Tag open-source

How can we even start talking about supply chain security and sustainability if a maintainer publishing a bad npm package version breaks everyone instantly? Stable, deterministic pinning is table stakes. theverge.com/2022/1/9/22874…

Filippo ${jndi:ldap://filippo.io/t} Valsorda (@FiloSottile)Sun, 09 Jan 2022 22:23 GMT

https://twitter.com/odarbelaeze/status/1479284733670567939

I would say that once you start having *other* people contributing and maintaining is not fully *yours* anymore?

Hugo Rodrigues (@hugorodrigues)Fri, 07 Jan 2022 03:32 GMT

https://twitter.com/PhIegethon/status/1479516388100395009

Nope. Absolutely, completely, incorrect. Total nonsense. OSS maintainers don't owe you anything. Says so right on the license. If you can't read, maybe stay off the internet.

Yawar Amin لول (@yawaramin)Sat, 08 Jan 2022 01:01 GMT

https://twitter.com/JoshuaKGoldberg/status/1479235187582148609

Often OSS developers make the world keep the lights on but aren't compensated for their time. Marak was struggling, asked help. Got nothing. In protest, removed his code and github suspended his account for removing something he owned the rights to.

Sam (@metruzanca)Fri, 07 Jan 2022 01:07 GMT

I found a one-digit typo in the docs for Python's typing_extensions. I wanted to be a good community member and fix it. I had no idea how much frustration that one-char PR was about to cause. Brace yourselves as I take you along on this wild ride 🧵 RT for reach appreciated 🙏

Predrag Gruevski (@PredragGruevski)Wed, 05 Jan 2022 17:36 GMT

If one wants to push a long-standing issue along, then don’t comment that, instead (if sensible in context) ask: “What can be done to push this issue forward? Are more details needed? More use cases? Someone doing a PR?” Then it becomes collaborative rather than exploitative 👍

Post details

Random comment on long-standing issue: Any updates on this? Me: would you like to work on it? Them: …

Matteo Collina (@matteocollina)Thu, 06 Jan 2022 17:04 GMT

Pelle Wessman (@voxpelli)Thu, 06 Jan 2022 18:30 GMT

Random comment on long-standing issue: Any updates on this? Me: would you like to work on it? Them: …

Matteo Collina (@matteocollina)Thu, 06 Jan 2022 17:04 GMT

As an engineer, @Neovim is critical infrastructure for my productivity, so I set up a monthly donation a few years ago through GitHub. It's great to be able to support a project that I rely on! ☺️

Post details

here's a recommendable new years resolution: donate in support of the critical open source tools you rely on. We do this at @discourse every year.

Jeff Atwood (@codinghorror)Fri, 31 Dec 2021 00:27 GMT

Alex Gude (@alex_gude)Sat, 01 Jan 2022 15:40 GMT

here's a recommendable new years resolution: donate in support of the critical open source tools you rely on. We do this at @discourse every year.

Jeff Atwood (@codinghorror)Fri, 31 Dec 2021 00:27 GMT

👍🏻 For folks looking for concrete and impactful steps they can take that aren’t personal: divest from using Facebook tech in your projects. Vote with your tech stack. twitter.com/quinnypig/stat…

Post details

https://twitter.com/QuinnyPig/status/1476372236776849408

Let me be clear: I think the company is molten garbage, but that's a very different thing than dunking on the humans who work there. I don't want to be remembered for a lack of empathy towards other people.

Corey Quinn (@QuinnyPig)Thu, 30 Dec 2021 02:17 GMT

Zach Leatherman (@zachleat)Thu, 30 Dec 2021 17:55 GMT

“The customer has nuclear weapons” is an unusual argument when inquiring whether a bug has been fixed yet, in an open source project. gcc.gnu.org/bugzilla/show_…

FX Coudert (@fxcoudert)Wed, 29 Dec 2021 14:53 GMT

did...did this person threaten an open source project with nukes when they asked to be paid?

Post details

“The customer has nuclear weapons” is an unusual argument when inquiring whether a bug has been fixed yet, in an open source project. gcc.gnu.org/bugzilla/show_…

FX Coudert (@fxcoudert)Wed, 29 Dec 2021 14:53 GMT

Manish (@ManishEarth)Wed, 29 Dec 2021 14:57 GMT

the most important thing about the log4j incident is that it’s clear and incontrovertible evidence in support of whatever beliefs i already have about software development

henry 🌘 (@hdevalence)Mon, 13 Dec 2021 17:29 GMT

Just use an npm package.

Den Delimarsky (@DennisCode)Sun, 26 Dec 2021 05:17 GMT

there's something to be said for making some software to do something, calling it done, and then not updating it except maybe to fix things that break "move fast and break things" startup culture has leaked HARD into open source personal software; no commits this year = ""dead""

artemis (@artemiseverfree)Mon, 27 Dec 2021 01:49 GMT

This is why I started charging for open source work that’s not to my schedule.

Post details

“Open source maintainers are effectively unpaid outsourcing teams for giant corporations.” dev.to/yawaramin/the-…

Ceej "Cat-Warmed" Silverio (@ceejbot)Sat, 25 Dec 2021 17:45 GMT

Jan Lehnardt (@janl)Sat, 25 Dec 2021 18:22 GMT

“Open source maintainers are effectively unpaid outsourcing teams for giant corporations.” dev.to/yawaramin/the-…

Ceej "Cat-Warmed" Silverio (@ceejbot)Sat, 25 Dec 2021 17:45 GMT

imagining a timeline where the log4j maintainers replied to the vuln disclosure with "ok, feel free to raise a PR"

Post details

this is *well* worth the read dev.to/yawaramin/the-…

cje (@caseyjohnellis)Thu, 23 Dec 2021 09:06 GMT

Matt "jira delenda est" Olson (@arachnocapital2)Sat, 25 Dec 2021 01:39 GMT

A precondition of employment (if any) is probably going to be "If I am working with a language using an open source toolchain and find a bug or enhancement for our code that can be addressed by pushing a patch upstream, I am allowed to open the PR without asking Legal."

future🦹jubilee (@workingjubilee)Wed, 22 Dec 2021 20:30 GMT

Good news: Log4j is the only library you use that’s been trivially vulnerable for about a decade.

haroon meer (@haroonmeer)Mon, 20 Dec 2021 11:12 GMT

https://twitter.com/Narodism/status/1472541647909146629

If funding devs more could fix the bugs before it reaches users, Windows and Mac OS would be bug free.

Nicolas Dorier (@NicolasDorier)Sun, 19 Dec 2021 14:42 GMT

https://twitter.com/starbuxman/status/1471635197292466177

If the past week has taught us anything it's that people would rather depend on software they don't pay for, while complaining about it and it's maintainers (who are also not getting paid!)

Marit van Dijk (@MaritvanDijk77)Fri, 17 Dec 2021 06:03 GMT

the log4j “december to remember” event this year features 0% financing on tech debt 😮

Patrick Cable (@patcable)Fri, 17 Dec 2021 15:40 GMT

seems like the entire internet is built on either small open source projects run by a couple folkx for free, and the gigantic cloud infrastructure run by a couple of companies. when either one is borked, the world goes poof

Selena (@selenalarson)Wed, 15 Dec 2021 16:14 GMT

open source maintainers to developers with jobs:

I Am Devloper (@iamdevloper)Wed, 15 Dec 2021 15:55 GMT

this high-profile vulnerability in an open source project is really reinforcing my belief that, to a dominant portion of users, the primary important thing about free software is that it is gratis, rather than libre

cron mom (@sophaskins)Sun, 12 Dec 2021 23:58 GMT

https://twitter.com/beka_valentine/status/1470134831262564353

but its not the log4j's responsibility to fix this in a timely fashion they didnt make any promises to any big corps about SLAs or any shit like that, and if there are **consequences** for those corps, that is FINE it might suck, but that's not the dev's responsibility

Beka Valentine (@beka_valentine)Sun, 12 Dec 2021 20:55 GMT

https://twitter.com/bagder/status/1470409522229428225

My team could spend an entire year reviewing the code from one “npm install”. I don’t think it’s really feasible to do code review across all OSS components. But funding? Absolutely.

April King 🌀 (@CubicleApril)Mon, 13 Dec 2021 15:11 GMT

https://twitter.com/seldo/status/1470031613174042626

Open source is free as in puppy.

Laurie Voss (@seldo)Sun, 12 Dec 2021 16:26 GMT

A rare insightful comment on the orange site: news.ycombinator.com/item?id=295252… "Open source is not broken".

Danack (@MrDanack)Sun, 12 Dec 2021 22:11 GMT

Been thinking about the maintainers of log4j2 a ton this weekend. I'm so thankful for open source. While I get to maintain projects with support from my employer - most do this entirely with spare time Maintainers deserve our thanks (and sponsorships!) for their work 🤗🙏

Jeff Hollan (@jeffhollan)Sun, 12 Dec 2021 17:16 GMT

Another chronically underfunded OSS library in the news. It’s simple: - Using OSS to make money? Fund it! - Want to see an OSS project advance? Fund it! - Want to help your dependencies succeed so you can hire people experienced in them? Fund them! NORMALIZE FUNDING OSS.

twitter.com/benjie/status/…

Post details

Why not take 5% of your engineering budget and invest it in the various open source projects you depend on? I'd hazard the returns you'd see over the coming years from this investment would be greater than having spent that same amount on payroll.

Benjie 🐘 (@Benjie)Thu, 18 Jun 2020 13:18 +0000

Benjie 🐘 (@Benjie)Sun, 12 Dec 2021 10:05 GMT

We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do. blog.filippo.io/professional-m…

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Sat, 11 Dec 2021 19:22 GMT

since everyone is talking about log4j/supply chains an experiment years ago i calculated 1-bit offset utf8 strings of the top few hundred npm packages and registered packages under them they received thousands of hits per week from machines trying to download and execute them

suzuha (@dystopiabreaker)Sat, 11 Dec 2021 08:06 GMT

Maintainable open source is not an easily solved problem. And yet most of our tech stacks would shut down if open source code was all of a sudden unavailable.

Laurie (@laurieontech)Sat, 11 Dec 2021 22:44 GMT

The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way.

Post details

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Catalin Cimpanu (@campuscodi)Sat, 11 Dec 2021 17:41 GMT

It took me about 5 minutes to start locally running an open source Ruby project despite the fact that I never touched Ruby on Rails in the past & project itself didn’t have related docs. Now that’s what I call strong external community resources that are easy to find 👏

Cake is Kate. Always has been 💫 (@kefimochi)Sat, 11 Dec 2021 23:27 GMT

https://twitter.com/FiloSottile/status/1469441487175880711

The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

https://twitter.com/FiloSottile/status/1469441477642178561

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt" People, what are we doing.

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

Post details

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

This may seem like overkill, but it's really an investment in your company's stability. #OpenSource may reduce many costs of development, but it's not entirely free. Don't find out that the library that's integral to your infrastructure is un(der)-funded when it's too late.

Post details

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

twitter.com/shelbyspees/st…

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

julia ferraioli (@juliaferraioli)Sat, 11 Dec 2021 17:53 GMT