I’m surprised gmail spam filters didn’t catch this.
I worry that someone may be trying to incorporate a sophisticated supply chain attack. Step 1. Troll maintainers, Step 2. Find someone to maintain who can accept malicious code. Step 3. Track where this goes
> Also, I will consider turning it over to an interested party, but I will require at least one recommendation from a Node.js core contributor that I can vet with the people that I know on that team.
Maybe not a perfect solution but it's something. Granted, a new fork might become popular but people could rightly call it into question given this statement.
Maybe. I had not considered that, but it might be right.
There are mitigations of such an attack although you will have to be careful; such mitigations might not really stop it if you are not careful.
I also worry that "hey reminder that" really doesn't do much on the internet, except maybe give the troll their moment in the spotlight.
Granted, as I say in my other comment, I don't have any magical solutions to this kind of thing :(
There are 7 billion people and at minimum, tens of millions of them are massive assholes and idiots.
I mean, there is though?
"Just get over it", "need thicker skin", "the cost of doing business in open source", etc.
You did it in your own comment even. Making excuses for shitty behavior, as if it's some natural law like gravity.
What do those sentences mean, if not suggesting that the maintainer is the one who made the wrong decision (by taking offense to the email)?
It made me realize that fundamentally these are just people, people generally are helpful and nice, and they also like hearing positive things said about them. It was a good lesson to learn at a fairly young age.
[1] To be clear I was extremely polite, no criticism was tossed their way!
The important context is the app had its own custom keyboard. I used the app personally, and recommended it to a customer to solve a problem they were having. It turned out that the newest version would not work because it had removed some of the Fn-keys.
I e-mailed the developer to ask for some guidance. At the time I figured it maybe had something to do with the viewport size, and was just trying to diagnose the issue. (I had an iPad mini, while the customer had purchased I think a 9th gen iPad. I wanted to know if a different device would solve the problem.)
The guy e-mailed me back and was like "Oh, yeah, I changed that last week while making the new keyboard layout. I'll revert it and push out a new build." - I had a similar epiphany at that point where it was like "this guy is a dev just trying to navigate tradeoffs and ship the best app he can." - Also the tradeoffs are never as straightforward as one would think.[1]
I suspect a lot (most?) of apps in the App Store and the Play Store fall into this category, just like most repos on GitHub. People are putting their projects out there; obviously they're not immune to criticism, but I think it's important to remember that most of these people aren't Tim Cook, they're not making a living promoting stuff and taking shit people throw, they're just engineers sharing code with the world.
> Also the tradeoffs are never as straightforward as one would think.
Yep, completely agree; the obvious "solution" is to make everything configurable, and that can work to some extent, but then you risk an "oops I reinvented interpreters" moment, and then you made the app impossible to use for non-geeks. There's almost never a "correct" way to do it to satisfy everyone.
What do you suggest? This is basically unpolicable in a world with anonymous ways of getting people to see text.
Try using the language in that email the next time you talk to a cashier and see how long it takes to get you escorted from the premises.
The “don’t feed the trolls” or “just accept that people do this” nonsense has just meant “let scumbags do stuff they’d never be permitted to do in person” as much as they want with no consequences.
It would be trivial for Google to verify this email did come from an actual Gmail account, and then provide information about any associated accounts if it was - their entire business model is built on doing just that.
While we can try to improve the reality, it is the reality today and difficult to improve. There is always a small percentage of people that are bad.
I maintain a couple semi-famous open-sourced projects and get a criticism (of course a milder one than what OP got) once in a while. I read them and only take what is useful.
I always always thank them for feedback whether the feedback is good, bad, or abusive. I never argue that the users are wrong. I might help correct their understanding, but I'd say: I can see why it can be misunderstood.
This is because, if you start arguing with users, it leaves a bad taste in other users even if you are right.
I used to look at one open-sourced project where the maintainers taunted the users to implement the change themselves because it's "the benefit of an open-sourced project". It kinda turned me away from the project.
First one was in 2013/2014 when I said by the current trajectory TSMC is going to overtake Intel by 2020. Second was Intel losing the Smartphone Modem and Foundry battle about a year later, due to failure to forecast capacity.
For a lot of these reasons I simply left most of the online hardware communities and forums.
It is strange a lot of people think of brands in Tech as if they are religion. And internet in the 10s is really different to the 00s.
Like many popular creators today are learning, we all must "stop reading the comments", lest we never put anything out there ever again, for fear of critical feedback.
