Personally I felt people on GitHub were being way too harsh. He built something, moved on, and gave it away. He had no way of knowing the person who took it over would use it maliciously.
Seriously, some of the comments blew my mind. Because he built it, he had a responsibility to maintain it forever, and was responsible for everything that happened with that code forever?
Maybe calling free software "Open Source" was a mistake. If something is "free", then you have to accept you may get what you paid for. If you are using somebody else's code, is it their responsibility to look after it years after they have moved on, or your responsibility to make sure it's not full of bugs or malicious code.
People are dealing with a lot of negativity in their life, they shouldn't have to deal with that entitled bull-crap online, especially when doing unpaid work. Should the maintainer have been more cautious? no, he should have straight out closed the project and just ask people to fork it or use something else. If you are not going to maintain something anymore, don't even bother worrying about passing the torch. That way nothing is your responsibility anymore. The people who complain, insult the maintainer in Github issues right now will be at the root of a shift of mindset from contributors that will end the "golden age of open source".
I experienced a twist on this. A guy who had very different aesthetic taste wanted me to merge some patches. He got real entitled about it, eventually I banned him. THEN he did the "appeal to Twitter" and made malicious edits to the project page on wikipedia. He made a huge stink and wasted hours of both of our time. It was unreal! I wish I was joking.
I wrote about it, discussing my motivations for open source:
Users have to come to grips with the possibility that the "free" code they download might be malicious.
To mitigate the risk they have these options:
1 - Don't use the software.
2 - Audit the software themselves before they use it.
3 - Pay someone to do the auditing for them.
Even if they choose options 2 or 3, there's still a chance the some vulnerability of malware could sneak through (especially if they're getting a binary blob or source code written in a language like C that makes obfuscation easy).
But if they choose to use unaudited software, they're playing with fire and shouldn't be surprised if from time to time they get burnt.
> Maybe calling free software "Open Source" was a mistake.
This conflation is definitely a bad thing. Words with an actual meaning get over-used, simplified, stripped of their original meaning, and then merged. It would be 100% to the detriment of our language if it happens in this case.
Open source does not mean free (as in freedom or beer), free (as in beer) does not mean open source. Free as in freedom almost always means open source.
Side rant: Also, open source doesn't mean "open to contributions". Giving access to the source code does not mean obligation to accept contributions to said source.
Well they certainly couldn't call it "free software", that involves many more assumptions than "Open Source", and it might not even be free of charge. :) Blame Richard Stallman for using an incredibly common word with many meanings to refer to something that has one incredibly specific meaning which is unintuitive to most people, and to pretty much anyone who isn't a developer.
I think several decades of Open Source boosterism may have eventually given some people the wrong idea about what it's all about. Two annoying trends I've noticed in the last 10 years:
(1) (what this poor guy seems to be running into) People treating Open Source as anything other than charity from the people who put it out there. The people who make it generally don't owe anyone anything, including the people who use their code. I sometimes see very harsh criticism from people within the community that assumes anyone putting anything out there has to accept all sorts of responsibilities: maintaining a community, keeping on top of bug reports, acting as an integrator for people who want to send in patches, making sure that all packaging and documentation conform to some very high bar and/or specification, etc. Just because somebody puts something out there doesn't mean it has to be a second job for them, and doesn't mean that they are obligated to do anything for anyone, including responding to emails or dealing with bug reports or patches. It's perfectly fine to stop maintaining something after a while, or to just throw code over the wall and never touch it again after it's out there.
(2) (not this case) People treating Open Source as some avenue to professional fame or an eventual source of income. Yeah, that can happen, but it very rarely happens, and it's not a good reason to write it in the first place. This is the result of too many people using business arguments as a fundamental justification for doing Open Source, and people saying stuff like they only hire people who have projects on Github, and only if they like what they see. If someone's primary motivation is fame or money, Open Source is a terrible way to accomplish that. It's possible, just highly unlikely, plus I think it's much less likely to happen if that's someone's goal from the outset.
