Ask HN: If you open source some code, are you responsible for maintaining it?

47 points by egonschiele ↗ HN
This is something I have been wondering for a while. At my company, we depend on a lot of open-source technologies. We expect that someone will keep rails up to date, fix security vulnerabilities etc.

At the same time, I have a lot of projects that I open sourced but have no desire to maintain. Here's an example: http://github.com/egonSchiele/mdpress

This is a simple Ruby script I wrote that is now one of my most starred projects. I haven't used it in a while (I don't make many presentations) but I still keep getting and responding to bug reports. What's my responsibility here? I am happy to open source my code, but I don't want the extra work of maintaining something I rarely use.

57 comments

[ 3.2 ms ] story [ 24.7 ms ] thread
You have no formal responsibility. No obligation. If someone complains to you about fixing bugs, they are welcome to fix them themselves. That's what open source is for. Anyone can fix issues without having to wait for the creator.
Indeed. Additionally if you loose interest in the project you can also see if someone who contributes back would be interested in taking over the project as well.
Exactly. Some people just don't get it. Personally I enjoy maintaining other people's abandoned projects. They free you from any obligation to keep up with new features, new bugfixes and so on. It feels more like a gift, than an abandonment.
Open sourcing some code means making it available under a license. That's it. No further promises are made by you.

So you're free to add a notice that you won't maintain it and that people are free to fork it and maintain it under another name.

Or you could maintain it if you think it's good for your career and/or you simply enjoy doing it.

I would just put that clearly and prominently in the readme.

"Released open source in case this code is useful to you, but there will be no support, no further releases, no bugfixes, and no response to issues. If you find this code useful and would like to modify it, please feel free to fork it."

[I forget if Github lets you turn off 'Issues' entirely, but if it does, do so.]

This way people know what they're getting into when they use the code. You have no _obligation_ to do anything, and it's better to share the code as examples for others trying to do the same thing than to keep it private because you don't want to support it.

But people may assume the code is supported, and regardless of what they assume, they can make a better decision on whether to use it or not (and use it how), if they know it's unsupported, and it is the right thing to do to let them know up front. If I found useful code, but knew it was 'abandonware', I might or might not choose to use it anyway, but that knowledge would effect my decision.

If you have code that you released without making that clear, and _have_ been supporting half-heartedly anyway (setting some expectations), well, contrary to what I predict will be the HN consensus, I think you do have some responsibility to your users. But you still aren't trapped forever in indentured servitude. Wind it down gracefully, maybe find someone else to take it over (have you accepted a pull request from anyone ever? if so, that person is a good candidate :) ), maybe keep responding to issues for a little while after you make the announcement that it will soon be abandonware. Or if you're completely burned out on it and just don't have time, then stop cold turkey if you have to, but post in the README what you're doing. (Don't delete the repo, that would be very rude to current users).

Yeah, the Issues function of a repository can be disabled, most useful for if there is already a way to report issues with a system such as Bugspray.
looks like pull requests can't be though?
If you don't plan to maintain your code what you did is not "open sourcing": it is merely a source code "release". "Open source" means "welcome", if you don't mean it, don't say it.

If you are tired of maintaining your old project just put a tar.gz of the last stable release up on your own site and let it die or be used. Or, at the very least, disable GitHub's issue tracker.

Open sourcing does not imply future maintenance. That's why everyone should evaluate the state of a project before starting to use it.
There is one good point made, though: if you don't plan on maintaining a project, you might as well disable issues and pull requests on Github. Leaving them on gives the (false) impression that you'll respond to them.
Putting the site on a social site and setting up an issue tracker implies future maintenance.

Making it clear in the README that no maintenance is guaranteed and disabling the issue tracker should be enough to send the message to would be users. If the OP doesn't do that he is actively implying future maintenance.

It does not imply future maintenance, any more than having an account on Facebook means that you'll reply to anyone else's comment, pokes, or app requests, or that you'll even log in again.

Having an account on Twitter doesn't mean there's an obligation to respond to every tweet directed your way.

In dating web sites there's no obligation to reply to every "hi, I'm interested in you" message.

In fact, in no social site I know of has an obligation for future engagement.

Why is code different?

