- Minimum Viable EC2 in Terraform
- Storylets in Ink
- Interactive Fiction Tooling Overview
- In-Place Resizing for Digitalocean Droplets
- Unity Demonstrates the Importance of FOSS
- Target Labels in Prometheus
- My View of AI is the Same
- Verify DNS Ownership with TXT Records
- Sane Droplet Defaults
- Editing Made Easy with Vim
- Gatsby Gotchas
- Concatinating Default AWS Tags in Terraform
- Easily Updating the Default Github Branch
- Lifetimes in Rust
- Checking for Bad Links
- Maybe TypeScript and React is Bad
- Static Asset Management in React
- Bundler Down Time
- Using React Context for Localization
- JS Implementation of a Sticky Footer
- Custom Aliases
- Trying Out the 7drl Challenge
- Trash Opinions
- Building Your First Program in Rust
- Fixing mongod reports errors related to opening a socket
- Improving Open Source Maintenance
- Technical Interviewing Tips
- Housekeeping Note
- Dynamic Programming Basics
- The Oddity of Naming Conventions in Programming Languages
- An Experiment Using Machine Learning, Part 3
- Debugging with grep
- An Experiment Using Machine Learning, Part 2
- An Experiment Using Machine Learning, Part 1
- The Value of while
- National Day of Civic Hacking
- OpenAI and the Future of Humanity
- Creating a Whiteboard App in Django
- Creating Meaningful, Organized Information
- Towards A Critique of Social Media Feeds
- Setting up Routes in Django
- Developing a Messaging Component for Code for SF
- Dream Stream 2.0
- Keyed Collections in Javascript: Maps and Sets
- Blog Soft Relaunch
- Scraping with Puppeteer
- Looking Ahead to Dream Stream 2.0
- Solving West of Loathing's Soupstock Lode Puzzle
- Installing Ubuntu
- Interview with David Jickling Evaluation
- Compare Text Evaluation
- Dream Stream Evaluation
Improving Open Source Maintenance
A little over a week ago there was a major compromise in security as a result of a social engineering attack. You can read more about it in the npm blog post about it. This kind of attack has always been a source of anxiety for developers working in the Node ecosystem. I can’t think of any project I’ve worked on in Node that didn’t involve installing something using npm. In some cases, like for my Dream Stream app, the dependencies are mercifully brief (Express, Express-Handlebars, Request, and Body-Parser). Unfortunately a much more common scenario is to have a npm_modules folder that contains hundreds of subdirectories. If you create a fresh Angular or React project, you’ll notice that your project folder is already over 100MB in size thanks to all the various dependencies involved. The idea that anyone might be able to review and monitor all these dependencies is far outside the realm of what is possible.
This leaves developers with two awful choices: swear off using external tools in development, or take your chances and hope for the best. And since the first choice would put anyone at a huge competitive disadvantage in the marketplace this means of course that in practice there is only one awful choice: everyone has been forced to take their chances and hope the libraries they use are not made vulnerable by malicious actors.
Is there a way out of this scenario? Personally, I can see only one other alternative. From my perspective this looks like a marketplace failure. There are codebases that are valuable enough to people that they are worth using because they shorten development time with useful abstractions. The problem is that in many instances maintenance of a codebase isn’t worth the effort for the original developer. And a lack of maintenance exposes that codebase to security threats. If there were better mechanisms for paying developers to maintain a codebase, that would reduce the potential risks, and also send useful signals for developers to understand how valuable their work is for their peers. Imagine a system somewhat like royalties for musicians, where an agency was responsible for collecting fees from developers using open-source libraries, and distributing those fees appropriately.
Unfortunately such a solution would still face incredibly challenging implementation details. You would need figure out the right amount of money that would need to be involved. If you charge and reward too little, then it still won’t be worth a developer’s time to maintain a codebase, and nothing gets solved. On the other hand if you charge too much then you create too much of a disincentive to using open-source code. Things are further complicated by uneven distributions for costs of living, purchasing power parity, etc. So that means what is the right price point for one area of the world won’t be for others. Nonetheless, these are details that can be adjusted for and figured out over time. The alternative is the status quo.