Threads for Bherzet

  1. 2

    Redirect all known offending IPs to a porn site. If it’s a corporate or university network, it makes it more likely someone will notice. Another option is to redirect them to a page that generates as much CPU load as possible, but unfortunately, that will also disrupt users who’ve had their computers attacked. On a plus side, they might finally notice and the botnet would be destroyed, but on a negative side, some ordinary Joe will be freaking out that his computer doesn’t work properly when he has a deadline to meet.

    1. 4

      Is it free software or just open source? Does the license allow sharing these paid modules with other parties? Do you know of such a case?

      1. 7

        The author actually answers this in one of the comments:

        Well, no, open3A is no freeware. I know it usually is seen as if open source was the same as freeware. But open3A is “only” open source. Which means anyone who runs the software is allowed to see the source code and make alterations to it like she pleases. Some people actually do that with open3A, too.

        In theory they are also allowed to re-sell the software. But we all know how hard it is to run a company and sell something. This hasn’t been an issue so far.

        I think that’s really interesting. It sounds like it is a “true” FOSS license (I haven’t checked myself), and the only thing preventing everyone from taking it for free is access (only available via a shop or someone redistributing it). It probably means there are people running free versions out there, but the fact that updates are part of the paid package/download is likely what is keeping this going - it’s a neat hybrid one-time/subscription model.

        1. 5

          in the comments the author clarifies that the plugins themselves are also open source

          1. 3

            Yeah, I get that. But what’s the license, though? If someone put it on GitHub or started selling it under a different name for a cheaper price, would the author mind? Free software would allow it, some source-available license not necessarily. I’m curious what’s the actual licensing and whether all people have acted in good will so far.

            1. 2

              The author might mind, but do you care?

              This isn’t new, BTW. Parts of GDB or GCC were developed under this model, by Cygnus in the nineties. I’ve forgotten which one (was it both?). None of the customers ever published what they got, even though they unambiguously had the right under the GPL.

              1. 6

                The author might mind, but do you care?

                Nah, I just wanted to know how viable and reliable this business model is to support one’s life. FOSS projects have been ripped before.

                I’d be afraid of it being just a matter of growing to a certain size or attracting someone like Albert Silver. A game of luck, basically. Once it happens, there goes your project and there goes your income. You can still sell future updates or support, but all your previous work got “stolen” and there’s nothing you can do with it.

                So what’s the strategy to cope with this? Make the sources available, but under a license stating basically that “this becomes licensed under GPL 5 years from now, but until then, you cannot redistribute this”?

                1. 1

                  If you don’t want people to take your stuff without paying for it, don’t make it OSS. Why is this hard?

                  1. 14

                    Someone talks about flying around the world.

                    Q: How likely is an aircraft accident?

                    A: If you don’t want to die in an aircraft accident, don’t fly.

                    Author of the article described his experiences with selling something. I asked about a specific scenario. Has it ever happened? That’s a yes or no question. Has she thought about what to do in such a case?

                    I find answers to these questions highly relevant for my own reasons at this very moment. Either answer it or don’t, but please stop going meta. (I also originally thought the story was posted by the author herself, but it probably wasn’t.)

                    1. 2

                      How on earth is this a valid analogy? A key part of all certified OSS licenses is the users’ right to re-distribute the software without your permission.

                      1. 1

                        Sorry about the lateness of this… “a key part” doesn’t imply that this part is important for everyone, or even for many people.

                        The last time I was involved in anything of the sort, the company chose open source for sensible reasons that had nothing to do with that particular “key” part: Development and debugging convenience.

                        Open source meant that I had the source for all the code that went into the final executable. I could see the source code for every stack frame in my debugger, and when I released for production, I could say “this can be built reproducibly from this git tree”. They had no desire to distribute, but did have a desire to use less of my time, and did have a desire to have buildable source code on hand.

                  2. 1

                    AFAICT it’s awfully risky, but not more or less risky than developing software, generally speaking. You’ve read Peopleware and the other great classics that describe how and why most software projects fail? Those are large risks. Developing FOSS doesn’t make you immune, and AFAICT doesn’t make you much more susceptible either.

                    If you have a specific case in mind, then that case will be one where going open source may add more risks than benefits. Or more benefits than risks. It depends.

            2. 1

              Cannot find the project on my mobile, but already a fork:

              Which already answers some questions.

              1. 1

                Hasn’t got the last 5 years of updates, tho.

                1. 1

                  is that not a rebase away?

                  1. 3

                    Yes, of course it could be updated, but the point is that, like the Cygnus customers, Open3A customers don’t seem to be interested in doing that.

                    Open3A also seems inexpensive, so I don’t see that many people would want to undercut the author by buying from someone else (especially when the someone else won’t be creating new features for it).

            1. 4

              The article doesn’t actually explain how they managed to avoid DMCA. This is especially funny since they just got DMCA’d.

              It’s definitely an interesting project, but I just hate misleading titles like this one so much…

              1. 1

                Imagine this being done with minutes. You look at the countdown and notice that it goes from 15 to 14. Naturally, you’d assume 1 minute just elapsed, but in fact, it’s been just 30 seconds.

                I don’t like such “enhancements”. It pretends to make technology simpler and more intuitive for you, while in reality it just adds unnecessary complexity and makes it harder to understand what’s actually going on.

                1. 2

                  If you’re glancing at a display that only shows minutes and trying to glean sub-minute timing, you’re making some fundamental errors.

                  1. 1

                    By the same logic, my calendar could be telling me it’s already 2021.

                    1. 2

                      Your calendar is expected to follow an ISO standard. All the stopwatches don’t all need to be synchronized.

                      1. 2

                        You’re conflating absolute with relative time.

                  1. 3

                    This is possibly one of the most amazing low-level hacks I’ve ever seen. Unfortunately, I couldn’t get it running:

                    $ sh
                    8: cannot create : Directory nonexistent

                    Debian 10, x86_64, dash

                    1. 2

                      It sure does look a whole lot different than the Dev-C++ I remember, but why do they focus solely on the aesthetics? README contains more information than this entire article.

                      1. 1

                        Legacy technology desperate for a modern-looking win.

                      1. 4

                        I expected this post would be about manufacturing files that are both a valid PNG and a valid ELF. I’m disappointed.

                        1. 3

                          See Ange Albertini’s work on Proof of Concept || GTFO and his Funky File Formats talk:




                        1. 5

                          Maybe instead of generating a totally random string for the challenge, you could use the salted hash of the website name. That way you can still recover your account if you lose the details, and don’t have a message from the site in your inbox.

                          1. 4

                            You could also use a password manager to generate + store the unique addresses.

                            1. 2

                              That’s actually a very nice idea.

                              BTW: This post was authored by my friend Jenda. Just so you guys know if he joins the discussion.

                              1. 1

                                I do this, but in my head. Rather than using a mathematical hash function, I come up with a set of words that will map, in my head, back to the site. For example, if I wanted a throw-away address for, I might use It’s easy for me to map that back to a lobster but it’s not something that someone would be likely to guess from the domain

                              1. 2

                                Screen recording softwares such as SimpleScreenRecorder make it possible to (i) circumvent the technological protection measures used by authorized streaming services such as YouTube, and (ii) reproduce and distribute music videos and sound recordings owned by RIAA’s member companies without authorization for such use.

                                Please, do let them know. This is an excellent opportunity to make projects migrate to dark corners of the Internet, completely out of reach of big corporations and US/EU lobbyists.

                                1. 25

                                  I’m glad I left the macOS-ecosystem in 2012 for good in favor of Gentoo. Apple as a company is just milking and babysitting their customers, even if they don’t want to.

                                  I know many professionals that are locked within macOS due to software/habit, and I pity them.

                                  I made the switch by replacing each program with an open source one, one after the other. The restrictions mentioned in the article will make this even harder to achieve unless open source developers shell out the 100$ per year, which is highly unlikely. It’s all about keeping up the walled garden.

                                  Apple can screw themselves.

                                  1. 14

                                    I would be significantly less productive and make a ton less money if I went /back/ to Linux/BSD on the desktop.

                                    1. 5

                                      What is the productivity boost that macOS gives you compared to Linux/BSD?

                                      1. 10

                                        A quick list off the top of my head:

                                        • The ability to use certain closed source software (Adobe, many electron apps built by startups).
                                        • Alfred (rofi/dmenu/etc are not even close without significant effort to configure them)
                                        • The “help” button at the top of the screen which allows you to search context menus. (This existed in an older version of Unity but now afaik no longer exists in any modern DE.)
                                        • Separation of control/command (you can use command+C in terminal instead of control+shift+c or just copying everything that gets highlighted, no need to mentally context switch every time you go between the Terminal and other apps).
                                        • nicer looking websites (look at how much better websites look in a default Ubuntu/Fedora/whatever install vs MacOS, I think it’s fonts but even after copying all my MacOS fonts to Fedora it’s still not the same).
                                        • tight hardware integration (longer battery life, fingerprint reader to unlock)
                                        • Integration with iOS (easily send files between my phone and laptop via AirDrop; start reading an article on my phone and finish on my laptop)
                                        • Finder preview (press spacebar to preview a file quickly)

                                        Many of the above can be done on Linux, but either require a bunch of manual configuration or are clunky to use even after configured.

                                        1. 4

                                          Except maybe that first point, I really wouldn’t call that “a significant productivity boost”. Especially considering I’d have to walk into a vendor lock-in and buy overpriced baubles with weird keyboards etc.

                                          1. 7

                                            You’re right; it’s not one big thing, it’s a bunch of little things that make it more productive for me.

                                            1. 1

                                              If I believed hard enough that taking some pill would make me more productive, it might very well do so even if it didn’t contain any active substance. I’ve heard this “productivity talk” from Apple users multiple times and never got any reason to believe it’s actually something more than just a placebo effect taking place.

                                              It’d be very interesting to see a controlled study on this. We’d define productivity as solving programming tasks, replying to e-mails, writing articles etc and see what the differences really are.

                                              Like… OK. Everyone needs a different environment and I can imagine some people actually being more productive within Apple’s ecosystem, but it’s more about personal preferences than anything else. I’d expect all groups (Mac-, Windows-, Linux-with-GNOME-, Linux-with-KDE-, … users) to have roughly the same productivity, with some people being slightly more productive in certain environments, but probably not dramatically (assuming they’re motivated to actually try hard enough – so the study would probably have to be organized as a challenge with some neat prizes).

                                              Basically what I’m trying to say is that it comes to reaching some optimal setup and even though my setup isn’t optimal at all, by migrating to macOS I’d gain very little and lose a lot. That’s because I’ve spent quite some time reaching the setup that works at least this well for me. I suppose that might be the case with most power users and some productivity boost is most likely to be expected with people who tried using Windows or Ubuntu in default configuration, didn’t like it and then got a MacBook. But I’m still kind of skeptical about its magnitude.

                                            2. 2

                                              Maybe also integration with iOS, but the rest is just what one’s used to. OSX and Windows feel clunky and limiting to me because I’m used to Unix, especially wrt cross platform development.

                                              It’s all anecdotal.

                                            3. 3

                                              The hardware/software cohesion is nigh impossible to beat.

                                          2. 3

                                            You would be less productive at the beginning of the transition, yes. But you would eventually develop new workflows and then regain productivity.

                                            I used to be 100% on macOS until a few years ago. My last 2 jobs I’ve been 100% on Linux and haven’t had any problems. I can install all of the corporate software on my Linux machine. I also haven’t seen any cuts in my paycheck… still making a ton of money (I think). ^_^’

                                            I work on web services and most of our software runs on Linux. I got tired of learning 2 OSes. I personally didn’t find any value in running macOS to run Linux (in containers or via SSH). So I cut out the middleman. I also hated that macOS is Linux-like, but not actually. For example, you might end up learning the wrong nc or sed on macOS. Super annoying when debugging.

                                            I do get the appeal of macOS and still recommend it to my family, but as a developer, I value the simplicity of learning 1 set of tools over vanity features. Whenever I have to switch to macOS, my productivity takes a huge hit, but that’s because I’ve learned Linux workflows.

                                            1. 2

                                              Totally understandable, and I’m not arguing that. There are many people making a really good living working with Macs, and admittedly, Macs are probably the greatest machines for creative works and are superior in terms of color space handling and font rendering, to just name two things.

                                              Nevertheless, the price you pay for this advantage will grow further and further. If you only do it for work, that’s fine of course, godspeed to you! But if you look at it long-term, it looks rather bleak.

                                            2. 4

                                              If the best thing to happen to my computing career was learning Unix and the second best thing was finding Cygwin for Windows (a lifesaver), the worst decision was getting a MacBook at the end of 2019. Most frustrating keyboard and mouse (Magic Mouse) I have ever used in almost 50 years of using keyboards and X years of using mice. Just awful keyboard design, layout, touch & feel, disaster of a touchbar, no universality or standardization with anything but Macs.
                                              I use multiple machines at home/work and I want everything to be configured the same everywhere to ease transitions between machines. Linux and Windows, I can configure to be sufficiently similar, but it’s virtually impossible with a MacBook and MacOS.
                                              I figured that with 37 years to figure it out and with so many Linux devs using a Mac, Apple would have had to get their act together. Boy, was I wrong. Can’t wait to be done with it and get back to sanity.

                                              1. 5

                                                Mac hardware 10 years ago was the best on the market, and I loved using it. I am still using an old Apple USB Keyboard because I haven’t found anything matching its quality and feel. Apple changed under Tim Cook, and it will change even further.

                                                What they probably don’t realize is that developers might not make the biggest portion of their revenue, but they keep the ecosystem alive. I like to call this fallacy the “fallacy of the gaussian belly”, because they probably only aim their efforts on the consumers (iPhone, iPad, Apple Watch, etc.) and neglect the professional segment because it doesn’t make them as much money.

                                                I hope I’m not sounding like an armchair-CEO here, but in my opinion they shouldn’t even penny-squeeze the Mac customers that much. What the developers do in turn for the ecosystem is much more valuable than just mere stockholder-profits and market value.

                                                In the end, I see the problem in public trading and having a bean-counter at the top. The goals shift and the company goes down in the long-term. And now you might say “Why can you say that when Apple has just passed 2 billion market value?”. Just look at the market data of Apple before 1997. Before its demise under Sculley, Apple was at its most profitable, and just like Cook, Sculley is a bean-counter. This degradation-process won’t be sudden and there were more factors at play in 1997, but it will happen in the long-term (10 years).

                                                1. 1

                                                  I joined the Apple ecosystem as the owner of a PowerMac G3 B&W that was given to my dad by a friend in 2007. I became a massive fanboy pretty quickly. 13 years later, and I’m embarrassed at how far my ‘sports team’ have fallen. The next 20 years are gonna be a rough ride and I don’t plan to stay for long.

                                                  1. 1

                                                    It’s a good call to leave the sinking ship. I’m sure the ARM-Macs will be successful, but they will just be more locked down and not suitable for anyone interested and invested in open source software.

                                            1. 17

                                              Shameless plug: I’ve been running and for a few years now that you can just CNAME a domain to.

                                              1. 3

                                                You guys should make it a business together. The marketing buzzwords you’re looking for are “immutable bit-buckets”.

                                                To @izabera: I’m sorry for an unintended almost-DoS. I wanted to post a script here that would fetch and display a short message from a few buckets. I used a simple design, where I generated a “bucket prefix” and then stored individual bits in bucket_prefix + {0, 1, ..., a, ...} etc. After every 8 bits, there was a bit signaling if there was one more byte.

                                                Apparently my judgement failed me as I didn’t realize before I executed the script that the message “Starting at just $1 per bucket, our revolutionary immutable bit-buckets are the perfect solution to satisfy your business’es everyday storage needs.” would create 1332 files (that’s a pretty leet number!). When I realized it, quite a few of them have already been created, so I let the script finish.

                                                But it didn’t work anyway. With no error handling, some bits probably got lost on the way. I don’t have time to debug it as I have to go to sleep. Please do run rm 4b56be65-224c-47e8-886e-171a5e151406-* as this is the prefix I used.

                                              1. 2

                                                Too bad it doesn’t support Unicode characters. I created giving a negative answer, and also wanted to create a homographic variation ra∩ (where instead of n I used U+2229) giving a positive answer, but it failed. So I just went with which is perhaps even less distinguishable than the original (it obviously depends on the font you’re using; for me, in the terminal the former looks better, while here it’s the latter).

                                                1. 4

                                                  You could have made it work by just entering xn--radom-jh6b instead of ra∩dom in the text field (which I did, and now it works).

                                                1. 2

                                                  I had been switching between different distributions and families of distributions when I first started using Linux, but it’s been a couple of years since I settled with only using Debian-based systems which seem to be the most widely supported package-wise. Arch (especially because of the community repositories) might actually be slightly better, but I have developed a certain (and not necessarily fair or logical) distrust against the entire distribution after a failed upgrade I experienced a couple of years ago.

                                                  I’m now running Debian and I’ve recently switched from testing to stable. If I were to migrate to a different distribution, I’d be most likely to consider Ubuntu Server, Ubuntu Desktop, Mint or KDE neon, if I decided to give KDE another shot (in that order).

                                                  1. 5

                                                    Is this clocking in at 5 kB in total really that bad in comparison? I don’t think so.

                                                    You’ve got the number wrong:

                                                        <!-- yes, I know...wanna fight about it? -->
                                                          (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
                                                          ga('create', 'UA-45956659-1', '');
                                                          ga('send', 'pageview');

                                                    This is something I fail to understand. He doesn’t even use CSS to prevent the text from spreading over the entire width of the screen, but then happily references a JS blob that amounts to 44 KB to spy on the users. He preaches water but drinks wine.

                                                    1. 3

                                                      Haha, shoot. The script was triple blocked: first by uBlock, then by uMatrix, then by my Pi Hole. So it did not show up on my browser’s Network tab…

                                                      And yes, I’m with you there. 44 kB… Nearly 10 times the size of the rest of that site. For what I think is vanity.

                                                      1. 5

                                                        What I found particularly amusing about this was the comment. It’s like if someone saw him get into his private airplane a few minutes after he gave an emotional talk about why people should take extreme measures to lower their carbon footprint and he just stayed there with a guilty face: “I know, I know…”.

                                                        It creates an illusion that there’s nothing we could do, practically speaking. We could theoretically build better websites, but not even the strongest advocates do actually bother.

                                                        I don’t actually think using GA is that bad. I don’t like it on a personal/ideological level, but I’m not fanatical about it and can see myself using it too in some scenarios. Here, it’s all about the contrasts: no styling, the page that’s to be perceived as ugly and boring by many; everything is as minimalistic as it can be. And then bum, let’s load 44 KB worth of some JS blob.

                                                        Had the objective been to criticize the worst-of-worst bloated websites that take hundreds of milliseconds to load on a modern computer with a decent connection for seemingly no reason and demonstrate that things can be simpler (on something people could actually imagine using; such as a news portal or magazine, which commonly contain the most bloatware), then it wouldn’t be such a big deal to add some extra 40 KB. But taking extreme measures only to throw any advantage away a few seconds later doesn’t make much sense.

                                                        Oh, and an interesting article of yours (I forgot to mention).

                                                    1. 13

                                                      BTW, a story of mine: When I was in high school, we had a class to teach us how to type on the keyboard efficiently. The classes consisted of using a training software, and the grades were given mostly by the score we achieved there. We could run the program on other computers in the school as well and do some lessons in the spare time.

                                                      While never intentionally learning how to use the keyboard properly, over the years of coding and spending hours on IRC, I learned to type pretty fast, so I always was far ahead. However, some of my friends struggled with this and I was helping them. But this was boring.

                                                      So naturally, I went ahead and wrote a simple program to type in the window automatically. During a break, I gathered a group of friends, took them to the computer and intended to demonstrate to them this incredible time-and-effort-saving creation of mine. I opened one of the lessons, where we had to type a single sentence as many times as possible, fired up my program, typed the sentence there and pressed the “Start” button. It worked perfectly, except… I made a typo.

                                                      At around 800 bpm, it wrote the erroneous input all over again in a lesson, where it was particularly important to type as accurately as possible. A few seconds later, the lesson was over, because there were too many mistakes, and it threw me back to the previous lesson. But the expected input in that lesson was completely different, so it kicked me even faster. And it continued doing that over and over again.

                                                      Before I finally managed to kill the program, I lost about two weeks’ worth of progress. But the program got popular nonetheless as they understood it worked properly, I only entered an invalid input. Later on, an IT teacher asked me to demonstrate it for him. My memory is faint on that part, but I think nothing happened at all. I’m sure he would ban it if he knew how, but he wasn’t very good.

                                                      1. 5

                                                        Cool story… I love the irony that you built it to speed up your results but it caused the opposite to happen in the end… that’s probably a metaphor for about 50% of everything I do in my code :)

                                                        1. 2

                                                          It would have been great if you made it only type when the user pressed a key, so people could mash the keys as quickly as possible and have 100% correct output come out. Since you were just using it for training, though, your way makes sense too.

                                                          1. 2

                                                            Are you me?

                                                            Did almost the exact same thing back in elementary/middle school.

                                                            Loaded it up onto my purple 64mb JumpDrive that had cost me a small fortune so I could run it on any of the computers.

                                                            1. 1

                                                              Same here on Mavis Beacon. Except, the hackers weren’t impressed. So, we changed the challenge to seeing what numbers we could get doing that by hand on the actual keyboard. I can’t remember the number but it was insane.

                                                          1. 1

                                                            What would’ve happened if you killed the VNC before he connected? Would he notice?

                                                            1. 4

                                                              He’d have known the machine I was logged into wasn’t allowing him to connect, but I suppose he wouldn’t know why. I killed it about 3 times in total, but he never came over to me to check. I assume he simply never tried connecting to me during those times, or if he did, he thought it was just a temporary problem (rather than one of my own doing :)).

                                                              1. 1

                                                                OK. I wondered whether he just didn’t see some list of running instances and if you killed yours, he wouldn’t notice at all. :)

                                                            1. 30

                                                              Feminintendo on Reddit called out the people calling him out. Had three, good options at the end.

                                                              Edit to add: @ddevault said same thing even shorter on Hacker News.

                                                              1. 11

                                                                I think their responses go overboard ‘the other way’. People are expecting too much of open source authors, but I don’t believe the correct response is: ‘they have no responsibilities at all’. I believe that if you choose to release something to the public, you carry some responsibility for it. And I believe the discussion should be about which few responsibilities others may reasonably expect you to take on.

                                                                Some analogies to illustrate my thought process here:

                                                                • If I offer to lend my hedge trimmer to my neighbours, it would be disapproved of if it was, known to me, broken or dangerously malfunctioning
                                                                • If I claim a piece of a communal garden and don’t take care of it, it would be disapproved of and I would consider it right for the piece to be offered to someone else
                                                                • If I offer to do some volunteer work and I subsequently don’t do it or do a lousy job for whatever reason, people are right to be disappointed and call me out on it
                                                                • If I would have been the first to claim and I would largely, deliberately, publish recipes that are incomplete or disgusting, people would be right to be disappointed and one could wonder what gives me the right to cause so many negative emotions.
                                                                • If I would be a famous chef and I would publish a book with such defects, people could also wonder whether they shouldn’t be able to hold me responsible for resulting harm (and yes, frustration and disappointment are harms, usually offset by being a minority response or by being unintentional).

                                                                If you release code, you stake a claim to at least the name of the project and filling a certain niche. You choose to have your intellectual property invade the minds of everyone that is reached. That can have many benefits for the world and particular communities within it. In the same way your code being published and ‘out there’ can cause harm. That it’s free doesn’t change that. That you didn’t intend harm doesn’t change that. That people could theoretically choose to ignore it doesn’t change that, because in practice people don’t and you know that beforehand. That’s why I believe that publishing code carries some minimal responsibilities with it, like giving your neighbour a list of things they can borrow from you does.

                                                                I don’t know exactly how those responsibilities translate to open source software. That’s the hard part here. I would tentatively say something like:

                                                                • At the very least things should, to your knowledge, do what they are described to do.
                                                                • If something is in known ways defective, you should make that known.
                                                                • If you own a project and associated publishing permissions (e.g. for libraries to the library repo of your language of choice) and are tired of it or the community in general seems like it would like to fork, be cooperative. Offer to cede the name and the publishing permissions and to not compete with the fork. Names and niches are not yours to own because you were the first to move into them.

                                                                Responsibilities you explicitly don’t have:

                                                                • Keeping the code functional, including secure
                                                                • Responding to issues
                                                                • Merging push requests
                                                                • Sharing any knowledge of how the code works, including documentation
                                                                • Anything else you don’t want to do, except when listed under the responsibilities you do have

                                                                Is that unreasonable?

                                                                1. 5

                                                                  At the 36C3 congress there was a talk about declaring what people can expect from software (German) (at least that’s what I learned from the talk). The speaker proposed that software should have labels that describe what kind of promises the authors of the software are making. The speaker proposed a few dimensions for this, for example:

                                                                  • ownership (license, FOSS? closed source? cloud vendor-lock-in?)
                                                                  • confidence (do you make any guarantees about your software? how experienced are you in the field?)
                                                                  • correctness (unit tests? formal proof?)
                                                                  • and some more.

                                                                  (the speaker said that this is just a rough idea and probably not the best approach, yet; but I like the idea, thus I want to refer to it here)

                                                                  Such an approach could help with the issue that people expect something from you which you cannot or do not want to deliver. For example, there could be one dimension commitment (how much time are you spending on this project) with options like:

                                                                  • this project has a full corporate team (5+ members)
                                                                  • this is a one man project, but related to my business so I earn money from it (higher chance for support than on a hobby project)
                                                                  • this project is developed by a team of hobbyists - so if I do not want to continue, others can
                                                                  • this is a hobby project which I do myself in my free-time. Do not expect any work from me when I’m busy. Expect it to be discontinued at any time.

                                                                  Even if we do not have a standardized system for this, yet, I guess it could still make sense for a FOSS project to state such things in the at the top. That way people know what to expect. The speaker of the talk proposes a shortcut scheme for this (e.g. O++ for permissive licenses), but that’s only possible once categories are known and there is some adoption.

                                                                  1. 9

                                                                    Yes, I think it’s unreasonable.

                                                                    When I release code, I do it as a gift. I expect nothing from you and you should expect the same from me.

                                                                    If I write documentation, respond to issues, etc., it is because I get something from it, even if it’s only the satisfaction of doing something useful for others, but I have no obligation to keep doing it.

                                                                    Take it or leave it

                                                                    1. 4

                                                                      That seems like an oversimplification to me.

                                                                      Open source authors reap non-monetary social and reputational rewards for their efforts that can be desirable in their own right and sometimes translate to significant real world benefits (projects can be the reason you’re hired at a high-paying job, the reason you’re invited to speak at a conference that gets you more consulting clients, and so on)

                                                                      Given that, it strikes me as a little disingenuous if your POV as an open source author, especially of a popular project, is “Anyone who expects anything from me is an entitled asshole, and I’m a holy selfless person.” Not totally disingenuous, mind you (it’s partly reasonable), but also not the whole story.

                                                                      The details really matter too.

                                                                      For example, if you want the relationship between you and your users to be “I expect nothing from you and you should expect the same from me,” I think you should make that clear in your README, one way or another. Set the expectations clearly.

                                                                      But I think it’s dishonest to, e.g., silently claim that as your philosophy when it suits you, and at the same time build an active community around your project, maintain it regularly, accept PRs, and so on. (btw, I’m discussing the general case now, not casting accusations at the Rust maintainer that spurred this thread – I’m not familiar with those details but it seems like he was genuinely treated unfairly.)

                                                                      1. 3

                                                                        My argument is based on the observation that what you are giving the world is not just a gift. There are costs even to ‘leaving it’.

                                                                        1. 3

                                                                          Those costs should be evaluated by the people taking it, as they are the ones that it affects.

                                                                          1. 2

                                                                            Having to evaluate things is exactly one of the costs imposed on the world by publishing things. It’s not optional.

                                                                            1. 3

                                                                              But still your own decision. You can always write your own thing, if that seems to be cheaper than evaluating existing solutions. I don’t think that would be wise in most cases, but it is an option. Do you think people should only release their projects as open source if they are prepared to help with the costs that software project might have for others who evaluate/eventually use those projects? I know, personally, that if I’d think that was true, I’d never release anything at all…

                                                                              1. 2

                                                                                I am looking for minimal responsibilities and the ones you mention seem unlikely to be an agreed upon minimum. Not deliberately making it hard to evaluate things would be a smaller responsibility. At least not being deliberately deceptive in ways that would obviously cause harm was kind of the minimum thing I was going for, but it seems agreement on that cannot be reached.

                                                                          2. 1

                                                                            But those costs are not the responsibility of the OSS author.

                                                                            1. 3

                                                                              Why not? They are the one imposing the costs on the world: they claim a name and set things up so their publication takes space in the heads of people.

                                                                              1. 5

                                                                                Call it freedom of speech. It’s like saying you wrote a book. Nobody has to read it and you can’t blame the author if you don’t like it.

                                                                                Please also don’t blame the author if you use a book you didn’t like as a stand for your monitor and it somehow tips over.

                                                                                1. 0

                                                                                  If you don’t like ads, don’t look at them. That giant billboard, that lightshow, that banner at the top of the page you are visiting, don’t look at them. Easy, right? No effort at all to ignore them. No reason to install ad blockers or pi-holes whatsoever.

                                                                                  1. 3

                                                                                    You’re missing the point. Everyone can cram as many ads on their page as they like. I take the liberty to not use those sites. Or if I do, use an adblocker. Or in this case, I might not use the library. Or read the source and patch it. I’m not demanding the author change anything, but I might open a friendly issue or PR.

                                                                                    1. -1

                                                                                      I think you’re missing the point :). Those ads enforced a cost on you. You had to take the trouble to use an adblocker. Similarly, publishing something with the intent it be found and presented to you by search engines imposes a cost on you and everyone else: more results to evaluate. If you impose a cost on the world, perhaps you have to take on some minimum of responsibility, such as at least having a short description truthful about the further contents of what was published. That is what we’re arguing about here: do you have a certain minimum of responsibility to the world and what is that minimum?

                                                                                      1. 2

                                                                                        To me, that’s just the cost of participating in a community, be it our small one here, or the ‘big’ one outside. You can’t expect to not have to pay anything (be it money, time, attention, whatever), if you choose to participate. You participating in this thread has a cost for me too, but I don’t blame you :-)

                                                                                        1. 2

                                                                                          That is absolutely true and I think that in comparable situations some of those costs of participating in a community are costs you voluntarily pay to reduce the costs multiple other members would otherwise have to pay, so the aggregate cost for everyone stays lower.

                                                                                          1. 2

                                                                                            Fair enough, yes. Personally, I like the little inefficiencies, surprises and unexpected-nesses when participating in contexts like those. That’s usually where the (to me) worthwhile and interesting stuff happens. And I can always choose to opt-out (forever, or for a while) if something gets on my nerves.

                                                                                2. 3

                                                                                  Um, no. Pushing a repo to GitHub and setting up a website does not force people to use the project. It doesn’t force people to pay a cost or even if it does the cost is so small–in a sea of other projects like this–that it’s trivial. And because it’s trivial, removing the project is also a trivial cost to people who are not using it. It’s not a cost that people normally even think about. Like, my existence imposes a cognitive load on your mind. Does that mean I pay you something? What, like $0.01?

                                                                                  1. 2

                                                                                    You didn’t choose to exist, so you can’t be held responsible for that.

                                                                                    even if it does the cost is so small–in a sea of other projects like this–that it’s trivial

                                                                                    It’s death by a thousand cuts.

                                                                                    It’s not a cost that people normally even think about.

                                                                                    That doesn’t make it less real. Across all people and projects it adds up. It will get worse in the coming decennia and it will need to be solved.

                                                                                    But that’s all going much further than what I argued. In the end, my question was only: what are the minimal responsibilities. Can we agree on ‘being honest about what software is supposed to do’ and ‘not hiding (valid) bug reports’?

                                                                                    1. 3

                                                                                      It’s death by a thousand cuts.

                                                                                      Only if you’re actually personally evaluating a thousand OSS projects–are you personally evaluating a thousand OSS projects?

                                                                                      That doesn’t make it less real. Across all people and projects it adds up.

                                                                                      So does the cognitive ‘cost’ of books, music, and other art forms being published, but somehow you don’t hear about calls to ‘solve’ this problem.

                                                                                      my question was only: what are the minimal responsibilities.

                                                                                      I’ve already answered this question: please check the license file of the software you’re using to understand what the maintainer owes you.

                                                                          3. 3

                                                                            Then again both BSD and MIT licenses expressly say that the software is provided “as is”. This is not incidental, it specifically is there to tell people that the author does not owe the licensees a damn thing.

                                                                            Which is also why, if bugs arise in some of my open source libraries, I will tell people that I might fix them one day because I built them for fun on my spare time, also giving them the option to contract me – for money – to actually fix them on short notice. Even if the libraries are not popular by any margin, a company is actually using one of them in production, and did offer to pay for me to fix them “next week”. Eventually we decided this wasn’t necessary but we keep the option open for the future. I am also open to selling nonfree versions of the libraries with support contracts.

                                                                            So many companies use open source software in their products it makes very little sense to not see a market there. A hobby is a hobby, fun is free, but entitlement isn’t. I already get paid to write software, if someone really wants me to spend a Saturday fixing bugs for them, they might as well pay for it. Otherwise they’ll have to wait an indeterminate amount of time.

                                                                            Here are the respective bits from BSD and MIT.



                                                                            1. 3

                                                                              I think it makes sense to distinguish between the responsibilities you (want to) legally have (towards everyone) and the responsibilities you can morally be expected to have (towards your neighbour).

                                                                              You can legally disclaim any responsibility without also (intending to) morally disclaim all responsibility.

                                                                              1. 5

                                                                                Some answers I’d like to hear from people who insist software authors have no moral responsibility. If I deliberately release a program that promises to, for example, display a fractal animation, but instead deletes user’s home dir, am I morally responsible? Am I less morally responsible if it deletes user’s home dir due to an unintentional bug?

                                                                                1. 3

                                                                                  A tourist asked me for directions at the train station. I did my very best to explain to him what platform to use, but later, I saw him in the middle of a crowd as he moved towards a different one (it was the same number, but a different orientation, as I apparently failed to explain before). Unfortunately, I didn’t have the time to follow him and send him to the opposite side as I was already late for my own train.

                                                                                  I feel really bad about this, because it was a very polite gentleman and if he missed the train, who knows how long he had to wait for the next one. I actually think he didn’t, as he still had some time left and hopefully double-checked which train he’s getting on, but it still troubles me. Am I morally responsible? :-/

                                                                                  I certainly would be responsible if I did this intentionally, but that was not the case and I tried to repeat myself a couple of times. I felt reasonably confident we understood each other and didn’t feel the need to ask someone else for help.

                                                                                  The same goes for bugs. When the author’s intentions are clear and he takes reasonable measures to prevent vulnerabilities or damage, it’s not fair to accuse him. Sure, a normal person will feel bad for such an incident and apologize, but that’s it. What else? Should he pay you money or something for using his software?

                                                                                  1. 2

                                                                                    Some answers I’d like to hear from people who insist software authors have no moral responsibility.

                                                                                    am I morally responsible?

                                                                                    The people who say software authors have no moral responsibility–what do you think they will answer to your question?

                                                                                    1. 1

                                                                                      I’m not sure why you ask as the question was rhetorical, but I’d expect them to say no.

                                                                                  2. 1

                                                                                    Maybe, and you are certainly free to do that in your own projects, but in the absence of that the disclaimer that is actually in effect is the one included in the license.

                                                                                    1. 1

                                                                                      It is. Does that mean we are fine with people lying in their README or hiding legitimate bug reports?

                                                                                      1. 1

                                                                                        Their project, they do whatever they want with it. You don’t like it–don’t use it.

                                                                                        1. 1

                                                                                          people lying

                                                                                          This type of slanderous characterization is why I flagged the original entry as off-topic. Most of the comments here, to their credit, are sincere reflection on the pressures of writing and contributing to open source. But some, like this, are just rehashing the persecution of the software maintainer.

                                                                                          1. 1

                                                                                            This entire subthread is not about the specific situation reported here and is wondering in general what minimum responsibilities we may expect open source authors to take on. There seem to be people that believe we may not expect them to take on any responsibility at all, even excluding the minimum moral responsibilities we normally associate with any other human interaction as reasonable expectations. That is what I am explicitly asking after.

                                                                                            1. 2

                                                                                              OK, so someone explicitly stating untruths in READMEs and hiding issues is just a hypothetical example?

                                                                                              1. 2

                                                                                                Shit, I understand my mistake. Those are both things that are alleged to have happened in this particular case and repeating them can be seen as accepting them as facts.

                                                                                                To be explicit, for both things: no, that is not what I had in mind. I’m not talking about this case.

                                                                                                • I don’t know the facts concerning the alleged untruths. I have something in mind like “This code is safe to run to see a puppy” when you know it will delete the home directory. Something that obviously causes harm. Anything more gray is, well, more gray and requires separate discussion. My goal is establishing a bare minimum responsibility.
                                                                                                • The thing with the issues happened in frustration and is defensible. I’m thinking of someone hiding/deleting an issue that literally says “Don’t run this project, it will remove your home directory” when it indeed does that.
                                                                                                1. 2

                                                                                                  Thanks for clearing that up!

                                                                                  3. 1

                                                                                    I’ll say first I thank you for a detailed, thoughtful write-up on the other side of this.

                                                                                    “I believe that if you choose to release something to the public, you carry some responsibility for it.”

                                                                                    I’m actually with you on that belief. I’m utilitarian. I look out for the public a bit. So, it just fits my beliefs. Thing is, other people have all kinds of beliefs. I tend to go with lowest-common denominator if I’m aiming for a universal expectation. For OSS/FOSS, they’ve done volunteer work, shared it with others, and typically with a license denying responsibility. So, I shouldn’t hold them responsible for any problems I experience from my use of their work they published. Plus, if people need it fixed, they have options ranging from pull requests (denied) to forking their own version.

                                                                                    I’ll run through the analogies to see how they might fit:

                                                                                    Hedge trimmer. Used as intended, the hedge trimmer would work. It only breaks if the neighbor is doing malicious or weird things with it. Someone requests the hedge trimmer be modified by the supplier or its buyers to block all such malicious and weird uses. That really on them?

                                                                                    Communal garden. This is more like someone planting the garden (or a lot of it), it being used by many people, planter takes care of it almost exclusively themselves, it gets some improvements by others here and there, and original planter leaves due to disagreements on managing the garden. They still planted, maintained, and left a garden. If anything, the other people look suspect here.

                                                                                    Volunteer work done lousy. This is the closest thing to where I agree with you. I’d say that’s a matter of personal integrity to do what one promised. I hate it when I slip too much to do that. In this case, I don’t know if author promised anything so much as just shared their work which outperformed most others. They did what they intended and were volunteers. What others expected wasn’t actually their promise as volunteers.

                                                                                    and Chef. Responding to chef since they’re similar. I’d first look to see what was promised. This author would be a chef that was making their preferred kind of recipe, used some ingredients a lot of people liked, some people didn’t, and shared it with others. The chef’s preferences for their style of cooking caused them to not accept recipe changes from others to be published in the chef’s recipe. Others were allowed to publish their own version. They didn’t. Most enjoyed the recipe. Some didn’t even read the ingredients to spot potentially nasty ones or things they were allergic to. Some found out about suspicious ingredients but ate it anyway. Again, it’s not the chef that’s suspect to me since they’re just doing their thing with the questionable ingredients dominating the menu at other providers.

                                                                                    “You choose to have your intellectual property invade the minds of everyone that is reached.” “because in practice people don’t and you know that beforehand”

                                                                                    That’s a big difference in our thinking. I’m from free speech, thick skin, control-how-people-influence-you part of the country. Realistically, what you describe will happen to some degree or even most of the time due to human nature. Realistically, we also need to know this, be wary of it (esp our biases/triggers), skeptical about what others offer, and only allow good ideas into our minds or as our working dependencies. We also need to introspect occasionally to prune bad ones out. If the audience didn’t do that, they need to address their bad habits before they screw up again.

                                                                                    I’m no exception. I’m actually spending most of this week flushing out last year’s stresses, assessing bad habits, new goals, and how I’ll handle them. Those that affected me negatively were almost universally those I allowed to be a mental dependency. There’s the root problem. Sometimes I have little choice or one with high coercion. Most I could’ve handled differently, though. I strongly encourage that in others who are considering being emotionally tied to or walking into an artificial, nearly-pointless catastrophe such as the Actix situation. I’m responding just because I find these things interesting with some good usually coming out of it. Raph’s write-up on the front page is an example.

                                                                                    On your three part list, the third isn’t reasonable since it’s the owners’ work and property. The license allows a fork. That’s enough. The first, honesty, should be a must on basic principle. The second is really where all this happened. Is it really defective if it does what the owner wanted it to do? In security, we evaluate the software against a correctness or security goal or policy. There’s endless possibilities. We usually only care about a subset of it. Author found it correct enough for now with no urgency for a fix, planning on their own. If it meets author’s requirements, is it really defective or even defective enough to warrant calling it a failure? Remember that most useful, deployed software sucks in some way when you try to answer that.

                                                                                    Your thoughts are all reasonable. I could see maintainers subscribing to that philosophy. I just can’t justify pushing it on them at large. Many wouldn’t accept it either due to ideological differences.

                                                                                    1. 1

                                                                                      As is usual in discussions I’m going to focus on where we (seem to) differ, but we’re largely in agreement.

                                                                                      An explanation I should have added to my original post: my analogies were not intended as analogies of this specific situation, but as analogies of open source in general. My intention is to flesh out some general expectations people may have of each other, to get to some minimum responsibilities.

                                                                                      You e.g. adjusted the hedge trimmer example to match this specific situation, which was not what I had in mind. So to be clear: I was not implying the author of the project under discussion violated reasonable expectations by delivering something similar to a dangerously broken hedge trimmer. I agree that unforeseen and dangerous use of a hedge trimmer is in no way the responsibility of the lender. Similar things hold for the other analogies as you formulated them: I agree with your takes.

                                                                                      Realistically, what you describe will happen to some degree or even most of the time due to human nature.

                                                                                      Absolutely true and wouldn’t it be very nice if the amount of work we had to do to guard against that would be lower, because of shared general principles that result in more people taking on some minimum responsibility to not cause the problems we’re guarding ourselves against? I believe often the problem isn’t so much that people don’t believe they have responsibilities as that they have never explicitly thought about them or forget about them and would take action when reminded of a responsibility they have previously agreed they have. Perhaps we need something like an ‘Open source author manifesto’ that people can include with their repo.

                                                                                      The second is really where all this happened.

                                                                                      Not within the scope of the minimum responsibility I had in mind there. In the context of Github, I would say it’s enough that ‘issues’ exist that document brokenness. The minimum responsibility here is not closing/hiding/deleting issues that could cause users grief. My opinion on this specific situation is that the author did nothing wrong with respect to the responsibilities we may minimally expect them to take on.

                                                                                      The license allows a fork. That’s enough.

                                                                                      That seems to be the majority opinion, but in practice it seems to be very ineffective to me. It doesn’t happen as much as it should.

                                                                                      I think one of the main obstacles is that just forking a project isn’t enough: you also need to communicate to everyone, including newcomers, that the previous project has been superseded, with the blessing of the community. Forking causes confusion and makes it hard for people to pick the option generally considered ‘the best’. Wouldn’t it be helpful to the community if authors would give up their claims to project names and publication permissions so the fork can continue under that name? Wouldn’t that make forks likelier to succeed?

                                                                                      So what I’m assuming here is that one of the major problems open source has is not so much availability of people who want to maintain a fork, but the availability of such people who also believe that spending that effort is useful, because the fork will succeed.

                                                                                      But in the end the entire third bullet can be a separate discussion. If people would in general agree open source authors have at least the minimum responsibilities of being honest about what the code is supposed to do and about defects that may cause users harm, then already we have at least established there are some responsibilities and that the discussion should be about those; not about ‘none’ vs ‘all’.

                                                                                    2. 1

                                                                                      You offer to create no value for me, only to “respect” my claim and deed to property, and you think I owe you money/time for that.

                                                                                      I think you’re going to be disappointed.

                                                                                      1. -1

                                                                                        We generally don’t accept people just giving the world ‘gifts’. We hold that they have a minimum of responsibility with respect to their gifts. If we find that giving African villages wells has counterproductive results, because it disrupts the social fabric, then we are responsible to undo the damage. We frown upon someone giving a recovering alcoholic a free bottle of booze. We frown upon someone promising to help you and reneging on that promise. You can think of countless examples yourself where the fact that something is a gift does not absolve the giver from all responsibility concerning that gift.

                                                                                        So yes, I believe there is a minimum responsibility, and thus a minimum of time, you owe the world if you choose to ‘give’ it something. And I think you believe exactly the same.

                                                                                        1. 2

                                                                                          My reason for producing software is not a gift. It is entirely selfish!

                                                                                          When I have published software, gratis or otherwise, it is not because I’m trying to get you hooked on booze, or even because I don’t think you can produce it yourself.

                                                                                          I do things because they benefit me, or because I expect them to benefit me, and I think that’s true of everyone, including you.

                                                                                          That’s why you try and convince people into thinking they owe you more: Because that more can benefit you.

                                                                                          Maybe you even think that’s necessary/economy: To convince people to take a worse deal than you, but that’s sad. I don’t want to be friends with people like that. I think we can find a deal where we’re both happy with the outcome, and happy enough we would do it again, and I hope that you might learn to actually prefer that as well.

                                                                                          1. 0

                                                                                            If you think lending a broken hedge trimmer to your neighbour for the laughs is fine, because you have the selfish benefits of having a laugh at them – or the only reason you don’t do it is because you might need something from your neighbour in the future and some form of utilitarianism informs you not to do such a thing, then I’m not interested in being friends either.

                                                                                            I prefer people to not be entirely selfish, to consider what costs they impose on the world to get the benefits they are after and to take some minimal responsibility to reduce those costs.

                                                                                            1. 2

                                                                                              Yes. The only reason I don’t buy a hedge trimmer, break it, then lend it to my neighbour, is obviously because I might need something from my neighbour in the future, and not because I might have bought the hedge trimmer in the first place for my own purposes. After all, I only would ever buy a hedge trimmer in the first place, if I wanted to lend it to someone for some social currency I can redeem in the future.


                                                                                              @friendlysock - you really vouch for Confusion?

                                                                                              1. 0

                                                                                                I started this thread suggesting open source authors at the very least have the responsibility of basic decency. You responded negatively and are now promoting selfishness, attempting to extract more and finding mutually beneficial deals so that you may do it again. And somehow I’m the offensive one, even though your principles lead to the offensive scenario and you are the one denying any basic moral responsibility when that might have a cost to you without any benefit?

                                                                                                1. 2

                                                                                                  Yes. On all points: You started this thread. You called working for free “basic decency”. I did respond negatively (makes sense, I was indeed offended by that). I did say I will not work for free. Yes you’re the offensive one. Yes not working for free is selfish. Yes I do not work for free.

                                                                                                  Sounds like you’re a communist (or whatever it is where they can make you work) and I’m a socialist and we just have ourselves a little ideological difference of opinion, but since I don’t have to do anything I don’t want to, and you haven’t convinced me of anything (all that comparing my writing code to enabling alcoholics definitely didn’t help) that’s probably just going to be the way things will be.

                                                                                                  1. 0

                                                                                                    Let me emphasize, based on comments in another subthread, that I emphatically do not mean the things that are alleged to have happened in the specific case reported here. I’m thinking of things like saying “you can safely run this code” when you know it actually deletes a home directory or removing an issue that warns others of such an obviously harm-causing thing.

                                                                                                    You called working for free “basic decency”

                                                                                                    You call ‘being honest about what something does’ (not writing anything is honest) and ‘not hiding bug reports’ work?

                                                                                                    (all that comparing my writing code to enabling alcoholics definitely didn’t help)

                                                                                                    Not writing code: the equivalent would be publishing it and then lying about what it does, negatively impacting people for no reason.

                                                                                    3. 7

                                                                                      I’d just like to point out that nowhere here has anybody linked to a new fork of the code everybody is handwringing about being gone. Instead, we are now just linking to other fora, doubtless perpetuating a tempest in a teacup.

                                                                                      This is why I flagged the submission.

                                                                                      1. 3

                                                                                        I would love for the technical community to forget trying to figure out precisely where blame and responsibility lie and why, and instead move on to working out a plan for immediate and seamless recovery from a catastrophic bus factor reduction. Next time, I want to see more “this happened, yes it sucked, but more importantly here’s how we’re going to pick up the pieces and carry on smoothly” and less 90+-comment threads (to which I reluctantly contribute) focusing on a single person who very likely wants to be left alone right now.

                                                                                        1. 1

                                                                                          Exactly. Just more flying peanuts from the peanut gallery.

                                                                                        2. 3

                                                                                          I think the linked two takes go too far in the direction of letting anything go for developers of Open Source who don’t adhere to minimal social norms while appearing too restrictive on what other people can say.

                                                                                          For developers, even if one agrees that developers of a piece of Open Source software don’t have an obligation to keep developing the piece of software or to provide support, it’s still reasonable to hold it as a social norm that if the original developer quits they shouldn’t take disruptive active action (such as making the repo go away on GitHub or pushing breakage via cargo, npm, or similar; not suggesting that the latter is relevant in this case).

                                                                                          Handing off maintainership is a tricky case if there isn’t already a trusted co-developer. On one hand, properly handing off maintainership is socially expected, but the hand-off is also a potentially disruptive active action. Clearly, as npm incidents have taught us, one should not hand over control of a software distribution channel to some random person who volunteers. If quitting happens under emotionally heavy circumstances, handling the hand-off responsibly to a properly trustworthy party may be too burdensome. In that case, it’s best not to take any action (except maybe marking the repo archived on GitHub).

                                                                                          As for other people, especially in the case of an infrastructural library, it should be an acceptable response to publicly advise against the use of a particular library with a polite fact-based explanation why. (See @burntsushi’s post on Reddit.) When other people are relying on code that someone wrote, it’s no longer just about the person who wrote the code. It’s bad for the Rust ecosystem for a crate whose approach to soundness doesn’t meet the soundness issue handling expectations for Rust to end up in a keystone position in the ecosystem. In practice, you don’t get true freedom of choice about what crates are in your dependency tree. There needs to be a way for the Rust community to communicate norms such that crates that don’t meet the soundness issue handling expectations of Rust don’t end up in keystone positions in the ecosystem.

                                                                                          In this case, some people failed badly at the “politely” part. Also, not everything has to happen that fast, and the Rust community is a bit too quick and harsh to react to things that look like people who haven’t bought into Rust could use them as counter-examples against Rust’s evangelism promises. I’ve been perceived to do a thing undermining Rust’s promises (not on soundness), and the response hasn’t been particularly nice and at times it has been more on the quick than researched side. Things don’t need to be resolved on Reddit the moment you discover them.

                                                                                        1. 8

                                                                                          Add a “show” tag, and perhaps consider not having your username be your project name (looks like advertisement).

                                                                                          1. 10

                                                                                            Yeah. I PMd to tell him to knock off the self-promotion.

                                                                                            1. 3

                                                                                              An open source project, where there is also a cloud-hosted version by the author, is not necessarily a spam post. Goat Counter does exactly the same thing and got a lot of upvotes on Whether the link goes to the Github README or a separate blog shouldn’t make much of a difference methinks?

                                                                                              The only sketchy thing here is that the username matches the project name. But that doesn’t make the project itself bad. Maybe they’ll change their username to something more personal.

                                                                                              1. 7

                                                                                                I’m really careful in not promoting/spamming GoatCounter too much here. For example, I wrote some things on my website about it that I didn’t post here, and I tend to refer to it as “the project I’m working on” in comments when I don’t really need to reference it by name. Additionally, I’ve been posting here for a while with quite a number of comments/submissions. I also just happen to be developing this product, but that’s not why I’m here.

                                                                                                I’m sure Son has the best of intentions (SimpleLogin uses GoatCounter, and provided some pretty useful feedback), but I’ve seen several SimpleLogin stories in the last few weeks, and IMHO it’s a little bit too much. Self-promotion is fine IMHO, but it’s all about the balance.

                                                                                                1. 1

                                                                                                  Hey what’s funny is some trending posts about SimpleLogin aren’t even posted by us, I learnt about them when they are trending on Reddit.

                                                                                                  We are preparing an official launch so are posting about “the project we’ve been working on” ;) a bit everywhere. A lot of constructive feedback, some haters (obviously) but so far so good.

                                                                                                  1. 3

                                                                                                    Yeah, it’s just some things I noticed here. Maybe my impressions are wrong 😅 Also, as someone else pointed out having the username “simplelogin” probably isn’t helping. You can change it in Lobsters on your profile at any time.

                                                                                                    1. 2

                                                                                                      Yeah I just changed my username.

                                                                                                2. 2

                                                                                                  He’s pushing it too much (see his previous submission and the discussion underneath).

                                                                                                  1. 0

                                                                                                    Self-advertising is not bad per se, I discovered some cool projects by their authors and I have met a lot of amazing people who support SimpleLogin via my “self-promotion” posts. For me, what’s more important is the content itself.

                                                                                                    It’s sad that people don’t even look at the post before classifying it as “spam”.

                                                                                                    1. 1

                                                                                                      I think maybe the match between your username here and the name of the product causes a knee-jerk reaction. Have you considered using the same username here that you use on Github?

                                                                                                      1. 2

                                                                                                        I use the product name as username on reddit and HN so anyone could know immediately that I’m self-promoting and not trying to fake a positive review. Anw just changed my username :).

                                                                                                1. 4

                                                                                                  “Something like Go or Rust” is definitely not necessary and it doesn’t matter whether or not you use a document-oriented database. Your main concern is to have the computing power and connectivity to download and index the pages, especially if you want to even remotely compete with Google. This isn’t a task for a single computer, and you need to be able to add new servers on the fly.

                                                                                                  With systems like this, even talking about a single database backend in the sense of “and there’s a few servers running Postgres” is silly. It wouldn’t scale. Can you imagine thousands and thousands of servers at different geographical locations, all consistent with each other?

                                                                                                  You need to rethink your requirements, and the consistency is the first thing to go off the list. When a certain page gets removed from the index, for example, it doesn’t matter that one server stops serving it after 5 minutes and the other after 2 hours.

                                                                                                  Some elementary (and extremely simplified) design could be something like this:

                                                                                                  At a certain geographical location, you’ll have a bunch of nodes, where each node holds a certain part of the index, and also some front-facing servers. When a new search request comes in, you query all of these nodes (or only the relevant ones, if you can somehow make that happen) at once and then merge their answers into a single result you’ll report back to the user.

                                                                                                  Then you need to figure out the crawling and indexing. Crawling is likely to be enormously computationally expensive, because with fulltext search, you need to do some analysis on the text to actually make it searchable. When I search “žlutý” in Google, which is a Czech word for “yellow”, it gives a preference to the exact match “žlutý”, but also highlights words žlutými, žlutá, žlutého, žlutém, žlutým, žlutě, žlutému, … (etc), which are the different grammatical cases of the very same word.

                                                                                                  In order to achieve this, you need to take the input text and turn every word into a single grammatical case. So you would turn a Czech sentence “Jezdili žlutými autobusy” into something like (jezdili, jet), (žlutými, žlutá), (autobusy, autobus). You then index all of these words, but give them different weights (an exact match is more valuable).

                                                                                                  Once you do this once, you need to propagate the modifications over the entire system (so, say, from North America to Europe), but do it in a way that doesn’t overload the servers.

                                                                                                  And I’m terribly oversimplifying here. I didn’t mention scoring, sorting the results, and a lot, lot of other things.

                                                                                                  But I hope I made my point clear: Deciding what language would be fancier to use is somewhat of a smaller problem here.
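The scatter-gather query and the weighted lemma indexing sketched in the comment above, as an added example that is not part of the original post. The weights, the lemma entries beyond the three pairs the comment gives, the sample documents and all class and function names are assumptions made for the illustration.

```python
import zlib
from collections import defaultdict

# Lemma table. The first three pairs are the ones given in the comment;
# the remaining entries are constructed for this example.
LEMMAS = {
    "jezdili": "jet",
    "žlutými": "žlutá",
    "autobusy": "autobus",
    "žlutý": "žlutá",
    "žlutého": "žlutá",
}

EXACT_WEIGHT = 2.0  # assumed weight: hit on the literal word form
LEMMA_WEIGHT = 1.0  # assumed weight: hit on any form of the same word


def analyze(text):
    """Turn text into (surface form, lemma) pairs, one per word."""
    pairs = []
    for raw in text.lower().split():
        word = raw.strip(".,!?")
        if word:
            pairs.append((word, LEMMAS.get(word, word)))
    return pairs


def rank(hits, k):
    """Order (score, doc_id) hits best first, ties by doc_id, keep k."""
    return sorted(hits, key=lambda h: (-h[0], h[1]))[:k]


class Shard:
    """One node holding a part of the index."""

    def __init__(self):
        # term -> doc_id -> occurrence count
        self.exact = defaultdict(lambda: defaultdict(int))
        self.lemma = defaultdict(lambda: defaultdict(int))

    def add(self, doc_id, text):
        # Index every word twice: under its literal form and its lemma.
        for surface, lemma in analyze(text):
            self.exact[surface][doc_id] += 1
            self.lemma[lemma][doc_id] += 1

    def search(self, query, k):
        scores = defaultdict(float)
        for surface, lemma in analyze(query):
            for doc, n in self.exact.get(surface, {}).items():
                scores[doc] += EXACT_WEIGHT * n
            for doc, n in self.lemma.get(lemma, {}).items():
                scores[doc] += LEMMA_WEIGHT * n
        return rank([(s, d) for d, s in scores.items()], k)


class Frontend:
    """Front-facing server: fans a query out to all shards and merges."""

    def __init__(self, shard_count):
        self.shards = [Shard() for _ in range(shard_count)]

    def add(self, doc_id, text):
        # Each document lives on exactly one shard (stable hash of its id).
        idx = zlib.crc32(doc_id.encode("utf-8")) % len(self.shards)
        self.shards[idx].add(doc_id, text)

    def search(self, query, k=10):
        # Every shard returns its own top k; because documents are
        # partitioned, the global top k is contained in their union.
        partial = []
        for shard in self.shards:
            partial.extend(shard.search(query, k))
        return rank(partial, k)


def build_demo():
    """Index four constructed documents across three shards."""
    fe = Frontend(shard_count=3)
    fe.add("d1", "Jezdili žlutými autobusy")
    fe.add("d2", "Žlutý autobus stojí")
    fe.add("d3", "Modrý vlak odjel")
    fe.add("d4", "Barva žlutého domu")
    return fe


if __name__ == "__main__":
    print(build_demo().search("žlutý", k=3))
```
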

                                                                                                  1. 2

                                                                                                    Thank you for your insight, there’s so much I don’t know I don’t know.