Ask HN: If you open source some code, are you responsible for maintaining it?
This is something I have been wondering for a while. At my company, we depend on a lot of open-source technologies. We expect that someone will keep rails up to date, fix security vulnerabilities etc.
At the same time, I have a lot of projects that I open sourced but have no desire to maintain. Here's an example: http://github.com/egonSchiele/mdpress
This is a simple Ruby script I wrote that is now one of my most starred projects. I haven't used it in a while (I don't make many presentations) but I still keep getting and responding to bug reports. What's my responsibility here? I am happy to open source my code, but I don't want the extra work of maintaining something I rarely use.
57 comments
[ 3.2 ms ] story [ 24.7 ms ] threadSo you're free to add a notice that you won't maintain it and that people are free to fork it and maintain it under another name.
Or you could maintain it if you think it's good for your career and/or you simply enjoy doing it.
"Released open source in case this code is useful to you, but there will be no support, no further releases, no bugfixes, and no response to issues. If you find this code useful and would like to modify it, please feel free to fork it."
[I forget if Github lets you turn off 'Issues' entirely, but if it does, do so.]
This way people know what they're getting into when they use the code. You have no _obligation_ to do anything, and it's better to share the code as examples for others trying to do the same thing than to keep it private because you don't want to support it.
But people may assume the code is supported, and regardless of what they assume, they can make a better decision on whether to use it or not (and use it how), if they know it's unsupported, and it is the right thing to do to let them know up front. If I found useful code, but knew it was 'abandonware', I might or might not choose to use it anyway, but that knowledge would effect my decision.
If you have code that you released without making that clear, and _have_ been supporting half-heartedly anyway (setting some expectations), well, contrary to what I predict will be the HN consensus, I think you do have some responsibility to your users. But you still aren't trapped forever in indentured servitude. Wind it down gracefully, maybe find someone else to take it over (have you accepted a pull request from anyone ever? if so, that person is a good candidate :) ), maybe keep responding to issues for a little while after you make the announcement that it will soon be abandonware. Or if you're completely burned out on it and just don't have time, then stop cold turkey if you have to, but post in the README what you're doing. (Don't delete the repo, that would be very rude to current users).
If you are tired of maintaining your old project just put a tar.gz of the last stable release up on your own site and let it die or be used. Or, at the very least, disable GitHub's issue tracker.
Making it clear in the README that no maintenance is guaranteed and disabling the issue tracker should be enough to send the message to would be users. If the OP doesn't do that he is actively implying future maintenance.
Having an account on Twitter doesn't mean there's an obligation to respond to every tweet directed your way.
In dating web sites there's no obligation to reply to every "hi, I'm interested in you" message.
In fact, in no social site I know of has an obligation for future engagement.
Why is code different?
You also assume that "social" => "with the world." If I want to work on a project with friends in California and New Zealand, why not set it up as a public account on github? We're being social, just not social with you. Our obligations are towards each other, not some stranger on the internet.
But some people (like you) will assume by default that it is supported. So be clear in your README that it ain't. I think we should start popularizing the term 'abandonware' here -- some code starts out as abandonware, but other code becomes so when the authors lose interest. We all know that using abandonware is 'riskier' to your project long-term than using supported open source, and many of us find ourselves depending on abandonware that used to be supported, and looking for alternatives. So it goes.
And especially for 'abandonware', I think it's actually much better to put it in a github repo than as a .tar.gz. One of the main uses for born-abandoned open source would be to look at the source code as an example and copy-paste from it, and a github repo makes those sorts of uses a lot easier in several ways than a .tar.gz.
Make it clear in the README that you won't provide any further support and disable the issue tracker if you don't want people to contribute or ask for help.
I also don't understand why someone would expect continuous support without checking whether the project is in development or not.
This is about as incorrect a statement as one could make on the issue.
In any case, your definition is in stark conflict with historical usage. "Open source" was coined in 1998 when the majority of releases were as tarballs on ftp sites, and SourceForge hadn't even started. By your definition then, all of those self-labeled open source projects of 1998 didn't actually exist.
It's also ridiculous because it means that when I die, and there's no one else who wants to support it any more, then it somehow loses its "open source" status.
Those are all things i am likely to want to do with code published open source but as unsupported 'abandonware', use it as an example to look at and copy and paste from, instead of just using the product as is as without looking at the source.
In fact, the one thing I'd be less likely to want to do with abandonware -- actually install and use it, instead of just consulting it as an example -- is the one thing you haven't actually made that much more difficult by publishing only as an archive.
Should I shut down the SF account?
Actually, I think what you imply is publishing source code in a public repository says that I have a social obligation to work at no cost.
Why can't I charge for my time?
Why can't I ignore people I don't like?
That seems rather ... needless. Surely it's better to assume that no one is obligated to respond to you than to cater to unrealistic and unreasonable hopes and promote this practice as being somehow necessarily.
I also doubt it will make a difference. People don't read READMEs in general, much less for details about support options.
Other people can fork it if they are unsatisfied with what you're doing.
