Hacker News new | past | comments | ask | show | jobs | submit login
How the .NET Foundation kerfuffle became a brouhaha (robmensching.com)
449 points by ghuntley 8 days ago | hide | past | favorite | 329 comments

As I have no idea about .NET development, I don't really understand the relation between these projects and .NET Foundation.

Is .NET foundation paying them money? Or what is the relationship between the projects and Microsoft/.NET Foundation?

Reading the "apology" on github, it seems that .NET Foundation/Microsoft thinks those projects are essentially theirs, and they are free to put them under their enterprise account to "simplify billing"


But reading this article, and the one below, the maintainers think otherwise?


There are also some notes about copyright that I don't understand. Who owns the copyright? Microsoft or the maintainers?

edit: From the github "apology":

> Projects might not fully understand what joining the .NET Foundation means. We share a checklist with project maintainers on project changes they accept as part of becoming part of the .NET Foundation. That’s obviously not sufficient. We will post a new document that describes what you can expect when your project joins the .NET Foundation. This will include changes (observable or legal) and new benefits. It will also include changes that could occur later.

....ok? That seems scary, coming from Microsoft

Yeah, scary, in the "you signed an agreement without reading it properly and now your souls, er, your projects belong to us" sense. And in the case of WiX Toolset, they apparently never agreed to the terms & conditions of the .NET foundation in the first place. Also, being forced by the .NET foundation to give an account admin permissions for your repos, and then having that account move your repos to GitHub Enterprise without your permission, even without informing you... I can understand how that creates mistrust.

According to the article, the only thing the .NET foundation did for them was provide certificates, other than that they did nothing for a very long time. And then, of course, this...

Well, the .NET Foundation also holds the copyright and provides the CLA bots. But the great bulk of your point is correct.

This is not about the legal ownership. This is about operational ownership. All these maintainers understood what they signed. However, they expected to be supported to do their work mostly their way. For good reasons since other foundations do it that way. The .NET Foundation is however not communicating and supporting the community but focus on legal ownership including capabilities to enforce that (that is were some of the CoC and billing comments come from).

So it is mismatch of expectation. To blame is the foundation, because what you can read on the web page and the feedback of the maintainer community does not fit to their agenda so they could have understood this early and resolve it peacefully (they are the ones in power).

This is about open source leadership. They screwed up. Legally this is (mostly) fine, content wise it is (mostly) fine but the way how they operate is not okay. And saying sorry is not enough

This may have nailed the issue most closely yet.

It took you a lot fewer words than me too. :)

I am really struggling to understand how those projects cannot be under .NET foundation control. If you ever worked on an Apache Foundation or Eclipse Foundation project, you know that you must use their tools for code hosting and processes for maintainer/lead election. That said, as a project lead of an Eclipse Foundation hosted project (not Eclipse IDE related), I never had the Foundation do something major to our project without properly disseminating the info about on a publicly readable mailing list in advance.

P.S. I read that .NET foundation board now meets every day. I think Apache/Eclipse Foundation boards meet every 1..3..12 months, at least judging by the rarity of emails summarizing their meeting minutes. If a board needs to meet every day, something must be really wrong.

Something is really wrong right now that's why they might be meeting every day.

Your experience with the Eclipse Foundation is very different from how the .NET Foundation has interacted. On top of that, communication has been very poor for a long time. I believe those two differences are at or near the root of all of these issues.

While it's easy to see how this sounds scary; the flip-side of this is that it's not clear if there's more to it than misperception/miscommunication.

To take the example from the blogpost; the author was particularly scared by the move into github enterprise. I don't want to dismiss that worry; but on the other hand - the only consequence of that move seems to have been that logged in members of the project have a very slight UI change. Obviously that's not what people are worried about; they're worried about... well, what else does that mean?

Well, what else does that mean? Is this really something to worry about, or is this really just a misunderstanding - or both?

> Well, what else does that mean? Is this really something to worry about, or is this really just a misunderstanding - or both?

It means microsoft has hijacked the repo. I don't think their intentions or anything else matters. This is imo crossing a huge line.

I was always kind of wary of github, ever since MS acquired it, and I have always made sure to not get trapped by using any lock in features. But I never assumed their lock-in includes going full SourceForge and hijacking people's repos.

Honestly, if GitHub/MS don't come out with a very good statement on how and why this will never happen again, I'll need to figure something out and make sure people use a different URL instead of pointing to my github.

It's absolutely something to worry about. If someone breaks into your house, you should be worried irregardless of if they stole something, or not.

I’m not sure how this is related to Microsoft’s control of GitHub. This was the .NET Foundation using application-level permissions that it was granted on each repo. It wouldn’t matter what platform was used, if it supported re-organizing project hierarchy, this could have happened.

You are exactly correct here. This isn't about Microsoft or GitHub. It is solely about the .NET Foundation's actions.

The Director of the Foundation is a Microsoft employee and they are the creators of the Foundation.

In addition to the obvious issues, this is also about Microsoft and their relationship with the Foundation.

Just to reiterate: the observable consequences of that "hijacking" is apparently an almost imperceptible icon most people don't even see. That cannot be worth getting this worried about; the worry needs to be something else, probably something that hasn't happened yet but the maintainers feel like it (whatever it is) is something terrible they believe the foundation now has the capability for, and do not entirely trust the foundation to refrain from exercising this unknown power in some future circumstance.

If that sounds absurdly vague, it's because the concrete accusations are that vague.

On the one hand: it's possible this tiny UI change does signify some deeper permissions change, but it's not exactly obvious what that would be (especially given the already admin nature of the dnfadmin account). Nor is it clear both the foundation and maintainer really understood what that permission might mean, if it even exists. It's not clear the maintainers have any specific reason to object in the first place!

The one thing that seems clear is that the github UI wasn't clear, allowing the maintainers and dnf to read very different things into a superficially trivial change, and that there's some level of miscommunication at the very least. But it's still not at all clear whether the actual change made warranted the fears expressed, not at all.

Personally, while the dnf clearly and objectively failed in its task of keeping maintainers on board, I can't help but also feel that these maintainers deserve a bit of opprobrium. They essentially started a major social media freak out, and cannot even express exactly what it is they're afraid of, let alone point to any evidence that whatever mistakes the foundation made weren't fixable by measures with less collateral damage.

It's all very nice to blame some scary sounding not-entirely-defined shadowy corporate conspiracy between github, microsoft and dnf, but at the end of the day meltdowns like this do harm, and it's just not clear that was at all warranted.

It might not be clear to you but as a maintainer and member of the Foundation it's very clear to me. The DNF used temporarily assigned permissions (assigned under the premise that they needed authority to fix a CLA bot) to move several repositories to their own organization. This is unacceptable by any measure.

Technically no, they used their permissions to include the organization in the enterprise. But the more relevant question is why that matters. As I tried to point out above, this has essentially 0 impact so far; so people must be worried about some future impact. Which specific one? How does this move cause problems that otherwise would not exist?

I think it depends on whether or not you are operating in good faith and you think he foundation is too. It sounds to me like people are attributing bad faith to this whole misunderstanding.

It’s unfortunate that this has become our mode of conflict resolution: blog posts, public apologies that don’t grovel enough and a trivial issue that people have turned into a political football so they can run that shit into the end zone and spike the hell out of it.

