
Void Linux project leader has disappeared - MindTooth
https://www.voidlinux.eu/news/2018/05/serious-issues.html
======
gruez
> We contacted Github, but they declined any help to regain access to the
> organisation.

> We have contacted freenode support. We see hope to regain access to the
> VoidLinux IRC Channels. IRC is an essential tool for communication of the core
> team.

What is github/freenode supposed to do in this case, allow a takeover?
Allowing takeovers opens up a can of worms whenever a project gets forked and
both sides claim to be the "rightful" owner of the project.

~~~
anilgulecha
> what is github/freenode supposed to do in this case, allow a takeover?

Of course. The group has a reasonable case to ownership of the project, and no
one else (specifically the awol user) is contesting the handover.

[edit]: I did not even realize this would be a contentious point to make. I
see a lot of what-aboutisms (and downvoting): but let's take this concrete
example for the story we're reading:

(1) Does anyone want to contest that the parent posters are not owners of the
project (with commit access, and regarded by the project's community as its
leaders)?

(2) We're not talking transferring away a govt. provided identity here. It's
the github/irc project handle so its owners can use it given the prior owner
is awol.

(3) I agree there may be scenarios where this may not be as cut and dried,
which is why I specifically mentioned ownership of a project, and no
contention.

~~~
tannhaeuser
I hope you're kidding. GitHub has no legal basis for transferring ownership,
and it would be a publicity fiasco if they did. A "reasonable case to
ownership" at best would allow bringing the case to court.

~~~
282883392
"Github transfers organizational ownership after owner becomes inactive"

Sounds fairly benign. Ownership transfers happen all across the web with, to
give a few examples, subreddits, social media handles, messaging groups, etc.
Why can't Github do the same?

~~~
tannhaeuser
IANAL, but apart from a private entity having such power being problematic (to
say the least) who's going to put stuff on GitHub if it can be gamed to take
away your control?

Edit: GH could also be in for liability claims should the original owner re-
appear (at least in general, if not this particular case), and would need to
check identity of the involved parties and whatnot, which is going to be very
costly.

~~~
carussell
What's with all the legal bluster in your comments here? Not only do the
liabilities you're trying to conjure up not exist, but this is not even the
first occurrence of something like this happening with GitHub. They have a
documented policy for freeing up inactive names. (Spoiler alert: it's allowed,
and they've done it.)

------
niftich
The code != the project, and situations like this one demonstrate this. In a
typical open source project, it's relatively easy to ensure continuity of the
codebase, but continuity of the organization, and all the meta that enable
communication, collaboration, coordination, is a challenge. Doubly so are
hardcoded trust anchors that need to be moved: project and artifact names, IRC
channels, domain names, keys and certs(!), contributor rights and permissions,
URLs for artifacts.

Further, there's no good literature on what one's supposed to do in this case,
or how to architect one's organization to be resilient to such situations.
Even having a council of superadmins wouldn't solve all of the above -- if any
service dependency doesn't natively support more than one administrator, the
same credential would have to be shared among all admins, leading to a
comparable set of problems: arguably worse, as one rogue actor can take
control of portions of the management infrastructure.

There's a real lack of maturity in identity and access management for the
needs of multi-leader organizations in spaces like domain hosting, code
hosting, IRC channels, and, y'know, nearly everything else.

~~~
mseebach
> Further, there's no good literature on what one's supposed to do in this
> case, or how to architect one's organization to be resilient to such
> situations.

Perhaps not specifically tailored for open source software projects, but areas
such as key person risk and business continuity aren't exactly under-
researched. The "trick" is to know you need it, and it's not a particularly
pleasant conversation.

GitHub would actually be a good home for something like this. A secure
repository (as secure as cloud-hosted can be) of keys and stuff, and a
mechanism for "opening the vault" and naming new administrators (say, a
unanimous vote of n out of m listed contributors).

------
AdmiralAsshat
We had a similar issue with the Korora Project. Founder stepped down to focus
on life for a bit, main developer went AWOL. Between the two, all build server
access was cut off to the remaining members.

Unfortunately, this is really one of the only ways to test how "open" your
code is. You can have the entire source up on GitHub, but if the stack depends
on connecting to a blackbox server which you don't control, the whole thing
quickly falls apart.

Redundancy and documentation are absolutely key for any kind of project,
particularly open source.

~~~
wainstead
Sharing the power is also really important. I founded the project PhpWiki back
in 1999, and eventually saw the need to grant admin access to other
developers. I haven't done any development on the project in about fifteen
years but it's still going.

[https://sourceforge.net/projects/phpwiki/](https://sourceforge.net/projects/phpwiki/)

------
keithpeter
Well I hope that Mr Pardines is OK and well and perhaps just having an
extended break. I remember the shock of Ian Murdock's death (founder of Debian
although long dissociated from Debian at the time of his death).

If the remaining team fork Void, I shall probably continue to use it, nice
system, easy to use and decent repositories.

Right now, a practical concern is the status of the update server and the
various mirrors.

------
mkobit
Sounds similar to the FindBugs project (discussed here [1]). The result from
that episode was a fork into SpotBugs [2].

[1]:
[https://news.ycombinator.com/item?id=12885549](https://news.ycombinator.com/item?id=12885549)

[2]:
[https://github.com/spotbugs/spotbugs](https://github.com/spotbugs/spotbugs)

------
robin_reala
What reasonable measures could have been put in place that would both avoid
this bus factor and balance the other way against the risk of a project
running into problems from split management?

