matklad committed Oct 24, 2023
1 parent 50f1f04 commit c2ce058
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions src/posts/2023-10-18-obligations.dj
@@ -1,13 +1,13 @@
# Unless Explicitly Specified Otherwise, Open Source Software With Users Carries Moral Obligations

My thoughts on the topic of whether maintainers owe you anything. Speaking as an author, a maintainer,
a user of, and a contributor to open source software.
a user of, and a contributor to open-source software.

Let's start with a thing which I find obvious and non-negotiable: I can't lie in my README.md.

I can't write "this software is reliable, fast, and secure" if in fact my software is slow,
crashes, and comes with a backdoor pre-installed. More generally, if I promise something in the
readme, I'd better to follow up on the promise and be ready to apologize if I fail.
readme, I'd better follow up on the promise and be ready to apologize if I fail.

If I create expectations between me and my users, I am on the hook for conforming to them.

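Review bot: the hyphenation change to "open-source software" in the author line leaves the heading's "Open Source Software" unhyphenated, so the file is now inconsistent with itself; either change the title as well or keep the body's unhyphenated form to match it.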
Expand All @@ -17,9 +17,9 @@ builds to some package registries, I am already creating some expectations. The
users (and writing usage instructions aimed at a general audience _is_ an act of inviting users)
forms an agreement between me as a maintainer and the user.

Expectations, but how much? Let's say that tomorrow at this place I am run over by an automobile.
Expectations, but how great? Let's say that tomorrow at this place I am run over by an automobile.
That would be a tragedy for many reasons! But should I worry, on top of all that, that I can no
longer swiftly react to vulnerabilities reported against my open soft software? Obviously not! And
longer swiftly react to vulnerabilities reported against my open-source software? Obviously not! And
that's the bound on expectations here: it is absolutely ok for a maintainer to do absolutely
nothing.

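Review bot: the unchanged context line "it is absolutely ok for a maintainer" spells it lowercase "ok" while the bullet in the next hunk uses "OK"; since this commit is already normalising wording, pick one spelling. "Tomorrow at this place" in the changed line also reads oddly; "tomorrow, right here," or simply dropping "at this place" would be clearer.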
Expand All @@ -28,7 +28,7 @@ etc, and then add a backdoor to my software, I am wrong. Yes, I didn't explicitl
readme that I am not going to add a backdoor. Still, there is a basic, implicit expectation about
software security, and it is wrong for me to violate it without an explicit mention.

So I think the default expectations for a published open source project boil down to:
So I think the default expectations for a published open-source project boil down to:

* As a maintainer, I can do absolutely nothing, and that's OK.
* At the same time, I can not be actively hostile to my users.
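Review bot: "I can not be actively hostile to my users" in the unchanged bullet should read "I cannot be actively hostile", since "can not" reads as "am able to refrain from"; it is the same kind of grammar fix this commit makes elsewhere and is worth folding in.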
Expand All @@ -54,6 +54,6 @@ Usually, it's enough to just not have a readme at all, or have a very short read
obvious that the project isn't supported.

However, if you do have a nice README with installation instructions and such, that constitutes a
"yes" answer. And then you, as a maintainer, is responsible for a tiny bit of life of your
"yes" answer. And then you, as a maintainer, are responsible for a tiny bit of life of your
explicitly invited users. It's not expected that you do much (in fact, doing nothing is totally OK),
but the amount of expectation is greater than zero.

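Review bot: the subject-verb fix ("you, as a maintainer, are responsible") is right, but the rest of the sentence, "a tiny bit of life of your explicitly invited users", still reads awkwardly; consider "a tiny bit of the lives of your explicitly invited users".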
0 comments on commit c2ce058