The abusive behavior that was being used to manipulate Lasse Collin into bringing on more maintainers for #xz went unnoticed because abusive behavior in Open Source communities is so pervasive. In context, we can clearly see it was part of an orchestrated operation. Out of context, it looks like just another asshole complaining about stuff they have no right to complain about. https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
A Microcosm of the interactions in Open Source projects | RobMensching.com

Originally a thread on Twitter about the xz/liblzma vulnerability, when I finished typing it, I realized I had a real world slice of Open Source interaction that deserved more attention.

@swelljoe I am worried that this now leads to more problems for 'Lone Wolf' projects. People won't let other people in because of fear, burning out sooner.

What we need is actually the contrary. More eyes looking on code. Put the burden on more shoulders. Let other committers in *early* in a project lifecycle. I presume that *most* people don't have ill intent. Even if something bad happens it can be found and fixed *when enough people are looking at the code*.

@cehteh I mean, nothing is good about this situation. We were reminded of lots of worrying things about the OSS ecosystem.

I don't think it's anything new, though. I mean, we didn't learn about this vector of attack from this event, we knew it was possible (likely, inevitable, even). And, we're kind of preaching to the choir in saying this isn't a sustainable or healthy way to make software. But, the solutions require sustained support at a scale that's not possible for small projects.

@cehteh you're absolutely right that becoming more insular and closed off to outside contributions isn't the solution. But, having to be ever vigilant against hostile actors adds to the stress of the already mostly thankless job of maintaining software on a shoestring for years.