State and governance of the project? #767

Closed
yvele opened this issue Feb 12, 2020 · 45 comments

@yvele yvele commented Feb 12, 2020



Edit: The project still is alive, some other contributors like @slowcheetah have permissions for the project to keep going, see #767 (comment) 👍

Full summary of project governance here #767 (comment) 👍



Looks like @zloirock, the author and main maintainer of the project, will be unavailable for some time (1.5 years).

Sources: #767 (comment), #757 (comment), #747 (comment), #548 (comment)

What exactly is the state of the governance of this project?

The JavaScript community should be a bit concerned because @zloirock looks to be the "only" maintainer. Does somebody else have admin privileges to write on this repo? Publish on npm and make this project not to die?

Or the only way is to "wait" for someone to fork this repo? Maybe someone from @babel (poking @nicolo-ribaudo and @danez 🤷‍♂️). Looks like @babel doesn't have bandwidth to fork this project.

A huge open source project (25M weekly downloads) like this should be maintained by more than a single person

Any clues on the future of this project?

PS: I don't know your personal story @zloirock but I'm grateful for your amazing work on this project.. hoping everything will be fine

Edit: This project is dead, see #767 (comment)


@ashpr ashpr commented Feb 14, 2020

@zloirock Making himself the only maintainer was extremely poor handling of such a well used repo.. but I can't say I'm surprised. He's been extremely protective of it.

I think, in time, this project may need to be forked.

This comment was marked as off-topic.

@delanni delanni commented Feb 18, 2020

Looks like the Karma Police got him...

This comment was marked as off-topic.

@danielrree danielrree commented Mar 13, 2020

It's going to be unmaintained for 1.5 years to be exact. So the project is essentially dead (just like the person he ran over by motorcycle).

zloirock's comment:

our stupid law.

Can't really call stupid the law that sets punishment for running over (and killing) someone on pedestrian crossing.

This comment was marked as off-topic.
Author

@yvele yvele commented Mar 14, 2020

https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fkraevoy--alt.sudrf.ru%2Fmodules.php%3Fname%3Dsud_delo%26srv_num%3D1%26name_op%3Ddoc%26number%3D1733512%26delo_id%3D4%26new%3D4%26text_number%3D1

The verdict of the court Pushkarev D.The. convicted that DD.MM.YY , driving a motorcycle " НС ", registration plate *** , moving at a speed of 60 km / h, in the area

, in violation of paragraphs. 1.3, 10.1, 14.1 of the Rules of the road of the Russian Federation, did not give way to pedestrians R.G. and P.A. crossing the carriageway through an unregulated pedestrian crossing indicated by signs 5.19.1 and 5.19.2, as well as road markings 1.14.1, and allowed a collision with these persons.

As a result of a traffic accident, pedestrians R.G. and P.A. bodily injuries were caused, including those causing serious harm to health on the grounds of danger to life. From injuries sustained pedestrian P.A. died at the scene of a traffic accident.

The crime was committed by the convicted person under the circumstances detailed in the court verdict.

At the hearing Pushkarev D.The. actually admitted guilt.

As a result of a traffic accident, pedestrians R.G. and P.A. bodily injuries were caused, including those causing serious harm to health on the grounds of danger to life. From injuries sustained pedestrian P.A. died at the scene of a traffic accident.

convicted under Part 3 of Article 264 of the Criminal Code to 1 year 6 months in prison with a sentence in a penal colony, with the deprivation of the right to engage in activities related to driving, for a period of 2 years.

Ok 😔

@yvele yvele changed the title Is this project going to be unmaintained for a while? State of the project? Looks like dead, any official fork? Mar 14, 2020
@yvele yvele changed the title State of the project? Looks like dead, any official fork? State of the project? Looks like dead. Any official fork? Mar 14, 2020
@azu azu mentioned this issue Mar 17, 2020
Author

@yvele yvele commented Mar 18, 2020

@nicolo-ribaudo ryanelian/ts-polyfill#4 (comment)

Babel maintainer here 👋
We are probably not going to fork core-js because we don't have enough resources to maintain it.

🤷‍♂️


@eiji03aero eiji03aero commented Mar 24, 2020

I bet this will be the SPOF of the year for js ecosystem


@devsnek devsnek commented Mar 25, 2020

For those in need of an immediate replacement, https://github.com/es-shims may provide what you need (and the project welcomes maintainers, if you feel like contributing)


@orliesaurus orliesaurus commented Mar 25, 2020

This could potentially be bigger than left-pad's controversy. As the package maintainer & owner is MIA and seems to be for a while...


@joshxyzhimself joshxyzhimself commented Mar 25, 2020

Need to update babel docs if we ever move to another repo


@MichaelZaporozhets MichaelZaporozhets commented Mar 25, 2020

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

This comment was marked as off-topic.

