
In the end you're only pressured as much as you allow yourself to be pressured.

"I don't feel like it, if it's important to you then feel free to fork".

That's really all that's needed. "I don't feel like it" is all the justification you need.

Some guy just made a compression tool, because some people like doing that kind of thing, or because it was useful for him. He didn't ask to be made "critical infrastructure" or to be responsible for the security of sshd or to have some business depend on it, or anything like that. No one even asked him.




When it was created, it was a different time. There was a sense of community around open source, much more tightly knit. And the more socially minded you are, the more vulnerable you are to these kinds of attacks.

2007 wasn't that long ago, and these types of maintainership issues aren't new – they were a thing when I was starting out in the early 2000s as well. What changed are the stakes, and also the amount of effort bad actors are willing to spend to mine their cryptoblahblah or whatever.

And sure, I understand why people feel a responsibility. I'm just saying: there is no need to.

The entire point of this Free Software/Open Source is to give people the freedom to do whatever you want with some piece of software, without having to be beholden to the original author. That's pretty much the entire point.

Anyone in the world can be a maintainer for xz. By forking it and applying useful patches.


> 2007 wasn't that long ago

It was almost 20 years ago, and no, I generally agree with the person you're responding to that OSS has changed significantly in these regards since the early-to-middle 2000s.

I'm not even disagreeing with the rest of your take, just poking at this idea that time hasn't passed and changed things. Some days I look around our industry and feel like it's nowhere near the one I was working in before.


2007 was 17 years ago, and it was another world. This time 17 years ago, the iPhone had not been released. Facebook was still new and hot, the first big operation to be unashamedly built on PHP (!). GitHub didn't exist, open source happened on mailing lists, SourceForge, private Subversion repos.

It was definitely another world. I do agree that maintainership issues were already there, but I think they were smaller in number. Between the explosion of projects and the explosion of users, they are now on a different scale.


MySpace, Yahoo! Mail, eBay and probably other large scale operations were all built on PHP long before Facebook and I don’t think any of them were particularly ashamed about it.

I doubt eBay was originally built with PHP - when it was founded in 1995, the very first PHP version had been available for barely 3 months. I expect the original eBay was mostly Perl, which was the standard at the time.

The others I don't know, but MySpace was not a particularly big operation. Before WordPress, most sites started as PHP at some point were expected to migrate to something else, because maintainability of PHP3/4 projects was a big challenge (hence the "shame"). Facebook was the first company that simply refused to do that, and focused on improving PHP instead.



This ignores the very fact that peer pressure works and puts the entire blame on the victim. No, people react differently when pressured vs when not pressured. That's the entire reason why peer pressure works.

I didn't blame anyone; I just made some observations on how this type of thing can be avoided, partly based on my own experience doing volunteer work for the last 20 years (as open source maintainer and as scout leader), and being subject to the same pressures at times.

I hate this trend of shouting "victim blaming!" once someone tries to explain things or analyse anything. Not everything needs to be a value judgement. "X happened, and Y could have prevented it" is not a judgement.


Well, when you say "the victim could just not have succumbed to the pressure" I don't see how that doesn't blame the victim. I understand it's not your intention, but peer pressure works exactly because it gets around people's "wait, I don't actually want to do this" defense, and to say "just don't do it, nobody is physically forcing you to" ignores that fact.

If I were in the maintainer's shoes, and was feeling ambivalent about handing over maintenance to a fairly unknown person, this kind of social attack would definitely push me over the edge, exactly as it was planned to.


Anything can be viewed as a judgement statement if you paraphrase or stretch things enough. I don't think your paraphrasings are a fair representation of what I actually said.

But you can insert "I'm not trying to blame anyone, but here are some suggestions to modify cultural norms so these things are less likely to happen in the future" if you want. Or you can just assume good faith and take that as implied unless demonstrated otherwise.


But what's the advice here? "When people are trying to peer pressure you, don't accept?"

More or less, yes. Also see my other post: https://news.ycombinator.com/item?id=39883598

Also: as far as I'm concerned there is no "peer pressure" here because these people aren't "peers". They're just some random people who, as near as I can tell, have done fuck all. There is not even an attempt to help out. Not even the question on how to help out. These people are supposed to be the maintainer's peers? Yeah nah. They're just shouty entitled internet nobodies that have not even attempted to contribute anything constructive or signal any willingness to do so (not even "I have been using the patch in production for half a year without problems", which would actually be a small but useful way to help out).

