
The rise of few-maintainer projects - tosh
https://increment.com/open-source/the-rise-of-few-maintainer-projects/
======
dustfinger
> The code, intended to steal users’ bitcoin wallets, had been injected by an
> unknown developer with the username right9ctrl. That person had gained
> commit access from event-stream’s author, Dominic Tarr, simply by asking for
> it. To many angry users, this was the equivalent of opening one’s front door
> to the first stranger who knocked, then grabbing one’s coat and leaving for
> the day.

No. A better analogy would be that a weary volunteer potato farmer for a large
community garden is approached by a member of that community who also has
potato farming skills. The community member tells him that he wishes to take
over maintenance of the farm. The weary volunteer accepts the community
member's offer and leaves the farm in the new volunteer's hands. The weary
farmer returns to his home and pursues other things. Meanwhile, the community's
new potato farmer turns out to be malicious. Keep in mind that more than 99% of
the time these volunteers just want to give back to the community.

It is nothing like giving up the keys to your home. It is like giving up
volunteer work to another volunteer, because that is exactly what it is.

~~~
tuesdayrain
In my opinion the farm analogy doesn't work because you can't fork a farm and
continue working where the original left off. In my opinion Dominic should
have simply stopped maintaining the package, and maybe added a message stating
that the package is no longer being maintained. If someone wants to take over
then they would need to fork it. That would force people to consciously switch
to the newer forked versions and there would be no surprises about a new
maintainer suddenly inserting malicious code.

~~~
zzo38computer
That is what I do too. (I also do not give commit access to anyone else, but
do accept patches after I review them. However, nobody ever sends patches or
other stuff, but if they did, then I will read them. I do, however, allow
others to edit the documentation, just not to edit the code itself.)

------
pjc50
The event-stream incident shows that npm has restructured the way projects
work: rather than an end-user choosing a _few_ pieces of software, each of
which has a lot of maintainers, they install a huge number of very small
packages each of which has a very small number of contributors. The "unit of
contribution" is not a pull request or commit but spawning a new micro-project.

Community management and vetting remain hard problems that aren't fun to
volunteer to work on for many developers, so they are neglected.

~~~
gtirloni
And some people are complaining that Python has too many batteries. I'll be
happy when I can depend only on the stdlib, which I expect to have a better
reviewing process than a thousand random projects.

------
chasote
I'm curious how the new GitHub Sponsors development plays into the one or very
few maintainer "issue." My gut instinct tells me it will be an added incentive
to keep the governance of such projects small or solo because how do you deal
with distributing the funds over numerous maintainers with vastly different
levels of contribution? I guess one could argue that a project valuable enough
to attract a large sponsorship would also be too unwieldy for some to handle
alone.

But I haven't given that much critical thought and I hate to default towards
cynicism immediately after getting presented with a way to help get open
source developers some financial support.

~~~
skybrian
I agree, it would tend to encourage a smaller core team and a larger number of
unpaid contributors. But this is often a workable model. I don't think most
drive-by contributors expect to be paid and that seems... fine?

------
TAForObvReasons
The problem with this type of analysis mirrors that of Wikipedia:

[http://www.aaronsw.com/weblog/whowriteswikipedia](http://www.aaronsw.com/weblog/whowriteswikipedia)

> Almost every time I saw a substantive edit, I found the user who had
> contributed it was not an active user of the site. They generally had made
> less than 50 edits (typically around 10), usually on related pages. Most
> never even bothered to create an account.

Pandas might have had 4 core maintainers as measured by commit count, but the
actual work might have a much larger outside influence.

------
skybrian
I'm reminded of Wikipedia and drive-by edits. When each repo is so small
(equivalent to a single article on Wikipedia, or even less), it seems like
they should be part of larger organizations with a bit more bureaucracy and
guidance?

~~~
yhoiseth
Yeah, like [https://thephpleague.com/](https://thephpleague.com/).

~~~
anewhnaccount2
Also [https://www.codeshelter.co/](https://www.codeshelter.co/)
[https://jazzband.co/](https://jazzband.co/)

