No. A better analogy would be that a weary volunteer potato farmer for a large community garden is approached by a member of that community who also has potato farming skills. The community member tells him that he wishes to take over maintenance of the farm. The weary volunteer accepts the community member's offer and leaves the farm in the new volunteer's hands. The weary farmer returns to his home, and pursues other things. Meanwhile, the community's new potato farmer turns out to be malicious. Keep in mind that more than 99% of the time these volunteers are just wanting to give back to the community.
It is nothing like giving up the keys to your home. It is like giving up volunteer work to another volunteer, because that is exactly what it is.
But in this case, it's not "a member of that community who also has potato farming skills", it's an absolute nobody, who you haven't seen doing any farming, or eating, before. It's a big world, there are crazies out there, they show up every once in a while.
And finally, it's the internet, it's not really like anything that came before. You can be more trusting in a small town than in a big city. The internet is 1000 times bigger than the biggest city, it's a whole new kind of thing. If 99.9% of people out there have good intentions, that still leaves millions of people on the internet trying to figure out a way to take advantage of you.
But without making it clear to anyone else in the volunteer community that that's what you've done. In other words, using your garden analogy, a weary volunteer potato farmer whose potatoes feed a lot of people is approached by another volunteer who wants to take over maintenance of the potatoes. The weary volunteer gives it to him, but doesn't tell any of the people who rely on his potatoes for food. The new volunteer puts a harmful substance in the potatoes and lots of people get very sick, because they thought the potatoes were still being maintained by the first volunteer, who they knew and trusted; they had no idea that the potatoes were now being maintained by a newcomer who they didn't know and whose trustworthiness they had no way to evaluate.
You mean like pretty much 100% of everything else going on in a typical open source community?
I’d wager at least 99.99% of the users don’t even know who or how many people maintain a piece of software, nor if updates are based on external patches or (core) internal development.
They just sit there entitled and expect free (gratis) software which works for them without providing anything in return.
I’m not saying that because I’m a bitter maintainer, but it’s just a fact of life.
You couldn't inform these users about any changes at all even if you wanted to, because they’re simply not involved and they never will be.
Anyway, if they cared, if they were somewhat involved, they would know. As it stands, it’s their own fault for blindly trusting random code from the internet.
And really: mostly changing maintainer for a new, more motivated one usually works out better, even for these users, so why should the burnt out previous maintainer feel bad about this?
I'm not talking about users. I'm talking about other developers who are using the package, and who deserve to know when the package's maintainer changes.
> it’s their own fault for blindly trusting random code from the internet
Developers aren't trusting random code from the internet; they're trusting a particular package maintained by a particular person who, from past experience, they have reason to trust. But if that maintainer hands the project over to someone else without telling all those other developers, that's betraying the trust those other developers put in that maintainer.
> mostly changing maintainer for a new, more motivated one usually works out better, even for these users, so why should the burnt out previous maintainer feel bad about this?
Because it's the previous maintainer's job to tell other developers when he turns over the job to someone else. Failing to do that means the previous maintainer is basically saying what you said above: it's those other developers' own fault for blindly trusting my code, hahaha, sucks to be you. Is that the ethos you want other open source developers to follow?
It wasn't Dominic's job, because you (and everyone else!) weren't paying him.
He didn't just post the code on github; he had publish rights on npm, which is where node developers are supposed to publish code they want other node developers to use. Lots of other node developers used it. Then he gave the publish rights on npm to someone else and didn't tell anyone.
If you're entirely ok with that, you're basically telling any node developer not to trust npm. Which basically breaks all of node development. Is that your intent?
> It wasn't Dominic's job, because you (and everyone else!) weren't paying him.
I see you are not clear on the concept of a volunteer job. If lots of people use your code and you don't give them any indication that (a) you're no longer actively maintaining it (as someone noted in the github comment thread, he could have archived the repo long before this happened since he was no longer actively maintaining it and hadn't been for years), and (b) that you gave the npm publish rights to someone else, then, whether you like it or not, it was your job and you failed to do it. You made a promise to all those other developers and then you broke it.
If your argument is that nobody will do open source development for free under those conditions, then there is a lot of evidence over the past few decades to prove you wrong. But nobody is forcing you to do open source development for free under those conditions. It's everyone's free choice whether they're willing to put their code out there and whether they're willing to actively maintain it for free once it's out there. What you can't do is change your mind and not tell anyone. If Dominic realized that he didn't want to commit to maintenance for lots of developers for free, he should have archived the repo to make that clear.
Literally not according to you. One 'git push origin master' and our contributor has signed up to your requirements.
Dominic made no promises to anyone -- he offered the world something and said they could use it if they wanted. Full stop.
I made no such claim. Did you read what I actually wrote?
> Dominic made no promises to anyone
Not by putting his code up on github, no. But that's not all he did.
> Not by putting his code up on github, no. But that's not all he did.
I don’t see how putting your code on npm is fundamentally any different.
No one is entitled to free maintenance of gratis software forever, just because someone once said “npm publish”.
That’s not how open source works. It works by people contributing and getting involved, as opposed to entitled freeloading.
I have made no such claim. If he didn't want to maintain it any more, he could have said "npm deprecate" and that would have been fine.
What's not fine is to say "npm publish", then actively maintain the software for years, then decide you don't want to any more (which, in itself, is fine, it's your choice how much effort you want to put in), but not tell anyone, not deprecate, not send any signal that you have changed your commitment to the package--and then hand over publish rights to some random person who emails you, also without telling anyone.
If you think that is fine, then, as I said several posts upthread in response to another poster, you've basically said no developers should ever trust npm, because people who say "npm publish" are making no commitment whatever, not even to say "npm deprecate" if they don't want to maintain the package any more, or to tell anyone if they decide to hand maintenance over to some other random person. That is not how open source works.
Nobody should. At least not blindly. You should check what updates are and who made them. On every update.
Anything else is irresponsible and your own god damn fault when things go wrong.
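As an added example (not code from the thread): the check the comment above describes, a small script that reads an npm registry package document and flags versions published by an account that had never published the package before, and past publishers who are no longer listed as maintainers. The packument is constructed sample data with placeholder names; the field layout (`versions[v]._npmUser`, `maintainers`, `time`) follows what the registry returns.

```javascript
// Constructed sample in the npm registry packument shape; names and dates are invented.
const SAMPLE_PACKUMENT = {
  name: "example-stream",
  maintainers: [{ name: "newcomer", email: "newcomer@example.invalid" }],
  time: {
    created: "2018-06-01T00:00:00.000Z",
    "3.3.4": "2018-06-01T00:00:00.000Z",
    "3.3.5": "2018-09-09T00:00:00.000Z",
    "3.3.6": "2018-09-16T00:00:00.000Z",
  },
  versions: {
    "3.3.4": { version: "3.3.4", _npmUser: { name: "original-author", email: "o@example.invalid" } },
    "3.3.5": { version: "3.3.5", _npmUser: { name: "newcomer", email: "newcomer@example.invalid" } },
    "3.3.6": { version: "3.3.6", _npmUser: { name: "newcomer", email: "newcomer@example.invalid" } },
  },
};

// Order versions by publish time from the registry's `time` map, not by version string.
function versionsByPublishTime(pkg) {
  return Object.keys(pkg.versions)
    .filter((v) => pkg.time && pkg.time[v])
    .sort((a, b) => Date.parse(pkg.time[a]) - Date.parse(pkg.time[b]));
}

// Versions whose publisher had published no earlier version of this package.
// The very first version is exempt; a missing _npmUser is reported as publisher null.
function firstTimePublishers(pkg) {
  const seen = new Set();
  const flagged = [];
  for (const v of versionsByPublishTime(pkg)) {
    const user = pkg.versions[v]._npmUser && pkg.versions[v]._npmUser.name;
    if (!user) { flagged.push({ version: v, publisher: null }); continue; }
    if (seen.size > 0 && !seen.has(user)) flagged.push({ version: v, publisher: user });
    seen.add(user);
  }
  return flagged;
}

// Accounts that published some version but are no longer in the maintainers list:
// the signature of a handover like the one discussed in this thread.
function formerPublishersNoLongerMaintainers(pkg) {
  const current = new Set((pkg.maintainers || []).map((m) => m.name));
  const past = new Set(
    Object.values(pkg.versions).map((m) => m._npmUser && m._npmUser.name).filter(Boolean)
  );
  return [...past].filter((name) => !current.has(name));
}
```

A real document in this shape comes from `https://registry.npmjs.org/<package>`; running both functions on it before each upgrade gives the "who made this update" answer the comment asks for.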
> That is not how open source works.
npm is a proprietary package-repo and has nothing to do with how open source works. You can also easily publish proprietary packages using npm.
Ok, thanks for putting everyone on notice.
> npm is a proprietary package-repo and has nothing to do with how open source works.
So event-stream is not open source?
I hate it, but this is what we have made it. I hope that we aren't getting riddled with backdoors and keyloggers and miners, but I wouldn't want to lay money against it.
I wonder if the node community will ever revert on the terrible idea that single functions should be separate packages.
I bet moving away from that model would make node dependencies much more sustainable.
False dichotomy. Developers are users too.
And trusting random code from the internet is still irresponsible as a developer, maybe even particularly as a developer.
> Developers aren't trusting random code from the internet; they're trusting a particular package
Let’s be honest. They did an act of “npm install gratis shit”, and they don’t give a shit where that code comes from. I.e. blindly trusting code from the internet.
If they expect more without getting involved, they are by definition acting entitled.
But most users are not developers, and "developer" is the relevant category here, not "user". So saying "user" is inaccurate.
> They did an act of “npm install gratis shit”, and they don’t give a shit where that code comes from. I.e. blindly trusting code from the internet.
I'm not unsympathetic to this. However, even if other developers were at fault, that doesn't mean Dominic wasn't. Not deprecating the package, and not telling anyone when he handed over the publish rights to a random person who emailed him, is still wrong even if the developers who used his package were wrong as well.
I don't know what is more unethical, the backdoor or the blind distribution of the backdoor.
Community management and vetting remain hard problems that aren't fun to volunteer to work on for many developers, so they are neglected.
But I haven't given that much critical thought and I hate to default towards cynicism immediately after getting presented with a way to help get open source developers some financial support.
> Almost every time I saw a substantive edit, I found the user who had contributed it was not an active user of the site. They generally had made less than 50 edits (typically around 10), usually on related pages. Most never even bothered to create an account.
Pandas might have had 4 core maintainers as measured by commit count, but the actual work might have a much larger outside influence.
You mean like publishing a coherent library-package, rather than a million independent function-packages?
We know how to do this, but the Node-community just won’t have it.
Would make sense to pool volunteers for code reviews similar to what Stackoverflow does for questions, answers, edits etc.