@franciscop franciscop commented Mar 25, 2020

Please read the full report. It doesn't seem so black and white:

he emphasizes that he was unable to notice pedestrians in a timely manner, since they were below the light level of the vehicle headlights ( R.G. - was lying, P.A. - tried to raise her), were dressed in dark clothes, street lighting was insufficient, he ( D. Pushkarev ) was blinded by the high beam of an oncoming car. Further, the author discloses the contents of the witness statements of A.A. A.Yu. A.M. I.K. A.S. , focuses on the behavior of victims at a pedestrian crossing, which contradicted the requirements of paragraph 4.6 of the Rules of the road of the Russian Federation. He notes that the victims were intoxicated, behaved inappropriately.

This comment was marked as off-topic.

@sgammon sgammon commented Mar 25, 2020

@franciscop that's why you're supposed to drive slow enough that this never happens, because you have time to stop.


@Suvitruf Suvitruf commented Mar 25, 2020

Why instead of discussing this repo future you are talking about this accident? It's irrelevant and will not help to solve the issue.

Collaborator

@slowcheetah slowcheetah commented Mar 25, 2020

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.


@simskij simskij commented Mar 25, 2020

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

Sorry for finding this highly unlikely (given how restrictive zloirock seems to be with permissions), but could you please provide some kind of proof for this claim? Like, adding a notice in the readme.

Edit: Proven 👍


@em92 em92 commented Mar 25, 2020

@simskij
@slowcheetah merged this: #771


@simskij simskij commented Mar 25, 2020

@simskij

@slowcheetah merged this: #771

Great! Then @yvele should update the issue description to reflect that. 👍🏻


@em92 em92 commented Mar 25, 2020

Btw, @slowcheetah, you can edit issue message by yourself.

Contributor

@scottarc scottarc commented Mar 25, 2020

@MichaelZaporozhets

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

So, how much are the 4.5m users willing to pay for this feature?

One of the biggest challenges being discussed with any forks of core-js is a lack of resources. Contributing financially to open source projects can offset this challenge. Making demands without any skin in the game to help meet them is really unfair.

Going further than simple demands, and asking for the platform to besmirch a project's reputation as "high risk" for the users who are unable or unwilling to evaluate the project according to their own risk matrix... I'm not even sure how to classify. It's definitely a degree further than simple entitlement.

Open source is hard.

Forgetting that there are humans involved in the maintenance of open source is deceptively easy, but harmful.


@tom-sherman tom-sherman commented Mar 25, 2020

I would like to urge everyone to try not to discuss @zloirock's personal life in this issue, it's really not the forum for it. This is an important conversation about the maintenance of a critical JS dependency, we don't want to lose relevant comments in the noise. Thanks 🙂


@simskij simskij commented Mar 25, 2020

To keep the discussion focused, maybe @slowcheetah could even hide all comments focusing on @zloirock's personal life (including this one)?


@simskij simskij commented Mar 25, 2020

How that big project can be still a private repo? shouldn't it be cared by some js foundation?

In my opinion, it would feel pretty lousy to make such a decision without the core maintainer being present to weigh in.


@MichaelZaporozhets MichaelZaporozhets commented Mar 25, 2020

@MichaelZaporozhets

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

So, how much are the 4.5m users willing to pay for this feature?

One of the biggest challenges being discussed with any forks of core-js is a lack of resources. Contributing financially to open source projects can offset this challenge. Making demands without any skin in the game to help meet them is really unfair.

Going further than simple demands, and asking for the platform to besmirch a project's reputation as "high risk" for the users who are unable or unwilling to evaluate the project according to their own risk matrix... I'm not even sure how to classify. It's definitely a degree further than simple entitlement.

Open source is hard.

Forgetting that there are humans involved in the maintenance of open source is deceptively easy, but harmful.

I'm not saying it's up to the maintainer to necessarily disclaim potential risks- rather, an automated t-shirt sized risk assessment for dependency by github would be a neat feature.

I also strongly disagree that risk necessarily reflects inversely on quality... I'm confident a lot of the oss stuff I use for my private/personal projects would probably be a high-risk in an enterprise environment, but that's fine. Right tool for the right job, etc.

Anyway, this is off-topic, I'm really just advocating for stronger governance around a project that is so important to everyone.


@yumetodo yumetodo commented Mar 25, 2020

There are simple questions:

  1. When enough money is provided, contributors can continue to maintain core-js?
  2. Is it still suitable to use Open Collective or Patreon to give money to contributors?

@sheerun sheerun commented Mar 25, 2020

Currently he is the only administrator on Open Collective so distributing funds from it is probably not possible


@jmackay-io jmackay-io commented Mar 25, 2020

I disagree a lot with the "risk rating" requests outlined here. Just publicize the administrators of public repositories and let people decide for themselves. Not that it would have mattered in this case because this painted a perfectly clear picture.

