1. 74

The author of actix-web has cleared out the repository with a postmortem.

More discussion on the /r/rust subreddit: https://www.reddit.com/r/rust/comments/epzukc/actix_web_repository_cleared_by_author_who_says/

  1.  

  2. 30

    Feminintendo on Reddit called out the people calling him out. Had three, good options at the end.

    Edit to add: @ddevault said same thing even shorter on Hacker News.

    1. 11

      I think their responses go overboard ‘the other way’. People are expecting too much of open source authors, but I don’t believe the correct response is: ‘they have no responsibilities at all’. I believe that if you choose to release something to the public, you carry some responsibility for it. And I believe the discussion should be about which few responsibilities others may reasonably expect you to take on.

      Some analogies to illustrate my though process here:

      • If I offer to borrow my hedge trimmer to my neighbours, it would be disapproved of if it was, known to me, broken or dangerously malfunctioning
      • If I claim a piece of a communal garden and don’t take care of it, it would be disapproved of and I would consider it right for the piece to be offered to someone else
      • If I offer to do some volunteer work and I subsequently don’t do it or do a lousy job for whatever reason, people are right to be disappointed and call me out on it
      • If I would have been the first to claim recipes.com and I would largely, deliberately, publish recipes that are incomplete or disgusting, people would be right to be disappointed and one could wonder what gives me the right to cause so many negative emotions.
      • If I would be a famous chef and I would publish a book with such defects, people could also wonder whether they shouldn’t be able to hold me responsible for resulting harm (and yes, frustration and disappointment are harms, usually offset by being a minority response or by being unintentional).

      If you release code, you stake a claim to at least the name of the project and filling a certain niche. You choose to have your intellectual property invade the minds of everyone that is reached. That can have many benefits for the world and particular communities within it. At the same way your code being published and ‘out there’ can cause harm. That it’s free doesn’t change that. That you didn’t intend harm doesn’t change that. That people could theoretically choose to ignore it doesn’t change that, because in practice people don’t and you know that beforehand. That’s why I believe that publishing code carries some minimal responsibilities with it, like giving your neighbour a list of things they can borough from you does.

      I don’t know exactly how those responsibilities translate to open source software. That’s the hard part here. I would tentatively say something like:

      • At the very least things should, to your knowledge, do what they are described to do.
      • If something is in known ways defective, you should make that known.
      • If you own a project and associated publishing permissions (e.g. for libraries to your the library repo of your language of choice) and are tired of it or the community in general seems like it would like to fork, be cooperative. Offer to cede the name and the publishing permissions and to not compete with the fork. Names and niches are not yours to own because you were the first to move into them.

      Responsibilities you explicitly don’t have:

      • Keeping the code functional, including secure
      • Responding to issues
      • Merging push requests
      • Sharing any knowledge of how the code works, including documentation
      • Anything else you don’t want to do, except when listed under the responsibilities you do have

      Is that unreasonable?

      1. 5

        At the 36C3 congress there was a talk about declaring what people can expect from software (German) (at least that’s what I learned from the talk). The speaker proposed that software should have labels that describe what kind of promises the authors of the software are making. The speaker proposed a few dimensions for this, for example:

        • ownership (license, FOSS? closed source? cloud vendor-lock-in?)
        • confidence (do you make any guarantees about your software? how experienced are you in the field?)
        • correctness (unit tests? formal proof?)
        • and some more.

        (the speaker said that this is just a rough idea and probably not the best approach, yet; but I like the idea, thus I want to refer to it here)

        Such an approach could help with the issue that people expect something from you which you cannot or do not want to deliver. For example, there could be one dimension commitment (how much time are you spending on this project) with options like:

        • this project has a full corporate team (5+ members)
        • this is a one man project, but related to my business so I earn money from it (higher chance for support that on hobby project)
        • this project is developed by a team of hobbyists - so if I do not want to continue, others can
        • this is a hobby project which I do myself in my free-time. Do not expect any work from me when I’m busy. Expect it to be discontinued at any time.

        Even if we do not have a standardized system for this, yet, I guess it could still make sense for a FOSS project to state such things in the README.md at the top. That way people know what to expect. The speaker of the talk proposes a shortcut scheme for this (e.g. O++ for permissive licenses), but that’s only possible once categories are known and there is some adoption.

        1. 9

          Yes, I think it’s unreasonable.

          When I release code, I do it as a gift. I expect nothing from you and you should expect the same from me.

          If I write documentation, respond to issues, etc. is because I get something from it, even if it’s only the satisfaction of doing something useful for others, but I have no obligation to keep doing it.

          Take it or leave it

          1. 4

            That seems like an oversimplification to me.

            Open source authors reap non-monetary social and reputational rewards for their efforts that can be desirable in their own right and sometimes translate to significant real world benefits (projects can be the reason you’re hired at a high-paying job, the reason you’re invited to speak at a conference that gets you more consulting clients, and so on)

            Given that, it strikes me as little disingenuous if your POV as an open source author, especially of a popular project, is “Anyone who expects anything from me is an entitled asshole, and I’m a holy selfless person.” Not totally disingenuous, mind you (it’s partly reasonable), but also not the whole story.

            The details really matter too.

            For example, if you want the relationship between you and your users to be “I expect nothing from you and you should expect the same from me,” I think you should make that clear in your README, one way or another. Set the expectations clearly.

            But I think it’s dishonest to, e.g., silently claim that as your philosophy when it suits you, and at the same time build an active community around your project, maintain it regularly, accept PRs, and so on. (btw, I’m discussing the general case now, not casting accusations at the Rust maintainer that spurred this thread – I’m not familiar with those details but it seems like he was genuinely treated unfairly.)

            1. 3

              My argument is based on the observation that what you are giving the world is not just a gift. There are costs even to ‘leaving it’.

              1. 3

                Those costs should be evaluated by the people taking it, as they are the ones that it affects.

                1. 2

                  Having to evaluate things Is exactly one of the costs imposed on the world by publishing things. It’s not optional.

                  1. 3

                    But still your own decision. You can always write your own thing, if that seems to be cheaper than evaluating existing solutions. I don’t think that would be wise in most cases, but it is an option. Do you think people should only release their projects as open source if they are prepared to help with the costs that software project might have for others who evaluate/eventually use those projects? I know, personally, that if I’d think that was true, I’d never release anything at all…

                    1. 2

                      I am looking for minimal responsibilities and the ones you mention seem unlikely to be an agreed upon minimum. Not deliberately making it hard to evaluate things would be a smaller responsibility. At least not being deliberately deceptive in ways to would obviously cause harm was kind of the minimum thing I was going for, but it seems agreement on that cannot be reached.

