Open Source is one person

Guys say it with me: vendor your packages! VENDER YOUR PACKAGES!

Yet still hype leads people to believe in single proprietor billion dollar software companies are just around the corner.

> And while most people don't prepare for war while choosing their packages, it's not unreasonable for a military to do so. During a war, the ability for people to govern themselves and their own projects often changes dramatically, even in democratic countries. It is entirely routine for countries to require cooperation by the force of law in war time, even the US can and has forced private companies to cooperate with war efforts. This is probably not in the security posture calculation for most of us. But it is for some.

Reading this I'm really hoping the DOD maintains mirrors of GitHub projects that are vital to them.

Still, we had a lot of security issues of people injecting themselves into these one-man projects.

It is ridiculous to force these people to do anything because you were to lazy to build the foundations of your infrastructure yourself, especially if you care about self-reliance.

Huh? The DoD would not have used the package if they hadn't read every line, locked it down for updates, and were ready to patch it themselves if needed. Can you really imagine in a war they'd be like "damn, if only there were a second person we also don't trust at all to do this work for us cause otherwise we'd just be SOL"

I didn't see it explicitly stated, but I think it supports the "overworked" part of this statement:

> Open source, the thing that drives the world, the thing Harvard says has an economic value of 8.8 trillion dollars (also a big number). Most of it is one person. And I can promise you not one of those single person projects have the proper amount of resources they need. If you want to talk about possible risks to your supply chain, a single maintainer that’s grossly underpaid and overworked. That’s the risk. The country they are from is irrelevant.

It depends. More common than getting hit by a bus is that the maintainer loses interest, or doesn't have the time to put into it anymore. When that happens I've seen all of the following happen:

* Someone forks the project, and eventually the fork replaces the original

* Another, possibly new, project that fills the same niche becomes more popular, and eventually replaces most usages of the first project.

* The original maintainer hands off maintenance to someone else.

* People keep using it, even though it is no longer maintained, and maybe make their own forks to fix issues they have, but none of the forks really catch on

One of the strengths of OSS is that if the developer disappears, or goes rogue, or changes the license terms, someone can fork the project and keep it going. With proprietary software, if the company (or individual) who makes it disappears, or decides to discontinue it, or change the terms to something unacceptable, you are just out of luck. Hopefully, you can find a competing product that meets your needs.

I would love to see a diligently researched episodic series, every episode covering the transition of a popular open-source library/tool/app/site from one maintainer to the next.

And that's why I don't run Netflix.

Here is one data point.

I bought ASIO Link Pro (software) something like 10 years ago to help route virtual audio devices on my system. The author sadly died and eventually the license key server went offline rendering it unable to start. His nephew looked into it and eventually made the tool free after a year or 2.

I stopped using it after the license server went offline because I still had to record videos. I ended up solving my problem with hardware, but that tool was extremely helpful when I used it for years. It was around $40 at the time. It's one of the few pieces of software I've purchased and felt really happy about it.

Closest example I could think of would be Hans Reiser/Reiserfs. It's a more sordid story than just getting hit by a bus, though. Ultimately the project just died.

I don't know about any broader statistics, but in my personal experience, I see all three of those. I think it's mostly a function of how large the user base is, how complicated the code base is, and whether or not there are any substitutes.

I think this is one thing that people fail to consider: if the code is open source, though it may take time to understand, worst case scenario you can just fork it.

The ones that come to mind are

- Hans Reiser, maintainer of ReiserFS. I think very few people use ReiserFS these days.

- Ian Murdock, creator of the Debian distribution. Debian lives on, but the project was also set up specifically to distribute maintenance.

- Jim Weirich, creator of the Rake build tool. I'm not a Rubyist so I don't know how it was affected, but I assume it's such a big part of Ruby other people took over.

- Peter Hintjens, co-creator of ZeroMQ. From what I understand, Hintjens was never the main developer but an active promoter. The project lives on as far as I know.

- Terry Davis, creator of TempleOS. I think development on TempleOS stopped.

If it's open-source, and the original breaks for any reason, it's typically forked and continues life. See: Redis (recently).

Unless something changes in the underlying infrastructure, most packages don't need active maintenance after achieving their objective.

If there is a major change (e.g., Python 3, React Native new arch), they are replaced/forked.

When Bram passed away Vim was passed on to the core maintainers there.

software once "perfected" (working well enough long enough) needs NO maintenance. No cleaning. No calibrating/tunning.

updating is a systemic issue, not a per-project matter

This is the exact reason I decided to avoid 11ty for my personal website and instead went with Jekyll [0].

[0] https://github.com/11ty/eleventy/graphs/contributors

Why?

The DOD is one of the world's largest organizations. There are people there who do things like publish newsletters and put up webpages for people like boy scouts to arrange tour bases. It is totally fine to use Node for things like that.

Those systems are not connected to the systems that fire missiles. If the sign up page for the 4th of July fireworks announcement gets vandalized, it isn't really an issue.

