[izacus]

> As a maintainer, it is his choice which patches to accept. If you're not happy with his decisions, choose another project, fork it, or pay someone to do it for you.

Sure, but that DOES NOT mean you're immune to criticism, especially when it comes to security.

Your type of argument could otherwise be used for pretty much everything - even large corporations. It's not useful.

[pgeorgi]

> Sure, but that DOES NOT mean you're immune to criticism

The problem wasn't the criticism, but the expectation that said criticism invokes a certain behavior of the maintainer.

You can criticize open source maintenance by creating a fork in which you outline your vision (e.g. "much less use of 'unsafe' in the web package") - and deal with the burden of being a maintainer.

Everything else is just trying to force people to do stuff for you, and that's rude.

[weberc2]

FWIW, I don't have a dog in this fight. On the one hand, there is the maintainer who is within his rights to accept or reject patches as he wishes (although it's not great that he's allegedly falsely advertising his project as secure) and you have critics who are within their right to criticize (although it's not great that much criticism is vitriolic, etc). As TFA says, it's a sad affair all around.

> The problem wasn't the criticism, but the expectation that said criticism invokes a certain behavior of the maintainer.

Of course it implies that the maintainer should change. All criticism implies an expectation of change, at least when the opportunity to change is still available.

> Everything else is just trying to force people to do stuff for you, and that's rude.

Criticism isn't "force" or "attempted force". This is just criticism. If you think criticism is rude, that's fine. Hypocritical, but fine.

You can't rationally say the maintainer is within his rights for rejecting security patches and then argue that critics are wrong for criticizing these practices.

[pgeorgi]

> Criticism isn't "force" or "attempted force". If you think criticism is rude, that's fine. Hypocritical, but fine.

No, the attempt to make somebody do what you want by brigading is what's attempting to exert force and what's rude.

Hiding that behind "I'm just criticizing" (you didn't, but it's a popular refrain in such "debates") is more than only rude, it's also cowardice.

> You can't rationally say the maintainer is within his rights for rejecting security patches and then argue that critics are wrong for criticizing these practices.

The author of the package didn't force their code onto the users.

The authors of the criticism forced their criticism on him by throwing it his way in the form of bug reports etc. even when it was clear that there's no interest in it.

[throwaway894345]

> No, the attempt to make somebody do what you want by brigading is what's attempting to exert force and what's rude.

Unless the critics are engaging in threats, intimidation, and/or violence, we're talking about criticism and not force.

> Criticism isn't "force" or "attempted force". If you think criticism is rude, that's fine. Hypocritical, but fine.

No, the attempt to make somebody do what you want by brigading is what's attempting to exert force and what's rude.

> The author of the package didn't force their code onto the users.

No one is arguing this. Weird straw man.

> The authors of the criticism forced their criticism on him by throwing it his way in the form of bug reports etc. even when it was clear that there's no interest in it.

Wow. I really didn't anticipate the "bug reports == force" equivalence.

[jdbernard]

I don't know that I agree with the parent post equivalence of "bug reports == force" but I think there is a point to be made that this wasn't just people speaking poorly or offering criticism. There is a real difference between posting your criticism on a platform you control and filling up the issue tracker used by the project. There is an aspect of coercion in that the maintainer has to choose between expending effort to combat the flood of unwanted issues or abandon the use of the issue tracker. They can't just decide to ignore the criticism.

Re. "The author of the package didn't force their code onto the users," it's not really a straw man. People are arguing that the author has moral responsibility for their use of his code. That ignores the fact that they actively chose to use his code. The only way the author would be morally responsible for their use of his code is if he had forced them to use it somehow. So yes, people are basically arguing this.

[deng]

> Your type of argument could otherwise be used for pretty much everything - even large corporations. It's not useful.

No, if you pay for things, you have a contract and things are immediately different.

[hvis]

No, I am allowed to criticize a corporation which is obviously acting against public good.

Even if I'm not paying them anything.

[makomk]

So basically, if you use open source code in your code, you should expect there to be security vulnerabilities which people know about and are keeping quiet about because it'd be unfair to the unpaid creator to criticise them? Tbat sure makes it sound like it's morally irresponsible to use open-source rather than purchased commercial code in something like a web-facing service in 2020, especially given what we know now about the damage compromises can do and the resulting legal climate.

[komali2]

You can report on security vulnerabilities in a library without being vitriolic.

Find vulnerability. Already, awesome of you to have done. Issue patch request. That's 10x even better, you're a boon to the community. You submit it, it gets rejected, you find out why and it's the maintainer is just not feeling it or some other irrational reason. Fork, put in the readme why you forked, write a blog post without being a dick about it, done.

The article we're talking about is referring to the bloodbath of a Reddit pile-on. That's totally unacceptable behavior from an adult.

