Tag open-source

the log4j “december to remember” event this year features 0% financing on tech debt 😮

Patrick Cable (@patcable)Fri, 17 Dec 2021 15:40 GMT

seems like the entire internet is built on either small open source projects run by a couple folkx for free, and the gigantic cloud infrastructure run by a couple of companies. when either one is borked, the world goes poof

Selena (@selenalarson)Wed, 15 Dec 2021 16:14 GMT

open source maintainers to developers with jobs:

I Am Devloper (@iamdevloper)Wed, 15 Dec 2021 15:55 GMT

this high-profile vulnerability in an open source project is really reinforcing my belief that, to a dominant portion of users, the primary important thing about free software is that it is gratis, rather than libre

cron mom (@sophaskins)Sun, 12 Dec 2021 23:58 GMT

https://twitter.com/beka_valentine/status/1470134831262564353

but its not the log4j's responsibility to fix this in a timely fashion they didnt make any promises to any big corps about SLAs or any shit like that, and if there are **consequences** for those corps, that is FINE it might suck, but that's not the dev's responsibility

Beka Valentine (@beka_valentine)Sun, 12 Dec 2021 20:55 GMT

https://twitter.com/bagder/status/1470409522229428225

My team could spend an entire year reviewing the code from one “npm install”. I don’t think it’s really feasible to do code review across all OSS components. But funding? Absolutely.

April King 🌀 (@CubicleApril)Mon, 13 Dec 2021 15:11 GMT

https://twitter.com/seldo/status/1470031613174042626

Open source is free as in puppy.

Laurie Voss (@seldo)Sun, 12 Dec 2021 16:26 GMT

A rare insightful comment on the orange site: news.ycombinator.com/item?id=295252… "Open source is not broken".

Danack (@MrDanack)Sun, 12 Dec 2021 22:11 GMT

Been thinking about the maintainers of log4j2 a ton this weekend. I'm so thankful for open source. While I get to maintain projects with support from my employer - most do this entirely with spare time Maintainers deserve our thanks (and sponsorships!) for their work 🤗🙏

Jeff Hollan (@jeffhollan)Sun, 12 Dec 2021 17:16 GMT

Another chronically underfunded OSS library in the news. It’s simple: - Using OSS to make money? Fund it! - Want to see an OSS project advance? Fund it! - Want to help your dependencies succeed so you can hire people experienced in them? Fund them! NORMALIZE FUNDING OSS.

twitter.com/benjie/status/…

Post details

Why not take 5% of your engineering budget and invest it in the various open source projects you depend on? I'd hazard the returns you'd see over the coming years from this investment would be greater than having spent that same amount on payroll.

Benjie 🐘 (@Benjie)Thu, 18 Jun 2020 13:18 +0000

Benjie 🐘 (@Benjie)Sun, 12 Dec 2021 10:05 GMT

We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do. blog.filippo.io/professional-m…

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Sat, 11 Dec 2021 19:22 GMT

since everyone is talking about log4j/supply chains an experiment years ago i calculated 1-bit offset utf8 strings of the top few hundred npm packages and registered packages under them they received thousands of hits per week from machines trying to download and execute them

suzuha (@dystopiabreaker)Sat, 11 Dec 2021 08:06 GMT

Maintainable open source is not an easily solved problem. And yet most of our tech stacks would shut down if open source code was all of a sudden unavailable.

Laurie (@laurieontech)Sat, 11 Dec 2021 22:44 GMT

The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way.

Post details

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Catalin Cimpanu (@campuscodi)Sat, 11 Dec 2021 17:41 GMT

It took me about 5 minutes to start locally running an open source Ruby project despite the fact that I never touched Ruby on Rails in the past & project itself didn’t have related docs. Now that’s what I call strong external community resources that are easy to find 👏

Cake is Kate. Always has been 💫 (@kefimochi)Sat, 11 Dec 2021 23:27 GMT

https://twitter.com/FiloSottile/status/1469441487175880711

The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

https://twitter.com/FiloSottile/status/1469441477642178561

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt" People, what are we doing.

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

Post details

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

This may seem like overkill, but it's really an investment in your company's stability. #OpenSource may reduce many costs of development, but it's not entirely free. Don't find out that the library that's integral to your infrastructure is un(der)-funded when it's too late.

Post details

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

twitter.com/shelbyspees/st…

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

julia ferraioli (@juliaferraioli)Sat, 11 Dec 2021 17:53 GMT

No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html Open Source needs to grow the hell up. Yesterday.