~~~
MisterTea
First off, I'm surprised an open project has such a high bus factor. There
should always be a contingency plan.

The IRC channel could have easily been protected if a second or even third
trusted member of the team was given admin privileges and/or access to bots.
The domain and github accounts are tricky because of ownership and financial
payments.

The right way to do this would be to form an organization (non profit, etc)
and register all the domains and accounts to that entity. Then delegate access
to one or more trusted members with the founder as the head.

And finally, let this be a lesson to open developers. If you want to
participate in a large open project, check the bus factor and proceed with
caution.

~~~
icebraining
The Software Freedom Conservancy might be able to help:
[https://sfconservancy.org/](https://sfconservancy.org/)

------
reflexing
Arch Linux and OpenWrt projects have successfully used Software in the Public
Interest [http://spi-inc.org](http://spi-inc.org) to resolve their problems. I
recommend that Void use it too.

~~~
duncaen
> Furthermore, we’re in contact with a non profit organisation that helps open
> source projects to manage donations and other resources. We hope that we can
> announce further details in a few weeks.

~~~
reflexing
I think it'll be nice to mention which organisations you are in contact with
currently.

------
znpy
The sad thing imho is that no one asked:

- Is he/she fine?

- Did something happen?

- Can we help?

~~~
carussell
That's a strong claim. What led you to conclude that nobody asked any of those
things?

~~~
znpy
At the time of writing that comment, no one in this thread had asked those
questions. Also, on the page linked, the author was not asking those questions.

That led me to conclude that nobody asked those things.

~~~
carussell
After the leader of a substantial project disappears, in the ~20 minutes of
incidental contact you have with the issue after having only just been
introduced to it having not stumbled over a particular discussion out of sheer
dumb fucking luck, you conclude that means the discussion never occurred. Do
you _really_ think that's a sound conclusion?

Let me put it this way, do you really think that, in the _three months_ since
this person disappeared, out of the _dozens_ of people who have a far closer
relationship to him than you do and a far greater personal stake in his
wellbeing, that you are _really_ the _first_ person to consider whether
something might have happened—to the point that you're comfortable to
grandstand with a public indictment about how "sad" their behavior is?

You are _the worst_ kind of person. _Fuck you_.

------
WhitneyLand
I hope the PM is ok. But if they haven’t suffered some kind of severe illness
how do they even apply for a job in the future if this becomes well known?

If it’s some kind of pissing contest could they potentially have legal
exposure?

~~~
aeosynth
"Don't develop free software; if you ever decide to abandon a project, no one
will ever hire you again."

~~~
WhitneyLand
Not even close I think.

One common thread between a job, and contributing to free software, is that
you are often collaborating with others and helping each other as a team.

There’s nothing inherently wrong with moving on from either one, but there is
a vast spectrum of ways to make the transition - from productive and retaining
friends, to bridge burning.

If there was some unforeseeable emergency in the PM’s life he shouldn’t be
criticized for that.

Let’s assume the positive, he’s probably a great guy, there’s a rational
explanation, and he’ll end up making things right. The problem is sometimes
other people might just be making dick moves, which really doesn’t help either
party.

------
tzs
Project hosting sites should perhaps have a built in mechanism to make it
easier to deal with these situations. Perhaps a dead man's switch that if
tripped allows those with write access to the project to appoint a temporary
replacement leader. If the missing leader returns he can reclaim leadership.
If he does not return, then after a certain time has passed, the temporary
leader becomes the permanent leader.

------
a-nikolaev
Wishing the best resolution to this situation. Have been a Void Linux user
since last May and enjoying it lots, the best Linux distro by far.

~~~
gnode
This is the first I've ever heard of it, and it seems like the distro that'd
suit me well.

Too often it seems the case that the first I hear of a promising project is of
its demise via Hacker News. Hopefully this isn't such a case, and the
organisation can get back on its feet in spite of this.

------
tmikaeld
Reminds me of Rubedo:

[https://github.com/WebTales/rubedo/issues/1477](https://github.com/WebTales/rubedo/issues/1477)

It's got an organisation behind it, but not a word for almost a year now.

~~~
duncaen
It's different, we have 10+ team members with full write access to the
repository and development is still ongoing.

[https://github.com/voidlinux/void-packages/pulse](https://github.com/voidlinux/void-packages/pulse)
[https://github.com/voidlinux/void-packages/graphs/commit-act...](https://github.com/voidlinux/void-packages/graphs/commit-activity)

The missing bits on the github side are permissions to add/change organization
team members.

~~~
tmikaeld
Of course, I'm absolutely not saying that it's the same situation - it just
reminded me about how bad it can actually become if you can't replace the main
developers of a project.

------
simlevesque
I'm kinda surprised that this does not happen more often.

------
ItsMe000001
I would like to take this opportunity and ask about another disappearance of a
project leader, even if it's only a minor project:

Ben Hsieh, owner of "react-native-fetch-blob", a native (iOS and Android)
module for filesystem access and network requests for React Native.

[https://github.com/wkh237](https://github.com/wkh237)

Does anybody know what happened to him?

I'm asking because I had "Contributor" status for his project on Github and
was left with the pieces.