It's impractical, on an individual level, to vet your entire dependency tree. Installing something like react alone will put 100+ modules in your dependency tree.
A more mature project will have a 4-figure number of dependencies.
Things like Node Security Platform (which was absorbed by NPM) exist for a reason. There's no reason for every person to vet every single package they use -- it'd be an awful lot of duplicated energy.
If there was no implicit trust in the community, and we had to act as vigilant as you describe, there would be no community.
This problem can be solvable by introducing “Verified Identity” on GitHub. Anyone who wants to be maintainer of popular project can be asked to get Verified Identity. If this person turned out to be malicious, he risks getting tracked down by law enforcement fairly easily. For getting Verified Identity, simplest thing might be validation of phone number. Bit more complex thing might be Verified bank account or credit card. Assuming GitHub has 1M active users and each user verification costs $5, the cost of solving this problem is less than 0.1% of GitHub valuation but can hugely improve trust levels.
> Maybe calling free software "Open Source" was a mistake. If something is "free", then you have to accept you may get what you paid for.
Since no one seems to care about the freedom aspect of it, maybe we could rename it to "fee software" - give it away for free and encourage everyone to contribute with time and money. Will people stop being selfish because we changed the name? I don't think so.
> I've shared publish rights with other people before. Of course, If I had realized they had a malicious intent I wouldn't have, but at the time it looked like someone who was actually trying to help me.
Can anyone cite perhaps a handful of examples where this malicious open source usage ultimately bit them?
>He had no way of knowing the person who took it over would use it maliciously.
Then it was, clearly, negligent of him to give it to this person. He gave a stranger the power to do things in his name.
He doesn't have to maintain the project forever - it seems like a much easier solution is: don't give away a project with your name on it to someone you don't know. Instead, encourage them to fork and release a new version under their own name. This is a surefire way to never have an exploit spread to thousands of people with your name on it.
Look at that URL. It has "dominictarr" in it. Now click on the URL. Look at the big "dominictarr/event-stream" in the upper left of the screen.
Many are going to conclude that this package belongs to dominictarr. Almost everything in the UI indicates this.
Developers don't trust code, they trust people and organizations. NPM and Github needs to make it very clear when ownership has changed. And needs defaults that properly inform all users when ownership has changed. For example, when I SSH into a server the first time, it asks if I trust the key. Then one day, what if it asks again? Then I can stop and investigate why the key has changed, what's going on, and if I should trust it again.
With the current NPM/Github there's no warning to users. A developer could've checked dominictarr's background and decide they are trustworthy, which would then extend to event-stream as well. But where's the warning to users when ownership of event-stream has changed and they need to re-evaluate whether to trust the new owner? And why does it look like the project still belongs to dominictarr when it actually doesn't? Those are the key issues here.
well the code doesn't write itself, so partially true. But ultimately it's about accountability. If Dominic himself added the backdoor, his presence in the community would end that day. If an anonymous alias does that, we don't even know who to blame. Dominic's fault is not the backdoor, but the irresponsibility of handing over a used package to an anonymous alias. Not being clear about the fact that the package is abandoned. I wouldn't depend on an abandoned package, if I knew that.
The NPM organization could go much further to make these attacks harder.
You pitch a really good one: Any time you npm update/install, display ownership changes (especially compared to your prev version).
Another one is to show the source code on the NPM website itself instead of hiding it in a tarball. NPM basically trains people to assume the published code == the code at the linked repository. It's a hacky honor system that only helps attackers.
At least, it seems that way to me. If I were ever in a burdensome positioning of maintaining a package I didn't want to maintain, I'd go for the explicit archive/sunset route. At that point if someone wants to fork and re-package, they can do it, but it won't mess with anything directly downstream immediately.
I agree that the author has every right to quit being a maintainer, for any reason, but I don't believe that he is necessarily absolved of all judgment just because it was a free project he did on his own time.
