Now on the other hand if a company uses open source to profit from, then yes companies should likely have a duty to treat that project as a supplier and act accordingly.
Tane Piper (@tanepiper) · Sat, 29 Jan 2022 09:18 GMT
I've been writing open source software for over 20 years and I'd say it's absolutely no one's duty to contribute to anything - that's conferring a moral or legal obligation on people. It should only ever be a choice from a person twitter.com/parik36/status…
Tane Piper (@tanepiper) · Sat, 29 Jan 2022 09:18 GMT
Being an open source maintainer: build something popular and you either die a hero or live long enough to be told, “you’re what’s wrong with open source.” 🤷♂️
Nicholas C. Zakas (@slicknet) · Fri, 28 Jan 2022 01:58 GMT
If you don't have a paying day job you will likely die of malnutrition while the corporations sponge off your #OpenSource work.
Justin Johansson (@IndieScripter) · Fri, 28 Jan 2022 09:33 GMT
I started a sketch of my thoughts on the funding of open source and so far my conclusions are so bleak I hesitate to publish.
Laurie Voss (@seldo) · Mon, 24 Jan 2022 02:28 GMT
If you are a multi billion dollar company and are concerned about log4j, why not just email OSS authors you never paid anything and demand a response for free within 24 hours with lots of info? (company name redacted for *my* peace of mind)
Daniel 🥌 Stenberg (@bagder) · Fri, 21 Jan 2022 23:43 GMT
... but pure altruism isn't scalable, it's difficult to build a big community just on that. There're many advantages of participating pro-bono: learning/mentorship, portfolio, addressing your own needs, exposure, etc. These reasons are totally valid, and they can be win-win
Oleg Nenashev (@oleg_nenashev) · Wed, 19 Jan 2022 07:42 GMT
For what it's worth, there are many small projects being maintained by solo maintainers. Their time investment is way beyond the direct and indirect benefits they get for it. This is where altruism takes place, and it should be appreciated. Kudos to these maintainers 🙏
Oleg Nenashev (@oleg_nenashev) · Wed, 19 Jan 2022 07:37 GMT
Pure altruism of maintainers
Oleg Nenashev (@oleg_nenashev) · Wed, 19 Jan 2022 06:44 GMT
"Securing the (open source) software supply chain" naturally focuses attention "upstream" in the supply chain. And there is so much to do _downstream_ in how we assemble and operate software more securely. Improvements downstream don't need to wait on investments upstream.
Matthew S. Wilson (msw) (@_msw_) · Sun, 16 Jan 2022 17:18 GMT
Everyone wants to create something new to start a startup. But there are so many open source projects that are widely used, but don’t have anyone offering support or custom dev. You might not get huge valuations, but there are a thousand million-dollar businesses out there.
Daniel Feldman.ehh (@d_feldman) · Sat, 15 Jan 2022 06:17 GMT
Imagine how much worse this could have been (and how long it would have gone undetected) if the change was siphoning AWS credentials instead of graffiti in the terminal.
Looks like the AWS CDK is broken because the dependency on colors.js which has a totally hilarious bug: github.com/aws/aws-cdk/is… It shows "LIBERTY LIBERTY LIBERTY".
Soenke Ruempler (@s0enke) · Sun, 09 Jan 2022 18:43 GMT
Aidan W Steele (@__steele) · Sun, 09 Jan 2022 23:22 GMT
Thanks to this tip I just found out Datasette gets a mention in this academic paper! "What Else Is New? Open Data Users Need to Know What’s Changed" computer.org/csdl/magazine/…
Well worth searching your GitHub URL with Google Scholar. E.g. scholar.google.com/scholar?q=gith… Great way to find out if your code has made it into any academic publications.
Terence Eden (@edent) · Sun, 09 Jan 2022 15:56 GMT
Simon Willison (@simonw) · Mon, 10 Jan 2022 02:07 GMT
Nice, I've found one of my own projects in this which is pretty cool 🤓
People screaming as someone fucked up their OSS code on purpose. If only there was some way AWS could have, you know, pinned a specific version of a package for cdk... Oh wait there was.
Chris McKee (@chrismckee) · Sun, 09 Jan 2022 23:49 GMT
How can we even start talking about supply chain security and sustainability if a maintainer publishing a bad npm package version breaks everyone instantly? Stable, deterministic pinning is table stakes. theverge.com/2022/1/9/22874…
Filippo ${jndi:ldap://filippo.io/t} Valsorda (@FiloSottile) · Sun, 09 Jan 2022 22:23 GMT
I would say that once you start having *other* people contributing and maintaining, it's not fully *yours* anymore?
Hugo Rodrigues (@hugorodrigues) · Fri, 07 Jan 2022 03:32 GMT
Nope. Absolutely, completely, incorrect. Total nonsense. OSS maintainers don't owe you anything. Says so right on the license. If you can't read, maybe stay off the internet.
Yawar Amin لول (@yawaramin) · Sat, 08 Jan 2022 01:01 GMT
Often OSS developers make the world keep the lights on but aren't compensated for their time. Marak was struggling, asked for help. Got nothing. In protest, removed his code and GitHub suspended his account for removing something he owned the rights to.
Sam (@metruzanca) · Fri, 07 Jan 2022 01:07 GMT
I found a one-digit typo in the docs for Python's typing_extensions. I wanted to be a good community member and fix it. I had no idea how much frustration that one-char PR was about to cause. Brace yourselves as I take you along on this wild ride 🧵 RT for reach appreciated 🙏
Predrag Gruevski (@PredragGruevski) · Wed, 05 Jan 2022 17:36 GMT
If one wants to push a long-standing issue along, then don’t comment that, instead (if sensible in context) ask: “What can be done to push this issue forward? Are more details needed? More use cases? Someone doing a PR?” Then it becomes collaborative rather than exploitative 👍
Random comment on long-standing issue: Any updates on this? Me: would you like to work on it? Them: …
Matteo Collina (@matteocollina) · Thu, 06 Jan 2022 17:04 GMT
Pelle Wessman (@voxpelli) · Thu, 06 Jan 2022 18:30 GMT
As an engineer, @Neovim is critical infrastructure for my productivity, so I set up a monthly donation a few years ago through GitHub. It's great to be able to support a project that I rely on! ☺️
here's a recommendable New Year's resolution: donate in support of the critical open source tools you rely on. We do this at @discourse every year.
Jeff Atwood (@codinghorror) · Fri, 31 Dec 2021 00:27 GMT
Alex Gude (@alex_gude) · Sat, 01 Jan 2022 15:40 GMT
👍🏻 For folks looking for concrete and impactful steps they can take that aren’t personal: divest from using Facebook tech in your projects. Vote with your tech stack. twitter.com/quinnypig/stat…
Let me be clear: I think the company is molten garbage, but that's a very different thing than dunking on the humans who work there. I don't want to be remembered for a lack of empathy towards other people.
Corey Quinn (@QuinnyPig) · Thu, 30 Dec 2021 02:17 GMT
Zach Leatherman (@zachleat) · Thu, 30 Dec 2021 17:55 GMT
“The customer has nuclear weapons” is an unusual argument when inquiring whether a bug has been fixed yet, in an open source project. gcc.gnu.org/bugzilla/show_…
FX Coudert (@fxcoudert) · Wed, 29 Dec 2021 14:53 GMT
did...did this person threaten an open source project with nukes when they asked to be paid?
Manish (@ManishEarth) · Wed, 29 Dec 2021 14:57 GMT
the most important thing about the log4j incident is that it’s clear and incontrovertible evidence in support of whatever beliefs i already have about software development
henry 🌘 (@hdevalence) · Mon, 13 Dec 2021 17:29 GMT
Just use an npm package.
Den Delimarsky (@DennisCode) · Sun, 26 Dec 2021 05:17 GMT
there's something to be said for making some software to do something, calling it done, and then not updating it except maybe to fix things that break
"move fast and break things" startup culture has leaked HARD into open source personal software; no commits this year = ""dead""
artemis (@artemiseverfree) · Mon, 27 Dec 2021 01:49 GMT
This is why I started charging for open source work that’s not to my schedule.
“Open source maintainers are effectively unpaid outsourcing teams for giant corporations.” dev.to/yawaramin/the-…
Ceej "Cat-Warmed" Silverio (@ceejbot) · Sat, 25 Dec 2021 17:45 GMT
Jan Lehnardt (@janl) · Sat, 25 Dec 2021 18:22 GMT
imagining a timeline where the log4j maintainers replied to the vuln disclosure with "ok, feel free to raise a PR"
this is *well* worth the read dev.to/yawaramin/the-…
cje (@caseyjohnellis) · Thu, 23 Dec 2021 09:06 GMT
Matt "jira delenda est" Olson (@arachnocapital2) · Sat, 25 Dec 2021 01:39 GMT
A precondition of employment (if any) is probably going to be "If I am working with a language using an open source toolchain and find a bug or enhancement for our code that can be addressed by pushing a patch upstream, I am allowed to open the PR without asking Legal."
future🦹jubilee (@workingjubilee) · Wed, 22 Dec 2021 20:30 GMT
Good news: Log4j is the only library you use that’s been trivially vulnerable for about a decade.
haroon meer (@haroonmeer) · Mon, 20 Dec 2021 11:12 GMT
If funding devs more could fix the bugs before it reaches users, Windows and Mac OS would be bug free.
Nicolas Dorier (@NicolasDorier) · Sun, 19 Dec 2021 14:42 GMT
If the past week has taught us anything it's that people would rather depend on software they don't pay for, while complaining about it and its maintainers (who are also not getting paid!)
Marit van Dijk (@MaritvanDijk77) · Fri, 17 Dec 2021 06:03 GMT