PyPad


  • ♿ (Parody)


  • Notification Spam Recipient

    I quite like the comments. It's why I wouldn't get involved in open source without a bigger pay cheque.

    I cannot agree more. Such disrespect for the security of other people depending on your work just shows how it really is just a chore to them and they don't like the users (anymore).

    Yeah, with users like you who wouldn't like them. Also the security of your application isn't his problem. It's your problem. Depending on external entities for services you haven’t paid for is your lookout.


  • BINNED

    Alternative take: the guy seems to not have made up his mind if he wants people to use his code. On the one hand, obviously he does as he’s contributed it to the public as open source. On the other, he hates the idea that people can at least trust that the code is from him (so when it’s not thoroughly vetted it at least only contains first-party bugs or malware, but isn’t compromised by third party hackers) so much he rather just deletes his code than getting sent a free hardware token and taking 10 minutes time to configure it, sends a huge :fu: to any potential users.


  • Discourse touched me in a no-no place

    @topspin he did seem to realise he made a mistake hours later, and had it restored.

    https://twitter.com/untitaker/status/1545476052536942592

    edit: oh, he also enabled 2FA anyway but still opted to no longer maintain it.


  • Considered Harmful

    That's what happens when you rely on the work of whiny, impulsive, tantrum-throwing, semi-autistic attention whores. Coding for "fun" isn't the deal. You're responsible for what you create, whatever the way it evolves. Both sides are different kind of idiots. Bloody open sores commies.


  • BINNED

    @loopback0 I understood it as intentionally deleting and re-uploading. Still going to assume that fucks over users.


  • Discourse touched me in a no-no place

    @topspin said in PyPad:

    I understood it as intentionally deleting and re-uploading.

    Yeah but it seems it deleted more than he thought it would, so he needed PyPi to restore the rest to not fuck users over totally.



  • @Applied-Mediocrity said in PyPad:

    That's what happens when you rely on the work of whiny, impulsive, tantrum-throwing, semi-autistic attention whores. Coding for "fun" isn't the deal. You're responsible for what you create, whatever the way it evolves. Both sides are different kind of idiots. Bloody open sores commies.

    Yes and no. You are, indeed, responsible for what you create when programming for fun, but it's only an issue if you distribute the results. The stuff I've written at home has stayed at home, so I don't owe any "responsibility" to any user / consumer / customer.



  • I'd argue that you're only responsible to a point.

    If you make a thing and distribute it, cool, if someone uses it. The world is therefore enriched on some level by it.

    As for responsibility there is the legal kind and there is the moral kind. Anyone with a functioning brain would absolve themselves of the former with a sensible licence (even GPL would count IIRC), but it's the latter where it gets complicated.

    You are, morally, responsible for it. Are you responsible for it forever? Are you responsible for fulfilling users' feature requests? Especially if they aren't features you didn't intend upon.

    I would argue the answer to most of those is... well, no. You'd be surprised how shitty people get about it, like you owe these people something because they chose to use a thing you made and therefore apparently you owe them something - I've had people tell me that to my face without a hint of anything other than pure entitlement in their tone.

    There is an onus on the people choosing to use these things too, to do whatever passes for due diligence, and ensuring that there is a continuity path there so that if you give up maintaining it for whatever reason, someone else can step in.


  • BINNED

    @Arantor how are you supposed to do due diligence if the author refuses to even authenticate themselves? The only reasonable outcome here is to conclude: this is hobbyist code. Good for him, but impossible to use.


  • Considered Harmful

    @Steve_The_Cynic said in PyPad:

    @Applied-Mediocrity said in PyPad:

    That's what happens when you rely on the work of whiny, impulsive, tantrum-throwing, semi-autistic attention whores. Coding for "fun" isn't the deal. You're responsible for what you create, whatever the way it evolves. Both sides are different kind of idiots. Bloody open sores commies.

    Yes and no. You are, indeed, responsible for what you create when programming for fun, but it's only an issue if you distribute the results. The stuff I've written at home has stayed at home, so I don't owe any "responsibility" to any user / consumer / customer.

    Thank you, Steve The Bleeding Obvious.

    @Arantor said in PyPad:

    Are you responsible for it forever?

