
Lack of cdnjs activity - spirit23
https://github.com/cdnjs/cdnjs/issues/13524
======
thomasfromcdnjs
Hey everyone,

My name is Thomas, one of the original founders of cdnjs along with Ryan
(linked below by another commenter).

We originally posted cdnjs on Hacker News in 2011 ->
[https://news.ycombinator.com/item?id=2828516](https://news.ycombinator.com/item?id=2828516)

The project was originally created on AWS Cloudfront, Ryan and I thought we
could handle the bills. In retrospect that was incredibly naive so we were
fortunate to partner with Cloudflare.

At the time, cdnjs was a baby, Cloudflare had just started entering the
market.

In short, Cloudflare always owned the domain, cdnjs.cloudflare.com, meaning,
we were constrained to work under the DNS level.

We have both put considerable amounts of work into the project, but nothing
compared to the community and the "core" contributors. I put "core" into
quotes because for the last 5 years, cdnjs has largely been run by a highly
dedicated man named Peter.

[https://github.com/PeterDaveHello](https://github.com/PeterDaveHello)

Peter built enormous amounts of infrastructure to support cdnjs. He is
extremely diligent, intelligent and determined.

The project was Ryan's and my "baby" but we were happy to relinquish control,
sorry for all the "buts", but we were not in a position to control due to the
technical and commercial reasons.

Ryan and I have never personally profited off the project, we've only paid
bills and late night ssh sessions.

Conversations are underway to move forward, it is likely that the project will
move to an unpkg setup (assets are just mirrored to npm).

A lot to say, but I'm at a lack of words.

Happy to answer any and all questions.

~~~
suresh70
Do you guys have any plans for short term relief to clear out the pending PRs
and keep the show running?

~~~
MattIPv4
Nothing that I've heard so far - though I'm happy to be corrected by Thomas or
Ryan.

------
petecooper
I am a former maintainer / librarian on cdnJS. I helped out some years ago
when I wanted to learn how version control and git worked. This was in the
pre-automation era (2013 to 2014 in my case), and I went through the existing
libraries to find outdated instances, located new versions of the same, raised
the PR to update it. All good.

Back then, and I don't know how much has changed, the libraries were
maintained on GitHub and CloudFlare did the hosting. I wasn't aware of any
problems with either organisation doing what they were doing, the system
worked just fine. The founders (see
[https://cdnjs.com/about](https://cdnjs.com/about) for confirmation) Thomas
and Ryan were around, but not super active. Thomas was involved in building
out some of the automation infrastructure, but the day-to-day of updating the
repo was largely undertaken by the maintainers, and that was fine. I never
'met' either founder, but we had occasional email back and forth and they were
grateful for my maintainer-ing.

I used the GitHub Mac app because I was finding my way. Whenever I changed any
library, the action of the app checking a HUGE repo for any changes pegged my
laptop for a few minutes every time. Not ideal, but the process of doing this
librarian-ing helped me learn about a heap of stuff.

According to [1] I stopped on cdnJS mid-2014. Things got a bit twitchy for me
when a library (edit: jPlayer) was pulled from the file structure because it
was compromised (edit: XSS) or found malicious at release. I had a couple of
user complaints directed at me because I was the one that added it in good
faith originally (it passed the malware checks I ran on it). The founders
stepped up to explain it wasn't me that was to blame, and one person didn't
take that too well -- basically they found me on other software forums, posted
threats to me and explained how the library that I had added, and someone else
had removed, was crucial to their business and they'd lost such-and-such
dollars in revenue with that library 404-ing without notice and that they were
coming to find me and extract the money from me by force. It all died down a
few weeks later.

[1]
[https://github.com/petecooper?tab=overview&from=2014-12-01&t...](https://github.com/petecooper?tab=overview&from=2014-12-01&to=2014-12-31)

Edits: clarity.

~~~
jlokier
> they found me on other software forums, posted threats to me and explained
> how the library that I had added, and someone else had removed, was crucial
> to their business and they'd lost such-and-such dollars in revenue with that
> library 404-ing without notice and that they were coming to find me and
> extract the money from me by force

Wow, that really takes "open source maintainer abuse" to a whole other level.

~~~
wongarsu
If cdnjs was an enterprise offering it would be reasonable to expect either a
notification of removal and a generous transition period, or just cdnjs
disinfecting the package behind the scenes (and then boasting about it).

But expecting the same from a free service is unreasonable. Stalking people
and asking for damages because they didn't meet an unreasonable expectation is
beyond unreasonable.

~~~
diggan
> it would be reasonable to expect either a notification of removal and a
> generous transition period

For security issues like XSS in live and deployed libraries?

I mean, I don't agree that the library should ever be removed, but if you are
of the opinion that vulnerable libraries should be pulled, they should be
pulled quickly no?

~~~
wongarsu
What's worse: uninterrupted service with a time window where you are
vulnerable to a known XSS attack, or your service suddenly going offline,
customers calling your support but all you can tell them is that you will be
back in a few days, but at least they are not vulnerable to XSS in the
meantime?

Of course for a small startup a few days notice before removal is enough, but
for a large company a few days may be barely better than no heads up at all.
Not everyone can move with the same agility.

If you don't pull it at all you risk people staying on the library forever
because they don't want to touch a working system.

------
onion2k
There's a lesson here for anyone who dreams of getting famous maintaining
something in the open source world - if it grows huge and you're not willing
to share control (and fame, and maybe money) you can't really take a break
from it. You will always have to be there or risk losing it very quickly.

Software development at scale is about much more than code. It's about
maintaining relationships with people, being willing to trust other people can
do good work without your input, and sharing responsibility for what you
started. All the really awesome open source projects have people who are good
at those things at their core.

~~~
kilian
Yes. Please CDNjs, give us enterprise level support because all of us pay you
the gigantic salary of...

Nothing.

Wait. Okay, no, you can't take a break because we give you huge donations that
make it so the 5 maintainers can afford to spend time working on it. You can
easily feed 5 people or families on the annual donations of...

$52.65 [1]

Okay. In all seriousness. No one doing open source owes _anyone_ _anything_.
Software at scale is a job. Jobs have salaries. Microsoft depends on it? How
about Microsoft spends 10% of an engineering salary supporting it?

[1] [https://opencollective.com/cdnjs#section-budget](https://opencollective.com/cdnjs#section-budget) They also have
patreon, which is bringing in $0 per month.

------
bouke
I guess the lesson to learn here is that you shouldn't rely on externally
hosted assets. Just host it yourself, it's not that hard. If you're concerned
about the bandwidth cost, you should probably charge more for the service you're
providing.

~~~
lixtra
There is a downside though: a copy has to be downloaded for each website, so
each first website load is slowed down.

What’s missing is a way to tell the browser to use a certain resource
(identified by its hash) and a url to download it.

That way the browser could cache the object across websites and download from
a source that the requesting website controls.

It could look like this:

    hash://sha256/71dc8dd15ea156387fa9efaf380e7f8d39187a549649bec62a39aee3cf4fdc55//https://raw.githubusercontent.com/cdnjs/cdnjs/2c95eae0dc3569f0cb15c8a5f9173220b49156bc/README.md

I also vaguely remember that magnet links were similar.

~~~
jefftk
_> a copy has to be downloaded for each website, so each first website load is
slowed down._

The major browsers (FF, Chrome, Safari) all fragment cache by the domain in
the URL bar now, for privacy reasons, so this doesn't apply anymore.

_> the browser could cache the object across websites and download from a
source that the requesting website controls_

You can't do this without reintroducing the same privacy issues that cache
fragmentation was introduced to prevent.

~~~
jefftk
Sorry, checking, FF and Chrome don't do it yet, but they will soon:
[https://www.chromestatus.com/feature/5730772021411840](https://www.chromestatus.com/feature/5730772021411840),
[https://bugzilla.mozilla.org/show_bug.cgi?id=1536058](https://bugzilla.mozilla.org/show_bug.cgi?id=1536058)

~~~
lixtra
Thanks for the cache partition description. This will make projects like cdnjs
less beneficial. The proposed hash:// scheme at least would leave it to the
attacked site which resources to expose to such an attack.

Performance vs security trade-offs seem to be popping up everywhere recently.

~~~
jefftk
A "share cache if hashes match" approach was considered with
[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)
but not included in the initial version. There's been talk
([https://hillbrad.github.io/sri-addressable-caching/sri-addressable-caching.html](https://hillbrad.github.io/sri-addressable-caching/sri-addressable-caching.html),
[https://github.com/w3c/webappsec-subresource-integrity/issues/22](https://github.com/w3c/webappsec-subresource-integrity/issues/22))
about allowing sites to opt in, but then you're opening up a new way of
tracking users across sites.

------
zackbloom
Hello from Cloudflare! We're involved with CDNJS as we host the CDN-part of
the project. We will support CDNJS and the sites which rely on it, period. If
your site uses CDNJS you can trust it will continue to be fast and functional.

We have engineers currently working with the CDNJS team to get updates
happening again. Once that is done we will start to think about the best way
to keep CDNJS updating without requiring as much human intervention in the
future. Thanks for your patience and feel free to ask any questions here.

~~~
MattIPv4
Thank you for everything <3

------
manigandham
This is why I recommend jsDelivr instead:
[https://www.jsdelivr.com/](https://www.jsdelivr.com/)

It's a free CDN that automatically pulls from NPM or Github based on repo URL
without any submission/approval bottlenecks. It's also more robust with
multiple CDN and DNS providers.

~~~
greggman2
[https://unpkg.com/](https://unpkg.com/) as well

cdnjs doesn't work well with es6 modules or at least requires more manual
labor. unpkg and jsdelivr work because they keep the structure defined in the
package.json

~~~
root_axis
I would definitely avoid unpkg.com

[https://twitter.com/centrisimo/status/1190213354213838855](https://twitter.com/centrisimo/status/1190213354213838855)

[https://twitter.com/vdanielpop/status/1190234073987518465](https://twitter.com/vdanielpop/status/1190234073987518465)

[https://twitter.com/BaggaleyGeorge/status/119026004939189043...](https://twitter.com/BaggaleyGeorge/status/1190260049391890434)

[https://github.com/mjackson/unpkg/issues/176](https://github.com/mjackson/unpkg/issues/176)

------
piscisaureus
Looks like the "founder" is
[https://github.com/ryankirkman](https://github.com/ryankirkman). Doesn't look
like he's MIA but rather distracted / doing something else.

~~~
weinzierl
No activity since Oct 3. I wouldn't draw any strong conclusion from this in
either direction.

~~~
Thorrez
Looks like he made contributions to a private repository on Oct 25.

~~~
weinzierl
You are right, I missed that. One can clearly see it in the punch card chart.

------
oefrha
410 GONE is a potential problem in any important open source project with a
low bus factor.

~~~
z3t4
The problem is that if you spread the privileges between many people,
especially in a voluntarily project, it usually ends up with no-one doing any
work. I have experienced it over and over again. Meanwhile if there is only
one person in charge he/she will often end up doing a tremendous amount of
work. It's like, if the whole organization depends on you, you feel more
responsibility.

------
ZoomZoomZoom
Well, I've read the whole linked Issue and only then understood that it's not
in fact CJDNS[1]. The latest commit there is Aug 6, which is very
frustrating. I'd love to see HN crowd paying more attention to such projects.

[1] [https://github.com/cjdelisle/cjdns/](https://github.com/cjdelisle/cjdns/)

~~~
codetrotter
Is there a specific bug or missing feature that has you frustrated in that
project?

And also, note that yeah they last pushed to master in August, but they've
been doing work since then on at least one other branch.
[https://github.com/cjdelisle/cjdns/tree/crashey](https://github.com/cjdelisle/cjdns/tree/crashey)

Software _should_ mature and when it does, development _should_ slow down. I
don't use cjdns myself, but from what I've heard it seems to be a solid piece
of software.

If you had personally submitted a PR to the project and it was sitting there
unacknowledged, or you were seeing lots of PRs by others sitting unresponded
to then I could see a reason for being frustrated. But there are only two open
PRs at the moment, and only one of them is without any comments.

------
brightball
It’s one thing to make and release open source software. It’s entirely another
to maintain a free service.

------
thinkloop
The entire cdnjs is one dude plus some "core" maintainers with no access?
Amazing.

~~~
paulddraper
Wait until you hear about OpenSSL.

~~~
boffinism
Can someone tl;dr for me?

~~~
cameronbrown
Heartbleed was a direct result of lack of resources. Billions of dollars have
been shifted through OpenSSL but nobody thought to contribute back to this
critical infra.

~~~
netsharc
NTP was being maintained by 1 guy in 2016:
[https://www.infoworld.com/article/3144546/time-is-running-out-for-ntp.html](https://www.infoworld.com/article/3144546/time-is-running-out-for-ntp.html)

And then some committee came along and thought everything was crap and they'd
do it better. Featuring ESR:
[https://lwn.net/Articles/713901/](https://lwn.net/Articles/713901/)

An Internet without a reliable way of figuring out the true time would be...
messy.

------
fks
Really sad to see this, I remember relying on cdnjs at a few old jobs over the
years. Hope they get this sorted.

If anyone is looking for alternatives, I created Pika CDN as a modern
alternative for cdnjs/jsdelivr/unpkg. It runs off of npm (so no approval
bottlenecks) and is 100% modern ESM (so you can `import` every package
directly in the browser without a bundler).
[https://www.pika.dev/cdn](https://www.pika.dev/cdn)

------
rpmisms
At the risk of seeming trollish...

What are we doing? Deploy the donations!

------
fareesh
Hypothetical question - what if a "founder" of a widely adopted service like
cdnjs becomes incapacitated or dead, is everyone supposed to just follow a
fork or is there some kind of provision to hand over control to someone? How
can the successor be chosen in such cases?

~~~
diggan
Just this happened in the Clojure community when Raynes (Anthony Grimes) died.
He made a lot of utils and projects for the community available open source
and since his passing in 2016, community forks have been available in other
organizations or willing users who fork and continue maintenance.

See for example
[https://github.com/Raynes/tentacles](https://github.com/Raynes/tentacles)
which now "moved" to clj-commons
[https://github.com/clj-commons/tentacles](https://github.com/clj-commons/tentacles)

Edit: just learned after looking up more about it that Raynes also seems to
have been behind the creation of Elixir's Mix toolkit (Mix is Bundler,
RubyGems, and Rake combined) so he touched on a lot of peoples life outside of
Clojure as well.

~~~
fareesh
Wow that's very sad to hear, I use mix all the time

------
bdcravens
How many rely on these CDNs as core (yet free) infrastructure?

~~~
sudhirj
CDN JS isn't the CDN. It gives you links and shortcuts to use other CDNs,
like Cloudflare, MaxCDN, Stack-something and others. Don't think any of the
libraries are served from CDNJS properties itself - how would they pay the
bills?

~~~
disiplus
Are you sure?

[https://cdnjs.cloudflare.com/ajax/libs/react/16.10.2/cjs/rea...](https://cdnjs.cloudflare.com/ajax/libs/react/16.10.2/cjs/react.development.js)

[https://cdnjs.com/libraries/react](https://cdnjs.com/libraries/react)

~~~
sudhirj
Yeah, the first is the actual hosting and the second is the index page. So you
could fork the repo, reach out to Cloudflare and start on newcdnjs.com for the
index and newcdnjs.cloudflare.com for hosting.

~~~
MattIPv4
Whilst that's do-able, this means you'd be starting a new CDN on a new domain
from scratch. Bringing the existing CDNJS traffic over to something new would
be a very difficult challenge.

~~~
capableweb
Why is that? If CloudFlare is on-board, they can help add redirects where
needed.

------
atemerev
Okay, this is what the fork button is for.

~~~
jimws
Forking is not as trivial as you make it sound. You need to set up CI/CD with
the new fork, then persuade the community to get on board the new fork. The
bigger problem is to get the infrastructure and money to host a live CDN that
serves the users.

~~~
codemati
To clarify: it looks like CloudFlare is the actual CDN behind CDNJS. And
getting on board the new fork would mean updates to every single reference to
CDNJS URLs (in codebases), on top of the community of contributors moving.
Yikes.

~~~
llarsson
Seems to me like Cloudflare would be in a position where they could
effectively decide on a new official fork and make sure it is one that is more
sustainably maintained, then.

~~~
manigandham
Cloudflare is already part of the jsDelivr network, if they're going to
redirect then they should just redirect to that completely.

~~~
diggan
Seems there is a vital difference in their operating procedures though as
jsDelivr is owned and operated by the for-profit company Prospect One and on
their whims, compared to cdnjs which is community driven (even if the core
community is really, really small).

------
jiofih
> No direct financial sponsorship (or any funding) for core maintainers to
> work on cdnjs

Unpopular opinion ahead: I find that demanding money after “voluntarily”
contributing to an open-source project almost offensive to the spirit of OSS. Money
changes the incentives around a community project in an irreversible way. Note
that the issue here has nothing to do with financial support.

EDIT: This is regarding the “core maintainers” comment in the linked thread,
and not a judgement of anyone’s ability. I gave away years of my own time to
open source projects earlier in my career. It was very rewarding in many ways,
even financially - what I learned made me a lot better at my job.

Am I not allowed to be ok with that, and believe that a paid contribution
model is not ideal for OSS?

~~~
cristianbica
So if someone asks "why don't you do more voluntary work" and the answer is
"besides some organizational issues there's no financial support" you find that
offensive?

~~~
jiofih
That was not the question, and the problem at hand has nothing to do with lack
of funding. That actually makes the pledge even worse.

When there are not enough interested persons to keep a project alive, let it
die. As shown in other comments, the same infra can be achieved in an
automated fashion without the need for lots of human intervention.

