Seems like an innocent enough mistake. Remind me of when I once helped organize a volunteer hackathon with people from different companies. We created a Slack organization just for the occasion. At the end of the event, I was supposed to ask all attendees to delete all the data we had given them before they went home. The message I posted to #general (the channel everyone in a Slack organization is required to be in) with @everyone tagged was something to the effect of:
"Thank you everyone for contributing to our shared mission. When you are done with your work today, please delete all the data from your machines. Hope we see each other again soon!"
Slack gave me a dire warning that my message would send notifications to so many people across so many time zones. This didn't surprise me because attendees came from various countries for the event. So I dismissed it.
But I had accidentally sent it to my company's Slack organization instead of the hackathon-specific one. I didn't realize it until a co-worker sent me a private message asking why I had just tried to fire everyone at our company.
The real problem was that so many people felt the urge to reply to that PR making it so much worse than a single ping.
I can live with the random message that has nothing to do with me, but having to delete an endless stream of messages because so many people felt the need to reply already knowing that it would go out to everyone is really annoying
I happened to be hit by the Github incident. The worst is not the guy who made the mistake (happens) but the fools who hit Reply-All to first complain about spam and then to yell at each other to stop hitting Reply-All, making the problem exponentially worse ... facepalm
Oh and one has even posted a "goatse" image there ...
Happened in my wife’s company of around 40k people. Mail to all, replies to stop replying, many hours to stop the firestorm. Then next timezone 8 hours out started replying. I don’t know why they didn’t just kill permissions to the mailing list.
Similar thing happened at uni when I was doing a PhD.
The graduate office had some sort of mailing list which included all PhD students (or maybe even graduate students). There was maybe one mail a year to this list.
At some point someone replied to the list (don't ask why the allowed everyone to post), they want to be unsubscribe, trigger a torrent of emails of people wanting to unsubscribe, people telling people to use the link on the email, people asking why they get this email, others telling everyone to stop replying (the irony). It was a study of human psychology.
The whole thing lasted a week, I think in the end somebody was competent enough to restrict who could write to the list or maybe they just nuked the list.
I’ve seen this happen in some context at least once every five years throughout the 30 years of my career. The absolute best ones cause large scale incidents due to the volume of the messages. I always looked at it as a random celebration that brings all the trolls and introduces them to the idiots.
It's the "law" of numbers. 400k pings, even if only 1% clicked on the repo, and maybe 10% of them commented: that's 400 comments to make. Even on internal repos I've never seen productive discussion really happen past 50 or so comments.
And then the news broke out and that drove even more than 1% to check out the drama. Maybe even had some people sign up for Epic just to check it out.
All of those 400k people were notified because the author tagged a group containing 400k people. For every comment, 400k emails went out.
I never commented, but I received an email for every comment in that issue. The email queue was so backed up that I was receiving emails for quite some time after the issue was closed.
The worst is that it becomes clear eventually that people are responding just to troll.
The casual vandalism of hundreds of thousands of people’s time and attention is absolutely mind-boggling to me. I saw similar things at large (50k+ employees) companies when some reply-all chain got started — people who clearly knew better, replying just for the lulz.
If it were up to me, I would have fired them immediately. Nobody has the right to conscript other people into their personal sense of humor.
It's annoying to get useless email, but 95% of the non-spam email I receive everyday is useless crap: T&C changes, some company newsletter that somehow I never unsubscribed to, other notifications deemed so important I cannot unsubscribe to, a GitHub thread I subscribed to years ago and now has a very active discussion.
It's not like every single person received 400k emails in one go, it's 400k people receiving those 10 or 20 messages from the same thread over an hour. Annoying, waste of time, but not unheard of.
The attitude annoys me more than the actual effect.
I’d also fire someone who “trolled” the company by spraying graffiti on the side of the building. Trivial to remove or even ignore, yes, but the unprofessional and juvenile mindset, taking pleasure in annoying everyone else, is enraging all by itself even if no practical harm was done.
This is not an Epic employee that trolled the company.
This is random people on the Internet that probably didn't even know they were part of that notification group, as explained elsewhere in this thread, and then joked around a little longer than they should have. It might not been immediately clear to some that each of their responses was to be sent to all 400k.
Not at all the same crime as you paint it to be. In any case, there is no one that's fireable here, so no need to try looking for some kind of righteous justice here.
I don't think it's trolling, it's just having a lighthearted moment in an unexpected situation. You can't blame individuals for doing what they're supposed to do, i.e. replying to emails; at that point it's the moderators' jobs to kill mailing permissions or something.
>the unprofessional and juvenile mindset, taking pleasure in annoying everyone else, is enraging all by itself even if no practical harm was done.
People want GitHub to fix their system. Epic also has annoying process whereby you have to join their GitHub organization to access certain free tools, which is why they have a GitHub group with 400k people in the first place.
Edit: What great timing—someone just opened a new issue with the same tag. This needs to be fixed on GitHub’s end.
> If it were up to me, I would have fired them immediately. Nobody has the right to conscript other people into their personal sense of humor.
I’d just fire everyone with a sense of humor, that’ll show them.
I’ve heard some people spend whole minutes setting up a joke for the punchline. How many billions of dollars does that cost the economy each year one has to wonder.
I doubt it. If you look at the PR, it does not add any value at all, but introduces a mistake ("for our repositories"), plus the commit message is kind of strange.
I don't quite get the mindset here. I'm (slowly and lazily) learning a new language, and can't imagine going into some native speaker's repo and trying to correct it...
Blame the interviewers who require OSS contributions. Same with DigitalOcean and their "hacktobefest"¹, or whatever it's called. LKML is full of attempts at these. For some reason I remember a particular exchange (but it's quite typical) between Linus and some random 16 year old ESL student, who bugged Linus for days to accept his "typo fixes" (most of which weren't really typos), and Linus's replies in the manner of "lemme get right on that". From what I understand it's just something you have to deal with as a prominent OSS figure.
I am subscribed to the mailing list used to discuss development of the Django project. This is a very frequent occurrence. There is a constant stream of wannabe contributors that feel somehow inclined or compelled to ask the mailing list for a primer on contribution instead of reading the myriad disclaimers and existing documentation. It’s often obvious that they’re incredibly green behind the ears and barely know what Python or Django are, let alone how to use it. I personally find the combination of hubris and dishonesty jarring, though I appreciate that at the core of it is a cultural difference that I just don’t understand.
Bullshit. The number of jobs that require OSS contributions is minimal, and I've never seen that requirement for anything close to an entry-level job. This is people doing resume padding and making it worse for everyone: OSS contributors, interviewers and future candidates that don't engage in this spam.
And Hacktoberfest, before those incidents, was something for real OSS contributors. Not for spammers wanting a free T-shirt.
Blame the channels on Youtube that are teaching people to make inane contributions to game the system, the people spreading lies like "you need OSS contributions to get a job" and finally the people doing it. This is the reason we can't have nice things.
This kinda looks like an attempt to get a commit into a bigger open source repository. It'd look nice on a resume to say you "contributed to Unreal Engine on GitHub".
As someone who works with a lot of junior devs in India, I know the competition for early career roles in tech is immense, and so folks look at "open source contribution" as a "brownie point" to add in your resume. Having a "contributed to Unreal Engine" sounds great on paper and 3/5 companies would just take it at face-value and move this guy's resume higher up the stack.
