> As a maintainer, it is his choice which patches to accept. If you're not happy with his decisions, choose another project, fork it, or pay someone to do it for you.
Sure, but that DOES NOT mean you're immune to criticism, especially when it comes to security.
Your type of argument could otherwise be used for pretty much everything - even large corporations. It's not useful.
> Sure, but that DOES NOT mean you're immune to criticism
The problem wasn't the criticism, but the expectation that said criticism invokes a certain behavior of the maintainer.
You can criticize open source maintenance by creating a fork in which you outline your vision (e.g. "much less use of 'unsafe' in the web package") - and deal with the burden of being a maintainer.
Everything else is just trying to force people to do stuff for you, and that's rude.
FWIW, I don't have a dog in this fight. On the one hand, there is the maintainer who is within his rights to accept or reject patches as he wishes (although it's not great that he's allegedly falsely advertising his project as secure) and you have critics who are within their right to criticize (although it's not great that much criticism is vitriolic, etc). As TFA says, it's a sad affair all around.
> The problem wasn't the criticism, but the expectation that said criticism invokes a certain behavior of the maintainer.
Of course it implies that the maintainer should change. All criticism implies an expectation of change, at least when the opportunity to change is still available.
> Everything else is just trying to force people to do stuff for you, and that's rude.
Criticism isn't "force" or "attempted force". This is just criticism. If you think criticism is rude, that's fine. Hypocritical, but fine.
You can't rationally say the maintainer is within his rights for rejecting security patches and then argue that critics are wrong for criticizing these practices.
> Criticism isn't "force" or "attempted force". If you think criticism is rude, that's fine. Hypocritical, but fine.
No, the attempt to make somebody do what you want by brigading is what's attempting to exert force and what's rude.
Hiding that behind "I'm just criticizing" (you didn't, but it's a popular refrain in such "debates") is more than only rude, it's also cowardice.
> You can't rationally say the maintainer is within his rights for rejecting security patches and then argue that critics are wrong for criticizing these practices.
The author of the package didn't force their code onto the users.
The authors of the criticism forced their criticism on him by throwing it his way in the form of bug reports etc. even when it was clear that there's no interest in it.
> No, the attempt to make somebody do what you want by brigading is what's attempting to exert force and what's rude.
Unless the critics are engaging in threats, intimidation, and/or violence, we're talking about criticism and not force.
> Criticism isn't "force" or "attempted force". If you think criticism is rude, that's fine. Hypocritical, but fine.
No, the attempt to make somebody do what you want by brigading is what's attempting to exert force and what's rude.
> The author of the package didn't force their code onto the users.
No one is arguing this. Weird straw man.
> The authors of the criticism forced their criticism on him by throwing it his way in the form of bug reports etc. even when it was clear that there's no interest in it.
Wow. I really didn't anticipate the "bug reports == force" equivalence.
I don't know that I agree with the parent post equivalence of "bug reports == force" but I think there is a point to be made that this wasn't just people speaking poorly or offering criticism. There is a real difference between posting your criticism on a platform you control and filling up the issue tracker used by the project. There is an aspect of coercion in that the maintainer has to choose between expending effort to combat the flood of unwanted issues or abandon the use of the issue tracker. They can't just decide to ignore the criticism.
Re. "The author of the package didn't force their code onto the users," it's not really a straw man. People are arguing that the author has moral responsibility for their use of his code. That ignores the fact that they actively chose to use his code. The only way the author would be morally responsible for their use of his code is if he had forced them to use it somehow. So yes, people are basically arguing this.
So basically, if you use open source code in your code, you should expect there to be security vulnerabilities which people know about and are keeping quiet about because it'd be unfair to the unpaid creator to criticise them? Tbat sure makes it sound like it's morally irresponsible to use open-source rather than purchased commercial code in something like a web-facing service in 2020, especially given what we know now about the damage compromises can do and the resulting legal climate.
You can report on security vulnerabilities in a library without being vitriolic.
Find vulnerability. Already, awesome of you to have done. Issue patch request. That's 10x even better, you're a boon to the community. You submit it, it gets rejected, you find out why and it's the maintainer is just not feeling it or some other irrational reason. Fork, put in the readme why you forked, write a blog post without being a dick about it, done.
The article we're talking about is referring to the bloodbath of a Reddit pile-on. That's totally unacceptable behavior from an adult.