                2. 1

                  But those costs are not the responsibility of the OSS author.

                  1. 3

                    Why not? They are the one imposing the costs on the world: they claim a name and set things up so their publication takes space in the heads of people.

                    1. 5

                      Call it freedom of speech. It’s like saying you wrote a book. Nobody has to read it and you can’t blame the author if you don’t like it.

                      Please also don’t blame the author if you use a book you didn’t like as a stand for you monitor and it somehow tips over.

                      1. 0

                        If you don’t like ads, don’t look at them. That giant billboard, that lightshow, that banner at the top of the page you are visiting, don’t look at them. Easy, right? No effort at all to ignore them. No reason to install ad blockers or pi-holes whatsoever.

                        1. 3

                          You’re missing the point. Everyone can cram as many ads on their page as they like. I take the liberty to not use those sites. Or if I do, use an adblocker. Or in this case, I might not use the library. Or read the source and patch it. I’m not demanding the author change anything, but I might open a friendly issue or PR.

                          1. -1

                            I think you’re missing the point :). Those ads enforced a cost on you. You had to take the trouble to use an adblocker. Similarly, publishing something with the intent it be found and presented to you by search engines imposes a cost on you and everyone else: more results to evaluate. If you impose a cost on the world, perhaps you have to take on some minimum of responsibility, such as a least having a short description truthful about the further contents of what was published. That is what we’re arguing about here: do you have a certain minimum of responsibility to the world and what is that minimum?

                            1. 2

                              To me, that’s just the cost of participating in a community, be it our small one here, or the ‘big’ one outside. You can’t expect to not have to pay anything (be it money, time, attention, whatever), if you choose to participate. You participating in this thread has a cost for me too, but I don’t blame you :-)

                              1. 2

                                That is absolutely true and I think that in comparable situations some of those costs of participating in a community are costs you voluntarily pay to reduce the costs multiple other members would otherwise have to pay, so the aggregate cost for everyone stays lower.

                                1. 2

                                  Fair enough, yes. Personally, I like the little inefficiencies, surprises and unexpected-nesses when participating in contexts like those. That’s usually where the (to me) worthwhile and interesting stuff happens. And I can always choose to opt-out (forever, or for a while) if something gets on my nerves.

                      2. 3

                        Um, no. Pushing a repo to GitHub and setting up a website does not force people to use the project. It doesn’t force people to pay a cost or even if it does the cost is so small–in a sea of other projects like this–that it’s trivial. And because it’s trivial, removing the project is also a trivial cost to people who are not using it. It’s not a cost that people normally even think about. Like, my existence imposes a cognitive load on your mind. Does that mean I pay you something? What, like $0.01?

                        1. 2

                          You didn’t choose to exist, so you can’t be held responsible for that.

                          even if it does the cost is so small–in a sea of other projects like this–that it’s trivial

                          It’s death by a thousand cuts.

                          It’s not a cost that people normally even think about.

                          That doesn’t make it less real. Across all people and projects it adds up. It will get worse in the coming decennia and it will need to be solved.

                          But that’s all going much further than what I argued. In the end, my question was only: what are the minimal responsibilities. Can we agree on ‘being honest about what software is supposed to do’ and ‘not hiding (valid) bug reports’?

                          1. 3

                            It’s death by a thousand cuts.

                            Only if you’re actually personally evaluating a thousand OSS projects–are you personally evaluating a thousand OSS projects?

                            That doesn’t make it less real. Across all people and projects it adds up.

                            So do the cognitive ‘cost’ of books, music, and other art forms being published, but somehow you don’t hear about calls to ‘solve’ this problem.

                            my question was only: what are the minimal responsibilities.

                            I’ve already answered this question: please check the license file of the software you’re using to understand what the maintainer owes you.

                3. 3

                  Then again both BSD and MIT licenses expressly say that the software is provided “as is”. This is not incidental, it specifically is there to tell people that the author does not owe the licensees a damn thing.

                  Which is also why, if bugs arise in some of my open source libraries, I will tell people that I might fix them one day because I built them for fun on my spare time, also giving them the option to contract me – for money – to actually fix them short notice. Even if the libraries are not popular by any margin, a company is actually using one of them in production, and did offer to pay for me to fix them “next week”. Eventually we decided this wasn’t necessary but we keep the option open for the future. I am also open to selling nonfree versions of the libraries with support contracts.

                  So many companies use open source software in their products it makes very little sense to not see a market there. A hobby is a hobby, fun is free, but entitlement isn’t. I already get paid to write software, if someone really wants me to spend a Saturday fixing bugs for them, they might as well pay for it. Otherwise they’ll have to wait an indeterminate amount of time.

                  Here are the respective bits from BSD and MIT.

                  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

                  THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

                  1. 3

                    I think it makes sense to do distinguish between the responsibilities you (want to) legally have (towards everyone) and the responsibilities you can morally be expected to have (towards your neighbour).

                    You can legally disclaim any responsibility without also (intending to) morally disclaim all responsibility.

                    1. 5

                      Some answers I’d like to hear from people who insist software authors have no moral responsibility. If I deliberately release a program that promises to, for example, display a fractal animation, but instead deletes user’s home dir, am I morally responsible? Am I less morally responsible if it deletes user’s home dir due to an unintentional bug?

                      1. 3

                        A tourist asked me for directions at the train station. I did my very best to explain to him what platform to use, but later, I saw him in the middle of a crowd as he moved towards a different one (it was the same number, but a different orientation, as I apparently failed to explain before). Unfortunately, I didn’t have the time to follow him and send him to the opposite side as I was already late for my own train.

                        I feel really bad about this, because it was a very polite gentleman and if he missed the train, who knows how long he had to wait for the next one. I actually think he didn’t, as he still had some time left and hopefully double-checked which train he’s getting on, but it still troubles me. Am I morally responsible? :-/

                        I certainly would be responsible if I did this intentionally, but that was not the case and I tried to repeat myself a couple of times. I felt reasonably confident we understand each other and didn’t feel the need to ask someone else for help.

                        The similar goes with bugs. When the author’s intentions are clear and he takes reasonable measures to prevent vulnerabilities or damage, it’s not fair to accuse him. Sure, a normal person will feel bad for such incident and apologize, but that’s it. What else? Should he pay you money or something for using his software?

                        1. 2

                          Some answers I’d like to hear from people who insist software authors have no moral responsibility.

                          am I morally responsible?

                          The people who say software authors have no moral responsibility–what do you think they will answer to your question?

                          1. 1

                            I’m not sure why you ask as the question was rhetorical, but I’d expect them to say no.

