575
submitted 7 months ago by davel@lemmy.ml to c/opensource@lemmy.ml
top 48 comments
sorted by: hot top controversial new old
[-] piefedderatedd@piefed.social 104 points 7 months ago

In some open source projects there is a lot of leeching and little contributions.

In 2020 the sole developer of Invidious stepped away from development because of burn out. https://omar.yt/posts/stepping-away-from-open-source

Also in 2020 developer Raymond Hill archived the uMatrix browser add-on https://news.ycombinator.com/item?id=24532973

I will never hand over development to whoever, I had my lesson in the past -- I wouldn't like that someone would turn the project into something I never intended it to become (monetization, feature bloat, etc.). At most I would archive the project and whoever is free to fork under a new name. For now I resisted doing this, so people will have to be patient for new stable release.

What would actually help is that people help to completely investigate existing issues instead of keep asking me to add yet more features. Turns out people willing to step in the code to investigate and pinpoint exactly where is an issue (or that there is no issue) is incredibly rare.

[-] a1studmuffin@aussie.zone 29 points 7 months ago

That last sentence rings true of most software engineers. Everyone wants to work on a glamorous new feature that's going to wow users or let them think about problems they want to think about. No-one wants to hunt down the difficult-to-repro bug in an old but critical section of someone else's code.

[-] Cwilliams@beehaw.org 21 points 7 months ago* (last edited 7 months ago)

For anyone wondering, here is the difference between uMatrix and uBlock Origin: https://news.ycombinator.com/item?id=24533329

[-] danielquinn@lemmy.ca 14 points 7 months ago

When I stepped away from my own (mildly successful) Free software project, I had the same concerns: it's about the reputation.

The project had earned a decent amount of trust when I was running it, and presumably people were installing new updates without going over the changes. If I handed off the project to someone new, I wasn't just handing over the work, but that trust as well.

So rather than handing over the project to someone new, I archived it and someone else (thankfully someone not-evil) forked it. Anyone installing the fork immediately understood that the relationship was new. They'd have to decide whether to trust this new maintainer or not.

For my money, this is the way. If you're burning out, remember that your reputation is tied to your project name, and that it has considerable value. If you don't want to continue, the disruption of a fork is better/safer than the smooth-but-risky hand-off.

[-] rizoid@lemmy.dbzer0.com 86 points 7 months ago

More people need to operate like Linus Torvalds. Call people on their shit. Respectfully of course.

[-] pastermil@sh.itjust.works 69 points 7 months ago

Fuck you

Respectfully,

Linus Torvalds

[-] bhamlin@lemmy.world 2 points 7 months ago

Shit, sensitivity training works. Please don't show this to my HR team....

[-] maniel@sopuli.xyz 13 points 7 months ago* (last edited 7 months ago)

Respectfully of course.

Like "Fuck you Nvidia"?

[-] nossaquesapao@lemmy.eco.br 16 points 7 months ago

I vote on an exception for big corps. Fuck you nvidia.

[-] bhamlin@lemmy.world 4 points 7 months ago

Respectfully

I'm more of a fan of responding in kind. Manners may cost nothing, but so does clear communication.

[-] MigratingtoLemmy@lemmy.world 1 points 7 months ago* (last edited 7 months ago)

In my book, respectfully is something more insulting than "you're so stupid, how did you survive to suck on your mother's tit, one would imagine you were too stupid to know what to do with it".

Obligatory /s

[-] BearOfaTime@lemm.ee 79 points 7 months ago

Lol, you don't already operate this way in life?

Someone trying to guilt or pressure you has an agenda and isn't concerned with what's best for you.

[-] anzo@programming.dev 41 points 7 months ago

Easy to say... Not so easy to just do it, specially if you're burned down..

[-] ReversalHatchery@beehaw.org 3 points 7 months ago

This very comment could be very dismissed with the attitude.

[-] Murdoc@sh.itjust.works 51 points 7 months ago

Yes, you should totally do that. DO IT.

[-] Killing_Spark@feddit.de 40 points 7 months ago

No. I won't not do that. For security reasons.

[-] Potatos_are_not_friends@lemmy.world 49 points 7 months ago

Open source is such a wild west at times.

You have your gatekeepers like Linus Torvalds who will call you a fucking moron if you submit something that looks remotely off.

You have your committees that you can submit a MR, but it has to go through the council of experts before it gets merged.

But the vast majority, it's a one or two person project and this was a side project because you had an issue you wanted solved. No financial reward, no acknowledgement. And so when someone gives it a iota of attention, you fall head over heels and hope they are like-minded and want to support this dream too.

