I've always been a fan of "pull requests welcome" when someone asks me for something.
this post was submitted on 31 Mar 2024
586 points (97.6% liked)
Open Source
31070 readers
677 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
That doesn't apply as a solution here. After all Jia Tan did make pull requests, the pressure came later.
The problem is when people then open huge PRs and expect you to take time to review them, then eventually merge them.
Especially when it's something you don't want in your codebase because it introduce a big unnecessary "refactoring" or a feature that you don't want to have to maintain forever.
I can’t imagine just opening a giant PR without having extensive contact and coordination with the maintainer. Almost any amount of incremental safe steps would be preferable to a giant PR, even with extensive communication. I once introduced fully strict typescript into a vanilla js codebase and it took dozens of small PRs to do so. It was made more complicated by the fact that it was a library, but still. The communication made the entire process smooth and let everyone be confident the changes were correct along the way. If I’d done it all at once without any coordination, it would have been faster for me, but at the cost of the maintainer’s sanity and time.
The point is that saying "pull requests welcome" is still work for the maintainer, because now you have to have these discussions with potential contributors, sometimes explain them why you don't want to maintain the feature, or explain them why this PR is not the way you want...
So either way it's work, it's important to keep in mind before saying "just send a PR".
Anyone pushing you to do something you don't understand, or understand poorly. I could see an actual security researcher pushing for a code update to fix a vulnerability.
Heck, even as an occasional contributor I take some pride in seeing my fixes etc make it into the mainline codestream.
But yeah, you definitely need to be wary of somebody you only know from online pushing a change that doesn't make sense or you don't understand.
Anyone pushing you to do something you don’t understand, or understand poorly.
This was taught to me in my bank teller training back in 19-dickety-two. Don’t let someone try to rush you or to obfuscate/over-complicate things.
I've always taken this attitude towards pushy people and tbh this is more or less why. Being pushy like this is inherently suspicious as fuck.
I think it can depend on how and why you're being pushy too. I've definitely had to have my fair share of passionate conversations and strongly advocating (yes, you could say pushing) for what I believe is best for the direction of a project with my fellow maintainers, especially when it comes to important things (like how to handle specific security issues etc since there's not always one way of handling it). Generally speaking though you're right.
Yeah, that's fair, there are driven people, and people who are pushing for something, right, but in this case, look at the language used:
Progress will not happen until there is new maintainer. XZ for C has sparse commit log too. Dennis you are better off waiting until new maintainer happens or fork yourself. Submitting patches here has no purpose these days. The current maintainer lost interest or doesn't care to maintain anymore. It is sad to see for a repo like this. [src]
Tons of emotional button-pushing and pressure, but not on technical grounds. Just trying to make the dev feel crappy about themselves.
It's a hard call at end of day. If you want it to all be privacy respecting and open source and decentralised then you're almost guaranteeing you won't make money from it.
The alternative is ad based software that's free which is also garbage.
Hard to find the balance between the two, can't think of many examples if any that actually work besides just making a paid product that's very good and hope it's better enough than the rest to be successful. But even then you likely will have to cross lines because you're just relying on viral luck at that stage.
as a non developer myself, to my understanding, the vulnerabilities were implemented in test binaries?
If so, i question why those were shipped to the client. Unless they were built into the package itself on the mirror, in which case, still curious as to why that would be. I would think tests are entirely benign and do nothing. Seems like it would be incredibly bad practice to do otherwise?
Seems like an obvious vector to shutdown any potential fuckery. But what do i fucking know.
The compile process was modified to decrypt and unpack the "corrupted" test zip file, which was actually a code patch, and apply said code patch before assembly of the final binaries.
hmm ok. Yeah idk, even from an organization aspect, i still wouldn't consider that to be ok. Test files that patch code on the fly is a recipe for a nightmare of maintenance. Which i suppose is the idea here considering that it's malicious code lol.
