1. 51

  2. 24

    If a business set up shop selling lemonade from a magical spout that appeared in the air, and then sought funding, a reasonable question from any investor would be “What happens if the spout stops working or disappears?”. Any team without a good answer to that question deserves derision.

    Similarly, if your team/product depends on things you don’t control, you should invest in the upkeep of those things or bring them in-house. Acting surprised when one of the authors of the eighty-gorillion packages you’ve brought in doesn’t zig when you want them to zag is a reflection on you, not them.

    1. 8

      Half of me agrees, the other half disagrees. The half of me that disagrees thinks that I want everyone, including businesses, to use my work. That does mean I need to be open to providing at least some level of support. At the very least, I ought to communicate my schedules/plans so that “shareholders” can confide in my work.

      But, this isn’t true for all projects I work on. I’m not going to provide the same level of support for libhijack as I will for HardenedBSD. So, the half of me that disagrees also recognizes the need for flexibility and appropriate “risk management.” After all, the amount of support a given project receives could be considered “risk.”

      1. 19

        The difference here is between a project and a product. A project that is interested in being seen as a product should be making explicit steps for that: have a web site oriented to customers, exposed business contacts, appropriate wording in the documentation, etc. My gripe is about businesses treating all projects as products by default.

        After effecting a cultural shift about a decade ago that made businesses view OSS code seriously, we need to effect another one, by making everyone understand that dependability doesn’t come for free.

        1. 1

          Wholly agreed with you there. Great discussion. :)

        2. 3

          “The half of me that disagrees thinks that I want everyone, including businesses, to use my work. “

          You’re not really disagreeing. Widespread adoption along with whatever that entails is part of your goals for HardenedBSD. Whereas, the author’s goals were different. Either way, other people freeloading off the work shouldn’t expect you to do anything past what your stated goals and preferences are. Even still, they shouldn’t expect it or criticize you much since it was purely a volunteer effort. If it matters, they can contribute something as well.

          I just don’t think you’re really saying something different if we’re looking at making sure what maintainer wants and others’ needs align. You’re actively aligning the two to some degree with HardenedBSD. You’re also letting people know with your words, foundation, and so on. Others care less about adoption or putting work in. Won’t align with them. Changes how they should or might react.

          1. 3

            You’re not really disagreeing. Widespread adoption along with whatever that entails is part of your goals for HardenedBSD. Whereas, the author’s goals were different. Either way, other people freeloading off the work shouldn’t expect you to do anything past what your stated goals and preferences are. Even still, they shouldn’t expect it or criticize you much since it was purely a volunteer effort. If it matters, they can contribute something as well.

            Fully agreed. I guess “disagree” wasn’t the right word to describe my thoughts. Sometimes I suck at choosing the right wording.

        3. 7

          There are reasons that places like IBM charge 5-8 figures for the sort of reliability that these users expect for free.

          1. 11

            That entire issue is so exasperating for a bunch of reasons. The worst part is that it’s such an easily fixable issue on YOUR END. You don’t need the package maintainers to do anything: just don’t use the latest version but a previous one. I know npm is very enthusiastic about using the latest versions of packages, but pretty sure that using 9.15.0 (assuming that is the latest working version) is not just possible, but also fairly easy to do.

            Always using the latest version and then complaining that the latest version is “blocking your build” is misinformed at best.

            1. 6

              Exactly this. If you’re automatically upgrading dependencies not under your control you basically have a sign up inviting trouble. You should take down the sign instead of complaining about the trouble you invited.

            2. 4

              I’m still surprised how many people in the JS/PHP (does this happen for other scripting language communities?) worlds do live-install of dependencies (i.e. they don’t update/review/commit new dependencies in their own repo, they {git,hg}ignore them, and install them as part of the deployment process). After the various craptacular events related to NPM, I’d have thought at least some people would have realised it’s a shitty approach.

              But, stories like this also highlight the other point: funding. I’m able to publish things my company does as OSS because the projects themselves aren’t what make us money - they’re tools to make life easier, but no one is paying specifically for them. Most projects (as evidenced by the post) are not like that though. They’re donating their time, and often not inconsiderable amounts of their own money to run a project that the community benefits from.

              I recently organised to pay about a month’s hosting costs for a project, in exchange for a slight priority bump on an issue that would make things easier for a client/future clients/internal projects. The maintainer was a delight to talk with about it, understood that businesses can fund things, but usually have their own slightly less than altruistic reasons, and everyone seems happy with the result. I understand not everyone is in the position to donate, or buy optional licences etc from OSS projects, but if you can, I think it’s worthwhile.

              Ultimately, what is ~half a day’s billable hours for one person, compared to supporting (both the financial aspect and the appreciation that goes with it) a project you rely on for your business?

              1. 2

                The problem in the JS world is npm itself. npm by default will actually upgrade packages when you run npm install even when the package.json or package-lock.json have a version specified.

                1. 3

                  To clarify, npm install will respect the versions in package.json (possibly updating if allowed by the specified ranges), but will update subdependencies and write a new package-lock.json. If you want to exactly follow the lockfile, you should use npm ci instead.
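The two habits discussed above (floating ranges in package.json that let a plain npm install pull in a release nobody reviewed, and lockfile entries that do not pin a specific, integrity-checked tarball) are easy to audit mechanically. The following is an added example written for this page, not code from the thread, from npm, or from any project mentioned here. It parses a constructed package.json and package-lock.json (lockfileVersion 2/3 layout, where installed packages live under "packages" keyed by path) and reports anything that would let the next install drift; the sample data, including the placeholder integrity digests, is made up for the example.

```javascript
// Added example, not from the original thread. Audits a package.json and a
// package-lock.json for dependency drift risk:
//   1. version specs that are not exact pins ("^1.0.0", "latest", "*"),
//      which "npm install" is allowed to resolve to a newer release;
//   2. lockfile entries lacking a resolved tarball URL or a strong
//      Subresource Integrity digest, so the tarball is not actually pinned.
// Run with "npm ci" in CI: it installs exactly what the lockfile says and
// fails if package.json and the lockfile disagree, unlike "npm install",
// which rewrites the lockfile.

// Exact semver only: "1.2.3", optionally with a prerelease/build suffix.
// Anything else (range operators, dist-tags, git/URL specs) is floating.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// peerDependencies are left out on purpose: those are ranges by design.
const PINNED_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function findFloatingRanges(pkg) {
  const floating = [];
  for (const field of PINNED_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) floating.push({ field, name, spec });
    }
  }
  return floating;
}

// Returns lockfile paths (e.g. "node_modules/foo") whose entry is not fully
// pinned. The "" key is the root project and never has a tarball, so skip it.
// Digests weaker than sha256 are flagged as well.
function findUnpinnedLockEntries(lock) {
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    const pinned =
      entry.version && entry.resolved && entry.integrity &&
      /^sha(256|384|512)-/.test(entry.integrity);
    if (!pinned) problems.push(path);
  }
  return problems;
}

function auditProject(pkg, lock) {
  const floating = findFloatingRanges(pkg);
  const unpinned = findUnpinnedLockEntries(lock);
  return { floating, unpinned, ok: floating.length === 0 && unpinned.length === 0 };
}

// Constructed sample input (not a real project): one exact pin, one caret
// range, one dist-tag.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { 'left-pad': '1.3.0', 'is-even': '^1.0.0' },
  devDependencies: { 'some-linter': 'latest' },
};

// Constructed sample lockfile. Integrity values are placeholders, not real
// digests; only their algorithm prefix matters to the check above.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    // Version recorded but no resolved URL or integrity: not pinned.
    'node_modules/is-even': { version: '1.0.0' },
    // Pinned, but with a sha1 digest.
    'node_modules/some-linter': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/some-linter/-/some-linter-2.1.0.tgz',
      integrity: 'sha1-PLACEHOLDER',
    },
  },
};

const report = auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
```

On the sample above the audit reports is-even and some-linter as floating in package.json and the same two lockfile entries as unpinned, so `ok` is false. In practice you would read the two files with fs.readFileSync and JSON.parse them, and fail the build on anything the audit returns; that turns "don't auto-upgrade what you don't control" from advice into a gate.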

                  1. 2

                    I think the approach taken by a significant portion of the JS (and probably PHP) community adds to the problem.

                    “Left pad” was bad enough - but then you had that “isEven” bullshit. An entire NPM module, to do return var % 2 === 0, and then another module called “isOdd” to literally do return !isEven(var).

                    This approach to writing code (or more specifically, not writing it, and using someone else’s “package” or “module” for everything) is ridiculous and needs to stop.

                    1. 1

                      But isn’t isEven a battle-tested module with unit tests? And isOdd just building upon that? (code reuse) If I were to write that code, I might introduce bugs (because it’s not battle tested code; because programmers can’t), and it becomes a liability to my organization! (code is not an asset) And I’m wasting company time reinventing the wheel (code reuse again).

                      Okay, sarcasm aside, where does one draw the line? I’m somewhat struggling with this myself with Lua. Yes, I have code that will parse IP addresses, but I also have code (not released) that returns the default editor (checks $VISUAL, $EDITOR then /bin/vi [1]). That’s all the module does. Is it worth having a two line module that matches an ASCII character? Or a twelve line module that matches non-ASCII, non-control UTF-8 characters? [2] It’s for reasons like “Left Pad” that I haven’t fully published some of these modules.

                      [1] Or should that be /bin/ed? I might have to fix that one …

                      [2] Both are required when using the general UTF-8 module [3]—LPEG allows one to combine parsing expressions to build up more complex expressions.

                      [3] Yes, Lua 5.3 has some support for UTF-8, but the code I’ve written also handles the so called ANSI control sequences [4], which is itself a module.

                      [4] So called because a lot of people call them that, but they’re really an ISO standard (ECMA-48).

                      1. 1

                        It’s a judgement call. An IP parser clearly makes sense as a “library” function - whether you publish it or just include it in projects you work on is a different discussion really. One that checks if a character “is ascii” is probably useful if the code to do it isn’t ridiculously short and obvious. I’m not familiar enough with Lua to know how obvious that expression is, but I’d hope var mod 2 === 0 to test for even-ness would be pretty clear to anyone doing anything remotely serious in a programming language.

                        Pretty much every project I work on ends up introducing some kind of app-internal “library” or “utility” functions/classes. Unless they’re particularly domain specific I will often then re-implement the logic (or get permission to just copy it) to be generic enough for general use in other projects etc, and include it in existing libraries of functionality I rely on (currently I maintain a PHP library/framework and a Shell library) for internal/client projects.

                        1. 1

                          Before we go further, let me clarify what I mean by “release.” Just as JS has NPM, Ruby has gems, Lua has rocks—using luarocks to install Lua modules is very common, and I have modules I’ve released as rocks. I also have modules available via GitHub but not luarocks. It’s a bit more work to install those. Then I have modules that aren’t publicly available at all, and some of these are little more than return os.getenv("VISUAL") or os.getenv("EDITOR") or return "/bin/vi". At what point is such a module stupid? That’s what I’m struggling with.

                          My “is ascii” code uses LPEG (Lua parser expression grammars) and the one line is about as obvious as var mod 2 === 0 to anyone who knows ASCII or LPEG.

                          1. 1

                            I guess part of this is from this recent (from my POV, maybe I just didn’t see it before) push towards releasing tiny “micro libraries” that literally do one thing. “Composition” I guess the cool kids call it. I’d probably just call it “compost” because it smells pretty similar to me.

                            I don’t think the problem is reusing code, specifically - I have some pretty short and sweet functions in my shell library and some pretty short methods in the PHP code too - e.g. comparing to see if floats are essentially the same (https://bitbucket.org/koalephant/bamboo-framework/src/f1985d371e804ac05b411eef7a356aea70989bb9/src/koalephant/bamboo/types/numberhelper.php#lines-370) but I wouldn’t release that (either as its own repo or as a PEAR module or a Composer package) on its own - it’s part of the larger framework.

                            For some of this stuff it sounds more like you have a collection of pre-written functionality that you can copy into a project as-needed, but aren’t necessarily releasing on its own to be used.

                2. 6

                  I’ve recently found a quote that this reminds me of:

                  Open source is designed to advance the intellectual property of the corporation at the expense of effort by individuals outside the corporation. As such, it falls under corporatism, as defined in John Ralston Saul’s dictionary The Doubter’s Companion. Open source is all about externalising costs for development and testing, as economists would say.

                  From this Jargon File Archive.

                  1. 3

                    Hm. This seems like something NPM could have prevented by running a basic “npm install” in a container on attempt to publish and rejecting stuff that doesn’t even build. Any reason npm doesn’t do this today?

                    1. 2

                      1. Someone publishes X dependency
                      2. I publish Y project based on X.
                      3. Npm checks it and it installs just fine (what you suggested)
                      4. X dependency is unpublished
                      5. Y project is now broken

                      1. 2

                        That’s a different problem though. I’m talking about “I updated and it won’t even build when I upload it.”

                        You’re talking about “it used to build, but doesn’t now.” Even then, npmjs.org already has a list of the dependents for a particular project so an unpublish could be alerted on.