Please don't twist my words. I never said you have to keep quiet or that you're not allowed to criticize. If you see that a project has serious issues, feel free to write a blog post about it. Maybe offer to help, but don't demand your help being accepted.
- full rights to modify it and use it as it was your own
There's no other guarantee.
So if someone writes some code that becomes highly popular, they have no obligation whatsoever to maintain it the way people want.
They don't even have to maintain it at all, if they don't want to!
It's out in the public, it's free, that's the end of the agreement on the creato's side.
If a writer gave away their writings for free, could people pretend that they write what people want them to write, the way they want?
Is it fair to judge the writer because the answer was "WONTFIX"?
But the reality is worse than that.
A lot of companies are literally making billions using OSS, but they are not paying for it, a lot of programmers are making a lot of money by assembling OSS for their clients, but they are not paying for it, hell most of them are not even contributing in _any_ way, what does entitle them to pretend the attention of the OSS maintainer or that the maintainer should act in a way or another, according to the "community" desires?
Yes. I would expect there to be vulns and inconsistent patching for all OSS that I depend on and where I don't have a professional contract with its maintainers.
>Sure, but that DOES NOT mean you're immune to criticism, especially when it comes to security.
But our society does not just openly accept giving criticism. There are rules. Unwritten and extremely vague ones, no doubt, but still social rules. This is especially so when criticizing something a person is providing for free. In this incident, did the criticism cross the boundary and violate those rules? It seems so. Many people likely gave respectful criticism that followed the rules but they appear to have been drowned out by those who did not.
Security isn't a special license for being nasty. Criticism is fine, even with some urgency due to security being important.
But software done for free by volunteers carries no obligation of a legal or even a moral kind, whatsoever. This is completely different from selling software or doing work for hire or donations. There a moral and often even legal obligation exists.
no your argument isn't useful. the question is never about rights because we all know what the maintainer's rights are (so it's always a discussion of obligation).
if you accept that the open source projects are voluntary as an axiom then you in fact cannot criticize choices made by the volunteer.
here's an analogy: a homeless person asks for money. you don't give him money but buy him food. can the homeless person rightfully criticize you?
A homeless person asks for money. You don't give him money but give him some advice. Can the homeless person rightfully criticize you?
You can absolutely criticize choices made by volunteers. I don't think you need to think too deeply about this to imagine situations where few would object to criticizing a volunteer's behavior. An obvious one would be if an open source maintainer willfully included malware/etc. into their project - which, to many people, ignoring glaring security issues is vaguely equivalent.
I obviously don't think vitriol is warranted ever, but criticism obviously is from time-to-time.
what is the relationship of your analogy to this situation? is the maintainer the homeless person in your analogy?
you can criticize all you want as an exercise of your critical thinking faculties but the volunteer is not in anyway obligated to heed the criticism.
"it's my money/time and I'll spend it how I want, which includes burning it"
is the fundamental axiom. Given that that is the foundation what sense would it make to criticize that person for burning the money - it's right there in the premise that they're allowed to!
> what is the relationship of your analogy to this situation? is the maintainer the homeless person in your analogy?
It's your analogy, you tell me.
> you can criticize all you want as an exercise of your critical thinking faculties but the volunteer is not in anyway obligated to heed the criticism.
Nobody said they were. Nobody's trying to punish the maintainer legally. That doesn't mean criticism won't be offered or warranted.
Here's another analogy: You have a right to be a jerk in real life. Nobody's going to physically or legally stop you, barring extreme circumstances. People will still criticize you for being a jerk, as is THEIR right.
in my analogy you're the homeless person and the maintainer is the charitable person. in your analogy the homeless person is getting advice from ...?
>People will still criticize you for being a jerk, as is THEIR right.
completely specious. code in a github repo is not active participation in society. the fact that it's public does not mean it's been submitted for evaluation in any way. criticizing a thing that wasn't critically submitted is meaningless. it's like calling my practice sketches inferior to commissioned pieces - no shit that's the point!
> in my analogy you're the homeless person and the maintainer is the charitable person. in your analogy the homeless person is getting advice from ...?
the maintainer?
> completely specious. code in a github repo is not active participation in society. the fact that it's public does not mean it's been submitted for evaluation in any way. criticizing a think that wasn't critically submitted is meaningless. it's like calling my practice sketches inferior to commissioned pieces - no shit that's the point!
Uh, what? By packaging something as a crate, by listing it on crates.io, you're submitting it to be used. If you don't want it to be used or evaluated, at all, why in the world would you publish something as a crate on a public registry?