You also assume that "social" => "with the world." If I want to work on a project with friends in California and New Zealand, why not set it up as a public account on github? We're being social, just not social with you. Our obligations are towards each other, not some stranger on the internet.

I disagree. It's certainly still 'open sourcing' if it's released under an open source license.

But some people (like you) will assume by default that it is supported. So be clear in your README that it ain't. I think we should start popularizing the term 'abandonware' here -- some code starts out as abandonware, but other code becomes so when the authors lose interest. We all know that using abandonware is 'riskier' to your project long-term than using supported open source, and many of us find ourselves depending on abandonware that used to be supported, and looking for alternatives. So it goes.

And especially for 'abandonware', I think it's actually much better to put it in a github repo than as a .tar.gz. One of the main uses for born-abandoned open source would be to look at the source code as an example and copy-paste from it, and a github repo makes those sorts of uses a lot easier in several ways than a .tar.gz.

If you release it under an open source license, you've open sourced it. Nothing changes if you do so with the intention of never touching it again.
Except for the neverending stream of issues that will kind of force you to keep working on your code if you are not a jerk.

Make it clear in the README that you won't provide any further support and disable the issue tracker if you don't want people to contribute or ask for help.

I don't agree. If someone releases open-sourced code, others are free to use it and modify it. Why would the developer who shared the code be a jerk if it didn't fit the needs of others?

I also don't understand why someone would expect continuous support without checking whether the project is in development or not.

>If you don't plan to maintain your code what you did is not "open sourcing": it is merely a source code "release". "Open source" means "welcome", if you don't mean it, don't say it.

This is about as incorrect a statement as one could make on the issue.

And you did nothing to explain why. Thanks for your input.
Others have already explained why. The parent poster is expressing annoyance at your presumption that others have any obligation.

In any case, your definition is in stark conflict with historical usage. "Open source" was coined in 1998 when the majority of releases were as tarballs on ftp sites, and SourceForge hadn't even started. By your definition then, all of those self-labeled open source projects of 1998 didn't actually exist.

It's also ridiculous because it means that when I die, and there's no one else who wants to support it any more, then it somehow loses its "open source" status.

You won't find any popular open-source license that mentions active development.
I agree. If somebody wants just publish sources - zip archive is enough. And this format will be answer to questions "can I rely on that?", "will security issues be fixed?", "can I ask for more documentation?". With zip archive all answers are "No". Publishing code to CVS repository means "welcome for collaboration, we expect your commits, PRs, issues".
zip archive isn't enough to find source code googling, or to view a source file in the browser to see how the code works or to copy-and-paste from it, or to use github's search feature to search the whole repo in my browser, or (if hosted on github) to press one button to fork the repo into my own github account as a convenient way of modifying it.

Those are all things i am likely to want to do with code published open source but as unsupported 'abandonware', use it as an example to look at and copy and paste from, instead of just using the product as is as without looking at the source.

In fact, the one thing I'd be less likely to want to do with abandonware -- actually install and use it, instead of just consulting it as an example -- is the one thing you haven't actually made that much more difficult by publishing only as an archive.

I have code on SourceForge that I haven't touched in 10 years. I'll only maintain it if someone pays me to work on it.

Should I shut down the SF account?

Actually, I think what you imply is publishing source code in a public repository says that I have a social obligation to work at no cost.

Why can't I charge for my time?

Why can't I ignore people I don't like?

You can, just write about it in README to not give false hopes.
You mean, "send me email if you've got a problem. I might respond if I feel like it, but don't hold your breath. If you catch me at a conference then even better. If you offer me money it's more likely to hold my interest."?

That seems rather ... needless. Surely it's better to assume that no one is obligated to respond to you than to cater to unrealistic and unreasonable hopes and promote this practice as being somehow necessarily.

I also doubt it will make a difference. People don't read READMEs in general, much less for details about support options.

How is putting a tar.gz of the file, saying people can use it under an open spouse license NOT open sourcing it? You can open source your code without putting it on github.
You can turn off issues and wikis on github repositories and force people to file pull requests to fix issues if you'd like.
You can hand it off to other people to maintain if it's something you don't want to do.

Other people can fork it if they are unsatisfied with what you're doing.

