Open Source is one person
134 points by drmorr
Maybe we’re looking at a wrong unit of collaboration?
An average npm dependency tree is definitely not all by one person. In fact, a common criticism of small-package ecosystems is that there are too many different authors involved.
Perhaps publishing of small packages is just a more convenient way to collaborate? Especially in open-source that is naturally distributed and communicating asynchronously. Instead of multiple devs working on fragments of a single monolith library, each dev can work on their bit behind a library interface. The package boundary means there’s less coordination required. When devs disagree about the goals, forking or replacing a small library is less explosive than a disagreement within a large monolith project.
Having internal library boundaries within a project can be useful on its own: preventing unintentional layering violations and tangling of components that were supposed to be separate. Rust/Cargo projects split themselves into tiny component libraries even when the libraries are completely project-specific and aren’t reused anywhere else. It just helps organize the code and isolate dependencies.
I’ll add that not only “alone”, to not derail the post, but exploited by big corporations that “know” that WE, in our field, are some kind of special, with our craft and with the time we decide to spend on it; I don’t know a single living person that has the passion software people have about their own.
We build “toys” for ourselves all the time, we want to be as productive as we can with our own ideas, we configure our own servers, we build from scratch everything, etc, all because of “we like” it.
I might be completely wrong and my sample could be small enough to make this a completely senseless claim, but I really believe that kind of “naive” way of seeing the world will end, and even more now with the rise of AI, which we already started to see.
People coded for fun in competitions just for the sake of Google taking those results and training data and using companies such as Turing to completely automate thousands of jobs of people “reading” the actual code.
Furthermore, I was reading and enjoying until you reach, so I’ll drop a quick note
So we’re going to use the NPM ecosystem to explain this
NPM is by any means a good example of contributors and open source, and for the sake of this, you can take the example of Vercel and Next.js, one of the most (if not the most) used open source projects in the world of JavaScript.
Maintained by a corporation. Node.js is the one you can claim is still in the open, but they have thousands of contributors. Same for Bun, etc. Usually these libraries on NPM are just one fork away from being replicated; it’s “simple” code with a handful of exceptions (that’s part of the issue why NPM is an utter mess).
I don’t know a single living person that has the passion software people has about its own.
Artists and crafts people. Woodworkers, metalworkers, electronics hobbyists, that sort of thing. Heck, writers too. These sorts of people super nerd out about their chosen topic. Look for the people who do things like weld together life-sized equestrian statues out of bottlecaps, or retrofit a car to have a WW2 bomber engine under the hood.
The difference is these people build machines one at a time, usually basically by hand. Software nerds build machines that can be copy-pasted flawlessly, almost for free. Even if your nerd-passion is 3D printing, it has a lot of scaling limitations compared to software. And software is popular because it’s very cheap and easy to get into, you don’t need a machine shop full of tools and a good source of materials. All you need is a laptop and some software which– oh look, is all open source.
Musicians, digital artists, and photographers also have the “can be copy-pasted flawlessly, almost for free” feature, and plenty of them are just as passionate about their respective crafts as we are about code even if they do it for fun instead of for money. Same with writers, for that matter. I don’t think we’re unique in that regard.
Your post somehow reminded me of JF Sebastian in Blade Runner. Similarly passionate, naive and building toys for himself, with the Tyrell company making the big bucks off his inventions (the replicants).
I think the number is likely even higher once you up the threshold to 1.5 maintainers. So many projects effectively run on one person (sometimes two) holding it together, with some incidental additional maintainers tagging along for a few months here and there.
None of the open source projects I have been involved in have been as critical as some of the libraries half the world seems to run on. But some of them have been big enough to have a dedicated user base, actively requesting features and support. There were a large number of people who expressed polite interest in contributing. Even a large number of people decrying that so few people should maintain the product. Yet that rarely if ever translated to people actually trying to contribute. Most contributions were incidental, one-time contributions (which I still value, to be clear), but longer-term collaborations were rare. Basically the 90-9-1 rule in full effect.
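The “one person (sometimes two) holding it together” observation above is something a consumer of a dependency tree can measure rather than guess at. The following is an added example, not code from the thread or from the blog post it discusses: it walks a constructed dependency graph, counts maintainers per transitive dependency, reports how many packages sit below the 1.5-maintainer threshold, and shows which single accounts several of those packages share (the case where one compromised or burnt-out maintainer takes more than one package with them). The package names, maintainer handles and graph are all made up for illustration; a real audit would populate them from a lockfile plus registry metadata.

```python
"""Bus-factor audit over a dependency tree (added example; all data constructed)."""
from collections import deque

# Constructed sample metadata: package -> set of maintainer handles.
# The handles and package names are illustrative only.
MAINTAINERS = {
    "app": {"alice", "bob"},
    "web-framework": {"corp-bot", "carol", "dave", "erin"},
    "glob-lib": {"frank"},          # single maintainer
    "path-utils": {"frank"},        # same single maintainer as glob-lib
    "left-pad-ish": {"grace"},
    "colors-ish": {"heidi"},
    "ipc-lib": {"ivan", "judy"},
    "tiny-is-number": {"grace"},
}

# Constructed sample graph: package -> list of direct dependencies.
DEPENDS_ON = {
    "app": ["web-framework", "glob-lib", "colors-ish"],
    "web-framework": ["path-utils", "ipc-lib"],
    "glob-lib": ["path-utils", "tiny-is-number"],
    "path-utils": ["left-pad-ish"],
    "left-pad-ish": [],
    "colors-ish": ["tiny-is-number"],
    "ipc-lib": [],
    "tiny-is-number": [],
}


def transitive_deps(root, depends_on=DEPENDS_ON):
    """Return every package reachable from root (root itself excluded)."""
    seen = set()
    queue = deque(depends_on.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(depends_on.get(pkg, []))
    return seen


def audit(root, maintainers=MAINTAINERS, depends_on=DEPENDS_ON):
    """Summarise maintainer concentration across root's transitive dependencies."""
    deps = transitive_deps(root, depends_on)
    counts = {p: len(maintainers.get(p, set())) for p in deps}
    # Packages with one (or zero recorded) maintainer: bus factor of 1.
    solo = sorted(p for p, n in counts.items() if n <= 1)
    mean = sum(counts.values()) / len(counts) if counts else 0.0
    # How many solo-maintained packages each single account is responsible for.
    exposure = {}
    for pkg in solo:
        for handle in maintainers.get(pkg, set()):
            exposure[handle] = exposure.get(handle, 0) + 1
    return {
        "total": len(deps),
        "solo_packages": solo,
        "solo_fraction": len(solo) / len(deps) if deps else 0.0,
        "mean_maintainers": mean,
        "solo_accounts": exposure,
    }


if __name__ == "__main__":
    report = audit("app")
    print(f"{report['total']} transitive dependencies, "
          f"{len(report['solo_packages'])} with a single maintainer "
          f"({report['solo_fraction']:.0%}); mean maintainers per package "
          f"{report['mean_maintainers']:.2f}")
    for handle, n in sorted(report["solo_accounts"].items(), key=lambda kv: -kv[1]):
        print(f"  {handle}: sole maintainer of {n} package(s) in this tree")
```

Run it as a script to see the summary for the constructed `app` root; in this sample five of seven transitive dependencies have one maintainer, and two handles each sit alone under two packages. The mean comes out just above 1.5 even though most packages are solo-maintained, which is why the comment’s point about thresholds matters: an average hides the long tail of one-person packages, and listing them explicitly is what tells you where a vetting conversation, a fork, or sponsorship would actually reduce risk.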
The obvious answer to this problem, which this blog post doesn’t quite get to, is infrastructure funding.
Unfortunately for the US, their government doesn’t really have any interest in using its economic power to subsidize underresourced digital public goods. Presumably they are hoping The Market will fix it (it won’t). So the question is really who will fund it.
It makes me feel that there’s an opportunity here for countries who are interested in “digital sovereignty” to take up the mantle.
Let’s face it, the Russians aren’t dumb enough to backdoor a package owned by a guy living in Russia
I have a very different level of faith in the Russian government than OP
I think you face a similar risk when storing data in any company run by an American: the specific American has basically nothing to do with it, if they get a FISA secret court warrant
I don’t think it’s about faith, it’s about deniability. If you’re the FSB and you want a backdoor, you’ll find some foreign national to extort. And you’ll probably do it through an organised-crime front. That way, when it’s discovered, you shout ‘these evil imperialist Americans not properly policing their society allows organised crime to run rampant and target poor innocent people in {whatever country the target lives in}’. You’d only target a Russian as a last resort.
What I mean is that I have low expectations on both the evil and stupid axes
In terms of strategy, it’s one of those things they can only get away with once, before everyone blacklists every Russian-developed software, and it makes them look bad
I just still wouldn’t put it outside the realm of possibility
I understand the issue, and as a maintainer of a bunch of open-source projects myself (none big) I know I’ve felt burdened by them at times. But is this really a problem that should be dealt with? People who maintain high-quality open-source projects are just too conscientious to be helped. If they don’t have to worry about their open-source projects they will find something else to worry about and something to overwork on to help others that don’t value their work.
I guess there could be better tooling and a slight shift of culture so these people feel less like they have to ruin their lives by fixing bugs from annoying users who don’t value their work. Like for example having a git server that allows turning off the “issues” tab (tongue-in-cheek suggestion, but still).
Very concise and well-presented, this definitely goes into the good_writing collection
I used to really hate reading blogs that use slightly patronizing language to the reader (like “it’s ok, you’re in denial”) but now I find myself clutching onto all those stylistic bits that current AI writing cannot quite replicate, it’s a strange thing
Speaking of a Russian individual developing cool things, Recopter has designed what appears to be a very solid frame for drones. Using his work obviously has zero risk, but I could see how it could be frowned upon on the other side of the fence.
I also recall a fantastic tester who found several critical bugs in Monocypher, and basically taught me how to test in the process. He lives somewhere between Europe and Russia, I don’t know where exactly (I believe that’s intentional). One funny thing is, he has the expertise to vouch for my work in his country.
The supply chain thing also deeply resonates with me. It’s a big reason why I want as few dependencies as possible, and I want the most reliable, the most stable I could possibly get. So I could write a reliable, stable package for my users. (Fun fact: the speaker is of the opinion all software, not just Open Source, should be one person. And I kind of agree with him.)
This post is about a Register article – one I didn’t write, but it viciously attacks what I think is a perfectly fair and reasonable article. I’ve brought the article to the author’s attention, and he thinks it’s unfair and unreasonable too.
I wish people would remember that there are real humans behind these stories.
Secondly, I think this article is wrong, unfair, unbalanced, and generally not good copy. I find it infuriating that Lobsters users are upvoting this highly when it attacks my employer and one of my colleagues – even if I’ve never met him, he is young and smart and motivated.
What do I think is wrong with this?
It conflates the Javascript module world with FOSS as a whole, and that is mendacious nonsense.
FOSS is about a vast range of tools.
Javascript is just one of them, and while it’s a big one, it’s also a widely derided and even mocked tool. It doesn’t matter if a million people use it; that doesn’t make it a good tool. It is not a good tool and it is widely considered not to be a good language. Popularity is not an indicator of quality.
JS is a bit of a toy and the maintainers are, for a large part, not serious devs. They think they are, but it’s not true. (Much the same goes for PHP. (And if I really wanted to be mean, I’d say for Python as well.))
The result of that is millions of tiny trivial modules, used by people who aren’t pros, and as a result of that, an insane chaotic “ecosystem” whose denizens think the whole world is like this.
And whoever this blog author is, he thinks that represents the entirety of the FOSS world, and that it’s a good and solid model for passing judgement on the FOSS world.
And that is ludicrous, foolish, and very very wrong.
Why the blazes it has 93 upvotes and counting, I do not know.
I wish people would remember that there are real humans behind these stories.
I think that could be a fair summary of the motivation of the author of the post: The author of fast-glob is also a “real human” behind the story, and doesn’t deserve to be called out like this, especially when “Hunted Labs […] found no ties between him and any threat actor […] he’s never been approached by anybody to take any actions.” Makes the Register article a bit of a non-story, doesn’t it?
JS is a bit of a toy and the maintainers are, for a large part, not serious devs.
This is both unkind and untrue.
This is both unkind and untrue.
I will not deny it is unkind. Untrue? Let us look at some of the recent incidents in the last decade or so where JavaScript developers made it into the news.
The “leftpad” incident which caused major problems. Used by more than a million programs.
https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code
Or the Node-IPC incident.
https://notes.ekzhang.com/software/node-ipc
Over a million downloads a week. Attempted sabotage that was even featured on Vice:
https://www.vice.com/en/article/open-source-sabotage-node-ipc-wipe-russia-belraus-computers/
I wrote about it but I’m not allowed to link to that.
Faker.js and Colors.js – a protest knocked out loads of stuff. 3.3 billion downloads.
Another 25 malicious Node packages:
https://jfrog.com/blog/malware-civil-war-malicious-npm-packages-targeting-malware-authors/
“Solders” is a RAT trojan – earlier this year:
Whitesource estimated 1,300 compromised NPM packages:
Does this kind of thing look like sane, sensible FOSS development to you?
Let us look at some of the recent incidents in the last decade or so where JavaScript developers made it into the news.
Plenty of similar incidents with non-JS developers too: xz, log4j, goto fail…
I think judging worth-vs-cost-vs-whatever comes down to subjective opinions. What I and others are reacting to is the unkind presentation. I’m intensely loyal, so I understand the desire to defend broad definitions of “self”, so I think your motivation is noble, but I think the way you’re making your case detracts from it.
I wish people would remember that there are real humans behind these stories.
That’s the criticism that the author of this blog levels at El Reg. The original article has led to a person who happens to be Russian being harassed for the crime of other people who use his project not contributing to the maintenance.
It conflates the Javascript module world with FOSS as a whole, and that is mendacious nonsense.
The post specifically says:
So we’re going to use the NPM ecosystem to explain this. I use NPM because they have the richest data in ecosyste.ms to explain my point. I’ve done this same thing across multiple ecosystems and the graphs all look the same.
I therefore didn’t have a problem with their using the NPM data. The shape of their graph looks pretty much the shape I got a while ago with some ad-hoc unscientific sampling. It’s a bit less bad if you bias the results by projects a lot of people use / depend on, but then you have the ‘curl is just the hobby of some guy that has no business providing a service to a billion people’ thing. I am the sole maintainer and author of most of the code for two projects (neither in JavaScript) that I know have shipped on more than a hundred million devices. I’m definitely not unique in that respect.
Methinks thou dost protest too much. I don’t know how you get “fair and reasonable” from an article that goes out of its way to imply – without any proof – that a single FOSS developer is up to something nasty on behalf of Russia. Nor do I read Bressers’ article as “viciously attacking” the article. First of all, Bressers’ article is primarily trying to make a point about maintainers that only somewhat relates to the article – most of the copy is about that topic.
When the article describes users of the code as “at-risk” then you should not be surprised when people react strongly to it. El Reg’s calling card as a publication is “the hand that bites IT,” right? If y’all can’t take it, don’t dish it out. Don’t name and shame someone by implying that they’re a Kremlin-backed asset and then cry that it’s unfair when someone punches back.
The post uses a Register article as an introductory example but I don’t think it’s correct to say that it is about that article. Similarly I don’t think the post’s description of OSS being “one person” is in any way limited to the Javascript module world, it seems like a pretty apt description of the majority of all open-source software, invariant of language or ecosystem.
Might I suggest that you give this article a read? https://blog.aurynn.com/2015/12/16-contempt-culture