Grievance culture is weak, and frankly, dishonorable.

I might agree with parts of what you are saying but when the channel to communicate back to the "powers that be" is broken and you face (what feels like) an existential threat, the public forum is an enticing, sometimes effective but very messy option.

Anyone here old enough to remember when SourceForge was The Place(tm) to stick OSS code and then how it fell from grace?

I’m curious in what ways the MicroSoft take over of GitHub is and is not starting to feel like that.

For me, one is just the difference in scale. GitHub is vast in both content as well as tooling compared to SourceForge at it’s highest points. And a commercial entity orders of magnitude smaller than MicroSoft took over SF. The rate of descent into Not Good(tm) territory also seems slower and more ponderous.

But while the magnitudes differ, the vectors look similar. Not exactly the same, because history rhymes with itself before it repeats itself.

Curious what other similarities and dissimilarities other old timers see.

I remember when I first released the WiX Toolset publicly to SourceForge. I was up all night getting CVS prepped and writing my blog entry to announce it.

But this issue now really isn't about the source control hosting provider. It isn't even about Microsoft. It's about my relationship with the .NET Foundation who (now) holds the copyright of the project I released on SourceForge over 17 years ago.

GitHub actually had the tools I needed to move the project back. Not much more I could have asked for, honestly.

Would you ask for the copyright back? As in, it doesn't seem like they're helping you at all, so maybe you could tell them you're leaving and you would like to have the copyright back.

It might force them to show their colors, and if anything turn the brouhaha into something more clear cut.

My case is a little special because I developed the WiX Toolset when I was an employee at Microsoft. I never owned the copyright (Microsoft did). So, I wouldn't be asking for the copyright back... I'd be asking for it for the first time.

And there are advantages to a legally well protected entity holding the copyright. One for example: my company (FireGiant) is "firewalled" from certain legal issues.

So I'm still contemplating the future and don't have a real answer for you yet.

Interesting. From that description, it kind of sounds like you're both wanting your cake, and to eat it too?

Not sure what I'd do in your situation though. It sounds like you've put a shed load of time into improving "their" product, and don't really have much recourse if they don't want to play nice. :/

Though if you do fork it, it sounds like most of the non-MS employees would switch across to your fork?

But you wrote a lot of code for the project since you left Microsoft, I would think? That code should be yours.

Sure but I'm most interested in the project as a whole. And:

> And there are advantages to a legally well protected entity holding the copyright.

I honestly see this specific bruhaha as more of a DNF issue and less of a github issue. Even though both are affiliated with Microsoft, I dont think this is the same as SourceForge’s fall from grace.

I can imagine copilot being another point in the not-so-good direction, but is there anything else you are thinking of when comparing Githubs trajectory to SourceForges?

> is there anything else you are thinking of when comparing Githubs trajectory to SourceForges?

Popups, notifications, etc

Hostile ui in general

You must be joking?

I'm curious about this. I've used sourceforge for nearly two decades, but I was skeptical of it well before the controversial takeover. There are certain UI elements that sourceforge used and uses that I always relate with early 2000s click-the-monkey style ads and malware. I still trust certain button styles more than others. I still trust certain website themes more than others. Well before GitHub was the juggernaut of open source it was, I felt like I had some instinct of legitimacy compared to sourceforge or self-hosted subversion or tortoisesvn.

I think this is an important classification. When I, and I assume many of the people here, see an email to them or a friend that looks legitimate, we check the sender's full email (as opposed to the shorthand displayed, which is meaningless), and often don't click on any links, opting to physically type a url into our browser and navigate to where we should instead. There's some feeling that something is funny, in the same way some people don't buy thousands of dollars of cheap makeup from Avon and others do.

I still trust GitHub and am a happy customer. I don't think they're going the way of the buffalo. I definitely can see how (again, not an opinion I hold), one could perceive UI/UX changes that they don't like as a sign of imminent downfall.

The understanding of natural instincts in relation to simpler interactions have some reasonable explanations, albeit not universally agreed upon. How dare we have the audacity to claim an understanding of human instincts when it comes to the youngest universal man-made change to our species possibly ever?

Weird rant. Nothing against anyone.

It's not to pick on you, but why do people spell it with a capital S? I've seen it in several comments over the years. But their spelling and logo, at least going back to the 80'es, have been "Microsoft". I think they might have been "Micro-Soft" for the first year, but that was 45 years ago.

MicroProse, on the other hand, went with the capital P.

I actually do write Microsoft usually. I’m not sure what came over me. I was a tired when I wrote the original? Maybe typing out GitHub and SourceForge triggered a StudlyCaps LoveFest in my brain. Thanks for the correction.

I've found that there's a cool git repo place called "Source Hut" - which takes the "hacker" and "open source" ethos. they've got some git and some other tools that github doesn't have, and are looking pretty interesting.


Yeah, I'm really pleased with sourcehut. Not many other forges let you ssh into a failed CI host to debug what's happened.

It's pretty easy to do with github actions.


Wow. Didn’t know you could do that. Very cool.

It took me a while to get this working, but once it did it is an amazing feeling.

This is literally the only feature I like in circleci.

Travis and CircleCI allow this.

Sounds pretty cool. Their native CI has an endorsement by Andrew Kelley, and while it might just be advertising based on something nice he said once, it works for me ! The ability to SSH in especially is a feature I could really use.

In any case I appreciate it doesn't try to cast itself as a free service while remaining affordable. I've got my fill of arcane, polymorphic subscription models.

Github _is_ the embrace phase. It is sad that a lot of OSS projects do not see it. MS has through Github control over OSS. As someone noted in another post they want admin access. This means that they can do what they want with your code even injecting malware. I wonder if people wanting to deprecate FTP do not have a hidden agenda. Because with https you are at the mercy of an organization.

The .NET Foundation wanting admin access to repos of projects under the .NET Foundation umbrella is very much not the same thing as how the people who run GitHub could backdoor any repo they like whenever they want, obviously they can they have the source code to the hosting platform.

Except that's pretty hard to do without developers noticing because you'd need to engineer some hash collisions to get their local git clones to accept the code changes.

So let's limit the paranoia to where it actually applies, shall we? The .NET Foundation has made a right mess of this, but it's not the same thing as Microsoft trying to backdoor all open source code on GitHub. I'm pretty sure the people there are smart enough to realise how much that would backfire.

Oh I think we’ve started the extend phase. Did you notice they put out their own GitHub specific git cli? And they removed ssh links and replaced them with links specific to their cli

At least in a couple of projects i just checked the SSH link is still there, between the HTTPS and the GitHub CLI command.

Only if you are logged in. It used to be there always.

Are you sure about that? I certainly don't recall that, and it seems like it would be a bad UX idea anyway: you can't clone a repo via SSH without having an account (and a pubkey registered), so showing the SSH string to people who aren't logged in seems counterproductive.

`gh`is great for handling pull requests and other GitHub specifics. I still use `git` for everything else, so I dunno how much it does, but it makes sense if `gh` overlaps with some `git` commands to round out the tool.

`hub` had the same functionality and could be used either standalone or integrated with git so `git hub` ran hub commands to e.g. manage a pull request.

gh is just trying to get you to stop using git itself

You've been lured by the "extend" phase.

Isn't GH's PR some awful sugar around the concept of merging a patchset?