This is more like submitting your sketches to a public art gallery and then being upset when the public criticizes it.
>This is more like submitting your sketches to a public art gallery and then being upset when the public criticizes it.
that's not what happened. there weren't simply discussions of the viability or soundness or the crate. there were implicit/explicit demands for changes. so your analogy is wrong again - it would be like submitting public sketches and then facing demands that the sketches be improved. does that sound like something that i as the artist should be comfortable with? more importantly does that sound like something a reasonable person would do (make demands for alterations to sketches submitted to a public art gallery)?
what are you talking about? The code was submitted to be used by the public as a crate on a public registry. There were ABSOLUTELY discussions of the soundness of the crate - that’s literally what sparked this issue, security flaws in the crate.
Are you sure you have a firm grasp on what actually transpired here?
And people are allowed to criticize his reluctance to accept those vital security patches, because he submitted code packaged as a crate to be used by others on a public registry.
By publishing something to be used by others in a public registry, you are opting in to receive criticism from the public.
Criticism is not the same thing as vitriol and I’m not endorsing the latter even one iota.
You've broken the site guidelines egregiously in this thread. Since you also have a long history of breaking the HN guidelines, we'd normally ban an account for this, but it has been posting pretty well in recent history, so I won't ban it this time.
you know what would be useful mr. arbiter-of-what's-appropriate? if you would point out exactly what you believe i've done that is "egregious" instead of just vaguely alluding to the guidelines page and leave it up to interpretation/divination/mind-reading. as far as i can tell i've engaged in a good faith discussion/debate and it was solely this other person that shouted/antagonized. the only informal (could be perceived as antagonistic) thing i did was remark on how that person was moving goal posts after i clarified and produced reasoning for my position and how i'm glad that one valuable thing that came out of the exchange was i learned to avoid them in the future. as far as i can tell in the comment chain, it was the other person's that got flagged first and was the source of the tension.
there's something so aggravating about how you preside (note i didn't call it moderation) over these forums. what is the point of a voting system if you can unilaterally censor and censure? you know what the pretense to "objective" and "rational" discourse of this forum does? it inspires the kind of arrogance you see here on so many posts - absolutist positions on everything from tech to healthcare to history. the brand of yc and you and the rhetoric of the guidelines and you all function as an aegis.
For starters, "man i'm glad there are identifying details about you in your profile so i can avoid working with you" is an egregious personal attack, certainly something we'd ban accounts for, especially when they have a history of breaking the site guidelines.
> what is the point of a voting system if you can unilaterally censor and censure?
HN is a constitutional democracy. I can see why you'd find it annoying if you're assuming otherwise. We can't go by upvotes alone—if comments break the site guidelines, it doesn't matter how upvoted they are.
The voting system alone doesn't regulate itself—it leads to flamewars because indignant and unsubstantive comments frequently get upvoted. That's why there need to be countervailing mechanisms like flagging and moderation.
i would love for you precisely identify what part of
>man i'm glad there are identifying details about you in your profile so i can avoid working with you
is an attack. it's an expression of my personal exasperation. there's literally not a single ascription of any qualities to the other person. you can ctrl+f "you" or "your" in this subtree
and i in no place ascribe any qualities to anyone. my only other remark was pointing out the other person's belligerence which i still didn't make personal.
so either you can claim that there's something like a "zero tolerance" policy for antagonism or you can retract what you've accused me of.
this is my overarching point and has been for years on hn: it's evil to paint with a broad brush people that are actually antagonistic and those that don't feel they should toe the line in response to those people. your constitutional moderation is this brush.
it's not about whether someone is above criticism - it's about whether criticism makes sense in the context of what's being proffered. in another part of this branch of the thread i make the analogy with a an artist's sketch posted to a public art gallery. it's not that you can't criticize, it's that it doesn't make sense to criticize because the artist isn't attempting to achieve anything.
maybe a better analogy is if i play a pickup game of basketball and i get labeled a bad player for not trying my hardest. it's not that the criticism is misplaced it's that it doesn't make sense at all - i wasn't trying to be a good player! i was trying to have fun.
That’s not the issue at all, and we know this because the project was advertised as secure and the critics were arguing that it wasn’t advertised as such. This is characteristically different than your basketball analogy because it is neither explicit nor implicit that the project was unsuitable for production. Drew is arguing that the criticism is invalid because maintainers are within their rights to even lie about their projects because all responsibility lies downstream. Note that security DOES indeed lie downstream, but Drew is mistaken for arguing that this downstream responsibility immunizes maintainers from such criticism. This is a non sequitur.
