We asked Devon about where bounties might fit into GitHub Sponsors when we had her on The Changelog, and most of what she said then is reflected in this post, but fleshed out and explained in greater detail.
We recently talked with Josh Aas on The Changelog #389 about securing the web with Let’s Encrypt. At the tail end of the conversation Josh shared his passion for memory safety, saying “we need to rewrite all the software that we already wrote in C and C++, and replace it.” My guess is that this move with Daniel and curl takes us several steps further in this direction.
Memory safety vulnerabilities represent one of the biggest threats to Internet security. As such, we at ISRG are interested in finding ways to make the most heavily relied-upon software on the Internet memory safe. Today we’re excited to announce that we’re working with Daniel Stenberg, author of the ubiquitous curl software, and WolfSSL, to make critical parts of the curl codebase memory safe. … ISRG is funding Daniel to work on adding support for Hyper as an HTTP back-end for curl. Hyper is a fast and safe HTTP implementation written in Rust.
Hayden Barnes explains how Windows and Linux exist in a “cosmic duality” and whether or not Microsoft will ever “shift the core of the Windows operating system to the Linux kernel.”
I have a unique perspective on Microsoft’s Linux involvement. I help deliver Ubuntu on Windows Subsystem for Linux in my job at Canonical. … I have become somewhat of an intermediary between the Microsoft and Linux communities. It is something I am glad to do. There are creative, kind, and fascinating people in both communities. Interesting things happen when the lines between them blur. Fostering cross-pollination will make computing better for everyone.
We’re joined by Jim Haughwout (Head of Infrastructure and Operations) and Stefan Ålund (Principal Product Manager) from Spotify to talk about how they manage hundreds of teams producing code and shipping at scale. Thanks to their recently open sourced open platform for building developer portals called Backstage, Spotify is able to keep engineering squads connected and shipping high-quality code quickly — without compromising autonomy.
Antirez on the strange relationship between money, open source, and the code we write on the job:
Open source is different, it’s an artifact, it’s a transposition in code of what you really want to do, of what you feel software should be, or just of all your fun and joy, or even anger you are feeling while coding… It’s not about money. You can ignore bugs if you want, and ignore their complaints, you can do that since you don’t have a contract to do otherwise, but they are helping you, they care about the same thing you care about: your software quality, grandiosity, perfection.
The Hacktoberfest team has responded to the concerns of Hacktoberfest hurting open source, saying…
We apologize for the impact this spam is having on the community. We often talk about intent versus impact and this is a classic example. Hacktoberfest aims to celebrate open source with positive engagement between contributors and maintainers alike. Unfortunately, the actions of some participants led to unintended consequences for all. They’ve overwhelmed maintainers and steamrolled other participants in an effort to receive a T-shirt they didn’t really earn.
Despite this, we are confident that, with your help, we can make things better. We’ve already started making changes to the program to help reduce spam and there is much more work planned in the days ahead.
And specifically to maintainers…
We’re sorry that these unintended consequences of Hacktoberfest have made more work for many of you. We know there is more work to do, which is why we ask that you please join us for a community roundtable discussion where we promise to listen and take actions based on your ideas.
We’re big fans of what Hacktoberfest represents, but maybe it’s time to rethink the model. The burden falls primarily on maintainers, as Domenic Denicola outlines in this post – going as far as to describe Hacktoberfest as “a corporate-sponsored distributed denial of service attack against the open source maintainer community.”
In reality, Hacktoberfest is a corporate-sponsored distributed denial of service attack against the open source maintainer community.
So far today, on a single repository, myself and fellow maintainers have closed 11 spam pull requests. Each of these generates notifications, often email, to the 485 watchers of the repository. And each of them requires maintainer time to visit the pull request page, evaluate its spamminess, close it, tag it as spam, lock the thread to prevent further spam comments, and then report the spammer to GitHub in the hopes of stopping their time-wasting rampage. … The rate of spam pull requests is, at this time, around four per hour. And it’s not even October yet in my timezone.
This screenshot of issues on whatwg/html labeled as spam was taken moments before posting this.
