Comment by tpmoney
1 year ago
Reading the rest of the document doesn't feel very illuminating either. As near as I can tell, the guy who made Nix is apparently also involved in a startup/company that also acts as a contributor of Nix and a distributor of some version of it. There are some concerns over a military contractor that uses Nix and sponsored a recent Con, and some potential conflict of interest between the Nix creator as the head of the Nix project, and that person as an employee of a company allegedly tied to the sponsor.
And then there's a lot of referencing various "bad behaviors", but being honest, those seem the weaker points. Of the two I've looked through the links for, the one about not expanding the commit/PR approval team for CPPNix looks especially like prudent caution in light of what we know about how the xz thing played out recently, and the one regarding a PR that was ignored for "quite a while" reads (as an outsider to all of this) worse for the authors of this open letter. First, if the dates on the PR are correct, "quite a while" apparently means less than 1 day. And while the issue might indeed be something that needs to be reverted, the PR author comes across quite hostile to everyone else trying to understand the use case, and there's a LOT of snark about breaking stable behavior. If this is frustration boiling over from repeated prior experiences, I hope the people the letter is aimed at have that context, because to someone coming in cold, this is a terrible example.
The commit bit isn't about security, it's about control. There is no way open source projects can never give out commit bits again due to xz. And xz doesn't have an active team with multiple people in it so it doesn't really make sense to compare them.
Not sure what you are talking about wrt the dates. Why did you ignore the Meson example? And here is another example: https://mastodon.delroth.net/@delroth/112310645064859357 This is a guy who has implicit authority to veto anything. Sometimes he does so, and sometimes he just comments on something perhaps not necessarily intending to veto it but that is what happens anyway.
Of course it's about control, it's in the name "source control". As an outside observer who only has the links provided available as information, I don't have insight into the actual motivations of the people in question, so without speculating beyond what's been presented, how do I know the people who want and don't have control are the people that should have control? In light of what we know about how the XZ attack happened, I'm not inclined to look unfavorably on project owners being reluctant about expanding who has access to the project's source control, and certainly not when that reluctance is in the face of a coordinated pressure campaign complaining about a lack of speed.
As for the dates, I am talking about this bullet point from the letter, quoted in full:
> puck having to remind him multiple times to even read her PR message at
> all and think about if he could be mistaken
> https://github.com/NixOS/nix/pull/9911#issuecomment-19252073...
> (after eelco ignored the PR for quite a while, also!)
Clicking that link takes us to a PR that was opened on 2024-02-02. The initial response from the Nix author comes 7 minutes later. Puck has multiple back and forths with other members on GitHub, but her next interaction with the Nix author comes the next day on 2024-02-03. This is also the first time in the conversation where she "reminds him ... to even read her PR message". There's a second interaction later that same day during which she does similar, but it's worth noting this is pointing to a different message and appears to be less a "reminder to read" and more re-iterating what they feel is their argument against the Nix author's own arguments. Puck then continues to have back and forth with other commenters, but as of today, there have been no further comments from the Nix author after 2024-02-03, and no further comments from Puck after 2024-02-08.
This hardly to my mind qualifies either as "having to remind him multiple times to even read her PR message at all" or "after eelco ignored the PR for quite a while, also!" So as I said it's a fairly weak claim, and feels more like a "bastard eating crackers" reaction to the PR than an actual showing of poor behavior.
As for the "Meson example", I didn't ignore it. As I stated in my comment, I had at that point read two of the referenced discussions in detail, and thus commented on them. I didn't comment on the "Meson example" for the simple reason that I hadn't read it.
I have read it now, and equally find it confusing.
1) The claim in the letter is that the proposal has "passed RFC, for five years", yet the RFC itself only appears to have been opened on 2022-08-24. It's been a while since grade school for me, and I'll admit COVID has warped all our sense of time, but I'm pretty sure 2022 is not 5 years ago.
2) The first completed working implementation of the change doesn't appear to have been done until 2023-01-18 (https://github.com/NixOS/rfcs/pull/132#issuecomment-13874661...). Again this is much less than 5 years old.
3) On 2023-03-20, the author of the PR for this change states:
> the RFC has made it past most of the early stages and the current goal is to achieve parity with the current buildsystem before replacing it.
(https://github.com/NixOS/rfcs/pull/132#issuecomment-14768433...)
Again, this doesn't seem to fit at all with the claim that the proposal has "passed RFC, for five years"
4) On 2023-11-01, the Nix author themselves asks for updates on the RFC implementation, an action which doesn't seem congruent with someone who is willy-nilly single-handedly blocking things and being a disruption to the process. And the author of the PR states:
>the main block is actually a lack of free time for the main devs!
(https://github.com/NixOS/rfcs/pull/132#issuecomment-17890770...)
This doesn't seem to point to evidence that the Nix author is single-handedly holding up this process.
5) On 2024-03-21 the PR author notes:
> currently working on adding support to build nix-perl, waiting for assistance
(https://github.com/NixOS/rfcs/pull/132#issuecomment-20135356...)
Not to sound like a broken record, but if the issue isn't finished as of a few weeks ago, it can hardly be considered to be held up by the Nix author for 5 years.
I agree that one of the links in the open letter is to a comment on a PR from 2019, which is indeed 5 years ago, and does indeed contain the Nix author commenting that they are skeptical of the change because "he doesn't know meson but knows his own build system". But given that there's an entire wealth of history on the topic since then, including progress on the feature that appears completely unobstructed by the Nix author and an open PR that is a mere 3 weeks old for a current implementation, I find myself again unconvinced of this rampant bad behavior on the part of the Nix author. And I reiterate again that these complaints are very weak and don't do much to support the open letter at best, and act as contrary evidence at worst.
Again there might be other context to be had that is missing, but if one is going to write a massive "open letter" complaining about bad behavior, I expect the links in that letter to point to actual bad behavior, and/or provide the relevant context necessary to show how what appears to be normal dissent is a passive-aggressive continuation of obstruction. I have to assume the links one provides in an open letter are their strongest evidence, and if this is all the authors have... I am unconvinced.
I am also an outside observer but it doesn't look to me as if the Meson issue was never finished, it looks as if it was held up and then new things were added to the main project, and the Meson build had to catch up, several times. This is an open source classic. Rather than the PR I am looking at the Discourse link where it says "@edolstra: Not convinced, knows the old build system but not Meson". Note it doesn't say "Meson is bad" or anything of the sort. This is a classic example of someone who wants to stay in control of something, to do so they need to understand how it works. That doesn't benefit the project, it only benefits the person.
With respect to the xz stuff I simply don't agree. Are we never adding new maintainers to open source projects anymore until xz is no longer top of mind in a couple of years? Note that a commit bit does not imply the ability to make a release in many cases. The complete release can still be done by a smaller group.
>certainly not when that reluctance is in the face of a coordinated pressure campaign complaining about a lack of speed.
The screenshot is from before the xz backdoor so it definitely wasn't top of mind for them. And they (including Eelco) even agreed in a previous meeting to add more maintainers: https://discourse.nixos.org/t/2023-06-02-nix-team-meeting-mi...
It's not about security, it's about being in charge. I don't think the letter is very good, but even before this letter and without ever using Nix, I knew about the Meson PR, and many other things that are taking a very long time in Nix.
I see no real reason to doubt that one guy is holding the project back. You are talking about "rampant bad behavior" but that is not necessary to severely frustrate a project. Simply bad leadership is enough. I don't think the letter means to convey there is rampant bad behavior either. I wonder if there is anything except blatant bullying that would convince you that Eelco needs to relinquish his position.