
Fine Uploader is shutting down - netham91
https://github.com/FineUploader/fine-uploader/issues/2073
======
rolleiflex
> I've grown tired of continuously defending my inactivity and decisions
> against trolls on Twitter, the issue tracker, and elsewhere. It's draining
> and I don't have the patience or energy to deal with it any longer. These
> same people expect to impose their short-sighted and non-generalized values
> and goals on a project for which they have contributed nothing and are not
> willing to maintain. The sense of entitlement from a small but vocal
> minority that do not understand FOSS and refuse to understand it is very
> much a concern, and I'm simply not interested in shrugging that off anymore.

In the last three days, I've been accused of my code not being open source and
that I should remove all mentions of open source from everything I owned,
because I simply haven't pushed to Github in a month or two.

This was joined by another user who claimed that open source license legally
forces me to make the 'secret' code I've been holding off public, which,
again, does not exist, because the code on the repo was effectively current.

I've been working full time for the last 8 months, on my own savings, to
provide a peer-to-peer mass communication tool, and I'm releasing it for free.

To say that this made me feel _horrible_ for the past few days would be an
understatement.

~~~
latchkey
Sorry you feel bad. That really sucks to get messages like that. Personally,
I'd just ignore the noise and focus on the good. Remember, it is far easier to
be a keyboard warrior than it is to create something awesome.

People in the service industry see this all the time. A 1 star review on a
restaurant really hurts. Everyone should know how much effort it is to run a
restaurant and how much can easily go wrong... a bad review is really
disheartening.

~~~
rolleiflex
Thank you. I understand these folks are few amongst many, but boy, when you
don't hear from the many, only from the few, it makes you think whether this
was a mistake.

Regardless, I've removed all mentions of open source from my product (but kept
the license unchanged), just so I won't have to deal with this again.

------
davidjnelson
> I lack the free time at this point in my life to continue to maintain and
> develop a project of this scale, and the codebase has languished for a
> little while already.

> I've grown tired of continuously defending my inactivity and decisions
> against trolls on Twitter, the issue tracker, and elsewhere. It's draining
> and I don't have the patience or energy to deal with it any longer. These
> same people expect to impose their short-sighted and non-generalized values
> and goals on a project for which they have contributed nothing and are not
> willing to maintain.

> The sense of entitlement from a small but vocal minority that do not
> understand FOSS and refuse to understand it is very much a concern, and I'm
> simply not interested in shrugging that off anymore.

Not familiar with this project but would like to thank the author as well as
all the other amazing open source contributors in the world for doing
something that made/makes the world a better place.

I dream of a day when we have a solution to these problems. Where an engineer
can get paid as much as they would at a job to fix those issues people raise.
A platform that also allowed creators to block people who are clueless and
unkind.

Some day we as a community will figure it out.

------
DoreenMichele
I think the correct way to view this is as a courtesy notice that "Hey, that
thing you might have used for free is being discontinued." That's it.

There is zero reason to expect FOSS developers to be schooled in good PR or
something. He may think that spelling out his logic for his decision is useful
information to other people. He may even be right about such an assumption.

I would not infer that he is intentionally being petty, kvetching per se, etc.
It might be accurate, but who cares? He published a courtesy notice. He could
have shut it down with zero announcement.

I am reminded of this comment I made 3 months ago:

[https://news.ycombinator.com/item?id=17824166](https://news.ycombinator.com/item?id=17824166)

------
kvz
Disclosure: I work on a ‘competing’ file uploader.

I’d like to thank Richard for the relentless efforts in pioneering this robust
uploader. As a member of the Uppy team I have had the pleasure of a few
encounters with him where he advised us on e.g. saving directly to S3. I
regard him more as a bright peer than a competitor; the ecosystem is large
enough that we can afford that luxury. And I guess being in open source helps.
Like, I don’t suppose there’s a cutthroat mentality between Linux and FreeBSD
contributors for instance :)

I can relate to the gh-issue fatigue becoming unbearable if you yourself no
longer have a need, or a way to make it into a sustainable career. Worse:
others are building businesses with your free product and make wild demands.
Our team is fortunate enough that our own business can benefit from Uppy and
so that we can allocate paid-for-time; but if all that effort has to come from
your spare time, that could also have been spent on your family or making
money to feed them.. the weight really adds up and wears you down.

So: Much respect for keeping it up for so many years, breaking new grounds,
and being a big inspiration to us.

~~~
kvz
Of course it is Ray and not Richard, I am sorry. It is too late to edit now.
Should know better than to post on the move :o

~~~
rnicholus
This is Ray. I'm trying to lay low after archiving my project as I really just
want to move on at this point, but I couldn't help myself and read some of the
comments here anyway. Thanks for this, Kevin. Uppy is a fantastic library and
I wish you and the rest of the Transloadit team the best. If I were looking
for an enterprise-class upload library in the future, I'd absolutely choose
Uppy at this point.

------
NetOpWibby
The sense of entitlement people have of open-source projects is ridiculous,
ESPECIALLY if they haven’t contributed to it.

~~~
mikekchar
What is this comment in response to?

~~~
sandov
> I've grown tired of continuously defending my inactivity and decisions
> against trolls on Twitter, the issue tracker, and elsewhere. It's draining and
> I don't have the patience or energy to deal with it any longer. These same
> people expect to impose their short-sighted and non-generalized values and
> goals on a project for which they have contributed nothing and are not willing
> to maintain. The sense of entitlement from a small but vocal minority that do
> not understand FOSS and refuse to understand it is very much a concern, and
> I'm simply not interested in shrugging that off anymore.

~~~
mikekchar
Thanks! I read it a couple of times and missed it each time. It was before my
coffee, so I guess I'll blame that.

------
mr_puzzled
Somewhat related: are there any guides/tutorials about how to do secure file
uploads in webapps and how to avoid obvious security pitfalls?

Reading the Django docs
[https://docs.djangoproject.com/en/2.1/topics/security/#user-...](https://docs.djangoproject.com/en/2.1/topics/security/#user-uploaded-content-security),
specifically,

> Django’s media upload handling poses some vulnerabilities when that media is
> served in ways that do not follow security best practices. Specifically, an
> HTML file can be uploaded as an image if that file contains a valid PNG header
> followed by malicious HTML. This file will pass verification of the library
> that Django uses for ImageField image processing (Pillow). When this file is
> subsequently displayed to a user, it may be displayed as HTML depending on the
> type and configuration of your web server.

is a little concerning. They recommend serving images from a different domain
and whitelisting file types. Is that enough? Does anything else need to be done
to improve security? Does handling uploads alone give attackers an RCE
opportunity, or is it safe to handle files on the server and then upload to AWS
S3?

~~~
hyperpape
Here’s a start:
[https://mobile.twitter.com/olemoudi/status/10239768976618700...](https://mobile.twitter.com/olemoudi/status/1023976897661870083)

~~~
mr_puzzled
Thanks for that, great read.

I think for my use case going with s3 will be easier and better for security.
So how do I actually do it? Let users directly upload to s3 and have a lambda
function call my server to store the url? If the image file is maliciously
crafted, how does using s3 help, especially when serving the content? How can
I set the headers when serving images from s3? And is there a way to identify
that a specific user uploaded this file, so that I can have rate limiting? Is
it possible to generate a signature or something to identify a user that I can
decode server side to say "ok, this user uploaded the file and he is who he
says he is". Maybe sign using the cookie that django sets for each user?

~~~
PetahNZ
There are a few options, such as using AWS Cognito, or signed requests. I
personally use signed requests, which allow you to specify where and what type
of files are allowed to be uploaded. First the user asks my server for a
policy and signature, then uploads directly to S3, then sends another request
to my server when done. My server will then verify and process uploaded files.

Likewise, requests can also be signed so you can implement rate limiting on your
side, and just allow S3 to serve the payload. Or you can do things like use
CloudFront to serve the objects, which can use various methods of
authentication such as signed cookies, or Lambda functions.

Headers can be set in the S3 object metadata.

~~~
mr_puzzled
Thanks for the explanation. Follow-up question: how did you implement the
signed cookies part?

~~~
harrisonjackson
Use the AWS SDK to generate credentials on your server, and pass the returned
creds to your frontend. The request to generate the credentials allows you to
lock down the size and type of file. They can go directly into a form or be used
in JavaScript. Lots of GitHub libs and Stack Overflow answers go into more
detail.
[https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingH...](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html)
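The flow PetahNZ and harrisonjackson describe (server issues a policy and signature, browser POSTs straight to S3, server verifies on completion), as an added example that is not code from the thread, Fine Uploader or Uppy. It implements the SigV4 browser-POST policy from the linked AWS page with only the standard library; the credentials, bucket name and the `uploads/<user>/` key layout are constructed placeholders.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Constructed placeholder credentials; real keys stay in server-side config.
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET, REGION = "example-uploads", "us-east-1"
MAX_BYTES = 5 * 1024 * 1024  # size cap enforced by S3 itself, not by the browser

def _sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signing_key(date_stamp):
    # SigV4 key derivation: AWS4+secret -> date -> region -> service -> aws4_request
    k = _sign(("AWS4" + SECRET_KEY).encode(), date_stamp)
    for part in (REGION, "s3", "aws4_request"):
        k = _sign(k, part)
    return k

def user_prefix(user_id):
    # Every object a user uploads must land under this prefix; the completion
    # callback uses it to tie an object key back to the authenticated user.
    return f"uploads/{user_id}/"

def build_presigned_post(user_id, now=None):
    # Form fields the browser POSTs straight to S3. The policy pins bucket, key
    # prefix, an image/* Content-Type, a size range and Content-Disposition:
    # attachment (stored as object metadata, so a PNG/HTML polyglot downloads).
    now = now or datetime.now(timezone.utc)
    date_stamp, amz_date = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    credential = f"{ACCESS_KEY}/{date_stamp}/{REGION}/s3/aws4_request"
    policy = {
        "expiration": (now + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            ["starts-with", "$key", user_prefix(user_id)],
            ["starts-with", "$Content-Type", "image/"],
            {"Content-Disposition": "attachment"},
            ["content-length-range", 1, MAX_BYTES],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    encoded = base64.b64encode(json.dumps(policy).encode()).decode()
    signature = hmac.new(_signing_key(date_stamp), encoded.encode(),
                         hashlib.sha256).hexdigest()
    return {"url": f"https://{BUCKET}.s3.amazonaws.com/",
            "Content-Disposition": "attachment",
            "x-amz-algorithm": "AWS4-HMAC-SHA256", "x-amz-credential": credential,
            "x-amz-date": amz_date, "policy": encoded, "x-amz-signature": signature}

def key_belongs_to(user_id, key):
    # Called on the "upload finished" request: accept only keys inside the
    # user's prefix and without traversal fragments before recording them.
    return key.startswith(user_prefix(user_id)) and ".." not in key
```

The browser submits the returned fields plus its own `key`, `Content-Type` and `file` fields to `url`; S3 rejects anything the policy does not cover, and the per-user prefix is what lets the completion handler attribute and rate-limit uploads per account.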

------
nateweiss
Thank you for Fine Uploader. It's been really helpful.

A my-fault anecdote: I submitted a PR for a minor new Fine Uploader feature,
and when a few followup questions were asked about documenting the new
feature, I never got around to completing the tasks.

So, at least in my case, I intended to contribute and did "most" of the work,
but failed to make the time to bring my PR over the finish line. Perhaps there
were a bunch of well-intentioned-but-ultimately-not-usable contributions like
mine, and maybe they also contributed to the frustration.

I try (but sometimes fail) to remember that so, so much of the stuff I use
every day to maintain my livelihood was created by others, for the free use of
others. But it's such an embarrassment of riches that sometimes one forgets to
be thankful and that's when the feeling of open-source entitlement sets in (at
least that's how I see it).

In the past I maintained a bunch of little plugins that got a decent amount of
use, but it was a long time ago (1990's) and I think the culture was
different. There was some criticism, but most people were very appreciative
and if there was something they wanted added etc, they would just solve it on
their end without any complaints or drama. There was no PR type workflow,
arguments over licensing, or expectation of awesome docs/support for a free
thing. I'm not saying I want to go back to that per se, but when I think about
maintaining that type of project now, it sounds fatiguing instead of exciting.

Not sure what my point is... I guess just to say thanks and that I can totally
understand why you'd want to stop supporting the code. But it is used and
appreciated, and the fact that you nurtured it for so long is an achievement
on its own. Cheers!

------
wpietri
Has anybody written a guide on how to survive having a successful open source
project?

I happened to have something [1] get a little usage recently and it took
effort not to get sucked in. There were people with questions and needs! And I
like helping people! But I also have a life to lead, so I set myself some
clear boundaries and worked to consciously accept that the project wouldn't
operate at the standards I'd have for myself if it were my job.

It occurred to me that when I got started in the industry I didn't have the
boundary-setting skills I do now, and that I easily could have worked too hard
and too long, burning myself out, especially if my project were as popular as
this was. It'd be nice to have a guide from OS project leads on ways to keep
the project sustainable over the long term.

[1] [https://github.com/wpietri/sucks](https://github.com/wpietri/sucks)

~~~
aikah
> Has anybody written a guide on how to survive having a successful open
> source project?

No need for a guide. Close the issue tracker. Only accept pull requests,
problem solved.

~~~
wpietri
I don't think that's a very good approach.

The contributors I got for my project all first appeared in the issue tracker
and we had a few interactions before they decided it was worth their time to
write code. That makes sense to me. I would be unlikely to submit a pull
request until I was reasonably sure that it was welcome and that the
person receiving it would be a good person to collaborate with.

~~~
aikah
> I would be unlikely to submit a pull request until I was reasonably sure
> that it was welcome and that the person receiving it would be a good
> person to collaborate with.

The person you collaborate with does not owe you anything, and it goes both
ways. If a PR is rejected, then its author is free to fork the project. But
you can't have it both ways: you can't complain about people potentially
abusing issues and then think there is a special technique to limit the problem
while keeping an issue tracker open, because there isn't.

Closing the issue tracker will ensure only people capable of fixing issues
will collaborate on a project.

~~~
wpietri
I understand the theory you're expressing, I just think it's pretty far from
optimal.

Closing the issue tracker might have the effect you describe, but will also
unnecessarily alienate people who would be excellent contributors with a very
moderate investment.

I personally didn't "complain about people potentially abusing issues", so I'm
not sure where that's coming from. What I'm interested in is helping less
experienced project maintainers find healthy ways to cope with having a
successful project.

But given your confidence on the topic, surely you can show us the successful
open source project you are running along these lines?

------
arvinsim
Does anyone know of an alternative to this library?

~~~
kvz
Disclosure: I’m on the Uppy team but you may want to check it out
[https://uppy.io](https://uppy.io).

I think we have feature parity, or close to that. Any extra feature is either
opt-in or can be opted out of

~~~
arvinsim
Thanks, I will look into this then.

------
BoorishBears
At the risk of sounding uncaring or such...

Ok?

I mean I don't get why the owner didn't try to find someone else to graciously
take the reins without a fork (maybe they tried and couldn't find anyone?),
but I don't get the dramatic post and very "taking my ball and going home"
tone I'm getting.

Again, maybe it's just me looking at it wrongly, but when 4 out of 6 reasons are
referring to yourself and not the project...

The bit about having to defend yourself on Twitter, I guess I don't know this
person and how bad they have it, but I find it hard to imagine someone just
_inundated_ with Twitter noise over a library to the point they need to walk
away in such an abrupt manner, like taking the slightest amount of time to
transition would be life ending ( _definitely get not wanting to deal with
noise over free work, but this is a known problem and they could have started
a conversation about that_ ), and I _definitely_ don't see how this will
_reduce_ the amount of attention they get...

~~~
ravenstine
Why even bother being on Twitter? I keep hearing developers encouraging each
other to be active on Twitter, but who gives an actual fuck what goes on with
Twitter? All it seems to do is generate drama on every front. Do developers (or
anyone) really need to be on there? If I were the owner, I would have just
closed my Twitter account in the face of demanding freeloaders.

~~~
BoorishBears
I respect their right to be on Twitter in peace, but yeah, I'd probably block
users before I'd list Twitter complainers as a reason why I'm closing the lock
on a popular library and throwing away the key instead of just walking away
myself... because that's definitely one way to get a lot of people (imo
rightfully) complaining about what you did.

Also kind of kills your credibility in the future. Walking away over toxicity
is fine, doing it like this? Not so great. (of course there's something
especially egregious we don't know about, but they're laying a lot out in that
post, I'd expect to see it there...)

~~~
justin66
> Also kind of kills your credibility in the future. Walking away over
> toxicity is fine, doing it like this? Not so great.

Credibility, yeah. _Sure, this guy gave away his work for seven years but can
we trust him to work for free in the future?_

~~~
BoorishBears
Exactly.

Because every day millions of people give away their work.

I give away my work. I've dealt with rude people using software I made since I
was pretty much a kid, those people didn't know who their vitriol was directed
at.

What makes this guy so special that to spite the vitriolic subset of all users
he gets to be the one who throws a wrench in a project?

I said this in a comment below:

You think the kind of person who would insult a library maintainer on Twitter
is going to read his Github issue?

"Oh it stopped getting updates" "Good, now my code won't break anymore!"
"Security vulnerabilities in libraries? What?"

He's literally only spiting the very people who make projects like this
worthwhile, the kinds of people who would want to submit PRs, make useful
issues, and people with a genuine interest in the project, exactly what he's
saying he lost.

