
Have you paid?

I too have been frustrated by the way open source works. Maintainers are frequently people in high demand and open source rarely pays commensurately.

So too have I given my work away and been met with entitled demands for service and time. I enjoyed writing the code and making something useful. I enjoyed the validation of that belief based on use but that doesn't feed the family or further my actual goals in life.


Exactly. There has to be a payoff. When that's sheer enjoyment, that's fine. But that could flip and then payment, exchange of honest value, is a good model between people to do things and get mutual value exchange.

I agree that open source needs to find ways to engage with the economy, for multiple reasons. But the project needs to create the system/process/structure; individual contributors paying money won't affect these systemic problems even if the money they're paying is substantial. At best they create a temporary system of privilege.

I agree with most of what you've written. A temporary system of privilege is a great descriptor of what I've seen to date. I'm not sure this should be each individual project's responsibility; the scaling attributes of that design seem to intend failure.

Why should I pay, why can't we tax big tech and VC firms so the public can fund this stuff instead? They have all the money, they have all the power; why can't we take it away from them?

The world of software would be a vastly better place if the public had options to invest in software as well.


Strictly speaking that question was for the author. Less strictly for anyone who wants to demand the resources of contributors, even if contributing themselves. The question is about balance and consideration, recognizing that even if someone is giving away their work they live in a financialized world that doesn't respond to their generosity by giving them free access to resources (most of the time).

The distributive justice matters you reference are big problems. To answer your question: we can because they don't actually have all the power, we just don't find the will and not entirely without reason. If we used taxes to extract those funds they would likely be priced in so that the population is left funding them still. It would risk a privileging as suggested by a peer statement and the real solution has to be pretty systemic.

The problem is broad and something like we live in a society where the most privileged amongst us are happy to have a smaller pie so long as they get a larger proportion of it. Even if it's caused by ignorance, that doesn't keep it from being the case. It's also true that we have societal behaviors which reduce our productivity due to the injustice of things. We punish the sincere and well-behaved for the benefit of those creating asymmetric information and abusing others.

I don't think we should be surprised that this leads to bad results and things functioning less capably than they could.


"Why can't we just demand to spend someone else's money on this because they ought to agree that this is important. Meanwhile, I myself can't be arsed to spend a dime on it, but yeah still important..."

No. If you think it's important, you pay for it.



In the UK two decades ago (admittedly not the shortest time) I heard plenty of terrible words and treatment of Pakistanis (which seemed to be used as a good enough bucket for all brown-skinned people) and people with red hair. A general disdain for Continentals was a little more subdued. When I was younger France was famous for its poor treatment of foreigners and non-francophiles. Consider all the politics and anger towards those that continue to try to cross the Mediterranean on makeshift boats or the constant complaints about "benefit thieves" who emigrate from the Eastern bloc. There are many examples and some of them are not without basis but while things have gotten less stabby-stabby there's some fairly brutal attitudes and behaviors.

I'm not defending racism against immigrants to Europe, but let's get this in proportion. It wasn't long ago that the US had _state mandated segregation_ and regular lynchings. All racism is abhorrent, but I really don't see Europe as specifically problematic in this regard.

I didn't make the claim that Europe is specifically problematic. I was noting that between extremes the GP was talking about

> Europe's treatment of perceived outsiders

Who'd've thunk it, people be tribal?


> There are many examples and some of them are not without basis but while things have gotten less stabby-stabby there's some fairly brutal attitudes and behaviors.

Yeah, I won't claim that everyone is treated equally or even fairly in Europe, and some places are absolutely worse than others, in many different ways.

I'd still claim we no longer do "expulsions" of entire ethnoreligious groups anymore in the 21st century though, which was the initial example of why Europe today is terrible.


I agree things have improved but the GP to my first post set context to:

> Europe's treatment of perceived outsiders

You seemed to be picking a rather narrow slice of the scope.


Well, to be fair, GP did use the "Expulsion of Jews from Spain" as the example for that, so I don't think they were trying to say "Some people in Europe have bad thoughts about perceived outsiders" but rather hinting to some larger events still happening today.

That's fair. To continue being fair, there's a lot of rough behavior happening throughout the world these days. We've forgotten how bad we can make things.

I'd suggest that in Europe also there's more than just bad thoughts for outsiders but bad words, bad treatment, and exclusion from thriving. Extreme cases include bodily harm and I'm fairly certain death, but these extremes occur at a lower scale.


Imagine they bought the gold in the US for 1b and sold for 16b. Yes, they turned around and purchased 16b of other gold immediately, but there was still a transaction where they sold an asset for more than they bought it for.

If you bought your house for $500k 20 years ago, sold it today for a million, then bought it again tomorrow for a million, would you describe that to your friends as having just made $500k? Like yes, in the most pedantic technical accounting way it's a gain. In spirit I would call this an unrealized gain.

No, you’d remark that your house has appreciated in value over the past 20 years. But you wouldn’t have realized any of that gain until you sold the house - the point being that the realization is the actual taxable event, which is why it matters from the pedantic technical accounting POV. The fact that you turned around and bought another house just means you’re doing something new with your realized gains. Now you have a new cost basis. Maybe that’s what you’re saying with “unrealized gain” though.

Sure, in spirit it's an unrealized gain, but wouldn't the tax man consider it a realized $500K capital gain? Seemingly this would be the more appropriate way of categorizing it?

No but I read the article and that was the way it described the gain.

The price is ridiculous but I've been happy with the design of https://www.ladiesfirstchickendoor.com/products/

In the city the door doesn't always shut but I think I could adjust that, I just haven't needed to.


How is a bantam helpful with eagles?

They're the only ones that seem to want to fight the eagles. They're HYPER aggressive. I don't get it.

Thanks so much, good to know. We want chickens in a place with eagle problems.

Non-introspection is a fantastic source of strategic vulnerability. It can facilitate a bias to action which has its clear value. However, if you are creating a highly valuable asset then it puts you in a position where you are extremely easy to manipulate and harvest. Perhaps this serves VCs quite well.

How does this stance work with your CICD?


I suppose you would have to commit your node_modules, or otherwise cache your setup so that all prerequisite modules are built and ready to install without running post-install scripts?


Instead they took away TOTP as a factor.

Scaling security with the popularity of a repo does seem like a good idea.


Are there downsides to doing this? This was my first thought - though I also recognize that first thoughts are often naive.


You don't want "project had X users so it's less safe" to suddenly transition into "now this software has X*10 users so it has to change things", it's disruptive.


TOTP although venerable was better than no second factor at all.


TOTP isn't phishing resistant


No it's not but it's better than nothing. Don't let the perfect be the enemy of the good.


It's not much better than nothing. It basically solves "I reused my password across sites" exclusively, that's it. If you're going to go through the effort of TOTP, it seems odd that you wouldn't just use a unique password.

If you use a unique password it's questionable if it adds any value at all. Perhaps in very niche situations like "password authentication is itself vulnerable due to a timing attack/ bug" or some such thing... but we've rarely seen that in the wild.


I disagree.

I use a password manager and systemically use long random passwords. An attacker would need to compromise my password manager, phish me, wrench me, or compromise the site the credential is associated with to get that.

Using local only TOTP (no cloud storage or portability for me, by choice) they would have to additionally phish me, wrench me, compromise my phone, or compromise my physical security to get the code.

None of these are easy except the wrench which is high risk. My password manager had standard features which make me more phishing resistant, and together they are more challenging than either apart. For example the fact that my password manager will not fill in the password on a non associated site means I am much less likely to fill in a TOTP code on an inappropriate site. Though there are vulnerable scenarios they aren't statistically relevant in the wild and the bar is higher regardless.

Now I happen to have a FIDO key which I use for my higher security contexts but I'm a fairly low value target and npm isn't one of my high security contexts. TOTP improves my security stance generally and removing it from npmjs.org weakened my security stance there.


I'm confused. All an attacker has to do is phish you to get your password and TOTP.

TOTP would cover cases like a compromised password manager or a reused password. That's it, right?


My password manager, as is standard for most of them, will not fill or show a password if the URL being visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.

Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.

To answer your question, no, and I provided details. It literally provides a second, non-portable factor with a different vulnerability surface.


> My password manager, as is standard for most of them, will not fill or show a password if the URL being visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.

I agree.

> Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.

Can you be more specific about the attack that your password manager doesn't solve that your TOTP does? The attack I'm suggesting is already solved by your password manager.


I believe I've already written that, but it is that my password manager gets compromised. It is not perfectly secure and has failure points. Given that it is separate from the second factor, a successful attack against the password manager still leaves an attacker unable to log in without a separate compromise of my TOTP code. Of course that can also be compromised, but two compromises is strictly more difficult than one.

Right, so it's "password manager is compromised" or "password is reused", right? I'm pretty skeptical of these mattering relative to phishing, which is radically more common.

TOTP seems effectively useless for npm so that seems fine to me
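The disagreement in the thread above turns on what TOTP does and does not stop. As an added example (not from any commenter, and not npm's login code), here is a minimal RFC 4226/6238 HOTP/TOTP implementation with a toy site, run through the three cases the commenters argue about: an attacker holding only the password (leaked, reused, or pulled from a compromised password manager), a real-time phishing relay of password plus current code, and a late replay of the same phished code. The username, password, salt, base32 seed and timestamp are all constructed for the demo.

```python
"""TOTP (RFC 6238) versus password-only compromise and real-time phishing."""
import base64
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step, seconds
DIGITS = 6     # RFC 6238 default code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, step: int = STEP, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate clock drift,
    as most real verifiers do. Each candidate is compared in constant time."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


class ToySite:
    """Minimal server holding a salted password hash and a TOTP seed per user.
    Constructed for this demo; not any real site's login logic."""

    def __init__(self, username: str, password: str, seed_b32: str):
        self.username = username
        self.salt = b"constructed-salt"
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)
        self.seed = base64.b32decode(seed_b32)

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        if username != self.username:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return False
        return verify_totp(self.seed, code, now)


def run_scenarios() -> dict:
    # Constructed credentials: the seed is what an authenticator app would enrol.
    seed_b32 = "JBSWY3DPEHPK3PXP"
    password = "correct horse battery staple"
    site = ToySite("erik", password, seed_b32)
    seed = base64.b32decode(seed_b32)
    t0 = 1_700_000_000  # arbitrary "now"

    # 1. Attacker has the password only (reused, leaked, or from a compromised
    #    password manager) and no code. A blind six-digit guess would succeed
    #    with probability about 3 in 10^6 given the +/-1 step window.
    password_only = site.login("erik", password, "", t0)

    # 2. Real-time phishing: victim types password and current code into a
    #    lookalike site; the attacker relays both to the real site 5 s later.
    phished_code = totp(seed, t0)
    live_relay = site.login("erik", password, phished_code, t0 + 5)

    # 3. The same captured code replayed two minutes later, outside the window.
    late_replay = site.login("erik", password, phished_code, t0 + 120)

    return {"password_only": password_only,
            "live_relay": live_relay,
            "late_replay": late_replay}


if __name__ == "__main__":
    print(run_scenarios())
```

The output makes both commenters' points concrete: the second factor blocks the password-only case, but a phishing page that forwards the credentials within the 30-second step (plus the verifier's skew) walks straight through, which is exactly why TOTP is not counted as phishing resistant while FIDO, whose assertions are bound to the origin, is.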


Yes, finding out how badly wrong you were is never fun. Of course the lack of ubiquitous Oxford comma use is itself and separately displeasing.