It is way more complicated than that. Very good explanation, I could never do it justice.
Edit: I found an even better one https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
i know it's rather involved, i've been tailing it from the sidelines, though like i said, i am not a developer, so in terms of code and maintaining code im blind there. But everything else i understand.
It's definitely an interesting situation to observe.
They were not shipped to the client. They were shipped to the build system, executed there after deobfuscation, and they inserted an additional, opaque program file into the build process.
that much i picked up on, though i didn't make it very clear. I did mention that alternative though.
It's common to bundle test artefacts with the release tarballs. The reason is that when Linux distributions build the software from the tarballs, they often run the tests to ensure that they pass.
More people need to operate like Linus Torvalds. Call people on their shit. Respectfully of course.
In my book, respectfully is something more insulting than "you're so stupid, how did you survive to suck on your mother's tit, one would imagine you were too stupid to know what to do with it".
Obligatory /s
Respectfully of course.
Like "Fuck you Nvidia"?
I vote on an exception for big corps. Fuck you nvidia.
Respectfully
I'm more of a fan of responding in kind. Manners may cost nothing, but so does clear communication.
Thing is, much of what Linus says is respectful; even though it reads harsh. Phrases like "you keep doing this" and "your code is shit" and "I will bar you from committing code until you can get better" and similar stuff, is respectful to the person, as he is still just focusing on the code : the product. Mostly.
Sure it comes off as aggressive ultimatums, but when I worked on New Jersey I saw numerous arguments between passionate coders who really cared about their work and spoke on these loud voices with aggressive gesticulations and gestures, and it was frightening. But, when you took apart the arguments, it was all about "the code" this, and "the standard" that, and very little "you suck" and "you're dumb". And, when the argument was settled, these passionate people were still friends.
Of all the people I've been yelled at by in my career, the harsh-sounding ones who kept it on the work and not the worker ended up with the most loyalty and trust in the end.
Give me a dozen Linus who care about their work. Sure he's slipped up a few times, but on balance he's been very good. Even before the "let's all hug" sensitivity training.
"You're dumb" is disrespectful, but "your code is shit" isn't? How does the latter not reasonably imply the former?
Being respectful is taking the time to moderate "your code is shit" to something like "your code is not acceptable". You might even go a modicum further into kindness with "there are aspects of your code I need you to improve".
All express the same idea, some will leave the listener more open to internalizing the criticism.
Mimimi
How does the latter not reasonably imply the former?
I'm not dumb and I write shit code all the time. Bad code only implies that the author is dumb if you assume only dumb people can make mistakes.
Bad code, yes, calling it 'shit', no.
Stuff like this is a big part of why software circles are seen as so hostile and unwelcoming to outsiders.
You can be completely clear and frank without resorting to insult, mild though it may be. Just because you and people most like you understand that calling their work 'shit' doesn't reflect on them personally, doesn't mean it's not significantly exclusionary.
Now, obviously you can get to know your reports well enough to understand whom would take 'shit' well, but that doesn't mean it's not generally important to temper criticism with kindness. Kindness never has to mean holding back criticism, just avoiding stooping to insult.
Sure it comes off as aggressive ultimatums, but when I worked on New Jersey I saw numerous arguments between passionate coders who really cared about their work and spoke on these loud voices with aggressive gesticulations and gestures, and it was frightening. But, when you took apart the arguments, it was all about “the code” this, and “the standard” that, and very little “you suck” and “you’re dumb”. And, when the argument was settled, these passionate people were still friends.
I used to work for a guy like that. He was aware of how a lot of people perceived him and was working on it but it never really bothered me when he slipped because like you said it wasn't a personal attack, he was just trying to make us get the work done to his standards. There were multiple times he would come to me and apologize after we finished something and I was just like "well you were right so I'm not really worried about it".
Fuck you
Respectfully,
Linus Torvalds
Shit, sensitivity training works. Please don't show this to my HR team....
view more: next ›