The SSH links aren't replaced by the gh links, the gh links are just an additional option.

Or actually, they aren't replaced everywhere: the "Code" tab still has HTTPS and SSH in addition to the GitHub CLI; the "Pull Request" tab has only the CLI.

The first time they did this with the hub tool, GitHub was only a few years old and many years away from any acquisition


The OSS projects”? Such a sweeping claim would need some proof or at least references to show what you drew your conclusions from. Until then, I'm booking this under paranoid phantasy.

SourceForge? What is that. That coffin is nailed shut, buried and long forgotten. I don't care if they have new management and have changed the trust I had in that site was forever damaged by spreading adware in every download.

Really? it feels nothing like it honestly, source forge amongst other things started and ended with poor developer experience, in part they died from being outclassed.

SourceForge is (and always was) more oriented towards end users, this is why when you visit a project's page you get a big fat DOWNLOAD button at the top of the page, a user score, buttons to be notified for updates, etc, when it was last updated, followed by a summary about what the project is, what its releases are, the categories it belongs to, its license and then UI to rate the project, comments by users, etc and the main buttons are about said summary, files to download, more reviews, support, mailing lists, forums, wiki, news (some projects have more or less, depending on the configuration) and at the end access to source code repository. At the sidebar there are even related projects and places where you may find other projects in case the one you are looking at doesn't meet your requirements.

For developers obviously only a small part of that is relevant but the service is not really primarily for developers and since developers "hold the keys" it makes sense that once services that care more about developers appeared many developers moved there. From a user's perspective it is sad though since pretty much every other supposed alternative does not provide a lick of SourceForge's features and the fact that there isn't any after all these years shows -IMO- how much most FLOSS developers care about their users.

On the other hand SourceForge always had a terrible UI, especially in its earlier days and while its current incarnation is the best its ever been (aside from the oversized elements) it still often feels like a mess of elements jumbled together and while they do provide a lot of useful functionality, it is often behind very clunky interfaces.

I wish there was a real alternative though.

> From a user's perspective it is sad though since pretty much every other supposed alternative does not provide a lick of SourceForge's features and the fact that there isn't any after all these years shows -IMO- how much most FLOSS developers care about their users.

Counterpoint: the readme (or GitHub.io site) in combination with lightweight features like the star count is a good enough replacement for all of the bespoke knobs on SF. OS app stores have also become a thing since SF’s decline and they’re a better route for most non-technical users.

I have never once been lured into clicking a sleazy download button on GitHub and I recall that happening on the semi regular when I visited SF back in the day.

This is pure hyperbole. There is zero evidence GitHub is anything but an evolving source control service.

A Microsoft employee pushed the move of Python to GitHub when it wasn't MS owned. Some time later Microsoft bought GitHub.

And? Loads of projects moved to GitHub when there was no Microsoft-employee involvement because it's just a very good service. And for a good long time, nothing else out there existed which could even start to compete with it. GitLab came along somewhat later.

SourceForge still has some good products but displays advertising a lot.

If you are logged in they disable the ads, or at least the generic ads. They still have the "business software" category which is essentially ads for SaaS and commercial software, but that is its own section you have to explicitly go at.

I’d be surprised if Microsoft saw owning GitHub as a major revenue source

They certainly see it as a funnel for their other services. Bringing developers onto Azure etc.

The .NET Foundation board doesn't even all work for MS.

I'm not trying to be lazy (ok maybe a little bit), but can someone please provide like a 3-4 sentence summary of what happened? Everything I've seen on this either assumes you already know, or is very long and rambly, or both.

Many projects joined the .NET Foundation after it was created. It didn't really do anything for them (I think they basically sponsor meetups), but it wasn't harming anyone either.

The .NET Foundation asked for owner access on the author's repository (for a CLA bot). The author declined and a workaround was organized.

Years later the .NET Foundation asked for "owner access" on the author's repository (to allow them enforce Code of Conduct across all repositories). The author declined.

The CLA bot stopped working. The author was told it would work if he gave it owner access. The author was annoyed because they previously had a workaround. They gave in and gave @dnfadmin owner access (temporarily, it was later revoked after the CLA bot was set up, thanks /u/ethbr0 for the correction).

Some time later the author realized that the project had now been silently moved to GitHub Enterprise (likely in the short window @dnfadmin had owner access). The author states that projects in GitHub Enterprise can be entirely controlled by the owner of the account (the .NET Foundation). This transfer happened silently.

Independently, this happened to another project (who had coincidentally had an issue with a Microsoft employee and former contributor force a pull-request into their project: https://github.com/reactiveui/splat/pull/778). The change itself seems innocuous, but the approach bothered people.

People are upset because of how tone-deaf all of this is. They would like the .NET Foundation to stop trying to gain complete control over the member projects. They would especially like for their projects not to have their ownership changed silently.

Edit: For the record, I do not believe this is part of some embrace, extend, extinguish plan on behalf of Microsoft. I think these accusations actually cheapen what has happened here. I suspect this was more of a "can we make this process easier and more convenient for the .NET Foundation"-type thing.

The people involved with this will have to do some soul searching. The .NET Foundation should operate in service of its member projects, not the other way around.

I think this is on point. We once had an issue with open street maps, that caused our routing system to not be capable of directing citizens and employees to the second biggest municipality in our country because a one way street had the wrong direction marked in OSM by mistake.

This had a huge impact on us. With thousands of employees and citizens calling our IT support staff of 5 people every day.

When I used our OSM official “City off X” account to fix it, I was an utter idiot and submitted both a real life picture I took myself as well as a Google maps and a krak maps (Danish map service) screenshots. I didn’t know this wasn’t legal, because I was an idiot, but it resulted in our fix getting reversed and a week long discussion with the OSM community members about fixing the damn street.

We made the street one way. But we couldn’t fix it in an OSS map service because the community wouldn’t let us because we made a stupid mistake.

We’ve now switched our services to Krak. But I can promise you that if we had, had the admin power to force our chance through during those days, we wouldn’t have given any regards to the OSS community.

If an popular tool wasn’t working within the .Net framework CLA I imagine the process would be somewhat similar inside Microsoft.

It’s just one of those things where the OSS community processes and Enterprise process of “get this fixed right now, at any cost by any means, ignoring every standard we may have, just get it fixed, now. Then make sure it never happens again.” that happens every now and then when the beast awakens, clashes. I’m not sure how you can avoid it, as Enterprise will never want to comply with OSS processes when it’s in a hurry.

Regarding the OSM part, how was that illegal? You had 3 different sources for your information. The pictures you took were only your own and you were free to use them for whatever you wanted. Using a copyrighted map to validate that the images were correct is entirely within the use allowed by those maps. The edit was based on the pictures and your real life observation, not those other maps, so you own the edit, which your are well within your right to contribute to OSM.

I get that the OSM community is trying to practice something equivalent to a clean room reimplementation, but that's equivalent to a person in the "cleanroom" being shown a public domain code library and then a file from that same library, but taken out of a ROM dump. Yes, they saw the copyrighted file, but they also saw the public domain file so they're entirely within their right to base their reimplementation either partially or fully on it.

There was no copying. ¯\_(ツ)_/¯

I'm not sure this observation is to the point. Most enterprises do not allow this kind of behavior either, unless you happen to sit at the right place in the hierarchy. If you had violated the terms of service of Google Maps, they would probably have banned you immediately too.

