Having posts like this occasionally on the front page of HN is a good and necessary regular reminder to the community: the people who write and maintain OSS projects are humans. Treat them with respect, and challenge bad actors when you encounter them.
Yes, this is a real problem. But the text of the email makes it seem the author was a target of some troll attack. The names do not look real on gmail (Diego jewstein ???) and the text is very llm’ish.
I worry that someone may be trying to incorporate a sophisticated supply chain attack. Step 1. Troll maintainers, Step 2. Find someone to maintain who can accept malicious code. Step 3. Track where this goes
That's a good call on the possibility that this is an attack, which I personally hadn't considered despite the recency of the xz shenanigans. At least the maintainer seems to have thought of it.
> Also, I will consider turning it over to an interested party, but I will require at least one recommendation from a Node.js core contributor that I can vet with the people that I know on that team.
Maybe not a perfect solution but it's something. Granted, a new fork might become popular but people could rightly call it into question given this statement.
> I worry that someone may be trying to incorporate a sophisticated supply chain attack. Step 1. Troll maintainers, Step 2. Find someone to maintain who can accept malicious code. Step 3. Track where this goes
Maybe. I had not considered that, but it might be right.
There are mitigations of such an attack although you will have to be careful; such mitigations might not really stop it if you are not careful.
"hey reminder that" does make a difference, but that difference is invisible because it's exclusively in the form of incidents that did not happen. Remember that everyone reading the comment is a human too and some will be receptive. Good is good.
Given the amount of people in this thread (and similar threads over time) saying "just thicken up your skin" (i.e. it is the maintainer's fault for being sensitive, not the troll's fault for being a dick), I doubt it.
I maintain a few open source projects, and while it’s not for everyone, if you don’t put your best foot forward interacting to get support or contribute, I’ll block you and move on. Life is too short to suffer fools or shitty people.
I don't think anyone is suggesting it is not the troll's fault, but the internet is fundamentally an unpolicable place so I'm unsure what the value of assigning 'fault' even is.
There are 7 billion people and at minimum, tens of millions of them are massive assholes and idiots.
> What do those sentences mean, if not suggesting that the maintainer is the one who made the wrong decision (by taking offense to the email)?
They mean that I don't see really any value in your framework of 'fault' vs not. We are still left with the question of 'what do you do'.
For a project of this magnitude, I don't think the maintainer made the wrong decision. But just because someone else is at fault does not mean that every decision by the other party in response is a good one.
You're really hanging on to the word 'fault', but 'fault' is not the main point I was trying to convey with my comment.
My point was: I don't think this post will serve as a reminder to be nice to OSS maintainers (as the original comment I replied to was saying), because the majority of comments I see are some variation of "toughen up" directed at the maintainers.
The maintainer can decide what to do about it. Whether or not that is the wrong decision is a different issue. (Anyways, there are many other reasons why it might not be maintained, than only due to receiving such an email message; e.g. because you are injured or because you have other work to do (which is what is mentioned in the README.md file anyways), or whatever other reason that maybe other people don't necessarily know.)
Nevertheless, some people who will maintain the project (not necessarily this one, and not necessarily) should do so even if people send such bad messages. That does not mean that everyone will; what they decide to do about messages they receive is their own choice. This is why FOSS is important; you can fork the project and make your own modifications, if you disagree with the maintainer.
Nobody is making excuses for shitty behavior, they're saying that if you interact with enough people you'll encounter shitty behavior because there are shitty people in the world. When you go outside just be ready to carry on with your life when you encounter one of these.
Statistically speaking, the likelihood that there's an asshole somewhere that you'll run into in the course of your lifetime is near 100%, so it is some natural law like gravity. Do you have a proposal for a solution to this problem, or are you just calling people victim blamers for acknowledging that these people exist?
> or are you just calling people victim blamers for acknowledging that these people exist
If someone's only contribution to the conversation is blaming the victim of harassment for not having thick enough skin, they shouldn't be surprised to be called a victim blamer.
