past tags but that isn't honored here.

[MikeHansenMe]

As Bryan mentioned above the PluginMirror does not remove any plugins. It is a Mirror and simply makes the code available on github.