by stavros 810 days ago
Why? I wish people would put their projects in something like https://www.codeshelter.co so anyone who's interested can maintain them, instead of just killing them.
7 comments

You can maintain it right now. Make a fork, and continue development. You might even get some shoutout from the original devs. It's all open source after all, making this repo read-only doesn't mean the project's dead if the community is vibrant enough.
The community matters. It's one thing to get control of the official websites, official packages, etc, and another to have to tell every single user "come use my fork".
But this is dangerous. There are many „Jia Tans“ out there who would love to continue maintenance of those projects with the full community.
There are accidents on the highway, planes crash, fires in buildings, etc. Let's reason about Jia Tan - a problem, not a danger to all of FOSS - not, like everything else these days, just embrace ignorant fears.

It's cool to destroy social trust, to deny it and abandon it. The counterargument is right in front of your nose - the incredible, infinite, world-changing world of FOSS. Think of all those amazing projects, social trust working over and over and over.

You're going to throw all that out over one guy? The only thing we have to fear is fear itself.

This is not what I meant. But I prefer a fork of an abandoned project which needs to gain new trust to be installed instead of a new release pushed through an auto update after 3 years that installs malware.

The parent comment was not about someone from the community taking over (which to be honest was the case in the xz story) but about posting the project on a „projects without maintenance“ site for any random person to take control.

That all makes sense. I agree about the fork.
Yeah, we always knew there were. Open source can't stop existing because there are bad actors.
So you're saying that if projects continue choosing to sunset without handing over the keys to the kingdom, open source will stop existing?

This is simply not even close to true.

Edit: I can't reply to your reply, so here will do. You've completely ignored my main point. I get that you want projects to pass on the torch, but saying open source will otherwise die is ridiculous.

"Continue choosing to sunset"? A large number of projects do not sunset; they get passed on instead.
And the author is pretty explicit about this:

> "But I want and can maintain it, can I take it over?" Let me put it plain and simple: No! I don't know you, I don't trust you! Fork it and carry on!

For something security critical like a VPN, an ownership change is a big deal. Users trust the project's reputation. So if there is not a trusted successor, shutting it down is way better than giving it up to unknown people.

So you want someone else to run it so you can just be part of a community? Seems selfish.
That's not what they meant at all, don't be obtuse. The community exists around the project (in this case the repo and associated website etc). If you fork it then you have to hope that the community follows you to your fork and that then everyone coalesces around it. This isn't guaranteed to work though, so passing the existing project onto a new maintainer is a much better way of retaining the existing community. That is what was meant when talking about the community.
The earlier comment is concerned for the users being orphaned by the project they used. The project is concerned with protecting the trust the users placed in the project by using it.

To trivialize the concern of the project seems worse because it prioritizes convenience in a particularly sticky area (security/privacy) as well as forcing a less informed choice on the user (who they are trusting).

There's probably a nice parallel here where we consider the NRL's role in Tor and how FOSS practices, EFF funding, and transparency meant it preserved user trust.

Isn't xz a prime example of why we don't just hand over the reins anymore? Like the guy said, they can just fork it.
They can still fork the project and continue maintaining it if they want. Nobody's stopping them.
Do you, as the project maintainer and possibly even founder, trust these people?
The maintainers are vetted before joining, and are removed if they do something untoward, but when the choice is between killing the project or giving it to some random person, Code Shelter provides a better alternative.
What if they pass the joining process but then later sneak something in that goes undetected until things go boom? There are alternatives, you can fork the original project, and things will go on. As others have said too, you can just update the underlying software and there's a good chance that the wrapper itself will continue functioning, providing there are no giant breaking changes and by that point, a fork or alternative will likely have handled it.
What if there's no joining process, and they contact a maintainer directly, and peer pressure them to hand over the project, and the maintainer does, and then they sneak a backdoor in some binary test files?
That scenario is exactly what PiVPN is avoiding by refusing to nominate a new maintainer and telling interested parties to fork--so what is your actual and concrete objection?

Fork the project. Earn your own trust.

> so what is your actual and concrete objection?

This:

> I wish people would put their projects in something like https://www.codeshelter.co so anyone who's interested can maintain them, instead of just killing them

The project can be forked with a single click. That’s the beauty of GitHub.
That's actually the beauty of git, and any other DVCS. It's one click to "fork" with lots of other forges as well.
Where do you click second to make all the (dozens of) contributors even be aware of your first single click?
It is not killed, anyone can pull the repo and work on it.
He did mention in his post that he's not gonna hand over the project to someone he doesn't trust.