Comment by bananamerica
7 years ago
I don't have any reason to doubt the truth and logical consistency of either Rich's post or your reply. The problem is not the logic, it's the rhetoric. For anyone out of the loop, he sounds like an interstellar douchebag. And, because the article is public, this can become a problem.
In my experience there are two kinds of people. Those who focus on tone and delivery, and those who focus on content and consistency.
The former will remain exceedingly polite, up to and including the part where they tell you to go f yourself.
The latter are the ones you can actually depend on in a crisis, because they won't be busy playing social games to cover their own behind.
I'd argue that if someone is seen as a giant douche because they won't automatically cater to someone's sensibilities, that's a sign of a real douche, who is so used to being marketed to and "handled", that fair, reciprocal treatment is experienced as rudeness.
That is the gap between the kind of culture open source used to have, and what some want to turn it into today, and which is often incorrectly dismissed as a lack of civility.
Civility is that which allowed civilization to form, not what passes for it once others have already done the work. If that is a problem, it's because it's been manufactured into one on purpose.
> Those who focus on tone and delivery, and those who focus on content and consistency.
This is a false dichotomy. The overwhelming majority of people care about both. When your tone and delivery are insulting or diminishing to them, they see it and react to that too; those who don't tend to end up bullied and disrespected.
Also, people who don't care about tone and delivery quite often backstab. Just like they don't care about others while there is no crisis, they care even less when a crisis is there.
> For anyone out of the loop, he sounds like an interstellar douchebag. And, because the article is public, this can become a problem.
I'm out of the loop and didn't get this sense at all. His points seemed fair enough to me. There's way too much entitlement evident amongst people who use, and sometimes even contribute to, OSS[1]. It gets frustrating, and Rich has explained why.
[1] I've never been a maintainer of a popular OSS project, and don't want to be, but a few years ago I was a custodian for a relatively popular free (as in beer, not as in speech) tool, and we'd often get emails from users acting like we owed them something.
I’m not in any loop and nothing about the post came across as douchey. In fact, it seems many people need to be reminded about who is responsible for putting open source code in any project especially after reading the disgustingly entitled comment thread on the recent nodejs security issue.
You think it's disgustingly douchey for people to be dismayed that software from a trustworthy dev was turned over to someone who turned it into malware?
The dev isn't responsible for the giant mound of stupid that is npm but we all have to take the world as we find it or fix it.
In the context of the world as it is, where projects' deps have deps having deps, and where the practical protection against a developer's machine getting pwned and eventually millions of users getting pwned is more or less developers checking to ascertain that a given library is by Bob who works for Google and not lame hacker number 2388, it's poorly considered to hand over libraries to people you have no reason to suppose are trustworthy. A reasonable person could suppose that might not end well for a multitude of projects where 182 deps of deps of deps aren't vetted again per point release, because in practical fact it's impractical to do so, while it is very practical for individual authors to not transfer control of names and to publish info about their authorship.
Unlike never updating, or expecting individual orgs to vet 182 deps written by anon people with every bump. So a reasonable person ought to do their best to make the workflow that might have some hope of working, work.
If you didn't want ANY responsibility whatsoever you could have not published it globally.
Anyone who imagines that responsibility is merely transactional, that it only attaches when money changes hands, has literally missed the majority of human civilization, including the more recent parts where people who give away free food are still expected to wash their hands, get food handlers' cards, practice food safety, pass inspections, etc. You aren't required to provide a vegan or kosher option or even make good food, but you can't behave maliciously or negligently.
Given how projects are actually used by virtually everyone, the author's actions appear negligent. Given that the hypothetical bad actually already happened, it appears that judgement is irrefutable.
You are your brother's keeper whether you want to be or not. Software isn't special; it works like every other civilized endeavor. Wash your hands and don't scratch your ass, please.
In the context I work in, I expect external software to be audited when incorporated into a project. It should be a significant decision backed by clear rationale to depend on someone else's code, not simply a convenience because we're all lazy devs. I review diffs when updating library versions and guide people to prefer writing in-house solutions over including pop-software libraries. I hold my team accountable for the software they produce. I don't disagree that everything works better when we all play nice, but I also don't agree with deflecting the blame when your software is compromised, because it doesn't actually solve the problem and allows the same poor habits to continue unchecked. If you don't understand a dependency enough to implement it yourself were it to disappear or break, you shouldn't be using it.
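The comment above describes reviewing diffs when bumping library versions, and an earlier comment points out that transitive deps are rarely re-vetted per point release. The script below is an added example, not code from any commenter or from the event-stream project: it compares two package-lock.json snapshots (lockfile format v2/v3, where `packages` is keyed by install path) and lists what a bump actually changed, so the reviewer sees new transitive packages and republished tarballs, not just the one line in package.json. Both lockfiles and every package name, URL and integrity value in them are constructed for the demonstration; a flat `node_modules/` layout is assumed when tracing what pulled a package in.

```javascript
// Constructed "before" lockfile: one direct dependency with one transitive dependency.
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "stream-utils": "^1.2.0" } },
    "node_modules/stream-utils": {
      version: "1.2.0",
      resolved: "https://registry.example.invalid/stream-utils/-/stream-utils-1.2.0.tgz",
      integrity: "sha512-AAAA(constructed)",
      dependencies: { "tiny-through": "^2.0.0" },
    },
    "node_modules/tiny-through": {
      version: "2.0.0",
      resolved: "https://registry.example.invalid/tiny-through/-/tiny-through-2.0.0.tgz",
      integrity: "sha512-BBBB(constructed)",
    },
  },
};

// Constructed "after" lockfile: the direct dependency moved one patch version and now
// pulls in a package that was never reviewed; an unchanged version also has a new hash.
const afterLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "stream-utils": "^1.2.0" } },
    "node_modules/stream-utils": {
      version: "1.2.1",
      resolved: "https://registry.example.invalid/stream-utils/-/stream-utils-1.2.1.tgz",
      integrity: "sha512-CCCC(constructed)",
      dependencies: { "tiny-through": "^2.0.0", "extra-helper": "^0.1.0" },
    },
    "node_modules/tiny-through": {
      version: "2.0.0",
      resolved: "https://registry.example.invalid/tiny-through/-/tiny-through-2.0.0.tgz",
      integrity: "sha512-DDDD(constructed)", // same version string, different tarball
    },
    "node_modules/extra-helper": {
      version: "0.1.1",
      resolved: "https://registry.example.invalid/extra-helper/-/extra-helper-0.1.1.tgz",
      integrity: "sha512-EEEE(constructed)",
    },
  },
};

// Build a reverse map: install path -> paths of the packages that declare it as a
// dependency, so an added transitive package can be traced to what pulled it in.
function dependents(lock) {
  const result = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    for (const depName of Object.keys(meta.dependencies || {})) {
      const depPath = "node_modules/" + depName; // flat layout assumed (hypothetical simplification)
      if (!result[depPath]) result[depPath] = [];
      result[depPath].push(path === "" ? "(root)" : path);
    }
  }
  return result;
}

function nameOf(path) {
  return path.replace(/^node_modules\//, "");
}

// Compare two lockfiles and return review findings. "alarm" marks a package whose
// version did not change but whose resolved tarball or integrity hash did: a version
// pin cannot catch that, only the recorded hash can.
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const pulledInBy = dependents(newLock);
  const findings = [];

  for (const [path, n] of Object.entries(newPkgs)) {
    if (path === "") continue;
    const o = oldPkgs[path];
    if (!o) {
      findings.push({ level: "review", kind: "added", name: nameOf(path), version: n.version, via: pulledInBy[path] || [] });
    } else if (o.version !== n.version) {
      findings.push({ level: "review", kind: "version-change", name: nameOf(path), from: o.version, to: n.version });
    } else if (o.integrity !== n.integrity || o.resolved !== n.resolved) {
      findings.push({ level: "alarm", kind: "same-version-different-content", name: nameOf(path), version: n.version });
    }
  }
  for (const [path, o] of Object.entries(oldPkgs)) {
    if (path !== "" && !newPkgs[path]) {
      findings.push({ level: "info", kind: "removed", name: nameOf(path), version: o.version });
    }
  }
  return findings;
}

// Human-readable summary, alarms first, for the reviewer of the version bump.
function formatReport(findings) {
  const rank = { alarm: 0, review: 1, info: 2 };
  return findings
    .slice()
    .sort((a, b) => rank[a.level] - rank[b.level])
    .map((f) => {
      if (f.kind === "added") return `[${f.level}] added ${f.name}@${f.version} via ${f.via.join(", ")}`;
      if (f.kind === "version-change") return `[${f.level}] ${f.name} ${f.from} -> ${f.to}`;
      if (f.kind === "removed") return `[${f.level}] removed ${f.name}@${f.version}`;
      return `[${f.level}] ${f.name}@${f.version} unchanged version but different tarball/integrity`;
    })
    .join("\n");
}

console.log(formatReport(diffLockfiles(beforeLock, afterLock)));
```

In a real review the two inputs are the committed lockfile and the one produced by the bump; the point of the "alarm" class is that a tarball republished under an existing version number is invisible in package.json and only shows up in the recorded `resolved`/`integrity` fields.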
> recent nodejs security issue.
Uh-oh. I hadn't been aware of this. Do you have a link, please? (Quick google didn't help much.)
It's possible that they're referring to this crypto-currency backdoor that was slipped into the event-stream dependency?
https://github.com/dominictarr/event-stream/issues/116
Edit: it attempts to steal crypto-currency; it doesn't mine it.