But yes, it may seem a little confusing that even though you can do X, it may not be appropriate.

I think that's also why people are upset in this case. They actually did try to protect themselves from power grabs, only to find themselves cheated.

By the way, there's a Danish mailing list for OSM. I don't know if you explained the issue there, but if you did, I think it's likely someone would have made the correction for you relatively quickly.

> I didn’t know this wasn’t legal, [...]

What was the problem? Why isn't that legal?

The screenshots are evidence of copyright infringement of commercial maps.

... how?

At best it's a breach of GMaps ToS by that user. And in this case the user attached a photo they took. The screenshots are just noise.

I think the google maps screenshot is poison?

But there was also the photo made by the user. I'm trying to understand the legal aspect of this. If Google felt they suffered so much of this, they should bring a (civil) lawsuit against the user that uploaded that photo. Why would OSM care in this situation?

Because OSM wants to be really really sure their data is not tainted and gets them or their users into trouble. As such, anything that suggests that you are using improper sources for editing and is noticed will get you looked at, maybe get someone to double-check your past edits, ...

And since its a community consensus thing, people will wait a few days to reintroduce a change once it has been challenged unless the challenge is obviously unreasonable. It's not like a change being delayed a few days is some unreasonable big punishment, it's just part of QA process to run. Maybe wasn't strictly necessary here, but it's a really obvious warning signal to trip.

(To make a (admittedly stretched) software analogy, if you submit a PR somewhere and show disassembly from the Windows kernel as evidence that it's a good algorithm others also use, it'll also cause some concern, and you would've been better of just showing your solution on its own)

I don't understand. Cannot you create a PR and fork the project (and use your fork in the meantime until the PR is merged)? This is what I do when I use opensource libraries. They being opensource shouldn't mean that you get blocked by them.

OSM is one big online database, like wikipedia. Sure you can fork it, but it's far from trivial to "maintain" that :)

Sorry, but what specifically was illegal? And as in laws, or OSM project governance?

You can't use copyrighted maps as a data source for OSM:


"Unless you have special permission, don't copy from online or paper maps."


Legal was probably the wrong word to use. It’s against the policy of OSM. It’s probably not actually illegal as far as the law goes.

I mean, we own the map rights. Google had to seek permission from us to map our area and publish it.

Nice story, dude. :)

> I suspect this was more of a "can we make this process easier and more convenient for the .NET Foundation"-type thing.

I suspect there was also just a different picture on what the .NET Foundation even meant inside and outside of MS. It's different people working on it inside MS than the ones who originally set things up, and the new people may not have even seen their actions as trying to take control of anything because they were under the impression that everyone considered them in charge already.

This issue is really only about the .NET Foundation and not Microsoft. Otherwise, you may very well be correct.

The leadership of the .NET Foundation changed twice since my project joined it. So it is very possible (likely?) norms and expectations did not have flowed from one set of leaders to the next. I don't know. I'm still waiting to hear.

> They gave in and gave @dnfadmin owner access

Temporarily gave @dnfadmin access, is my read.

> "The .NET Foundation had admin access to the WiX Toolset organization for a week, not more than a week ago"

Good catch! I didn't notice that on my read-through. I've updated my post to include this.

Minor nit: the admin access wasn't requested for the CLA bot but getting a non-functional CLA bot fixed was the reason I gave temporary access.

Otherwise, reasonable summary without as much flair and color commentary as the original. ;)

Thanks for the clear summary.

So, the proper, open-source-if-a-bit-dickish way to go about this would have been...

1) Microsoft forks the primary git repository and declares theirs to be "Microsoft-blessed".

2) Microsoft puts a skeleton team in charge of maintaining the Microsoft-blessed version, but mostly they just pull the original maintainer's patches.

3) People slowly migrate to the Microsoft blessed version.

NOT: We flipped this hidden switch under the table and now your repository in GitHub is controlled by us.

The proper way would have been to leave the project alone, notify the maintainers of problems if any turn up and remove the project from the .Net Foundation if the problems persist.

Of course from the issues that came up the last few days it seems that there is literally no point in joining the .Net Foundation and kicking a project out is essentially doing the maintainers a favor.

I don't understand your scenario. Microsoft isn't involved here. I mean Microsoft uses the WiX Toolset (my project) but they have never suggested forking it. I'm confused where you were going with this.

The proper "open-source-if-a-bit-dickish" way would be to do exactly what the .NET Foundation did here, but where the letter said "You will need to add this admin for compliance with our policies" that word policies would be studded with footnotes to policy pages, reams of meeting minutes, and archives of open mailing list discussions.

Apache and Eclipse and others all mandate that they control a lot of minutia of source control like what .NET Foundation seems to want to be doing with their GitHub Enterprise account, but their transparency policies mean all of the discussions of that are open and no one is surprised when changes happen.

As far as I understand the foundation is a distinct entity, it’s not Microsoft doing this.

Even the director of the .NET Foundation is a MS employee (Program Manager), of course in practice it’s a MS entity.

Have you interacted with the .NET Foundation much? Have you seen how the .NET Foundation interacts with Microsoft?

Posted a response to this elsewhere in this thread:


Incompetent workers, it's that simple really. MS assigns college degrees to projects, those college degrees understand very little about software, much less the culture of repository ownership and open source relationships. Too many employees, not enough experience heading them.

Microsoft and orgs like it are too big, you cannot trust a massive machine to be efficient, there's little incentive for proper management.

This issue is about the .NET Foundation, not Microsoft.

Au Contraire. From the bylaws posted publicly so far, it seems, they aren't truly independent of each other.

Microsoft is the "Founding Member" of the .NET Foundation. They are entitled to appoint an Exec. Director (ED) and the board has no say in this matter (The current ED is the person who forced a commit on a member project). The ED's tenure has no expiry other than when Microsoft feels the need to change (or they leave). All other board members are elected for a set term.

Lastly, the ED can block any board resolution; aka, the elected board needs Microsoft's blessing to do literally anything.

Source: https://github.com/dotnet-foundation/Home/discussions/39#dis...

I don't think you've seen the .NET Foundation and Microsoft interact then.

I have not. I am not a foundation project maintainer or have had any direct interactions with the foundation. My understanding mostly comes from following the community.

But this is what Rodney Littles is quoted as having said in his interview with The Register

> From Littles' perspective, though, the .NET Foundation is insufficiently independent from Microsoft, does too little to help its member projects, and lacks a strong sense of mission or purpose.

Rodney is closer to many things than I but my experience shows these are the root issues:

> does too little to help its member projects, and lacks a strong sense of mission or purpose.

That's on the .NET Foundation, not Microsoft.

This is definitely not the case. The .Net Foundation is not staffed by Microsoft, nor is it owned by Microsoft. It’s an entirely distinct entity though I believe some board members work for Microsoft.

That’s where the poor & questionable transparency comes in, they try to market it as independent but it was formed and funded by Microsoft with the Executive Director whose performing all the objectionable actions an MS employee who is also the only person that is able to approve all material changes made to the foundation whose position can only be filled by the founding member who is Microsoft, in effect they are the silent hand making all the power moves to its member projects without their consent, wishes or even a courtesy notification. Then to try downplay the bad PR you had the MS VP Director with no visible ties to the foundation willing to jump on a call to disgruntled members so they can downplay their MS foundation employees actions behind close doors.