Post details

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them.

Post details

If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit. -Dlog4j2.formatMsgNoLookups=true lnkd.in/gHmEFJ9w #Java #Security #Infosec

Bruno Borges (@brunoborges)Fri, 10 Dec 2021 06:07 GMT

Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.

Post details

Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them. twitter.com/brunoborges/st…

Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

This is the kind of shit open-source maintainers and visible community members deal with _constantly_. I spend a lot of my time teaching people about Kubernetes and ops stuff, possibly too much time. But I do it on my terms. Maintainers don't owe you training.

Noah Kantrowitz (@kantrn)Wed, 01 Dec 2021 21:20 GMT

So you want for fork Electron. This is not for the faint of heart, but I will tell you what you need to do.

Jacob 🌎💧🍁☀️ (@0x606)Wed, 24 Nov 2021 17:59 GMT

Sometimes you go from creator to maintainer to user. This is a valid path and is a healthy one.

Jaana Dogan ヤナ ドガン (@rakyll)Mon, 08 Nov 2021 20:53 GMT

A quick definition of Open-Source

Fabien Potencier (@fabpot)Thu, 04 Nov 2021 08:26 GMT

https://twitter.com/adamhjk/status/1456647709092311043

Want it to be open source? Great! Go for it. Want it to have all the upsides of open source, and none of the side effects that might make you uncomfortable? Get the fuck right out of town with that. The upside of being open should come with the potential for others to benefit.

Adam Jacob (@adamhjk)Fri, 05 Nov 2021 15:40 GMT

I don’t think people realise just how prevalent this sort of thing is… We get them to the Django board all the time too. We’re all volunteers, and it can take a toll. twitter.com/mikemcquaid/st…

Post details

Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release

Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000

Aaron Bassett - 🥑🪐 (@aaronbassett)Wed, 27 Oct 2021 13:45 +0000

Still blows my mind how people increasingly think the answer to their OSS problems is to harass and abuse the maintainers (aka who can fix their problems). The abuse gets exponentially worse towards non white/cis/men maintainers. This is the “normal”. OSS is broken. twitter.com/mikemcquaid/st…

Post details

Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release

Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000

Emily Kager (@EmilyKager)Wed, 27 Oct 2021 18:30 +0000

Being an open-source maintainer in 2021: since yesterday I have: - people in my personal DMs calling me a douche for not helping them debug their problems in my DMs - people saying “f*ck you Homebrew” (their censoring, not mine) in my personal email for a new Homebrew release

Mike McQuaid (@MikeMcQuaid)Wed, 27 Oct 2021 11:43 +0000

Thanks to @JamieTanna for stepping up up as a @jenkinsci JobDSL plugin maintainer! And kudos to @daspilker for leading it for almost ten years 🙇 JobDSL is one of the well documented and stable plugins and it is also essential for the configuration as code ecosystem in Jenkins

Post details

https://twitter.com/martaarcones/status/1433095090621362181

Just to update on this - I'm a maintainer now, it's been released as 1.78 this morning, and I'll see over the coming weeks if there's anything other high-priority to ship 🚀 (jvt.me/mf2/2021/10/jy…)

Jamie Tanna | www.jvt.me (@JamieTanna)Wed, 27 Oct 2021 09:54 +0000

Oleg Nenashev (@oleg_nenashev)Wed, 27 Oct 2021 10:11 +0000

https://twitter.com/mjasay/status/1452334102020071431

GitHub isn't Open Source, and it's acquisition by Microsoft was not proof of their commitment to Open Source as a movement. There are other things that indicate a meaningful change in respect of the movement. ASOP is an "Open Source Project" in name and software license only.

Matthew S. Wilson (msw) (@_msw_)Sun, 24 Oct 2021 18:15 +0000

Every open source maintainer upon realizing tomorrow is October…

Devon Govett (@devongovett)Fri, 01 Oct 2021 03:02 +0000

Using this

🧗‍♂️ Matt Holt (@mholt6)Fri, 01 Oct 2021 05:54 +0000

An open source project either dies young as a hero or lives long enough to be horribly mismanaged into the ground by a group of big egos with misaligned incentives.

Jamon 🚜 (@jamonholmgren)Thu, 30 Sep 2021 17:02 +0000

https://twitter.com/jenkinsci/status/1434192692414595073

Thanks to the entire Jenkins Infra Team for their evening&weekend work to get it fixed as soon as possible! 🙇

Oleg Nenashev (@oleg_nenashev)Sat, 04 Sep 2021 16:55 +0000