                        2. 1

                          Maybe, and you are certainly free to do that in your own projects, but in the absence of that the disclaimer that is actually in effect is the one included in the license.

                          1. 1

                            It is. Does that mean we are fine with people lying in their README or hiding legitimate bug reports?

                            1. 1

                              Their project, they do whatever they want with it. You don’t like it–don’t use it.

                              1. 1

                                people lying

                                This type of slanderous characterization is why I flagged the original entry as off-topic. Most of the comments here, to their credit, is sincere reflection on the pressures of writing and contributing to open source. But some, like this, as just rehashing the persecution of the software maintainer.

                                1. 1

                                  This entire subthread is not about the specific situation reported here and is wondering in general what minimum responsibilities we may expect open source authors to take on. There seem to be people that believe we may not expect them to take on any responsibility at all, even excluding the minimum moral responsibilities we normally asociate with any other human interaction as reasonable expectations. That is what I am explicitly asking after.

                                  1. 2

                                    OK, so someone explicitely stating untruths in READMEs and hiding issues is just a hypothetical example?

                                    1. 2

                                      Shit, I understand my mistake. Those are both things are alleged to have happened in this particular case and repeating them can be seen as accepting them as facts.

                                      To be explicit, for both things: no, that is not what I had in mind. I’m not talking about this case.

                                      • I don’t know the facts concerning the alleged untruths. I have something in mind like “This code is safe to run to see a puppy” when you know it will delete the home directory. Something that obviously causes harm. Anything more gray is, well, more gray and requires separate discussion. My goal is establishing a bare minimum responsibility.
                                      • The thing with the issues happened in frustration and is defensible. I’m thinking of someone hiding/deleting an issue that literally says “Don’t run this project, it will remove your home directory” when it indeed does that.
                                      1. 2

                                        Thanks for clearing that up!

                        3. 1

                          I’ll say first I thank you for a detailed, thoughtful write-up on the other side of this.

                          “ I believe that if you choose to release something to the public, you carry some responsibility for it.”

                          I’m actually with you on that belief. I’m utilitarian. I look out for the public a bit. So, it just fits my beliefs. Thing is, other people have all kinds of beliefs. I tend to go with lowest-common denominator if I’m aiming for a universal expectation. For OSS/FOSS, they’ve done volunteer work, shared it with others, and typically with a license denying responsibility. So, I shouldn’t hold them responsible for any problems I experience from my use of their work they published. Plus, if people need it fixed, they have options ranging from pull requests (denied) to forking their own version.

                          I’ll run through the analogies to see how they might fit:

                          Hedge trimmer. Used as intended, the hedge trimmer would work. It only breaks if the neighbor is doing malicious or weird things with it. Someone requests the hedge trimmer be modified by the supplier or its buyers to block all such malicious and weird uses. That really on them?

                          Communal garden. This is more like someone planting the garden (or a lot of it), it being used by many people, planter takes care of it almost exclusively themselves, it gets some improvements by others here and there, and original planter leaves due to disagreements on managing the garden. They still planted, maintained, and left a garden. If anything, the other people look suspect here.

                          Volunteer work done lousy. This is the closest thing to where I agree with you. I’d say that’s a matter of personal integrity to do what one promised. I hate it when I slip too much to do that. In this case, I don’t know if author promised anything so much as just shared their work which outperformed most others. They did what they intended and were volunteers. What others expected wasn’t actually their promise as volunteers.

                          Recipes.com and Chef. Responding to chef since they’re similar. I’d first look to see what was promised. This author would be a chef that was making their prefered kind of recipe, used some ingredients a lot of people liked, some people didn’t, and shared it with others. The chef’s preferences for their style of cooking caused them to not accept recipe changes from others to be published in the chef’s recipe. Others were allowed to pubish their own version. They didn’t. Most enjoyed the recipe. Some didn’t even read the ingredients to spot potentially nasty ones or things they were allergic to. Some found out about suspicious ingredients but ate it anyway. Again, it’s not the chef that’s suspect to me since they’re just doing their thing with the questionable ingredients dominating the menu at other providers.

                          “You choose to have your intellectual property invade the minds of everyone that is reached.” “because in practice people don’t and you know that beforehand”

                          That’s a big difference in our thinking. I’m from free speech, thick skin, control-how-people-influence-you part of the country. Realistically, what you describe will happen to some degree or even most of the time due to human nature. Realistically, we also need to know this, be wary of it (esp our biases/triggers), skeptical about what others offer, and only allow good ideas into our minds or as our working dependencies. We also need to introspect occasionally to prune bad ones out. If the audience didn’t do that, they need to address their bad habits before the screw up again.

                          I’m no exception. I’m actually spending most of this week flushing out last year’s stresses, assessing bad habits, new goals, and how I’ll handle them. Those that affected me negatively were almost universally those I allowed to be a mental dependency. There’s the root problem. Sometimes I have little choice or one with high coercion. Most I could’ve handled differently, though. I strongly encourage that in others who are considering being emotionally tied to or walking into an artificial, nearly-pointless catastrophe such as the Actix situation. I’m responding just because I find these things interesting with some good usually coming out of it. Raph’s write-up on the front page is an example.

                          On your three part list, the third isn’t reasonable since its the owners’ work and property. The license allows a fork. That’s enough. The first, honesty, should be a must on basic principle. The second is really where all this happened. Is it really defective if it does what the owner wanted it to do? In security, we evaluate the software against a correctness or security goal or policy. There’s endless possibilities. We usually only care about a subset of it. Author found it correct enough for now with no urgency for a fix, planning on their own. If it meets author’s requirements, is it really defective or even defective enough to warrant calling it a failure? Remember that most useful, deployed software sucks in some way when you try to answer that.

                          Your thoughts are all reasonable. I could see maintainers subscribing to that philosophy. I just can’t justify pushing it on them at large. Many wouldn’t accept it either due to ideological differences.

                          1. 1

                            As is usual in discussions I’m going to focus on where we (seem to) differ, but we’re largely in agreement.

                            An explanation I should have added to my original post: my analogies were not intended as analogies of this specific situation, but as analogies of open source in general. My intention is to flesh out some general expectations people may have of each other, to get to some minimum responsibilities.

                            You e.g. adjusted the hedge trimmer example to match this specific situation, which was not what I had in mind. So to be clear: I was not implying the author of the project under discussion violated reasonable expectations by delivering something similar to a dangerously broken hedge trimmer. I agree that unforeseen and dangerous use of a hedge trimmer is in no way the responsibility of the lender. Similar things hold for the other analogies as you formulated them: I agree with your takes.

