
The rise of few-maintainer projects

65 points | tosh | 6 years ago | increment.com

35 comments

dustfinger | 6 years ago
> The code, intended to steal users’ bitcoin wallets, had been injected by an unknown developer with the username right9ctrl. That person had gained commit access from event-stream’s author, Dominic Tarr, simply by asking for it. To many angry users, this was the equivalent of opening one’s front door to the first stranger who knocked, then grabbing one’s coat and leaving for the day.

No. A better analogy would be that a weary volunteer potato farmer for a large community garden is approached by a member of that community who also has potato farming skills. The community member tells him that he wishes to take over maintenance of the farm. The weary volunteer accepts the community member's offer and leaves the farm in the new volunteer's hands. The weary farmer returns to his home and pursues other things. Meanwhile, the community's new potato farmer turns out to be malicious. Keep in mind that more than 99% of the time these volunteers just want to give back to the community.

It is nothing like giving up the keys to your home. It is like giving up volunteer work to another volunteer, because that is exactly what it is.

tuesdayrain | 6 years ago
In my opinion the farm analogy doesn't work because you can't fork a farm and continue working where the original left off. In my opinion Dominic should have simply stopped maintaining the package, and maybe added a message stating that the package is no longer being maintained. If someone wants to take over then they would need to fork it. That would force people to consciously switch to the newer forked versions and there would be no surprises about a new maintainer suddenly inserting malicious code.
ploxiln | 6 years ago
That analogy might work with the original formulation of this idea: if someone opens a "big" pull request on a project you are weary of, hand it over. That PR, even without substantial review, can show effort and familiarity, and you could argue there's a really good chance they'll try to be good stewards.

But in this case, it's not "a member of that community who also has potato farming skills", it's an absolute nobody, who you haven't seen doing any farming, or eating, before. It's a big world, there are crazies out there, they show up every once in a while.

And finally, it's the internet, it's not really like anything that came before. You can be more trusting in a small town than in a big city. The internet is 1000 times bigger than the biggest city, it's a whole new kind of thing. If 99.9% of people out there have good intentions, that still leaves millions of people on the internet trying to figure out a way to take advantage of you.

pdonis | 6 years ago
> It is like giving up volunteer work to another volunteer

But without making it clear to anyone else in the volunteer community that that's what you've done. In other words, using your garden analogy, a weary volunteer potato farmer whose potatoes feed a lot of people is approached by another volunteer who wants to take over maintenance of the potatoes. The weary volunteer gives it to him, but doesn't tell any of the people who rely on his potatoes for food. The new volunteer puts a harmful substance in the potatoes and lots of people get very sick, because they thought the potatoes were still being maintained by the first volunteer, who they knew and trusted; they had no idea that the potatoes were now being maintained by a newcomer who they didn't know and whose trustworthiness they had no way to evaluate.

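The silent handoff pdonis describes can at least be detected after the fact from npm's own metadata. What follows is an added example, not code from the thread, from npm or from the event-stream project: it walks a registry packument (the JSON served at https://registry.npmjs.org/<package>), orders the versions by publish time, and flags every version that was published by a different account than the version before it, together with any dependencies that release introduced. The registry really does record the publishing account per version in `versions[v]._npmUser` and timestamps in `time[v]`; the package name, usernames, dates and dependencies in `samplePackument` are constructed sample data, not any real package's history.

```javascript
// Added example (not from the thread, npm or event-stream): audit an npm
// registry packument for versions published by a new account.
// Assumptions: the packument shape is the public registry's
// (`versions[v]._npmUser`, `time[v]`, `maintainers`); all names, dates
// and dependencies below are CONSTRUCTED sample data.

const samplePackument = {
  name: "potato-stream",                                // constructed
  "dist-tags": { latest: "1.0.3" },
  maintainers: [{ name: "new-volunteer", email: "nv@example.invalid" }],
  time: {
    created: "2016-01-01T00:00:00.000Z",
    modified: "2018-11-20T00:00:00.000Z",
    "1.0.0": "2016-01-01T00:00:00.000Z",
    "1.0.1": "2017-03-10T00:00:00.000Z",
    "1.0.2": "2018-11-15T00:00:00.000Z",
    "1.0.3": "2018-11-20T00:00:00.000Z",
  },
  versions: {
    "1.0.0": { version: "1.0.0", _npmUser: { name: "weary-farmer" },
               dependencies: { through: "^2.3.8" } },
    "1.0.1": { version: "1.0.1", _npmUser: { name: "weary-farmer" },
               dependencies: { through: "^2.3.8" } },
    "1.0.2": { version: "1.0.2", _npmUser: { name: "new-volunteer" },
               dependencies: { through: "^2.3.8", "potato-peeler": "^0.1.1" } },
    "1.0.3": { version: "1.0.3", _npmUser: { name: "new-volunteer" },
               dependencies: { through: "^2.3.8", "potato-peeler": "^0.1.1" } },
  },
};

// Order published versions by publish time rather than by version string,
// so a patch pushed to an old release line shows up where it was published.
function publisherTimeline(packument) {
  const times = packument.time || {};
  return Object.keys(packument.versions || {})
    .filter((v) => times[v])
    .sort((a, b) => Date.parse(times[a]) - Date.parse(times[b]))
    .map((v) => ({
      version: v,
      published: times[v],
      publisher: (packument.versions[v]._npmUser || {}).name || "<unknown>",
    }));
}

// Dependencies declared by `toVersion` that `fromVersion` did not declare.
function depsAdded(packument, fromVersion, toVersion) {
  const deps = (v) => Object.keys((packument.versions[v] || {}).dependencies || {});
  const before = new Set(deps(fromVersion));
  return deps(toVersion).filter((d) => !before.has(d)).sort();
}

// One finding per version whose publisher differs from the previous version's.
function auditPackument(packument) {
  const timeline = publisherTimeline(packument);
  const findings = [];
  for (let i = 1; i < timeline.length; i += 1) {
    const prev = timeline[i - 1];
    const cur = timeline[i];
    if (cur.publisher === prev.publisher) continue;
    findings.push({
      version: cur.version,
      published: cur.published,
      from: prev.publisher,
      to: cur.publisher,
      // true when this account has never published this package before
      firstTimePublisher: !timeline.slice(0, i).some((e) => e.publisher === cur.publisher),
      // dependencies introduced in the same release as the handoff deserve a look
      addedDependencies: depsAdded(packument, prev.version, cur.version),
    });
  }
  return findings;
}

console.log(JSON.stringify(auditPackument(samplePackument), null, 2));
```

To run it against a real package, fetch `https://registry.npmjs.org/<name>` and pass the parsed JSON to `auditPackument`. Note what the check does and does not tell you: the top-level `maintainers` array only reflects the current state, so a handoff is invisible if that is all you look at, which is why the example uses the per-version publisher instead; and an unchanged publisher name is no proof the account itself was not compromised.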
0x445442 | 6 years ago
I agree with the sentiment but I think you are being too gracious with your analogy. The long and short of it is that a group of developers was relying on another group of developers to provide software with security concerns for free without vetting the implementation.

I don't know what is more unethical, the backdoor or the blind distribution of the backdoor.

pjc50 | 6 years ago
The event-stream incident shows that npm has restructured the way projects work: rather than an end-user choosing a few pieces of software, each of which has a lot of maintainers, they install a huge number of very small packages each of which has a very small number of contributors. The "unit of contribution" is not a pull request or commit but spawning a new micro-project.

Community management and vetting remain hard problems that aren't fun to volunteer to work on for many developers, so they are neglected.

gtirloni | 6 years ago
And some people are complaining that Python has too many batteries. I'll be happy when I can depend only on the stdlib, which I expect to have a better review process than a thousand random projects.
JetSpiegel | 6 years ago
NPM is an actual company, they are the ones responsible.
chasote | 6 years ago
I'm curious how the new GitHub Sponsors development plays into the one or very few maintainer "issue." My gut instinct tells me it will be an added incentive to keep the governance of such projects small or solo, because how do you deal with distributing the funds over numerous maintainers with vastly different levels of contribution? I guess one could argue that a project valuable enough to attract a large sponsorship would also be too unwieldy for some to handle alone.

But I haven't given that much critical thought and I hate to default towards cynicism immediately after getting presented with a way to help get open source developers some financial support.

skybrian | 6 years ago
I agree, it would tend to encourage a smaller core team and a larger number of unpaid contributors. But this is often a workable model. I don't think most drive-by contributors expect to be paid and that seems... fine?
brian-armstrong | 6 years ago
I suspect that most small projects won't receive much if any funding anyway.
TAForObvReasons | 6 years ago
The problem with this type of analysis mirrors that of Wikipedia:

http://www.aaronsw.com/weblog/whowriteswikipedia

> Almost every time I saw a substantive edit, I found the user who had contributed it was not an active user of the site. They generally had made less than 50 edits (typically around 10), usually on related pages. Most never even bothered to create an account.

Pandas might have had 4 core maintainers as measured by commit count, but the actual work might have a much larger outside influence.

skybrian | 6 years ago
I'm reminded of Wikipedia and drive-by edits. When each repo is so small (equivalent to a single article on Wikipedia, or even less), it seems like they should be part of larger organizations with a bit more bureaucracy and guidance?
josteink | 6 years ago
> When each repo is so small (equivalent to a single article on Wikipedia, or even less), it seems like they should be part of larger organizations with a bit more bureaucracy and guidance?

You mean like publishing a coherent library-package, rather than a million independent function-packages?

We know how to do this, but the Node community just won't have it.

tosh | 6 years ago
Great idea.

Would make sense to pool volunteers for code reviews, similar to what Stack Overflow does for questions, answers, edits etc.

nine_k | 6 years ago
Hmm, review and certification of open-source packages could likely be a business. Something similar to commercial Linux distributions, like RHEL, that test and vet their packages, but not limited to that.