I think the real culprits are the Babel team because they definitely knew this was a high-risk project, and they still forced millions of consumers to add it as a dependency. Even if individual developers identified core-js as risky, there's nothing most of them could have done about it.

@yvele yvele changed the title State of the project? Looks like dead. Any official fork? State and governance of the project? Mar 25, 2020
Author

@yvele yvele commented Mar 25, 2020

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

@simskij
@slowcheetah merged this: #771

Great! Then @yvele should update the issue description to reflect that. 👍🏻

Issue description updated. Is that good enough?


@IanKemp IanKemp commented Mar 26, 2020

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

Or... or - developers could do some due diligence and risk assessment themselves before just pulling in every random JS library that comes across their radar.

A bizarre concept in JS land, I know.


@brodybits brodybits commented Mar 26, 2020

#548 (comment)

The idea of anyone owing so much money or going to prison just for an accident sounds ludicrous (ridiculous) to me. I wonder if there is any way we could find some help for an appeal.

This comment was marked as off-topic.

@dave-dm dave-dm commented Mar 26, 2020

can we remove finally his job ad spam from the install logs now?


@brodybits brodybits commented Mar 26, 2020

I think it is up to the dependents to upgrade to the latest version, which seems to be cleaned up.

This comment was marked as off-topic.
Collaborator

@slowcheetah slowcheetah commented Mar 26, 2020

can we remove finally his job ad spam from the install logs now?

No

This comment was marked as off-topic.

@mryellow mryellow commented Mar 27, 2020

No

Why not?

He still looking for a job while incarcerated?


@dominikaaaa dominikaaaa commented Mar 27, 2020

Yes, it would be nice of him to be able to get back up on his feet after spending 1 and a half years in prison, before going to which he spent 6 months without a job maintaining an open source project for free.

This comment was marked as off-topic.
Collaborator

@slowcheetah slowcheetah commented Mar 27, 2020

No

Why not?

He still looking for a job while incarcerated?

@zloirock ask me don't remove that

This comment was marked as off-topic.

@ashpr ashpr commented Mar 27, 2020

No

Why not?
He still looking for a job while incarcerated?

@zloirock ask me don't remove that

This proves time and time again that @zloirock is completely unfit to manage this repo.

I'm not doubting his technical abilities.. but his approach has been absolutely god awful. Specifically with this job thing and his long absence.

  • Extremely limited collaboration.
  • Advertising in our logs, which has actually been reported to have caused issues on CIs due to it maxing out log files.
  • Threatening to delete the repo if NPM enforces a ban on logs.
  • He has had job offers but he is turning them down.
  • Now he's incarcerated for 1.5 years and he still refuses to remove it. He actually went out of his way to make sure it's not removed.

Can you not see how absolutely mad this is?

I suggest we make a push for es-shim or babel should seriously consider forking.


@MKRhere MKRhere commented Mar 27, 2020

Since the original concern (does this project have an interim maintainer) is addressed by @slowcheetah, can we close this issue? @yvele

Author

@yvele yvele commented Mar 27, 2020

Since the original concern (does this project have an interim maintainer) is addressed by @slowcheetah, can we close this issue? @yvele

Let's wait for the next release to be published on npm and then I'll be comfortable closing this issue.

When you have a look at the releases you can see that only @zloirock was in charge of publishing them.

On npm the only collaborator is zloirock 🤷‍♂️

In the meanwhile I'm not confident that this project is going well regarding governance...

Author

@yvele yvele commented Mar 27, 2020

@slowcheetah are you able to inform us on the governance strategy?

  • How many people have GitHub and npm permissions on this project?
  • What kind of permissions? Administrative privileges?
  • Are you still in contact with @zloirock regarding this project of course. Does he provide you with directions? (e.g. not removing the job ad )
  • Is there a "leader"? Someone that can handle the architecture vision of the project?
  • This project is quite related to babel-preset-env are some of the maintainers in direct relation with @babel?

In the future, should we expect "only" fixes or also new features? What about #139 #496 ?

Maybe we should write a little doc about governance good practices; this may be very sane.

I'm not experienced with open source project management, but I think something should be done regarding the governance of the project 💪 I wish collaborators good luck, this looks quite challenging.

Collaborator

@slowcheetah slowcheetah commented Mar 27, 2020

@slowcheetah are you able to inform us on the governance strategy?

  • How many people have GitHub and npm permissions on this project?
  • What kind of permissions? Administrative privileges?
  • Are you still in contact with @zloirock regarding this project of course. Does he provide you with directions? (e.g. not removing the job ad )
  • Is there a "leader"? Someone that can handle the architecture vision of the project?
  • This project is quite related to babel-preset-env are some of the maintainers in direct relation with @babel?