He's obviously a prolific and generous author, but that experience also means he's very aware about real-world practices (especially in the npm ecosystem) to know that ceding control of a popular library, without taking any precaution, has the potential to put a significant number of users at risk. Should the users be less complacent? Sure, but that's not currently the world we live in, and the author is not ignorant of that.
If an experienced electrician volunteers his time to a homeless shelter, and decides to quit halfway through a rewiring project, it's his right to quit whenever. But the manner in which he leaves the project is also important. There's a huge difference between:
- Confronting the shelter manager and saying "Hey, I can't do this anymore, and you get a professional ASAP to fix my work because I can't guarantee that I've properly grounded everything"
- Exchanging pleasant goodbyes with the shelter staff, and not giving them any reason to worry about what you may or may not have done.
The latter situation is akin to a silent failure -- even stomping off the job and telling the shelter to go fuck themselves is ultimately preferable, since the shelter staff at least are very aware that your work may be dangerously unfinished. While you may not be liable if anyone gets shocked/electrocuted from your leftover work, that doesn't mean the shelter staff are obligated to not grumble and warn anyone else who might be relying on you for volunteer work.
edit: that said, I don't have a major objection to the author's response, as submitted here. I was referring to people who think that any significant criticism is unwarranted, just because the work is free. The author, to his credit, made a decently detailed reply and continues to make thoughtful responses.
I think your example makes your point weaker rather than stronger, because unlike the electrician, this guy has no reason to believe he's done a bad by job himself, because he's not putting anyone's life in danger, and because others who are using his work are also supposed to be similar professionals in their technical fields and taking similar responsibility. Comparing it to laymen who know potentially nothing about secure wiring getting potentially electrocuted because of a malpracticing electrician is not a great comparison.
- Tell the manager you will no longer be doing any work.
- Not tell the manager you’re quitting and replacing yourself with a random stranger from Home Depot who seems interested.
It’s not wrong for the electrician to quit, especially when volunteering, but it’s wrong not to properly notify people and to just let a random stranger take your place without notice.
So much for "many eyes make all bugs shallow" I guess. Problem is that 99% of those eyes are turned only toward using the product of someone else's good will for their own personal profit. And 99% of the remainder are only looking for bugs in the features they use, or just aren't that good at spotting bugs. This only gets worse in environments like NPM, which make it easy for dependencies to proliferate beyond anyone's expectations, so people don't even know what code they should be looking at.
This is still better than the situation with proprietary software, but problems like these are kind of inevitable in an ecosystem where people typically write 5% of the code themselves and blindly pull in the other 95% from who knows where via unchecked package dependencies.
I've written a lot of software in my life -- almost all of it for myself, and I just never bothered to open source most of it, because if I'm going to open source it I want to make a good impression, so I want to clean up the code and write some docs and make sure it it builds ok for others, think of a name for it, upload it somewhere, etc. It's just so much easier to keep it for myself and not bother with any of that.
Despite all this, I have open sourced a couple of things here and there. Little things. Things that virtually no one ever used, as far as I know. But once I did get a very polite feature request from someone on something that I'd moved on from, so I told them I wouldn't do it.
That was more than a decade ago, and I still think about it and feel kind of guilty for not doing it.. even though I know I have nothing to feel guilty about.
I can imagine being the author or maintainer of a popular package must be like this times a thousand. You have to put up with so much negativity and pressure from people who demand you do work for them for free.
I feel for these people. Anyone who spends even the smallest fraction of their life to give a gift to the world does not deserve anything but praise from those who benefit from it.
> Despite all this, I have open sourced a couple of things here and there. Little things. Things that virtually no one ever used, as far as I know.
You wouldn't know, when learning every help and every practical example can be useful. I understand that not everyone likes to learn by reading someones code but it can be invaluable especially for students in places where books are prohibitively expensive compared to the living standards. You're doing good deed, even if it's just small things, but make sure to document it properly.
