Fine Uploader is shutting down (github.com/fineuploader)
80 points by netham91 on Nov 25, 2018 | 58 comments



> I've grown tired of continuously defending my inactivity and decisions against trolls on Twitter, the issue tracker, and elsewhere. It's draining and I don't have the patience or energy to deal with it any longer. These same people expect to impose their short-sighted and non-generalized values and goals on a project for which they have contributed nothing and are not willing to maintain. The sense of entitlement from a small but vocal minority that do not understand FOSS and refuse to understand it is very much a concern, and I'm simply not interested in shrugging that off anymore.

In the last three days, I've been accused of my code not being open source and that I should remove all mentions of open source from everything I owned, because I simply haven't pushed to Github in a month or two.

This was joined by another user who claimed that the open source license legally forces me to make the 'secret' code I've been holding off public, which, again, does not exist, because the code on the repo was effectively current.

I've been working full time for the last 8 months, on my own savings, to provide a peer-to-peer mass communication tool, and I'm releasing it for free.

To say that this made me feel horrible for the past few days would be an understatement.


Sorry you feel bad. That really sucks to get messages like that. Personally, I'd just ignore the noise and focus on the good. Remember, it is far easier to be a keyboard warrior than it is to create something awesome.

People in the service industry see this all the time. A 1 star review on a restaurant really hurts. Everyone should know how much effort it is to run a restaurant and how much can easily go wrong... a bad review is really disheartening.


Thank you. I understand these folks are few amongst many, but boy, when you don't hear from the many, only from the few, it makes you think whether this was a mistake.

Regardless, I've removed all mentions of open source from my product (but kept the license unchanged), just so I won't have to deal with this again.


Don't feel horrible.

Just because you wrote some open source at some time doesn't mean you have to open source everything you ever write.

No one can demand what you do with your free time, if they could it wouldn't be "free time".


Certainly people can demand that. It's easy and simple to make that kind of demand. That's why this is a problem — nowadays we have convenient peer-to-peer communication, and there's a set of people who receive a significant amount of verbal manure, but don't have the professional filter staff of most public personae, so they have to deal with the manure themselves.

http://jeff-vogel.blogspot.de/2014/02/why-indie-developers-g... BTW. And https://i.imgur.com/bAHVu48.jpg too.


Ok, I didn’t mean it’s impossible for someone to ask you to do something during your free time in a demanding tone. For example Arnt, get over here and make me a coffee...

But we have this word called No. Maybe it’s down to my personality but I have no problem telling people NO or when I’m in a mood to fuck off or when I’m feeling more professional to just reply with “Where shall I send the estimate?” Basically “Fuck you, Pay me...”.

But the ability to ignore the idiots comes probably down to volunteering my free time as a teenager coding and managing player-run games. The players took the game incredibly seriously, to the point I got harassed because I took action on a player for breaking the rules (issued a temporary suspension from the game), on IRC, on the forums, getting called a bad staff who should be ejected by the other staff. It got to me a little, until I told the other staff; it was they just felt “I was handling it”. Once they knew they reassured me that they had no intention of doing so (kicking me off the team) and if they continued to feel free to delete their account off the game. I learned that they are not worth the stress and so not to give them the time of day, don’t rise to them because at the end of the day, they are not worth it.

So these days I just get on with something else or tell them “sure... but you gotta pay.”.

What I mean is, once someone is demanding of your time then you have to get something of worth in exchange.

In a relationship it’s the joy of having someone in your life to share things with and who can help you improve who you are. At work in exchange for being a code monkey you receive monetary compensation.

In open source it’s kind of a mix of both: it’s the joy of helping others, either today or later down the road.

If someone is taking that joy away, they are taking away your incentive to work on that project so in exchange you have the right to change what you are getting out of the deal. Take your estimated time to do what they are asking, multiply by a figure per hour you’re happy with, multiply that by 3 (as these things always run over and there will always be support requests down the road), add on what the tax man will take off you and quote them that.

If they are happy to pay, awesome, take a deposit, and tell them you will start on their changes next week. If not tell them they will have to wait like everyone else.

If they continue to be an arsehole then handle it just like you would any other child throwing a tantrum, stay calm and ignore the behaviour.

Edit: I’m not saying it’s not stressful or my way of handling it is the best way for everyone, just it’s the method I use to deal with such “children”. I understand the mental strain it can cause. I’m just saying that the person doesn’t have the right to demand your time or attention (including the time you’re thinking about them offline).


Your product is wonderful, and arguably if you'd just had the conversation on Aether instead of Github, the moderation tools you've spent so long building would have prevented you seeing that crap. Respect.

Building is hard. Listening to your customers is hard. But criticism is easy, and it hurts even when it shouldn't - take it from another builder. Deep down you have a massive moral high ground - it's a shame the human psyche can't internalise that against these stone-throwers.


This. Years ago I had the same problem with people making unreasonable demands within the first week of open sourcing, despite clearly marking it Alpha and versioning it as 0.0.n. I closed the whole project in disgust.

My advice would be to not take the road I took, but to realise that there will always be impatient people desperate for the free solution that you're providing -- it'll be better for your soul to be forgiving (I say this in hindsight). Don't let yourself get caught up in their dramas, but calmly instruct them to what FOSS is about.


Don't feel bad about ignoring stupid emails. Your skin will become thicker.


Not emails, these were public.


Could you block the people who post crap like that?


When you read it, it’s too late. You generally don’t respond, but I didn’t even know I shouldn’t have. I’m very much a beginner at being in the spotlight.


> I lack the free time at this point in my life to continue to maintain and develop a project of this scale, and the codebase has languished for a little while already.

> I've grown tired of continuously defending my inactivity and decisions against trolls on Twitter, the issue tracker, and elsewhere. It's draining and I don't have the patience or energy to deal with it any longer. These same people expect to impose their short-sighted and non-generalized values and goals on a project for which they have contributed nothing and are not willing to maintain.

> The sense of entitlement from a small but vocal minority that do not understand FOSS and refuse to understand it is very much a concern, and I'm simply not interested in shrugging that off anymore.

Not familiar with this project but would like to thank the author as well as all the other amazing open source contributors in the world for doing something that made/makes the world a better place.

I dream of a day when we have a solution to these problems. Where an engineer can get paid as much as they would at a job to fix those issues people raise. A platform that also allowed creators to block people who are clueless and unkind.

Some day we as a community will figure it out.


I think the correct way to view this is as a courtesy notice that "Hey, that thing you might have used for free is being discontinued." That's it.

There is zero reason to expect FOSS developers to be schooled in good PR or something. He may think that spelling out his logic for his decision is useful information to other people. He may even be right about such an assumption.

I would not infer that he is intentionally being petty, kvetching per se, etc. It might be accurate, but who cares? He published a courtesy notice. He could have shut it down with zero announcement.

I am reminded of this comment I made 3 months ago:

https://news.ycombinator.com/item?id=17824166


Disclosure: I work on a ‘competing’ file uploader.

I’d like to thank Richard for the relentless efforts in pioneering this robust uploader. As a member of the Uppy team I have had the pleasure of a few encounters with him where he advised us on e.g. saving directly to s3. I regard him more as a bright peer than a competitor; the ecosystem is large enough that we can afford that luxury. And I guess being in open source helps. Like, I don’t suppose there’s a cutthroat mentality between Linux and FreeBSD contributors for instance :)

I can relate to the gh-issue fatigue becoming unbearable if you yourself no longer have a need, or a way to make it into a sustainable career. Worse: others are building businesses with your free product and make wild demands. Our team is fortunate enough that our own business can benefit from Uppy and so that we can allocate paid-for time; but if all that effort has to come from your spare time, that could also have been spent on your family or making money to feed them... the weight really adds up and wears you down.

So: Much respect for keeping it up for so many years, breaking new grounds, and being a big inspiration to us.


Of course it is Ray and not Richard, I am sorry. It is too late to edit now. Should know better than to post on the move :o


This is Ray. I'm trying to lay low after archiving my project as I really just want to move on at this point, but I couldn't help myself and read some of the comments here anyway. Thanks for this, Kevin. Uppy is a fantastic library and I wish you and the rest of the Transloadit team the best. If I were looking for an enterprise-class upload library in the future, I'd absolutely choose Uppy at this point.


The sense of entitlement people have of open-source projects is ridiculous, ESPECIALLY if they haven’t contributed to it.


I couldn't agree more.

However, couldn't this project have been handed off to new owners or simply left dormant rather than be archived? I guess it can be forked, but the upgrade path for existing users would be less clear.


https://github.com/FineUploader/fine-uploader/issues/1881 was open for more than a year. There were some proposals, but I assume that all of them imposed conditions that the author considered unacceptable.

For such a large project, there is no such thing as dormant, only rotting. Archiving makes this status clear to potential users.


Judging by the github contributors page there were really only 2 major contributors (including the author), so slim pickings to find a new leader.


What is this comment in response to?


>I've grown tired of continuously defending my inactivity and decisions against trolls on Twitter, the issue tracker, and elsewhere. It's draining and I don't have the patience or energy to deal with it any longer. These same people expect to impose their short-sighted and non-generalized values and goals on a project for which they have contributed nothing and are not willing to maintain. The sense of entitlement from a small but vocal minority that do not understand FOSS and refuse to understand it is very much a concern, and I'm simply not interested in shrugging that off anymore.


Thanks! I read it a couple of times and missed it each time. It was before my coffee, so I guess I'll blame that.


It's from the announcement:

> These same people expect to impose their short-sighted and non-generalized values and goals on a project for which they have contributed nothing and are not willing to maintain. The sense of entitlement from a small but vocal minority that do not understand FOSS...


Somewhat related : are there any guides/tutorials about how to do secure file uploads in webapps and how to avoid obvious security pitfalls?

Reading the Django docs https://docs.djangoproject.com/en/2.1/topics/security/#user-... , specifically,

>Django’s media upload handling poses some vulnerabilities when that media is served in ways that do not follow security best practices. Specifically, an HTML file can be uploaded as an image if that file contains a valid PNG header followed by malicious HTML. This file will pass verification of the library that Django uses for ImageField image processing (Pillow). When this file is subsequently displayed to a user, it may be displayed as HTML depending on the type and configuration of your web server.

is a little concerning. They recommend serving images from a different domain and whitelisting file types. Is that enough? Does anything else need to be done to improve security? Does handling uploads alone give attackers an RCE opportunity, or is it safe to handle files on the server and then upload to aws s3?


Some (but probably not an exhaustive list) of pitfalls:

* Filename: Either force random data or only allow a whitelist through. Do not trust unknown character ranges.
* File-existence: Never overwrite files; resumed uploads should be handled VERY carefully (it's easier to just not).
* File-extension: (I) do not care; security design should never trust this data anyway.
* File-size: You don't have control of this on the host?
* Disk space: It might be a good idea to reserve at least some of this, or set a maximum ingress pool size.



Thanks for that, great read.

I think for my use case going with s3 will be easier and better for security. So how do I actually do it? Let users directly upload to s3 and have a lambda function call my server to store the url? If the image file is maliciously crafted, how does using s3 help, especially when serving the content? How can I set the headers when serving images from s3? And is there a way to identify that a specific user uploaded this file, so that I can have rate limiting? Is it possible to generate a signature or something to identify a user that I can decode server side to say "ok, this user uploaded the file and he is who he says he is". Maybe sign using the cookie that django sets for each user?


There are a few options, such as using AWS Cognito, or signed requests. I personally use signed requests, which allow you to specify where and what type of files are allowed to be uploaded. First the user asks my server for a policy and signature, then uploads directly to S3, then sends another request to my server when done. My server will then verify and process the uploaded files.

Likewise requests can also be signed so you can implement rate limiting on your side, and just allow S3 to serve the payload. Or you can do things like use Cloudfront to serve the objects, which can use various methods of authentication such as signed cookies, or Lambda functions.

Headers can be set in the S3 object metadata.


Thanks for the explanation. Follow up question : how did you implement the signed cookies part?


Use the aws sdk to generate credentials on your server, and pass the returned creds to your frontend. The request to generate the credentials allows you to lock down the size and type of file. They can go directly into a form or be used in javascript. Lots of github libs and stack overflows go into more detail. https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingH...
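The flow the two comments above describe (server issues a policy and signature, browser POSTs the file straight to S3, server is notified afterwards), as an added example that is not the commenters' code: it builds an S3 browser-POST policy signed with SigV4 and pins the bucket, an object key under the requesting user's prefix, the Content-Type and a size range, so the browser cannot change any of them. The access key, secret, bucket and region are constructed placeholders.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json
import secrets
from typing import Dict


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signing_key(secret_key: str, date: str, region: str) -> bytes:
    """Derive the SigV4 signing key for S3 on a given YYYYMMDD date."""
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def build_presigned_post(access_key: str, secret_key: str, region: str,
                         bucket: str, user_id: str, content_type: str,
                         max_bytes: int, now: dt.datetime,
                         ttl_seconds: int = 300) -> Dict[str, str]:
    """Return the form fields a browser must POST to S3 for one upload.

    The server chooses the object key (under the user's own prefix) and
    the policy fixes bucket, key, Content-Type and a content-length range;
    S3 rejects any POST whose fields do not satisfy these conditions.
    """
    date = now.strftime("%Y%m%d")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    credential = f"{access_key}/{date}/{region}/s3/aws4_request"
    # Random key chosen server-side: the user never influences the path.
    key = f"uploads/{user_id}/{secrets.token_hex(16)}"
    expires = now + dt.timedelta(seconds=ttl_seconds)
    policy = {
        "expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": bucket},
            {"key": key},
            {"Content-Type": content_type},
            ["content-length-range", 1, max_bytes],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(
        json.dumps(policy).encode("utf-8")).decode("ascii")
    # The signature covers the base64 policy, so any edit invalidates it.
    signature = hmac.new(sigv4_signing_key(secret_key, date, region),
                         policy_b64.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "key": key,
        "Content-Type": content_type,
        "policy": policy_b64,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
        "x-amz-signature": signature,
    }


if __name__ == "__main__":
    # Constructed placeholder credentials; the secret never leaves the server.
    fields = build_presigned_post("AKIAEXAMPLE", "secret-example", "us-east-1",
                                  "bucket-example", "alice", "image/png",
                                  5 * 1024 * 1024, dt.datetime.utcnow())
    print(json.dumps(fields, indent=2))
```

The returned dict plus the `file` field is the multipart form the browser posts to the bucket URL; the secret key stays on the server and only the signed policy is handed out.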


On your server, send "X-Content-Type: nosniff" and make sure the right Content-Type is returned by the server. This will prevent browsers from loading an image file (Content-Type: image/png) as anything other than an image.
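The pitfalls listed earlier in this subthread (random filenames, never overwriting, ignoring the extension, capping size) together with the serving headers just mentioned, as an added example that is not any commenter's code: a small upload sink that only trusts the file's leading bytes against a type whitelist, streams to a random name opened with O_EXCL, aborts and cleans up on an oversize body, and returns the headers (Content-Type plus X-Content-Type-Options: nosniff) to use when serving the file back. Limits and the type whitelist are constructed for the example.

```python
import os
import secrets
from typing import BinaryIO, Dict, Optional, Tuple

# Constructed limits; size them for the deployment.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
CHUNK_SIZE = 64 * 1024

# Whitelist of accepted types keyed by magic bytes. The client-supplied
# filename, extension and Content-Type are never consulted.
MAGIC_TO_TYPE = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


class UploadRejected(Exception):
    """Raised when an upload violates one of the rules above."""


def sniff_type(head: bytes) -> Optional[str]:
    """Return the whitelisted Content-Type for these leading bytes, or None."""
    for magic, ctype in MAGIC_TO_TYPE.items():
        if head.startswith(magic):
            return ctype
    return None


def store_upload(stream: BinaryIO, upload_dir: str,
                 max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[str, str]:
    """Stream an upload to disk under a random name; return (name, type).

    Rejects non-whitelisted types and oversized bodies, never overwrites,
    and removes the partial file when it aborts.
    """
    head = stream.read(16)
    ctype = sniff_type(head)
    if ctype is None:
        raise UploadRejected("leading bytes do not match a whitelisted type")
    name = secrets.token_hex(16)            # random, unrelated to user input
    path = os.path.join(upload_dir, name)
    # O_EXCL makes creation fail if the name already exists (no overwrite).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(head)
            written = len(head)
            while True:
                chunk = stream.read(CHUNK_SIZE)
                if not chunk:
                    break
                written += len(chunk)
                if written > max_bytes:     # enforce the cap while streaming
                    raise UploadRejected("upload exceeds size limit")
                out.write(chunk)
    except UploadRejected:
        os.unlink(path)                     # do not leave partial files behind
        raise
    return name, ctype


def serving_headers(ctype: str) -> Dict[str, str]:
    """Headers to send when a stored file is served back to a browser.

    A magic-byte check alone still admits the file the Django docs describe
    (valid PNG header followed by HTML), so the explicit Content-Type plus
    nosniff is what keeps a browser from rendering it as HTML.
    """
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }
```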


Thank you for Fine Uploader. It's been really helpful.

A my-fault anecdote: I submitted a PR for a minor new Fine Uploader feature, and when a few followup questions were asked about documenting the new feature, I never got around to completing the tasks.

So, at least in my case, I intended to contribute and did "most" of the work, but failed to make the time to bring my PR over the finish line. Perhaps there were a bunch of well-intentioned-but-ultimately-not-usable contributions like mine, and maybe they also contributed to the frustration.

I try (but sometimes fail) to remember that so, so much of the stuff I use every day to maintain my livelihood was created by others, for the free use of others. But it's such an embarrassment of riches that sometimes one forgets to be thankful and that's when the feeling of open-source entitlement sets in (at least that's how I see it).

In the past I maintained a bunch of little plugins that got a decent amount of use, but it was a long time ago (1990's) and I think the culture was different. There was some criticism, but most people were very appreciative and if there was something they wanted added etc, they would just solve it on their end without any complaints or drama. There was no PR type workflow, arguments over licensing, or expectation of awesome docs/support for a free thing. I'm not saying I want to go back to that per se, but when I think about maintaining that type of project now, it sounds fatiguing instead of exciting.

Not sure what my point is... I guess just to say thanks and that I can totally understand why you'd want to stop supporting the code. But it is used and appreciated, and the fact that you nurtured it for so long is an achievement on its own. Cheers!


Has anybody written a guide on how to survive having a successful open source project?

I happened to have something [1] get a little usage recently and it took effort not to get sucked in. There were people with questions and needs! And I like helping people! But I also have a life to lead, so I set myself some clear boundaries and worked to consciously accept that the project wouldn't operate at the standards I'd have for myself if it were my job.

It occurred to me that when I got started in the industry I didn't have the boundary-setting skills I do now, and that I easily could have worked too hard and too long, burning myself out, especially if my project were as popular as this was. It'd be nice to have a guide from OS project leads on ways to keep the project sustainable over the long term.

[1] https://github.com/wpietri/sucks


> Has anybody written a guide on how to survive having a successful open source project?

No need for a guide. Close the issue tracker. Only accept pull requests, problem solved.


I don't think that's a very good approach.

The contributors I got for my project all first appeared in the issue tracker and we had a few interactions before they decided it was worth their time to write code. That makes sense to me. I would be unlikely to submit a pull request until I was reasonably sure that it was welcome and that the person receiving it would be a good person to collaborate with.


> I would be unlikely to submit a pull request until I was reasonably sure that it was welcome and that the person receiving it would be a good person to collaborate with.

The person you collaborate with does not owe you anything, and it goes both ways. If a PR is rejected, then its author is free to fork the project. But you can't have it both ways: you can't complain about people potentially abusing issues and then think there is a special technique to limit the problem while keeping an issue tracker open, because there isn't.

Closing the issue tracker will ensure only people capable of fixing issues will collaborate on a project.


I understand the theory you're expressing, I just think it's pretty far from optimal.

Closing the issue tracker might have the effect you describe, but will also unnecessarily alienate people who would be excellent contributors with a very moderate investment.

I personally didn't "complain about people potentially abusing issues", so I'm not sure where that's coming from. What I'm interested in is helping less experienced project maintainers find healthy ways to cope with having a successful project.

But given your confidence on the topic, surely you can show us the successful open source project you are running along these lines?


I also like the "just give maintainer rights to people who submit good PRs" approach I have heard of. Used it successfully on one of my open source projects that I no longer cared about.


Does anyone know of an alternative to this library?


Disclosure: I’m on the Uppy team but you may want to check it out https://uppy.io.

I think we have feature parity, or close to that. Any extra feature is either opt-in or can be opted out of


Thanks, I will look into this then.


The best is probably Dropzone, but it doesn't have support for Amazon or some of the other features this does.

My impression is that until fetch supports cancel and upload progress, work on such libraries is going to have to be at least partly redone soon, and that has got to put a damper on contributions.


> but it doesn't have support for Amazon or some of the other features this does.

That's actually the reason why I chose fine-uploader. I will try to dig more then.


At the risk of sounding uncaring or such...

Ok?

I mean I don't get why the owner didn't try to find someone else to graciously take the reins without a fork (maybe they tried and couldn't find anyone?), but I don't get the dramatic post and very "taking my ball and going home" tone I'm getting.

Again, maybe it's just me looking to wrongly but when 4 out of 6 reasons are referring to yourself and not the project...

The bit about having to defend yourself on Twitter, I guess I don't know this person and how bad they have it, but I find it hard to imagine someone just inundated with Twitter noise over a library to the point they need to walk away in such an abrupt manner, like taking the slightest amount of time to transition would be life ending (definitely get not wanting to deal with noise over free work, but this is a known problem and they could have started a conversation about that), and I definitely don't see how this will reduce the amount of attention they get...


Why even bother being on Twitter? I keep hearing developers encouraging each other to be active on Twitter, but who gives an actual fuck what goes on with Twitter? All it seems to do is generate drama on every front. Do developers(or anyone) really need to be on there? If I were the owner, I would have just closed my Twitter account in the face of demanding freeloaders.


Who, indeed.


I respect their right to be on Twitter in peace, but yeah I'd probably block users before I'd list Twitter complainers as a reason how I'm closing the lock on a popular library and throwing away the key instead of just walking away yourself... because that's definitely one way to get a lot of people (imo rightfully) complaining about what you did.

Also kind of kills your credibility in the future. Walking away over toxicity is fine, doing it like this? Not so great. (of course there's something especially egregious we don't know about, but they're laying a lot out in that post, I'd expect to see it there...)


> Also kind of kills your credibility in the future. Walking away over toxicity is fine, doing it like this? Not so great.

Credibility, yeah. Sure, this guy gave away his work for seven years but can we trust him to work for free in the future?


Exactly.

Because every day millions of people give away their work.

I give away my work. I've dealt with rude people using software I made since I was pretty much a kid, those people didn't know who their vitriol was directed at.

What makes this guy so special that to spite the vitriolic subset of all users he gets to be the one who throws a wrench in a project?

I said this in a comment below:

You think the kind of person who would insult a library maintainer on Twitter is going to read his Github issue?

"Oh it stopped getting updates" "Good, now my code won't break anymore!" "Security vulnerabilities in libraries? What?"

He's literally only spiting the very people who make projects like this worthwhile, the kinds of people who would want to submit PRs, make useful issues, and people with a genuine interest in the project, exactly what he's saying he lost.


Block only works after you know which users. At a certain scale it stops being “particular people get a grudge against you” and becomes “they're acting this way out of being in a particular cultural milieu and set of expectations”, and trying to block that is like trying to block the tide one water droplet at a time.


The creator made their work available for free. Sorry you don’t enjoy that they decided to stop doing that, for this project, in a way you don’t find agreeable.


You write as if he's obligated to continue to work for free...


Explain how me saying "he should walk away without archiving the project" equates to he should continue to work for free?


It seems like the owner was trying to find someone for over a year and nothing panned out:

https://github.com/FineUploader/fine-uploader/issues/1881


Looks like the opposite? Thread ends with saying someone new is taking the reins, that person is part of the FileUploader organization, there's even a commit to formally end the search made that same day...


> I don't get why [...] I find it hard to imagine [...]

Perhaps consider that your failure to understand how this person feels the way they do is just that: your failure.

It makes sense to me, though. I've burnt out before, and I know what that feels like. Open-source work can feel entirely thankless, and rarely pays the bills. It's very easy to get sucked into working hard to serve others while getting little in return.

He spent 7 years giving people a free gift. People should be grateful. But instead, as you so clearly demonstrate, people can easily be clueless and entitled, demanding more work and criticizing people they have no standing to criticize.

If you really think somebody should maintain this library, it's right there. Fork it and show us how a project really should be run. And if you won't, maybe reflect on why you think he's obligated to labor for free to live up to your standards when you won't live up to your own.