                            Realistically, what you describe will happen to some degree or even most of the time due to human nature.

                            Absolutely true and wouldn’t it be very nice if the amount of work we had to do to guard against that would be lower, because of shared general principles that result in more people taking on some minimum responsibility to not cause the problems we’re guarding ourselves against? I believe often the problem isn’t so much that people don’t believe they have responsibilities as that they have never explicitly thought about them or forget about them and would take action when reminded of a responsibility they have previously agreed they have. Perhaps we need something like an ‘Open source author manifesto’ that people can include with their repo.

                            The second is really where all this happened.

                            Not within the scope of the minimum responsibility I had in mind there. In the context of Github, I would say it’s enough that ‘issues’ exist that document brokenness. The minimum responsibility here is not closing/hiding/deleting issues that could cause users grief. My opinion on this specific situation is that the author did nothing wrong with respect to the responsibilities we may minimally expect them to take on.

                            The license allows a fork. That’s enough.

                            That seems to be the majority opinion, but in practice it seems to be very ineffective to me. It doesn’t happen as much as it should.

                            I think one of the main obstacles is that just forking a project isn’t enough: you also need to communicate to everyone, including newcomers, that the previous project has been superseded, with the blessing of the community. Forking causes confusion and makes it hard for people to pick the option generally considered ‘the best’. Wouldn’t it be helpful to the community if authors would give up their claims to project names and publication permissions so the fork can continue under that name? Wouldn’t that make forks likelier to succeed?

                            So what I’m assuming here is that one of the major problems open source has is not so much availability of people who want to maintain a fork, but the availability of such people who also believe that spending that effort is useful, because the fork will succeed.

                            But in the end the entire third bullet can be a separate discussion. If people would in general agree open source authors have at least the minimum responsibilities of being honest about what the code is supposed to do and about defects that may cause users harm, then already we have at least established there are some responsibilities and that the discussion should be about those; not about ‘none’ vs ‘all’.

                          2. 1

                            You offer to create no value for me, only to “respect” my claim and deed to property, and you think I owe you money/time for that.

                            I think you’re going to be disappointed.

                            1. -1

                              We generally don’t accept people just giving the world ‘gifts’. We hold that they have a minimum of responsibility with respect to their gifts. If we find that giving African villages wells has counterproductive results, because it disrupts the social fabric, then we are responsible to undo the damage. We frown upon someone giving a recovering alcoholic a free bottle of booze. We frown upon someone promising to help you and reneging on that promise. You can think of countless examples yourself where the fact that something is a gift does not absolve the giver from all responsibility concerning that gift.

                              So yes, I believe there is a minimum responsibility, and thus a minimum of time, you owe the world if you choose to ‘give’ it something. And I think you believe exactly the same.

                              1. 2

                                My reason for producing software is not a gift. It is entirely selfish!

                                When I have published software, gratis or otherwise, it is not because I’m trying to get you hooked on booze, or even because I don’t think you can produce it yourself.

                                I do things because they benefit me, or because I expect them to benefit me, and I think that’s true of everyone, including you.

                                That’s why you try and convince people into thinking they owe you more: Because that more can benefit you.

                                Maybe you even think that’s necessary/economy: To convince people to take a worse deal than you, but that’s sad. I don’t want to be friends with people like that. I think we can find a deal where we’re both happy with the outcome, and happy enough we would do it again, and I hope that you might learn to actually prefer that as well.

                                1. 0

                                  If you think lending a broken hedge trimmer to your neighbour for the laughs is fine, because you have the selfish benefits of having a laugh at them – or the only reason you don’t do it is because you might need something from your neighbour in the future and some form of utilitarianism informs you not to do such a thing, then I’m not interested in being friends either.

                                  I prefer people to not be entirely selfish, to consider what costs they impose on the world to get the benefits they are after and to take some minimal responsibility to reduce those costs.

                                  1. 2

                                    Yes. The only reason I don’t buy a hedge trimmer, break it, then lend it to my neighbour, is obviously because I might need something from my neighbour in the future, and not because I might have bought the hedge trimmer in the first place for my own purposes. After all, I only would ever buy a hedge trimmer in the first place, if I wanted to lend it to someone for some social currency I can redeem in the future.

                                    Obviously.

                                    @friendlysock - you really vouch for Confusion?

                                    1. 0

                                      I started this thread suggesting open source authors at the very least have the responsibility of basic decency. You responded negatively and are now promoting selfishness, attempting to extract more and finding mutually beneficial deals so that you may do it again. And somehow I’m the offensive one, even though your principles lead to the offensive scenario and you are the one denying any basic moral responsibility when that might have a cost to you without any benefit?

                                      1. 2

                                        Yes. On all points: You started this thread. You called working for free “basic decency”. I did respond negatively (makes sense, I was indeed offended by that). I did say I will not work for free. Yes you’re the offensive one. Yes not working for free is selfish. Yes I do not work for free.

                                        Sounds like you’re a communist (or whatever it is where they can make you work) and I’m a socialist and we just have ourselves a little ideological difference of opinion, but since I don’t have to do anything I don’t want to, and you haven’t convinced me of anything (all that comparing my writing code to enabling alcoholics definitely didn’t help) that’s probably just going to be the way things will be.

                                        1. 0

                                          Let me.emphasize, based on comments in another subthread, that I emphatically do not mean the things that are alleged to have happened in the specific case reported here. I’m thinking of things like saying “you can safely run this code” when you know it actually deletes a home directory or removing an issue that warns others of such an obviously harm-causing thing.

                                          You called working for free “basic decency”

                                          You call ‘being honest about what something does’ (not writing anything is honest) and ‘not hiding bug reports’ work?

                                          (all that comparing my writing code to enabling alcoholics definitely didn’t help)

                                          Not writing code: the equivalent would be publishing it and then lying about what it does, negatively impacting people for no reason.

                          3. 7

                            I’d just like to point out that nowhere here has anybody linked to a new fork of the code everybody is handwringing about being gone. Instead, we are now just linking to other fora, doubtless perpetuating a tempest in a teacup.

                            This is why I flagged the submission.

                            1. 3

                              I would love for the technical community to forget trying to figure out precisely where blame and responsibility lie and why, and instead move on to working out a plan for immediate and seamless recovery from a catastrophic bus factor reduction. Next time, I want to see more “this happened, yes it sucked, but more importantly here’s how we’re going to pick up the pieces and carry on smoothly” and less 90+-comment threads (to which I reluctantly contribute) focusing on a single person who very likely wants to be left alone right now.

                              1. 1

                                Exactly. Just more flying peanuts from the peanut gallery.

