People are getting a bit entitled as to what an open source maintainer has to do for them.
But honestly the stakes are higher than video games. If you go around advertising your package, get people to depend on it, then compromise them later, that's malpractice on your part. That isn't how society runs so it's rather obvious when people get mad that there's a landscape full of anarchy when it should look more like modern civilization.
Like it or not, npm and the node community have not prioritized their reputation. And the mechanisms that keep bad operators out of npm open source rely on a relatively small company, considering the actual business livelihood that relies on npm integrity. It means the community is okay with continuing to use npm, and that means that the community doesn't have a healthy way to maintain itself and build trust. It's going to rot, I think (and hope). It's just going to be a bunch of tribal nomads moving from project to project until someone social engineers a compromise and they're off to find another huge dependency graph again.
At the very least, Clojure is telling people what it's about upfront.
Other package managers are not immune to this, btw. npm is just often the whipping boy.
I tend to agree with this. I've always had a great deal of sympathy with OSS devs and maintainers, but if you've gone out of your way to evangelise people onto your platform (OSS or otherwise), then leave them high and dry, resulting in a load of complaints/bitterness, you have to bear at least some of the responsibility for that outcome.
I'm not sure how much he advertised it.
This is part of the problem I have with things like npm, cargo, etc.
The defaults are set to try to suck up your work and get you to make it public.
Consequently, semi-useful things get loose probably long before people intended them to and probably long before people realize how much work they just signed up for.
And yes, it's users' responsibility to decide what code they trust. But "I trust developer/organization X" is a reasonable way to decide that, and auditing every single release is far, far more expensive. I'd be betraying their trust if I let a complete stranger release an update in my name.