[HN Gopher] From zero to hero: contributing to open source (2017)
___________________________________________________________________

Author : mparnisari
Score  : 42 points
Date   : 2021-11-14 19:44 UTC (3 hours ago)

web link (miparnisariblog.wordpress.com)

| hutch120 wrote:
| Next step is to figure out how to transfer the value generated by
| the consumers to the value created by the contributors... maybe
| crypto services like https://www.algorand.com/ ?
|
|   AlexAndScripts wrote:
|   You're doing an incredibly bad job of seeming genuine.
|
|     hutch120 wrote:
|     What, unless I complain about something I'm a troll? This
|     forum is turning into a massive old farts forum for what's
|     wrong with the world.

| danslo wrote:
| > Now I felt even more excited. I could push fixes and refactors
| > without having to wait for someone to code review them.
|
| Am I the only one feeling uneasy about this?
|
|   capableweb wrote:
|   Yes and no. Open source is built on trust, something we're
|   starting to feel the backsides of today, where npm modules
|   sometimes get compromised, but people also get shared
|   responsibility over shared resources like reusable libraries.
|
|   I'm torn if it's good or bad really. I feel like our tools
|   should do more to protect us, but until we get there, maybe we
|   do need to be more careful with who we're giving our trust to?
|
|   Zababa wrote:
|   I'll preface this by saying that I have nothing against the
|   author, I'm just trying to make a point about the NPM ecosystem
|   and supply chain attacks.
|
|   > The problems seemed easily solvable and would require some
|   > moderate amount of work.
|
|   > When that got merged, surprise! I was made a project
|   > contributor.
|
|   > Now I felt even more excited. I could push fixes and refactors
|   > without having to wait for someone to code review them.
|
|   Think about this, and then think about your dependencies. How
|   easy is it to pay a few people full time to contribute to the
|   edges of the NPM ecosystem (deep dependencies, forgotten
|   dependencies) to then slowly take control over some packages?
|   Every result that's shown with "npm fund" is a potential target.
|   Famously, Express was sold to a company (though this wasn't for
|   supply chain attacks, but for clout I think?).
|
|   Of course that's also the good part of open source NPM-style: in
|   some places there isn't much red tape. But I'm wondering if
|   companies should rely on processes like that. That seems
|   dangerous.

| leeoniya wrote:
| [2017]
|
|   dang wrote:
|   Added. Thanks!
___________________________________________________________________
(page generated 2021-11-14 23:00 UTC)