The DoD is a huge organization, so I'd guess they use almost everything.

The city of Troy kind of got fucked that one time by free shit.

(Off topic.)

Not only that, but Linus's parents were politically active communists and young Linus was a pioneer (like a boy scout but for communists). His father also lived in Moscow for several years on two separate occasions.

Curious, because just recently he expelled Russian maintainers from the Linux project, just because

Linux is a well supported project with a lot of maintainers and support, it isn't a one-man project by Linus.

> Too bad the notion of completed/finished/done software is very weak.

FWLIW, this simple definition suffices for me: software is complete insofar as it requires no changes to do what its maintainers would like to do with it at the current point in time.

"Complete" software frequently changes to "incomplete" as the desires of the maintainer(s) change(s), and may just as quickly revert to "complete" as changes are made.

This definition does not consider the desires of non-maintainers because there's _always_ at least one such person who wants a given pieces of software to do their one weird thing (which the maintainer(s) will not ever add).

I think it can go both ways... I've definitely copied code into a project more than once. I've also directly written the following line of code into a lot of places, just because of import overhead and convenience when needed.

    const sleep = (ms) => new Promise(r => setTimeout(r, ms));

I also with push for just straight SVG with JSX instead of the massive charting libraries everyone seems to bring in... similar when I seem moment.js ... I don't know why more people don't generate/refer to the resource usage outputs. If anything comes close to the base React or MUI libraries, it gets yanked if at all possible. Or at LEAST load it async and only where necessary.

> capitalism + technology relies on unpaid, voluntary labour

You are falling into the breadtube trap of faulting capitalism for a societal issue that has nothing to do with it. Did capitalism force people to have productive hobbies? Would you prefer a system, other than capitalism, that prevented people from having productive hobbies?

Often times this error relies on the assumption that capitalism is what's preventing us from having an "idealized" version of communism that I've heard aptly described as Gay Luxury Space Communism, where anyone can do anything they want and society just magically pays for it. The problem is that GLSC isn't real, we'd need ~infinite resources to do it.

I personally blame this problem on charities. This is the type of problem that charities and foundations should solve but there is no safeguard for charity money actually going to the charity's cause of action, instead the moment you create any kind of non profit it transforms into Non Profit (inc) and all the money it received goes to (1) professional non-profit people for the job of raising money and redistributing it, (2) shuffled to other non-profits, (3) thinly disguised political activism.

half way down the page:

> So now, let’s look at the number of maintainers for projects with over 1 million downloads this month.

You can frame the "unpaid voluntary labor" as "creative work" and it would start making a whole lot of sense. "Creative work thrives despite being unpaid in capitalist society."

I’d state that as capitalism + technology provides enough surplus money and time that people can work on hobbies

that and, i would argue that npm in particular is filled with lots of small projects and only very few large ones simply by the nature of the ecosystem. it is the wrong place to look. something better would probably be to eg count the contributors on github, or, on npm, analyze project dependencies and distinguish projects that are directly downloaded vs those that are loaded as a dependency. arguably, dependencies can be replaced by the developers of the project using it, so a developer of a dependency disappearing is less dramatic than if you use that project directly.

technically speaking, if you have a large project with many contributors, every contributor is often still only responsible for one small part of the project. linux kernel drivers and subsystems most have their dedicated developers. and very few of them each.

Maintainers and contributors have overlapping but subtly different responsibilities AFAIK.

Maintainers are the ones responsible in the end for the state of the repo while contributors suggest changes.

Even that would be mis-representative... I know of many packages with contributions from hundreds of people, but the bulk of the work was still 1 or 2 primary maintainers based on commits.

It seemed like an advertisement for the incompetence of Hunted Labs to me, from them:

> "This serves as another powerful reminder that knowing who writes your code is just as critical as understanding what the code does"

If who wrote some code matters to you, then your supply chain management is simply insufficient.

Yeah, the subtle way to plant an idea. It's a crime again to a person have "certain nationalities".

Aren't Russian developers on average more susceptible to the "wrench attack" though?

  The title of the register article is completely disgusting

Nearly all The Register articles are clickbaits or rage baits.

Yeah, it is pretty amazing but not surprising. The Register has taken to a certain kind of sensationalism as of late.

I found this interesting:

> "Every piece of code written by Russians isn't automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims," Smith told us in an email. "As a whole, the open source community should be paying more attention to this risk and mitigating it."

Uh, I guess? The nature of open source is supposed to be that the dev provides the effort and the code, and that's where the guarantee stops. It is up to the people who uses it to implement and ensure security. People treat OSS like it is a business product that must have drop-in replacement ready at all times.

The modern nature of development is perhaps my biggest gripe as a professional. There is little care given. Projects begin with importing dozens of other packages and libraries that we never look at, let alone fully understand. And it is normalized.

You are not familiar with how Putin thinks. https://en.wikipedia.org/wiki/Foundations_of_Geopolitics