In the future, should we expect "only" fixes or also new features? What about #139 #496 ?

Maybe we should write a little doc about governance good practices; this may be very sane.

I'm not experienced with open source project management, but I think something should be done regarding the governance of the project 💪 I wish collaborators good luck, this looks quite challenging.

  • Only me and @zloirock have npm permissions
  • All privileges
  • Yep. I have contact with @zloirock, but it is "delayed" because of the quarantine situation now.
  • I will try to dive in project but now I can't say that I am "leader". I am "support". There is some chance that within a few months @zloirock himself will have access to the project.
  • I have no direct relation with @babel. I have nothing to say

I am diving in project now. if @zloirock will not have direct access to the project, I will discuss disputed issues with him and try to do further support and development of the project.

Next week I hope to talk with him about the current bugfixes and come to the conclusion whether a new version is needed now.

Author

@yvele yvele commented Mar 27, 2020

Thank you @slowcheetah 🙏 I think we all have enough information... And I think I can close this issue now, if you agree of course. Issue edited.

This comment was marked as off-topic.

@apasov apasov commented Mar 27, 2020

According to the testimony @zloirock is sentenced to serve his term in so called колония-поселение. It is something like lightweight prison or open prison. Inmates there have much more freedom than in real prison. I believe it's possible to have daily internet access there. So it might explain why he is still looking for a job while incarcerated.

I suppose that currently @zloirock is in СИЗО because he issued an appeal and is waiting for the trial for the appeal. In СИЗО conditions are very strict - you cannot have internet access there, but you can have supervised phone calls and personal meetings with relatives and/or friends several times per month. After the court rejects or approves his appeal he will be sent to the lightweight prison where he will be able to continue maintaining this repo.

Also one day served in СИЗО counts as 2 days in колония-поселение. It means the more days he spends in СИЗО the sooner he will be released. E.g. his term is 1 year and 6 months, but if he spends say 3 months in СИЗО his remaining term in колония-поселение will reduce to 1 year instead of 1 year and 3 months. So he'll be freed by 3 months earlier. If for some reasons he spends all his term in СИЗО he will be released in 9 months instead of 1 year and a half.

Maybe @slowcheetah can confirm or deny my assumptions.

This comment was marked as off-topic.

@nektro nektro commented Mar 27, 2020

No

Why not?
He still looking for a job while incarcerated?

zloirock ask me don't remove that

This proves time and time again that zloirock is completely unfit to manage this repo.

Then don't use this project. Move on.

This comment was marked as off-topic.

@joshmanders joshmanders commented Mar 27, 2020

This proves time and time again that @zloirock is completely unfit to manage this repo.

You don't get to make that decision.

I'm not doubting his technical abilities.. but his approach has been absolutely god awful. Specifically with this job thing and his long absence.

Fork the repo and maintain it yourself then.

  • Extremely limited collaboration.

Just because his project got popular doesn't mean he has to let anyone who wants to come in and make sweeping changes.

  • Advertising in our logs, which has actually been reported to have caused issues on CIs due to it maxing out log files.

That's a problem with npm and yarn for not suppressing logs correctly, or the end user for not setting log levels to the appropriate ones.

  • Threatening to delete the repo if NPM enforces a ban on logs.

His code, he can do with as he please, don't like it, fork it and maintain it yourself.

  • He has had job offers but he is turning them down.

Just because he's looking for a job and someone gives him an offer doesn't mean it's a good fit and he has to accept it just to remove a console log to appease entitled people like you. You want the advertising to stop, maybe you should donate your money towards its development so that he doesn't need to do that.

  • Now he's incarcerated for 1.5 years and he still refuses to remove it. He actually went out of his way to make sure it's not removed.

See above.

Can you not see how absolutely mad this is?

Can you not see how absolutely entitled you're being and that nobody here, not even @zloirock has to acknowledge or owes you a single thing, at all?

I suggest we make a push for es-shim or babel should seriously consider forking.

Good luck.

@yvele yvele closed this Mar 27, 2020

@mattlubner mattlubner commented Mar 27, 2020

I think this thread needs to be locked. The conversation looks like it's (again) spiraling downwards, in the direction of frustration at the log messages.

Look, we all have opinions on the log messages. This isn't the place to discuss them, and frankly, if you're bothered by them (like I am), then put that energy into a more productive form of dissent (such as championing a solution). We're a creative bunch, so I have confidence we as a community can think of ways to address the systemic problem of developers needing support for their OSS efforts. No one is actually helped by the collective complaining that's happening throughout the GitHub issues for this repo.

Keep the thread on-topic. The questions seem resolved, so let's move on to other things.

Repository owner locked as resolved and limited conversation to collaborators Mar 27, 2020