Anyone blaming Dominic for not being more responsible should blame themselves for the same reason. This isn't the first time Node has had horrible dependency issues. Have we forgotten left pad? https://news.ycombinator.com/item?id=11340510
Ultimately, you can't take dependencies for granted.
>Ultimately, you can't take dependencies for granted.
The problem is that JS dependencies are so modular that shifting the burden to vet your dependencies to developers is generally not realistic. Creating a new project with one of the current popular frameowrks will bring in hundreds or thousands of dependencies. Who can possibly vet that?
To compound things, this package could be a transient dependency of a transient dependency, so I may not even know the person who decided to depend on it in the first place, or the reason why, or what the package does.
It's not that people are taking dependencies for granted - it's that there is no reasonable alternative.
Does anyone have a big list of issues like this? Both for NPM and for other package repositories. I remember there has been more cases than leftpad. I'm trying to teach some people to not rely too much on them.
I have observed an ongoing pattern. People who create a thing (that becomes somewhat popular) in some sense get credit for it. They are mentioned as the creator of it, forever. It becomes part of their resume, their online reputation. Perhaps they go on to create another thing.
This happens to a far lesser extent for people who adopt a project later to become an ongoing maintainer.
A project might have an originator who works hard for six months, and rewarded forever, and some maintainers who work hard for six years and gets very little reward.
Out of respect for many people who do great work, I will not name names. :-)
Personal attacks are completely unwarranted. I think a more useful (and certainly more constructive) way to look at this is to frame it as a learning experience and figure out what we can do to minimize the effect of this in future.
It's almost impossible to vet every sub-sub dependency of a large codebase without dedicating huge resources. Perhaps there needs to some sort of a javascript code signing standard that requires a level of user identity verification. This is a solved problem with Authenticode and Gatekeeper for executables on Windows/Mac. We have been able to hide behind the fact that we're devs (we know what we're doing!!), but many consumer-level applications (mainly Electron-based) now run node modules with user-level (or higher) permissions. Maybe we need to become a bit more diligent in this area and look at less ad-hoc ways of managing dependencies and identity verification.
Dominic is a prolific contributor and compassionate leader in the JS and P2P communities - and it was a disheartening thread to read. The suggestions that he (working for free!) should have done more seemed unfair.
We should look to fix these:
- If we're going to rely on hundreds of packages per project, we need fine grained security like Android or iOS. deno seems to be doing node right - https://github.com/denoland/deno/issues/171
- Lock down versions for now. Use 1.2.1 instead of ~1.2.1 or ^1.2.1.
- If npm must remain at the center of node's module system, they might have to add auditing and approval tools. 'npm install' can warn about unaudited modules. The problem with that is that it will make npm (a business) even more central to the node ecosystem - which may not be a good thing.
I think this is a major loss of innocence moment for open source. The only sustainable solution to this sort of problem is to pay people to do at least minimal curation and maintenance of open source libraries.
In an ideal world, the payment would go to people who actually create open source value. However, I'm cynical enough about human nature and business to suspect that it will mostly go to middlemen like record distributors and academic publishers, who create very little actual value but somehow make themselves indispensable in the ecosystem.
Is there even a generalized guideline on how to handover npm packages?
It would seem like common sense to let something die and let any new interested maintainers fork the project thank to just wantonly hand it over to a complete stranger. But I could easily see someone getting into the habit of trusting people and not thinking about it too much.
Maybe a combination of better guidelines, some kind of code of ethics along with better means of communicating these changes through npm would've helped this issue a lot more. If not to actually prevent the problem then to at least have some ground to hold people accountable other than accusations of people should know better.
I don't know what it is about the current environment but it pains me to see people get the life sucked out of them for sharing code and making the world a better place. It's also equally disheartening to see prominent open source contributors essentially close their social media because they're constantly hounded by entitled "community" members and trolls.