Gitter is exiting GitLab and entering the Matrix…ok, we couldn’t help ourselves with that one. Today we’re joined by Sid Sijbrandij (CEO of GitLab) and Matthew Hodgson (technical co-founder of Matrix) to discuss the acquisition of Gitter. A little backstory to tee things up…back in 2017 GitLab announced the acquisition of Gitter to help push their idea of chatops within GitLab. As it turns out, the GitLab team saw a different path for Gitter as a core part of Matrix rather than a non-core project at GitLab. We talk through all the details in this episode with Matthew and Sid.
Today we welcome Hisham Muhammad into our Maintainer Spotlight. Hisham is the creator of htop, a well-known cross-platform interactive process viewer. This conversation with Hisham covers the gamut of being an open source software maintainer. To set the stage, a new version of htop was announced, but not by Hisham – it was a kind takeover of the project, and needless to say Hisham was surprised, but ultimately relieved. Why? Well, that’s what this episode is all about…
David Bryant shared the details and transition plans for WebThings as it’s being spun out of Mozilla as an independent open source project. Mozilla is “transitioning control and responsibility to the community,” and the project’s new home will be webthings.io.
Governance of the project will be passed to the community using a module ownership system independent of the Mozilla Corporation’s organisational structure, like the one used by the core Mozilla project. … The WebThings project will no longer be directly affiliated with the Mozilla Corporation so will stop using Mozilla trademarks and will instead operate under its own WebThings brand.
Open source software shows its resiliency once again:
youtube-dlc is a fork of youtube-dl with the intention of getting features tested by the community merged in the tool faster, since youtube-dl’s development seems to be slowing down.
If you’re unaware of youtube-dl, it’s like a Swiss Army Knife for downloading videos from the web. It’s a great tool and I’m happy to see the community rally around its maintenance.
Earlier this year on February 2nd, 2020 Jon Evans and his team of archivists took a snapshot of all active public repositories on GitHub and sent it to a decommissioned coal mine in the Svalbard archipelago where it will be stored for the next 1,000 years.
On this episode, Jon chats with Jerod all about the GitHub Archive Program and how they’re preserving open source software for future generations.
The why of the project from Craig Mod is what’s interesting…
Kickstarter is an excellent way to run a crowdfunding campaign. But if you already have a community built up, and have communication channels in place (via a newsletter, for example), and already run an online shop, then Kickstarter can be unnecessarily cumbersome. Kickstarter’s 10% fee is also quite hefty. By leaning on Shopify’s flexible Liquid templating system and reasonable CC processing fees, an independent publisher running a campaign can save some ~$7,000 for every $100,000 of sales by using Craigstarter instead of Kickstarter. That’s materially meaningful, especially in the world of books.
There’s also a step-by-step walkthrough on setting things up here ~> https://www.youtube.com/watch?v=DXP9iKARaYY
Max Braun thinks today’s webcams are boring, so he brought back a classic. Max took an Apple iSight and retrofitted it with a $5 Raspberry Pi Zero, which “fits the iSight’s dimensions almost perfectly.”
The PiSight actually works like you’d expect it to. Just plug in the USB cable and the camera will show up in your video conferencing app of choice. The image quality is quite good, possibly better than the built-in camera of today’s MacBooks.
The best part is you can do this too because Max made all the plans available as open source.
Just in case you’re not completely taken aback by the absurdity of this project and are now considering building your very own PiSight, rest assured that I’m making everything available as open source.
The GitHub repo has a list of parts and where to get them, the 3D-print-ready model of the frame, and the source code. I’m thinking it should be possible to get the total cost down to under $150. I had to spend a bit more than that because I needed to experiment and opted for higher-end materials.
Carbon is an open source web app that helps you create and share beautiful images of your source code. Whether you’ve used Carbon personally or not, odds are you’ve seen its dent on the universe of social code sharing. Mike Fix has been maintaining Carbon for a few years and he’s embraced the project as an opportunity to experiment and practice working in public.
On this Maintainer Spotlight episode, we chat with Mike about building Carbon, growing its community, sustainability models, and why he loves the world of open source.
Let me just cut straight to it: I’m going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.