When it comes to these types of things you need to accept that you can't change every person in the world; you can only change yourself. If you cycle a lot you better learn to anticipate assholes doing asshole things. Is that fair? No. But it beats being run over and getting hospitalized, or worse.


> Also: as far as I'm concerned there is no "peer pressure" here because these people aren't "peers". They're just some random people who, as near as I can tell, have done fuck all. There is not even an attempt to help out. Not even the question on how to help out. These people are supposed to be the maintainer's peers? Yeah nah. They're just shouty entitled internet nobodies that have not even attempted to contribute anything constructive or signal any willingness to do so (not even "I have been using the patch in production for half a year without problems", which would actually be a small but useful way to help out).

That’s what I find incoherent about it.

1. The consumers are little ants that have no real power over anybody, certainly not to help the project itself

2. On the other hand they are powerful enough to peer pressure the only person who has the power to drive the project forward


Yes? Block, move on. It's the internet, you aren't forced to interact with anyone. If you are, get a better source code hosting platform.

> I don't think your paraphrasings are a fair representation of what I actually said.

I think their paraphrasing was a fair representation. You want to have it both ways. You said some incendiary victim-blaming thing, but now you're backpedaling with a "no no, you misunderstood".


Giving out advice for concrete steps someone can take to prevent a problem isn't victim blaming. Unless we're all content with people just sitting and whining all the time instead of actually doing anything to help themselves. And let's be real, we're talking about open source contributions, not getting mugged for wearing the wrong clothing here.

Peer pressure happens when someone like a teenager wants or has to be around some other peers (teenagers) but has to follow the whims of the peers in order to continue to be around them or to not be harassed by them.

The peanut gallery of non-contributors are only peers in the sense that they pretend to speak on behalf of some OSS community. And the fact that they are spokespersons is by default suspect. The attacker is a peer in the sense of being a contributor. So is he a peer pressurer? Again we come back to the teenager who has to follow the whims of his peers in order to be included. The maintainer is already inside of his own playground. So the pressure to be part of the “community” is really the incredibly abstract thing that the peanut gallery was referring to: you ought to do so-and-so in order to be whatever I think of in my head as an OSS maintainer.

This can be rejected out of hand if you really believe that maintainers don’t owe anyone anything (because of free labor).

But this gets incoherent if you want to assert both of these things:

1. There is no social contract for OSS maintainers: they can toss their PC out of the window and go on a five-year pilgrimage without telling anyone

2. There is some community which has power over the maintainer to peer pressure them

If you really want to double down on (1), the “cure” is what the OP suggested: say no and walk away.


Many maintainers want to please their users, and be helpful (which is admirable, and more power to them), which means #2 applies. Sure, the maintainer is entitled to say "fuck you, I want to sit on my project and you can fork it if you want", but he was, presumably, trying to be helpful and succumbed to pressure.

I don't think the maintainer is at fault to any degree here. Sure, this could have been avoided if the maintainer refused to be pressured and kept sitting on the project and letting it die, but it's not his fault that he didn't do that, and I wouldn't want that to be the default for maintainers either.


> Many maintainers want to please their users, and be helpful (which is admirable, and more power to them), which means #2 applies. Sure, the maintainer is entitled to say "fuck you, I want to sit on my project and you can fork it if you want", but he was, presumably, trying to be helpful and succumbed to pressure.

All the pro-social benefits with a side-dish of the nuclear option. That’s coherent I have to admit.

In that case one can limit one’s interactions to other invested parties, i.e. contributors. Granted then you are still interacting with the attacker but you’re spared from the peanut gallery.

In real life volunteering you don’t get random drive-by input from outsiders. The input (and whatever peer pressure) is only from other invested parties.

> I don't think the maintainer is at fault to any degree here.

I’m having a hard time understanding moral arguments. “Fault” and “blame”. Everyone is condemning the peanut gallery for complaining about passing on the maintainer stick to someone else. Yes, including people who say that he could have just “not got peer pressured”. To be clear it’s not about the maintainer having “fault” or the peanut gallery/the attacker being wrong. Both can have “fault” in different ways. Like, clearly the attacker is the one who did something bad. Now there’s only a question of what other people could have done differently.

> Sure, this could have been avoided if the maintainer refused to be pressured and kept sitting on the project and letting it die, but it's not his fault that he didn't do that, and I wouldn't want that to be the default for maintainers either.

The maintainer could have done something different but he didn’t and that’s not his fault. It seems that we all agree that he had a live option. You just want to not associate it with “fault”.