[deng]

Please don't twist my words. I never said you have to keep quiet or that you're not allowed to criticize. If you see that a project has serious issues, feel free to write a blog post about it. Maybe offer to help, but don't demand your help being accepted.

[asjw]

> if you use open source code in your code, you should expect there to be security vulnerabilities

You should be able.to fix them yourself

That's the premise of OSS

if you don't want to pay for a cab or a driver, you should be able to drive

[badloginagain]

You can fix them yourself, by duplicating the car and fixing it yourself. You can't force someone else to fix the locks on their car

[aurosul]

The only guarantee OSS gives is

- full access to the source code

- full rights to modify it and use it as it was your own

There's no other guarantee.

So if someone writes some code that becomes highly popular, they have no obligation whatsoever to maintain it the way people want.

They don't even have to maintain it at all, if they don't want to!

It's out in the public, it's free, that's the end of the agreement on the creato's side.

If a writer gave away their writings for free, could people pretend that they write what people want them to write, the way they want?

Is it fair to judge the writer because the answer was "WONTFIX"?

But the reality is worse than that.

A lot of companies are literally making billions using OSS, but they are not paying for it, a lot of programmers are making a lot of money by assembling OSS for their clients, but they are not paying for it, hell most of them are not even contributing in _any_ way, what does entitle them to pretend the attention of the OSS maintainer or that the maintainer should act in a way or another, according to the "community" desires?

[UncleMeat]

Yes. I would expect there to be vulns and inconsistent patching for all OSS that I depend on and where I don't have a professional contract with its maintainers.

[SkyBelow]

>Sure, but that DOES NOT mean you're immune to criticism, especially when it comes to security.

But our society does not just openly accept giving criticism. There are rules. Unwritten and extremely vague ones, no doubt, but still social rules. This is especially so when criticizing something a person is providing for free. In this incident, did the criticism cross the boundary and violate those rules? It seems so. Many people likely gave respectful criticism that followed the rules but they appear to have been drowned out by those who did not.

[HorstG]

Security isn't a special license for being nasty. Criticism is fine, even with some urgency due to security being important.

But software done for free by volunteers carries no obligation of a legal or even a moral kind, whatsoever. This is completely different from selling software or doing work for hire or donations. There a moral and often even legal obligation exists.

[creyes]

The problem here was not that there was criticism, it's the TYPE of criticism (anger, hate etc).

And you know what's a good form of criticism? An issue with an attached PR

[throwlaplace]

no your argument isn't useful. the question is never about rights because we all know what the maintainer's rights are (so it's always a discussion of obligation).

if you accept that the open source projects are voluntary as an axiom then you in fact cannot criticize choices made by the volunteer.

here's an analogy: a homeless person asks for money. you don't give him money but buy him food. can the homeless person rightfully criticize you?

[wgerard]

Here's another analogy:

A homeless person asks for money. You don't give him money but give him some advice. Can the homeless person rightfully criticize you?

You can absolutely criticize choices made by volunteers. I don't think you need to think too deeply about this to imagine situations where few would object to criticizing a volunteer's behavior. An obvious one would be if an open source maintainer willfully included malware/etc. into their project - which, to many people, ignoring glaring security issues is vaguely equivalent.

I obviously don't think vitriol is warranted ever, but criticism obviously is from time-to-time.

[throwlaplace]

what is the relationship of your analogy to this situation? is the maintainer the homeless person in your analogy?

you can criticize all you want as an exercise of your critical thinking faculties but the volunteer is not in anyway obligated to heed the criticism.

"it's my money/time and I'll spend it how I want, which includes burning it"

is the fundamental axiom. Given that that is the foundation what sense would it make to criticize that person for burning the money - it's right there in the premise that they're allowed to!

[wgerard]

> what is the relationship of your analogy to this situation? is the maintainer the homeless person in your analogy?

It's your analogy, you tell me.

> you can criticize all you want as an exercise of your critical thinking faculties but the volunteer is not in anyway obligated to heed the criticism.

Nobody said they were. Nobody's trying to punish the maintainer legally. That doesn't mean criticism won't be offered or warranted.

Here's another analogy: You have a right to be a jerk in real life. Nobody's going to physically or legally stop you, barring extreme circumstances. People will still criticize you for being a jerk, as is THEIR right.

[throwlaplace]

in my analogy you're the homeless person and the maintainer is the charitable person. in your analogy the homeless person is getting advice from ...?

>People will still criticize you for being a jerk, as is THEIR right.

completely specious. code in a github repo is not active participation in society. the fact that it's public does not mean it's been submitted for evaluation in any way. criticizing a thing that wasn't critically submitted is meaningless. it's like calling my practice sketches inferior to commissioned pieces - no shit that's the point!

