51 comments

[ 305 ms ] story [ 232 ms ] thread
[Relevant xkcd.](https://xkcd.com/2347/)

It's interesting to see the periodic rediscovery of "capitalism + technology relies on unpaid, voluntary labour", or as the author puts it, "Open source, the thing that drives the world, the thing Harvard says has an economic value of 8.8 trillion dollars".

The one flaw that I see in the author's analysis though is that they don't seem to account for whether the packages accounted for by their source have dependents or monthly downloads. There's *a lot* of dead code out there. When excluding abandoned packages, I bet the picture is still grim, but it might be less so.

You can frame the "unpaid voluntary labor" as "creative work" and it would start making a whole lot of sense. "Creative work thrives despite being unpaid in capitalist society."
I’d state that as capitalism + technology provides enough surplus money and time that people can work on hobbies
> capitalism + technology relies on unpaid, voluntary labour

You are falling into the breadtube trap of faulting capitalism for a societal issue that has nothing to do with it. Did capitalism force people to have productive hobbies? Would you prefer a system, other than capitalism, that prevented people from having productive hobbies?

Often times this error relies on the assumption that capitalism is what's preventing us from having an "idealized" version of communism that I've heard aptly described as Gay Luxury Space Communism, where anyone can do anything they want and society just magically pays for it. The problem is that GLSC isn't real, we'd need ~infinite resources to do it.

I personally blame this problem on charities. This is the type of problem that charities and foundations should solve but there is no safeguard for charity money actually going to the charity's cause of action, instead the moment you create any kind of non profit it transforms into Non Profit (inc) and all the money it received goes to (1) professional non-profit people for the job of raising money and redistributing it, (2) shuffled to other non-profits, (3) thinly disguised political activism.

It is funny how you recognize the "breadtube trap", yet you are so invested in the "no alternative" ideology.
If they had done an activity check they would have seen that half of all projects have zero maintainers.
software once "perfected" (working well enough long enough) needs NO maintenance. No cleaning. No calibrating/tunning.

updating is a systemic issue, not a per-project matter

I find it more concerning that the DoD uses node.

I might be wrong but npm etc feels like a very large attack surface.

(comment deleted)
The DoD is a huge organization, so I'd guess they use almost everything.
Why?

The DOD is one of the world's largest organizations. There are people there who do things like publish newsletters and put up webpages for people like boy scouts to arrange tour bases. It is totally fine to use Node for things like that.

Those systems are not connected to the systems that fire missiles. If the sign up page for the 4th of July fireworks announcement gets vandalized, it isn't really an issue.

I've heard good things about work done by this guy Linus. I'm pretty sure that I've used his work.

I think he comes from a country that borders Russia, so should we be worried?

I've done OSS for decades; mostly by myself, but sometimes, in teams of volunteers.

If anyone has any experience, working in teams of volunteers, it can be ... challenging.

It can definitely work, but not as often as you'd think. If it works, there's usually some "BDFL," or a common goal that has everyone on the same beam. In my case, it was usually the latter.

(Off topic.)

Not only that, but Linus's parents were politically active communists and young Linus was a pioneer (like a boy scout but for communists). His father also lived in Moscow for several years on two separate occasions.

Linux is a well supported project with a lot of maintainers and support, it isn't a one-man project by Linus.
(comment deleted)
Curious, because just recently he expelled Russian maintainers from the Linux project, just because
The title of the register article is completely disgusting

> Putin on the code: DoD reportedly relies on utility written by Russian dev

then in the article:

> Hunted Labs told us that it didn't speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor.

Aren't Russian developers on average more susceptible to the "wrench attack" though?

  The title of the register article is completely disgusting
Nearly all The Register articles are clickbaits or rage baits.
Yeah, it is pretty amazing but not surprising. The Register has taken to a certain kind of sensationalism as of late.

I found this interesting:

> "Every piece of code written by Russians isn't automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims," Smith told us in an email. "As a whole, the open source community should be paying more attention to this risk and mitigating it."

Uh, I guess? The nature of open source is supposed to be that the dev provides the effort and the code, and that's where the guarantee stops. It is up to the people who uses it to implement and ensure security. People treat OSS like it is a business product that must have drop-in replacement ready at all times.

The modern nature of development is perhaps my biggest gripe as a professional. There is little care given. Projects begin with importing dozens of other packages and libraries that we never look at, let alone fully understand. And it is normalized.

Yeah, the subtle way to plant an idea. It's a crime again to a person have "certain nationalities".
> So while NPM has over 4 million single person projects, they have about 900,000 maintainers for those 4 million single person projects. This will be an important data point at the end.

Am I missing something or was it not, in fact, an important data point at the end?

I didn't see it explicitly stated, but I think it supports the "overworked" part of this statement:

> Open source, the thing that drives the world, the thing Harvard says has an economic value of 8.8 trillion dollars (also a big number). Most of it is one person. And I can promise you not one of those single person projects have the proper amount of resources they need. If you want to talk about possible risks to your supply chain, a single maintainer that’s grossly underpaid and overworked. That’s the risk. The country they are from is irrelevant.

And even in projects that are maintained by more than one person, it's usually just a single person responsible for most of the commits.
Huh, I just checked stats on ecosyste.ms

It looks they consider as maintainer only those people who listed on package.json, not a real number of contributors on github or anything.

So all conclusions in this post is based on wrong assumption and incorrect data interpretation. That's all you need to know about it.

I think you could list random people on github in your package.json to looks cool in eyes of stats cultists.