Please don't allow it to cause you any stress! Many quiet users are just grateful that devs release stuff.

No, you are not. But it boils down to what you advertise.

Perhaps declare in readme that project is unmantained and disable Issues on such project (no emails). Also declare how much hours/month you are willing to put into maintenance. And finally use separate email for OS activity, public email generates a lot of spam (viagra etc)

I actually build my living around one such abandoned project. Original idea was great, but it needed some TLC to make it usable.

I've never seen a programmer be held responsible for maintaining code.

I've seen them paid to do it. I've seen them do it because they want to. I've never (ever) seen any of them do it because someone else told them they had to.

(comment deleted)
>At my company, we depend on a lot of open-source technologies. We expect that someone will keep rails up to date, fix security vulnerabilities etc.

That's a pretty terrible, and indeed entitled, attitude to hold I must say.

>I haven't used it in a while (I don't make many presentations) but I still keep getting and responding to bug reports. What's my responsibility here? I am happy to open source my code, but I don't want the extra work of maintaining something I rarely use.

Then don't. Invite others to collaborate and submit patches themselves.

Please don't turn off issues so people wanting to try your code are aware of bugs. Just say it's unsupported.
Well, for that particular repository the README still encourages pull requests, so while that's still there I'd probably expect you to maintain the project. If you turned issues off and put in the README that you had stopped maintaining the project I'd think that would be enough.

Really, I think once you open source something you should be prepared to maintain it for perhaps somewhere between 3-6 months at a minimum. If it's popular, I'd expect you to maintain it while it's still relatively popular and people are regularly sending pull requests and reporting issues.

If the repo is still popular, I'd think that you'd probably have to hand it over to someone else if you're not going to look after it. If it's less popular, a simple note in the README should be fine.

You have no responsibility. If people want bugs fixed, they can fork it and do it themselves...
There's one thing you're responsible for that I don't see mentioned here : potentially wasting a name from the global namespace.

There are too many abandoned projects that took the easy to remember / cool names. At a smaller scale and as an exemple, nowadays if you want to implement a protocol and publish it on NPM there is 99% chances the name is taken and the implementation is poor. Too many people thrown away quick hacks only to leave them die. People willing to work and invest time in proper implementations may end up discouraged and give up trying to publish or even coding them.

Names are the scarcest resource of all. My point of view is that when you take a name you take with it the responsibility of not wasting the cognitive paths associated with it. This is not a small responsibility at all, in my humble opinion.

It probably doesn't apply to the example you gave. Just took the opportunity to voice my concern.

With golang that problem goes away :) but if you're stuck on Node, there's always several different implementations to linking libraries (although, a pain in the ass, but this isn't the fault of the open source author -- complain to Isaac for making an incredibly useless packaging system [nicest to play with though hence the popularity]).

Don't get me wrong, I love Node, but blaming an NPM problem shouldn't place blame on an open source author. None of these solutions works for you? Time to be an open source contributor :)

Golang's stance on this struck me when I saw it. "Of course". URLs have the answer embedded in their name from the beggining. There of course are pros and cons but it seems to me much saner to have URLs as package names and registries as mere search engines leveraging package metadata.

I think you're a bit rude to NPM though. It had many things right and finding defects in retrospect is always an easy task.

Regarding my involvement in open source, I have no clear picture of a solution to this problem at the moment so I will refrain, following the spirit of my previous point. I tend to publish only what I know will be firm ground for others to build upon.

> I think you're a bit rude to NPM though. It had many things right and finding defects in retrospect is always an easy task.

In retrospect, NPM was a bit rude to it's userbase. We've asked for support on custom, multiple, and private registries. PRs have even been made for them and Isaac explicitly shut them down only to later (much later) come out and talk about NPM Inc. NPM is a great tool, and the community for building upon it is absolutely fantastic and wonderful, but the leadership and advisory board behind it are pretty terrible for something as good as NPM.

May be I am a bit harsh, and I may be a bit biased coming from "the old crowd" in Node before it was the cool thing on the block (funny to think back on Rubyist snickering at me for mentioning node to them :))

At least NPM has git URLs which is nice, and may be NPM can do these things (I've abandoned it for much saner practices other than cloning a 50+gb registry, pointing to a registry that falls back to an official registry [big security no-no, at least allow checksums], etc).

