Jerry Bell :verified_paw: :donor: :verified_dragon: :rebelverified:

I can’t tell you how angry this makes me feel for this maintainer.

I don’t know who Jigar Kumar is, or what the motivation was behind the emails that the author is referencing, but I can tell you if I was trying to get a bad actor in as a trusted developer, this is how I would approach it.

Good post.

robmensching.com/blog/posts/20

20 comments
Alison Meeks

@jerry As a group admin for a FOS CMS, I feel this in my bones.

Luigi :donor:

@jerry I was discussing this earlier: it feels like all the vitriol foss devs get might be part of a wider campaign to take over their projects for supply chain attacks. Not saying all the abuse is for this reason, but part of it likely, I believe

Ken Marable

@luigirenna @jerry Some of it, perhaps, but also that thinking makes it far too easy to shift the blame to the bad actors. The "community that desires more" here needs to take a long look at itself and the role it plays in enabling this.

Because even if the "Jigar" account is a sockpuppet of the bad actor, the "Dennis" responses are all too common for ordinary entitled users who see Open Source as something to consume rather than something to support.

We cannot lose focus of that problem.

Nullstring 🏴‍☠️

@jerry @luigirenna I think the environment is ripe for it, but the environment came first.

Scott Francis

@jerry thanks, I hate it

(absolutely hit the nail on the head, the pattern here is so old and established as to be the expected behavior online - leveraging expected crappy behavior as a means to sneak in a bad actor is clever in a horrid way.)

(on holiday) Multiverse Mike

@jerry literally every day working as an online indie game developer of a passion project that also has a real job and a family ... 😔

Joe Cooper 💾

@jerry I assume it's the same person (but certainly in the employ of the same organization, if not the same person). They were nice and helpful as Jia, and abusive and toxic under another name. Classic manipulation tactic used by cops and interrogators. Break someone down and then someone else comes in to relieve the pain.

Brian Campbell

@jerry I'm guessing just another sockpuppet of the original attacker. This kind of pressure from several sockpuppets seems to be part of the MO of the attacker; see the Debian bug in which they were pushing hard for the update to 5.6.1 that fixed the valgrind warning caused by the exploit, with several users who all appear to be sockpuppets: bugs.debian.org/cgi-bin/bugrep

A feral Natalie

@jerry Saying no is part of the gig as a manager, important as an IC, but damn if it's not a superpower as an OSS maintainer.

(personally, I'm a huge fan of sending the GitHub docs on how to fork a repo, but I guess I can be a jerk sometimes)

DELETED

@jerry I'm beyond pissed right now for the maintainer.

Jerry Bell :verified_paw: :donor: :verified_dragon: :rebelverified:

@alex_02 the email exchanges were very troubling - hard not to feel for the maintainer.

DELETED

@jerry yeah I can't even put my anger into words.

Jobu Tupaki

from now on, every beleaguered solo #FOSS maintainer should rebut each and every nasty, inhumane pressure campaign by referencing this attack on #xz:

« Nothing is so urgent that it cannot be done safely. Articulate substantive technical issues in an issue; then take a number, and remove such unconstructive personal invective to more appropriate forums than this project's mailing list or issue tracker. »

Jobu Tupaki

i would further amend my Code of Conduct to prohibit disparagement of a maintainer's "productivity":

« This project honors the legacy of #LasseCollin and the #xz infiltration. Manufactured urgency criticizing a maintainer's throughput, dedication, or competency to keep pace with specious "community demands" will be regarded as hostile social engineering, and harshly sanctioned (permabanned). »

SpaceLifeForm

@jerry

I despise feature creep because it increases the size of the codebase and allows new bugs to surface like cicadas.

If it is not broke, then don't fix it.

daryl

@jerry heartbreak interaction, such rotten behaviour

BlueBee

@jerry

We need a system that pays people based on adoption of their project. A system that moves us towards an honest to God meritocracy.

This getting paid to sell other people's stuff, pollute, and steal others' effort thing sucks.

If only it was so simple.

Trent Waddington

@BlueBee @jerry well, we have a system - you go get a job at a corporate entity that pays you to maintain open source - and provides professional services, like HR and an engineering structure, healthcare, and an environment where you get to talk to other human beings who share the same pain points, etc. Solo devs and maintainers hate it, resist it, disparage it, and produce phenomenal work without it - until the passion becomes drudgery. Maybe they could work together?

Nick Selby :donor:

@jerry Wow. That is a great piece. Thanks for sharing, which I will, now, as well.
