Open source maintainer Jordan Harband on life after xz and vetting potential contributors

  • Published: 13 May 2024
  • Shortly after the xz utils backdoor was uncovered, Tidelift gathered a group of open source maintainers from the JavaScript, Java, and Python ecosystems to hear not only how the xz attack affected their work (spoiler alert: this attack reverberated across ALL ecosystems, not just the Linux OS!), but also how it made them feel.
    In this clip, we hear from JavaScript open source maintainer, Jordan Harband. Here he discusses the struggle that arises when mistrust is embedded in the community due to a bad faith actor and why xz is making him have to look deeper into the profiles behind potential contributors.
    You can watch the entirety of the panel on-demand here: explore.tidelift.com/c/life-a...
    Learn more about xz: tidelift.com/resources/xz-bac...
    Transcript:
    I maintain a lot of projects, and I am the single maintainer on almost all of them. I hope that's not because of my personality, and it's certainly not because I don't want additional maintainers. I very much do. But it's hard to find people who have the interest and the stamina, and who will take the time to develop the chops to maintain any package, even a small single-purpose one. So whenever a contribution comes in, I get excited. I'm like, Ooh, a new person, like, how can I make them happy? How can I make them feel welcome? How can I make them feel proud of their contribution?
    A PR just came into one of my packages two days ago, it's qs on NPM, it's got 72 million downloads a week, that's nearly as much as all of Maven combined. And instead of being able to just be happy that I got this PR to make something faster, I have to really seriously consider it. For almost the first time, I clicked on the GitHub profile of the person and looked at all their activity, to see if they matched that sort of pattern that the xz person did, which was they sort of materialized out of the woodwork to work on this domain. And I had to kind of think critically about them. And I have to employ my own biases to do that. When people have to employ their own biases and perceptions, that makes things less equitable, less inclusive.
  • Science

Comments • 1

  • @Mikkelzu
    25 days ago

    I'd argue it's partly due to the philosophy ljharb has and the combative nature of how he just doesn't want to drop compatibility with already dead engines or node versions. He seems like a nice guy, but it doesn't help when his "best practices" are kind of made up and it never feels like progress can be made. Especially when 1 package is then pulling in 50 dependencies just to polyfill features that are part of the standard library of node.