Anyone can communicate or do other stuff that will affect anyone, and they may make decisions based on that. Therefore, it is both of their fault. Whoever wrote the email message should not have written like that; but, it is the receiver to decide what (if anything) to do about it. The maintainer can choose to decommission the project; whether or not that is the best thing to do is a different question (although, considering what the first paragraph of the README.md file says, there are some reasons that they might not want to work on this project, especially if all it results is email messages like that one).
I had that realization when I emailed the creators of Erlang [1]. In my mind they were like these rockstars and I was some plebe groveling at their feet, so I was amazed when they replied back extremely politely, fairly quickly no less.
It made me realize that fundamentally these are just people, people generally are helpful and nice, and they also like hearing positive things said about them. It was a good lesson to learn at a fairly young age.
[1] To be clear I was extremely polite, no criticism was tossed their way!
I remember e-mailing a guy for some iPad app and having a similar moment.
The important context is the app had its own custom keyboard. I used the app personally, and recommended it to a customer to solve a problem they were having. It turned out that the newest version would not work because it had removed some of the Fn-keys.
I e-mailed the developer to ask for some guidance. At the time I figured it maybe had something to do with the viewport size, and was just trying to diagnose the issue. (I had an iPad mini, while the customer had purchased I think a 9th gen iPad. I wanted to know if a different device would solve the problem.)
The guy e-mailed me back and was like "Oh, yeah, I changed that last week while making the new keyboard layout. I'll revert it and push out a new build." - I had a similar epiphany at that point where it was like "this guy is a dev just trying to navigate tradeoffs and ship the best app he can." - Also the tradeoffs are never as straightforward as one would think.[1]
> this guy is a dev just trying to navigate tradeoffs and ship the best app he can
I suspect a lot (most?) of apps in the App Store and the Play Store fall into this category, just like most repos on Github. People are putting their projects out there; obviously they're not immune to criticism, but I think it's important to remember that most of these people aren't Tim Cook, they're not making a living promoting stuff and taking shit people throw, they're just engineers sharing code with the world.
> Also the tradeoffs are never as straightforward as one would think.
Yep, completely agree; the obvious "solution" is to make everything configurable, and that can work to some extent, but then you risk an "oops I reinvented interpreters" moment, and then you made the app impossible to use for non-geeks. There's almost never a "correct" way to do it to satisfy everyone.
People can be pretty weird. I once received death threats over a technical blog post I’d written nearly a decade earlier, because the reader was upset that I hadn’t updated it. (The date was clearly labelled at the top of the post)
It is really weird. I have had dozens of hateful messages or emails in the decades of online communication, but in terms of death threats, both were somehow related to Intel.
First one was in 2013/2014 when I said by the current trajectory TSMC is going to overtake Intel by 2020. Second was Intel losing the Smartphone Modem and Foundry battle about a year later, due to failure to forecast capacity.
For a lot of these reasons I simply left most of the online hardware communities and forums.
It is strange a lot of people think of brands in Tech as if they are religion. And internet in the 10s is really different to the 00s.
Consider substituting 'criminal' (or 'felonious', etc) for "weird" in future tellings of this story. Death threats are generally regarded as a crime by police and judicial systems, and 'weird' tacitly excuses the crime committed upon you. A death threat is not in the same category as weird, and does not deserve a framing-pardon from us.
Yeah, personally I take this as a known fact of life on the internet. I'm surprised the maintainer let it get to them so much.
Like many popular creators today are learning, we all must "stop reading the comments", lest we never put anything out there ever again, for fear of critical feedback.
I do worry that trolls who really don't care if they quit maintaining this software have outsized influence on things and the outcome of a decision like this. And the decision MIGHT only impact everyone but the troll, and maybe even encourage such bad behavior.
Recall an actress who noted how much abuse she received over the internet for how she looked. She announced she wasn't going to do something (it was something related to her clothing) as a response. It was presented as almost a punishment, but I couldn't help but wonder who was driving the bus / decisions in that situation.
Still, I respect the maintainer's choice and I have no magic solutions for this.
It's the internet, strange that the author didn't face abuse like this before. He doesn't seem too young to have experienced such abuse online growing up.
I wish I could say that everyone should be exposed to some aimless and unfair adversity while growing up, it helped me grow some thicker skin.