> There are too many NPM packages, and worse, too many people quick to add as many dependencies as possible, resulting in crazy dependency trees that you should never actually see in the wild. Additionally, it seems to only be in the node ecosystem that you see single authors with hundreds of packages. Why they do this, I do not know...
Nah it's less about the standard library and more about the fact that Javascript doesn't have dead code removal so keeping a package small is one way to ensure you aren't pulling in code you aren't going to use.
Of course the failure mode here is that you if you still choose a batteries included framework. (i.e. Angular, or a React powered framework) you end up pulling in a whole bunch of code you don't use and the list of dependencies is unmanageable. But because javascript was born in the browser and most javascript still has to be shipped to a browser it has constraints most other languages do not.
Maybe the most popular small libraries should be merged together into a single library that can be used to reduce the number of dependencies, in the hope it can become a standard. Like a jQuery for npm.
"Since the early days of node/npm, sharing commit access/publish rights, with other contributors was a widespread community practice. https://felixge.de/2013/03/11/the-pull-request-hack.html open source is driven by sharing! It's great!"
Yes, but, quoting from his post he cites:
"So should you really do this for all pull requests? Probably not. While I've given a large amount of users access to various projects of mine, I'm still looking for:
"Github profile: Does this user stand to lose a reputation by doing something stupid?
"Skill: Based on the patch, do I think the user could be a good developer?
"Usefulness: Is this patch solving a valid problem?"
[+] [-] gwicks56|7 years ago|reply
Seriously, some of the comments blew my mind. Because he built it, he had a responsibility to maintain it forever, and was responsible for everything that happened with that code forever?
Maybe calling free software "Open Source" was a mistake. If something is "free", then you have to accept you may get what you paid for. If you are using somebody else's code, is it their responsibility to look after it years after they have moved on, or your responsibility to make sure it's not full of bugs or malicious code.
[+] [-] aikah|7 years ago|reply
[+] [-] coleifer|7 years ago|reply
I wrote about it, discussing my motivations for open source:
http://charlesleifer.com/blog/your-idea-sucks/
[+] [-] madrox|7 years ago|reply
Seems there is a bit of a "boys will be boys" phenomenon going on.
[+] [-] pmoriarty|7 years ago|reply
To mitigate the risk they have these options:
1 - Don't use the software.
2 - Audit the software themselves before they use it.
3 - Pay someone to do the auditing for them.
Even if they choose options 2 or 3, there's still a chance the some vulnerability of malware could sneak through (especially if they're getting a binary blob or source code written in a language like C that makes obfuscation easy).
But if they choose to use unaudited software, they're playing with fire and shouldn't be surprised if from time to time they get burnt.
[+] [-] B-Con|7 years ago|reply
This conflation is definitely a bad thing. Words with an actual meaning get over-used, simplified, stripped of their original meaning, and then merged. It would be 100% to the detriment of our language if it happens in this case.
Open source does not mean free (as in freedom or beer), free (as in beer) does not mean open source. Free as in freedom almost always means open source.
Side rant: Also, open source doesn't mean "open to contributions". Giving access to the source code does not mean obligation to accept contributions to said source.
[+] [-] mwfunk|7 years ago|reply
I think several decades of Open Source boosterism may have eventually given some people the wrong idea about what it's all about. Two annoying trends I've noticed in the last 10 years:
(1) (what this poor guy seems to be running into) People treating Open Source as anything other than charity from the people who put it out there. The people who make it generally don't owe anyone anything, including the people who use their code. I sometimes see very harsh criticism from people within the community that assumes anyone putting anything out there has to accept all sorts of responsibilities: maintaining a community, keeping on top of bug reports, acting as an integrator for people who want to send in patches, making sure that all packaging and documentation conform to some very high bar and/or specification, etc. Just because somebody puts something out there doesn't mean it has to be a second job for them, and doesn't mean that they are obligated to do anything for anyone, including responding to emails or dealing with bug reports or patches. It's perfectly fine to stop maintaining something after a while, or to just throw code over the wall and never touch it again after it's out there.
