Comment by depr

1 year ago

The commit bit isn't about security, it's about control. There is no way open source projects can never give out commit bits again due to xz. And xz doesn't have an active team with multiple people in it so it doesn't really make sense to compare them.

Not sure what you are talking about wrt the dates. Why did you ignore the Meson example? And here is another example: https://mastodon.delroth.net/@delroth/112310645064859357 This is a guy who has implicit authority to veto anything. Sometimes he does so, and sometimes he just comments on something perhaps not necessarily intending to veto it but that is what happens anyway.

12 comments

depr

Reply
tpmoney  1 year ago

Of course it's about control, it's in the name "source control". As an outside observer who only has the links provided available as information, I don't have insight into the actual motivations of the people in question, so without speculating beyond what's been presented how do I know the people who want and don't have control are the people that should have control? In light of what we know about how the XZ attack happened, I'm not inclined to look unfavorably on project owners being reluctant about expanding who has access to the projects source control, and certainly not when that reluctance is in the face of a coordinated pressure campaign complaining about a lack of speed.

As for the dates, I am talking about this bullet point from the letter, quoted in full:

> puck having to remind him multiple times to even read her PR message at

> all and think about if he could be mistaken

> https://github.com/NixOS/nix/pull/9911#issuecomment-19252073...

> (after eelco ignored the PR for quite a while, also!)

Clicking that link takes us to a PR that was opened on 2024-02-02. The initial response from the Nix author comes 7 minutes later. Puck has multiple back and forths with other members Github, but her next interaction with the Nix author comes the next day on 2024-02-03. This is also the first time in the conversation where she "reminds him ... to even read her PR message". There's a second interaction later that same day during which she does similar, but it's worth noting this is pointing to a different message and appears to be less a "reminder to read" and more re-iterating what they feel is their argument against the Nix author's own arguments. Puck then continues to have back and forth with other commenters but as of today, there has been no further comments from the Nix author after 2024-02-03, and no further comments from Puck after 2024-02-08.

This hardly to my mind qualifies either as "having to remind him multiple times to even read her PR message at all" or "after eelco ignored the PR for quite a while, also!" So as I said it's a fairly weak claim, and feels more like a "bastard eating crackers" reaction to the PR than an actual showing of poor behavior.

As for the "Meson example", I didn't ignore it. As I stated in my comment, I had at that point read two of the referenced discussions in detail, and thus commented on them. I didn't comment in the "Meson example" for the simple reason that I hadn't read it.

I have read it now, and equally find it confusing.

1) The claim in the letter is that the proposal has "passed RFC, for five years", yet the RFC itself only appears to have been opened 2022-08-24. It's been a while since grade school for me, and I'll admit COVID has warped all our sense of time, but I'm pretty sure 2022 is not 5 years ago.

2) The first completed working implementation of the change doesn't appear to have been done until 2023-01-18 (https://github.com/NixOS/rfcs/pull/132#issuecomment-13874661...). Again this is much less than 5 years old.

3) On 2023-03-20, the author of the PR for this change states:

> the RFC has made it past most of the early stages and the current goal is to achieve parity with the current buildsystem before replacing it.

(https://github.com/NixOS/rfcs/pull/132#issuecomment-14768433...)

Again, this doesn't seem to fit at all with the claim that the proposal has "passed RFC, for five years"

4) On 2023-11-01, the Nix author themselves asks for updates on the RFC implementation, an action which doesn't seem congruent with someone who is willy nilly single handedly blocking things and being a disruption to the process. And the author of the PR states:

>the main block is actually a lack of free time for the main devs!

(https://github.com/NixOS/rfcs/pull/132#issuecomment-17890770...)

This doesn't seem to point to evidence that the Nix author is single handedly holding up this process.

5) On 2024-03-21 the PR author notes:

> currently working on adding support to build nix-perl, waiting for assistance

(https://github.com/NixOS/rfcs/pull/132#issuecomment-20135356...)

Not to sound like a broken record, but if the issue isn't finished as of a few weeks ago, it can hardly be considered to be held up by the Nix author for 5 years.

I agree that one of the links in the open letter is to a comment on a PR from 2019, which is indeed 5 year ago, and does indeed contain the Nix author commenting that they are skeptical of the change because "he doesn't know meson but knows his own build system". But given that there's an entire wealth of history on the topic since then, including progress on the feature that appears completely unobstructed by the Nix author and an open PR that is a mere 3 weeks old for a current implementation, I find myself again unconvinced of this rampant bad behavior on the part of the Nix author. And I reiterate again that these complaints are very weak and don't do much to support the open letter at best, and act as contrary evidence at worst.

Again there might be other context to be had that is missing, but if one is going to write a massive "open letter" complaining about bad behavior, I expect the links in that letter to point to actual bad behavior, and or provide the relevant context necessary to show how what appears to be normal dissent is a passive aggressive continuation of obstruction. I have to assume the links one provides in an open letter is their strongest evidence, and if this is all the authors have... I am unconvinced.

  • depr  1 year ago

    I am also an outside observer but it doesn't look to me as if the Meson issue was never finished, it looks as if it was held up and then new things were added to the main project, and the Meson build had to catch up, several times. This is an open source classic. Rather than the PR I am looking at the Discourse link where it says "@edolstra: Not convinced, knows the old build system but not Meson". Note it doesn't say "Meson is bad" or anything of the sort. This is a classic example of someone who wants to stay in control of something, to do so they need to understand how it works. That doesn't benefit the project, it only benefits the person.

    With respect to the xz stuff I simply don't agree. Are we never adding new maintainers to open source projects anymore until xz is no longer top of mind in a couple of years? Note that a commit bit does not imply the ability to make a release in many cases. The complete release can still be done by a smaller group.

    >certainly not when that reluctance is in the face of a coordinated pressure campaign complaining about a lack of speed.

    The screenshot is from before the xz backdoor so it definitely wasn't top of mind for them. And they (including Eelco) even agreed in a previous meeting to add more maintainers: https://discourse.nixos.org/t/2023-06-02-nix-team-meeting-mi...

    It's not about security, it's about being in charge. I don't think the letter is very good, but even before this letter and without ever using Nix, I knew about the Meson PR, and many other things that are taking a very long time in Nix.

    I see no real reason to doubt that one guy is holding the project back. You are talking about "rampant bad behavior" but that is not necessary to severely frustrate a project. Simply bad leadership is enough. I don't think the letter means to convey there is rampant bad behavior either. I wonder if there is anything except blatant bullying that would convince you that Eelco needs to relinquish his position.

    • tpmoney  1 year ago

      >it doesn't look to me as if the Meson issue was never finished, it looks as if it was held up and then new things were added to the main project, and the Meson build had to catch up, several times

      I still don't see evidence that it was "held up" by the Nix author. There's continuous work on it since at least the RFC was filed in 2022, and only recently at a state where both the RFC process is complete, and there's something ready to be merged to the code. The PR in which the Nix author expresses their hesitation does have a comment from 8 days after the PR is filed where the PR author asks whether this is something that's likely to get merged if they keep working on it. They are told they should go ahead and work. There does seem to be a lack of definitive agreement on whether this is going to be merged in the end, but none of that seems to be a case of the Nix author is standing in the way. In fact, they clarify that they're not opposed to the change, just skeptical. In 2021 there appears to be a new flurry of activity, with others expressing their own concerns, but none of that comes from the Nix author themselves. In 2022 the recommendation is that it should be made into an RFC for a full discussion and consensus about how it should be implemented, and the timeline I previously mentioned follows from there.

      Certainly there is delay here, and some people definitely don't seem to have examined what was being proposed in depth, but these are all normal software development things. Nothing in this looks extraordinary for any large project with multiple stakeholders, nor does there appear to be any undue obstruction by the Nix author.

      >Rather than the PR I am looking at the Discourse link where it says "@edolstra: Not convinced, knows the old build system but not Meson". Note it doesn't say "Meson is bad" or anything of the sort. This is a classic example of someone who wants to stay in control of something, to do so they need to understand how it works. That doesn't benefit the project, it only benefits the person.

      Ok, great, they're not convinced. Are they actually holding things up though? If they were someone would have some evidence of this right? And indeed, the actual PR for this is approved for merge as of a few hours ago, with the note that while the Nix author wasn't convinced of it, they also weren't rejecting the proposal. Which is the sort of stuff that happens all the time in large project development.

      To be honest, I'm not quite sure I really understand this "the Nix author has doubts, so we're being obstructed" line of thought. A doubt is not a rejection, it is a doubt. And yes, the Nix author by virtue of being the project owner certainly has the ability to unilaterally stop something from happening, we're not given evidence of that, just them expressing their doubts. If a person expressing doubts about a change, even the project author, is enough to make the open letter writers give up I don't see how they would make better project managers.

      I worked a position once where the VCS system had been converted from ClearCase to Microsoft TFVC just a few months before I came on board because the project lead was an old Microsoft hand and that was what they were familiar with. I advocated for switching to git (or mercurial) and met with similar levels of skepticism. The project leads did not see the benefits, and certainly not so soon after having done a migration. That skepticism did not mean I should simply give up if I felt there were benefits to be gained (and I did), it meant I needed to provide concrete examples of the benefits and why it was worth the effort and churn to make yet another change and for people unfamiliar with DVCS to learn it. So I set up a side, parallel version control that used TFVC as an upstream, recruited a couple developers with a similar interest in making the change and we ran our system in parallel for a few months. We built up the tooling our process would need to make it work, volunteered to take on hard tasks that git made easier, tried a few different git flows to find one that worked for our stack and documented the process, recorded the pain points that other teams had with TFVC and compared those to the pain points we had in git, we built a process for lossless roll back to TFVC if a change to git proved to be a bad move. And once we had better more concrete arguments with real world use to back it up, we made the case again and this time convinced the skeptical people to give it a go. Some even still remained skeptical, and yet the change happened.

      Skepticism is part of working with other people, not everyone will see things the way you do. It's also not obstructionism or bad management for managers to be skeptical. It is part of their job to give a skeptical look over proposed changes to ensure they will bring benefits greater than their costs. If the absolutely mild skepticism of changing build systems expressed by the Nix author is enough to derail that change, then it seems to me the change advocates don't believe the benefits are worth making a stronger case for.

      >With respect to the xz stuff I simply don't agree. Are we never adding new maintainers to open source projects anymore until xz is no longer top of mind in a couple of years?

      This is the second time you've put the same words into my mouth, and I'll take it as a kindness if you would stop doing so. I have never said open source projects should never add new maintainers. That is patently absurd. There is a vast gulf between adding new maintainers every time people complain things are moving too slowly and never adding a new maintainer. This sort of catastrophic interpretation of mild objections and counter points is an unhealthy trend in online discourse.

      >The screenshot is from before the xz backdoor so it definitely wasn't top of mind for them. And they (including Eelco) even agreed in a previous meeting to add more maintainers

      I realize that it's from before the xz backdoor, nor did I mean to imply it wasn't. The phrase "in light of X, Y was a good idea" doesn't necessarily require that X happened before Y, it can also express a hindsight view. In this case the xz backdoor gives us a different perspective after the fact on how eager project maintainers should be to hand out access. As for the previous meeting, it's 8 months prior to the linked discussion in the open letter. So what happened in those 8 months? Did "@edolstra and @fricklerhandwerk" not get in touch with any prior contributors like they said they would? Was no progress made on this in those 8 months or did it come up again in 2024-02 because people felt not enough progress was made? Also the meeting notes say that they thought they could at a minimum use more people triaging, yet the open letter's complaint is that the users were "only" given that triaging access. It seems hardly fair to cite a discussion where a solution was proposed, and then be mad that was the solution taken. Further, it's clear from those meeting notes linked in the letter that there were other options to potentially solve the problem other than just adding more people. Just because one's favored solution isn't chosen doesn't mean the project is being mis-managed.

      >I see no real reason to doubt that one guy is holding the project back. You are talking about "rampant bad behavior" but that is not necessary to severely frustrate a project.

      I do see a reason to doubt that. When an open letter advocates the severing of the owner from the control of their own work, I expect to see a good reason to support such an extreme measure. And let's not delude ourselves here, that is exactly what this letter is asking for, support to strip control of a project from its creator and owner and give it to other people. Whether or not one is happy with how the owner has managed the project, the project is unequivocally their project. Wresting that control away from the owner if it is to be done must be done only on the back of strong evidence that it is both necessary and the correct thing to do.

      When that letter further opens with such charges as "exhibits several corrosive social behaviours that have created a culture that directly led to today’s governance problems, which are an existential risk to the continued viability of the project" and "[leadership] deleterious to the project by him undermining authority of others, by him avoiding giving away authority and thereby disallowing community leadership to develop, by ignoring issues which he relitigates after discussion was done, and by holding undeclared conflicts of interest that pose serious risks to the Foundation and the Nix project as a whole.", then I absolutely expect to see more bad behavior than a number of normal day to day software development disagreements that at worst merely rise to "Simply bad leadership".

      >I wonder if there is anything except blatant bullying that would convince you that Eelco needs to relinquish his position.

      I would think so, but whatever it would be, it would have to be something greater than "simply bad leadership" and that's not this. Maybe the conflict of interests would have been a worthwhile discussion to have, but the letter poisons its own case so badly, I'm disinclined to give the letter authors the benefit of the doubt. They've at best omitted relevant facts and events, linked to inadequate evidence of their charges and at worst misrepresented (whether knowingly or not) the events in question. I have no faith then that they are accurately representing that issue either, and frankly I've already spent more time than I should have so I'm not inclined to spend any more time trying to suss out more fact from fiction.

      Maybe Eelco does need to relinquish their position, but if so, the open letter authors have failed to make that case in any substantial way.