But the Github Enterprise admins, and people actually fixing the CLA bot probably are from MS?


> who had coincidentally had an issue with a Microsoft employee and former contributor force a pull-request into their project

It was the head of the .NET Foundation

Fiscal sponsors should never have access to code repositories...

I don't think this applies as a general rule. One could imagine reasons why they should have access (of different kinds), especially when they employ key maintainers and are the driving force behind the project.

Project maintainers had their projects moved from their public GitHub accounts to the DNF's GitHub Enterprise account without notice. Some maintainers only found out about the transfers of their projects because of this[1] discussion.

[1] https://github.com/dotnet-foundation/Home/discussions/38

Technically speaking it wasn't that discussion. That discussion was opened after we started realizing what had (and had not) happened. But your summary is otherwise correct. :)

So nothing changed with the source code or its licensing, only the location on github? That seems a bit inconsequential, tbh. Are there strings attached to the new location? If no, then move on.

Per post, being part of a GitHub Enterprise organization grants the GEO's owners control over any projects contained in that organization.

That's the change.

Thank you. That does seem consequential.

Yeah and is not wrong for the foundation and the projects. It is the absolute lack of community, communication and tone deafness.


You'd not say the same thing if the ownership of a domain changed hands quietly, in the background.

That would be worse though. This is like a subdomain changing hands quietly. E.g. you mypage.github.io.

There were also pull requests that were merged despite maintainers' objections to merging.

That didn't happen to me and there was a pretty comprehensive (IMHO) apology about that issue.

There are strings attached to the new location - the maintainers can (in theory) be kicked out of their own repositories.

I don't really know anything about this stuff but after reading the blog post I feel like I understand. It's a good read.

Thanks, that is good to hear. I wasn't sure I would post it because I was afraid it would actually confuse the issue. Thank you.

Now you know what working with WiX is like.

Hah, hah, hah, that's actually pretty good.

Maybe I should have added a tl;dr at the top?

Writing the whole entry was challenging because there is a lot of detail I wanted to provide to being everyone along the journey. I've seen some people drop in at any isolated point and say, "Why is this a big deal?"

Also I'll be the first to admit that when in story telling mode, I am not particularly terse. :)

Extremely bizarre that the main concern in this thread is with GitHub, even though they did absolutely nothing here: the repo that was transferred had given admin rights to the DNF account for a bit. What the DNF did here is questionable, no doubt, but seeing people here claim this portends the death of GitHub is disappointing.

You are exactly correct. It isn't necessary to drag GitHub or Microsoft into the conversation.

They aren't involved in this situation.

I realize it's weird to argue against you, because you wrote the article and are the one affected by this.

But, i disagree. Even if it were an entirely different company. The fact that GitHub didn't send an e-mail and that repos can be hijacked like that, is in itself something GitHub needs to address. And thus at the very least, GitHub needs to be dragged in.

Meh. Other people here have pointed out it sends email to the people in the GitHub Enterprise. So, they probably missed a place to add auditing.

To that point, I've had GitHub people tell me they never imagined the feature I used to get out of GitHub Enterprise to be used that way. I got lots of emails (since I owned the target organization) but maybe the GitHub Enterprise did not?

The email would be nicer, but what's the solution exactly? The admin of one project moved it somewhere else - how do you restrict that, if the admin has total control over a project?

Are there improvements that could be done to allow these bots to perform with less rights? That would be something maybe github could tackle but it's not the worst thing about this problem.

> how do you restrict that, if the admin has total control over a project?

This isn't a new problem, how do you prevent a rougue admin from kicking all other admins and taking over. The simplest and a pretty effective solution is to have another privilege level: Founder. Of which there can only be one, and admins can do everything, except strip the founder of their rights. (And/or transfer the repo, if the founder can't easily undo that.)

Why not just require admin consensus for privileged actions?

E.g. removing other admins, or other permissions-related actions like the re-orging in question

If your problem case is "one rogue admin," having multiple admins and requiring consensus seems an easy fix.

You should raise that feature request with GitHub. It's a good idea.

> The admin of one project moved it somewhere else - how do you restrict that, if the admin has total control over a project?

Even an admin shouldn't be able to avoid other admins getting notified and seeing an audit log of what they've done.

The executive director of the foundation is an employee of Microsoft, so they most certainly are. GitHub, less so.

Clearly the org is far too gone at this point. It's a dead project people are funneled into that doesn't serve a purpose. Maintainers should do like the history of software has. Drop it and organize anew.

A massive red flag for all this are the words "code of conduct". They're not "bad" to have, generally projects already have them, they were previously called "rules". But if the "code of conduct" is filled with title 9 speak then you know you're dealing with corporate types, not developers. For those that haven't taken title 9 training, you're told to be the gestapo morality police and actively go out of your way to vocally suppress any discussion that might involve something that could have the potential to be discriminatory. This is done for liability protection, for the company. Not because it would actually be discriminatory/immoral. Yet somehow its made it's way into software repos.

No, that's not the problem here. The author explicitly states they were totally fine with enforcing a code of conduct on their mailing list.

The problem here was about trust in the foundation and power over the repositories.

That's fine, the point given is that when orgs push for it, and they're doing so like they did here, that's a massive red flag that whom you're working with is not qualified to be doing that work. Call it an "org smell".

Yes, exactly. Thank you.

I also really dislike the fact that code of conducts usually present a very american-centric view, sometimes even a silicon valley-centric view, for projects that are supposed to be open to people all over the world.

What? Code of Conduct says stuff like, don't be mean to other people. It's a lot like: https://news.ycombinator.com/newsguidelines.html

I don't think that's true. For example, the recent changes to the Ruby code of conduct removed the parts about assuming good intentions. On the other hand, the guidelines:

> When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."

> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.

> Please don't use Hacker News for political or ideological battle. It tramples curiosity.

HN ideology is basically "we're all adults here, act like one". People that push for stuff like code of conducts usually consider that these guidelines are not enough to protect marginalized people. So they add stricter rules about how to act. That means that you have to agree with them about who is marginalized, that they need protection and how to protect them. I don't think any of this is universal. Note that I don't mean that this is a good or a bad thing, just that it's politically charged in some way. That's nothing new, since free software has always been politically charged. But the values conveyed by code of conducts are not always the same as the "old values of free software/open source". This is of course very vague, because everyone has their own values and most projects aren't very clear about what their values are. But you can see the consequences of that change when you see how the opinion on Richard Stallman changed, or how Linus evolved. Again, I'm not saying any of this is good or bad. I'm saying that things are changing and not everyone agrees with it.

Now on the American-centric part. I don't think I can add anything worthwhile to what's already in this article: http://antirez.com/news/122.

They generally have a strictly US-history based view of how to treat other people and deal with their insecurities and problems. They're also invariably passive-aggressive and just plain hostile in places.

When you are in a stage of pulling CoC rules out, you are already nuclear and hostility is already ongoing.

They are US based, yes, but they are usually good rules. Whether a CoC is bad or good is in the hands of the humans enforcing it. The .NET Foundation shows terrible human to human handling of a non CoC related topic.

