GitHub calls for input on open source sustainability

By Marilyn de Villiers
Johannesburg, 21 Jan 2019
OSS contributors are often on the receiving end of harassment, demands and disrespect.
OSS contributors are often on the receiving end of harassment, demands and disrespect.

In a move aimed at enabling improved support of open source software (OSS) contributors and maintainers, GitHub last week launched an initiative to better understand the frustrations and problems facing the individuals and teams on whom the sustainability of OSS depends.

This is according to Devon Zuegel, who recently joined GitHub as its open source product manager. As a first step, Zuegel has set up a short questionnaire/contact form asking open source contributors and maintainers to be part of the conversation.

"OSS makes world-class tools available to everyone. It feels so routine now, but ... every 'import' or 'include' statement is the contribution of a team of experts who, together, have devoted immense energy to the problem so that each developer importing their work doesn't have to.

"OSS maintainers and contributors build tools for the rest of us, yet they don't have all the tools, support, and environment they need to succeed," she wrote in a blog explaining the initiative.

Among the problems she highlighted were lack of communication resources, work overload, inadequate resources, sparse analytics, insufficient recognition and inadequate governance.

Then there are the problems of "asymmetric recognition", where "hard work, including project maintenance, can go unnoticed and unrecognised" by project users, and, the flip-side of that: abuse.

Zuegel pointed out that OSS contributors are often on the receiving end of "harassment, demands and general disrespect, even as they volunteer their time to the community".

The same issue was raised by two open source maintainers, Nick Randolph and Geoffrey Huntley, at the NDC Sydney 2018 conference, who noted the majority of OSS software the world depended on was built by volunteers.

The licence did not specify who was responsible for its subsequent maintenance, and blaming volunteer maintainers for anything that went wrong was unfair, they noted. They stated that users, contributors and maintainers together were equally responsible.

Flatmap-stream incident

An example of the problems around OSS maintenance was highlighted in November, when it was disclosed on the GitHub EventStream repository that the popular event-stream package contained a malicious package, "flatmap-stream".

It turned out that the package's author, Dominic Tarr, passed on the burden of its maintenance to a volunteer, right9ctrl, who promptly embedded the malicious package.

The EventStream community erupted, with Tarr the target of considerable abuse for handing over ownership to a total stranger.

Tarr's defence, that he hadn't used the package for years and the stranger had e-mailed him to volunteer taking over maintenance, a task for which he had never received anything, elicited little sympathy from angry users.

However, he also received some support, notably from another open source hacker who pointed out that because Tarr had bothered to give ownership away showed he had at least cared enough to do something he believed would benefit the community.

"Not caring would be doing absolutely nothing at all. That's the case quite often, and OSS maintainers get criticised for that too," the hacker declared.

But another angry user shot back: "There is a huge difference between not maintaining a repo/package vs giving it away to a hacker (which actually takes more effort than doing nothing), then denying all responsibility to fix it when it affects millions of innocent people."

In a statement thanking those who had supported him, Tarr noted: "I'm okay. But this is really a much bigger issue (the viability of open source). I'm glad that this incident is raising awareness."

Zuegel hopes the GitHub initiative will keep the spotlight on the issue, and enable the broader OSS community to address it, and hopefully find solutions.