[-] jaypatelani@lemmy.ml 7 points 7 months ago

Theo is even more strict than Linus.

[-] protozoan_ninja@sh.itjust.works 30 points 7 months ago* (last edited 7 months ago)

I've always taken this attitude towards pushy people and tbh this is more or less why. Being pushy like this is inherently suspicious as fuck.

[-] ipkpjersi@lemmy.ml 6 points 7 months ago* (last edited 7 months ago)

I think it can depend on how and why you're being pushy too. I've definitely had to have my fair share of passionate conversations and strongly advocating (yes, you could say pushing) for what I believe is best for the direction of a project with my fellow maintainers, especially when it comes to important things (like how to handle specific security issues etc since there's not always one way of handling it). Generally speaking though you're right.

[-] protozoan_ninja@sh.itjust.works 3 points 7 months ago

Yeah, that's fair, there are driven people, and people who are pushing for something, right, but in this case, look at the language used:

Progress will not happen until there is new maintainer. XZ for C has sparse commit log too. Dennis you are better off waiting until new maintainer happens or fork yourself. Submitting patches here has no purpose these days. The current maintainer lost interest or doesn't care to maintain anymore. It is sad to see for a repo like this. [src]

Tons of emotional button-pushing and pressure, but not on technical grounds. Just trying to make the dev feel crappy about themselves.

[-] phx@lemmy.ca 24 points 7 months ago

Anyone pushing you to do something you don't understand, or understand poorly. I could see an actual security researcher pushing for a code update to fix a vulnerability.

Heck, even as an occasional contributor I take some pride in seeing my fixes etc make it into the mainline codestream.

But yeah, you definitely need to be wary of somebody you only know from online pushing a change that doesn't make sense or you don't understand.

[-] davel@lemmy.ml 8 points 7 months ago

Anyone pushing you to do something you don’t understand, or understand poorly.

This was taught to me in my bank teller training back in 19-dickety-two. Don’t let someone try to rush you or to obfuscate/over-complicate things.

[-] lordnikon@lemmy.world 16 points 7 months ago

Honestly that should go for all transactions. someone calls you to fix an issue or pressure you into buying something. Just hang up and call the company back. one thing I have learned from many years of support is the person calling always has power over the person being called. So flip the dynamic. same goes for car sales just walk away. hell go look at cars when you don't want one and practice just walking away and see how much power you get.

[-] MotoAsh@lemmy.world 3 points 7 months ago

Regardless of flipping the dynamic, that's a good way to avoid scammers. It's easy to spoof an incoming number, but near impossible to intercept an outgoing call. If your "bank" calls and starts asking funny questions, just hang up and call the real bank to check.

[-] KillingTimeItself@lemmy.dbzer0.com 12 points 7 months ago

as a non developer myself, to my understanding, the vulnerabilities were implemented in test binaries?

If so, i question why those were shipped to the client. Unless they were built into the package itself on the mirror, in which case, still curious as to why that would be. I would think tests are entirely benign and do nothing. Seems like it would be incredibly bad practice to do otherwise?

Seems like an obvious vector to shutdown any potential fuckery. But what do i fucking know.

[-] tomalley8342@lemmy.world 23 points 7 months ago

The compile process was modified to decrypt and unpack the "corrupted" test zip file, which was actually a code patch, and apply said code patch before assembly of the final binaries.

[-] KillingTimeItself@lemmy.dbzer0.com 1 points 7 months ago

hmm ok. Yeah idk, even from an organization aspect, i still wouldn't consider that to be ok. Test files that patch code on the fly is a recipe for a nightmare of maintenance. Which i suppose is the idea here considering that it's malicious code lol.

[-] ReversalHatchery@beehaw.org 20 points 7 months ago

They were not shipped to the client. They were shipped to the build system, executed there after deobfuscation, and they inserted an additional, opaque program file into the build process.

[-] KillingTimeItself@lemmy.dbzer0.com 1 points 7 months ago

that much i picked up on, though i didn't make it very clear. I did mention that alternative though.

[-] Fave@lemmy.world 17 points 7 months ago* (last edited 7 months ago)
[-] KillingTimeItself@lemmy.dbzer0.com 1 points 7 months ago

i know it's rather involved, i've been tailing it from the sidelines, though like i said, i am not a developer, so in terms of code and maintaining code im blind there. But everything else i understand.

It's definitely an interesting situation to observe.

