More people need to operate like Linus Torvalds. Call people on their shit. Respectfully of course.
Fuck you
Respectfully,
Linus Torvalds
Shit, sensitivity training works. Please don’t show this to my HR team…
Respectfully
I’m more of a fan of responding in kind. Manners may cost nothing, but so does clear communication.
In my book, respectfully is something more insulting than “you’re so stupid, how did you survive to suck on your mother’s tit, one would imagine you were too stupid to know what to do with it”.
Obligatory /s
Lol, you don’t already operate this way in life?
Someone trying to guilt or pressure you has an agenda and isn’t concerned with what’s best for you.
Yes, you should totally do that. DO IT.
Open source is such a wild west at times.
You have your gatekeepers like Linus Torvalds who will call you a fucking moron if you submit something that looks remotely off.
You have your committees that you can submit an MR to, but it has to go through the council of experts before it gets merged.
But the vast majority, it’s a one or two person project and this was a side project because you had an issue you wanted solved. No financial reward, no acknowledgement. And so when someone gives it an iota of attention, you fall head over heels and hope they are like-minded and want to support this dream too.
Theo is even more strict than Linus.
I’ve always taken this attitude towards pushy people and tbh this is more or less why. Being pushy like this is inherently suspicious as fuck.
I think it can depend on how and why you’re being pushy too. I’ve definitely had to have my fair share of passionate conversations and strongly advocating (yes, you could say pushing) for what I believe is best for the direction of a project with my fellow maintainers, especially when it comes to important things (like how to handle specific security issues etc since there’s not always one way of handling it). Generally speaking though you’re right.
Yeah, that’s fair, there are driven people, and people who are pushing for something, right, but in this case, look at the language used:
Progress will not happen until there is new maintainer. XZ for C has sparse commit log too. Dennis you are better off waiting until new maintainer happens or fork yourself. Submitting patches here has no purpose these days. The current maintainer lost interest or doesn’t care to maintain anymore. It is sad to see for a repo like this. [src]
Tons of emotional button-pushing and pressure, but not on technical grounds. Just trying to make the dev feel crappy about themselves.
Honestly that should go for all transactions. Someone calls you to fix an issue or pressure you into buying something? Just hang up and call the company back. One thing I have learned from many years of support is the person calling always has power over the person being called. So flip the dynamic. Same goes for car sales, just walk away. Hell, go look at cars when you don’t want one and practice just walking away and see how much power you get.
Regardless of flipping the dynamic, that’s a good way to avoid scammers. It’s easy to spoof an incoming number, but near impossible to intercept an outgoing call. If your “bank” calls and starts asking funny questions, just hang up and call the real bank to check.
As a non-developer myself, to my understanding, the vulnerabilities were implemented in test binaries?
If so, I question why those were shipped to the client. Unless they were built into the package itself on the mirror, in which case, still curious as to why that would be. I would think tests are entirely benign and do nothing. Seems like it would be incredibly bad practice to do otherwise?
Seems like an obvious vector to shut down any potential fuckery. But what do I fucking know.
The compile process was modified to decrypt and unpack the “corrupted” test zip file, which was actually a code patch, and apply said code patch before assembly of the final binaries.
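A defender-side tripwire for the build pattern described in the comment above, added here as an example and not code from the thread or from the xz project: it walks a source tree and flags any build script (configure, Makefile, m4 macro, CMake file) that references a path under a test-fixture directory, since the build should never consume test data. The sample tree, the macro file name `m4/constructed-macro.m4` and the fixture name `tests/files/corrupt_sample.xz` are all constructed for the example.

```python
"""Flag build scripts that read files out of test-fixture directories.

Hypothetical detection helper. The idea: test data should only be
touched by the test runner, so a build-time reference to tests/ is
worth a human look.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# File names and suffixes we treat as part of the build, not the tests.
BUILD_SCRIPT_NAMES = {
    "configure", "configure.ac", "Makefile", "Makefile.am",
    "Makefile.in", "CMakeLists.txt", "build.sh",
}
BUILD_SCRIPT_SUFFIXES = {".m4", ".mk", ".sh", ".cmake"}

# Directories whose contents should be consumed by the test runner only.
FIXTURE_DIRS = ("tests/", "test/", "testdata/")
FIXTURE_REF = re.compile(
    r"(?:%s)[\w./-]+" % "|".join(re.escape(d) for d in FIXTURE_DIRS)
)


def is_build_script(path: Path) -> bool:
    return path.name in BUILD_SCRIPT_NAMES or path.suffix in BUILD_SCRIPT_SUFFIXES


def find_fixture_references(root) -> List[Tuple[str, int, str]]:
    """Return (script path relative to root, line number, referenced fixture)
    for every build-script line that mentions a file under a fixture dir."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_build_script(path):
            continue
        rel = path.relative_to(root).as_posix()
        # Scripts that live inside the fixture dirs are test harness, skip them.
        if rel.startswith(FIXTURE_DIRS):
            continue
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            for match in FIXTURE_REF.finditer(line):
                findings.append((rel, lineno, match.group(0)))
    return findings


def build_sample_tree() -> str:
    """Write a small constructed source tree to a temp dir and return its path.
    One build macro reads a 'corrupt' test file during configure; the rest is clean."""
    root = tempfile.mkdtemp(prefix="fixture-scan-")
    files = {
        "Makefile": "all:\n\t$(CC) -o tool src/main.c\n",
        "m4/constructed-macro.m4": (
            "# constructed sample: a configure-time macro that reads test data\n"
            "generated=$(cat tests/files/corrupt_sample.xz | some_filter)\n"
        ),
        "tests/Makefile": "check:\n\t./run tests/files/good_sample.xz\n",
        "tests/files/corrupt_sample.xz": "not-real-data",
        "src/main.c": "int main(void){return 0;}\n",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for script, lineno, ref in find_fixture_references(build_sample_tree()):
        print(f"{script}:{lineno}: build script references test fixture {ref}")
```

Run against a real checkout the scan is noisy by design: a legitimate hit (say, a Makefile that installs example data) is easy to dismiss, while the interesting case is a configure macro that nobody expected to touch tests/ at all.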
Hmm ok. Yeah, idk, even from an organization aspect, I still wouldn’t consider that to be ok. Test files that patch code on the fly are a recipe for a nightmare of maintenance. Which I suppose is the idea here considering that it’s malicious code lol.
It is way more complicated than that. Very good explanation, I could never do it justice.
Edit: I found an even better one https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
I know it’s rather involved, I’ve been tailing it from the sidelines, though like I said, I am not a developer, so in terms of code and maintaining code I’m blind there. But everything else I understand.
It’s definitely an interesting situation to observe.
I’ve always been a fan of “pull requests welcome” when someone asks me for something.
The problem is when people then open huge PRs and expect you to take time to review them, then eventually merge them.
Especially when it’s something you don’t want in your codebase because it introduces a big unnecessary “refactoring” or a feature that you don’t want to have to maintain forever.
It’s a hard call at the end of the day. If you want it to all be privacy respecting and open source and decentralised then you’re almost guaranteeing you won’t make money from it.
The alternative is ad based software that’s free which is also garbage.
Hard to find the balance between the two, can’t think of many examples if any that actually work besides just making a paid product that’s very good and hope it’s better enough than the rest to be successful. But even then you likely will have to cross lines because you’re just relying on viral luck at that stage.