A CoC is always toxic, because it is the flag of a moderating team that is not adult enough to recognise that you can tell someone "no" without having some sort of "legal body" to point to.

More importantly, a CoC is a commitment by the moderation team to follow a certain standard, instead of giving it a position of "whatever we say is right, if we don't act, sucks to be you". (And at the same time, it's just that, a commitment, it can still be ignored or misused, it's not an automatic fix for anything)

A CoC is an admission that whoever moderates the community is not capable of doing so without having something to hide behind and point at. Culture is not improved by introducing rules-lawyering and avoiding personal responsibility, that is how you ruin it.

Edit: What good does a commitment do anyway, if it guarantees nothing and changes nothing? It's just someone shouting, hoping someone else hears and approves. If anything, that underlines my point about the fundamental immaturity of the decision to introduce a CoC.

Edit2: I understood your point to be that introducing a CoC means a commitment, which is somehow something that is good. When all this commitment does is deflect responsibility, that is not a healthy result. I feel like that addresses your point fine.

A CoC doesn't automatically deflect responsibility. As a moderator you still need to actually moderate, and you get the feedback for doing so. As a commitment, it actually puts an extra burden on the moderator, since there's now an explicit thing people can point to when criticizing your (in-)actions.

I happen to have gained a moderator role in a community that has a pre-existing CoC. I'm not sure why I would "hide behind" or "point at" the CoC when acting in that role, I'm perfectly fine with telling people off (or more if necessary) without doing so.

And yes, if you assume the worst of everybody commitments don't have any value. But people generally attempt to actually uphold things they commit to, and thus it is seen as a positive signal, even if it's not a guarantee. (Ideally we wouldn't need CoCs because the baseline established by them would be such a universal commitment in society that you could just assume it to be valid everywhere, but experience shows that's apparently not the case) Several community members told me that it has been relevant to their decision to interact/join.

EDIT: and even if you say just a commitment is worth anything (as said above, I personally also don't think "has a CoC" is that much of a signal without seeing how mods actually act, but clearly other people do), that's quite a difference from a blanket "CoCs are always toxic".

At least pretend to address a point made please instead of just repeating your earlier comment.

I think the problem for current members is that they gave away their copyrights for some small benefits (code signing and DNF branding??). Which might have been shortsighted but I think at the time it seemed like the DNF was going to give them more benefits. So they would probably have to create a new project name and stop using the old accounts?

Not in my case. The article explains how the copyright transfer was executed.

Thanks, I read your article, but I was under the impression that when you joined DNF they acquired your copyright from your previous sponsor foundation which happened on your decision?

Yes but I never had the copyright in the first place. This isn't about the copyright. I know I don't own it. This is about control of the project.

If they used some special microsoft insider access to github to move these projects... that's gonna really harm trust in github. They really oughta make it clear that they did NOT do this, or make it clear how it can never happen again.

I mean, they’re clearly heading toward stealing control of associated open source projects away from the founders/maintainers so I don’t think there’s even room to discuss “repairing trust.”

You might discuss repairing trust with a burglar you caught in your house after his criminal trial. At this point, Microsoft is the burglar and he’s still in your house with the ski mask on (unless you would prefer for the burglar to be a she).

With all due respect, this simply doesn't make any sense. The projects are all released with OSI approved licenses. To use your analogy, all the stuff is already on the front lawn with "For Free" signs.

Also, this is about the .NET Foundation not Microsoft.

I said "stealing control of"

I didn't say stealing the code.

Also, the .NET Foundation is Microsoft because a Microsoft employee is doing all of this behind the scenes.

They are not stealing it because in most cases they... Legally ... own it. However, doing something behind the back of the people operating it is tone deaf, stupid and shows a great degree of arrogance and mismanagement. They pulled nuclear options dozens of times in this move. For what: to reorganize billing and streamlining processes. That is not good enough a reason to go nuclear on a maintainer w/o conversation.

.NET Foundation is not Microsoft.

After reading the blog posts linked form this one I would consider this statement very questionable.

Maybe it's not MS on paper. But the DNF looks like it would be fully under MS control.


I think those affected have commendably kept their cool so far but I’d say this (diversity Trojan horse, “we need full control to enforce the CoC, whoops you’re fired goodbye”) is a playbook that will be often repeated in the coming years.

Only 2 of 7 board members are microsoft

One of them is the founding member appointee with veto rights.

These projects gave the .NET foundation admin access and then the foundation moved the projects. No insider access needed.

"Gave" is generous in that it fails to mention how that access was gained - supposedly needed for a tooling account to ensure inclusion/code of conduct guidelines being followed, IIRC?

Smacks of social engineering to me.

No, not supposedly, really.

We had a new repo where the CLA bot was not automatically working. I was busy with a deadline so to unblock the team, I granted admin access.

It wasn't social engineering. I did it. I just didn't realize what was going to happen after doing so.

I explain it all in the post.

My apologies, I read your post and understood the bot access part. However the timing of it sure as looked smelly to me, that's why I wrote "supposed".

I probably shouldn't have speculated it was all a set up, but even if it wasn't all kicked off with that intent, how it was then used sure was not ok. It reeked of trickery and deceit, which I construed as social engineering from that point of view - hope that makes sense (edit: #1).

Kudos on handling this, and hope you're doing well all considered. It was fantastic to read how you claimed the ownership back.

#1) that they requested "Yesterday we announced Foundation-wide Code of Conduct Enforcement. Part of making that work requires that the dnfadmin GitHub user has owner permissions to GitHub organizations."

No problem. I'm really just trying to keep the story straight.

The only issue I have with the timing is that I told them I was not comfortable with them as admin on the repo yet as soon as they were made admin (to fix the CLA bot, which happened to be only a week or so after my email) this happened. No social engineering necessary but really poor timing on top of non-existent communication.

And here we are, sadly.

Understood, and cheers.

> It wasn't social engineering. I did it. I just didn't realize what was going to happen after doing so.

How's that not social engineering?

I'm thinking the Oxford definition was used here by the author (ie tricked into giving up a password):

"(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes."

I didn't really want to argue it any further as the issue was inflamed, but I absolutely think that when an account privilege was requested purely for "trivial thing A and we really really need it because think of the children", for it to then be used in the next breath for "evil thing B" - then what else is it but a more sophisticated social engineering attack? (I would certainly like to know if there's a better definition of it.)

For the benefit of the doubt there could very well be things going on in the background where the account access was discovered by someone else than those who requested it, and then jumped on the opportunity. However that's giving a fair bit of leeway.

Article has a whole section on how @dnfadmin was given owner access, in a sneaky way (for a different context) - and how that was a mistake.

And how they suppressed the e-mail notifications to the (real) owners about the move of the org?

That part reads really fishy.

Someone answered my question:


That seems very strange given the fact that GH sends otherwise mails for almost everything done there if you didn't disable it.

Someone else noted that it may only send emails to the person that kicked the process off.

I don't know, I don't own a GitHub Enterprise to try.

Is it possible that anything which @dnfadmin is an owner of is automatically migrated by GitHub the moment it becomes an owner? Maybe they never realized that what happens?

I don't think there's any reason to believe that? That's why a good chunk of the story is setup leading up to adding dotnet foundation as an admin.