                              2. 3

                                I think the linked two takes go too far in the direction of letting anything go for developers of Open Source who don’t adhere to minimal social norms while appearing too restrictive on what other people can say.

                                For developers, even if one agrees that developers of a piece of Open Source software don’t have an obligation to keep developing the piece of software or to provide support, it’s still reasonable to hold it as a social norm that if the original developer quits they shouldn’t take disruptive active action (such as making the repo go away on GitHub or pushing breakage via cargo, npm, or similar; not suggesting that the latter is relevant in this case).

                                Handing off maintainership is a tricky case if there isn’t already a trusted co-developer. One one hand, properly handing off maintainership is socially expected, but the hand-off is also a potentially disruptive active action. Clearly, as npm incidents has taught us, one should not hand over control of a software distribution channel to some random person who volunteers. If quitting happens under emotionally heavy circumstances, handling the hand-off responsibly to a properly trustworthy party may be too burdensome. In that case, it’s best not to take any action (except maybe marking the repo archived on GitHub).

                                As for other people, especially in the case of an infrastructural library, it should be an acceptable response to publicly advise against the use of a particular library with a polite fact-based explanation why. (See @burntsushi’s post on Reddit.) When other people are relying on code that someone wrote, it’s no longer just about the person who wrote the code. It’s bad for the Rust ecosystem for a crate whose approach to soundness doesn’t meet the soundness issue handling expectations for Rust to end up in a keystone position in the ecosystem. In practice, you don’t get true freedom of choice about what crates are in your dependency tree. There needs to be a way for the Rust community to communicate norms such that crates that don’t meet the soundness issue handling expectations of Rust don’t end up in keystone positions in the ecosystem.

                                In this case, some people failed badly at the “politely” part. Also, not everything has to happen that fast, and the Rust community is a bit too quick and harsh to react to things that are look like people who haven’t bought into Rust could use them as counter-examples against Rust’s evangelism promises. I’ve been perceived to do a thing undermining Rust’s promises (not on soundness), and the response hasn’t been particularly nice and at times it has been more on the quick than researched side. Things don’t need to be resolved on Reddit the moment you discover them.

                              3. 24

                                The way I remember it back in the day, open source was a flat community — if you used an open source library, you were working with everyone else who was using it. There was often a “core team” or “committers” who did some gatekeeping, but they were respected by everyone else for volunteering that effort, and it might even be a rotating position so the effort was shared amongst the users. Users were expected to understand and contribute to the code.

                                Maybe it’s just part of the ongoing movement of the whole industry where “programming” increasingly means “wiring together libraries I don’t understand”, but the modern attitude toward open source seems to be it’s a magical endless supply of code that is assumed to work, even though there are no mechanisms to ensure that it does work except for popularity.

                                And rather than maintenance being a shared burden, maintainers now seem to be regarded by some as “auteurs” with absolute autonomy. People are arguing there’s no social contract at all. That isn’t how it was supposed to work.

                                1. 21

                                  It’s because back in the day open source wasn’t Open Source, it was Free Software. Free Software licensing kinda made sure that the users would give back, and scared away a lot of Corporate Consumers. Open Source adopted the ‘Business-Friendly’ philosophy of encouraging Corporate Consumers to use without having to give back. IMHO this is one of the repercussions of that approach–getting users who treat your software purely as a consumer relationship, as if they paid for it simply by using it, and have the right to demand support.

                                  1. 7

                                    Corporate Consumers not giving back is a myth. Majority of open source we use exists because of donations or direct involvement of corporations. Yes, corporations have different business incentives than non-corporate users and at times this hurts us. But if we’re not paying, we’re not entitled to anything - doesn’t matter if stuff is being worked on by volunteers or paid people.

                                    I may hate on systemd all I want but other people do depend on it and it wouldn’t exist w/o Red Hat. I may not use virtualization but a lot of virt code in Linux was developed by Microsoft. I don’t own anything Apple but if it weren’t for them (and their business incentive) LVVM wouldn’t be where it is today.

                                    It’s easy to say that we’d have comparable things without corporate involvement. We can’t verify this alternate reality but my experience indicates that things would implode pretty fast. Large projects without an oversight start diverging, become stale or simply vanish. There are very few counter examples to that and they all seem to revolve around something that’s got enough mass to build sustainable gravity. But the vast majority of things we need aren’t Linux kernel.

                                    1. 1

                                      Of course corporations sponsor projects that benefit them, but there is a long tail of projects which don’t meet their criteria and get no sponsorship, yet their maintainers still get pressured to act like they’re professional support. You’ll see plenty of issues opened by people who are clearly using the project in their business, of course with no sign of support.

                                    2. 6

                                      There was plenty of open source that wasn’t Free Software. Open source originated with things like the DECUS user group and SHARE for IBM owners. (And of course the BSD and MIT licenses originate from further examples.) But I agree — warping open source into a pseudo-consumer relationship where the consumers not only contribute no cash, but contribute nothing at all, is what has gone wrong with the system.

                                      1. 1

                                        There was plenty of open source that wasn’t Free Software

                                        What do you mean? “Open source” and “free software” refer to the same software, just like “freedom fighter” and “rebel insurgent” refer to the same people. It’s just a matter if you want to emphasise the business-friendly side of it or the freedom-side of the same software. OSI coined “open source” to be a synonym for free software.

                                        Although if you go back to the days of DECUS, using software was the same thing as writing software. There was no need to distinguish software as free or open, because that was just the way all software was. Back in the 1960s, people weren’t even sure you could copyright software any more than you could copyright mathematics.

                                        Since you bring up BSD and MIT licenses, those are free software too. A lot of people think, because the FSF wrote the GPL, that “free software” means copyleft or something. It does not. Even OpenBSD, despite how much they disagree with the FSF, call themselves free software:

                                        https://www.openbsd.org/lyrics.html#40

                                    3. 12

                                      I think Github has really changed the way we view collaborative software, and not for the better.

                                      To begin with, every repo is nested under an account, usually an individual. Sourceforge and most other forges took a different approach: the repo is the central object, and user accounts can be added or removed from the repo. Github’s makes a difference: now an individual owns the repo. It’s a bit less… communal?

                                      Then there’s the PR workflow that Github popularised. One person submits a change and everyone else comments on that change… but it’s up to the original submitter to make any amends on the PR. Everyone else just comments on the PR.

                                      This also seems a little less communal. When it used to be more common to get patches by email, the person receiving the patches would say, “thanks… oh, you made a typo here. No problem, I fixed the patch as I was applying it.” This is now unusual. Instead we tell them, during code review, you made a typo… and we have to wait for the original submitter to make the change. It’s also less communal. Now every change is owned by an individual instead of being owned by everyone.