And we have enough seasoned devs who try to be helpful to these junior folks and point out that the easiest way to get started in OSS is to provide/fix documentation for OSS since it's usually low barrier to entry + usually lacking in most OSS repos (The people praising the rr documentation is a great anecdote). But looks like the "quality" bit is lost in translation somewhere.
A company really wouldn't at least ask what the contributions were? What kind of 'competitive market' is it where you can lie so easily and get away with it?
When we hire people I usually check out the Person's github account and see for myself what the contributions were. For me it's more of a hint "these forked repos are worth a look". But that's because we are a small startup and everyone in the hiring pipeline knows how to use github. I can easily imagine that you can get some of the early filters in larger companies with meaningless OSS contributions because the people involved at that stage lack the knowledge or time to verify.
But that's so weird because even if that's on the resume, any interviewer would be interested in know what the contribution was. Maybe revealing that you only "fixed typos" would do more harm than good?
Depends on your level of honesty. Given that you're fixing typos to say that you contributed to a project, you'd probably double down and quote the number of PR (remember to only do 1 typo fix per PR) and then add a real bug you may have fixed or make one up.
Unfortunately the entire interview process is why I usually try to hire former co-workers.
I am in several communities that receive many users from the east and that is very common of them: absolute disregard for the rules, common courtesy or even common sense. If they want something, they will keep asking for it even if it's offtopic or even the wrong channel/group/forum/etc until they get it, regardless of whether they are disrupting ongoing conversations or whatever. I suppose that it's a cultural thing.
This reminds me of something that happened to me a couple of years ago, near the start of the pandemic and when we had recently switched from Skype for Business to Microsoft Teams.
I needed to set up a one-to-one Teams meeting with a colleague, so I hit the 'Schedule meeting' button, added my colleague as an attendee, filled in the meeting name, date and time.
I saw that Teams was asking me to select a channel. I didn't realise this was an optional field, so I just selected the General channel in my department's Teams channel. It seemed the most appropriate. And so I sent out the meeting invite, thinking it would only go to one colleague (the only one I had selected as a participant).
I realised something was wrong a few moments later when I started receiving out-of-office responses from people I didn't recognise. I checked the meeting invite in my sent folder and realised it had gone out to the entire department. Hundreds of people, including all the senior managers and even the CTO!
Turns out that when you specify a channel when creating a meeting in Teams, it also sends the meeting invite to everybody who has access to that channel which, in this case, was the entire department. There was no indication that this would happen, however.
Still, I learnt my lesson. Now I know not to select a channel when creating a Teams meeting.
I try to not mix work and personal content on the same laptop, I’ve seen too many glitches (although usually not quite that embarrassing). Slack has been my one exception (although only on my phone). Thanks for the valuable reminder.
> I try to not mix work and personal content on the same laptop
It's kind of jaw dropping to me at how this is still not the norm and how people gratuitously mix personal and work content on the same devices, both mobile and desktop.
Purchasing, carrying, and maintaining two devices is expensive, heavy, and tedious. Easy always beats safe. Not to mention that there may be significant overlap between work and play for some people. I code Magento (PHP) during the day and contribute to open source PHP efforts as a hobby. In which environment (work or personal) should my notes and bookmarks be?
When I have a company issued laptop I use two machines. When I don't, then I use two accounts on the same machine. Most Linux distros even allow fast account switching in different virtual consoles. I use a different background and panel color for the personal and work environments. It's not a perfect solution, but neither is separate devices.
My work and hobby life is completely entwined. I have one powerful machine and micromanage my time by switching between windows of work and leisure.
Add the fact that I do coding as work and video editing as a hobby which both need powerful machines, and it would be very stupid, unmanageable, and inconvenient to buy two MacBooks.
I remember when I worked at an Alphabet company and they offered the option of using your personal phone to sign in to work stuff. (It wasn't Slack, it was one of the seventeen different chat systems they had going at the time.)
There was a teensy-weensy little caveat: Google IT could wipe your personal device at any time!
That's... odd. Was this a long time ago? Because these days Android has work profiles that specifically exist to let you shove work stuff in its own separate space that can be managed separately from the rest of the device, and Google itself not using the feature that they built into the OS to support that exact situation would seem really weird.
Google does use Android work profiles - if you have an Android device. Unfortunately, iOS doesn't really have an equivalent concept (e: see comment below), so device-wide privileges are necessary there.
Everyone has their own level of comfort, of course. I've worked for two employers now whom I've given the power to erase my personal iPhone in exchange for the convenience of not needing to lug around a second phone.
Disclosure: I work at Google; opinions are my own.
Oh, thanks for the link. Looks like I'm out of date. Seems to be a relatively newish feature (~2020), but on the surface that does seem ideal. I haven't dug into the specifics, so I'm not sure if there's a gap preventing its use or if it's just a matter of priorities.
I don't have any real insight into this but my guess would be that enterprise stuff moves slowly and often has complaints about the new solution not having all the management features they used to use.
Yeah, it was a while ago, and it's possible that I could be remembering some details wrong. It just struck me as "no, I would rather carry a separate work phone if I have to."
That’s a widespread problem. I worked for a dramatically smaller IT firm and it also gave employees the opportunity to register their phones with the company’s Exchange service; when I asked my boss whether we should warn them about the power that gave us, he felt it would just cause unnecessary alarm.
well, probably, but maybe it meant that while it gave the power to do this he would never do it. However one should never say never in business, so maybe naive.
Umm, I remember a time when Personal Computers were seen as universal, do-it-all devices. And there was this expectation, you know, that your FOSS-OS will put all your security and privacy choices into your hand. That was roughly before folks took the red pill and went all-in on intransparent browser apps and would program their change-the-world app for themselves, to be released when ready. Unlike today where they flaunt non-novel, insignificant, uninspired crap on github.
I put a prepaid sim card in my old phone and use it exclusively for work 2fa. Now I can turn off that phone at my convenience and when this gig is over I can just switch to a new sim.
How so? Hopping around in your home network should not be possible by default and would be a gross overreach by any IT department, even beyond “you put data on this device and therefore we will search the entire thing”.
Indeed, my work laptop is heavily firewalled, always assumes to be on an unsafe network, and uses a vpn and zscaler. Say you are on an airport wifi - I wouldn't expect corporate IT to scan the neighboring devices. No way it's going to snoop around on my home network, that would just expose the machine.
Interesting perspective difference; I was referring to protecting the work computer from threats, not the home network from corporate. You must work at happy places…
Apparently you would also be surprised by how common it is to use a home printer, a home wifi access point, etc. and have IoT devices in the network. Corporate firewalls and scanners only protect against unauthorised connections and known threats; zero-day exploits can still be much more effective from a local network.
I have a pretty dim view of endpoint security, seeing it mostly as a thing that works against me rather than for me. I feel that any threat model that includes "zero-day exploits" is almost always poorly formed and sensationalist, rather than grounded in a genuine evaluation of security tradeoffs.
Many people are effectively sheep and will install a company app on their personal phone because "wow it's so convenient everything is all on one device".
That said ... employment is at-will, so there are no real rules here. It's not that different from if you sign up to be an Uber driver you're expected to have a car and a phone that you are willing to use for work, or you can't take the job. Nobody says it has to be the same device as the one you use for your personal email, it's just that you are expected to have a device for the job. So nothing legally prevents them from requiring you to have a device with the company apps on it, in return for you accepting some hopefully big enough salary.
