Is it at all possible to post it somewhere?
Is it breaking any obvious NDA or can you share it?
I wish they added it to the SRE book. But it's not a hard sell if someone already believes that you need to distribute computation/data for higher reliability. Same goes for labor/know-how.
I do have friends at Google who can get away with this approach, but have more who feel they would be fired for doing this.
They're not getting away with it. That's the way it be.
Your other friends need to take away the "internal document" part from this story, not the "Let things fail" part. They're not there yet.
Also, I'm going to guess that's something like five active contributors signed up, not five full-time engineers, meaning the actual number once you do the math for availability and such is probably closer to half an engineer. Could be five, but Heartbleed kinda put paid to reasoning like "pip is important, surely it has the funding for dedicated contributors who aren't distracted by something else being their real job."
People are all over the spectrum, with people like Stallman and developers at the FSF working mostly on ideological grounds and companies like Oracle only contributing when it would clearly be beneficial to the bottom line.
I used to think I would love to work on OSS if I didn't need money, but I've found that I just like working on stuff, and OSS isn't as much of a priority anymore.
Money is always decoupled from value (Warren Buffett, paraphrased).
Sometimes people who add negative value, like the oil men in the Permian basin, get paid 100x more than your pip developer.
Screw that, a large amount of the surplus generated by technology companies ends up in the hands of landowners instead of stockholders! Let alone the engineers building it, who might be riding on the work of open source volunteers. It's turtles all the way down.
If you are a volunteer, you are forgoing payment and are subjecting yourself to exploitation by others by definition.
Unless you have a mechanism for enforcement you are shit out of luck.
Open source software fails like this even if it's valuable because fixes and improvements don't necessarily make it out into the open, whereas Free/libre software, if it's valuable, gets stronger over time because fixes and improvements must be available to everyone.
Software projects need someone to maintain their course, make sure changes match the purpose of the software, and most importantly, reject changes that create a burden on the project.
Besides that though, I wondered how much maintenance pip even needs. Shouldn't it be kinda stable?
But looking at https://github.com/pypa/pip/graphs/commit-activity it doesn't seem so.
I think there is a reasonable argument that that has been part of the problem with Python packaging.
And if five is not a good number, this is indirectly one of the reasons that I enjoy using python. It has a 'batteries included' release, where I often write code without feeling like I need to $ pip install anything at all. If the 3rd party package delivery system is fragile, that isn't good - but it doesn't represent a dire crisis for me as a user of python.
I wind up having to install as many packages as when dealing with a Node.js project.
Let's nominate them for PSF fellowship https://wiki.python.org/moin/PythonSoftwareFoundation/Fellow...
Five people literally enable entire ecosystems of developers across the world, multiplying their productivity by ungodly amounts and indirectly generating billions of dollars of value. Isn’t that extraordinary?
Really, it's less of a line than a region of negative width. Number of maintainers is not a good indicator for the security position of the project.
Maybe 2 or 3 people actively doing most of the contributions, with sporadic other contributions.
Obviously it's a question of limited resources, but I wonder why projects don't offer a clear path to growing as a contributor. For example, once you triage 3 tickets and close 5 documentation tix, you get assigned a mentor and a few features specifically set aside for mentor+mentee to build together. Then use these not as methods of gatekeeping (let anyone contribute as much as they want), but as a way to pull in a few new people at a time.
I also think that many projects would benefit from having formal "apprentices". Being an apprentice for React would be an amazing thing to have on your resume, and would cost no money for the project.
It's pretty amazing, like the post states. After OpenSSL's Heartbleed I remember hearing about a critical FOSS fund to help with things like this. Much like how Wikipedia is funded, it makes sense to fund critical projects like pip and npm.
It's owned by a private entity and its server-side code isn't available to my knowledge.
> 2-3 devs at 5 hours per week. 
The Ruby Together initiative aims to make the situation better through recurring donations.
It's even worse for pipenv. It was last released in November last year and there are a lot of bugs fixed on master, but there is never a new release.