                                      The result is that now there’s more focus and more pressure on individuals. This used to be more distributed amongst a core group, but now instead we’re concentrating the stress on individuals, who are getting tired and flaming out.

                                      1. 2

                                        GitHub does support organizations with multiple admins — nevertheless, the default is an individual, and it seems like only the most prominent repos get upgraded to an organization, so yeah, I totally see what you’re saying. If the natural expectation was to create an organization as soon as you publish a library, maybe that would be a little pressure on the norms.

                                        1. 2

                                          In the bottom right of your PR view, there is a checkbox that says “Allow edits from maintainers”. I think that’s checked by default but I always ensure it’s checked. Then they can push to that branch of yours.

                                          1. 1

                                            That is besides the point as that has been added only ~3 years ago. Long after the PR workflow become dominant.

                                            1. 4

                                              Not intending to argue. Informing of a feature they may not know about.

                                          2. 1

                                            but it’s up to the original submitter to make any amends on the PR. Everyone else just comments on the PR.

                                            GH now lets you comment with diffs that the PR author can immediately inject into their PR.

                                        2. 12

                                          And thus the commons become more tragic.

                                          I’ve wondered, since we rely so much on the whim of others, if, say, Google were just to completely vanish overnight (say, the CEOs think it was an incredible journey, but it’s time to shut off the company, beginning with google.com)… does society have any recourse? I mean, legally, is there any way we can say, no, you can’t shut down google.com because it’s now ingrained into the fabric of our society?

                                          Or does Google not owe us anything? What about Twitter, Facebook, or Youtube, which drive so much of the worldwide economy and politics? How different is this from one small unpaid maintainer of an obscure package closing up shop?

                                          1. 7

                                            Isn’t that logic not really applicable here, since Actix is open source? Someone can just fork it. You can’t fork Google’s entire business and infrastructure.

                                            1. 13

                                              My guess is no-one forks it and it dies. I don’t know what drives anyone to write open source code, I simply can’t fathom the mental health hit it would take to manage a community. People filing bugs on my code in my own company makes me anxious. People filing bugs in public? People shittalking me in public and filing angry bugs on me? Forget it. No way.

                                              The word I am looking for about open source maintainers isn’t hero exactly, but something like that. You have to have a certain stuff that most of us don’t. I would hazard none of those in the peanut gallery who were throwing shells are not the same people who have that stuff.

                                              1. 3

                                                Sadder and confirming your point is that we just had the article on Actix’s optimizations showing the maintainer was ahead of the curve.

                                                1. 2

                                                  If not hero, how about martyr?

                                                  1. 1

                                                    I used to maintain a large open source project with a friend. Our community is mostly very supportive and when some people aren’t we feel very comfortable telling them that we don’t owe them squat.

                                                  2. 4

                                                    Also, what logic? I’m just wondering what happens when we rely on someone’s good will and that good will goes away. People were obviously relying on this guy for something, or otherwise wouldn’t be upset that he’s no longer providing it.

                                                    1. 6

                                                      What you’re saying now, about someone’s good will, is totally disjoint from what you were saying in your other comment: Google, Twitter, Facebook owing us anything.

                                                      I’m just pointing out your statement is not really comparable to what has happened.

                                                      My opinion on all this is… the community killed the project. There are approaches to things, and harassment is not one of them.

                                                      Know what would’ve been super effective?

                                                      Fork the project, make the SAFE changes, show the performance impacts, and if they are marginal, and people like it, then they will use the fork. This introduces a game theory approach: if more people use the fork, the original will fade unless it adapts the changes. And we know this model works - it’s been done many times.

                                                    2. 2

                                                      Being free software doesn’t mean that the original author is required to keep distributing it. If people had neglected to keep copies of the original (which isn’t the case here, granted) the original author has no obligation to make sure you can keep receiving those copies.

                                                      But sometimes, depending on the terms that you received something, free licenses can be revoked. The GPL has an irrevocability clause, but weaker licenses don’t.

                                                      1. 1

                                                        Also crates.io will maintain the current state, so your builds won’t fail from today to tomorrow*

                                                        *(Yes there is still DMCA but that’s a complete different situation.)

                                                      2. 5

                                                        We could charge them for securities fraud. Everything Everywhere Is Securities Fraud!

                                                        1. 2

                                                          Oh, interesting. So, right, shareholders could sue. But can a judge order, bring google.com back up or go to jail or something like that?

                                                        2. 4

                                                          I’ve wondered, since we rely so much on the whim of others, if, say, Google were just to completely vanish overnight (say, the CEOs think it was an incredible journey, but it’s time to shut off the company, beginning with google.com)… does society have any recourse? I mean, legally, is there any way we can say, no, you can’t shut down google.com because it’s now ingrained into the fabric of our society?

                                                          i’d say we would end up with a positive outcome medium-term. short-term it would be “interesting” i guess.

                                                        3. 5

                                                          At the moment I am planing to make repos private and then delete them (will remove benchmarks as well), unless others suggest better ideas.

                                                          Ok, I’m neither a rust user nor a user of this library, but this confuses me generally. Why not just archive the project? Deleting it seems needlessly provocative.

                                                          1. 9

                                                            Your name is still attached to it and you will continue being badgered about it, but you can’t deal with the mental stress this puts on you. It’s perfectly valid for anyone to do whatever they want with their project. We’ve entitled to archive it for posterity. We can fork it. But we can’t tell author what is correct or incorrect WRT to his repository. People telling him what to do is what led to this situation to begin with.

                                                            1. 2

                                                              It’s perfectly valid for anyone to do whatever they want with their project

                                                              “Valid” seems like a pretty low bar, I understand and accept that in principle he can do what he wants, but if you go one step further, and ask what makes sense, I think archiving would have been a better option, since it would have the same effect, disturb less workflows, while creating less controversy for him to deal with – which as far as I understand is what he wanted?

                                                              1. 3

                                                                No, valid is not a low bar. He’s not hurting anyone by doing that yet alternatives are clearly worse from his POV. You forgot to ask: deleting makes more sense to whom? It does make sense to him, clearly. Why should he care about your convenience over his own?

                                                                You’re dismissive of what he’s going through for the sake of ill perceived greater good. It’s git. People have copies of the repo, there are numerous forks. There’s absolutely nothing preventing people from remaining invested in the framework. Insisting on him doing what you or I think is right is cruel. Sure, maybe you’d archive, maybe I would. But that’s not what he feels he needs to do to distance himself from the attacks.

                                                                1. 2

                                                                  It does make sense to him, clearly. Why should he care about your convenience over his own?