For software engineering, if the salary is on the low end of market I expect work to buy me a work phone, if they require me to install any apps. If salary is on the high end, then I wouldn't fuss about it too much, I could just buy myself a separate personal phone for work with the pile of extra cash, but them buying me one would still be a nice, appreciated gesture.
There is no right, just a personal choice. If you have to lug around the company provided laptop if you want to check your work calendar/email/slack/whatever, you may start to consider using your personal device.
My solution to this is to have two separate accounts on my work laptop.
One for work, the other one for side projects, personal browser, courses, learning, etc.
As long as you're not doing anything illegal and are running on a non Administrator account, I think it is a good compromise vs having to carry a second laptop.
Your company likely has full access to that account and I would generally not recommend using any devices owned by your employer for side projects unless they specifically allow you to in some sort of legal contract that says something along the lines of them not owning everything you do on that account.
No, they don't. At my company we buy our own laptops, and we expense them. There is no VPN and no company owned software installed. And most of what we do is Open Source anyway.
> specifically allow you to in some sort of legal contract that says something along the lines of them not owning everything you do on that account
Not a problem, my side projects are just for learning purposes. They're open source, and most of them end up abandoned. I'm not running a side business on a company laptop, so they can own everything if they want, I'm fine with that.
Did the slack warning not tell you the number of people it was going to ping? At least nowadays it says something like "You're going to ping X people in Y timezones".
Right you are, yes, it was that same message. I suppose what I meant to convey is, "despite the thoughtful safeguards built into Slack, I still managed to screw this up." :) I really appreciate Slack and it is my preferred workplace communication platform, so I hope no one reads my anecdote as criticism of the product. I can't think of any way Slack itself could have done more to prevent my mistake.
As more context, I do remember thinking, "that X number seems higher than I would expect, but maybe we had a lot of folks who signed up for the event that didn't show." I worked at a small company so the size of the company was on the same order of magnitude as the number of invitees to the event (~100). I explained away the Y time zones because I knew some people traveled internationally. I was also operating on very little sleep, so that probably didn't help.
Well I used to have a gmail lab plugin which forced me into answering arithmetic questions when it was past 23 hours in my local time and I tried to send an e-mail
Free Code Camp had a bug in their email notification system several years back. I suspect they weren’t incrementing the index in their loop… Since I was the first person in the email list, I got an email for every person in their list. I had to shut my phone off, as the notifications were going out of control and couldn’t keep up.
Fun fact, Gmail caps threads at 100 messages. So I had a full page of 100 email long threads in gmail on my phone.
I did that exact bug once. But I didn't just get one email for each subscriber, since the index didn't increase the loop never terminated. Took me some time to actually kill the process (PHP script running at some provider back in the day). Got over a 100k emails to my Gmail, so much that my account crashed and it took a few days before I managed to log in again (got an error saying something went wrong when opening gmail in the browser). So at least then it was very possible to ddos someone's mailbox.
Yeah, pretty much. I forcefully shut my phone off, as I was unable to just get to the settings, and then was trying to DM the guy via Twitter to try and get it to stop. Eventually it did stop and he reached out to tell me what went wrong.
It's difficult to strike a balance between "Are you sure?" and a message describing precisely what you're going to do and why it's unusual in these warnings. Slack could include the org in their message though
The only notable thing here IMO is the lack of limits imposed by GitHub on notifications. Apparently a random tag of `@microsoft` in the comments was enough to notify 4000 people [1] as well.
I have no idea why the user is even being mentioned in this headline. I haven't used GitHub in a while, and am unfamiliar with orgs and subgroups, but tagging a developer subgroup on a PR seems...a reasonable thing for a new contributor to do? How is it their fault that the developer subgroup has been hijacked by this organization to mean "Anyone who has ever signed the Terms of Service To View Our Code"?
The correct thing for Epic Games to do here would be to rename the group to `@EpicGames/terms-of-service-signatories`, and restrict `@EpicGames/developers` to people who have requested access to open a PR. Assuming that people should magically know not to mention `@EpicGames/developers` in their PRs because Epic is doing some ToS shenanigans is preposterous.
I guess I'll be looking carefully at mentions the next time I have to use this social network [2] masquerading poorly as a code review tool to submit a pull request.
[2] Looking at the profile of the contributor making the PR tells me that GitHub has apparently decided to let their users independently rediscover the experience of SuperWall on Facebook circa 2007.
> How is it their fault that the developer subgroup has been hijacked by this organization to mean "Anyone who has ever signed the Terms of Service To View Our Code"?
I was wondering why on earth epic has 400k github accouns. This explains it.
People who blame that kid are ridiculous. People who are asking to punish him somehow are pathetic.
There should be no way to send any non-premoderated information to 400k people (from the system that has some trust and is unlikely to be filtered) - “spam” is the most innocent thing that might happen. It's just a fly you should ignore.
Political, religious, and radical extremist groups could use it for a much more dangerous impact. If it so incredibly easy to send a message to 400k users, malicious actors could find some more sophisticated ways to get an audience of millions of users for their needs.
agree, whatever that kid did, it is not as bad as the first commenter there spamming everyone knowingly. which is not as bad as the second commenter who is even less original yet still seeking attention, ad infinitum. the last commenter is the biggest jerk IMO.
The kid was annoying but if the discussion was closed and restricted immediately it wouldn't have amounted to much (Granted, it was a very late Saturday night for Epic's timezone, so I'm not surprised it lasted a few hours). The follow up is what made this headline news.
Now the dude who posted goatse and ruined the whole thing should be completely banned from Github. I guess I see why image uploads were restricted for so long there.
part of it is timing. This happened late Saturday night in America. If this happened during normal daytime hours it woulda been shut down in a few messages.
Also, I'm sure Github has spam filters itself, so obvious attempts at ads may not even make it to the PR discussion.
> How is it their fault that the developer subgroup has been hijacked by this organization to mean "Anyone who has ever signed the Terms of Service To View Our Code"?
Oh, but hijacking developer subgroups for almost anything is totally kosher in Github. They do it themselves. That's how you get into some of their private betas.
> I have no idea why the user is even being mentioned in this headline. I haven't used GitHub in a while, and am unfamiliar with orgs and subgroups, but tagging a developer subgroup on a PR seems...a reasonable thing for a new contributor to do? How is it their fault that the developer subgroup has been hijacked by this organization to mean "Anyone who has ever signed the Terms of Service To View Our Code"?
At mentioning all admins and developers in general on a PR is bad etiquette. Look at the title of the PR here as well. "Merge ASAP"? What kind of attitude is that? Github should have some controls on notifications as should Epic games in how they manage their groups, but this highlights bad etiquette.
> At mentioning all admins and developers in general on a PR is bad etiquette. Look at the title of the PR here as well. "Merge ASAP"?
I think this is highly dependent on your org. Usually you should look at previously merged PRs and follow what they were doing, if they mention admins/developers then it should be fine to do so.
I agree that with the admins ping and "merge ASAP" it seems that this particular PR is kind of terrible from an etiquette and usefulness perspective, but PRs with little usefulness and bad etiquette don't make it to the top of HN every day.
I am merely saying that the "sending notifications to 400k" people is a side effect that is entirely Epic Games' fault, not the author's.
>mentioning all admins and developers in general on a PR is bad etiquette.