There's always a last straw.
I wish I could say that everyone should be exposed to some aimless and unfair adversity while growing up, it helped me grow some thicker skin.
But I've met people who really can't handle it, and exposing them to even a bit of it would be unethical, it wouldn't help them in any way. Some people are really sensitive, on the edge of mental stability, with crumbling self respect, or whatever other issues. Abuse like this does affect them significantly. Such people are the perfect victims for these immature trolls, and I really don't see a way to help them.
I remember hanging out on forums as a teen, and there was this script kiddie who would hound users on some local forums and IRC servers, both plainly insulting and/or threatening them, and trying to 'hack' them. He was annoying, but I was so used to these edgy insults and such that I never took them seriously (just a bit of roughhousing among teens)... Yet he was really successful in pissing people off and made a significant number of them leave. He was banned many times, but would just re-join with new account(s) (the joys of dynamic IPs every time you dial in). Took him years to quit.
If you're offended by things like this to be affected significantly (we're all affected a bit), don't be fooled, you're worse off than people who aren't. It's not your fault by any means. But finding a way to care less about things like this, if possible, will improve your wellbeing. You can ignore and / or react (which might make it worse), but there's not much you can do against assholes without ushering in censorship, surveillance, or making everything worse otherwise. You can't fix other people, but you can at least try fixing yourself.
If you have some bored idiot on the other side, you leaving might encourage them to abuse you even more. If you yield further, then you've allowed yourself to be shut out from the public Internet, depriving yourself of the satisfaction of contributing to projects.
My point is that you need to try to be rational in these (emotional) situations, and think about the consequences of your decisions. Sometimes the best solution will affect you more than the abuser, which feels really unfair, but the alternatives are simply worse.
You're wrong, everything is an opportunity to better yourself. It's up to you whether or not you choose to take advantage of opportunities. Certainly you can choose not to, you can choose to tap out and quit, but as it is a choice so also is it an opportunity.
Lol, HN... you never cease to crack me up.
But that's also moot - people don't have a right to abuse others, people have a right to not be subjected to this kind of abuse.
If a person is not allowed to halt a project when they receive abuse, then you're saying that they are required to accept abuse as part of their (typically) unpaid labor. There is a huge difference between "I am willing to put up with this" and "You are required to put up with this". You are saying that because the former applies to you, that therefore the latter applies to everyone.
I get that this is the long term outcome of the "don't feed the trolls" concept, which is tacitly the message "being a troll is a-ok", which has led people like this ass to think that just because they can send this kind of shit, that it's ok to.
But if you're leaving because of abuse, you're both letting the troll win and potentially opening yourself to more abuse.
If you're sufficiently enraged by trolls, you may overreact, and start supporting policies that are more damaging than the trolling itself, like supporting surveillance or forcing KYC on everything.
Let me qualify this by saying that I support reporting people for abuse to the authorities if that's a thing where you live, but I don't support asking for more surveillance just to catch trolls.
I see this pattern every day, on every level: "I'm being victimized and something needs to be done about it". I hope that people will think about what "something" is and make sure it's not making things even worse.
To be clear, I don't want to sound callous or say that this is, in the long term, the cost of doing business in open source (it absolutely should not be); but if you're a person with a publicly-routable email (say, via git committer or author metadata), on a long enough timeline, someone awful's liable to find it and use it maliciously.
My opinion (admittedly, not having been on the receiving end of something this pointlessly awful) is that it's better not to fold to these kinds of attacks. These people are basically schoolyard bullies, and usually attention-seekers. Validating their attempts only encourages more behaviour like this.
I hope the former maintainer is doing well, and I hope this message doesn't come off as disrespectful or harmful. If it does, I'm very open to hearing about alternative approaches.
You make a point that we shouldn't just cave to any jerk that comes along and uses your code, which makes some sense. There is a silent user majority that appreciates these projects (or doesn't think enough about them). I'd advocate saying thanks, but if everyone did that might be a time suck for the developer, so maybe use the "star" if on GitHub, or contribute if that is an option.
I agree with you that it is generally better not to fold to these kinds of attacks.
However, the README.md does mention other reasons why they would not really want to maintain it for sure anyways. Furthermore, the maintainer can make their own decision about what to do with it (whether or not other people agree with it).
And, since it is FOSS, it is not much of the problem if the maintainer decides to stop maintaining it, since FOSS is possible to fork the project and other people to work on it too, anyways.