Please don't allow it to cause you any stress! Many quiet users are just grateful that devs release stuff.
Perhaps declare in readme that project is unmantained and disable Issues on such project (no emails). Also declare how much hours/month you are willing to put into maintenance. And finally use separate email for OS activity, public email generates a lot of spam (viagra etc)
I actually build my living around one such abandoned project. Original idea was great, but it needed some TLC to make it usable.
I've seen them paid to do it. I've seen them do it because they want to. I've never (ever) seen any of them do it because someone else told them they had to.
That's a pretty terrible, and indeed entitled, attitude to hold I must say.
>I haven't used it in a while (I don't make many presentations) but I still keep getting and responding to bug reports. What's my responsibility here? I am happy to open source my code, but I don't want the extra work of maintaining something I rarely use.
Then don't. Invite others to collaborate and submit patches themselves.
Really, I think once you open source something you should be prepared to maintain it for perhaps somewhere between 3-6 months at a minimum. If it's popular, I'd expect you to maintain it while it's still relatively popular and people are regularly sending pull requests and reporting issues.
If the repo is still popular, I'd think that you'd probably have to hand it over to someone else if you're not going to look after it. If it's less popular, a simple note in the README should be fine.
There are too many abandoned projects that took the easy to remember / cool names. At a smaller scale and as an exemple, nowadays if you want to implement a protocol and publish it on NPM there is 99% chances the name is taken and the implementation is poor. Too many people thrown away quick hacks only to leave them die. People willing to work and invest time in proper implementations may end up discouraged and give up trying to publish or even coding them.
Names are the scarcest resource of all. My point of view is that when you take a name you take with it the responsibility of not wasting the cognitive paths associated with it. This is not a small responsibility at all, in my humble opinion.
It probably doesn't apply to the example you gave. Just took the opportunity to voice my concern.
Don't get me wrong, I love Node, but blaming an NPM problem shouldn't place blame on an open source author. None of these solutions works for you? Time to be an open source contributor :)
I think you're a bit rude to NPM though. It had many things right and finding defects in retrospect is always an easy task.
Regarding my involvement in open source, I have no clear picture of a solution to this problem at the moment so I will refrain, following the spirit of my previous point. I tend to publish only what I know will be firm ground for others to build upon.
In retrospect, NPM was a bit rude to it's userbase. We've asked for support on custom, multiple, and private registries. PRs have even been made for them and Isaac explicitly shut them down only to later (much later) come out and talk about NPM Inc. NPM is a great tool, and the community for building upon it is absolutely fantastic and wonderful, but the leadership and advisory board behind it are pretty terrible for something as good as NPM.
May be I am a bit harsh, and I may be a bit biased coming from "the old crowd" in Node before it was the cool thing on the block (funny to think back on Rubyist snickering at me for mentioning node to them :))
At least NPM has git URLs which is nice, and may be NPM can do these things (I've abandoned it for much saner practices other than cloning a 50+gb registry, pointing to a registry that falls back to an official registry [big security no-no, at least allow checksums], etc).
Thank you for the perspective though, less whining and more typing (contributing to NPM). My anger is more so towards the leadership of NPM rather than the toolset itself and I didn't express that in my OC ^
If you call npm a useless packaging system, you obviously don't understand any software.
When you open source something, you have to make sure it has a clear license which includes legal disclaimers of warranty and liability. For instance take a look at the disclaimers in the GPL and BSD licenses.
As far as maintenance goes, you have no contractual obligation to anyone to fix anything for them, if you aren't being paid.
All open source licenses are not liable for damages arising from the use of open source code
As that licence doesn't include a "no-warranty" statement, and copyright is automatic in most countries (from your link), there must be a fair few open source repos on Github etc that could be liable for damages arising from the use of open source code (or at least fall into a nice grey area I'd personally rather avoid).
[0] http://en.wikipedia.org/wiki/WTFPL
As many others have already mentioned, it is very useful to clarify in the README what the status of the project is.
Something I would like to add is that if someone else comes along who offers to take over maintenance, that is a useful thing which you should probably accept, and then you should update your README to point to the new official maintainer. You can also explicitly mention in the README that the project is looking for a new maintainer, which to me always seems a bit friendlier than just stating you've abandoned the project.
Even if you don't officially pick a new maintainer for your project, if a couple of forks spring up on github consider linking to them from your README if they still seem active after a couple of months.
I'm going to be the one who says it. I am frankly tired of the sense of developer entitlement. We get so much amazing and great work from people, yet it never seems to be enough for some. They bitch about semantic details, style choices, lack of support, and yet refuse to pay for quality services. Instead, they cockily spout "...why would I pay for that when I can just code it myself?"
I think this mentality is what separates these sort of developers from entrepreneurs. Entrepreneurs will pay for services happily that make their lives and business easier and improved, while entitled developers will just "hate" on the technical merits or "poo poo" the language, framework, or design decisions.
On to the OPs question, no you don't have a responsibility to maintain anything you give away to the community.