FFmpeg to Google Fund Us or Stop Sending Bugs: https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/ by @sjvn

The clash between small, volunteer-driven open-source projects such as FFmpeg and the billion-dollar companies built on their work, which demand rapid security patches, is heating up.

FFmpeg to Google: Fund Us or Stop Sending Bugs

A lively discussion about open source, security, and who pays the bills has erupted on Twitter. 

@sjvn sometimes, in my personal projects, when someone acts like I owe them something by virtue of having made and published the project, I do this:
https://github.com/grishka/NearDrop/issues/198
App broke under macOS 15.4 UPDATE · Issue #198 · grishka/NearDrop

App not recognized when trying to share with Android, R&R App same result, happened after the update

@grishka @sjvn this is insane. Submitting bugs on GitHub, then brushing off your suggestion of fetching logs??? Not even an iota of empathy or an attempt at doing better. I'm sorry you are dealing with that.

@Antacon @grishka @sjvn shit like this is why I see more projects than ever limiting issue submissions to support subscribers only...

  • Also people who report bugs but then refuse to reply to comments or even remotely work towards making them reproducible are just a waste of time.
@kkarhan @Antacon @sjvn I mean I do have a canned reply for when someone reports a crash in the Mastodon Android app but I can't reproduce it and their issue doesn't include a crash log. But yeah if they aren't interested in participating in the troubleshooting, I'm just ignoring them. I usually keep such issues open because someone else, who would be more cooperative, might experience the same problem and provide the missing details.

@grishka @Antacon @sjvn Personally I also keep issues open but will give them a specific tag like "waiting for reply" as a placeholder.

  • I really hate the stale shit and especially #StaleBot (like #StarBot) should be outlawed!
@kkarhan @Antacon @sjvn I've even seen big corporations do that in their public-facing bug trackers, iirc JetBrains has something like this

@grishka @sjvn

Put a line in your issue template for a paypal transaction ID. Maybe even offer to refund it if they make a decent bug report with logs and how to reproduce it.

Only half joking.

@unixorn
Yes. THIS.
Create an actual business relationship where the dev gets paid and the user gets their bug fixed.
Much better than this BS.
Maybe have a bounty for each bug that users who are having the same problem can add to.
@grishka @sjvn
@grishka @sjvn it's crazy how people view GitHub issues as a way to get people to do work for them for free
@tarix29 @sjvn or as a general-purpose feedback form. And in my own experience, 95% of those accounts will have empty profiles without as much as a face on the profile picture
@grishka
Because they are end users who don't know how computers work, who don't use GitHub and therefore just made an account to post about the problem they were having?
For chrissakes not everyone has the knowledge you do. Many don't even have the knowledge I do. You do realize that right?
This isn't about people trying to "exploit" you. They are just trying to get their bug fixed. That guy probably genuinely misremembered that he gave you some money for it.
@tarix29 @sjvn

@grishka @tarix29 @sjvn +1

Like this POS who publicly failed to blackmail me from calling him out!

kromonos - Overview

Webdeveloper and Linux Systemadministrator. kromonos has 9 repositories available. Follow their code on GitHub.

@grishka @sjvn that thread just pissed me off! Good response to this jerk!

@sjvn "You may never have heard of FFmpeg, but you’ve used it."

Joke's on them, not only have I heard of it, I have it installed on my Personal Computer

Fr tho the rest of the article is pretty good, I've heard similar things from @bagder about corpo goons trying to treat open source devs like unpaid interns

@sjvn I think it's unclear what's preventing ffmpeg devs from just ignoring these bug reports.

Like, if GPZ were to publish the details of an unfixed vuln in a rarely-used feature of ffmpeg, there shouldn't be much impact on real users, most of the pain would be with the CVE-obsessed corpos that use ffmpeg in their products, right?

@wolf480pl @sjvn I'd guess there's a lot of CVE-obsessed corpos, so it amplifies the spam about useless CVEs.
After all there's often the box ticking thing of "Zero known CVEs with this version number", which is bullshit but that's corporate for you.

@lanodan @sjvn
Right, so they'd have to survive a wave of corpos asking about the CVE and tell all of them to send a patch or gtfo....

Maybe they could create an issue on their issue tracker with the details of the vuln, and info why it's not a priority and that they lack resources to fix it.

Then send all the angry corpos a link to that issue, and disable notifications.

@lanodan @sjvn
I see three possible outcomes:
- the corpos eventually make a patch
- the corpos fork ffmpeg
- the corpos remove ffmpeg from all of their products

I don't think any of those would be tragic, though getting there might be painful :/

@lanodan @sjvn
Oh, also I don't blame corpos for having a "zero unfixed CVEs" policy for the simple reason that CVE metadata is not sufficient to effectively filter out things that don't affect you.
@wolf480pl @sjvn Well, it means they have to read and understand what's in the CVE, which can sometimes be hard but that's also why support companies (RedHat, Freexian, …) exist.
@lanodan @sjvn
is there one for pypi?
@wolf480pl @sjvn Pypi specifically is kind of weird (you'd want to cover the whole stack) but there probably is, I barely do Python.

@lanodan @sjvn
ok but like

Assume I have an OS that has unattended security updates.

And I run a web backend written in python on that host.

And it has requirements.txt

And I create a virtualenv and venv/bin/pip install -r requirements.txt before running my backend.

And I want someone to go through requirements.txt, and find all libs that have vulns, and go through my code, see how I use those libs, and tell me which I need to update.

@lanodan (and also you can assume the database is managed by someone else (AWS) and the web frontend is untrusted anyway, or maybe even has no javascript)
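The triage wolf480pl describes above (read requirements.txt, match pinned versions against known-vulnerable ranges, then look at how the application actually uses each library) can be scripted for the easy part. The block below is an added example, not code from the thread, from FFmpeg or from any real project: the advisory records, package names, requirements file and application source are all constructed and hypothetical, and the "EXAMPLE-" identifiers are not real CVEs. In practice the advisory data would come from a feed such as OSV (and tools such as pip-audit do the version matching), but the reachability step is the part no metadata gives you.

```python
"""Triage pinned Python dependencies against a constructed advisory list.

Added example for the thread above; not from any project. All advisory
data, package names and sample files below are constructed (hypothetical).
"""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str            # hypothetical advisory id, not a real CVE
    package: str          # hypothetical PyPI package name
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive)
    affected_import: str  # module whose use is needed to hit the bug


# Constructed advisories for made-up packages.
ADVISORIES = [
    Advisory("EXAMPLE-2025-0001", "examplelib", "1.0.0", "1.4.2", "examplelib.xmlparse"),
    Advisory("EXAMPLE-2025-0002", "otherlib", "2.0.0", "2.3.0", "otherlib.render"),
    Advisory("EXAMPLE-2025-0003", "thirdlib", "0.1.0", "0.9.0", "thirdlib.auth"),
]

# Constructed requirements.txt, as pip would read it.
REQUIREMENTS_TXT = """\
# constructed requirements.txt
examplelib==1.3.0
otherlib==2.2.1
thirdlib>=0.5   # unpinned: cannot be matched against a fixed range
"""

# Constructed application source: the "how do I use those libs" input.
APP_SOURCE = """\
from examplelib import xmlparse
import otherlib.templates
"""


def parse_version(v):
    """'1.4.2' -> (1, 4, 2); good enough for plain numeric versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text):
    """Return {package_name: pinned_version or None if not pinned with ==}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
            continue
        name = re.match(r"[A-Za-z0-9_.-]+", line)
        if name:
            pins[name.group(0).lower()] = None
    return pins


def imported_modules(source):
    """Dotted module names imported by `source`, found with the ast module."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module)
            # `from pkg import sub` may be a submodule: record pkg.sub too
            mods.update(f"{node.module}.{a.name}" for a in node.names)
    return mods


def version_affected(adv, version):
    """True if version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def triage(requirements, source, advisories=ADVISORIES):
    """Return [(advisory id, package, verdict)] for every advisory that names
    a package present in requirements."""
    pins = parse_requirements(requirements)
    mods = imported_modules(source)
    findings = []
    for adv in advisories:
        pkg = adv.package.lower()
        if pkg not in pins:
            continue
        version = pins[pkg]
        reachable = any(m == adv.affected_import or m.startswith(adv.affected_import + ".")
                        for m in mods)
        if version is None:
            verdict = "unpinned: pin the version and re-check"
        elif not version_affected(adv, version):
            verdict = "not affected: pinned version outside the range"
        elif reachable:
            verdict = "affected AND reachable: update"
        else:
            verdict = "affected but vulnerable module not imported: lower priority"
        findings.append((adv.ident, pkg, verdict))
    return findings


if __name__ == "__main__":
    for row in triage(REQUIREMENTS_TXT, APP_SOURCE):
        print(*row)
```

The reachability check is only a static look at direct imports: if `otherlib.templates` calls `otherlib.render` internally, the "lower priority" verdict is wrong, which is exactly why lanodan's point stands that someone has to read the advisory and the code rather than trust version metadata alone.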
@wolf480pl @sjvn Except quite a lot of python projects (even more common since the Rust rewrite craze) have code and dependencies which aren't just purely Python.

Python isn't an OS, it's just one language in a big stack.

@lanodan @sjvn
right, but those are usually compiled by pip still?

Like you install build-essentials on the host OS, and then pip will take care of compiling all the rust code?

@wolf480pl @sjvn build-essentials is for C code, while Rust is pretty much exclusively through cargo and not part of the distro libraries.
@lanodan
do I have to install it manually, or does pip call cargo under the hood?
@wolf480pl @lanodan @sjvn
the fourth possible outcome:
- the corpos "recreate" ffmpeg as a closed source alternative using LLMs
@ki
ffmpeg is not AGPL, they can always make a private fork and not tell anyone, no need to wash it through LLMs
@lanodan @sjvn
@wolf480pl
there's never a need for LLMs, but corpos love them
@wolf480pl @ki @lanodan FFmpeg would be very hard to fork for one simple reason: It's largely written in assembly language.

@wolf480pl
Or don't even link them.

If they want info they can pay for that too. There's no reason to act with good faith towards someone who's taking advantage of you

@lanodan @sjvn

@pixx
It's not about good faith, it's about redirecting them to a place where you can't hear them, so that you don't get overwhelmed with emails.
@lanodan @sjvn

@wolf480pl @lanodan @sjvn

Just don't read them /shrug

@pixx @wolf480pl @sjvn Heh, reminds me of why I avoid forges, very easy to just press one key in a mail client to send it into the spam folder :D
@wolf480pl Lmao classic corporate dodge: “We value your input, here’s a form that goes straight to /dev/null.” Not about silencing dissent, nah—it’s mental health for the inbox. Can’t be overwhelmed if you yeet the noise into a black hole labeled “community feedback portal.” “Escalate to tier-2 support” = “touch grass, we’re done here.” Same energy as muting group chats but with extra HR steps. They’re not ignoring you, bro… they’re curating their sanity.
@sjvn @sjvn Golems with golden heads and clay legs…

@sjvn

they are just going to buy them and corrupt them.

@sjvn add more bugs that specifically break Google’s systems and nothing else

@BartV @sjvn it would be possible to integrate an "#AntiGoogleDRM" that'll brick #FFmpeg if it's run on a machine with a public IP in Google's ASN and transcode all files into "This is an unlicensed Version of FFmpeg!" with an "Unregistered BandiCam" style, non-transparent overlay on top.

  • Tho such maliciousness would make it untrustworthy in many eyes.

Instead, I'd recommend to set up a #bot that demands "Proof of active support subscription" and will just close the ticket if not ban the issue creator if they reopen tickets without a public #gist that shows their account-unique License & Pubkey!

  • Some projects already limit #BugReports & #Issues to 'subscribers only' and I think that's only fair: #FLOSS does explicitly come with no warranties whatsoever and those that demand these have to pay for them!
@kkarhan @sjvn I don't agree that making bug reporting a paid privilege is a good solution: there's nothing wrong with regular users submitting issues they find, and blocking them is against the open source spirit. The problem here is a billion dollar company refusing to fund a piece of cornerstone tech.

@BartV @sjvn I don't disagree with you on that part.

Google expecting #FLOSS to do enterprise-grade SLAs at no compensation is as antisocial as if #Musk were to clear out the "Free Community Fridges" on his way home because he can't be assed to go to Walmart or Costco or pay someone to do it for him…

@sjvn "Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them."

Why are you still here, Google?

@sjvn You should talk to @Di4na about open source sustainability

He has far more insight and experience than a bunch of folks from big tech

@joshbressers @sjvn contact available on DM or on my website https://www.softwaremaxims.com/
Musings about software

The Blog of Thomas Depierre, Elixir and DevOps consultant.

@sjvn fuck this. If Google won't donate, I will. I just did, in fact.
@sjvn This is off topic but why is #ffmpeg still active on fascist Xitter and not at all on the fediverse? This isn’t painting them in sympathetic light.
@sjvn Google's response is so disgusting and disrespectful Christ almighty

@sjvn, in what way are they sending bugs? Are they causing faulty commits to be made, or something?

Stupid journalistic error. This is about bug reports, not bugs.

@lp0_on_fire @sjvn

Yeah confused me for a minute too.

@Phosphenes @lp0_on_fire Sigh. I know. Here's a journalism secret: Writers don't write headlines, editors do.
@sjvn Hey, I've got the source. Send me a PR to resolve, and a check for $10,000, and I'm happy to help.

@sjvn this is actually very simple to solve:

  • Make #Support paid-only and reject submissions from non-subscribers.

This is something an increasing number of #FLOSS projects do: Rejecting submissions of non-allowlisted users without a valid #SupportSubscription at time of submission!

  • So if #Google is literally demanding an #SLA they should OFC pay for that.

Anything else is just being a rich asshole corporation leeching!

@sjvn
Just like people pay for the SLA of their #FireBrigade via #taxation and the #FireInsurance which has to cough up the cost of Firefighter Deployments in case of a Fire.
@sjvn Now look here- big tech didn't lay all these people off just so it could fund open source!