[HN Gopher] From zero to hero: contributing to open source (2017)
       ___________________________________________________________________
        
       From zero to hero: contributing to open source (2017)
        
       Author : mparnisari
       Score  : 42 points
       Date   : 2021-11-14 19:44 UTC (3 hours ago)
        
 (HTM) web link (miparnisariblog.wordpress.com)
 (TXT) w3m dump (miparnisariblog.wordpress.com)
        
       | hutch120 wrote:
       | Next step is to figure out how to transfer the value generated by
       | the consumers to the value created by the contributors... maybe
       | crypto services like https://www.algorand.com/ ?
        
         | AlexAndScripts wrote:
         | You're doing a incredibly bad job of seeming genuine.
        
           | hutch120 wrote:
           | What, unless I complain about something I'm a troll? This
           | forum is turning into a massive old farts forum for what's
           | wrong with the world.
        
       | danslo wrote:
       | >Now I felt even more excited. I could push fixes and refactors
       | without having to wait for someone to code review them.
       | 
       | Am I the only one feeling uneasy about this?
        
         | capableweb wrote:
         | Yes and no. Open source is built on trust, something we're
         | starting to feel the backsides of today, where npm modules
         | sometimes get compromised, but people also get shared
         | responsibility over shared resources like reusable libraries.
         | 
         | I'm torn if it's good or bad really. I feel like our tools
         | should do more to protect us, but until we get there, maybe we
         | do need to be more careful with who we're giving our trust to?
        
       | Zababa wrote:
       | I'll preface this by saying that I have nothing against the
       | author, I'm just trying to make a point about the NPM ecosystem
       | and supply chain attacks.
       | 
       | > The problems seemed easily solvable and would require some
       | moderate amount of work.
       | 
       | > When that got merged, surprise! I was made a project
       | contributor.
       | 
       | > Now I felt even more excited. I could push fixes and refactors
       | without having to wait for someone to code review them.
       | 
       | Think about this, and then think about your dependencies. How
       | easy is it to pay a few people full time to contribute to the
       | edges of the NPM ecosystem (deep dependencies, forgotten
       | dependencies) to then slowly take control over some packages?
       | Every result that's shown with "npm fund" is a potential target.
       | Famously, Express was sold to a company (though this wasn't for
       | supply chain attacks, but for clout I think?).
       | 
       | Of course that's also the good part of open source NPM-style: in
       | some places there isn't much red tape. But I'm wondering if
       | companies should rely on processes like that. That seems
       | dangerous.
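The comment above worries about the deep, forgotten edges of a dependency tree. A defender's first step is to actually enumerate those edges and see which transitive packages have the weakest provenance. The script below is an added example, not code from the thread or from any project it mentions: it walks a constructed `package-lock.json` (lockfileVersion 2 layout, with made-up package names and integrity strings), computes each package's depth from the root by following the `dependencies` maps, and flags entries that lack an `integrity` hash or that resolve to somewhere other than the public registry. It assumes a flat, hoisted `node_modules/<name>` layout with no nested `node_modules` trees, which is a simplification of what npm can produce.

```python
import json
from collections import deque

REGISTRY = "https://registry.npmjs.org/"

# Constructed sample package-lock.json (lockfileVersion 2 layout).
# Package names, URLs and integrity values are made up for this example.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"web-framework": "^1.0.0"}},
        "node_modules/web-framework": {
            "version": "1.0.0",
            "resolved": REGISTRY + "web-framework/-/web-framework-1.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED1",
            "dependencies": {"tiny-util": "^2.0.0", "color-helper": "^0.3.0"},
        },
        "node_modules/tiny-util": {
            "version": "2.0.0",
            "resolved": REGISTRY + "tiny-util/-/tiny-util-2.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED2",
            "dependencies": {"leftover-pad": "^0.1.0"},
        },
        # Pulled straight from a git URL: no registry tarball, no integrity hash.
        "node_modules/color-helper": {
            "version": "0.3.0",
            "resolved": "git+ssh://git@github.com/example/color-helper.git#abc123",
        },
        # A deep, forgotten dependency with no integrity hash recorded.
        "node_modules/leftover-pad": {
            "version": "0.1.0",
            "resolved": REGISTRY + "leftover-pad/-/leftover-pad-0.1.0.tgz",
        },
    },
}


def dependency_depths(lock):
    """Breadth-first walk from the root entry ("") over each package's
    'dependencies' map. Returns {package path: depth}. A name is resolved
    to the hoisted path node_modules/<name> only (assumption: no nested
    node_modules trees in the lockfile)."""
    packages = lock["packages"]
    depths = {}
    queue = deque([("", 0)])
    while queue:
        key, depth = queue.popleft()
        for name in packages.get(key, {}).get("dependencies", {}):
            child = "node_modules/" + name
            if child in packages and child not in depths:
                depths[child] = depth + 1
                queue.append((child, depth + 1))
    return depths


def audit_lock(lock):
    """Return [(package path, depth, [findings])] for packages whose
    lockfile entry gives weak provenance, deepest packages first."""
    depths = dependency_depths(lock)
    results = []
    for key, entry in lock["packages"].items():
        if key == "":
            continue  # the root project itself
        issues = []
        if "integrity" not in entry:
            issues.append("no integrity hash")
        resolved = entry.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            issues.append("resolved outside the public registry: " + resolved)
        if issues:
            results.append((key, depths.get(key), issues))
    # Deep (edge) packages are the ones the comment is worried about; list them first.
    results.sort(key=lambda item: -(item[1] or 0))
    return results


def load_lock(path):
    """Read a real package-lock.json from disk; unused by the sample run."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for path, depth, issues in audit_lock(SAMPLE_LOCK):
        print(f"{path} (depth {depth}): " + "; ".join(issues))
```

Point `load_lock` at a real lockfile to run the same check on your own tree; the depth column tells you how far from anything you review a flagged package sits.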
        
       | leeoniya wrote:
       | [2017]
        
         | dang wrote:
         | Added. Thanks!
        
       ___________________________________________________________________
       (page generated 2021-11-14 23:00 UTC)