[-] KingThrillgore@lemmy.ml 12 points 7 months ago

I've always been a fan of "pull requests welcome" when someone asks me for something.

[-] erwan@lemmy.ml 10 points 7 months ago

The problem is when people then open huge PRs and expect you to take time to review them, then eventually merge them.

Especially when it's something you don't want in your codebase because it introduce a big unnecessary "refactoring" or a feature that you don't want to have to maintain forever.

[-] Kazumara@feddit.de 4 points 7 months ago

That doesn't apply as a solution here. After all Jia Tan did make pull requests, the pressure came later.

[-] twinnie@feddit.uk 7 points 7 months ago

The guy was from Hong Kong, they probably threatened to throw his family in jail.

[-] underisk@lemmy.ml 48 points 7 months ago

he was using a singapore VPN and had access to multiple sockpuppets. we know literally nothing else about them and anything you've heard to the contrary is baseless rumor.

leading theory is that it was a state-sponsored actor, but frankly even that much is speculation and which state is still way up in the air.

[-] ReversalHatchery@beehaw.org 3 points 7 months ago

It seems I'm out of the loop, how do we know about hongkong and singapore?

[-] underisk@lemmy.ml 8 points 7 months ago

we know about the singapore VPN because they connected to IRC on libera chat with it. the only reason I can think people would believe they're from hong kong is because of the pseudonym they used, but it's not like that proves anything.

see link posted in another user's reply: https://boehs.org/node/everything-i-know-about-the-xz-backdoor#irc

[-] Potatos_are_not_friends@lemmy.world 12 points 7 months ago

Via https://boehs.org/node/everything-i-know-about-the-xz-backdoor

They found this particularly interesting as Cheong is new information. I’ve now learned from another source that Cheong isn’t Mandarin, it’s Cantonese. This source theorizes that Cheong is a variant of the 張 surname, as “eong” matches Jyutping (a Cantonese romanisation standard) and “Cheung” is pretty common in Hong Kong as an official surname romanisation. A third source has alerted me that “Jia” is Mandarin (as Cantonese rarely uses J and especially not Ji). The Tan last name is possible in Mandarin, but is most common for the Hokkien Chinese dialect pronunciation of the character 陳 (Cantonese: Chan, Mandarin: Chen). It’s most likely our actor simply mashed plausible sounding Chinese names together.

[-] xantoxis@lemmy.world 3 points 7 months ago

Wild, so it would suggest that the actor wasn't Chinese at all. An authentic Chinese person probably wouldn't choose a name that sounded like that, any more than I would name myself Sean MacBerkowitz, it would just sound wrong.

A random name generator might produce something like this, of course, if it wasn't programmed to be too picky.

[-] baseless_discourse@mander.xyz 6 points 7 months ago* (last edited 7 months ago)

Or they are Chinese, and pick non-authentic Chinese names so people wouldn't suspect them? I don't think looking at the name can be a great way to identify the source.

This attack is clearly sophisticate: the attacker(s) are probably well-trained in obscuring their identity to not reveal much info from their name picks. Say, just use a random name generator.

[-] Miaou@jlai.lu 1 points 7 months ago

Except it is a Chinese name, as Cantonese is spoken in China. Lots of speculation here by people missing vital information.

[-] baseless_discourse@mander.xyz 2 points 7 months ago* (last edited 7 months ago)

The name is suspicious because "Jia Cheong Tan" uses two different romanization of Chinese used in different regions. "Jia" and "Tan" seems to be pinyin, which is commonly used in the mainland; yet "cheong" uses probably Wade-Giles which is used in Taiwan.

OP seems to suggest cheong is Jyuping, which is used as a romanization for cantonese, but according to wikipedia, "eong" is not a final for Jyuping. So I don't think this is Jyuping.

disclaimer: I don't know a lot about Jyuping or Wade-Giles, so everything I put out is from wikipedia.

See:

[-] DingoBilly@lemmy.world 2 points 7 months ago* (last edited 7 months ago)

It's a hard call at end of day. If you want it to all be privacy respecting and open source and decentralised then you're almost guaranteeing you won't make money from it.

The alternative is ad based software that's free which is also garbage.

Hard to find the balance between the two, can't think of many examples if any that actually work besides just making a paid product that's very good and hope it's better enough than the rest to be successful. But even then you likely will have to cross lines because you're just relying on viral luck at that stage.

[-] galil3o@lemmy.world 1 points 7 months ago
this post was submitted on 31 Mar 2024
575 points (100.0% liked)

Open Source

31272 readers
377 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS