logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Dependencies-and-maintainers.md (4590B)

    

  1. ---
  2. date: 2020-02-06
  3. layout: post
  4. title: Dependencies and maintainers
  5. tags: [philosophy, free software, maintainership]
  6. ---
  8. I'm 34,018 feet over the Atlantic at the moment, on my way home from FOSDEM. It
  9. was as always a lovely event, with far too many events of interest for any
  10. single person to consume. One of the few talks I was able to attend[^1] left a
  11. persistent worm of thought in my brain. This talk was put on by representatives
  12. of Microsoft and GitHub and discusses whether or not there is a sustainability
  13. problem in open source ([link][fosdem archive]). The content of the talk,
  14. interpreted within the framework in which it was presented, was moderately
  15. interesting. It was more fascinating to me, however, as a lens for interpreting
  16. GitHub's (and, indirectly, Microsoft's) approach to open source, and of the
  17. mindset of developers who approach problems in the same ways.
  19. [fosdem archive]: https://fosdem.org/2020/schedule/event/foss_sustainability_issues/
  20. [^1]: And strictly speaking I even had to slip in under the radar to attend in the first place — the room was full.
  22. The presenters drew attention to a few significant crises open-source
  23. communities have faced in recent years — left-pad, in which a trivial
  24. library was removed from npm and was unknowingly present in thousands of
  25. dependency graphs; event-stream, in which a maintainer transferred project
  26. ownership to an unknown individual who added crypto mining; and heartbleed, in
  27. which a bug in a critical security library caused mass upgrades and panic
  28. — and asks whether or not these can be considered sustainability issues.
  29. The talk has a lot to dissect and will frame my thinking and writings for a
  30. while. Today I'll focus on one specific problem, which I called attention to
  31. during the Q&A.
  33. At a few points, the presenters spoke from the perspective of a business which
  34. depends on up to thousands of open-source libraries or tools. In such a context,
  35. how do you prioritize which of your thousands of dependencies requires
  36. attention, for financial support, contributions upstream, and so on? I found
  37. this worldview dissonant, and asked the following question: "why do you have
  38. thousands of dependencies in the first place?" Because this approach seems to be
  39. fast becoming the norm, this may seem like a stupid question.[^2] If any Node
  40. developers are reading, scan through your nearest node_modules directory and see
  41. how many of these dependencies you've even heard of.
  43. [^2]: If so, you may be pleased by a Microsoft's ridiculous answer: "we have 60,000 developers, that's why."
  45. Such an environment is primed to fail in the ways enumerated by this talk.
  46. Consider the case of the maintainer who lost interest and gave their project to
  47. an untrusted third party. If I had depended on this library, I would have
  48. noticed long ago that the project was effectively unmaintained. It's likely that
  49. I or my peers would have sent patches to this project, given that bugfixes would
  50. have stopped coming from upstream. We would be aware of the larger risk this
  51. project posed, and have studied alternatives. Earlier than that, I would
  52. probably have lent my ear to the maintainer to vent their frustrations, and
  53. offered my help where possible. 
  55. For most of my projects, I can probably list the entire dependency graph,
  56. including transitive dependencies, off of the top of my head. I can name most of
  57. their maintainers, and many of their contributors. I have shaken the hands of
  58. these people, shared drinks and meals with them, and count many of them among my
  59. close friends. The idea of depending on a library I've never heard of, several
  60. degrees removed via transitive dependencies, maintained by someone I've never
  61. met and have no intention of speaking to, is *absolutely nuts* to me. I know of
  62. these problems well in advance because I know the people affected as my friends.
  63. If someone is frustrated or overworked, I'm right there with them trying to find
  64. solutions and correct the over-burden. If someone is in dire financial
  65. straights, I'm helping them touch up their resume and introducing them to
  66. companies that I know are looking for their skillset, or helping them work on
  67. more sustainable sources of donations and grants. They do the same for me, and
  68. for each other.
  70. Quit treating open-source projects like a black box that conveniently solves
  71. your problem. Engage with the human beings who work on it, participate in the
  72. community, and *make* it healthy and sustainable. You shouldn't be surprised
  73. when the 3 AM alarm goes off if the most you see of a project is a line in your
  74. `package.json`.