In another comment[1] I asked what moral obligation a maintainer has to herself. Only to herself.[2] Focusing on that angle seems more fruitful than talking about “fault” in the abstract since that just leads to back and forths about whether people should protect their wallets better or whether or not people should just stop pickpocketing people.

The goal of this subthread seems to be about how maintainers might protect themselves (for their own sake) from this kind of thing. Laying out the options that are in their hands (and not just how the world around them should become better) seems pertinent to the issue.

[1] https://news.ycombinator.com/item?id=39882721

[2] Like asking about whether someone has a moral obligation to eat healthy. It’s not about other people.


> In real life volunteering you don’t get random drive-by input from outsiders.

Sure you do: everyone likes to comment on whether your volunteering work is an effective use of time and resources or not.


Not in my experience. People don’t complain about people doing pro-social volunteer work (IME).

I see a lot of people complaining about e.g. working on saving "some stupid animal" instead of solving hunger or similar.

If you think peer pressure is most relevant to teenagers, you really need to sit down and rethink peer pressure.

It is certainly the most obvious and kind of archetypal kind of peer pressure, which doesn’t mean that it’s exclusive to teenagers.

That's still thinking of it the wrong way.

Peer pressure among adults is far more widespread and powerful than the limited peer pressure among teenagers.


What do you think "like" means?

Maintainers have an obvious contract with their users, even for open source projects. Everyone thinks what “Jia Tan” did is unacceptable, even though he’s an open source maintainer! You have an obligation to not cause harm to people who use your software.

> "I don't feel like it, if it's important to you then feel free to fork".

> That's really all that's needed.

that's much harder than it sounds.

having someone fork your project can give you the feeling of losing control over the project as potentially all your users might go with the fork. that fear is often strong enough to push yourself to do things that will avoid a fork.

it's a desire for harmony and a fear of conflict


You're right of course, but there are cultural norms and expectations at play here, which I feel need to be modified somewhat.

And that doesn't really change that things really are that simple, kind of. How do you stop smoking? By not lighting up any cigarettes. Of course it's not that simple, but ... it also kind of is.


> there are cultural norms and expectations at play here, which I feel need to be modified somewhat

this is an important observation.

a change of culture is really what is needed here, because it implies that not only maintainers change their behavior, but everyone involved, and the question is not so much what any individual can do for themselves, but how we can help others with that change and spread it


It's impossible for everyone to change their behaviour, because that's too many people. Some people are just assholes and don't care. Or they're idiots and don't understand. Nothing we can do about that. Most people are alright, but with 8 billion people on the planet even a small percentage being an asshole means a lot of assholes.

For the most part, the people who care already care (you, me, most others commenting here) are not really the problem.

So ultimately the only thing you can do as a maintainer is set your own boundaries for yourself. And the original message in that thread ("there is no activity, what are your plans?") is a fair question, although the follow-ups are not.

All of this is true for a lot of the internet by the way. The best thing of the internet is that anyone on the planet can talk to anyone else on the planet. When I was a kid I did some ham radio with scouting, and you could talk to people from places like Russia and the US. Wow!

The worst thing of the internet is that anyone on the planet can talk to anyone else on the planet. You're constantly exposed to a seemingly never-ending stream of assholes and idiots, and a single asshole can ruin the day of dozens, hundreds, or even thousands of people every day. Maybe this is just 1% of people, but 1% of 8 billion is 80 million.


i would not say it's impossible, but for sure it's an uphill battle. and it might take a few centuries for people to change, just like it took a few centuries before we abolished slavery and we are still working on racism, gender, different orientations, etc.

being nice to each other is just one of the many things that we as humans need to work on. and we are working on it, and hopefully some day we will be able to achieve it.


This fear doesn’t harmonize with the mantra about how no one owes anyone anything. If the code is OSS then you can’t lose control over the project since you have no inherent control over it to begin with.

> potentially all your users might go with the fork

That's the issue right there. Why would you care?

Clearly, the maintainer is invested in having a "community". Why? They must expect something positive coming out of it, so they are invested in having that community, which then means they have something to lose if that community moves somewhere else and they are left behind.

That's what enables this social exploit. A takeaway can be not to get so invested in having a community. These are users of your software, and their "utility" is in helping find bugs, perhaps suggest improvements or even provide patches, making the thing you as the original author made better. But that can clearly become a burden.


I'm reminded of this recent post about the Redis fork to be maintained by Drew Devault: https://andrewkelley.me/post/redis-renamed-to-redict.html

> Redict is a Finished Product

> Drew is a controversial person

(he's been rude/mean in the past)

xz should be pretty much finished as well, major overhauls like the "ifunc" feature to inject alternate function implementations are not really justified. Beware of busybodies and this whole "the community demands vibrant evolution of the project" thing. xz does its job already!

And being rude/mean is not a plus, it's a minus, but it does seem to correlate strongly with leading a high-quality project. Even if it's not the best way, this person has the guts to say no in unequivocal terms. You might just have to accept the downside of a rude/mean maintainer as a common unwanted side-effect of an effective maintainer. (Linus Torvalds also comes to mind of course.)


It's important to note that rudeness is somewhat up for interpretation. Rejecting a patch because it's full of bugs might be considered rude to some people, but not to me. There are definitely times where Drew rubs me the wrong way, but I know he's good at what he does, and I know he's just as fed up as I am about the nonsense. He doesn't suffer fools, and that can seem rude and mean if, well, you're a fool. (To be clear, he's been totally out of line before, but I know he's been working hard to change that, and I think he's been successful.)

I've made absolutely stupid 'contributions' to open source projects in the past, not out of malice but pure ignorance.

If someone had slapped me down for being an idiot I'd have most definitely found something else to spend my free time on.

Today, I'm not super great at coding but can hunt down segfaults like a truffle pig and submit bug reports (with code) that demonstrates the exact issue if it's something I can't figure on my own.


xz sees continual improvement to e.g. make it faster. ifuncs are an important part of that. If you want to use the garbage slow version of xz that’s up to you but I don’t think most people would want this.

> xz sees continual improvement to e.g. make it faster.

Yes, that makes sense.

> ifuncs are an important part of that.

No, IFUNCs have absolutely zero performance benefit over regular function pointers for internal functions. If anything, they can limit optimization opportunities the compiler has with other approaches. The only benefit IFUNCs bring is being able to avoid another indirection when replacing already exported library functions in their entirety. That's what they are there for - different optimized implementations for things like memcpy in glibc.


Sure they do: they’re transparent to applications.

This is incredibly naive. Anyone that thinks that pressure doesn’t work is exactly who I’d personally put top of my list to try to social engineer. Everyone is human. Nobody has infinite strength against persistent pestering. Everyone is capable of finding oneself in a scenario where they feel unsolicited responsibility. All you’re saying here is that you haven’t personally experienced it.

The GP did not state that pressure does not work. They stated how they think one should think about people trying to pressure. Or about contributions. They named the industry's self-inflicted problems.

I didn't say that; I just said you can maintain these projects with different attitudes.

"I feel a huge responsibility to please every user who reports a problem, shortcoming, or asks for a feature, which I need to address ASAP" is one attitude.

"I work on it whenever I feel like it, and if you don't like that then I don't care" is another.

Those are on the extreme end and for most people it's somewhere in-between.

It's very common for people doing volunteer work to lean too much towards the first. They have trouble saying "no" and bite off more than they can chew, even without direct pressure. Learning when to say "no" and setting boundaries for yourself is absolutely a vital skill for any kind of volunteer work – without it sooner or later you will burn out.

When I was a scout leader burnout due to this was a major cause of attrition. We made it very clear and very explicit there was no pressure for anyone to do anything they didn't want to, and that there was no shame in not wanting to do something just because you didn't feel like it. But it still happened, because people still feel this pressure, even when it doesn't actually exist.


Peer pressure works excellently against me as a teenager [when I was one] who just wants to fit in and have friends. It works much less well against me when I get unsolicited calls and contacts via phone and the Internet.

The maintainer did mention mental health issues. It can be hard to say no in the best of times, let alone when your own mind is trying to screw with you.

That's brave on his part and honest. I would never admit that in public personally and shows his personal level of honesty, unfortunately it can make you the victim of even more predators. Just say "no" and move on with your own agenda on your own personal projects. It's none of anyone's business, but one may share at times, just realize that others may try to take advantage. That's just my take.

This is harsh but tree, but it's not simple. People are different. Some shrug off things naturally, others try to be empathetic almost to a fault. I've learned to be the former, but when I was younger was much more the latter. I try not to act like it's easy because it took me a while to have that skill. And it is a skill and not built in to me, I still feel the urge but built up the skill of saying "no"

true*

You don't even have to say, "I don't feel like it." You don't have to say anything.

I'm curious: do you maintain a popular open source project?

The reason I ask is maybe the people who do are (in general) self-selected from the subgroup of people who don't just say "sod off" when someone is rude or inconsiderate.

If that was their stance in life, they would likely not put up with maintaining a popular open source project for very long.

