
Forking ACF is not the issue, Automattic is perfectly within their rights to do that. Hijacking the ACF WordPress.org page and having everyone who uses WordPress.org for plugin updates auto-update to the fork is the problem.


> Hijacking the ACF WordPress.org page

Is it a hijacking, if they own that page in the first place? The community placed trust in that owner of the page to be impartial, which was shown to be false here of course.

This means that this community page/list should no longer be trusted, and an alternative be sought out.


IANAL, but the only expressly illegal thing that they seem to have done is maintain the "acf" tag, and used the "advanced-custom-fields" URL, which could be trademark violations.

I'm sure there are other laws that are relevant here related to deception and misuse of the subscription to the plugin updates by the 2 million users involved.

Legal issues aside, this is an extreme erosion in trust for any user of the WordPress.org platform. They can no longer have confidence that their commercial (or non-commercial) plugin won't be chopped up and have its users stolen at any moment.


> Legal issues aside, this is an extreme erosion in trust for any user of the WordPress.org platform. They can no longer have confidence that their commercial (or non-commercial) plugin won't be chopped up and have its users stolen at any moment.

Not just the plug-in creators, but those (“stolen”) plug-in users, too. There is an example in TFA, the guy who had to update many (150, IIRC?) of his customers’ sites after the plug-in was switched out from under him.


I don't remember this scene in The Force Awakens


Standard HN jargon, "The Fff...ine Article".


> Is it a hijacking, if they own that page in the first place? The community placed trust in that owner of the page to be impartial

I would say yes, it is hijacking. It is very very similar to any MITM attack ever, like anyone in the looong chain of trust deciding that they will do something with the trust they have. Like, can your ISP redirect google.com to their own google.com? They surely can, and it probably wouldn't even break their contract with you. It would be a trademark infringement, probably a GDPR violation, but not much else.

Since WordPress.org acts as a traditional package repository, they can: serve you the package, or not serve you the package for various reasons. Everything else is hijacking or worse, especially if the intent is just to turn you into their user, and the result is to break your website. Even if you don't have a contract with them that they will serve WP Engine's unmodified plugin to you.