I'm not trying to be argumentative, but why even is this? If you're trying to perform a pull request, is it not logical to ping the people who approve those requests?
Also, can you give an example of how one would perform a PR and follow this unwritten etiquette? I have only made a total of something like to PRs in GitHub, but I would like to stay on peoples good sides, if I can help it. I had no idea this was seen as some kind of obscenity.
I assume you work in tech. Let's say you work at Netflix, are you pinging anyone and everyone to review each PR you make or are you assigning a few reviewers (or better yet, does it just auto assign owners based on CODEOWNERS)? Are you titling your PRs this way? How do you describe the changes?
Now imagine, everyone at Netflix made PRs the same way this author did. How do we make sure there is not a lot of noise? How do we collaborate well together?
I don't think you are being argumentative. I definitely think Epic games is at fault here, and that this points to issues in how they've setup teams and lack of guard rails on Github's part in terms of spam protection. But separate to this, the author's behaviour is not what I would want at a workplace I am at.
The kid is barely 18. The emotion and stress resulting from mistakenly sending a notification to 400,000 is likely overwhelming. Now his real name is going to stay at the center of the internet for a while thanks to being 1st on HN. I would definitely not have coped well with that much internet attention at his age. Some Github replies are more immature than the initial action and I hope he does not receive any threat.
I hope the Epic developers reach out to him nicely with constructive feedback and maybe a thanks for his well-meaning PR.
> The kid is barely 18. The emotion and stress resulting from mistakenly sending a notification to 400,000 is likely overwhelming.
Huh? I don't think it's "the kid"'s fault that some random organization is using GitHub orgs as a proxy to get people to sign their Terms of Service. If the org or group is on GitHub, it's only a matter of time before someone is going to mention it.
The emotion and stress should be on the org admins who thought that asking every user who signs their ToS to a group called `developers` would be a good idea.
I don't think the parent commenter was arguing that the creator of the PR is to blame. But even they're not to blame, it's probably not a pleasant experience.
I disagree, the PR is some pointless wordsmithing and then to comment "Verify the pull request and merge asap" is a bit ridiculous. Also, no one is going to care in a day.
> An email requesting system access went out to all employees . It triggered a reply to all frenzy that resulted in my blackberry pinging constantly for over an hour with people replying-to-all asking to be removed from the distribution list. Even Mike Lazaridis replied to all asking this to be stopped. Then as different parts of the globe started work, they would reply to all. Classic evening. I think system admins eventually shut down the frenzy at server level. Some of the replies were hilarious though. I think I still have some screenshots somewhere.
> Verify the pull request and merge asap" is a bit ridiculous
I see you're not familiar with Indian-English. What he said sounds quite "reasonable" (if not a bit unnecessarily, but understandably urgent) to someone like me (am Indian).
Downvoting folks aren't understanding the context.
Understandable is in the Indian context. Generally a lot of things in India are slow/delayed so it's pretty common for people to want everything "fast" (which is probably "regular speed" in the US etc). I agree the content is hardly urgent, but for an Indian everything is urgent.
It is not reasonable at all for "non-Indian" English -- still that would perhaps be a reasonable explanation, just he should learn it is not reasonable.
The patch itself is indeed worse than useless, it's the kind of rephrasing just to say "I did something", but which actually makes it worse (adds useless words and English mistakes). If the "kid" is ready to send this kind of useless "contribution" (which takes some deliberate effort), they surely are ready for being reprimanded (or, more likely, they will be actually proud of it).
Either way, it's pointless to "reprimand" the perpetrator. This could have just as well been a deliberate spam attack eg. someone using the @-mention to promote their scam-coin or penis enlargement product (and some people in the thread seem to have already used the opportunity to promote their band etc.) Telling a spammer they are doing an evil thing is obviously useless as they are well aware of it. This should be viewed and handled as a security / access control failing on Epic's part - that this was ever possible was a mistake and only a question of timing when someone would stumble upon the vulnerability. Whether their purposes for exploiting it are nefarious, sincere or even accidental is irrelevant.
On the one hand, I agree that paying attention to the spammer is bad; on the other, I do believe there might be some use in publicly stating that such PRs will never be merged and are frowned upon; hopefully other people reading (many of them likely beginner programmers) will get the message.
But there's likely a better way to do the "teaching" without drawing any attention to the perpetrator.
Some have speculated based on the changes that it was not a well-meaning PR, that it was just an attempt to game the system (similar to what hordes of people do on Hacktoberfest). Of course it's hard to know
Does it actually matter? Like even if the PR is bad / the request to merge was demanding, I don’t think that justifies the response, which I guess was roughly the expected response to a the PR times 400k (plus network effects). I’m not convinced that the people responding can use the same excuse for their immaturity but maybe they should not be expected to be mature given the trivial requirements for becoming members of that org.
Speculating or repeating speculations on why he did this is not moving the ball forward at this point. It has been a harmless event so far. Github is now aware of an issue that would have come up eventually anyway and they can add future warnings when notifying >10,000 people, Epic can update the structure/permissions of their Github org, and the kid can keep his passion for tech intact. Win-win-win.
But also, this is a random comment thread on an unrelated site, no one here needs to "move the ball forward". Let people speculate, it makes no fucking difference.
> The kid is barely 18. The emotion and stress resulting from mistakenly sending...
Look at the actual contents of the PR. This wasn't an attempt to contribute anything remotely meaningful. It's not quite vandalism yet either, but only because it didn't do any harm.
Seems like he is trying to increase his reputation with minimal effort, see all the badges collected in his profile. It's the usual social network effect, and the same reason HN doesn't have notifications or actually relevant karma. Microsoft wanted a new social network, there they have their community of naive gamblers.
Yeah I’m sure they’ll institute some kind of control to make this sort of thing harder, but honestly I’ve never understood why people get so worked up about this sort of thing. It makes me chuckle. The person looks like a dummy or a shit-stirrer and a lot of people have to delete HUNDREDS (oh my) of messages and have LITERAL MINUTES of their time wasted. The megacorp I work for wastes more of my time with silly self-congratulatory org-wide emails about business deals and fake benefits like seminars on retirement planning for dummies.
I love me a good bedlam drama. One of the commenters on the PR had the best take: “I just wasted 2 minutes of my life I'll never get back.” The ones with the scorched earth PUNISH HIM attitude need to chill the hell out.
Yeah. Also their real names and them being immature and getting angry also went out to 400k people and is now effectively part of history. That's probably even worse than being the kid who did this, what if a future employer comes across this?
friendly reminder: 400k is an apertif for a competently configured production postfix server. its about 14 seconds of mail, and about 8 seconds optimized at hw and filesystem level.
the real issue here is shitty projects from shitty companies.
Yes but that’s on top of what GitHub is already sending, plus it must be multiplied by the number of comments left on top of that. It feels like 35 straight minutes of 100% usage isn’t great on any system. It presumably sent 61 million emails.
> Yes but that’s on top of what GitHub is already sending
When you send at the volume someone like GitHub sends, you will always see peaks and valleys in your sending patterns that are much larger than 400k. It might cause an issue if they were already under peak load, but even then it would just take a bit longer.
There was a thundering herd e-mail at Amazon about 10 years ago that I’ve heard stories about. It went on for days. There’s a funny internal talk with lots of data about it, maybe it’s on YouTube by now…
Looking around, everyone has a story like this, so I don't want to just pile on with my similar experience at Verizon. But what stood out at me there was the low quality responses from low-level managers in far parts of the world, demanding, by the power vested in them, to be taken off the email chain... you know... IMMEDIATELY!
