People are getting a bit entitled as to what an open source maintainer has to do for them.
It seems that way? To me, it seems like a reasonable response to how many people treat any kind of volunteer-led effort.
For example, I help mod a fairly popular subreddit, r/cscareerquestions. Now, we don't have a problem with people suggesting changes to sub rules or have meta discussions and even complaints. No community is perfect, the mods certainly aren't, etc.
However, the vast majority of complaints are of the completely useless variety. They're the vague one-liners -- "this sub used to be good, and is now bad for generic reasons I will not elaborate on" -- that usually have no clear basis in reality, nor any practical solutions even to the extent they're true.
And when I try to earnestly engage with people who have the most upvoted complaints, 95%+ of the time, there's nothing there. Probably half the time they just don't respond, half the remaining time they just loose another snipe or parting shot before disappearing, and most of the rest is something in the set of {doesn't actually happen/no evidence; assumes everyone agrees with them; problem is actually well-diagnosed but the proposed solutions are laughably naive}. The number of complaints or suggestions that are meaningfully actionable is very, very low.
What I've found looking at other subs and ours, is that generic complaints about sub quality and mod team actions are a quick and easy way to upvotes, but it's rare for someone to actually be well-informed on the topic and have actually thought through the problem and solutions they suggest.
So when Rich says, "Did you know that most patches/issues have poor problem statements, no description of the plan (read my code!), no consideration of alternatives, no tests, no designs, and are ill-conceived and/or broken in some way?" that doesn't surprise me in the least. Even when people nominally want to contribute, they usually don't seem to try very hard. For me, it's gotten to the point where I'm writing a guide for subreddit criticism and suggestions to try and improve the quality of the complaining.
tl;dr - even when something is reasonably well run by volunteers, people love their low-effort gripes and snipes
But honestly the stakes are higher than video games. If you go around advertising your package, get people to depend on it, then compromise them later, that's malpractice on your part. That isn't how society runs so it's rather obvious when people get mad that there's a landscape full of anarchy when it should look more like modern civilization.
Like it or not, npm and the node community has not prioritized its reputation. And the mechanisms that keeps bad operators out of npm open source rely on a relatively small company considering the actual business livelihood that relies on npm integrity. It means the community is okay with continuing to use npm, and that means that the community doesn't have a healthy way to maintain itself and build trust. It's going to rot, I think (and hope). It's just going to be a bunch of tribal nomads moving from project to project until someone social engineers a compromise and they're off to find another huge dependency graph again.
At the very least, Clojure is telling people what it's about upfront.
Other package managers are not immune to this, btw. npm is just often the whipping boy.
The former will remain exceedingly polite, up to and including the part where they tell you to go f yourself.
The latter are the ones you can actually depend on in a crisis, because they won't be busy playing social games to cover their own behind.
I'd argue that if someone is seen as a giant douche because they won't automatically cater to someone's sensibilities, that's a sign of a real douche, who is so used to being marketed to and "handled", that fair, reciprocal treatment is experienced as rudeness.
That is the gap between the kind of culture open source used to have, and what some want to turn it into today, and which is often incorrectly dismissed as a lack of civility.
Civility is that which allowed civilization to form, not what passes for it once others have already done the work. If that is a problem, it's because it's been manufactured into one on purpose.
I'm out of the loop and didn't get this sense at all. His points seemed fair enough to me. There's way too much entitlement evident amongst people who use, and sometimes even contribute, to OSS[1]. It gets frustrating, and Rich has explained why.
[1] I've never been an maintainer of a popular OSS project, and don't want to be, but a few years ago I was a custodian for a relatively popular free (as in beer, not as in speech) tool, and we'd often get emails from users acting like we owed them something.
Uh-oh. I hadn't been aware of this. Do you have a link, please? (Quick google didn't help much.)
I tend to agree with this. I've always had a great deal of sympathy with OSS devs and maintainers, but if you've gone out of your way to evangelise people onto your platform (OSS or otherwise), then leave them high and dry, resulting in a load of complaints/bitterness, you have to bear at least some of the responsibility for that outcome.
This is false dichotomy. Overwhelming majority of people care about both. When your tone and delivery is insulting or diminishing them, they see it and react to that too - those who don't tend to end up bullied and disrespected.
Also people who dont care about tone and delivery quite often backstab. Just like they dont care about others while there is no crises, they care even less when crisis is there.
https://github.com/dominictarr/event-stream/issues/116
Edit: it attempts to steal crypto-currency; it doesn't mine it.
I'm not sure how much he advertised it.
This is part of the problem I have with things like npm, cargo, etc.
They defaults are set to try to suck up your work and get you to make it public.
Consequently, semi-useful things get loose probably long before people intended them to and probably long before people realize how much work they just signed up for.
The dev isn't responsible for the giant mound of stupid that is npm but we all have to take the world as we find it or fix it.
In the context of the world as it is projects deps having deps having deps where the practical protection against a developers machine getting pwned and eventually millions of users getting pwned is more or less developers checking to ascertain that a given library is bob who works for google and not lame hacker number 2388 its poorly considered to hand over libraries to people you have no reason to suppose are trustworthy. A reasonable person could suppose that might not end well for a multitude of projects where 182 deps of deps of deps aren't vetted again per point release because in practical fact its impractical to do so while it is very practical for individual authors to not transfer control of names and publish info about their authorship.
Unlike never updating or expecting individual orgs to vet 182 deps written by anon people with every bump so a reasonable person ought to do their best to make the workflow that might have some hope of working work.
If you didn't want ANY responsibility whatsoever you could have not published it globally.
Anyone who imagines that responsibility is merely transcriptional that it only attaches when money changes hands has literally missed the majority of human civilization including the more recent parts where people that give away free food are still expected to wash their hands, get food handlers cards, practice food safety, pass inspections etc. You aren't required to provide a vegan or kosher option or even make good food but you can't behave maliciously or negligently.
Given how projects are actually used by virtually everyone authors actions appear negligent. Given the hypothetical bad actually already happened it appears that judgement is irrefutable.
You are your brothers keeper whether you want to be or not. Software isn't special it works like every other civilized endeavor. Wash your hands and don't scratch your ass please.
And yes, it's users' responsibility to decide what code they trust. But "I trust developer/organization X" is a reasonable way to decide that, and auditing every single release is far, far more expensive. I'd be betraying their trust if I let a complete stranger release an update in my name.
"You put at risk millions of people, and making something for free, but public, means you are responsible for the package."
"There is a huge difference between not maintaining a repo/package, vs giving it away to a hacker (which actually takes more effort than doing nothing), then denying all responsibility to fix it when it affects millions of innocent people."
Where do these people get off?