[HN Gopher] From zero to hero: contributing to open source (2017)
___________________________________________________________________
 
From zero to hero: contributing to open source (2017)
 
Author : mparnisari
Score  : 42 points
Date   : 2021-11-14 19:44 UTC (3 hours ago)
 
web link (miparnisariblog.wordpress.com)
 
| hutch120 wrote:
| Next step is to figure out how to transfer the value generated by
| the consumers to the value created by the contributors... maybe
| crypto services like https://www.algorand.com/ ?
 
  | AlexAndScripts wrote:
  | You're doing a incredibly bad job of seeming genuine.
 
    | hutch120 wrote:
    | What, unless I complain about something I'm a troll? This
    | forum is turning into a massive old farts forum for what's
    | wrong with the world.
 
| danslo wrote:
| >Now I felt even more excited. I could push fixes and refactors
| without having to wait for someone to code review them.
| 
| Am I the only one feeling uneasy about this?
 
  | capableweb wrote:
  | Yes and no. Open source is built on trust, something we're
  | starting to feel the backsides of today, where npm modules
  | sometimes get compromised, but people also get shared
  | responsibility over shared resources like reusable libraries.
  | 
  | I'm torn if it's good or bad really. I feel like our tools
  | should do more to protect us, but until we get there, maybe we
  | do need to be more careful with who we're giving our trust to?
 
| Zababa wrote:
| I'll preface this by saying that I have nothing against the
| author, I'm just trying to make a point about the NPM ecosystem
| and supply chain attacks.
| 
| > The problems seemed easily solvable and would require some
| moderate amount of work.
| 
| > When that got merged, surprise! I was made a project
| contributor.
| 
| > Now I felt even more excited. I could push fixes and refactors
| without having to wait for someone to code review them.
| 
| Think about this, and then think about your dependencies. How
| easy is it to pay a few people full time to contribute to the
| edges of the NPM ecosystem (deep dependencies, forgotten
| dependencies) to then slowly take control over some packages?
| Every result that's shown with "npm fund" is a potential target.
| Famously, Express was sold to a company (though this wasn't for
| supply chain attacks, but for clout I think?).
| 
| Of course that's also the good part of open source NPM-style: in
| some places there isn't much red tape. But I'm wondering if
| companies should rely on processes like that. That seems
| dangerous.
 
| leeoniya wrote:
| [2017]
 
  | dang wrote:
  | Added. Thanks!
 
___________________________________________________________________
(page generated 2021-11-14 23:00 UTC)