This is not an excuse for writing such a bad email message, but nevertheless someone might do so and therefore you will have to decide how to deal with it. (I think it is best to ignore it, but of course everything will influence anyone)
People are full of hate and tend to dehumanise other people over internet, while they would be (possibly) nice to them in person. Something is in the internet that people's hate is magnified...
It's tragic that things like this happen, but posting and discussing the troll's (fake) name, their tirade, and the terrible impact that they had on a maintainer is not going to make things easier for maintainers. On the contrary, it's just going to give copycat trolls inspiration and something to aspire to, a sort of "victory" end game.
The author of that email doesn't care about LDAP, they don't care about JavaScript libraries, they're just a troll. Rule #1 of the internet is "don't feed the trolls".
1. Limit how often you say the shooter's name, don't give details about any manifestos / letters and etc from the shooter.
2. Avoid playing lots of video / audio of screaming / chaos.
3. Tell stories about the victims, give their names often, tell their story.
4. Tell stories about people supporting each other, the community responding and coming together.
Honestly, it makes for better news too IMO.
I have a sample size of 1, so I can't ascribe too much to "these damn kids," but it seriously strikes me as having learned written language primarily from texting & instant messaging. Whereas I grew up roughly by transitioning from: reading books -> writing mails to pen pals-> writing e-mails -> web chats -> T9 texting -> modern IMEs. In other words I initially learned to write with long-form content and learned to condense it down later. These days I think people are just learning straight from the condensed version.
The other reason I don't think it's an LLM is simpler: most commercial LLMs wouldn't be "aligned" to be that rude, and the smaller LLMs I've seen wouldn't be able to inject relevant code snippets from a relatively unpopular library into the output.
I would not be surprised if this person misused the library, got called out for it in code-review (calling the iterator multiple times is a huge code-smell), and now they are soothing their ego by shifting blame onto the library author for making "such a bad API."
>I would not be surprised if this person misused the library, got called out for it in code-review (calling the iterator multiple times is a huge code-smell), and now they are soothing their ego by shifting blame onto the library author for making "such a bad API."
It could be that but then again it's his or her fault not the maintainer's. At the end of the day, s/he has some serious anger control issues if that's true.
>The other reason I don't think it's an LLM is simpler: most commercial LLMs wouldn't be "aligned" to be that rude, and the smaller LLMs I've seen wouldn't be able to inject relevant code snippets from a relatively unpopular library into the output.
You can modify some open source LLM to talk trash, meaning teach it to hate and disrespect.
Today I've hit the limit of stupid on the internet, time to go home and go for a walk and not think about how absolutely awful some people can be.
Not that I've ever had a need for this project, but, Diego, you're a terrible human being.
I do worry that trolls who really don't care if they quit maintaining this software have outsized influence on things and the outcome of a decision like this. And the decision MIGHT only impact everyone but the troll, and maybe even encourage such bad behavior.
Recall an actress who noted how much abuse she received over the internet for how she looked. She announced she wasn't going to do something (it was something related to her clothing) as a response. It was presented as almost a punishment, but I couldn't help but wonder who was driving the bus / decisions in that situation.
Still, I respect the maintainer's choice and I have no magic solutions for this.
But I can respect doing it. Let someone else care about it, maybe they fork it. Maybe it just sits archived.
However, whoever wrote the email message did not decommission the project; it is whoever maintains the project that did so, due to receiving such an email message. I think that might be unnecessary to decommission the project just due to one message like that, but it is their choice to maintain or not maintain it, or to decommission it. (Anyways, if you receive too many messages like that then you might be too stressed to work on the project properly.)
Although, still they should not have written such an email message, because it is no good. It does contain an actual comment about the program (although I am not familiar with the program to know whether or not the complaint is legitimate), but that is a very bad way of writing it.
(Other comments also mention that stuff like this may be used to attack the project to make a version with malware if the original maintainer won't then someone else will and will add malware. It is a legitimate concern, which should be considered seriously, but one that can be handled whether or not this maintainer decides to maintain this project or not.)
I don't think I've ever received anything this horrible ever; when I was attempting to make videos on early (~2008) YouTube as a teenager, I definitely got a lot of death threats though, so much so that someone made a whole-ass video threatening to kick my ass because they thought I said something bad about people in wheelchairs (I did not, I genuinely have no idea how they even came to that conclusion).
The internet is simultaneously the best and worst invention that humans have ever made. It allows people to be their true selves, for all that entails.
/s