Yeah that is one thing that I remember from one or two that I was copied into in roughly 2000s with more than 200,000 CCed. Mini-kings and also people with enough technical skills to know better keeping the threads alive and flooding the Exchange servers woldwide for days.
This happened at all my previous employers at one point or another. Most famously a thread about unsubscribing from a mailing list that nobody really knew about but had everyone in the company on it. For weeks there'd be some random field sales guy or a marketing person in random parts of the world replying all.
Something similar happened at Cisco something like maybe 5 years ago? Someone sent the Bay Area employees or whatever list (probably at least some tens of thousands of employees) an ask for a cook/chef they could hire to make meals for their family, IIRC. I think the reply-all's happened all week.
And Apple in 1991 [1]. It's a very fun story actually, good read if you're in the business of writing "reliable" or "recoverable" software (aka pretty much everyone). A bad design choice in sendmail caused a cascading explosion of emails. I also highly recommend reading the rest of the book (?), the Unix Hater's Handbook is a wonderful bit of history and discussion of the design issues of the NIXs we all know and love/hate today.
Compaq in the mid 90s on banyan vines a friend leaving the company sent a company wide email listing his house. It wasn't supposed to be possible to email *
When i worked at the NIH, a couple times an entire institute was accidentally cc'd instead of bcc'd on an email, and for weeks after the chain would continue, consisting only of people writing "please stop responding to this chain". I don't know what you do for that...
Would that happen to be the "wallet" incident? It was slightly before my time, but I also heard legends of it. During my time there, any email thread that looked headed for another reply-all storm had people replying-all to it with simply the word "wallet", apparently in an attempt to deliberately cause chaos.
> notifications are going to be scrutinized more in the future, from this point on.
This already happened with github & epic & unreal when it first did this organisation setup.
So, given no solution appeared after exact same incident, I wouldn't hold my breath
Something like this happened at my university a number of years ago. There was a side entrance that was ostensibly for usage by people with bikes (as it was part of the bike storage area), but it was much more convenient than the main entrance and all you had to do to get access was ask at the security desk. So anyway basically everyone on this campus with 10k+ students and more staff had access to the side entrance.
What everyone didn't know was that when you were granted access to this entrance, you were also added to the "bike storage mailing list". Long story short, at some point someone accidentally sent a message to the entire mailing list of ~100k people, which kicked off a long string off people reply-all'ing asking to be taken off said mailing list ("I don't even own a bike why am I on this mailing list"), which caused even more people to reply ("stop reply-all'ing for the love of god!"). I think there were 500 emails in my inbox from that by the end of the day.
Anyone could have done this by mistake, all it'd take is being a bit tired and @ing the wrong group.
The question is - why doesn't the platform warn you that you're going to send notifications to a large number of people in the same way that many email clients do?
Regardless of the mass notification or a bad quality PR - you don't just remove someone from a major internet platform like this, it's an inhumane response to someone making a mistake.
Not to mention it's just a notification, who really cares unless it happens all the time which is just more of an argument to fix the platform behaviour. Some people are so high and mighty.
If it's possible for somebody to unintentionally piss off hundreds of thousands of people, that's not the person's fault. It's the system's. The internet allows proliferation of information at scale and speeds that can be disasterous if left unchecked
I was 'removed from an internet platform' when I was a kid inadvertently breaking the rules by posting off-topic threads in the wrong Sci-Fi community subforum. So apparently we do just do it.
Totally excessive. In my opinion, people should treat this incident with the "blameless post mortem" mentality in mind.
Don't blame the individual for an innocent mistake (we don't know if he knew that it would trigger 400k notifications). He is young and might be inexperienced, so we should be forgiving.
Think about why the system is set up in a way that an untrusted contributor can trigger so many notifications with a PR that is of little value.
That is a much harder problem to solve, so that is why some people go to the easy solution ("ban him, he is an evil bad person, gross social misconduct").
The people who call for his ban in that thread should at least be consistent and call for banning themselves as well, because with their reply they just did the same thing.
Some people just want to be outraged for the sake of being outraged. Looking at the persons who wants the kid to be banned GH profile - I would not expect any other reaction.
Or in the way that `rn` used to do when posting to Usenet:
> This program posts news to thousands of machines throughout the entire civilized world. Your message will cost the net hundreds if not thousands of dollars to send everywhere. Please be sure you know what you are doing.
> The question is - why doesn't the platform warn you that you're going to send notifications to a large number of people in the same way that many email clients do?
The real question is why is it allowed to send at all? Depending on human judgment to stop spamming is a poor decision because bad actors don't care. I discovered this and GitHub s hilariously terrible setup a week ago when another large repository became a spam source and GitHub offered no easy way to unsubscribe.
They require you to acknowledge some terms that grant you access to the Unreal Engine source code. They grant it by adding you to their GitHub org which has the engine source code as a private repo.
Is it? How else do you selectively grant access to a repo? Orgs are the normal way, it's just not normal to have a project which is proprietary and somewhat private but available to 400k people.
Github just needs to rethink how tagging all users works and a way to prevent this.
I accepted those terms, and was added to Unreal's repo, but didn't get a notification. I think the mentioned group is some subset of the repo users, but 400k is such a big number that I'm not sure who they could be.
Unreal engine is open source but in a private GitHub repo. Anyone can link their GitHub account with their epic games account which adds them to the team.
That's a misleading, obfuscating way to make the difference. I guess the OP means an OSI-approved licence.
If you write your own licence (not recommended, but some developers and especially corporations do) it could be even fully compliant, but not approved.
"open source" and "free software" are two words for the exact same thing.
Both of them are pretty poor descriptors. "open source" doesn't convey the legal freedom you are granted (as you have just found out), and "free software" makes it sound like it's just about price.
If someone lets you see source code but doesn't allow you to do anything with that code it's not what people would call "open source", you could probably call it source-available or something. "open source" has a specific legal definition that means code released with a permissive license.
If you read the page you linked more carefully, you will see that OSI does not own a valid trademark for "Open Source", only for "Open Source Initiative".
OSI in fact tried to file for a trademark on 'Open Source' in 1999 [1], but failed because the term is 'too descriptive'.
You can download it via Epic Game Store without joining the org. Github organization is for contribution from non-employees as well as source code for various projects (like engine demos).
Only for those still using Windows. The head of Epic has some bizarre complex against Linux, so they refuse to release binaries (or the Epic Game Store at all) for Linux. So the only way to install Unreal Engine is to link your Github account to their org, clone it, then build it from source. Which takes a few hours and something like 70gb of disk space while building.
Huh. And yet why is that sort of annoying forced registration not considered 'antisocial', but this accidental tagging is resulting in calls for the poster to be banned?
They sell it (access to the source for the engine) under a commercial license. They were going to have _some_ sort of registration system, so that they can make sure everyone who downloads it paid for it. They reused GitHub for both distribution and registration.
Access to the UE4 source code is free. They probably sell licenses that let you do more than the free license, but the Github thing is not used to gate purchases. I don't know why they do it like this to be honest, they could just put the free license in the repo, that's pretty common practice.
Because it's not a free license. Once you get a million dollars or so in revenue, they take a substantial cut.
The idea is that nobody is going to get a million dollars in revenue from a game without being visible enough that Epic's receivables department can bill you. So they can ignore the 99.99% who download it and never get a hit.
I'm amazed that 400,000 people have downloaded Unreal Engine, though. It's really complicated, hard to use, takes hours to compile, and is only worth the trouble if you're making an elaborate 3D game. Not that many people do that.
This is just arguing semantics. You don't have to pay anything for the initial download, so there is no legal reason for this. They could just public the repo and put their license (including the $1MM+ royalties) in a LICENSE file.
I suspect the "real" reason for the current rigamarole is to get your details for their marketing team.
Oh, interesting. I thought you could download binaries for free and source access cost extra. I’ve never used it, so I suppose whatever story I read about it was less clear than I thought.
Looking at the content of the OP and the PRs you linked, my first thought is "Is it Hacktoberfest[1] already?". I mean, seriously, what's up with the such low quality PRs? Is it common to have people spamming repos with trivial changes absent some sort of incentive?
Sometimes fixing a typo would be a new coder’s first open source commit. It’s pretty stupid to assume every new PR would be a major new feature or bug fix. It makes OSS unnecessarily hostile to get into.
Although this commit in question isn’t even that sadly.
The problem here is that they’re not even trying. How can they not know that such PR would never be merged? For this reason I don’t think public contributions are why they send the PRs
The main repo I work on for my job is open-source, and yes, it happens fairly regularly that someone opens a nonsensical PR that might randomly perturb some Markdown or YAML file, or attempt to merge commits from some other developer's in-progress branch.
I'd say we only get them about once every week or so, but then the repo is not anywhere near as high-profile as the Unreal Engine, nor as likely to be on the radar of children.
It's just very common GitHub spam/abuse. Suspect these are automated accounts trying to look legitimate by doing legitimate-ish things (e.g. cryptocurrency mining via PRs that require one-time approval).
I would suppose some video aimed at schoolchildren teaching them how to use GitHub has gone viral and they’re taking baby steps. At least that what I think is most likely.
The problem here is that GitHub allows this - anyone could have taken advantage of it. I don't know if the guy did it deliberately or accidentally, but that's beside the point.
GitHub are in effect operating a spam relay by permitting anyone to email 400k people. I don't know what the solution is - whether it's limiting team sizes, or adding restrictions that only org admins can trigger such notifications when there are so many members. But if the underlying problem is not fixed, this will happen again.
> Lock it. Lock it now. This is the friendliest message I'm going to send, while I look for ways to get OP banned from Github for gross social misconduct. I imagine that "owner of bots universe" might be enough to get that account tagged as a bot, who knows how many communities across however many repositories that person just bothered across all of Github.
Wasn't the message send as in innocent mistake? Why is this man adding fuel to the fire (sharpening his pitchfork?). Did I miss something about this?
The original PR did nothing but add grammar errors to the README, with a mismatching PR description and title, then demanded that it actually be merged. I read this as a way to waste people's time, from there it's just a question of how many people. This user's bad intentions colour their entire interaction, both the deliberate and accidental parts, because this accident would not have happened if they weren't screwing around in the first place. If the PR were real, it should be treated as a teaching moment instead. If it were a PR made for learning purposes that was accidentally posted publicly, they wouldn't have demanded a merge.
The PR is still from a kid, who is likely figuring things out and looking at his commit history, I don't see any similar commits in other high profile projects. I agree it is a useless PR but the best thing here is to tell him not to do it and move on. Calling for a ban is excessive.
Ok! I'm sorry that I didn't look at the PR itself. I get a lot of these on my projects, mostly from kids/students who I think just want to look like they want to build "reputation" and say they've contributed to n open source projects.
However I still suspect the notification was unintended.
> Perfect for gorgeous looks, can push asap @EpicGames/artv2-admin @EpicGames/developers @EpicTeamAdmin
The entire diff of the PR is:
diff --git a/README.md b/README.md
index b0b4f5d..61b95bb 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,18 @@
# Epic Games
+<div align="center">
+ <img src="https://cdn2.unrealengine.com/Epic+Games+Node%2Fxlarge_whitetext_blackback_epiclogo_504x512_1529964470588-503x512-ac795e81c54b27aaa2e196456dd307bfe4ca3ca4.jpg" width="20%" min-width="100px" />
+</div>
+
Unreal Engine is now [free](https://www.unrealengine.com/blog/ue4-is-free)!
-To access our repositories, sign up for a free account at [UnrealEngine.com](https://www.unrealengine.com) and register your GitHub ID using [these instructions](https://www.unrealengine.com/ue4-on-github).
+To gain access for our repositories, sign up a free account on [UnrealEngine.com](https://www.unrealengine.com) and register your GitHub ID using [these instructions](https://www.unrealengine.com/ue4-on-github).
-After that, you can find our repositories here:
+After that, you may able to find our repositories here:
* [Unreal Engine](https://github.com/EpicGames/UnrealEngine)
* [Unreal Tournament](https://github.com/EpicGames/UnrealTournament)
(Note that you must be signed into GitHub for these links to work.)
+
+Have Fun !!
Is, according to their github page, a nary 18 years old.
One cannot say in good faith that they were a beacon of perfect judgement at 18. Anyone who says so is either looking to buy or sell a bridge in New York.
The delta between good and bad faith/intentions on the internet may be much larger than the delta between me at 18 and me at 44. There's also very bright 18 year olds contributing usefully to GitHub repositories. So, for me personally, the recurring assertion that they are "only" 18yo doesn't do much for me.
Being bright doesn't make you infallible. I was contributing to lots of things at 18, including digging into kernel debugging in ubuntu. That did not stop me from making occasionally poor choices with consequences much larger than I realized.
Being 18 means being given the benefit of the doubt that your actions are at least an attempt at good faith.
> Is, according to their github page, a nary 18 years old.
Stop posting this like an average 18 year old is supposed to be an idiot like OP. This is the age people get drafted, can start drinking alcohol, marry and start being adults.
Nit: in the US you can't drink alcohol at 18. I know in other countries that's not the case. Also another nit: the user's birth date does not check out to be 18, so his age is not entirely clear.
> Is, according to their github page, a nary 18 years old.
a bit further down he actually proclaims being born 11/11/2004, making him just 17. No idea why he has 18 y/o in his user description, not that it'd make a difference tho.
Every large org I've ever been at has had someone reply-all to a company-wide mailing list and then promptly spawn a flood of more company-wide reply-alls. Slack's @channel/@here has made this even worse. On a good day, people have a laugh, tell them not to do it again, and we all move on. The only difference here is that it's in public on github.
I suspect there's some psychological phenomenon that convinces people that norms expected of them have somehow been broken because of the chaos.
I agree. Even if it's possible there was mischievous intent here I feel like the configuration issue or something being used in a way it shouldn't be is the real story here.
Fun fact: at some point I wrote @param in a PR comment, talking about a parameter's doc. I only realized after posting that there was an actual user named @param.
I am @3x and I get ~10 notifications a day of people mentioning me in PRs and issues. Whenever anyone writes the name of a file containing `@3x`, which is commonly used for hi-res assets, I get a notification. I quickly learned to turn off email notifications!
I had to turn off my paypal.me because I naively picked a number for a username and people kept putting that number in the send-to-username field and sent me free money, which they always tried to refund later, getting me stuck dealing with PayPal's customer service through no fault of mine. I would explain to them that I didn't ask for the money, I do not want to keep the money, and I am not accusing the sender of scamming. Sometimes I was able to refund instantly but depending on the sender and payment method, PayPal had to get involved for weeks of back and forth.
I honestly don't see what's the big deal, and, if anything, why this isn't grossly abused all the time. I mean, that's just how Github works, isn't it? Anyone can tag anyone, uh, yeah, ok, whatever. Looks like an intended feature to me. Does Github have problems with sending 400k notifications at once? Doesn't look like that, but if it did, I guess they shouldn't have implemented such a feature, or allowed 400k users to sign up. Someone sent you, or 10, or 400k people a message they are not interested in? Well, yeah, I guess that's pretty much the essence of internet messaging (or human communication in general), it happens to everyone daily. So, what's the problem?
It's somewhat unique because of the odd situation the UE org is in. It isn't an internal company org, you get invited after accepting their terms and conditions which grants you access to the source code. Which means literally anyone can join this org and then ping 400k users. I'm not sure there is any other org/repo which this is possible.
Yes it is expected behavior but its the scale and particular nature here that has turned expected behavior in to a dangerous tool.
Man it's still ongoing, and now the trolls have discovered it. The original thread somehow managed to crash my iphone due to the sheer number of replies.
Amazing GH even made this possible. Not sure if there's also a data leak, I notice my email was CCed, not BCCed. Now they've managed to email nearly half a million people, this could go on for ages as idiots keep responding to the original chains.
Wonder if EpicGames should temporarily mark their account as private till this gets sorted out. Glad I'm not the guy at the end of the phone trying to sort this car crash out.
It doesn’t really fix the “vulnerability” though? Some other jerk can open a new PR and tag everyone again. Or just tag @EpicGames/developers elsewhere, no PR needed.
Teams can be secret. This might be a secret team to begin with? Anyway, I highly doubt they deleted the team since it’s used as an authorization mechanism.
The thing that gets me, as discussed in this thread, is that the solution is often just super easy. Literally just pop up a modal when the recipient list is above 1,000 users that says “You’re about to send this to X,000 users, Are You Sure?”
Adding that check to every incoming comment in a large scale system and adding the previously nonexistent interactive UI for it is far from “super easy”. This is not a Todo MVC. There must be a thousand higher impact stories that are better targets of engineering time (unless this form of trolling become a new pastime).
In addition, there are lots of actually malicious skids you can’t stop by asking nicely.
Maybe this is annoying, but at least this came from something innocuous. A scammer could have very well used this to do something much worse - be thankful it was a mistake that did this!
From what it looks like it's a brand new coder. I hope he sticks with it, because this will be one hell of a story he can tell...
My freshman class (~4000) at university was sent an email by administrators via the freshman class mailing list. Someone replied, which lead to their email being sent to the entire mailing list... another email asking to be removed from the mailing list, etc, suddenly everyone was hit by a deluge of hundreds of emails asking to be removed.
Getting real flashbacks to that from the snarky / annoyed comments on this :)
When we migrated from on-premises Microsoft Exchange to Office 365, the default "reply" button in OWA was switched from reply-to-one to "reply all".
After the CEO sent the first all-staff email on the new platform, we had at least three highly
regrettable replies copied to the whole organisation, including one disclosing very confidential information intended only for the CEO.
I had this happen at my job maybe six months ago? It was surreal because I'm young enough that I knew the trope from TV shows and stuff from the late 90s/early 2000s of people not knowing when to use "reply" instead of "reply all" but never actually had to deal with it by the time I grew up and starting working.
The only thing more amusing than all of the people replying asking to be taken off the list is all the people who reply to tell everyone else to stop replying, as if that would solve the problem instead of making it worse.
> The only thing more amusing than all of the people replying asking to be taken off the list is all the people who reply to tell everyone else to stop replying, as if that would solve the problem instead of making it worse.
There's a very good chance that those replies are reducing the flood, assuming they're nowhere near a majority.
Hehe when I was an intern working on a big chemical industry site someone also accidentally reply-alled a plant-wide safety mailing list.
This quickly started a similar deluge of mails until someone high up the chain of command all-caps yelled "NO MORE REPLYING ON THIS MAIL, OR IT WILL BE AN HR VISIT FOR YOU"
So apparently https://github.com/orgs/EpicGames/teams/developers is a private group where anyone who wants to see the Unreal Engine source code has to join.
Do you have to be a member of a group to send out notifications for mentions? If so, this guy did nothing wrong (besides the useless PR and his "fix this asap" attitude) - it's Epic misusing a GitHub feature. Sending notifications for mentions of _your_ team sounds like the reasonable default.
GitHub has a public option for repositories which would have allowed anyone to see the source code, but instead EpicGames wanted to collect more private information on anyone that wanted to see the source code, and now they have a PR problem because of it.
They wanted a signed ToS because it is only ‘source available’.
Maybe GitHub just was not the best way to make a large readonky non-open source codebase available
Slightly OT, but it's always been weird to me how Epic requires you to add yourself to their organization on GitHub before you can access the Unreal source. I don't see how it serves any real authentication purpose; anyone can get added to it, and anyway, it's not like the code is secret when 400k people are on there
I got curious and just found PR #20, which made me think this scheme gives Epic a way to hitch onto GitHub's management of export controls. I.e., if you're in a country to which US companies aren't allowed to disclose software, GitHub likely has this figured out, and by Epic requiring a GitHub account, they don't have to figure out all the rules and regulations themselves (again).
Interesting. I'm sure it's still trivial for people in those countries to still get the code, but maybe it's sufficiently distanced from Epic's reasonable ability to control things that they're in the clear legally?
It's not really authentication. Rather, a way of saying "yeah, I agree to the terms yadda yadda". Seeing how there's no other way of handling it right now, they're using what tools they have
Anecdotal: I participated in the reddit secret santa back in ... 2012?! and we all "won" a certificate from guinness records. Except ... that you still had to buy it as a physical copy. And so some poor marketing person from guinness sent this email to all the participants - no bcc, not even cc. And then the frist person replied. Another. And another. It was a party.
So guinness issued an apology (and hopefully didn't fire the person). And we got the certificates - as far as i remember - just for shipping and handling. Yay.
Years later, people on the list still write to "all" - its a weird group, with secret giving in common but nothing else. I wonder if anyone from this list is lurking here ...
Is there a warning when someone @ a huge number of users?
Actually if one is never supposed to send notification to a large group, what's the point of creating such a group? I assume that maybe there is some admin value but then again the admin will trigger a notification storm, no?
This at tagging thing is sorta dumb anyway. Its a bandaid on the lack of reasonable user notification add/remove controls.
I made the mistake a few months back of saying something like "and if you use our @corp.com email address the internal filter does X", and the stupid "chat" program proceeded to ignore the .com part and notify the entire company of a small tech discussion on my team.
I believe the notification did not get sent out for the first PR until a comment was posted on it (the PR was opened 2 days ago).
I think the top commenter on this thread (Rob) may not realize his comment is the one that is triggering the first wave of notifications, based on his choice of sound effect.
Well, this isn't the first time something like this happened. Last time I wanted to try out Unreal engine things where much worse, I received a notification (every?) time someone forked the UnrealEngine repository. Not only that I was automatically subscribed to the notifications of those forks. That was in 2016. Size of group was probably smaller than 400k at that time, not sure if notifications and autosubscribe went every fork->every member but plenty of people where complaining about it. From the dates it lasted at least for 2 days if not week and I think ended up leaving the group before it got fixed.
Some people have their email set to live ping which would make it much more annoying. I imagine it also cost a small fortune for Github to send this many emails.
> Some people have their email set to live ping which would make it much more annoying.
That sounds like a "those people" problem. We don't hold people who use door knobs to account for the sake of a small number of people who like to lick door knobs and then get sick.
> I imagine it also cost a small fortune for Github to send this many emails.
That sounds like a problem for Github for not implementing any kind of checks and balances on their perfectly open feature if for some reason sending emails is expensive for them.
That’s not the kiddo’s fault.
GitHub should have a feature when you tag a group, it should show how many people will be notified and ask for confirmation.
Anyone will be afraid if they see a warning like “This message will notify 400k people. Are you sure?”
Why would GitHub let a random person notify 400k people? Maybe I'm not fully understanding this. I've never really looked into limits around @'ing people. Could I just open a random PR and @EpicGames/developers to notify 400k people just to annoy them? Why doesn't this happen non-stop?
I think my most cringe-inducing story (of this kind) is receiving an 'is this thing working?' email test from a sender, identified by name, at a professional sports team (probably you've heard of the team). I didn't know the sender and had no work or business connection to the team - they seemed to have sent it to everyone in their customer database, which I guess is > 1 million. I felt so bad for the sender. (And also for whoever made that possible!)
Come to think of it, I don't recall any reply-all responses, so they must have effectively bcc'd everyone at least. Thank goodness! I can't even imagine ...
Looks like the OP is an 18 year old, this is a mistake that anyone could have made and it's certainly not their fault. Scrolling through the comments, some of the behaviour by other users is absolutely appauling. Shout out to this user: https://github.com/EpicGames/Signup/pull/24#issuecomment-114... for the worst possible response to an accident like this.
Do we have any estimates how many emails github sends every day? 400k might be a rather unnoticable increase on a global level?
Edit: Of course if dozens or even hundreds of replies "Why am I on this list?", "Please (do what I say not what do) stop replying" go to 400k again then it gets "interesting". Could not see from the submission or discussion whether that happened. I think it should not happen by default or what kind of Reply-To: those messages have?
The problem is that GitHub's default subscription behavior is terrible. Unless the repo is mine or my account is directly @'d I shouldn't receive anything.
I don’t necessarily agree. For example, I work in some OSS projects where the core maintainers are in a GH group, and the group is just pinged if their feedback is needed on a decision/conversation/PR. Only a couple dozen people in the group, and it gets maybe 3-4 notifications a day. Easy to ignore if I’m not needed.
It seems like teams of 400k people aren’t quite within the spirit of the intended feature!
There have been more PRs created with the same tagging and apparently, you can’t unsubscribe from individual PR notifications or taggings of organizations. That is what this is all about.
There was another PR created in the repo tagging the same group which someone posted a shock porn image to, which happened to embed and display in Gmail when I opened the notification email.
We use slack internally where I work. There is a somewhat unwritten rule that you should not use @here or equivalent as a general user. There are a few cases where it's ok to if you really have something for everyone in the channel ( Aka don't run this it's broken type stuff ...) so some channels leave @here enabled. Still, I go From mildly amused to feeling sorry for the unsuspecting newbie who didn't look at the size of the channel and think: Do 4k people really need to hear about my problem?
Poor kid and a good lesson learned. Hope he doesn't get demotivated because of it. It reminds me of the old "everyone@company" email threads that would flood everyone.
I was on the receiving end of this. The notifications continued to pour in for another few minutes after I unsubscribed from the thread, totaling 104 by the time the madness stopped.
It does but each comment adds 400k emails to the queue before you, so all of the comments that happened before you unsubscribed are already queued. I unsubscribed and it did eventually stop.
I was sleeping and the constant new mails notification woke me. By then it was too late to unsubscribe as the topics was already locked, but I was only on like 60-70th mails.
Ah yes, the non working unsubscribes of SaaS and social media companies. I prefer the straight up mailchimp type marketing campaigns with one click to unsubscribe
It may be intended behavior, but for a trivial change like this to easily, without warning, mass ping ~400k users that is not desirable behavior. The submitter thought he was pinging developers of the project, but instead pinged mostly people who do not handle accepting upstream changes. Discord for examples handles mass pings by showing you a warning dialog saying you are about to ping X many people and if you are sure you want to do that.
Sending email notifications to 400,000 users for unimportant things is antisocial. (If 0.1% of those users then reply on the thread, it'd be another 400 comments sent to all 400,000 recipients).
I don't think anyone sits down and thinks the intentional behaviour should be "we should make it easy for someone to send a notification email to 400,000 people". That would clearly be annoying.
I think the behaviour is accidental, arising from "notifying all people in a team is useful".
Creating a team with 400,000 users is antisocial. GitHub teams, and all their inter-related features, are built around a small group of people collaborating together on code. GitHub teams are not intended solely to grant access to source code after signing a EULA. Making a team with 400K users is just a bad idea and this problem was waiting to happen. Unreal needs to find a different solution for what they want.
What other solution? What tools does Github provide to give access to a private repo without creating a namespace which can be pinged? It seems like exactly the use teams were created for just on a scale not seen before. The answer would be Github adding a feature to mark a team as semi public and remove the ability to tag it.
They will probably get a special treatment from Github and Github's code will get an unnecessary `if` clause for the special cases (right now probably only the epic one).
> Sending email notifications to 400,000 users for unimportant things is antisocial.
What about requiring people to join a specific team to access the source for no apparent reason? In other words, how are the conditions which led to the creation of this inflated team not antisocial as well?
I empathize with that kid - his intentions were probably good but I'm pretty sure he didn't know this would have sent email notifications. Even if he had known, kid wouldn't have known that it is a bad bad thing. :D
Kid probably was creating a PR to brag tomorrow in school!
It's apparently a young person who submitted it. I think most of us who were that age with github available submitted some crap PRs. I remember I submitted some low quality PRs that just changed comment formatting/typos on some large repos. Not trolling, just trying to contribute in some way and get my name in the project without having enough skills for a real PR.
>he didn't know this would have sent email notifications
Even if it sent push notifications to everyone's browser and phone that doesn't seem much better. When you type an @ it gives you are description of a group and the description makes it clear that it's not the people related to reviewing his PR. He was just trying to send as many notifications as possible to try and get people to look at what he did.
The worst part was that even unsubscribe to the thread does nothing and I kept on getting emails. However, this was fixed for me by creating a new email address and pointing all epic organisation emails to that one. … I wonder why unsubscribe didn’t work.
You would think, there'd be some sanity checks on GitHib's side to make sure this kind of thing doesn't happen, but no... it's not even going to question 400k notifications. ᕕ( ᐛ )ᕗ
No, anyone is allowed to join the org and see the source code after accepting a T&C. The org is just used to grant permission / acknowledge you accepted the terms.
"Thank you everyone for contributing to our shared mission. When you are done with your work today, please delete all the data from your machines. Hope we see each other again soon!"
Slack gave me a dire warning that my message would send notifications to so many people across so many time zones. This didn't surprise me because attendees came from various countries for the event. So I dismissed it.
But I had accidentally sent it to my company's Slack organization instead of the hackathon-specific one. I didn't realize it until a co-worker sent me a private message asking why I had just tried to fire everyone at our company.