I don’t understand the desire to make this out to be a sort of dichotomy—both groups have the right to do what they did (the maintainer to reject patches and even allegedly lie about the security properties of his project and the critics to criticize even in bad taste) and both parties could have handled it better. TFA did a fine job for implicitly acknowledging this by simply referring to the situation as sad all around.
>That’s not the issue at all, and we know this because the project was advertised as secure
this is so weird to me. i have a really difficult time on hn often because i don't understand why people that claim to be intelligent can't distill out the fundamental/primary issues.
it's a free/proffered/donation/voluntary/no strings attached piece of code. that is the first thing that defines its use/understanding/existence/ontology whatever other words. everything else is contingent upon that. you can debate this point - you can say something about the social contract of open source software and your responsibility to the community if you yourself have benefited from other open source projects and etc but no one is debating this. everyone is debating aposteriori things.
if i put a mattress out on the street with a sign "no bed bugs" and you pick it up and it has bed bugs in can you be mad at me? can you take action against me?
i don't know what kind of framework i need to appeal to in order to underscore this issue so that people address it directly instead of things further down the line. i would really appreciate someone showing me how to either do this (put the focus on the thing i'm engaging with) or tell me why i'm wrong for focusing on that.
> this is so weird to me. i have a really difficult time on hn often because i don't understand why people that claim to be intelligent can't distill out the fundamental/primary issues.
I feel the same way, but not about /u/weberc2's post.
> it's a free/proffered/donation/voluntary/no strings attached piece of code. that is the first thing that defines its use/understanding/existence/ontology whatever other words. everything else is contingent upon that.
This is another of your own axioms. These aren't universal. In particular, if a maintainer states or otherwise implies that his project is secure and suitable for production and then behaves otherwise, criticism is warranted. Even if he doesn't, criticism is still permissible.
> you can debate this point - you can say something about the social contract of open source software and your responsibility to the community if you yourself have benefited from other open source projects and etc but no one is debating this. everyone is debating aposteriori things.
No one is debating this because it's not necessary. The maintainer's explicit assertions about his project (its security, etc) override implicit "social contract" responsibilities.
> if i put a mattress out on the street with a sign "no bed bugs" and you pick it up and it has bed bugs in can you be mad at me? can you take action against me?
Not sure, but I can certainly criticize you.
> i don't know what kind of framework i need to appeal to in order to underscore this issue so that people address it directly instead of things further down the line. i would really appreciate someone showing me how to either do this (put the focus on the thing i'm engaging with) or tell me why i'm wrong for focusing on that.
In general your arguments are based on your own axioms. If your axioms aren't widely-shared, then you will run into these sorts of disagreements.
>This is another of your own axioms. These aren't universal.
how is this my axiom? it's on github. no one has paid for a license (the license is completely permissive).
>In particular, if a maintainer states or otherwise implies that his project is secure and suitable for production and then behaves otherwise, criticism is warranted.
is that part of the TOS of github? is that part of the bylaws of the guild of software engineers? is that in the bible? where is this codified except in this thread around this issue where everyone is mad?
>Not sure, but I can certainly criticize you.
you can do whatever you want. you can stand on your head and recite the star spangled banner. i'm posing the question whether it's reasonable. is it reasonable to criticize me for putting that mattress there in that state?
>In general your arguments are based on your own axioms
again they're not mine in the least - i did not coin the phrase "don't look a gift horse in the mouth". that is much older than me and fairly universally understood/accepted.
It's your axiom because others don't believe it being on github or free immunizes the maintainer from criticism. Licenses and GitHub ToS have no authority over who may or may not be criticized. You reason that it's not eligible for criticism because you hold the axiom that it is unreasonable to criticize open source projects. The "gift horse" phrase doesn't apply to situations where the "gift" is a liability; i.e., something that could leave you worse off than before--the Trojans would have done well to look their gift horse in the mouth, for example.
This has been the argument throughout the various discussions -- that somehow if there isn't a payment structure between party A and party B, there is full immunity from criticism, questioning, expectations, etc. It is absolutely insipid and is a logical non-starter that doesn't pass the most basic of considerations. Yet it keeps recurring. It's bizarre.
Sure, but that DOES NOT mean you're immune to criticism, especially when it comes to security.
Your type of argument could otherwise be used for pretty much everything - even large corporations. It's not useful.