The DoD is very efficient at finding something they are getting for free and convincing everyone it's in their best interest to pay a team of contractors for it.
This reminds me of the observation that adding people to a project doesn't necessarily increase productivity that much...
I feel like there's a lot of misunderstanding of this issue in the software community, because primarily, supply chain risk isn't a software or engineering issue. It's a governance issue.

Someone doesn't have to be a bad actor for a project to have supply chain risk. Nor do all who evaluate supply chain risk have the same security posture and evaluate risks the same as others might. The DoD likely has a very different set of risks they evaluate against for their security posture than you do.

Most supply chain risks are not an indictment of somebody's code or somebody's character. A lot of one person projects are risky just because they're only one person. Having a bus factor of one is a supply chain risk in and of itself.

And while most people don't prepare for war while choosing their packages, it's not unreasonable for a military to do so. During a war, the ability for people to govern themselves and their own projects often changes dramatically, even in democratic countries. It is entirely routine for countries to require cooperation by the force of law in war time, even the US can and has forced private companies to cooperate with war efforts. This is probably not in the security posture calculation for most of us. But it is for some.

> And while most people don't prepare for war while choosing their packages, it's not unreasonable for a military to do so. During a war, the ability for people to govern themselves and their own projects often changes dramatically, even in democratic countries. It is entirely routine for countries to require cooperation by the force of law in war time, even the US can and has forced private companies to cooperate with war efforts. This is probably not in the security posture calculation for most of us. But it is for some.

Reading this I'm really hoping the DOD maintains mirrors of GitHub projects that are vital to them.

Still, we had a lot of security issues of people injecting themselves into these one-man projects.

It is ridiculous to force these people to do anything because you were to lazy to build the foundations of your infrastructure yourself, especially if you care about self-reliance.

Another case of power law distribution being all around us. I wonder how many commits of the 1M+ downloads projects maintained by more than one person, were done by just one person?
Has anyone seen any stats on what happens to a single maintainer project when said person is hit by a bus (or meets some other demise)? With that many data points, there should be enough of them by now to study it.

Is the project taken over by another, single developer? Is it replaced by a similar project? Does it just go away?

When Bram passed away Vim was passed on to the core maintainers there.
Open Source is just a guy, and The Internet is just his computer.
>It’s not until I change downloads to 1 billion downloads that we see 1 package maintained by 1 person, and 9 packages maintained by more than 1.

Which one is that?

the west or those with largely liberal viewpoints who think in black and white vs seeing the world as grey are gonna cost the west a lot.

we already saw this - with 'cancel' mafia.

because russia or i.e putin invaded ukraine doesn't mean the whole russia is bad. or you shouldn't interact with russia at all. no one stopped interacting with usa after they invaded iraq.

just because russia doesn't give a shit about lgbtq rights doesn't mean russia is a bad country. likewise just because china runs an explicit authoritarian system - it doesn't mean its a country - china bad.

trump and his idiotic gvt kinda recognize this - but they're also doing it the wrong way.

anyways - trade with enemies / friends alike as long as they're benefits to be realized.

Drupal isn't one person last time I checked; but yes this is correct for almost all projects
Too bad the notion of completed/finished/done software is very weak. In theory, there it nothing wrong with an OSS project made by one person.

I would like to see the LOC these one-person projects with >1M downloads have. I suspect most of these are a simple Node/browser/OS API single-file wrappers that are simple to get right and treat it as complete.

At the same time such projects are easy to verify upon adding as dependency. Lately, I've just copy-pasted relevant parts of a library to my project because adding it as a dependency has a cost. I doubt this is a common practice though, especially in NPM land.

> Too bad the notion of completed/finished/done software is very weak.

FWLIW, this simple definition suffices for me: software is complete insofar as it requires no changes to do what its maintainers would like to do with it at the current point in time.

"Complete" software frequently changes to "incomplete" as the desires of the maintainer(s) change(s), and may just as quickly revert to "complete" as changes are made.

This definition does not consider the desires of non-maintainers because there's _always_ at least one such person who wants a given pieces of software to do their one weird thing (which the maintainer(s) will not ever add).

After reading. For a person that calls out how people are not smart the author takes quite of mental shortcuts to make his point work.

NPM downloads are not equal to amount of projects as people plug in their CI/CD to download package on each build.

Then assuming just by sheer number that there must be something critical in the set or at least super important. Without putting effort to track at least one in some way.

That’s at least lazy especially if you call people „smart”. Then throw up some numbers thinking you’re the smart one.

"Open source, the thing that drives the world, the thing Harvard says has an economic value of 8.8 trillion dollars (also a big number)."

Yeah, but the maintainer almost never sees anything from it. And most of the people cannot monetize oss based projects, because they don't have the expertise for it.

OSS is the biggest farce ever. Same when people say patents are evil. Ridiculous. A handful of people spoon fed this universal bullshite to people and they believed it.

Remember people that proper governments plan tens of years ahead. In this context, OSS was first, so AI systems would have ample source code to be trained on.

(comment deleted)
Most the stuff on github is something one person wrote, stuck on there, and nobody uses. Then there's a bunch of things that are one person, but some small number of people use or have used it. Most big OSS programs have more than one person behind them. The vulnerable things tend to be dependencies of larger projects - small, but useful enough to get used in larger things.
The visualisations could be improved by binning number of maintainer 1 / 2-10 / 11-n or by plotting cumulative distribution (ie. x% of projects have less than y contributors)