In my unasked-for opinion, he should absolutely give up on this project, and take a salaried job that'll let him support his family and not have to deal with the entitlement issues and lack of perspective the community evidently has. If half of what's in this post is true, he's shown admirable restraint: I'd have burned it all down the first time someone got pissy about a free thing I gave them.
Yes. But I think it also shows a common misunderstanding of "open source" (and even "free software").
What he did was incredibly valuable to a huge number of successful people and corporations. But no one owes him anything. That's the point of open source. If they did owe him something, they wouldn't have used it. They used it because it was great, it was established/known, it was available with no strings attached whatsoever. Again, that's the point, that's why it's popular.
But also, he owes them nothing. He doesn't have to keep maintaining the most comprehensive, up-to-date, and flexible package, as a full-time job, for free. He could have just stopped after his first couple years where it was an inherently fulfilling passion project, he could just put in a couple hours a week, whatever. People would make do, it would still be quite valuable for a lot of people for a long time. Or those other projects and companies would come up with a more up-to-date alternative when really needed.
You really don't have to be a martyr, and we don't have to "give up on open source" or whatever. You can just make stuff available that you wanted to do anyway. Sometimes it leads to bigger opportunities, sometimes (usually?) not. Don't slave away and sacrifice your personal life because of what you think you deserve if you do, that's not going to materialize that way.
Remember this is all stuff just offered up with NO WARRANTY, NOT EVEN FITNESS FOR PURPOSE etc. And in practice it's super super valuable that way. Even without you sacrificing yourself. Let companies spend the big bucks on it, just work on what's fun in your free time.
I think the disagreement here will continue indefinitely because it is a question of (personal and professional) ethics. Ethics doesn't necessarily offer easy answers, just sometimes hard questions. In every discussion like this on HN you see the direct conflict of several competing Ethical Frameworks that people choose to live by which is why the discussion will likely always recur and it will always seem like two or more teams talking past each other.
"What do we owe to each other?" is a massive, hard ethical question. It's not just an easy economic question with an answer of "well he did the work for free, so obviously it is priced at free" though many ethical frameworks, especially on HN, happily stop there. Some ethical frameworks, on the other hand, don't believe there is any such thing as "free labor", just "exploited labor" and find guilt in every bit of open source usage, expecting some amount "owed" in backpay to eventually be paid back. Some of those same ethical frameworks still feel that "open source" is an ideal, a community good, but also think that for the health of the community as a whole, some support needs to be given to individuals in that community when/where/as they need it, for the good of the whole, and that both things can be true: "open source creates good software" and "open source sometimes creates the conditions to exploit labor (and we owe it to ourselves to mitigate that)".
I can't tell anyone what their ethical framework should be, just that this discussion will likely remain an impasse because it is about personal and professional ethics. How much I feel that I owe the most exploited of the workers in our industry, is something that keeps me up at night sometimes, and that guilt doesn't come from "nowhere" and I'm well aware of the economics and the license agreements in play: that guilt comes from the ethical frameworks that I hold dear and am unlikely to waver on.
For a while it was a trend for people to use userscripts to delete their old comments on various social media sites after a certain amount of time. I think this practice is unfair, because the user gets the benefits of participating in open conversation but tries not to pay the (IMO absolutely minuscule) costs in terms of privacy.
I see a lot of open source use the same way. Companies use open-source contributions but don't contribute back any of the value they receive. I'm strongly in favor of using strict GPL licensing or dual licensing for corporate and nonprofit use for every open source project. I know people like the MIT license so that people will use their projects, but fundamentally if you want open source to continue then open source contributions need to be enforced, because otherwise it doesn't happen.
He's the maintainer of a major software library. Everyone who depends on his work does owe him gratitude and respect. They'd have to pay me big bucks to care enough to do what he did, so I respect him for doing it.
The open source community can be wild sometimes. Back when I was still maintainer and lead dev for Gaim (not Pidgin), I would occasionally get downright hateful people e-mailing me for not implementing whatever feature they thought needed to be implemented, or not getting it implemented quickly enough.
One guy managed to get ahold of my cell phone number somehow and called me at 4am to discuss "his ideas" with me for the project. I ended up having to change my number.
Thankfully 95% of the people I interacted with in the community were great, but that other 5% was rough.
Old coworker of mine was/is(?) secretly the primary contributor to a major console emulator. He revealed it to me only after working together for about 4 years.
He keeps it incognito because the vitriol his alias receives from impassioned members of the community makes him afraid of getting doxxed. He showed me some of them. I don't blame him.
Maintainers like Denis shouldn't be asking for donations, they should be sponsored the same way Nike sponsors athletes. If you're a burnt out open source maintainer or know someone who is, I'd love to talk to you. My job is to help create awareness about the issue with companies that depend on your package. I reached out to Denis because we all know he deserves better. Appreciate any leads you could additionally share with me.
Edit: I see you work for thanks.dev, which doesn't seem like it would cover the projects I mention below. I leave my original comment in case anyone else is interested in sponsoring the things I mention.
I'd like to find sponsors for a few non-web-related projects. In particular the Linux USB Gadgets userspace stack (libusbgx/gt/gadgetd/etc), a library for the Microsoft PST email format (libpst) and a tool for running linters/etc (check-all-the-things). Happy to chat about these over email.
> I'd have burned it all down the first time someone got pissy about a free thing I
Sadly this is the state of open source projects. People feeling entitled and doing nothing but complain. It's sad really because negative comments often have a more lasting impact than positive ones.
From this article, Denis Pushkarev seems to be a remarkably principled developer in a horrible situation, and I admire his commitment to this project. Setting that aside, though, is anyone else alarmed that such a widely used project has exactly one maintainer who is able to push arbitrary changes without review? Especially one already in legal trouble and significant debt, unable to travel, for a project embedded in Fortune 500 e-commerce and (likely) intranet/administrative sites, with an extremely large surface area of used APIs where malicious minified code might easily go unnoticed and is highly difficult to audit?
I absolutely feel for his situation. Right now, the degree to which he could be threatened into allowing a malicious group to push changes in his name should not be taken lightly. Hopefully this article reaches the attention of some of the CISOs at companies who rely on the project, and a path towards a situation where multiple parties have visibility into release management can be explored. And honestly, such a solution might be the best thing to make Denis and his family less of a target.
(In the meantime, pin your core-js dependency, and track https://security.snyk.io/vuln/npm?search=core-js as well as npm audit. Arguably there should be an advisory category for known vulnerable maintenance situation - I'm not sure if such a registry exists. One might say that every open source project is vulnerable in some way, but there's nuance and splash radius to consider here, and core-js does not have much defense-in-depth at the moment.)
Well. There is little doubt that he would be a good fit for at least a normal Engineer position in any of these companies. If they didn't hire him yet, your guess as to why is as good as mine.
Edit: This was not meant to be read in a negative kind of way. I'd try to hire him if I had an open position to fit.
> Now I cannot leave Russia, because after the accident I have outstanding lawsuits in the amount of tens of thousands of dollars and I am forbidden to leave the country until they are paid off.
Interesting. I know a person who somehow emigrated from Russia last year with some debt and is paying it off. But perhaps there is some other condition I don't know about.
But anyway it would be more difficult to emigrate to another country long term with a criminal record, they always ask about it on visa applications. If I was more cynical I would think an evil government could use the carrot of forgiving his lawsuits in exchange for pushing some backdoors, but I don't think this would go unnoticed.
Very unfortunate situation to be in, though my sincere hate for reckless Russian drivers I have seen a lot in my life makes it a bit difficult to sympathize.
> Especially one already in legal trouble and significant debt, unable to travel
... and living in a country involved in war, run by a regime for which respect for the rule of law is a "nice to have".
If I were in FSB, I'd be banging at this guy's door right now, and making his life as comfortable as I can. Imagine dropping an obfuscated killswitch on half the global web, that is Real Power right there; or silently siphoning out credentials from FAANG-level companies; or or or...
We are incredibly lucky that Herr Putin's henchmen are actually not very good.
In one of my previous jobs, my CTO asked me who I thought the most important person in the company was. I wasn’t sure. He pointed to the lady who was responsible for entering and maintaining data, on which the entire business was built.
She was a quiet person, who did her job exceptionally well. Yet, most people didn’t know her or didn’t realize her importance. I am certain she wasn’t paid that well either.
Point being, nobody is going to reward you, unless you ask for it. I once spent 4 years at a job, I did my job well. Didn’t get a single dollar raise. I didn’t ask, nobody cared either. Most I got was some praise in team meetings once in a while.
The most disgusting part of the story is all the hate and vitriol thrown at him. By people using his software for free, by people who are likely not even a tenth as good as he is - both as a person and as a programmer. All this in an industry with plenty of money. This is super depressing. I genuinely hope he gets to spend his future happy.
You have to ask in the appropriate forum though, and that's what he got completely wrong. Getting npm to scream for help when a developer installs your package is equivalent to asking your peer for a raise.
I'd say that over 99.999% of the people who saw that message, created memes about it, etc.. did not have a corporate credit card and the power to use it at their discretion. If you want money from corps, THOSE are the guys you need to find and ask money from.
What I'm really struggling with is how much this contrasts with the story for the developers of Dwarf Fortress, who don't get that same hate and vitriol piled on them, and in fact, people throw money at them because they want the developers to have money. To the tune of like $9 million or something! Whereas this guy, pouring his heart into something useful and not for fun, gets all this hate shoveled his way?
I guarantee they got all kinds of hate and weirdness sent their way, too. Any game with a notable userbase does, including the commercial ones. Like, weird, personal, abusive shit from people who demonstrably (it's pretty clear from their "ideas") have no idea what they're talking about and evidently have unfortunate (for everyone else, anyway) amounts of free time on their hands.
And I don't just mean "you monetized this in a way I dislike" or "boo, DRM" or "you had dozens of game-breaking bugs at launch" or whatever, which, maybe don't be a dick about it, but at least I get why those things upset people and, especially in the last case, why they might get a bit entitled-seeming about it, since they did part with money—no, it's over the tiniest, most trivial stuff, including, often, things that are the way they are for a very good reason and would piss off 100x as many people if the abusive jerk got his (or her, I guess... but realistically, it's just about always a "his") way. But no, this minor thing is wrong so you're incompetent and any idiot could do better and [some names they somehow came up with, sometimes with disturbing accuracy] who worked on that part should be fired immediately. JFC. They'll spam you with this crap, on every channel they can.
And that's if you're not a woman prominent in the project. Then you get the creeper shit, too.
There's no possible way the DF devs haven't seen their fair share of that.
(though, sure, they were ultimately able to monetize it in a way that very few passion projects of that sort ever can, and certainly not utility open source libraries—that part of the story's way different)
My personal bias is that open source authors and maintainers don't owe anyone anything. They're making their code available to anyone for free, and it's on you if there's something you don't like about it. You can always fork it if you need to. Heck, you don't even have to use it. Write your own thing if something fundamentally bothers you about it.
And yet there's a large group of people who think they're somehow doing you a favor by using your open-source code, as opposed to the other way around. I've tried to talk to some of them, to try to get some idea of it. It typically boils down to either
1. I used and advocated for the project, making it more popular, and therefore they owe me.
2. Using an open-source library is an investment. I'm making a compromise by not writing it myself exactly how I want it. I'm attempting to do things their way, which in some ways is mentally harder than writing it to begin with, so when it changes radically or goes away, or they ask me for support, they have done me dirty. I deserve better.
3. #2, except they recognize that the author/maintainer doesn't owe them anything and hasn't acted maliciously, but they're still bummed that they either have to change things or fork the project and maintain it themselves. It's emotional rather than logical.
Of the three, I can kinda understand the last one, but I'll never agree with it.
People playing the game (Dwarf Fortress) chose to play it and likely enjoy it. Those who use core-js likely need to use it to solve some weird problems, likely occurring while they're working on something else.
Myself, I hate working in the JavaScript ecosystem and every few months, when I need to update one of my packages, something is broken. I appreciate every person that worked on libs that I use but I hate every one of those packages.
I do understand that not a lot of people here really understand the sheer direness of his situation. He is stuck in Russia because of unsettled problems regarding his conviction. He almost certainly cannot immigrate into most of the countries because of said conviction - to have a work permit one has to provide a certificate of good conduct. He is cut off from most options to receive money from abroad and several means to receive support at all. He has a family to provide for. The economy of Russia is increasingly deteriorating, the quality of life is following suit. His son will soon feel a taste of state fascist indoctrination, it starts in kindergarten now in Russia. While most commenters here feel sad, I feel an utter horror.
HN is a little bit more “filtered” place: on Reddit and Twitter there are enough people who hate him just for the sake of hatred. He is Russian - they call him “fascist”. He has a road accident - they are intentionally omitting a little detail that a victim was crawling the road at night.
I didn't know about the memes and Twitter jokes. Even after that post, people still try to blame him.
I’m pretty sure this situation will convince some developers to instantly stop maintaining their OSS projects - and the world deserves it.
I would understand some criticism or not politely worded bug reports (especially from young users), but hatred... All of this filth... Today I’ve been disappointed in developers a lot.
I really wish Denis to stop maintaining core-js and find a real job. Haters will get what they were fighting for, his family will get the money.
It's a misconception that people hate him for being rssian. It's more like people dislike finding a consistent genocide apologist who has been publicly supporting the mass murderers for many years. This is a systemic position of his. In his late post he suggests that the murdered Ukrainians are somehow the same as the ruscist rapists who killed them. In the past he was shifting the blame for the rssian fascist ethnical cleansing to Ukraine as well:
https://twitter.com/TheLarkInn/status/1625276917363646465.
This does correlate with the color of his passport but it's just that — a correlation. His actions speak louder than words. Encouraging people to send him money equals indirectly funding the genocidal maniacs. Don't fund the terrorists, it's as simple as that.
> In November 2019, Denis Pushkarev, maintainer of the popular core-js library, lost an appeal to overturn an 18-month prison sentence imposed for driving his motorcycle into two pedestrians, killing one of them.
> His son will soon feel a taste of state fascist indoctrination, it starts in kindergarten now in Russia.
While I certainly don't know any specifics about what things are like in Russia, I suspect this is not so different from most other countries in the world. Here in America, children are made to pledge their allegiance to the flag of the US every morning with a hand over their heart. This is before they have any concept of what the words "pledge" and "allegiance" even mean.
Can you remind me when the US last waged a war of conquest under the pretext that a neighboring state has no right to sovereignty because the people there are not a real nation? And to strengthen that point killed tens of thousands of civilians?
While the Russian economy is supposedly "deteriorating", it would be easy for him to find a $5000 net a month job working as a front-end developer, allowing him to pay a mortgage for a pretty good flat and pay for private kindergarten.
Buying property in Russia right now is an insanely bad investment. Quality of life includes access to consumer goods (which are mostly imported, thus largely sanctioned) and medical care (which is heavily import-dependent too, and also prone to rapid brain drain).
I believe it only takes a national ID to cross the border into Armenia, where there is a flourishing Russian expat community full of IT experts, but sure.
He wouldn't pass customs check at the border, due to standing debts and/or after-sentence probation. You can only enter Armenia with national ID if you travel by flight - but the boarding will be denied for the same reason. Travel passport is probably frozen as well. The only country he can go to is Belarus - there is no border control. But to travel from Belarus he would be required to pass the same customs check. Moreover, travelling to Belarus would be a violation of probation terms.
I always heard people talk about how "open source is broken", but I'm honestly in shock after reading this.
Is this normal? That one guy can contribute code that is used on thousands of the top websites worldwide and not one of the numerous multi-billion dollar companies that use his code are even willing to donate an amount equivalent to an average developer's salary?
I mean, how is this possible? It's not like when a company the size of Spotify uses core-js they just add it to their project without thinking. No, they know how important the project is. They know the effort involved in building and maintaining a project like core-js. Yet they can't even throw the dude a few thousand dollars a year to say thanks?
Am I missing something here? Is the fact that he's Russian having an impact on the companies willing to offer him support?
It honestly seems insane to me that so many people are able to reach out with messages of hate for adding a donation message to free software, but only a handful of people / business would offer support.
I'd be willing to guess that the vast majority of applications (if not all) dependent on core-js are pulling it in as a transitive dependency of something else-- most via either a direct dependency on `@babel/preset-env` or indirect dependencies on the same through scaffolding projects like create-react-app.
That leaves core-js in a position where it's kind of invisible-- projects like Babel are very visible and pull in a decent chunk of cash via developer donations and corporate sponsorships. Core-js, on the other hand, isn't something most developers ever deal with directly-- if you don't go and dig through your dependency tree, you may never even know it's there. Until it starts making noise in your console on 'npm install', at least-- and then it looks indistinguishable from spam, from something you never even explicitly installed, no less.
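One way to make that invisible transitive core-js visible, and to check whether a project has actually pinned it as the earlier comment advises. This is an added example, not code from the thread or from the core-js project; it assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3 (a `packages` map keyed by install path), and the `shop-frontend` project, `example-ui-kit`, `legacy-widget` and every version number below are constructed sample data.

```javascript
// Inventory every installed copy of core-js in a lockfile, report which
// packages pull it in, and check whether the root package.json pins it.
// Assumes npm lockfileVersion 2/3 layout. All sample data is constructed.

const SAMPLE_PACKAGE_JSON = {
  name: "shop-frontend",
  dependencies: {
    "@babel/preset-env": "^7.20.0",
    "example-ui-kit": "^2.1.0",
    "legacy-widget": "1.4.0",
  },
  // No "core-js" entry and no "overrides": nothing at the root pins it.
};

const SAMPLE_LOCK = {
  name: "shop-frontend",
  lockfileVersion: 3,
  packages: {
    "": SAMPLE_PACKAGE_JSON,
    "node_modules/@babel/preset-env": { version: "7.20.2", dependencies: { "core-js-compat": "^3.25.1" } },
    "node_modules/core-js-compat": { version: "3.26.1" },
    "node_modules/example-ui-kit": { version: "2.1.0", dependencies: { "core-js": "^3.20.0" } },
    "node_modules/core-js": { version: "3.26.1" },
    "node_modules/legacy-widget": { version: "1.4.0", dependencies: { "core-js": "^2.6.0" } },
    // A second, older major version hiding under a nested node_modules path.
    "node_modules/legacy-widget/node_modules/core-js": { version: "2.6.12" },
  },
};

// The remediated root: core-js declared directly at an exact version and
// forced onto the whole tree with npm's "overrides" field.
const PINNED_PACKAGE_JSON = {
  ...SAMPLE_PACKAGE_JSON,
  dependencies: { ...SAMPLE_PACKAGE_JSON.dependencies, "core-js": "3.26.1" },
  overrides: { "core-js": "3.26.1" },
};

const EXACT_SEMVER = /^\d+\.\d+\.\d+$/;

// True only for an exact "x.y.z" specifier; "^3.20.0", "~3.20.0", "*" and
// "latest" are all ranges that a future install may resolve differently.
function isExactVersion(spec) {
  return typeof spec === "string" && EXACT_SEMVER.test(spec);
}

// Every installed copy of `name`: the lock key ends in "node_modules/<name>",
// which also excludes near-namesakes such as core-js-compat or core-js-pure.
function installedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Which packages declare `name`, and with what specifier ("(root)" is package.json).
function dependents(lock, name) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    for (const field of fields) {
      const spec = entry[field] && entry[field][name];
      if (spec) out.push({ dependent: path === "" ? "(root)" : path, field, spec });
    }
  }
  return out;
}

function auditCoreJs(pkg, lock, name = "core-js") {
  const copies = installedCopies(lock, name);
  const via = dependents(lock, name);
  const directSpec = (pkg.dependencies && pkg.dependencies[name]) ||
    (pkg.devDependencies && pkg.devDependencies[name]);
  const overrideSpec = pkg.overrides && pkg.overrides[name];
  const pinned = isExactVersion(directSpec) || isExactVersion(overrideSpec);
  const majors = [...new Set(copies.map((c) => c.version.split(".")[0]))];
  const findings = [];
  if (copies.length === 0) findings.push(`${name} is not in the tree`);
  if (copies.length > 0 && !directSpec) findings.push(`${name} is transitive only: not declared in package.json`);
  if (copies.length > 0 && !pinned) findings.push(`${name} is not pinned to an exact version (direct dependency or overrides)`);
  if (majors.length > 1) findings.push(`${majors.length} different major versions installed: ${majors.join(", ")}`);
  return { copies, via, directSpec, overrideSpec, pinned, findings };
}

function main() {
  for (const [label, pkg] of [["as found", SAMPLE_PACKAGE_JSON], ["after pinning", PINNED_PACKAGE_JSON]]) {
    const report = auditCoreJs(pkg, SAMPLE_LOCK);
    console.log(`== ${label} ==`);
    for (const c of report.copies) console.log(`  installed ${c.version} at ${c.path}`);
    for (const d of report.via) console.log(`  pulled in by ${d.dependent} (${d.field}: ${d.spec})`);
    for (const f of report.findings) console.log(`  finding: ${f}`);
  }
}

main();
```

The lockfile alone freezes what `npm ci` installs; the `overrides` entry is what keeps a later `npm install` or `npm update` from silently moving a transitive core-js to a newer release.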
>It's not like when a company the size of Spotify uses core-js they just add it to their project without thinking. No, they know how important the project is.
The devs at Spotify know how important that project is. But the people who control the money, middle and upper management, might not even know what Javascript is. Why would they spend money for something that's free? They're under pressure to cut costs anyway.
Throwing dollars at MS or Oracle, on the other hand, is nice for managers because you get service, accountability, responsibility, guarantees, and lawyers to talk to for that money. Money is paranoid. Open source can't give you that, it's always only one poor coder.
> Why would they spend money for something that's free? They're under pressure to cut costs anyway.
But isn't this like saying, "what's an AWS? Why do we need that thing?"
Is there really no one technical saying, "look we need to offer support to core-js because core-js is the software that ensures our website works for everyone using it".
And if you're a large company whose project depends on core-js (like Spotify) it just seems sensible to offer a little support to the project to ensure it continues to be well maintained, and also so if you need anything the maintainers will prioritise you.
Even if your only concern is money, then it probably pays to ensure your software works and isn't dependent on some guy in Russia continuing to make his life a living hell just so your product is functional.
The Node.JS library ecosystem (for better or worse) is modeled as small libraries which do only one thing, and often have dozens of dependencies. And those in turn, have their own dependencies.
So when you import a library, you're bringing in a lot of other libraries as well. Some large companies have stringent audits (for licenses etc), but most care (or are aware) only about the library they imported. core-js is probably a dependency for many others, and especially transpiler toolchains which are common in JS.
I completely understand this reasoning for smaller companies, but a company like Spotify will care deeply about the dependencies in their project. Just because core-js is a dependency of a dependency simply doesn't matter and if anything, makes it even more essential. Unless they're extremely incompetent, any 3rd party code that's to be deployed to their entire user base is presumably being reviewed in detail.
And I guess I'm not even sure I buy the argument that most developers don't know about core-js. I know I'd be extremely concerned if I was hiring an experienced frontend dev who didn't know what core-js was. Anyone who's thought about browser capability before should have had to think about polyfills, and naturally their use of core-js. It also comes up a lot when trying to optimise bundle size given the size of core-js.
> That one guy can contribute code that is used on thousands of the top websites worldwide and not one of the numerous multi-billion dollar companies that use his code are even willing to donate an amount equivalent to an average developer's salary?
Well, every multi-billion-dollar company has a mechanism for paying for commercial software. If they need Windows or Photoshop or Solidworks they're more than happy to pay the asking price.
The problem with open source software is the asking price is zero.
Most multi-billion-dollar companies also engage in some charitable giving. They probably use their entire charity budget every year - maybe they're supporting food banks, or earthquake victims, or cancer research.
But getting the Russian polyfill guy out of jail probably isn't a registered charity. And even if it was - there's a lot of charities out there.
Some multi-billion-dollar companies have budgets to sponsor open source projects. Apple, Microsoft, Google and others donate >$125k/year to the Apache foundation, for example [1].
But that money is spread very thinly - how many developers do you think contributed to, say, a basic Ubuntu installation? And plenty of companies don't budget for this at all.
Some open source projects use options like 'dual licensing' where you have to pay to use them in closed source projects (Qt, for example) or offer support contracts or paid add-on products (Ubuntu Pro, for example).
But it's not like Qt are rolling in cash - or that the community had any great love for Ubuntu Pro.
As you'll note, all these options sound a lot more difficult than just getting a job at one of these big corporations.
The problem that a lot of people don't get is that corporations can't just donate money to things like that to be nice. They have accounting and legal obligations, they can't just throw money around for funsies. If you phrase things their way, like selling them a product on contract, you can easily get tens of thousands from them. But a "please donate" link on your site won't get anything.
It's definitely time for him to let this project go, working on it is a literally thankless task and the level of entitlement shown towards his work has been infuriating to watch. The outrage towards him daring to ask the community for help, something done in an act of desperation, is a real wake up call for open source maintainers - the community doesn't give a fuck about you, they want your code and they want it free.
The psychological burden of carrying such an important but relatively unknown project has trapped him in this state of desperation for years now. It's tunnel vision and sunk loss thinking, time to quit.
Agreed, but I think it goes beyond tunnel vision and sunk costs. He clearly likes helping developers! He is a good-hearted person who will feel bad screwing over a bunch of people who depend upon him. The main thing that's getting him to shift is that now he has a spouse and a child who depend upon him much more directly, and so he's even less willing to disappoint them.
I mean, that part isn't really surprising or noteworthy. Lots of people in Russian prison don't deserve to be there (the ones detained on protests, political cases etc).
> the community doesn't give a fuck about you, they want your code and they want it free
This is why I'm skeptical about non-free software licenses. Maybe we should all be applying AGPLv3 to our free software code instead of stuff like MIT or BSD. That way anyone who just wants to exploit people's work at their jobs to make a killing while simultaneously hating them for it will have to look elsewhere.
Nobody actually follows the philosophy of "you take, and give as you can".
As the article mentions, nobody else contributed to corejs in a meaningful way. Everyone takes, but nobody gives. This is called tragedy of the commons, and it is a well-known problem in economics.
Pretty easy to say when you’re not the guy stressing out about paying bills while six-figure earners whose jobs are made significantly easier because of you trash you.
I generally agree with the idea that nobody owes anyone else anything, but in this case, I think he should’ve let it all burn to the ground — maybe then the ingrates would be able to understand how critical his library is.
A long post, but the final paragraphs sum up both the problem and the ask:
"This was the last attempt to keep core-js as a free open-source project with a proper quality and functionality level. It was the last attempt to convey that there are real people on the other side of open-source with families to feed and problems to solve.
If you or your company use core-js in one way or another and are interested in the quality of your supply chain, support the project."
This is not the type of FOSS ecosystem that Stallman wanted to achieve; it's the ecosystem that big business wants: people work for free and profits multiply and accumulate at the top. That is what MIT licensing fosters. If you want a different world, use a different license model.
Unfortunately, the JS world is effectively built on freeloading, so any licensing restriction is seen as a capital sin against "the community" of temporarily-embarrassed-FAANGs. Meanwhile, actual FAANGs laugh all the way to the tax-haven-based bank, and the lone guy in Nebraska/Russia continues to starve.
Completely agree. I think I'm going to start using the AGPLv3 for everything from now on. It's not like I'm making anything so critical as this core-js library but still.
This old post's made a huge impression on me but it never really sank in until today:
What he did was incredibly valuable to a huge number of successful people and corporations. But no one owes him anything. That's the point of open source. If they did owe him something, they wouldn't have used it. They used it because it was great, it was established/known, it was available with no strings attached whatsoever. Again, that's the point, that's why it's popular.
But also, he owes them nothing. He doesn't have to keep maintaining the most comprehensive, up-to-date, and flexible package, as a full-time job, for free. He could could have just stopped after his first couple years where it was an inherently fulfilling passion project, he could just put in a couple hours a week, whatever. People would make do, it would still be quite valuable for a lot of people for a long time. Or those other projects and companies would come up with an more up-to-date alternative when really needed.
You really don't have to be a martyr, and we don't have to "give up on open source" or whatever. You can just make stuff available that you wanted to do anyway. Sometimes it leads to bigger opportunities, sometimes (usually?) not. Don't slave away and sacrifice your personal life because of what you think you deserve if you do, that's not going to materialize that way.
Remember this is all stuff just offered up with NO WARRANTY, NOT EVEN FITNESS FOR PURPOSE etc. And in practice it's super super valuable that way. Even without you sacrificing yourself. Let companies spend the big bucks on it, just work on what's fun in your free time.
I think the disagreement here will continue indefinitely because it is a question of (personal and professional) ethics. Ethics doesn't necessarily offer easy answers, just sometimes hard questions. In every discussion like this on HN you see the direct conflict of several competing Ethical Frameworks that people choose to live by which is why the discussion will likely always recur and it will always seem like two or more teams talking past each other.
"What do we owe to each other?" is a massive, hard ethical question. It's not just an easy economic question with an answer of "well he did the work for free, so obviously it is priced at free", though many ethical frameworks, especially on HN, happily stop there. Some ethical frameworks, on the other hand, don't believe there is any such thing as "free labor", just "exploited labor", and find guilt in every bit of open source usage, expecting some amount "owed" in back pay to eventually be paid back. Some of those same ethical frameworks still feel that "open source" is an ideal, a community good, but also think that for the health of the community as a whole, some support needs to be given to individuals in that community when/where/as they need it, for the good of the whole, and that both things can be true: "open source creates good software" and "open source sometimes creates the conditions to exploit labor (and we owe it to ourselves to mitigate that)".
I can't tell anyone what their ethical framework should be, just that this discussion will likely remain an impasse because it is about personal and professional ethics. How much I feel that I owe the most exploited of the workers in our industry, is something that keeps me up at night sometimes, and that guilt doesn't come from "nowhere" and I'm well aware of the economics and the license agreements in play: that guilt comes from the ethical frameworks that I hold dear and am unlikely to waver on.
I strongly disagree. Only because so many people feel that he owes them something.
I see a lot of open source use the same way. Companies use open-source contributions but don't contribute back any of the value they receive. I'm strongly in favor of using strict GPL licensing or dual licensing for corporate and nonprofit use for every open source project. I know people like the MIT license so that people will use their projects, but fundamentally if you want open source to continue then open source contributions need to be enforced, because otherwise it doesn't happen.
He's the maintainer of a major software library. Everyone who depends on his work does owe him gratitude and respect. They'd have to pay me big bucks to care enough to do what he did, so I respect him for doing it.
Thankfully 95% of the people I interacted with in the community were great, but that other 5% was rough.
He keeps it incognito because the vitriol his alias receives from impassioned members of the community makes him afraid of getting doxxed. He showed me some of them. I don't blame him.
I'd like to find sponsors for a few non-web-related projects. In particular the Linux USB Gadgets userspace stack (libusbgx/gt/gadgetd/etc), a library for the Microsoft PST email format (libpst) and a tool for running linters/etc (check-all-the-things). Happy to chat about these over email.
https://github.com/linux-usb-gadgets
https://github.com/pst-format/libpst
https://github.com/collab-qa/check-all-the-things
Nah, he should get creative.
1. Silently change the license to GPL.
2. Wait a few billion downloads.
3. Meticulously sue one company after the other.
Sadly this is the state of open source projects. People feeling entitled and doing nothing but complain. It's sad really because negative compacts often have a more lasting impact than positive ones.
I absolutely feel for his situation. Right now, the degree to which he could be threatened into allowing a malicious group to push changes in his name should not be taken lightly. Hopefully this article reaches the attention of some of the CISOs at companies who rely on the project, and a path towards a situation where multiple parties have visibility into release management can be explored. And honestly, such a solution might be the best thing to make Denis and his family less of a target.
(In the meantime, pin your core-js dependency, and track https://security.snyk.io/vuln/npm?search=core-js as well as npm audit. Arguably there should be an advisory category for known vulnerable maintenance situation - I'm not sure if such a registry exists. One might say that every open source project is vulnerable in some way, but there's nuance and splash radius to consider here, and core-js does not have much defense-in-depth at the moment.)
In a completely unrelated matter, Google search results quality has really declined in the last few years...
Edit: This was not meant to be read in a negative kind of way. I'd try to hire him if I had an open position to fit.
> Now I cannot leave Russia, because after the accident I have outstanding lawsuits in the amount of tens of thousands of dollars and I am forbidden to leave the country until they are paid off.
Interesting. I know a person who somehow emigrated from Russia last year with some debt and is paying it off. But perhaps there is some other condition I don't know about.
But anyway it would be more difficult to emigrate to another country long term with a criminal record; they always ask about it on visa applications. If I was more cynical I would think an evil government could use the carrot of forgiving his lawsuits in exchange for pushing some backdoors, but I don't think this would go unnoticed.
Very unfortunate situation to be in, though my sincere hate for reckless Russian drivers I have seen a lot in my life makes it a bit difficult to sympathize.
window['__core-js_shared__'].versions
Just more evidence of how prevalent and important that library is.
... and living in a country involved in war, run by a regime for which respect for the rule of law is a "nice to have".
If I were in FSB, I'd be banging at this guy's door right now, and making his life as comfortable as I can. Imagine dropping an obfuscated killswitch on half the global web, that is Real Power right there; or silently siphoning out credentials from FAANG-level companies; or or or...
We are incredibly lucky that Herr Putin's henchmen are actually not very good.
She was a quiet person, who did her job exceptionally well. Yet, most people didn’t know her or didn’t realize her importance. I am certain she wasn’t paid that well either.
Point being, nobody is going to reward you, unless you ask for it. I once spent 4 years at a job, I did my job well. Didn’t get a single dollar raise. I didn’t ask, nobody cared either. Most I got was some praise in team meetings once in a while.
The most disgusting part of the story is all the hate and vitriol thrown at him. By people using his software for free, by people who are likely not even a tenth as good as he is, both as a person and as a programmer. All this in an industry with plenty of money. This is super depressing. I genuinely hope he gets to spend his future happy.
I'd say that over 99.999% of the people who saw that message, created memes about it, etc.. did not have a corporate credit card and the power to use it at their discretion. If you want money from corps, THOSE are the guys you need to find and ask money from.
I really don't understand people.
And I don't just mean "you monetized this in a way I dislike" or "boo, DRM" or "you had dozens of game-breaking bugs at launch" or whatever, which, maybe don't be a dick about it, but at least I get why those things upset people and, especially in the last case, why they might get a bit entitled-seeming about it, since they did part with money—no, it's over the tiniest, most trivial stuff, including, often, things that are the way they are for a very good reason and would piss off 100x as many people if the abusive jerk got his (or her, I guess... but realistically, it's just about always a "his") way. But no, this minor thing is wrong so you're incompetent and any idiot could do better and [some names they somehow came up with, sometimes with disturbing accuracy] who worked on that part should be fired immediately. JFC. They'll spam you with this crap, on every channel they can.
And that's if you're not a woman prominent in the project. Then you get the creeper shit, too.
There's no possible way the DF devs haven't seen their fair share of that.
(though, sure, they were ultimately able to monetize it in a way that very few passion projects of that sort ever can, and certainly not utility open source libraries—that part of the story's way different)
My personal bias is that open source authors and maintainers don't owe anyone anything. They're making their code available to anyone for free, and it's on you if there's something you don't like about it. You can always fork it if you need to. Heck, you don't even have to use it. Write your own thing if something fundamentally bothers you about it.
And yet there's a large group of people who think they're somehow doing you a favor by using your open-source code, as opposed to the other way around. I've tried to talk to some of them, to try to get some idea of it. It typically boils down to either
1. I used and advocated for the project, making it more popular, and therefore they owe me.
2. Using an open-source library is an investment. I'm making a compromise by not writing it myself exactly how I want it. I'm attempting to do things their way, which in some ways is mentally harder than writing it to begin with, so when it changes radically or goes away, or they ask me for support, they have done me dirty. I deserve better.
3. #2, except they recognize that the author/maintainer doesn't owe them anything and hasn't acted maliciously, but they're still bummed that they either have to change things or fork the project and maintain it themselves. It's emotional rather than logical.
Of the three, I can kinda understand the last one, but I'll never agree with it.
Myself, I hate working in the JavaScript ecosystem, and every few months, when I need to update one of my packages, something is broken. I appreciate every person that worked on the libs that I use, but I hate every one of those packages.
One dog asks another why do you sleep inside on the rug in the warm, while I live outside in the doghouse on a chain?
The inside dog answers, because I entertain and you serve.
I didn't know about the memes and Twitter jokes. Even after that post, people still try to blame him.
I’m pretty sure this situation will convince some developers to instantly stop maintaining their OSS projects - and the world deserves it.
I would understand some criticism or not politely worded bug reports (especially from young users), but hatred... All of this filth... Today I’ve been disappointed in developers a lot.
I really wish Denis to stop maintaining core-js and find a real job. Haters will get what they were fighting for, his family will get the money.
Is that verifiable? Because...
> In November 2019, Denis Pushkarev, maintainer of the popular core-js library, lost an appeal to overturn an 18-month prison sentence imposed for driving his motorcycle into two pedestrians, killing one of them.
https://www.theregister.com/2020/03/26/corejs_maintainer_jai...
Unfortunately Russia's judiciary system is far from ideal and fair, but it's better to trust that system than to take his word as truth.
While I certainly don't know any specifics about what things are like in Russia, I suspect this is not so different from most other countries in the world. Here in America, children are made to pledge their allegiance to the flag of the US every morning with a hand over their heart. This is before they have any concept of what the words "pledge" and "allegiance" even mean.
Is this normal? That one guy can contribute code that is used on thousands of the top websites worldwide and not one of the numerous multi-billion dollar companies that use his code are even willing to donate an amount equivalent to an average developer's salary?
I mean, how is this possible? It's not like when a company the size of Spotify uses core-js they just add it to their project without thinking. No, they know how important the project is. They know the effort involved in building and maintaining a project like core-js. Yet they can't even throw the dude a few thousand dollars a year to say thanks?
Am I missing something here? Is the fact that he's Russian having an impact on the companies willing to offer him support?
It honestly seems insane to me that so many people are able to reach out with messages of hate for adding a donation message to free software, but only a handful of people / business would offer support.
That leaves core-js in a position where it's kind of invisible-- projects like Babel are very visible and pull in a decent chunk of cash via developer donations and corporate sponsorships. Core-js, on the other hand, isn't something most developers ever deal with directly-- if you don't go and dig through your dependency tree, you may never even know it's there. Until it starts making noise in your console on 'npm install', at least-- and then it looks indistinguishable from spam, from something you never even explicitly installed, no less.
The devs at Spotify know how important that project is. But the people who control the money, middle and upper management, might not even know what JavaScript is. Why would they spend money for something that's free? They're under pressure to cut costs anyway.
Throwing dollars at MS or Oracle, on the other hand, is nice for managers because you get service, accountability, responsibility, guarantees, and lawyers to talk to for that money. Money is paranoid. Open source can't give you that, it's always only one poor coder.
But isn't this like saying, "what's an AWS? Why do we need that thing?"
Is there really no one technical saying, "look we need to offer support to core-js because core-js is the software that ensures our website works for everyone using it".
And if you're a large company whose project depends on core-js (like Spotify), it just seems sensible to offer a little support to the project to ensure it continues to be well maintained, and also so that if you need anything the maintainers will prioritise you.
Even if your only concern is money, then it probably pays to ensure your software works and isn't dependent on some guy in Russia continuing to make his life a living hell just so your product is functional.
The Node.JS library ecosystem (for better or worse) is modeled as small libraries which do only one thing, and often have dozens of dependencies. And those in turn, have their own dependencies.
So when you import a library, you're bringing in a lot of other libraries as well. Some large companies have stringent audits (for licenses etc), but most care (or are aware) only about the library they imported. core-js is probably a dependency for many others, and especially transpiler toolchains which are common in JS.
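The dependency-tree point just made, together with the earlier advice in this thread to pin your core-js dependency and keep an eye on npm audit, can be checked mechanically rather than by eyeballing node_modules. What follows is an added example, not code from the thread or from the core-js project: a Node script that walks an npm lockfile in the lockfileVersion 3 layout (the "packages" map keyed by install path that npm 7+ writes), lists every installed copy of a named package including copies nested under other packages' node_modules, and reports whether the project's own declaration of it is an exact version pin. The package.json and lockfile contents are constructed samples with made-up package names and versions.

```javascript
// Added example: enumerate every copy of a package in an npm lockfile and
// check whether the project's direct declaration of it is pinned.
// Both documents below are CONSTRUCTED samples, not taken from any real project.
const samplePackageJson = {
  name: "example-app",
  dependencies: { "core-js": "^3.0.0", "some-ui-kit": "1.2.3" },
  devDependencies: { "@babel/preset-env": "7.20.0" },
};

// Shaped like an npm lockfileVersion 3 file: "packages" is keyed by install
// path, "" is the root project, and nested copies live under
// "node_modules/<consumer>/node_modules/<pkg>".
const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: samplePackageJson.dependencies },
    "node_modules/core-js": { version: "3.29.0" },
    "node_modules/some-ui-kit": { version: "1.2.3", dependencies: { "core-js": "^2.6.0" } },
    "node_modules/some-ui-kit/node_modules/core-js": { version: "2.6.12" },
    "node_modules/@babel/preset-env": { version: "7.20.0", dev: true, dependencies: { "core-js-compat": "^3.0.0" } },
    "node_modules/core-js-compat": { version: "3.29.0", dev: true },
  },
};

// Package name = everything after the LAST "node_modules/" in the install path,
// which keeps scoped names ("@babel/preset-env") intact and finds nested copies.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Every install path in the lockfile whose package name is exactly pkgName,
// with its resolved version and whether it is a dev-only install.
function findPackageCopies(lockfile, pkgName) {
  const copies = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (installPath === "") continue; // root project entry, not a dependency
    if (packageNameFromPath(installPath) !== pkgName) continue;
    copies.push({ path: installPath, version: entry.version, dev: Boolean(entry.dev) });
  }
  return copies;
}

// An exact pin is a bare semver version (optionally with a prerelease tag).
// Anything with ^, ~, x, *, comparison operators or "||" is a range that a
// future install may silently resolve to a different release.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// Summarise one package: how it is declared, where it is installed, which
// distinct versions are present, and whether more than one major line exists.
function auditPackage(packageJson, lockfile, pkgName) {
  const declared = {
    ...(packageJson.dependencies || {}),
    ...(packageJson.devDependencies || {}),
  }[pkgName];
  const copies = findPackageCopies(lockfile, pkgName);
  const versions = [...new Set(copies.map((c) => c.version))].sort();
  const majors = new Set(versions.map((v) => v.split(".")[0]));
  return {
    package: pkgName,
    directlyDeclared: declared !== undefined,
    declaredRange: declared ?? null,
    pinned: declared !== undefined && isExactPin(declared),
    copies,
    versions,
    // Two majors in one tree means some transitive consumer pulls in a line
    // you did not choose and may not be watching for advisories.
    multipleMajors: majors.size > 1,
  };
}

function main() {
  const report = auditPackage(samplePackageJson, sampleLockfile, "core-js");
  if (report.directlyDeclared && !report.pinned) {
    console.log(`warning: ${report.package} is declared as "${report.declaredRange}", not an exact pin`);
  }
  if (report.multipleMajors) {
    console.log(`warning: ${report.package} is present as ${report.versions.join(", ")}`);
  }
  for (const c of report.copies) {
    console.log(`${c.version}${c.dev ? " (dev)" : ""}  ${c.path}`);
  }
}

main();
```

Run it against a real project by replacing the two constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for `package-lock.json`; the output is the list of paths you would then cross-check against an advisory feed or `npm audit`. The major-version check matters because the copy you pinned at the top level is not necessarily the one a transitive consumer actually loads.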
And I guess I'm not even sure I buy the argument that most developers don't know about core-js. I know I'd be extremely concerned if I was hiring an experienced frontend dev who didn't know what core-js was. Anyone who's thought about browser capability before should have had to think about polyfills, and naturally their use of core-js. It also comes up a lot when trying to optimise bundle size given the size of core-js.
Well, every multi-billion-dollar company has a mechanism for paying for commercial software. If they need Windows or Photoshop or Solidworks they're more than happy to pay the asking price.
The problem with open source software is the asking price is zero.
Most multi-billion-dollar companies also engage in some charitable giving. They probably use their entire charity budget every year - maybe they're supporting food banks, or earthquake victims, or cancer research.
But getting the Russian polyfill guy out of jail probably isn't a registered charity. And even if it was - there's a lot of charities out there.
Some multi-billion-dollar companies have budgets to sponsor open source projects. Apple, Microsoft, Google and others donate >$125k/year to the Apache foundation, for example [1].
But that money is spread very thinly - how many developers do you think contributed to, say, a basic Ubuntu installation? And plenty of companies don't budget for this at all.
Some open source projects use options like 'dual licensing' where you have to pay to use them in closed source projects (Qt, for example) or offer support contracts or paid add-on products (Ubuntu Pro, for example).
But it's not like Qt are rolling in cash - or that the community had any great love for Ubuntu Pro.
As you'll note, all these options sound a lot more difficult than just getting a job at one of these big corporations.
[1] https://www.apache.org/foundation/thanks
And yet a single bad/pointless/redundant meeting can easily cost 5k or more in time alone.
Companies throw money away constantly.
The psychological burden of carrying such an important but relatively unknown project has trapped him in this state of desperation for years now. It's tunnel vision and sunk loss thinking, time to quit.
This is why I'm skeptical about non-free software licenses. Maybe we should all be applying AGPLv3 to our free software code instead of stuff like MIT or BSD. That way anyone who just wants to exploit people's work at their jobs to make a killing while simultaneously hating them for it will have to look elsewhere.
This old post's made a huge impression on me:
https://web.archive.org/web/20091210171517/https://zedshaw.c...
> “Hey your software is awesome! Can I get it for free so I can use it at work and make money or please my boss? That’d rock! (for me).”
> I want people to appreciate the work I’ve done and the value of what I’ve made.
> Not pass on by waving “sucker” as they drive their fancy cars.
That's a pretty polarizing mindset. The community wants to be a community - you take, and give as you can. Nobody owes anyone else anything.
As the article mentions, nobody else contributed to core-js in a meaningful way. Everyone takes, but nobody gives. This is called the tragedy of the commons, and it is a well-known problem in economics.
I generally agree with the idea that nobody owes anyone else anything, but in this case, I think he should've let it all burn to the ground — maybe then the ingrates would be able to understand how critical his library is.
Well there are some backers out there:
https://www.npmjs.com/package/core-js
"This was the last attempt to keep core-js as a free open-source project with a proper quality and functionality level. It was the last attempt to convey that there are real people on the other side of open-source with families to feed and problems to solve.
If you or your company use core-js in one way or another and are interested in the quality of your supply chain, support the project."
This is not the type of FOSS ecosystem that Stallman wanted to achieve; it's the ecosystem that big business wants: people work for free and profits multiply and accumulate at the top. That is what MIT licensing fosters. If you want a different world, use a different license model.
This is fantastic, and it applies in so many other situations - I'm stealing this phrase (it's openly licensed, right?)