(2) (not this case) People treating Open Source as some avenue to professional fame or an eventual source of income. Yeah, that can happen, but it very rarely happens, and it's not a good reason to write it in the first place. This is the result of too many people using business arguments as a fundamental justification for doing Open Source, and people saying stuff like they only hire people who have projects on Github, and only if they like what they see. If someone's primary motivation is fame or money, Open Source is a terrible way to accomplish that. It's possible, just highly unlikely, plus I think it's much less likely to happen if that's someone's goal from the outset.
[+] [-] Y7ZCQtNo39|7 years ago|reply
A more mature project will have a 4-figure number of dependencies.
Things like Node Security Platform (which was absorbed by NPM) exist for a reason. There's no reason for every person to vet every single package they use -- it'd be an awful lot of duplicated energy.
If there was no implicit trust in the community, and we had to act as vigilant as you describe, there would be no community.
[+] [-] tathougies|7 years ago|reply
[+] [-] sytelus|7 years ago|reply
[+] [-] type0|7 years ago|reply
Since no one seems to care about the freedom aspect of it, maybe we could rename it to "fee software" - give it away for free and encourage everyone to contribute with time and money. Will people stop being selfish because we changed the name? I don't think so.
[+] [-] jxramos|7 years ago|reply
> I've shared publish rights with other people before. Of course, If I had realized they had a malicious intent I wouldn't have, but at the time it looked like someone who was actually trying to help me.
Can anyone cite perhaps a handful of examples where this malicious open source usage ultimately bit them?
[+] [-] AsyncAwait|7 years ago|reply
[+] [-] vernie|7 years ago|reply
[+] [-] bendmorris|7 years ago|reply
Then it was, clearly, negligent of him to give it to this person. He gave a stranger the power to do things in his name.
He doesn't have to maintain the project forever - it seems like a much easier solution is: don't give away a project with your name on it to someone you don't know. Instead, encourage them to fork and release a new version under their own name. This is a surefire way to never have an exploit spread to thousands of people with your name on it.
[+] [-] bit_logic|7 years ago|reply
https://github.com/dominictarr/event-stream
Look at that URL. It has "dominictarr" in it. Now click on the URL. Look at the big "dominictarr/event-stream" in the upper left of the screen.
Many are going to conclude that this package belongs to dominictarr. Almost everything in the UI indicates this.
Developers don't trust code, they trust people and organizations. NPM and Github needs to make it very clear when ownership has changed. And needs defaults that properly inform all users when ownership has changed. For example, when I SSH into a server the first time, it asks if I trust the key. Then one day, what if it asks again? Then I can stop and investigate why the key has changed, what's going on, and if I should trust it again.
With the current NPM/Github there's no warning to users. A developer could've checked dominictarr's background and decide they are trustworthy, which would then extend to event-stream as well. But where's the warning to users when ownership of event-stream has changed and they need to re-evaluate whether to trust the new owner? And why does it look like the project still belongs to dominictarr when it actually doesn't? Those are the key issues here.
[+] [-] trickstra|7 years ago|reply
well the code doesn't write itself, so partially true. But ultimately it's about accountability. If Dominic himself added the backdoor, his presence in the community would end that day. If an anonymous alias does that, we don't even know who to blame. Dominic's fault is not the backdoor, but the irresponsibility of handing over a used package to an anonymous alias. Not being clear about the fact that the package is abandoned. I wouldn't depend on an abandoned package, if I knew that.
[+] [-] always_good|7 years ago|reply
You pitch a really good one: Any time you npm update/install, display ownership changes (especially compared to your prev version).
Another one is to show the source code on the NPM website itself instead of hiding it in a tarball. NPM basically trains people to assume the published code == the code at the linked repository. It's a hacky honor system that only helps attackers.