Thank you for the perspective though, less whining and more typing (contributing to NPM). My anger is more so towards the leadership of NPM rather than the toolset itself and I didn't express that in my OC ^

> complain to Isaac for making an incredibly useless packaging system [nicest to play with though hence the popularity]).

If you call npm a useless packaging system, you obviously don't understand any software.

It's useless in the sense of scalability, not in terms of usefulness. Hope that clears things up.
How is all this different from DNS? I am sure people are willing to forego names by request or for some money.
If someone is using the original package, then replacing that package with a better one (with different functionality and/or a different API) could mess them up.
You don't have responsibility to maintain, but the copyright holders of the code are potentially open to liability.

When you open source something, you have to make sure it has a clear license which includes legal disclaimers of warranty and liability. For instance take a look at the disclaimers in the GPL and BSD licenses.

As far as maintenance goes, you have no contractual obligation to anyone to fix anything for them, if you aren't being paid.

http://choosealicense.com/licenses/

All open source licenses are not liable for damages arising from the use of open source code

Interestingly that page doesn't include the WTFPL [0]

As that licence doesn't include a "no-warranty" statement, and copyright is automatic in most countries (from your link), there must be a fair few open source repos on Github etc that could be liable for damages arising from the use of open source code (or at least fall into a nice grey area I'd personally rather avoid).

[0] http://en.wikipedia.org/wiki/WTFPL

That is simply not the case; only perhaps the ones listed on that page. People sometimes release code without properly licensing it. For instance I have seen code accompanied by a statement like "this code is in the public domain; anyone can do anything they wish" (without any disclaimers of liability).
You have a responsibility to your own reputation. When you publish some source, are you trying to help other developers, or are you just making a public online backup? If the former, then do so; if the latter, then just be clear what you're doing. Put "I'm just dumping this on the 'net" in the README, and people can take it for what it's worth (nothing, probably).
TL;DR You have no responsibility to keep coding, but you do have a responsibility to transition the project to a new maintainer if someone sufficiently competent volunteers.

As many others have already mentioned, it is very useful to clarify in the README what the status of the project is.

Something I would like to add is that if someone else comes along who offers to take over maintenance, that is a useful thing which you should probably accept, and then you should update your README to point to the new official maintainer. You can also explicitly mention in the README that the project is looking for a new maintainer, which to me always seems a bit friendlier than just stating you've abandoned the project.

Even if you don't officially pick a new maintainer for your project, if a couple of forks spring up on github consider linking to them from your README if they still seem active after a couple of months.

No, actually you don't have the responsibility to transition the project. It would be the nice thing do. But not a requirement
Thanks for the suggestions HN! I added a note to the top of the README and will try to wrap up existing issues. I won't delete the repo from github.
Begin rant:

I'm going to be the one who says it. I am frankly tired of the sense of developer entitlement. We get so much amazing and great work from people, yet it never seems to be enough for some. They bitch about semantic details, style choices, lack of support, and yet refuse to pay for quality services. Instead, they cockily spout "...why would I pay for that when I can just code it myself?"

I think this mentality is what separates these sort of developers from entrepreneurs. Entrepreneurs will pay for services happily that make their lives and business easier and improved, while entitled developers will just "hate" on the technical merits or "poo poo" the language, framework, or design decisions.

On to the OPs question, no you don't have a responsibility to maintain anything you give away to the community.

I would say that if anyone is obligated to maintain the code is is the people who are using it and benefiting from your initial work. (Not using "obligated" in the literal sense, more to mean "ought to").
Mentioning the state of the project in the README is useful. Additionally, you could selectively reach out to some of your users and offer them GitHub's "collaborator" status. This enables them to accept pull requests, push to master, etc.. That way your code can be maintained by people with a current interest in it.
(comment deleted)
I think it depends on how you go about it. If you just make it available and from the outset make it known that's what you're doing, then I think it's fair game. If, on the other hand, you spent time convincing people to use it and then just abandon it, I think that's kind of a jerk move. I see this happen a lot with freelancers using open source as a means to drum up clients.