                                                                  No, I don’t think so, as deleting it obviously stirred up the controversy even more – something, again, I don’t think he wants.

                                                                  And yes, the source isn’t gone, but a dependency is broken. As a consequence people will probably keep on annoying him in months to come, as what happened, what’s the blessed fork, etc. If GitHub offers an “archive” feature, I don’t see why it would have been the better, easier and more professional option for all people involved, yes, including the dev.

                                                          2. 9

                                                            A BIG oof about this. I really loved actix for what it was doing for the rust community. But I also shaked my head about how ignorant some of the creators replies seemed to be, when people tried their hardest to point out why a specific usage of unsafe wasn’t right. Still I always kept using actix, because I think that in itself it was a nice project and improving it will eventually remove all its UB. This reminds me of systemd for some reason.

                                                            Obviously there was also too much shitstorm about actix itself, so I can’t blame them for complaining about how people started to treat actix.

                                                            I’ll have to transition some projects. Guess I won’t have to do the async/await switch for the actix code anymore.

                                                            1. 3

                                                              Even if the code was unsafe and the author impermeable to the remarks, it’s his code and therefore his right. Users of his code are not entitled to anything. If the users don’t like it, they can fork it and do as they please. Expecting anything more is preposterous.

                                                              1. 2

                                                                Are there actual exploits for any the unsafe code? Or is it the usual Rust cargo cult over reaction?

                                                                1. 5

                                                                  Both. Issues got proven to be exploitable from userland.

                                                                  1. 9

                                                                    I wouldn’t go as far. It was proven that there’s a usage pattern that would trigger UB if the user used it this way. The pattern in itself is unlikely and probably not present in any application out there.

                                                                    So there’s no general path to exploiting actix-based applications in general.

                                                                    It’s basically equivalent to the openssl side of heartbleed: if you use openssl wrong, it is exploitable, you are still using it wrong. Given that the actix-web API didn’t seem to be intended for library clients use, it’s even less likely.

                                                                    Not arguing that it shouldn’t be fixed, but let’s be realistic about the impact.

                                                                    1. 4

                                                                      It was proven that there’s a usage pattern that would trigger UB if the user used it this way. The pattern in itself is unlikely and probably not present in any application out there

                                                                      From a security engineer’s point of view, doesn’t that constitute “completely broken”?

                                                                      1. 6

                                                                        No. You are literally flying planes or driving cars based on systems with potentials for such bugs. There’s usually expensive tooling around the “don’t do this, then” (linters and such).

                                                                        1. 4

                                                                          User here refers to the developer using the library, not the user interfacing with the resulting web service. Under normal circumstances (that is, not a contrived example code snippet) it’s not broken, but it requires some amount of care that the problematic pattern wasn’t used somewhere in spite of it being unusual.

                                                                          strcpy isn’t “completely broken” and for a given use of it it’s possible to reason that it is safe (if it is). Still, a security engineer would recommend (and at some point: demand) not to use it to reduce the amount of reasoning required (and remove the code smell). The issue at hand in actix is much less worrisome than strcpy in terms of being able to shoot yourself in the foot.

                                                                          AIUI the author was interested in handling this, but on their own terms. Apparently that wasn’t enough for some and so they cranked up the internet rage engines.

                                                                          1. 3

                                                                            from a security engineer’s perspective we would talk about Likelihood or Difficulty (both of Discovery and of Exploitation) as well as Impact; you may see other metrics thrown in like Confidentiality, Integrity, and Availability.

                                                                            If the user must use a specific library in a problematic way, that usually constitutes a Likelihood of Very Low/Low or a Difficulty of High; basically, yes, this could be bad (Impact of High), but the Likelihood of a user doing that may be very low. Security people who speak in absolutes are usually trying to sell you something or not very effective at their jobs.

                                                                  2. 4

                                                                    Is this in direct response to https://lobste.rs/s/v7vzjv/smoke_testing_rust_http_clients ?

                                                                    Edit. I see its been happening for a while, but perhaps the highly shared article was the last straw.

                                                                    1. 8

                                                                      Klabnik implies that the reaction on Reddit to that article was indeed the last straw…

                                                                      1. 4

                                                                        This is the last line in that article too. :(

                                                                        No crate maintainers were harmed in the making of this article.

                                                                    2. 7

                                                                      Hmm, thanks for the news. I just started on a project that uses actix-web and I’ll stop. Maybe I’ll try the “Write Rust w/o a Framework” approach and see how fast it is to develop. But at this point, just using Go is beginning to sound appealing.

                                                                      Honestly, all this stuff makes me think that the choices in favour of simplicity that Go and Java made are an accidental beneficial mutation. All the people who obsess about language features go somewhere else. And they’ll shun your community, but that’s a good thing.

                                                                      So while the Scala community has starving packs of functional fanatics who occasionally feed on a program somewhere that is too imperative and the Rust community has roving memory cultists who will hack you to death with an unsafe machete because you “do not respect semver, you do not respect soundness”, Go and Java just don’t have any features to cluster around so they’re just used by people who don’t form an obsessive relationship with a software tool.

                                                                      I’m not “part of the community” in any way. I just want to write some software for myself.

                                                                      1. 3

                                                                        so they’re just used by people who don’t form an obsessive relationship with a software tool.

                                                                        gofmt filters those out pretty quickly yeah :)

                                                                      2. 5

                                                                        I have an idea for a solution, which is a github bot that simply closes issues from people who are not sponsors.

                                                                        1. 4

                                                                          Sadly, this reinforces my impression that, to a huge part of developers, “type safety” acts as a meme and serves no other purpose but eliciting some kind of Pavlovian response. Too bad for those who give some thought to either theoretical or practical problems and actually get things done, such as the language creators and the poor framework developer.

                                                                          1. 2

                                                                            Type safety is not a meme. Ho do you go from “a person misuses a piece of technology” to “some piece of technology is a meme”?

                                                                            1. 2

                                                                              I should have been clearer. Maybe what I trying to say is that assertions on code quality derived from the fierce defense of static type systems are, sometimes, based not on logical grounds, but serve exactly as a meme: they carry a cultural message that is blindly replicated across part of the community.

                                                                              The unsafe keyword means potentially unsafe, right? In that case, it should never be interpreted as a token for public shaming. CVEs aren’t[1]. The community is mature enough to understand that mistakes happen and we just need to move on.

                                                                              Imagine a world where the C community shamed OpenSSL developers for sloppy pointer arithmetic and implicit type casts to the point they rage-quit. Would that be any better? Would computer users be better served overall in practice?

                                                                              [1] Usually.