[+] [-] codezero|7 years ago|reply
At least, it seems that way to me. If I were ever in a burdensome positioning of maintaining a package I didn't want to maintain, I'd go for the explicit archive/sunset route. At that point if someone wants to fork and re-package, they can do it, but it won't mess with anything directly downstream immediately.
[+] [-] danso|7 years ago|reply
He's obviously a prolific and generous author, but that experience also means he's very aware about real-world practices (especially in the npm ecosystem) to know that ceding control of a popular library, without taking any precaution, has the potential to put a significant number of users at risk. Should the users be less complacent? Sure, but that's not currently the world we live in, and the author is not ignorant of that.
If an experienced electrician volunteers his time to a homeless shelter, and decides to quit halfway through a rewiring project, it's his right to quit whenever. But the manner in which he leaves the project is also important. There's a huge difference between:
- Confronting the shelter manager and saying "Hey, I can't do this anymore, and you get a professional ASAP to fix my work because I can't guarantee that I've properly grounded everything"
- Exchanging pleasant goodbyes with the shelter staff, and not giving them any reason to worry about what you may or may not have done.
The latter situation is akin to a silent failure -- even stomping off the job and telling the shelter to go fuck themselves is ultimately preferable, since the shelter staff at least are very aware that your work may be dangerously unfinished. While you may not be liable if anyone gets shocked/electrocuted from your leftover work, that doesn't mean the shelter staff are obligated to not grumble and warn anyone else who might be relying on you for volunteer work.
edit: that said, I don't have a major objection to the author's response, as submitted here. I was referring to people who think that any significant criticism is unwarranted, just because the work is free. The author, to his credit, made a decently detailed reply and continues to make thoughtful responses.
[+] [-] mehrdadn|7 years ago|reply
[+] [-] FakeComments|7 years ago|reply
- Tell the manager you will no longer be doing any work.
- Not tell the manager you’re quitting and replacing yourself with a random stranger from Home Depot who seems interested.
It’s not wrong for the electrician to quit, especially when volunteering, but it’s wrong not to properly notify people and to just let a random stranger take your place without notice.
[+] [-] notacoward|7 years ago|reply
This is still better than the situation with proprietary software, but problems like these are kind of inevitable in an ecosystem where people typically write 5% of the code themselves and blindly pull in the other 95% from who knows where via unchecked package dependencies.
[+] [-] wtracy|7 years ago|reply
[+] [-] pmoriarty|7 years ago|reply
Despite all this, I have open sourced a couple of things here and there. Little things. Things that virtually no one ever used, as far as I know. But once I did get a very polite feature request from someone on something that I'd moved on from, so I told them I wouldn't do it.
That was more than a decade ago, and I still think about it and feel kind of guilty for not doing it.. even though I know I have nothing to feel guilty about.
I can imagine being the author or maintainer of a popular package must be like this times a thousand. You have to put up with so much negativity and pressure from people who demand you do work for them for free.
I feel for these people. Anyone who spends even the smallest fraction of their life to give a gift to the world does not deserve anything but praise from those who benefit from it.
[+] [-] type0|7 years ago|reply
You wouldn't know, when learning every help and every practical example can be useful. I understand that not everyone likes to learn by reading someones code but it can be invaluable especially for students in places where books are prohibitively expensive compared to the living standards. You're doing good deed, even if it's just small things, but make sure to document it properly.
[+] [-] madrox|7 years ago|reply
Ultimately, you can't take dependencies for granted.
[+] [-] bendmorris|7 years ago|reply
The problem is that JS dependencies are so modular that shifting the burden to vet your dependencies to developers is generally not realistic. Creating a new project with one of the current popular frameowrks will bring in hundreds or thousands of dependencies. Who can possibly vet that?
To compound things, this package could be a transient dependency of a transient dependency, so I may not even know the person who decided to depend on it in the first place, or the reason why, or what the package does.