[wgerard]

> in my analogy you're the homeless person and the maintainer is the charitable person. in your analogy the homeless person is getting advice from ...?

the maintainer?

> completely specious. code in a github repo is not active participation in society. the fact that it's public does not mean it's been submitted for evaluation in any way. criticizing a think that wasn't critically submitted is meaningless. it's like calling my practice sketches inferior to commissioned pieces - no shit that's the point!

Uh, what? By packaging something as a crate, by listing it on crates.io, you're submitting it to be used. If you don't want it to be used or evaluated, at all, why in the world would you publish something as a crate on a public registry?

This is more like submitting your sketches to a public art gallery and then being upset when the public criticizes it.

[weberc2]

I reject the axiom. No one is above criticism provided the criticism is rooted in fact (i.e., defamation is not criticism).

[throwlaplace]

it's not about whether someone is above criticism - it's about whether criticism makes sense in the context of what's being proffered. in another part of this branch of the thread i make the analogy with a an artist's sketch posted to a public art gallery. it's not that you can't criticize, it's that it doesn't make sense to criticize because the artist isn't attempting to achieve anything.

maybe a better analogy is if i play a pickup game of basketball and i get labeled a bad player for not trying my hardest. it's not that the criticism is misplaced it's that it doesn't make sense at all - i wasn't trying to be a good player! i was trying to have fun.

[weberc2]

That’s not the issue at all, and we know this because the project was advertised as secure and the critics were arguing that it wasn’t advertised as such. This is characteristically different than your basketball analogy because it is neither explicit nor implicit that the project was unsuitable for production. Drew is arguing that the criticism is invalid because maintainers are within their rights to even lie about their projects because all responsibility lies downstream. Note that security DOES indeed lie downstream, but Drew is mistaken for arguing that this downstream responsibility immunizes maintainers from such criticism. This is a non sequitur.

I don’t understand the desire to make this out to be a sort of dichotomy—both groups have the right to do what they did (the maintainer to reject patches and even allegedly lie about the security properties of his project and the critics to criticize even in bad taste) and both parties could have handled it better. TFA did a fine job for implicitly acknowledging this by simply referring to the situation as sad all around.

[throwlaplace]

>That’s not the issue at all, and we know this because the project was advertised as secure

this is so weird to me. i have a really difficult time on hn often because i don't understand why people that claim to be intelligent can't distill out the fundamental/primary issues.

it's a free/proffered/donation/voluntary/no strings attached piece of code. that is the first thing that defines its use/understanding/existence/ontology whatever other words. everything else is contingent upon that. you can debate this point - you can say something about the social contract of open source software and your responsibility to the community if you yourself have benefited from other open source projects and etc but no one is debating this. everyone is debating aposteriori things.

if i put a mattress out on the street with a sign "no bed bugs" and you pick it up and it has bed bugs in can you be mad at me? can you take action against me?

i don't know what kind of framework i need to appeal to in order to underscore this issue so that people address it directly instead of things further down the line. i would really appreciate someone showing me how to either do this (put the focus on the thing i'm engaging with) or tell me why i'm wrong for focusing on that.

[throwaway894345]

> this is so weird to me. i have a really difficult time on hn often because i don't understand why people that claim to be intelligent can't distill out the fundamental/primary issues.

I feel the same way, but not about /u/weberc2's post.

> it's a free/proffered/donation/voluntary/no strings attached piece of code. that is the first thing that defines its use/understanding/existence/ontology whatever other words. everything else is contingent upon that.

This is another of your own axioms. These aren't universal. In particular, if a maintainer states or otherwise implies that his project is secure and suitable for production and then behaves otherwise, criticism is warranted. Even if he doesn't, criticism is still permissible.

> you can debate this point - you can say something about the social contract of open source software and your responsibility to the community if you yourself have benefited from other open source projects and etc but no one is debating this. everyone is debating aposteriori things.

No one is debating this because it's not necessary. The maintainer's explicit assertions about his project (its security, etc) override implicit "social contract" responsibilities.

> if i put a mattress out on the street with a sign "no bed bugs" and you pick it up and it has bed bugs in can you be mad at me? can you take action against me?

Not sure, but I can certainly criticize you.

> i don't know what kind of framework i need to appeal to in order to underscore this issue so that people address it directly instead of things further down the line. i would really appreciate someone showing me how to either do this (put the focus on the thing i'm engaging with) or tell me why i'm wrong for focusing on that.

In general your arguments are based on your own axioms. If your axioms aren't widely-shared, then you will run into these sorts of disagreements.

[endorphone]

This has been the argument throughout the various discussions -- that somehow if there isn't a payment structure between party A and party B, there is full immunity from criticism, questioning, expectations, etc. It is absolutely insipid and is a logical non-starter that doesn't pass the most basic of considerations. Yet it keeps recurring. It's bizarre.