
CoreJS: State of the project? Looks like dead. Any official fork? - SenHeng
https://github.com/zloirock/core-js/issues/767
======
jakear
What a wild ride this has been.

Looking at the police report, I do wonder what the punishment would be in
other countries. It seems the victims were lying drunk on the ground in dark
clothing atop a hill (edit: hill not mentioned in police report, but seems
logical given the headlight statement), causing the headlight beams to not
illuminate them. On top of that, incoming traffic blinded the driver.

This is of course according to his testimony, but I can't imagine I (or anyone
else) would have been able to avoid such a situation.

Edit with source:

Citing the actual circumstances of the accident, he emphasizes that he could
not notice the pedestrians in a timely manner, as they were below the light
level of the headlights of the vehicle (R.G. - lay, P.A. - tried to lift it),
were dressed in dark clothes, street lighting was insufficient, he (Pushkarev
D.V.) was blinded by the distant light of the oncoming car. Further, the author
discloses the contents of the testimony of witnesses A.A., A.Y., A.M., I.K.,
A.S., focuses on the behavior of victims at a pedestrian crossing, which
contradicted the requirements of p.4.6 of the Rules of the Road of the Russian
Federation. It notes that the victims were in a state of alcoholic
intoxication, behaved inadequately. It points out that p.14.1 traffic rules of
the Russian Federation provides for the duty of the driver to pass pedestrians
crossing the roadway, and not lying on it. He insists that he would have
noticed the victims and was able to prevent the attack if they were moving on
the crossing upright.

[https://kraevoy--alt.sudrf.ru/modules.php?name=sud_delo&srv_...](https://kraevoy--alt.sudrf.ru/modules.php?name=sud_delo&srv_num=1&name_op=doc&number=1733512&delo_id=4&new=4&text_number=1)

Translated by Bing.

~~~
nostromo
If you'll permit a tangent, there are a lot of drunk pedestrian fatalities. I
don't think we talk enough about the risk of drunk walking.

Over one third of pedestrians killed in the US each year have been drinking
too much to drive.

[https://www.usatoday.com/story/news/nation/2013/08/05/drunk-...](https://www.usatoday.com/story/news/nation/2013/08/05/drunk-pedestrian-fatalities/2621673/)

~~~
catalogia
How much of this is due to the immediate physiological effects of alcohol
(e.g. impaired reaction time, etc) and how much of it is chronic depressed
alcoholics disregarding their own well-being and possibly committing suicide?

I've walked home drunk from bars more than a few times and I've never
experienced any trouble using crosswalks like normal. I'm pretty certain it's
much safer than driving home drunk (not that I drive to bars in the first
place.)

~~~
fiblye
Driving at night down narrow streets, I've had some people pop out from behind
a wall in front of me. Fortunately everyone involved has always had good
reaction times, so I don't think I've killed anybody yet.

Somebody who's not really thinking, or just stumbling around and being goofy.
Lots of people including myself have said "DUDE wouldn't it be funny if we did
[X incredibly stupid thing]?" while unreasonably drunk. Normally calm people
start fights with people who can clearly kick their ass after a couple drinks.
Probably a few think they can take on or play chicken with a car. Some people
also just blink for a second and suddenly they're asleep, if they have enough
drinks.

Depression may be a cause, but honest accidents and impaired thinking are
definitely big reasons.

~~~
pvorb
> I don't think I've killed anybody yet

If you can't tell for sure, are you certain that you weren't drunk yourself?

------
saagarjha
Some background: CoreJS is a widely used JavaScript library, apparently used
for polyfilling by Babel. The author was previously known for asking for a job
in npm install logs
([https://github.com/zloirock/core-js/issues/548](https://github.com/zloirock/core-js/issues/548)),
and recently seems to have gone to jail for vehicular manslaughter, leaving the
project without a maintainer.

~~~
jnbiche
Evidently, it was his legal problems that provoked the job request and console
ads, so I'm sympathetic. And based on the description above, it's highly
unlikely that he would have been charged in most countries. The person who
died was _lying_ on the road at night, in dark clothes, intoxicated. Sympathy
to her family, but that would count as an exculpating circumstance in most
Western countries, I'm fairly sure.

I'm sure as hell that I'd do whatever I could legally to avoid going to a
Russian (or American) prison, if what I'd done was an accident and of very
doubtful criminality from the perspective of most countries. Wouldn't you?

Now he'll be stuck in a Russian prison for 2 years because of a tragic
accident in which he was arguably not that negligent.

Edit: All of this is based on the facts as I have been able to find them
online. I may be wrong in my interpretation.

~~~
ivan_gammel
I can read Russian. According to the information from the court:

1) he lost an appeal, meaning that his case was in the court at least two
times.

2) the dead victim was not lying on the road, that’s false information. She
was trying to remove the other victim from the crosswalk.

Knowing the motorcycle culture in Russia I would not be sympathetic to anyone
there - it has nothing to do with safety on the road.

~~~
jnbiche
Fair enough. That's why I wrote that disclaimer. If one victim was dragging
the other, that changes my perception somewhat, although not entirely.

And in terms of "culture", are there not people in Russia who just ride
motorcycles as an inexpensive transportation option, and not as part of any
particular culture or group? The guy in question looks like a typical geek,
not a motorcycle gang member or something similar.

~~~
ivan_gammel
It’s definitely not considered an inexpensive transportation option. Not with
Russian winter, roads and environment. Geeks though are the likely buyers,
because riding a bike is a kind of a statement.

------
ariabuckles
FYI it looks like this project isn't necessarily dead; another contributor who
merged a PR 2 days ago just posted a short update:
[https://github.com/zloirock/core-js/issues/767#issuecomment-...](https://github.com/zloirock/core-js/issues/767#issuecomment-603682034)

> Stop spam & panic! I have rules for this repo and i have some time for
> fixing critical bugs and major updates.

------
SaxonRobber
Jesus npm is a cancerous dumpster fire. Guy must have been a saint to continue
maintaining the project in spite of all of the entitled "developers" using his
package and scolding him for DARING TO ASK FOR A DIME.

~~~
cycomanic
Actually, while I think npm is the worst example, I am of the opinion that
this is the largest issue facing OSS today.

Companies using lots of OSS packages without ever giving back a dime. The
argument is always that this helps developers get a job, but often enough the
jobs don't allow the developers to work full time on those packages, but they
are still somehow expected to continue the work in their past-time.

The guy posted the results of his call for funding, he got to $50 a month on
patreon! For maintaining a package that likely 100s or 1000s of companies
depend on for the work.

~~~
syshum
Which is the direct result of abandoning CopyLeft licensing and moving towards
the BSD / MIT license model that creates the climate you're speaking of.

I firmly believe that if Linux had not used GPL it would not be anywhere near
as big as it is today.

------
chrismorgan
In bus factor
([https://en.wikipedia.org/wiki/Bus_factor](https://en.wikipedia.org/wiki/Bus_factor))
considerations, I guess I’ve never considered that legal matters can take the
driver out of commission as well as the person hit by the bus!

------
untog
What an ugly comment thread that is.

Anyway I doubt it’s fair to say the project is dead, something of this
importance will be forked and maintained. It’s an annoyance for sure, though.

------
enitihas
The entitlement in that thread is mind blowing. A lot of people who are
complaining about there being only a single maintainer, seem to have no open
source contribution history on github. If the project is important to so many
people, they sure didn't show it by donating to the maintainer. Saying XYZ
project is important to me, and there should be some js foundation taking care
of it, (implicitly also saying I have zero intention of making any effort)
sounds too hard to believe unless you see this in real life.

As Joe Biden said:

"Don't tell me what you value, show me your budget, and I'll tell you what you
value."

~~~
Frost1x
This really reminds me of most of my interactions with the JS community. I'm sure
not everyone is that way.

Whenever my projects use FOSS I always remind them exactly what a 'dependency'
is. You should know and understand your dependencies and risks associated with
relying on them.

You need to be willing to lock-in to a version if need be or replace it
entirely. Some developers I work with that throw together one-off web
applications tend to inject dozens (sometimes hundreds) of dependencies (which
they like to dynamically pull from latest builds) into their projects, enough
to make me dizzy looking through the list.

Typically development starts, they meet some initial goal and keep gluing more
and more packages together to meet some goal/desired functionality. Then
something breaks and they conveniently have other internal work that has to
take priority, leaving a broken application they don't want to deal with for
someone else to fix because they know it's an absolute mess they created.
Rinse repeat.

Now you've established an expectation of functionality you have no clue how to
maintain and did not clearly explain that to your client when you took
shortcuts to glue everything together.

------
agildehaus
Couldn't someone he trusts just ask him for credentials? It may be harder to
contact him right now, but not impossible.

~~~
bdcravens
Jails have mail, and most have phones.

~~~
agapon
And Russian jails?

~~~
baybal2
1 box of Marlboro for the prison guard should do it

------
orliesaurus
I am really curious as to what happens here, remember the left-pad controversy?
[1][2]

This is like round 2.

How will npm/github act now?

Especially now that it's Microsoft's npm /s

[1]
[https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/](https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/)

[2] [https://blog.npmjs.org/post/141577284765/kik-left-pad-and-np...](https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm)

~~~
whoisjuan
Why would the registry do anything at all?

That’s why forking is a thing. It’s certainly inconvenient but transferring
the access of the original project to another party sets a very bad precedent.
Maybe when the maintainer dies, but this guy is very much alive.

It is his work and he chose to give it freely to others through an OSS
license. That doesn’t automatically grant anybody access to the original
project. If somebody wants and needs to keep updating it then they should just
fork it.

The left-pad issue is also different because in that case the original
maintainer took it down which broke a bunch of packages that had dependencies
on it. This project is still in the registry and it will still work as it is
for the foreseeable future.

~~~
juliansimioni
Here's a hypothetical, but extremely plausible scenario.

Let's say tomorrow a major security vulnerability is discovered in CoreJS. Full
root access because I'm making this all up.

NPM says core-js has 19k dependents, so it would be very preferable if an
X.Y.1 release could be pushed with a security only fix, to be picked up in as
many projects as possible.

In that case, I think it would be extremely reasonable for NPM to decide to
take action. For example, they could take the package over themselves and
publish a patch release.

Or they could temporarily add maintainership to a trusted member of the
community.

No solution is without problems in this scenario, but there would be good
arguments for either of those serious actions.
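
The trade-off raised in this thread, between locking a dependency to a version and wanting an X.Y.1 security release to reach as many projects as possible, can be checked per dependent. The following is an added example, not part of the thread and not code from core-js or npm: the dependent names and version numbers are constructed, only exact, `^` and `~` ranges are handled, and lockfiles are ignored.

```javascript
// Added example. Package names and version numbers are constructed sample data.
const parse = (v) => v.split('.').map(Number); // "1.4.1" -> [1, 4, 1]
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Classify a declared dependency range and report whether it admits `release`.
// Assumption: `release` is also what the "latest" dist-tag points at.
function classify(range, release) {
  if (range === '*' || range === 'latest') return { kind: 'floating', picksUp: true };
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) return { kind: 'unsupported', picksUp: null }; // git URLs, complex ranges
  const base = [Number(m[2]), Number(m[3]), Number(m[4])];
  const rel = parse(release);
  if (m[1] === '') return { kind: 'exact', picksUp: cmp(rel, base) === 0 };
  let upper; // exclusive upper bound of the range
  if (m[1] === '~') upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  const kind = m[1] === '^' ? 'caret' : 'tilde';
  return { kind, picksUp: cmp(rel, base) >= 0 && cmp(rel, upper) < 0 };
}

function audit(dependents, release) {
  return Object.entries(dependents).map(([name, range]) =>
    ({ name, range, ...classify(range, release) }));
}

// Constructed dependents of one library, and a hypothetical 1.4.1 security release.
const dependents = {
  'app-a': '^1.4.0',           // caret: accepts any later 1.x
  'app-b': '~1.4.0',           // tilde: accepts later 1.4.x only
  'app-c': '1.4.0',            // locked to one version
  'app-d': '^0.9.3',           // still on the previous line
  'app-e': 'latest',           // floats with every publish
  'app-f': 'github:user/fork', // not a registry version at all
};
const report = audit(dependents, '1.4.1');
for (const r of report) {
  const verdict = r.picksUp === null ? 'review by hand'
    : r.picksUp ? 'gets the fix on next install' : 'needs a manual bump';
  console.log(`${r.name.padEnd(6)} ${r.range.padEnd(17)} ${r.kind.padEnd(11)} ${verdict}`);
}
```

The locked and previous-line dependents are the ones a patch release never reaches on its own, while the floating one would also pick up any other publish, wanted or not.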

~~~
qeternity
You're conflating two things: the npm package, and the GitHub repo. In your
hypothetical, I agree with you that action would be needed: the repo should be
forked and patched, and NPM should publish the new release as the official npm
corejs package. This accomplishes the same while trampling as little
"ownership" as possible.

------
meritt
Can NPM not just override "core-js" when performing dependency resolution and
point to a maintained fork?

~~~
jakear
Would you want all packages you're responsible for being taken over by
whomever happens to be NPM's preferred forker in the event of your getting
into legal troubles? I'd be strongly against that.

This should be handled the way any other fork happens: people create forks,
other people audit them for stability and choose which to update their
dependencies to. This isn't up to NPM to decide.

~~~
waterfowl
Now Microsoft's preferred forker. Yikes!

~~~
battery_cowboy
I'd rather hear Microsoft's suggestions on libraries to use than some random
Joe Developer. They have/had unethical business practices, but their tech is
really good and they have very smart people working for them.

~~~
foepys
A lot of people are making fun of Microsoft but most of them don't know or
appreciate that you can run software compiled in the 90s on the most recent
Windows 10 1909 without problems. Microsoft's backwards compatibility is off
the charts.

Try that with macOS.

~~~
Zardoz84
Well... Windows 10 has the record of being the only Windows that breaks
backwards compatibility sometimes. I saw Visual Basic 5/6 applications
stop working because Microsoft broke something in an update.

Also, good luck trying to run any Windows 16 bit application on a modern
Windows 64 bit installation.

~~~
tim--
> Also, good luck trying to run any Windows 16 bit application on a modern
> Windows 64 bit installation.

The officially supported method is to have Windows 10 (32 bit) running in
HyperV. There is no 16 bit support in Windows 10 64bit builds.

------
ilyich
He will be able to maintain the repo. From the sentence [0] you can see that
he is sentenced to spend his term in an open prison [1] (Russian
колония-поселение).

It means he will be able to have internet access without any problems.

So no need to panic at all.

[0] [https://kraevoy--alt.sudrf.ru/modules.php?name=sud_delo&srv_...](https://kraevoy--alt.sudrf.ru/modules.php?name=sud_delo&srv_num=1&name_op=doc&number=1733512&delo_id=4&new=4&text_number=1)

[1]
[https://ru.m.wikipedia.org/wiki/%D0%9A%D0%BE%D0%BB%D0%BE%D0%...](https://ru.m.wikipedia.org/wiki/%D0%9A%D0%BE%D0%BB%D0%BE%D0%BD%D0%B8%D1%8F-%D0%BF%D0%BE%D1%81%D0%B5%D0%BB%D0%B5%D0%BD%D0%B8%D0%B5)

------
ssijak
What if the person lying on the road survived and the person driving the
motorbike died? Would the person lying on the road be charged for
manslaughter? And if yes, how is this situation different to shift the blame
from one person to another?

~~~
PeterisP
The court determined that in this case (on a marked pedestrian crossing where
pedestrians have right of way) the bike driver broke the rules of traffic as
he should have stopped before the crossing; and it did not determine that the
pedestrians broke the rules of traffic.

So if the person lying on the road survived and the person driving the
motorbike died, then it's plausible that the person lying on the road would be
_charged_ for manslaughter in order to determine the situation (I believe that
in case of fatal traffic incidents involving more than one party, in Russia
almost always a criminal investigation is opened) but would be found not
guilty.

------
fractalf
Don't panic! No need to bring out the towel, the dolphins aren't leaving just
yet. Someone else has access to this repo and stated that security fixes will
be maintained.

------
miguelmota
The CoreJS author blocked me and many other people on github for simply making
a suggestion to tone down the "looking for a good job" npm install logs
because it'll invoke other people to try the same thing which would result in
unnecessary log pollution. It seemed like strange behavior for someone
maintaining a very popular community driven project.

~~~
Strom
> _community driven project_

Check out the contributors page for this project. [1] This is not a community
driven project. It's a one man show.

--

[1] [https://github.com/zloirock/core-js/graphs/contributors](https://github.com/zloirock/core-js/graphs/contributors)

~~~
miguelmota
What I meant is that he implements features based on community feedback and
responses. The community was largely opposed to NPM install log ads but he
became pretty passive-aggressive towards people with opposing opinions.