It's not that people are taking dependencies for granted - it's that there is no reasonable alternative.
[+] [-] Too|7 years ago|reply
[+] [-] kylecordes|7 years ago|reply
This happens to a far lesser extent for people who adopt a project later to become an ongoing maintainer.
A project might have an originator who works hard for six months, and rewarded forever, and some maintainers who work hard for six years and gets very little reward.
Out of respect for many people who do great work, I will not name names. :-)
[+] [-] davej|7 years ago|reply
It's almost impossible to vet every sub-sub dependency of a large codebase without dedicating huge resources. Perhaps there needs to some sort of a javascript code signing standard that requires a level of user identity verification. This is a solved problem with Authenticode and Gatekeeper for executables on Windows/Mac. We have been able to hide behind the fact that we're devs (we know what we're doing!!), but many consumer-level applications (mainly Electron-based) now run node modules with user-level (or higher) permissions. Maybe we need to become a bit more diligent in this area and look at less ad-hoc ways of managing dependencies and identity verification.
[+] [-] jeswin|7 years ago|reply
We should look to fix these:
- If we're going to rely on hundreds of packages per project, we need fine grained security like Android or iOS. deno seems to be doing node right - https://github.com/denoland/deno/issues/171
- Lock down versions for now. Use 1.2.1 instead of ~1.2.1 or ^1.2.1.
- If npm must remain at the center of node's module system, they might have to add auditing and approval tools. 'npm install' can warn about unaudited modules. The problem with that is that it will make npm (a business) even more central to the node ecosystem - which may not be a good thing.
[+] [-] raphlinus|7 years ago|reply
In an ideal world, the payment would go to people who actually create open source value. However, I'm cynical enough about human nature and business to suspect that it will mostly go to middlemen like record distributors and academic publishers, who create very little actual value but somehow make themselves indispensable in the ecosystem.
[+] [-] _nalply|7 years ago|reply
Summary:
1. Mark as deprecated
2. Change the name by adding "-archived"
3. Turn off Github issues
4. Give away ownership if there is at least a mini-community
[+] [-] ship_it|7 years ago|reply
[+] [-] preommr|7 years ago|reply
It would seem like common sense to let something die and let any new interested maintainers fork the project thank to just wantonly hand it over to a complete stranger. But I could easily see someone getting into the habit of trusting people and not thinking about it too much.
Maybe a combination of better guidelines, some kind of code of ethics along with better means of communicating these changes through npm would've helped this issue a lot more. If not to actually prevent the problem then to at least have some ground to hold people accountable other than accusations of people should know better.
[+] [-] unknown|7 years ago|reply
[deleted]
[+] [-] runarberg|7 years ago|reply
https://npm.community/
[+] [-] flocial|7 years ago|reply
[+] [-] Domenic_S|7 years ago|reply
Because javascript has a weak standard library.
[+] [-] zaphar|7 years ago|reply
Of course the failure mode here is that you if you still choose a batteries included framework. (i.e. Angular, or a React powered framework) you end up pulling in a whole bunch of code you don't use and the list of dependencies is unmanageable. But because javascript was born in the browser and most javascript still has to be shipped to a browser it has constraints most other languages do not.
[+] [-] PhilWright|7 years ago|reply
[+] [-] brians|7 years ago|reply
[+] [-] gumby|7 years ago|reply
[+] [-] nkkollaw|7 years ago|reply
I guess just let it rot and tell people to fork.
[+] [-] ptx|7 years ago|reply
Yes, but, quoting from his post he cites:
"So should you really do this for all pull requests? Probably not. While I've given a large amount of users access to various projects of mine, I'm still looking for:
"Github profile: Does this user stand to lose a reputation by doing something stupid?
"Skill: Based on the patch, do I think the user could be a good developer?
"Usefulness: Is this patch solving a valid problem?"
[+] [-] carapace|7 years ago|reply