I can’t tell you how angry this makes me feel for this maintainer.

I don’t know who Jigar Kumar is, or what the motivation was behind the emails that the author is referencing, but I can tell you that if I were trying to get a bad actor in as a trusted developer, this is how I would approach it.

Good post.

https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

A Microcosm of the interactions in Open Source projects | RobMensching.com

Originally a thread on Twitter about the xz/liblzma vulnerability, when I finished typing it, I realized I had a real world slice of Open Source interaction that deserved more attention.

@jerry As a group admin for a FOSS CMS, I feel this in my bones.
@jerry I was discussing this earlier: it feels like all the vitriol FOSS devs get might be part of a wider campaign to take over their projects for supply chain attacks. Not saying all the abuse is for this reason, but part of it likely is, I believe.
@jerry I assume it's the same person (but certainly in the employ of the same organization, if not the same person). They were nice and helpful as Jia, and abusive and toxic under another name. Classic manipulation tactic used by cops and interrogators. Break someone down and then someone else comes in to relieve the pain.
@jerry I'm guessing just another sockpuppet of the original attacker. This kind of pressure from several sockpuppets seems to be part of the MO of the attacker; see the Debian bug in which they were pushing hard for the update to 5.6.1 that fixed the valgrind warning caused by the exploit, with several users who all appear to be sockpuppets: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
#1067708 - xz-utils: New upstream version available - Debian Bug report logs

@jerry Saying no is part of the gig as a manager, important as an IC, but damn if it's not a superpower as an OSS maintainer.

(personally, I'm a huge fan of sending the GitHub docs on how to fork a repo, but I guess I can be a jerk sometimes)

From now on, every beleaguered solo #FOSS maintainer should rebut each and every nasty, inhumane pressure campaign by referencing this attack on #xz:

« Nothing is so urgent that it cannot be done safely. Articulate substantive technical issues in an issue; then take a number, and remove such unconstructive personal invective to more appropriate forums than this project's mailing list or issue tracker. »

I would further amend my Code of Conduct to prohibit disparagement of a maintainer's "productivity":

« This project honors the legacy of #LasseCollin and the #xz infiltration. Manufactured urgency criticizing a maintainer's throughput, dedication, or competency to keep pace with specious "community demands" will be regarded as hostile social engineering, and harshly sanctioned (permabanned). »

@jerry

I despise feature creep because it increases the size of the codebase and allows new bugs to surface like cicadas.

If it is not broke, then don't fix it.

@jerry Heartbreaking interaction, such rotten behaviour.

@jerry

We need a system that pays people based on adoption of their project. A system that moves us towards an honest-to-God meritocracy.

This getting paid to sell other people's stuff, pollute, and steal others effort thing sucks.

If only it was so simple.

@BlueBee @jerry well, we have a system - you go get a job at a corporate entity that pays you to maintain open source - and provides professional services, like HR and an engineering structure, healthcare, and an environment where you get to talk to other human beings who share the same pain points, etc. Solo devs and maintainers hate it, resist it, disparage it, and produce phenomenal work without it - until the passion becomes drudgery. Maybe they could work together?

@quantumg @jerry

From someone who has been trying to climb that crap.

It ain't working.

Maybe it is where you are, but over here, making stuff worthwhile just means that someone else gets the credit.

And I've been ready to work for a minute and instead I'm wasting months on a job search.

Look, I literally can't think of an analogue for how 'not working' this system is.

@jerry Eye opening, thanks for sharing!