But I've met people who really can't handle it, and exposing them to even a bit of it would be unethical, it wouldn't help them in any way. Some people are really sensitive, on the edge of mental stability, with crumbling self respect, or whatever other issues. Abuse like this does affect them significantly. Such people are the perfect victims for these immature trolls, and I really don't see a way to help them.
I remember hanging out on forums as a teen, and there was this script kiddie who would hound users on some local forums and IRC servers, both plainly insulting and/or threatening them, and trying to 'hack' them. He was annoying, but I was so used to these edgy insults and such that I never took them seriously (just a bit of roughhousing among teens)... Yet he was really successful in pissing people off and made a significant number of them leave. He was banned many times, but would just re-join with new account(s) (the joys of dynamic IPs every time you dial in). Took him years to quit.
If you're offended by things like this to be affected significantly (we're all affected a bit), don't be fooled, you're worse off than people who aren't. It's not your fault by any means. But finding a way to care less about things like this, if possible, will improve your wellbeing. You can ignore and / or react (which might make it worse), but there's not much you can do against assholes without ushering in censorship, surveillance, or making everything worse otherwise. You can't fix other people, but you can at least try fixing yourself.
You know, not everything is an opportunity to better yourself. It's perfectly valid to leave when boundaries are crossed - it's weird that you argue the person should "work on themselves" and keep getting death threats over maintaining random stuff.
Of course it is valid to leave, especially if it's prolonged abuse, but it's a two-edged sword.
If you have some bored idiot on the other side, you leaving might encourage them to abuse you even more. If you yield further, then you've allowed yourself to be shut out from the public Internet, depriving yourself of the satisfaction of contributing to projects.
My point is that you need to try to be rational in these (emotional) situations, and think about the consequences of your decisions. Sometimes the best solution will affect you more than the abuser, which feels really unfair, but the alternatives are simply worse.
> You know, not everything is an opportunity to better yourself.
You're wrong, everything is an opportunity to better yourself. It's up to you whether or not you choose to take advantage of opportunities. Certainly you can choose not to, you can choose to tap out and quit, but as it is a choice so also is it an opportunity.
You don't know that they haven't faced abuse like this before, you're just assuming this is the first/only case, maybe this is just the final straw.
But that's also moot - people don't have a right to abuse others, people have a right to not be subjected to this kind of abuse.
If a person is not allowed to halt a project when they receive abuse, then you're saying that they are required to accept abuse as part of their (typically) unpaid labor. There is a huge difference between "I am willing to put up with this" and "You are required to put up with this". You are saying that because the former applies to you, that therefore the latter applies to everyone.
I get that this is the long term outcome of the "don't feed the trolls" concept, which is tacitly the message "being a troll is a-ok", which has led people like this ass to think that just because they can send this kind of shit, that it's ok to.
Of course they can leave. Not just that, everybody can leave for any reason whatsoever, including being bored of the project.
But if you're leaving because of abuse, you're both letting the troll win and potentially opening yourself to more abuse.
If you're sufficiently enraged by trolls, you may overreact, and start supporting policies that are more damaging than the trolling itself, like supporting surveillance or forcing KYC on everything.
Let me qualify this by saying that I support reporting people for abuse to the authorities if that's a thing where you live, but I don't support asking for more surveillance just to catch trolls.
I see this pattern every day, on every level: "I'm being victimized and something needs to be done about it". I hope that people will think about what "something" is and make sure it's not making things even worse.
I feel the same way about this being on the front page of HN as I do about school shootings being a guaranteed front-page event in national news:
It's tragic that things like this happen, but posting and discussing the troll's (fake) name, their tirade, and the terrible impact that they had on a maintainer is not going to make things easier for maintainers. On the contrary, it's just going to give copycat trolls inspiration and something to aspire to, a sort of "victory" end game.
The author of that email doesn't care about LDAP, they don't care about JavaScript libraries, they're just a troll. Rule #1 of the internet is "don't feed the trolls".
I recall some folks did interviews with mass shooters in jail. They came up with a list of things they knew mass shooters DID NOT like in the media after a shooting, and things they did like. They sent some suggestions to news organizations and some have adopted them. They're not hiding information, but they are altering exactly how they convey it. Some of the suggestions were IIRC:
1. Limit how often you say the shooter's name, don't give details about any manifestos / letters and etc from the shooter.
2. Avoid playing lots of video / audio of screaming / chaos.
3. Tell stories about the victims, give their names often, tell their story.
4. Tell stories about people supporting each other, the community responding and coming together.
I relied on this project heavily at a past organization when the original maintainer was just leaving it to wither. They worked at Joyent if I remember and assuredly their work on that was decommissioned. I remember when James took it over, it was rejoiced to finally have some PRs landing again!
I haven’t thought about ldapjs in a long time, and it’s sad to see this stuff happen. Hope you’re well otherwise James!
I empathize with the author (on more than one level, an LDAP agent in Javascript sounds like more trouble than it's worth and his suggestion to use Go makes sense), and while this kind of email is inexcusable, it's ultimately a risk of being on the internet.
To be clear, I don't want to sound callous or say that this is, in the long term, the cost of doing business in open source (it absolutely should not be); but if you're a person with a publicly-routable email (say, via git committer or author metadata), on a long enough timeline, someone awful's liable to find it and use it maliciously.
My opinion (admittedly, not having been on the receiving end of something this pointlessly awful) is that it's better not to fold to these kinds of attacks. These people are basically schoolyard bullies, and usually attention-seekers. Validating their attempts only encourages more behaviour like this.
I hope the former maintainer is doing well, and I hope this message doesn't come off as disrespectful or harmful. If it does, I'm very open to hearing about alternative approaches.
It sounds like they had a foot out the door on this project anyway.
You make a point that we shouldn't just cave to any Jerk that comes along and used your code, which makes some sense. There is a silent user majority that appreciates these projects (or doesn't think enough about them). I'd advocate saying thanks, but if everyone did that might be a time suck for the developer, so maybe use the "star" if on github, or contribute if that is an option.
About LDAP and what programming language should be used, I am not familiar enough with that program to answer the question.
I agree with you that it is generally better not to fold to these kinds of attacks.
However, the README.md does mention other reason why they would not really want to maintain it for sure anyways. Furthermore, the maintainer can make their own decision about what to do with it (whether or not other people agree with it).
And, since it is FOSS, it is not much of the problem if the maintainer decides to stop maintaining it, since FOSS is possible to fork the project and other people to work on it too, anyways.
This is not an excuse for writing such a bad email message, but nevertheless someone might do so and therefore you will have to decide how to deal with it. (I think it is best to ignore it, but of course everything will influence anyone)
What exactly makes Go more suitable for building LDAP clients than any other language, including JS? I've been running ldapjs in production for 4 years now (it's basically a web-based LDAP frontend) and it's been rock-solid.
Rule 1: don't read email from strangers.
Rule 2: don't read any comments under your article/video/whatever.
People are full of hate and tend to dehumanise other people over internet, while they would be (possibly) nice to them in person. Something is in the internet that people's hate is magnified...
It's a great example of the barking dog effect. Put up a barrier between people that they know can't be crossed, and they'll just let loose the wildest aggression possible. The second that barrier is gone, they're back to "normal". It's frightening seeing people's impulses revealed while the barrier is up.
It is your own choice if you wish to continue the maintenance or not (and, even if you wish to maintain the project, you can decide to not accept email messages). If it is FOSS, then other people can maintain their own version if they want to do, anyways (this is why FOSS is important; it is due to things like this).
However, whoever wrote the email message did not decommission the project; it is whoever maintains the project that did so, due to receiving such an email message. I think that might be unnecessary to decommission the project just due to one message like that, but it is their choice to maintain or not maintain it, or to decommission it. (Anyways, if you receive too many messages like that then you might be too stressed to work on the project properly.)
Although, still they should not have written such an email message, because it is no good. It does contain an actual comment about the program (although I am not familiar with the program to know whether or not the complaint is legitimate), but that is a very bad way of writing it.
(Other comments also mention that stuff like this may be used to attack the project to make a version with malware if the original maintainer won't then someone else will and will add malware. It is a legitimate concern, which should be considered seriously, but one that can be handled whether or not this maintainer decides to maintain this project or not.)
That's a pretty nasty email; I initially thought this was some kind of bizarre targeted spam, until they started talking about the coding stuff and it made me realize "nope, a human wrote this".
I don't think I've ever received anything this horrible ever; when I was attempting to make videos on early (~2008) YouTube as a teenager, I definitely got a lot of death threats though, so much so that someone made a whole-ass video threatening to kick my ass because they thought I said something bad about people in wheelchairs (I did not, I genuinely have no idea how they even came to that conclusion).
The internet is simultaneously the best and worst invention that humans have ever made. It allows people to be their true selves, for all that entails.
I hope this doesn't become a more widely used repo attack vector: Abuse repo maintainers until one or more fold. Fork the repo and become the New Maintainer That Saves The Day. At a later time, insert attack code.
sad to see but sounds like it was just a reminder to archive the project anyways. trolls make up a fair portion of the interweb and with llm's on the rise that'll probably just get worse. put on that armor!
Honestly seems like you could also easily just laugh it off. People on the internet are weird and gross. But I guess it sounds like he was already kind of over the project anyway.
As the maintainer he gets to call the shots, so this response is perfectly fair. It's easy for me to say "I wouldn't have reacted like this", especially since I'm kind of numb to this type of shit-slinging, but I haven't had such visceral anger directed towards my hard work, so I really don't know.
Many public figures have social media and PR teams to help deal with stuff like this, you really expect that every individual out there should just grow a thick skin as culture is continually encouraging us to have more and more of a public presence? This is the kind of thinking that gives a free pass to entrenched patterns of discrimination and targeted hate speech. It's very possible that emails like this wouldn't just be a spew of random insults but targeted towards a person's very specific triggers, and in that case a thick skin cannot stop a bullet.
I think of it more as a general observation: the people who maintain open source projects that must deal with the public must have thick skin, or they won't last. Acknowledging that there are and will always be assholes like the email writer in the world is not to excuse their behavior. It's great to call out shitty behavior and try to get rid of it, but it will always be around at some low level, that's the reality.
Unfortunately HN is no longer a place where you can assume good faith observations when something like that is said. OP's words play into toxic narratives that need to be called out for the sake of other people reading the comments. I might be wrong about OP's intentions when giving my reply, but I am pushing back against a narrative, not against a specific person.
> I might be wrong about OP's intentions when giving my reply, but I am pushing back against a narrative, not against a specific person.
What narrative? Your comment is vague. Would you mind expanding on this accusation and how it relates to open source, especially when today's maintainers on platforms like GitHub and GitLab have an array of tools at their disposal to deal with issues?
OP replied to my comment and I now see that it makes sense as an observation. The narrative I was referring to is something that I see common in discussions surrounding abuse; "there's nothing to be done about it; [people should] just grow a thick skin." If we agree that this exists, then I posit that it's a toxic thing to say to someone who's coming forward and saying that they're suffering from this. It's also toxic to use that as a way to dismiss measures that we can build in technologically to combat abuse, like building blocking mechanisms or modifying them to make them better. Hope that clarifies things.
You might be correct but it still stands that nothing is added to the discourse by just telling people to grow a thick skin. It's a repulsive attitude and I had to call that out.
I think the "repulsive attitude" I'm referring to is shouting "Just grow a thick skin!" to someone who is saying that they're suffering from abuse. In some cases, the suffering is so acute and so deep ("bullets") that it's not necessarily actionable on the part of the person suffering; rather, it's a call for help that others may respond to.
Try using the language in that email the next time you talk to a cashier and see how long it takes to get you escorted from the premises.
The “don’t feed the trolls” or “just accept that people do this” nonsense has just meant “let scumbags do stuff they’d never be permitted to do in person” as much as they want with no consequences.
It would be trivial for Google to verify this email did come from an actual Gmail account, and then provide information about any associated accounts if it was - their entire business model is built on doing just that.
While we can try to improve the reality, it is the reality today and difficult to improve. There is always a small percentage of people that are bad.
I maintain a couple semi-famous open-sourced projects and get a criticism (of course a milder one than what OP got) once in a while. I read them and only take what is useful.
I always always thank them for feedback whether the feedback is good, bad, or abusive. I never argue that the users are wrong. I might help correct their understanding, but I'd say: I can see why it can be misunderstood.
This is because, if you start arguing with users, it leaves a bad taste in other users even if you are right.
I used to look at one open-sourced project where the maintainers taunted the users to implement the change themselves because it's "the benefit of an open-sourced project". It kinda turned me away from the project.
If you're selling proprietary software and are worried about an OSS competitor, forget FUD, legal battles and patent challenges. Just send a few of these emails to the primary maintainer, and the OSS competitor will be no more.
You can't control what other people say to you. You can only control how you react. If obvious trolls like this upset you, then you are guaranteed to be miserable. Worse, if you publish troll emails like this and say that's why you got upset, then you are guaranteed to get many more troll emails.
I'm guessing the maintainer has some other stuff going on in his life and this was the straw that broke the camel's back. I hope he overcomes whatever he's going through and winds up more resilient and more content.
Is "don't feed the troll" better? This behavior is unacceptable but I'm really leaning towards the belief that sensationalizing this will only make it more likely..
This is about as big of a recognition a single troll could get in OSS with no code contributed.
As advice? No... Maybe slightly? At least it is sort of actionable I guess.
I agree with most everything else you said, and it invites further conversation on whether this is exactly what the troll wanted (recognition, feeling powerful for ousting the maintainer, etc.).
The original comment I replied to, a one-liner with the most overused platitude possible, did not invite any further conversation and contributed nothing which is why I sarcastically called it out.
I think that's a very uncharitable interpretation of Exuma's comment.
There's a big difference between demanding support while being an asshole and advising that obviously troll emails can be tossed in the trash without ruining your day.
James is totally free to do whatever he wants, of course.
The person sending this email clearly uses the library, and yet sent this email.
That person is still demanding support - they're clearly using this library [minor edit due to garbage grammar] - they're just hiding who they are because they know their behavior is BS. Receiving mail like this has a mental and emotional toll even if it can be "tossed in the trash" you still have to at least start reading it to determine that it's a troll.
So this maintainer now has to read these messages, even if it's just to send them to the trash, and knows that the person sending this is a person that is using the library, and so any more work they do is helping this person.
Exuma is saying "you can only control your own reaction", which is pretty dismissive and contextually implies that shutting down the project is not a reasonable reaction. i.e. if you maintain a project, it's over reacting if you choose to stop maintaining that project just because you're being subjected to abuse.
I'm not sure how else to interpret Exuma's comment.
> ... knows that the person sending this is a person that is using the library, and so any more work they do is helping this person.
Something mentioned in the email message is private members of an interface. If they do abandon the project, then I suppose that whoever wrote that can make them public safely since there is not a new version, it is unlikely to break compatibility with newer versions if there aren't any. So, maybe abandoning this project, does possibly help them.
(This is not any kind of excuse for writing such a bad message nor a reason for continuing to maintain the project; it is just an observation.)
Furthermore, some other comments mention possible supply chain attacks; if so, that might also help the author of the email message.
So, abandoning or not abandoning it isn't considering if it helps them or not. Rather, what is important to consider is how much it harms everyone else; how much it helps the person sending that message isn't important.
that is probably the absolute farthest thing from what I'm saying.
In the end, you have 2 choices:
1. try to control other people
2. control yourself
There are literally no other options. There's no "middle ground." Any advice/comments/etc boil down to ONE of these two choices.
The entire first choice is moot, because given 10 million years, you will never be able to control other people's behavior. No amount of good advice, helpful HN comments, 1000 word blog posts, will never, ever, 100% remove all threads of possibility of getting teased/whatever. I would not categorize this choice as "wrong" (which implies bad), but merely "moot" (neutral).
Therefore, that only leaves option 2. Discussing anything to do with what people "should" do is, quite literally, a waste of time. This idea CAN coexist simultaneously with the idea that I treat people well. Why? Because being nice is option #2... it's something I control about myself. I CAN control how I treat other people, just as I can control my reaction to other people.
I don't condone/not condone the person's email, because I don't even look at things like that. I look at things in terms of what I'm capable of controlling (or, that is the goal, anyway. Sometimes life can be tricky!).
If I were to look at things in terms of what other people "should" be doing, then I am destined for a lifetime of disappointment and emotional turmoil.
There's absolutely an alternative, and that's what this person has done: stop providing free labor to others.
There's no reason to put yourself in, or stay in, an environment where you are apparently expected to be subject to abuse.
Saying the only option is "control yourself", when what that means is "suck it up and don't let abuse get to you" is BS. We keep getting people handwringing over the work load and treatment of maintainers or individual developers, but then comments like this that are just saying "so what? they should just get over it".
This is a 100% serious question here - what is a maintainer allowed to do? There are three options:
1. Accept the abuse and continue to try to maintain the project while being subjected to that abuse.
2. Shut down the project.
3. Hand the project over to someone else.
You appear to be advocating for (1) as the only option. Most of the comments in this thread say that (2) is just not reasonable and that the maintainer should accept abuse as a fact of life (e.g. being more explicit that (1) is the only option). The final option is what the maintainer of xz did, and they then got blamed for an exploit that was introduced when they were definitionally no longer involved in the project.
Certainly in such a world I would never sign up to be a maintainer of any project, and if anyone asked I would advise them not to as well. The rules seem to be that once you are a project maintainer you are required to accept abuse, and you are never allowed to stop, no matter how much abuse is sent your way.
This maintainer did what is in my opinion the only reasonable option: they said "I am unwilling to put up with this BS and so I'm ceasing maintenance of the project". We've already established through xz that you can't hand off a project in response to abuse, as that makes you responsible for it if the replacement installs malware, and demanding people accept permanent abuse is immoral and selfish.
> We've already established through xz that you can't hand off a project in response to abuse, as that makes you responsible for it if the replacement installs malware, and demanding people accept permanent abuse is immoral and selfish.
You are right, but that does not necessarily mean that ceasing maintenance of the project is the only reasonable option. Although, it also does not necessarily mean that it is not a reasonable option. You can be too stressed to work on the project properly if you receive such abusive messages, so maybe it is reasonable. However, that does not necessarily mean that it is the only possible option. For example, maybe some people can handle it better than others, or maybe you can just disable the email so that you will not have to receive any more abusive messages like that while working on the project, etc.
About malware, that is a reasonable precaution. Of course other people can still maintain their own version of it if they like to do, but then they will have to call it a separate project (even if the file name is the same), so then they don't have the "hand off" problem like you describe as badly as that.
And since it is FOSS, you should not need to demand people accept permanent abuse, or to demand them to work on the project for any other reason. Proprietary software is more of a problem with this since then a vendor-lock is possible and if they refuse to work on it then it can affect everyone and it is much more difficult to recover from than FOSS.
There is writing between the lines you are missing.
The very phrase "accept abuse" already puts one in the position of victim. I suspect you won't "see" this though because I'm going to guess you'll look at it as some kind of behavioral impasse which you are either "subjected" to or free from. That's not what I'm saying.
This has nothing to do with OSS maintenance, it has nothing to do with projects, it has nothing to do with development even.
It is a life lesson, one which entirely directs your life as a victim, or as a sort of life-long learner (because it never ends!) of how to control your own reaction... and as one gets better at this (hard) feat, the bigger situations one can be in before "tapping out" so to speak.
IMO, the goal of life should be to be on that second path, and look at all situations like this email more as "challenges" to practice this life-long lesson. It's entirely freeing as it's now simply a sort of zen meditation with the self... you are no longer chained to constantly reacting to what is around you. It is a profound shift in thinking.
So objectively speaking, if I were him in his shoes (and I have been there)... I would read the email, feel an "ugh" wash over me, then realize... this literally has nothing to do with me, and then I would go on living my life.
Are you familiar with the Open Source Guides Best Practices for Maintainers [1] and Maintaining Balance for Open Source Maintainers [2]?
Perhaps these helpful pages and the resources linked within may give you some guidance on how experienced maintainers can handle such matters without a hostility-first mindset.
For my own projects, I do try to avoid scope creep. (In some cases I had thought something should be in scope but later changed my mind (before actually implementing it), though.) I did not add a file called VISION but maybe that would help, so I will consider that. I do want to keep communication public (mainly using NNTP, although IRC and GitHub issue trackers can also be used), but nevertheless there isn't any communication on there.
> If a potential contributor has a different opinion on what your project should do, you may want to gently encourage them to work on their own fork. Forking a project doesn’t have to be a bad thing. Being able to copy and modify projects is one of the best things about open source. Encouraging your community members to work on their own fork can provide the creative outlet they need, without conflicting with your project’s vision.
This is correct. However, it is also possible for some of the features of a forked version to later be put into the official version (or a different fork) (after being reviewed by the maintainer). This does happen sometimes, too.
> Users are far more likely to reach out when they have a complaint. If everything works great, they tend to stay silent. It can be discouraging to see a growing list of issues without the positive feedback showing how your contributions are making a difference.
Nevertheless, it makes sense; there is more to say if they have a complaint (or a suggestion for improvement, or a question, etc) than if it works OK.
I don't mind this; my problem is that I rarely receive any feedback at all, regardless of good or bad.
(However, I think that it is helpful even for positive feedback to be specific. This way, it can also help other people to decide whether or not they think this program is suitable (or almost suitable) for their intended uses.)
(I have received stars on GitHub (for some projects), but they don't help me at all, since they do not say anything.)
> Working alone: Being a maintainer can be incredibly lonely. Even if you work with a group of maintainers, the past few years have been difficult for convening distributed teams in-person.
This is my problem; lack of other people's discussion and contributions.
Have you read the actual email...? It's pretty bad. I've co-founded a very successful open source project and I can assure you a lot of people treat maintainers like crap. One guy sent me a few mails with veiled death threats because I banned him from the forum (He was harassing users and the community decided to boot him...)
I wouldn't be so sure about that. If you had said this before my most recent hire I would have agreed - but my junior writes stuff that looks like this or worse. I'm always reviewing stuff with weird capitalization, punctuation, spelling, grammar, etc. that makes me raise an eyebrow on a regular basis. Their code looks just as weird despite having the help of a heavy-weight IDE in their corner. We're constantly cleaning up hanging indents, unnecessary newlines, mismatched indents, commented out code, etc. (That's with a college education, a Grammarly license, and no small amount of coaching on my part!)
I have a sample size of 1, so I can't ascribe too much to "these damn kids," but it seriously strikes me as having learned written language primarily from texting & instant messaging. Whereas I grew up roughly by transitioning from: reading books -> writing mails to pen pals -> writing e-mails -> web chats -> T9 texting -> modern IMEs. In other words I initially learned to write with long-form content and learned to condense it down later. These days I think people are just learning straight from the condensed version.
The other reason I don't think it's an LLM is simpler: most commercial LLMs wouldn't be "aligned" to be that rude, and the smaller LLMs I've seen wouldn't be able to inject relevant code snippets from a relatively unpopular library into the output.
I would not be surprised if this person misused the library, got called out for it in code-review (calling the iterator multiple times is a huge code-smell), and now they are soothing their ego by shifting blame onto the library author for making "such a bad API."
The individual who sent that mail has a trollish name, a trollish email account and s/he is talking gibberish. My conclusion was, give it a pass and move on.
> I would not be surprised if this person misused the library, got called out for it in code-review (calling the iterator multiple times is a huge code-smell), and now they are soothing their ego by shifting blame onto the library author for making "such a bad API."
It could be that, but then again it's his or her fault, not the maintainer's. At the end of the day, s/he has some serious anger control issues if that's true.
> The other reason I don't think it's an LLM is simpler: most commercial LLMs wouldn't be "aligned" to be that rude, and the smaller LLMs I've seen wouldn't be able to inject relevant code snippets from a relatively unpopular library into the output.
You can modify some open source LLM to talk trash, meaning teach it to hate and disrespect.