                                                                          2. 2

                                                                            This story is not really relevant without seeing the discussion that took place under the (now deleted) issue #83. There’s also a less recent archive taken from Google cache.

                                                                            I don’t know if there were other “dramas” that took place before, and I respect Nikolay’s right to do whatever he wants with the project, but I don’t think he was being harassed or bullied, at least not in this particular case, which is contradictory to the feeling I got from reading his statement and the discussion here.

                                                                            1. 1

                                                                              Project drama, flagged.

                                                                              Alternately, maybe a release tag would be appropriate.

                                                                              1. 13

                                                                                This is a really big project, used by a lot of people, was the flagship in terms of performance for rust webservers.

                                                                                1. 13

                                                                                  And it is being removed nominally due to drama and armchair quarterbacking. There is already at least one comment here already doing the same stuff the author cites as why they’re shutting down the project.

                                                                                  That’s why I believe it is worth flagging–is it more likely something constructive is going to happen in the comments, or just that people will dump on the project and navelgaze about the Rust ecosystem and software at large?

                                                                                  1. 3

                                                                                    I hadn’t heard about this at all until today. I think this can still be constructive by looking at all sides of it.

                                                                                    1. 2

                                                                                      A constructive thing that might happen is that people may trust each other enough here that an opposing opinion is taken seriously instead of immediately discarded and argued against without listening?

                                                                                  2. 7

                                                                                    Agreed. After some time an article or two will emerge about it. Those are more appropriate for lobste.rs.

                                                                                    1. 8

                                                                                      I disagree if only because Klabnik is one of the dwindling number of programming thought-leaders that should command deep respect. Even if the post itself isn’t everyone’s cup of tea (it certainly is mine FWIW), I think that we should always welcome articles from people like Klabnik on lobste.rs and let The Great Arrows of Up and Down decide.

                                                                                      1. 6

                                                                                        and let The Great Arrows of Up and Down decide.

                                                                                        I disagree with this position. Klabnik mentioned how reddit’s degradation is built into reddit itself, and IMO he’s right and this is exactly why.

                                                                                        I think this kind of drama is inherently poisonous for communities like lobste.rs (and reddit), because it attracts a lot of attention (and thus upvotes) and because of the kind of discussion that it generates, which only leads to more drama. It’s a vicious cycle.

                                                                                        A little bit is fine every now and then, but too much of it will kill the community. So just be careful :)

                                                                                        1. 4

                                                                                          Funny you say that since he left Lobsters after declaring it a toxic community. I did read his article on HN, though.

                                                                                          1. 1

                                                                                            If I recall correctly, this comment was regarding the github link, before the Klabnik article was merged with it(?*)

                                                                                            • I’m unfamiliar with this feature of lobste.rs
                                                                                            1. 1

                                                                                              Entries that cover the same “topic” can be merged together.

                                                                                          2. 1

                                                                                            Calling this drama is extremely dismissive. Someone got hurt to the point of quitting and you’re just being needlessly mean.

                                                                                            1. 7

                                                                                              People get hurt during drama all the time, that’s rather what makes it drama. It is precisely because somebody got hurt that I don’t think rehashing it here is something we should normalize.

                                                                                              I don’t believe Lobsters should be a secondary attack vector.

                                                                                              1. 1

                                                                                                It’s not a value judgement on what happened, it’s just an observation that this entry isn’t on-topic for this site.

                                                                                                It was also referring to the original github submission, before the Klabnik piece was merged into the discussion.

                                                                                                1. -1

                                                                                                  I understand what you were referring to. Calling something drama is a value judgment. It’s possible your intention wasn’t to judge but your statements are judging by nature and mean in effect.

                                                                                                  1. 2

                                                                                                    I have not been mean or judging in this thread, and I try very hard not to be in others. I resent your accusation.

                                                                                            2. [Comment removed by author]

                                                                                              1. 24

                                                                                                People aren’t going to like this but it has to be said. This individual sounds like they have a massive ego.

                                                                                                You see, no, actually, it doesn’t have to be said at all.

                                                                                                Something I was taught was the three gates of speech:

                                                                                                Is it true? Is it necessary? Is it kind?

                                                                                                Even if it was true, what you said was not necessary and saying “throwing a fit… is unacceptable” is certainly not phrased kindly. It didn’t have to be said.

                                                                                                Things being said that didn’t need to be was exactly the point of Klabnik’s post. So much of what happened didn’t have to be said. Whatever you perceive of his ego, he owes you and anyone else who used actix, absolutely nothing.

                                                                                                1. 10

                                                                                                  The technical issues could have been handled nicer, e.g. by forking the project, creating rustsec advisories or CVEs for the issues. Just harassing the maintainer until he quit is a failure of the community.

                                                                                                  1. 0

                                                                                                    Agreed but it’s open source, endless nonconstructive and unprovoked criticism is par for the course. No community is nor ever will be immune to that, expecting otherwise is unrealistic.

                                                                                                    1. 17

                                                                                                      I think such fatalistic view should be rejected. Accepting shitty behavior as inevitable leads to fostering shitty communities. We can do better.

                                                                                                      1. [Comment removed by author]

                                                                                                        1. 4

                                                                                                          Not being bullied correctly isn’t a serious complaint.

                                                                                                          1. 1

                                                                                                            I’m not defending bullying. My point is that there will always be bullies on the internet and if you want to be a good maintainer you have to have the maturity to deal with them. That’s just a description of reality, not how I want reality to be.

                                                                                                      2. 8

                                                                                                        It’d help if so much of the culture around these things wasn’t infected with “all that matters are the technical results, just get over the ‘people’ part of things”. My perception is that it’s gotten better over the last few years, but there’s still a long way to go.

                                                                                                        1. 15

                                                                                                          I see so much harassment via bug reports that are basically the computer science dressing up of “I’m just asking questions”. Just reopen and reopen bugs with questions that allude to the maintainer’s incompetence but never actually call it out. “Have you done this?” “Well I would have done it this way, why didn’t you?” etc. etc.

                                                                                                          I’ve had coworkers literally in tears because of this sort of harassment which is impossible to escalate to HR because its phrased as being helpful, when the outcome is anything but.

                                                                                                          1. 0

                                                                                                            Open source communities should not have the same communication norms as people bound to an American firm with an HR department.

                                                                                                            1. 9

                                                                                                              I think they should. If you can’t talk to a maintainer in a manner that wouldn’t get you fired from a company, you probably need to reevaluate how you talk to people.

                                                                                                          2. 2

                                                                                                            My gut feeling is that the opposition to systemd is in large part a reaction against its creator personally. It’s really weird.