The fact that moving WiX out of public Github did not generate any emails while moving it back did generate a lot of emails is the suspicious part. There's probably an utterly mundane explanation as to why, but it's also possible that there's a MS-only "move this repo without notifying anyone" option.

Moving it out back to public GH was done by transferring the repo(s) between organizations. The move into GHE moved the organization as a whole to GHE. So it's conceivable that moving organizations as a whole to (or even from) GHE does not send emails. To be clear that's still bad, especially given how the user could only know of this move if they were logged in and looking for one tiny bit of text in the repo homepage, but it's a non-malicious explanation.

If that's true and GitHub doesn't send mails for this particular thing, even it sends mails for more or less anything else if you don't disable it, paired with the fact that such a change is almost invisible if you don't know what to look for, makes it even more suspicious.

If there where changes post MS acquisition of GH to this parts this would look like planed long hand.

Repeating myself but it's applicable here too:

I'm curious about this too. I was told (by someone at GitHub) that the features I used to do the move are brand new and were not expected to be used the way I did. It is very possible pieces are missing in the audit trail GitHub creates.

Meh. I might be more interested if I actually had a GitHub Enterprise myself.

I'm curious about this too. I was told (by someone at GitHub) that the features I used to do the move are brand new and not expected to be used the way I did. It is very possible pieces are missing in the audit trail GitHub creates.

Meh. I might be more interested if I actually had a GitHub Enterprise myself.

There is no "special" access in GitHub, and no person as far as I know has such an access. I work at Microsoft, but GitHub side is very detached so I don't think there was any collaboration.

It would appear different. Microsoft stealing projects into a private enterprise space is a different action than putting them back to public. Stealing generates no emails, but restoring to public generates a lot of emails.

It would appear there's a backdoor system for them.

I've been an admin of an organisation that was moved into an enterprise org (with consent) and can confirm that this does not generate emails for the child org.

As I read it, there’s two different things happened. The foundation moved a repo they were given owner (or maybe admin) access into an enterprise GitHub account, which doesn’t generate a noisy trail of email.

The OP used a workaround of starting a new GitHub project a couple of project renames, and a project transfer - which did generate a flurry of notification emails.

(I’m surprised the “move into enterprise account t” action doesn’t at least notify all owners on the account. If it normally does, and these ones didn’t, that’s a super bad look for both the foundation and GitHub…)

What's the difference between "moving a repo...into an enterprise Github account" in the first paragraph and a "project transfer" in the second? I would have thought that "project transfer" is just another term for "moving a repo into a different account", so the only thing that seems different is going to enterprise versus going from. It seems kind of odd that email notifications wouldn't be the same in both cases.

I assume moving into an enterprise account is a single click (although I've never dione it, so :shrug:).

The workaround "project transfer" used/suggested for getting back _out_ of that enterprise account gets explained in the article like this:

1) Create a new GitHub organization, normally. For example, name it new-yourorgname

2) Rename your organization in GitHub Enterprise in the Settings to something like, dnf-yourorgname

3) Rename the organization from step 1 to your desired organization name. You want to complete this quickly after step 2 so no one takes your organization's name.

4) In the GitHub Enterprise dnf-yourorgname go into each repository's Settings and transfer the repo to the brand new yourorgname organization.

Not at all surprising that generates a flurry of emails, especially since in the authors case step 4 needed too be done 44 times, once for each repo in the org.

There is no reason to suspect that they did. As I wrote, I granted admin access to my GitHub organization. No other special access was needed after that.

I would be willing to bet it is just a "feature" of GitHub Enterprise. Automatic migration of anything an enterprise user owns.

listening to the wix video linked elsewhere here, they were essentially duped into adding a bot for other reasons

No. I was never duped. We've always had a CLA bot (a assignment agreement and later CLA was always requirement since the project's release in 2004).

What was not expected was the move to GitHub Enterprise while the CLA bot was fixed.

This is why microsoft loves open-source. Free code from others that they can point to while trying to sell their licenses.

Arguably, for those who want to / have to work in the .NET ecosystem, it is better that .NET is adopting an open source model, even if imperfect.

This actually lessens the vendor lock-in problem and also means less of a risk of Microsoft pulling out of providing security updates for key components.

So far as I can observe, C#, F# and .NET Core as a platform for web development have benefited from the OSS-ification in the form of more dynamic and transparent progress/evolution.

Disclaimer: I'm more of a Python/Django guy.

This doesn't make sense to me. My company (FireGiant) sells support contracts for the open source project for companies that want guaranteed incident response times/SLAs.

And Microsoft isn't involved. The .NET Foundation holds the copyright.

They "love open source" because that's what makes most business sense. FOSS is part of the developer zeitgeist so much that you can't avoid dealing with it. MS and others have bashed them for years, but it only got stronger. So it only makes sense to tone down the denial and start accepting that it won't go away.

Also they realized that there is a lot of free stuff that can be used for free.

For those who dont have the time to listen, this is basically the article but in audio format, from what I can tell.

C#/.NET ecosystem was doing great lately!, Microsoft should not harm their reputation by these kind of actions.

> C#/.NET ecosystem was doing great lately!, Microsoft should not harm their reputation by these kind of actions.

They already did.

And it was years in coming. The .NET Foundation was never a transparent organization and this now is the consequences.

It is not how it looks for those still targeting Windows desktop, a maze of incompatible GUI frameworks each competing for dev attention and a stagnate UWP .NET tooling, lack of comprehension to understand what AOT means, isn't doing great.

Totally agree about Desktop Applications. On the other side, C# is becoming great language to develop for web applications with Asp.Net Core.

I'm currently a grudging newcomer to the .NET ecosystem because I need it for work. Stuff like this doesn't ease my feelings.

Why? Were you planning to contribute source code to the .NET Foundation?

When you invest work into a code-base that depends on something like .NET, you are taking up some stake in the community and ownership of that base. You do need at the very least security updates, but you also need support and documentation. It's hard to describe fully in words. And most of the time, you can't just switch that particular part of your stack overnight. I'd rather be stuck with a community that looks healthy.

And you can argue about the trade-offs of different "ownership structures", and compare for example the .NET foundation over the Django/Python foundation over whatever Java is currently doing.

Do not worry. .NET is a good choice independent of this hickup. The maintainer will change their foundation backing and the .NET Foundation will serve its original purpose: owning the core .NET runtime so AWS, Google, Samsung and Microsoft can take save bets on it.

JavaScript had it nodejs drama, Perl its community drama, Swift it's drop of support from IBM, the Linux Kernel has Linus, etc. They are still there and strong.

Let this fold out for a while and reassess it.

Well, I would never choose .NET if I had any choice. It's much too verbose and is dominated in terms of productivity by many other frameworks/ecosystems. Some people seem to enjoy it, and more power to them, but if I ask, they often haven't done much of anything else.

Hm, the reason I am still in .NET is that whenever I try to move to something else, the productivity suffers immeasurably:

- Most of the stuff outside of .NET, Java pair suffers from lack of refactoring tools, and are therefore unsuitable for sufficiently large projects. The exceptions are TypeScript (which is OKish, but lacks performance) and Go (which is tailored for web dev and has a few major drawbacks as programming language).

- Most non-dynamic languages apart from .NET, Java, and C++ have very limited debuggers.

