[HN Gopher] Free software hijacked Philip Hazel's life
___________________________________________________________________
Free software hijacked Philip Hazel's life
Author : fanf2
Score : 263 points
Date : 2024-06-20 09:14 UTC (13 hours ago)
(HTM) web link (lwn.net)
| RcouF1uZ4gsC wrote:
| > To date, he said he had received "no communications whatsoever"
| about taking over the project. Perhaps, once the word gets out
| more widely, a qualified maintainer will step forward to take
| PCRE2 into the future.
|
| I think more and more open source projects will be targeted by
| intelligence services.
|
| Open source maintainer is a stressful, thankless job which pays
| peanuts compared to what you could get for the skills and time.
|
| Driven, talented individual who feels they are sacrificing for
| the good of society and are not being properly appreciated is the
| stereotype for a person who can be turned.
| neilv wrote:
| > _[...] individual who feels they are sacrificing for the good
| of society [...] is the stereotype for a person who can be
| turned._
|
| Turned towards... something that sounds consistent with the
| values for which they're sacrificing?
|
| Or is the theory about more of an "f-word these ingrates; I
| might as well get paid" reaction? Or towards a role that makes
| them feel important or appreciated?
|
| Would this theory distinguish people doing open source mainly
| because it's technically interesting to them, from those who
| are in it more for the community, from those who are strongly
| motivated by principles?
| currency wrote:
| "Turned" may be the wrong word. "Cozened" might be more
| correct. There may be no good way for an individual to
| identify someone who is being paid to take over their project
| from someone with a genuine interest.
| ChrisMarshallNY wrote:
| As the person that authored and maintained a fairly important
| (but obscure) project, for ten years, before handing it off, I
| can relate to this chap.
|
| For my part, I suspect no intelligence service would really be
| interested in the project, and, even if they were, I'd not
| "turn."
|
| Personal Integrity seems to be considered a quaint anachronism,
| these days, but I do run into folks, here and there, that seem
| to have it.
| kjellsbells wrote:
| But how would you know?
|
| The FSB (say) don't send you a bunch of flowers and a pull
| request from fsb.gov.ru. We saw from the xz situation that
| this class of attacker can start out genuinely helpful and
| use sockpuppets and social engineering over a long period of
| time to infiltrate projects.
|
| For all we know, (put on tinfoil hat now) there could be
| committers in major projects now who have spent years acting
| "normally" to earn trust but are sleepers.
| ChrisMarshallNY wrote:
| Fair point.
|
| Not so sure that I'd call it "tinfoil." Probably quite
| realistic.
|
| It's easy for me to say. I write software to support a
| fairly small, tight-knit, demographic. We all tend to know
| each other, so trust (or lack, thereof) is fairly
| established.
| baq wrote:
| Yeah no tinfoil needed, xz was exactly that, except sloppy.
| We won't hear about a second attempt for a long time after
| it's happened.
| hnlmorg wrote:
| For all we know, intelligence services might have already
| had multiple successful attempts prior to xz so they just
| got complacent on that particular one.
|
| The problem we have is you can't prove the absence of
| something.
| lelandfe wrote:
| Struggling to find it now, but one of the crazier scams
| I've seen was for an NFT company who was making, IIRC,
| cards.
|
| A person joined their Discord claiming to be a former
| Ubisoft 3D designer and was confirmed by other former
| coworkers. They began to ship actual, high quality 3D work
| as a contractor and earned the trust of the channel.
|
| ...and then ultimately tried to drain their wallet at the
| end. Best they could guess was that the scammer(s) paid
| freelancers and then presented the work.
|
| Vetting people online is really hard.
| ghaff wrote:
| >Open source maintainer is a stressful, thankless job which
| pays peanuts compared to what you could get for the skills and
| time.
|
| Well, it needs to be something of interest to a company that
| will pay someone to be a maintainer as part of their day job.
| Or it needs to be something that someone has built a business
| around--but, as you suggest, their job is now a lot more than
| just being a maintainer and, in many cases, they make a lot
| less than just taking a job at a company.
| bityard wrote:
| I'll agree with thankless. But I'm confused about "pays
| peanuts," because unless you get hired by a company paying you
| to work on open source software, or have somehow cracked the
| code to acquiring extremely generous patrons (donations), I
| would say being an open source maintainer typically pays
| nothing at all. Which is fine for a lot of us who consider it a
| hobby and would never _want_ to be paid for it.
|
| I also have to believe that if it's a true open source project
| (meaning, without commercial aspirations), then any stress must
| be self-induced. FLOSS authors don't owe anyone features, bug
| fixes, or explanations. And any that are delivered are totally
| voluntary.
| bee_rider wrote:
| I totally agree with this but haven't actually maintained any
| open source projects. Have you?
|
| For me at least, it is easy to say the, I'm quite sure,
| objectively correct thing. Open source hobby projects have no
| obligation to anybody, just release code for fun, and anybody
| who expects more is the problem and should be ignored.
|
| But there are lots of reports of burnout and stress. So I
| think there must be strong social pressure that people fall
| to, despite not having any legal or ethical obligations.
|
| I mean for most of time, all of pre-history, humans got by
| with informal social structures and a feeling of wanting to
| provide their friends continued help, despite a lack of a
| real state or legal framework, and mostly informal ethics. So
| it isn't that surprising that people feel like they have a
| real obligation to users when they've been working on a
| project for a while, right? Helping others is a human
| instinct.
| zrn900 wrote:
| > Open source maintainer is a stressful, thankless job which
| pays peanuts compared to what you could get for the skills and
| time
|
| Precisely why Open Source must fund itself with things like
| freemium. Otherwise it's impossible to justify the effort it
| requires in the long run. Like how the freemium format has been
| very successful in the WordPress ecosystem and many individual
| devs have made a very good living by developing their
| themes/plugins/services and creating sustainable communities
| around their software - independently without any kind of VC
| money. It is a good pattern that keeps the control of projects
| in the community's hands.
| zexbha wrote:
| This was great to read. I had never heard of Philip Hazel until
| today. Although I appreciate the work that he's done in
| maintaining PCRE, I hope that I am never in the position where I
| am still working on a project at that age.
| neilv wrote:
| What would you be doing instead at 80, if not working on a
| project?
| SapporoChris wrote:
| Depends
| neilv wrote:
| Hopefully you aren't overly occupied with Depend brand
| undergarments.
| recursive wrote:
| Thank you. Yes. That's the joke.
| neilv wrote:
| I clarified for people who didn't recognize the joke. Do
| you discourage that?
| froh wrote:
| maybe they do maybe they don't --- I happen to appreciate
| it, as I'd missed it otherwise.
| HanClinto wrote:
| :slow clap:
| ChrisMarshallNY wrote:
| I had never heard of him, but can completely relate.
|
| I plan to pop my clogs at the keyboard.
|
| The coroner is gonna have to rub "YTIa3W[?]" off my cheek.
| mmastrac wrote:
| The dedication to the Unicode textual representation of your
| ASCII demise is much appreciated.
| JeremyNT wrote:
| > _I hope that I am never in the position where I am still
| working on a project at that age._
|
| "Hijacked" - used in the title here but not in any of the
| actual quotes - implies that Phillip is some sort of captive of
| his projects' success, but I'm not sure that's true. After all,
| he stepped away from Exim (an incredibly notable project) many
| years ago, so it's not as if he is incapable of walking away
| when the time is right.
|
| So, presumably, he has only worked so long on these projects
| because he finds meaning and/or enjoyment from doing so. I can
| only hope if/when I reach the age of 80 I'll have something
| meaningful like this I could contribute to!
| jzb wrote:
| I borrowed the title from a talk he did in 1999, but didn't
| find a way (mea culpa) to work that naturally into the story.
|
| I do believe that, yes, he has enjoyed the work and "hijack"
| is employed tongue-in-cheek.
| jxramos wrote:
| Yah I kept searching for a hijack connection thinking he
| got hit by malware or something like that. Never found it so
| I think you're right.
| throw0101c wrote:
| No mention of the music software:
|
| > _Hazel is also known for his typesetting software, in
| particular "Philip's Music Writer",[5][6] as well as programs to
| turn a simple markup into a subset of DocBook XML for use in the
| Exim manual, and to produce PostScript from this XML._
|
| * https://en.wikipedia.org/wiki/Philip_Hazel
|
| * https://en.wikipedia.org/wiki/Philip%27s_Music_Writer
| neilv wrote:
| I'm not sure this is correct, but I made a quick guess at which
| is the most representative Debian package for PCRE, and got this
| order of magnitude of direct and indirect dependencies for it:
| $ apt-cache --recurse rdepends libpcre2-8-0 | tr -d ' |' | sort | uniq | wc -l
| 52160
| adolph wrote:
| Looks like another example for Explain XKCD:
|
| https://www.explainxkcd.com/wiki/index.php/2347:_Dependency
|
| https://xkcd.com/2347/
| socksy wrote:
| And thus a good candidate for funding from
| https://www.sovereigntechfund.de/ , should there be some
| trustworthy individual or group that could maintain it (I
| always felt like while this project is admirable, it should
| be regarded as a point of national security for nation states
| to maintain core infrastructure in-house)
| gmuslera wrote:
| https://xkcd.com/2347/
| lisper wrote:
| Someone should write an article like this about Edit Weitz.
|
| https://github.com/edicl
| throwaway89201 wrote:
| > Now, he is ready to hand off PCRE2 as well, if a successor can
| be found.
|
| My dear friend Jia Tan - although I hear they go by a different
| name now - might be interested in taking over maintenance of
| PCRE.
| bee_rider wrote:
| > I asked Hazel, given the recent XZ backdoor attempt, how he
| intended to vet any prospective PCRE2 maintainers. He replied
| that it was a good question "to which I have no answer. I will
| have to see who (if anyone) makes an offer".
|
| He's clearly aware of the problem, so there's that at least. It
| is a tricky one.
| mistrial9 wrote:
| so this "clever" drive-by comment is the extent of dealing with
| the actual systemic situation.. while every person reading this
| is benefiting from the software, and some not reading this are
| trading stocks on surveillance software. "go buy some stock" is
| the next useful comment on this? FU basically?
| arp242 wrote:
| Connecting qualified would-be maintainers with projects looking
| for a maintainer is a tricky problem. Who here even knew PCRE2
| was looking for a new maintainer?
|
| I took over some fairly widely used Go projects, but only _after_
| they were archived. I had no idea they were looking for someone
| to maintain it.
|
| There's a bit of a catch-22 here:
|
| - If a project is already well-maintained then no one really
| needs to contribute anything.
|
| - If a project is poorly maintained due to lack of interest or
| time, then this will also discourage contributions - the first
| thing I check before contributing is whether previous PRs are
| actually getting merged.
|
| For larger projects where there's always something to do, like
| Exim, this usually isn't a big issue. But for smaller more
| narrowly scoped projects like PCRE2 this is more of an issue. I'm
| not surprised he's having a harder time with PCRE2.
| fanf2 wrote:
| There's a PCRE2 issue that Philip created last week, and which
| I submitted here, but it didn't get much traction.
| https://news.ycombinator.com/item?id=40657607
|
| This LWN article is helping to spread the word.
|
| (I worked with Philip before he retired.)
| arp242 wrote:
| Yeah, that's exactly the kind of stuff very few people are
| going to see. Even this HN post here is seen by relatively
| few people.
|
| Also, about 90% of the people who respond will fall through. I'm
| sure people say "yes" with the best of intentions, but saying
| "yes" in a wave of enthusiasm is easy, and then spending a
| lot of hours on it ... not so much.
|
| My favourite example is someone who said "yes, I'll help
| maintain", was added to the GitHub repo, made a new issue
| with a long plan on how to deal with the many open issues,
| and ... was never seen again. Never actually dealt with any
| of the open issues. I'm sure this was done with the best of
| intentions (and their profile said they're a student, so I
| don't want to judge harshly), but this was a rather marked
| example that made me laugh.
| apitman wrote:
| I worry about new maintainers who feel the need to leave some
| sort of a mark on projects by adding unnecessary features and
| dependencies. I get it, true maintenance of a stable project,
| where you only fix bugs and security issues, is not glamorous.
|
| It's a tired meme but we really do need some concept of
| "finished" in our field, along with the necessary incentive
| structures to enable people to do the needed maintenance on
| finished software in perpetuity.
| dingnuts wrote:
| isn't the whole point of intellectual property law to align
| incentives?
|
| it's no coincidence that corporations that own proprietary
| code don't have this problem.
|
| has anybody considered that maybe Richard Stallman was wrong?
|
| maybe it ISN'T a good idea to volunteer your time to write
| libraries that corporations will use to make billions, while
| begging for donations.
|
| maybe, sometimes, libre licensing is a mistake specifically
| because it leaves maintainers with no reasonable avenue for
| compensation
| apitman wrote:
| These are definitely questions worth considering.
|
| > it's no coincidence that corporations that own
| proprietary code don't have this problem.
|
| I would argue they have a similar but worse problem.
| Someone at google creates an awesome product. They get
| promoted and leave the project. Someone else is assigned to
| maintain the product, which slowly gets worse over time
| either a) because the new maintainers are less
| skilled/driven or b) because programmers perceive
| themselves as being paid to write code, and it's fun, so
| they're going to change things even if nothing needs to be
| changed.
|
| I've seen so much commercial software get worse over time.
| I'm not sure if I have the causes right, but there's
| definitely something wrong with the model. In contrast,
| I've found open source software to be far better for far
| longer. It might stop being maintained, but it almost never
| gets worse in my experience.
| notRobot wrote:
| Surely that's a decision to be made by the author(s) of the
| code?
|
| There is no objective "right" or "wrong" when it comes to
| libre.
|
| I have written dozens of libre projects. I don't want them
| to be proprietary. I don't want to make money from them. If
| I did, I'd simply use a proprietary licence, no one forced
| me to go libre.
| ekidd wrote:
| > _it's no coincidence that corporations that own
| proprietary code don't have this problem._
|
| Proprietary programs have a different, interesting problem:
| They eventually disappear. In 1995, the year PCRE2 was
| born, I was doing classic MacOS GUI programming on a 680x0
| machine, running Metrowerks CodeWarrior as my IDE, and
| relying on a bunch of tools that are now gone. The
| proprietary technology I used in those days is now almost
| universally extinct. I think only BBEdit still exists.
|
| A couple of years later, I switched to Emacs and Linux, and
| they're still going strong a quarter century later. I hope
| to get another couple of decades out of VS Code (or a
| fork). I can deploy Linux apps to containers. And PCRE2 is
| still going strong. Oh, and I can still typeset math with
| LaTeX.
|
| I think there is real value in software that is "done",
| with stable APIs and very conservative maintenance, which
| can remain in use for decades. That's a world I want to
| live in. Let me keep using proven technology where
| appropriate, and switch only when I find a good reason to
| switch.
|
| > _maybe it ISN'T a good idea to volunteer your time to
| write libraries that corporations will use to make
| billions, while begging for donations._
|
| I sometimes avoid letting my projects get _too_ successful
| in order to minimize my support costs. But in general, if
| you want to earn money from software (open source _or_
| proprietary!), you're going to need to build an actual
| business. Using a proprietary license isn't magic. I can
| use a restrictive license, find no customers, and still
| earn no money. It's the easiest thing in the world.
|
| If you want money for an open source project, you're still
| going to need to focus hard on the business part. The
| easiest way to do this is consulting. Your users will still
| capture 99.9% of the value from your software, but a
| successful open source project can still be turned into
| decent revenue-- _if_ you keep working at the business
| side, too.
|
| Mostly, when I release open source, it's because I've
| created something useful, but I _know_ that it would make a
| lousy startup for one reason or another. My employer is
| happy to go along. They see that a tool is useful
| internally, that we couldn't sell it to _our_ customers
| without a massive pivot into a difficult market, and the
| tool isn't hugely useful to our direct competitors. So why
| not share it? Sometimes we get a useful PR! Even better,
| designing a tool to make sense as open source sometimes
| makes it more reusable internally.
| saurik wrote:
| > has anybody considered that maybe Richard Stallman was
| wrong?
|
| > maybe it ISN'T a good idea to volunteer your time to
| write libraries that corporations will use to make
| billions...
|
| If you are writing libraries that are being used by
| companies as part of proprietary software at all -- much
| less to make billions -- then you didn't pay attention to
| Richard Stallman.
|
| > isn't the whole point of intellectual property law to
| align incentives?
|
| Yes: which is why Richard Stallman and the Free Software
| Foundation specifically came up with a model which uses
| copyright law _against_ proprietary software via the idea
| of "copyleft".
|
| I think there are people out there who fundamentally
| believe in doing service for other people... as long as
| they aren't taken advantage of! Aligning this incentive by
| encoding this moral contract into a civil one is the goal
| of the FSF.
|
| (Now, I won't say they nailed it... GPL2 failed to foresee
| and prevent DRM, and even GPL3 has issues with the new era
| of cloud hosting; but like, they did much better than
| anyone probably should have expected.)
|
| Contrary to the title of this LWN post, PCRE2 is not "Free
| Software" and is actually licensed under BSD; the result is
| that, yes: a ton of companies use this library and they
| make billions.
| lcouturi wrote:
| Permissively licensed software is still free software.
| The BSD licenses are approved by the FSF as free software
| licenses. They're simply not copyleft.
| grotorea wrote:
| Yes but what I think previous poster meant is that you
| can't use a permissive license and then blame RMS when
| you feel used by a corporation using it to make
| proprietary software.
|
| edit: because RMS/FSF's position is not simply "all free
| software equally good and you should spend your time
| building some with any license"
| moomin wrote:
| It might be more accurate to say that ESR was wrong. It
| might be even more accurate to say that ESR regards the
| obvious deficiencies of the model he popularised to be
| features.
| arp242 wrote:
| There are very few non-trivial projects that are truly
| "finished" in the sense of "will never need any changes".
| There's always bugs, there's always a changing ecosystem
| (even for C), and for many projects once in a while you do
| want some new features.
|
| For example a new feature added last month is the new
| pcre2_set_max_pattern_compiled_length() function, to limit
| the size of compiled patterns. I assume that wasn't added for
| the craic but in response to a real-world use case. There are
| also plenty of bugfixes and smaller changes.
| apitman wrote:
| If you read my second sentence above, I think we're in
| almost perfect agreement. Unless I'm misunderstanding you?
| My definition of "finished" includes provisions for bug
| fixes and important features.
| ajkjk wrote:
| Seems like it would be a great feature on github, or for a
| standalone site, if a critical mass of usage could be reached
| and the site was trustworthy (i.e. not trying to monetize the
| information somehow).
| jdonaldson wrote:
| PCRE2 is specified through its implementation, which has so
| many edge cases and special flags that most people can't reason
| about what kinds of problems it could cause.
|
| I really wish more people used PEG parsing. I wrote a library
| for it in Haxe that was surprisingly fast despite being
| interpreted : https://www.youtube.com/watch?v=CtNQvjyioGQ
| dehrmann wrote:
| This is an interesting problem open source might start facing.
| There are a lot (I assume) of mature, critical libraries with a
| single owner. These libraries started their life around 30 years
| ago, and the maintainers are ready to move on. Taking on
| maintenance isn't very exciting since all the fun work's been
| done, but the open source world needs it.
| acdha wrote:
| That's what I was thinking, too. There are some fun aspects but
| there's also a lot of stress: if you fix a bug, what are the
| odds that someone added a dependency on that behavior in one of
| the thousands of dependencies which accumulated over the
| decades? Yes, tests are great but I'd still bet that your inbox
| would get more grumping than thanks until we can unbreak open
| source culture.
| tresclow wrote:
| https://xkcd.com/1172/
|
| Are we sure this whole discussion can't be reduced to just
| links to xkcd strips?
| kelnos wrote:
| > _unbreak open source culture._
|
| This aspect isn't really specific to open source culture,
| it's human nature. People want free stuff. People feel
| entitled to free stuff. People feel entitled to the
| uncompensated labor of others.
| rurban wrote:
| Zoltan Herczeg, the JIT maintainer, is capable enough, and he is
| doing most of the work anyway.
| moomin wrote:
| My instant reaction to this was "Wait, is that PH10?". Read the
| article, and of course it is.
|
| Even in the 90s he was a famous hacker around the Computer Lab.
|
| (The username, for those not familiar with Cambridge Lore,
| indicates he was the first PH to be given an ID using the scheme
| applicable in the mid-eighties. Someone will no doubt reply with
| a more precise timeline.)
| mnw21cam wrote:
| I met him briefly when I was at Cambridge in the late 90s. I
| can't remember why I did, but I do remember that he was an
| absolute legend back then.
___________________________________________________________________
(page generated 2024-06-20 23:00 UTC)