It’s not open source yet, but it will be and Troy lays out his thinking and the process in this excellent write-up. Since HIBP’s data is both sensitive and the entire point of the software, there will be special consideration taken with it:
I need to really clearly break this part of the discussion out because whilst open sourcing the code base is one thing, how the data is handled is quite another. There’s no way to sugar coat this so I’ll just lay it out bluntly: HIBP only exists due to a whole bunch of criminal activity resulting in data that’s ultimately ended up in my possession.
Then there’s the privacy side of it all: my own personal data is in those breaches and your data almost certainly is too because there are literally billions of people that have been impacted by data breaches. Regardless of how broadly that information is circling, I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent. That’s non-trivial. Doable, but non-trivial.
Nadia Eghbal is back and this time she’s talking with us about her new book Working in Public. If you’re an old school listener you might remember the podcast we produced with Nadia and Mikeal Rogers called Request for Commits. If you weren’t listening then, or can’t remember…don’t worry…the back catalog of Request for Commits is still online and subscribe-able via all the podcast ways. That podcast is still getting listens to this very day!
Obviously we go way back with Nadia…and having a chance to now talk with her through all the details of her new book Working in Public was a milestone for this show and for Jerod and me. We talked through the reasons she wrote the book in the first place, Nadia’s thoughts on the future of the internet and the connection of creators to the platforms they build their followings on, and we also talk about the health of projects and communities and the challenges we face on the internet at large as well as right here in our backyard in the open source community.
Have you heard of the GitHub Arctic Code Vault? If not, the goal of GitHub Arctic Code Vault is to preserve open source software for future generations. Which means we need thorough docs describing how the world makes and uses software. Which I find completely fascinating!
We are now also opening up the initial compilation of Tech Tree resources to community input. Inspired by the Long Now Foundation’s Manual for Civilization, the Tech Tree is a collection of technical works which document and explain the layers of technology on which today’s open-source software relies, along with works included to provide additional cultural context for the Arctic Code Vault.
What follows, which we call the Tech Tree, is a selection of works intended to describe how the world makes and uses software today, as well as an overview of how computers work and the foundational technologies required to make and use computers. The purpose of the GitHub Archive Program is to preserve open source software for future generations. This implies also preserving the knowledge of other technologies on which open-source software runs, along with a depiction of the open-source movement which brought this software into being.
With Microsoft’s strong push into open source it is easy to assume that they are fully open source and that their flagship code editor and its cool LiveShare and Remote extensions are there to play nice with the wider world of free software and open source. This is not entirely the case as this post outlines.
You’ve likely heard a lot about Google’s monorepo and how it impacts the org’s development productivity, but have you heard how it makes managing their open source efforts easier as well?
Adam loves a good dark theme and supporting a fellow creator, and Hedy Li finished the episode we did with Nikita Prokopov covering FiraCode and reached out saying Zeno Rocha’s work on Dracula deserved the same credit. We agreed. So we linked up with Zeno about his passion for open source, how he’s changed his mind on making money with open source, his big release of Dracula Pro and the future of Dracula, and of course his new book – 14 Habits of Highly Productive Developers. Check for a link in the show notes for details on how to get your hands on Zeno’s book for free through our giveaway.
GitHub Sponsors is a step forward, but is far from a panacea. I propose “sponsorship pools”, an alternative approach to OSS sustainability.
We’re joined again by José Valim talking about the recent acquihire of Plataformatec and what that means for the Elixir language, as well as for José. We also talk about Dashbit, a new 3-person company he helped form from work done while at Plataformatec to help startups and enterprises adopt and run Elixir in production. Lastly we talk about a new idea José has called Bytepack that aims to help developers package and deliver software products to developers and enterprises.
Daniel and Chris get you Fully-Connected with open source software for artificial intelligence.
In addition to defining what open source is, they discuss where to find open source tools and data, and how you can contribute back to the open source AI community.
A listener request led us to Nikita Prokopov and FiraCode, and we’re sure glad it did. When we think of open source software, fonts aren’t usually high on the list of things that need maintaining. That’s not true when your font also supports hundreds of programming ligatures like FiraCode does. Nikita has his hands full!