Some leaders just need to issue “all hands” commands every now and then. These commands often make little sense to those at the receiving end. But those leaders need this to have their leader status confirmed. It serves also as proof of authority to their superiors.

This is particularly frustrating when an organisation switches leadership and goes from participative to hierarchical. I think this is what happened here: .NET Foundation leadership must have changed and with it came a new, hierarchical leadership style.

I don't know why this is down-voted. It happens literally in formerly open projects like Python:


Python is fully corporate now and free spirits have been removed.

That's just the release manager asking for help with getting the release out. The wording also strikes me as fairly playful (it's a maritime reference!) so I fail to see how that's "fully corporate" or makes python "formerly open".

This isn't a literal "I am your boss, you MUST work now", this is "hey, I'm the person who volunteered to get this release out, please help if you can!".

Apparently the view I voiced is controversial. I can see how some organisations vitally depend on a strong decision hierarchy. The military for example, or some startups. Someone running such an organisation will not be open to the view that such decisions can frustrating for their employees.

Does anyone else love these technology psycho-dramas? I really don't have a dog in this fight but I find myself following them more avidly than a netflix mini-series.

It is drama about people, power and emotions. People read books which are classified as drama. And honestly, this conversation is really civil (at least after moderation and ignoring everything which contains EEE and $ as a string) and therefore also a good read.

Can someone ELI5 why this is a big deal?

An open source umbrella organization pulled rank and the member projects are connecting the dots to see that Microsoft views them as unpaid employees.

No, it's not hyperbole. Go check the foundations website and you'll find that Microsoft has exclusive access to the highest level of power in the self-styled "independent" organization written right in to the bylaws.

Sigh. This isn't about Microsoft. It's about the .NET Foundation.

How are those two entities separate? MS has a non-removable seat on board and gets to appoint the director. I'm sure that DNF is seen as division from inside MS.

Because they are separate. Have you wanted the .NET Foundation and Microsoft interact?

Formally, yes. In reality though DNF is controlled by Microsoft through their pernament seat and an appointed director.

It was setup for failure. I am pretty sure this exclusive access thing was to protect core .NET not the community projects. But exactly that is a core mismatch between what the foundation is and what people expects.

The corporate hierarchical malarkey that gave Novotny the wherewithal and motivation to do this should be ripped out root and branch, as well as whatever specific job role that currently defines the executive directorship.

I'm not saying Novotny should be fired, simply that the Foundation has demonstrated a corporate behavior fundamentally at odds with its supposed reason for existence.

Respect for community and contributors was obviously not encoded into the design of the organization. That a board exists to rectify, rationalize, or abet mistakes isn't enough. They have to fix the root of the problem, which is that Novotny was able to do this at all. They need to make an explicit and ironclad promise to developers.

They allowed institutional structure to oppose their mission. That won't change with mere words and staffing shuffles.

I’m a bit alarmed by the many issues here. I’ve heard a lot from the maintainers but much from the foundation.

- continued lack of communication - for so many issues to occur to multiple parties paints a picture of it being routine - that no immediate reversals have happened with utmost immediacy - the ethos of the maturity model - the policies apparently being enforced - even now… - for calls to solve things privately

It’s culturally indicative of the foundation’s values whether they know it or not.

A healthy community is one where discussions happen in the open, good and bad.

This is not good, and I’d recommend the community coming together and maybe finding or forming an alternative - which is difficult I know.

I think apache.org could help here.

Yeah, the (continued) lack of communication is not great. But the timing is admittedly pretty poor for the .NET Foundation as well. They just brought on new board members this week. So delays are kinda' expected... but I would have communicated differently.

From the GitHub thread it seems like these projects willingly transferred the copyright to the DNF when they joined; is that not the case? If it is what grounds do they have for being upset?

Copyright is only with respect to the code.

What's being done here is changes to how the project is managed. Basically inserting an upper management over the heads of existing maintainers. AFAIK, this right was not given (or at least the maintainers did not intend to give) to the umbrella org.

Important to note, this extra layer was added without discussing it would be done before or after. The lack of communication eroded trust.

But if you gave away copyright you don't own the project any more. And if you don't own it, you don't own it…

The new owner can do further on how he pleases.

Sad in this case(es) but from a legal standpoint it's very likely like that, I guess (INAL).

Yeah, but a stupid owner does what they did as nuclear options, a smart owner has the power but never use them but convinces people and let them work loosely as long as this is possible.

This is a cooperate thinking applied to a foundation. Is a recipe for failure.

The copyright applies to the source code the copyright is written on. Lawyers then argue who owns the "project" (GitHub organization/repository). For example, the copyright is not applied to the issues in the issue tracker.

But the argument is about whether the .NET Foundation could do such a thing. The argument is whether they should. And, the .NET Foundation chooses that they should take over the projects, project maintainers can make different decisions themselves.

None of this has been decided yet.

I'm pretty sure the copyright is shared, at least that's how I've seen CLA's happen in the past, they grant joint ownership.

Some projects are "contribution" (like you describe) and some are "assignment" (.NET Foundation holds the copyright).

You willingly gave me the key to your garage so that I can mow your lawn with your lawnmower.

I used the key to steal your car.

Then you and I would probably no longer be friends.

They signed over Copyright.

Isn't a better analogy that they willingly gifted away their garage with everything in it under a _promise_ that they can still use the car?

Honestly, to me the only way out seems to exercise the licensee rights and fork.

Nitpick, but in general a verbal promise in exchange for something of value would be considered a legally binding contract in the US.

I think not just US, also Switzerland among other places. But either way, Copyright was signed over, and that has real implications. Although, in this case I gather that initially the Copyright owner for the given project was Microsoft, then some other foundation, and now .NET foundation. So, it's not like the maintenaners signed over anything they had, really. As sad as it is, legally it has never been theirs. Good thing the license protects some freedoms.

Forking is still one way this may resolve. The .NET Foundation can decide to provide other options.

I think if you read the blog post, it'll be clearer.

they didn't transfer copyright, they granted a nonexclusive license

Depends on the project.

So... about a decade ago, a guy was found guilty and convicted to 5 years in jail for unauthorized computer access because he scraped a data from open website (see this for details: https://www.zdnet.com/article/jury-convicts-hacker-over-at-t... ). Can somebody explain to me, why isn't foundation guilty of the same crime? Clearly, they were given an access so that they install a bot, not to take over the project.

Might be tangential but I have not seen a word addressing this fuckery from either Jon Galloway or Scott Hanselman or any of the "dev evangelist" type people. Weird

As far as I can tell, Jon and Scott are Microsoft dev evangelists. It really isn't their place to step into .NET Foundation issues.

It might be even more weird if they did try weigh in.

I think it is well established by now that this .NET Foundation is ultimately answerable to Microsoft. Also, Claire - who started the "kerfuffle" - is a Microsoft employee.

Given how especially Scott always has a big opinion about how great OSS is and how much Microsoft loves OSS, and given how it was ultimate MS employees that were responsible for creating this current distrust, I think it would be very appropriate for them to voice their opinion about this.

And, who knows, maybe they are doing something behind closed doors. But I very much doubt they'll embarrass their employer by speaking up in public. They know who pays their salary and are much to good at corporate politics to do that.

They’re long-time MS employees who know how to play the political game. Highly doubtful they do anything that put their cushy jobs at risk

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact