This is what happens when community doesn't care about upstream maintainers #7
Comments
Your issue title does, indeed, seem a bit trolly. This happened because a bad actor tricked a prolific author into handing over control of a highly used, but unmaintained, package.
From dominictarr/event-stream#116:
"Tricked".

Yes, tricked. The bad actor was pretending to show good intent when requesting the unmaintained package from @dominictarr.
@ljharb I think this article https://www.ccn.com/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer/ gives more detail. In particular - "Why Does BitPay Use Upstream Libraries?"
@abitrolly i understand that there are many entities that derive financial gain from open source that may not financially contribute back, but that's in no way the same as "the community doesn't care about upstream maintainers".
@ljharb where did I write about financial support? It is not about BitPay not paying some upstream lib maintainer money, it is about the fact that people don't care about what happens upstream even if they have the resources and incentive to secure their dependencies (well, supposedly). It is taken for granted that upstream is okay, and, well, this misreading is also an indicator of consumer culture bias.
@abitrolly i was referring to the section you mentioned in the linked blog post.
@abitrolly Hey -- I appreciate that you started this discussion, and I hear what you're saying about how frustrating it can be that downstreams can, in effect, take upstreams for granted. But in the interest of helping this discussion proceed, would you be ok with changing the title of the thread to something like "This is what happens when upstream maintainers don't get enough support" or something else that's more neutrally worded?
Okay. I need to step down from this discussion and let you handle this opinion. Too defensive from my side. I guess the main point here is that for any other open source project that doesn't deal with finances we can say that there are no resources to maintain contact with upstream, but in this case the argument is weak. I am not sure I know how to replace "don't care" with more neutral wording. It is already not the classical "don't give you-know-what". And saying that the upstream project needed support is also speculation. I guess you also don't know what happens with your upstream dependencies. We are all ignorant of that. Coming from the blockchain community, we have another technological brick that can change things, give our impaired brains tools to inspect the internet ghosts of each other more clearly. If we accept that we don't care, it is because we can't see. I can change the title to "when community can not see", but first you need to persuade me that people want to see. I mean that in a positive sense despite the tone. Asking people would make "the community" more aware of itself, and then I can see the data, I can change titles based on evidence, and not because some speculation sounds better than another.
We are moving off of GitHub for discussions, please use: https://discourse.sustainoss.org Thanks!
Original issue body:

event-stream dependency attack steals wallets from users of copay: https://github.com/bitpay/copay/issues/9346