    Yes. Until you pull the plug. You can do so at any time. Unfortunately your nerd cred will tank sharply if you do, which is why people keep on maintaining. Nerd cred is everything.

    Are you responsible for fulfilling users' feature requests?

    Not at all. But the unfortunate consideration outlined above applies.

    due diligence

    The primary reason why we use other people's work is because we, for one or several reasons, can't be arsed to do it ourselves. This has gone to ludicrous extent in the past two decades. That's why I'm saying both sides are idiots. Open sores is shit principle by hazy-minded commies that has not made the world a better place one bit.

    And if a nuclear power station goes kerblam because of a bug in your atomicwrites.py, I'm going to hold you responsible.


  • BINNED

    @Applied-Mediocrity did someone kick your puppy today? 😕



  • @topspin said in PyPad:

    @Arantor how are you supposed to do due diligence if the author refuses to even authenticate themselves? The only reasonable outcome here is to conclude: this is hobbyist code. Good for him, but impossible to use.

    I'm personally fine with that. When I look at importing modules into things, I assess if this is what it is, and consider whether I'm prepared to take on the maintenance myself in absentia (because that's the calculation you have to make with importing any kind of third party code) - and I've both accepted and refused code from hobbyists in that exact fashion.

    I've also written code that has since been taken over by others, as well as making things that I've given away.

    Hell, I still have people asking me about plugins I wrote 10+ years ago... I just wish others did the same thinking I did.



  • @Applied-Mediocrity said in PyPad:

    Yes. Until you pull the plug. You can do so at any time. Unfortunately your nerd cred will tank sharply if you do, which is why people keep on maintaining. Nerd cred is everything.

    More fool them if they keep maintaining stuff under those conditions.

    "Nerd cred" is nothing. (That's a big part of why I don't distribute my code, combined with the small point that I have nothing to prove, which is arguably more or less the same thing.)

    At work, I have to deal with the code for a third-party (BSD-licence open-source) daemon that implements, in a questionable fashion, a network protocol that's an essential part of a feature in my product. It's ugly code, and marginally functional, but we put up with it because it's less unfit for purpose than all the alternatives.


  • ♿ (Parody)

    @DogsB said in PyPad:

    "and they don't like the users (anymore)"

    What kind of a loser likes users?



  • @topspin said in PyPad:

    ...than getting sent a free hardware token...

    FWIW, they don't have enough tokens to send them to every "critical" project, much less every maintainer and owner in those projects. Their blog and giveaway's numbers say they have 2000 pairs of tokens to give away to ~3500 projects. (Doesn't stop people from using an authenticator app, which is apparently the other choice, but still.)



  • @Steve_The_Cynic said in PyPad:

    At work, I have to deal with the code for a third-party (BSD-licence open-source) daemon that implements, in a questionable fashion, a network protocol that's an essential part of a feature in my product. It's ugly code, and marginally functional, but we put up with it because it's less unfit for purpose than all the alternatives.

    Ran into something similar a while back, but had to implement the protocol myself rather than use any open-source code. I'm sure my code was still ugly and marginally functional, though. :)


  • Notification Spam Recipient

    @Applied-Mediocrity said in PyPad:

    Open sores is shit principle by hazy-minded commies that has not made the world a better place one bit.

    Please have all my upvotes.


  • BINNED

    @Parody said in PyPad:

    authenticator app

    I didn't know physical tokens were still a thing. Even before 'rona I started collecting entries in the MS authenticator app. I need 3 just for my company accounts and several more for customer connections.



  • See, not everyone who makes and releases open source is doing so for nerd cred, some of us do so simply because we made a thing for our own use and felt like sharing in the hopes it would be useful.

    But clearly the response we should be having is to hoard our shit, guard it jealously and tell everyone else to fuck off.

    If that had been the attitude when I was younger, I don’t think I’d ever have gotten into this industry because how is this different to having the books of type-in listings that were everywhere in the 1980s? (Yes, :um-pendant: I’m aware that the copyright state is different and that legally you couldn’t just reuse chunks of that code because no such licence, but the books often made it clear that you were expected even encouraged to do such things.)



  • @Arantor said in PyPad:

    See, not everyone who makes and releases open source is doing so for nerd cred, some of us do so simply because we made a thing for our own use and felt like sharing in the hopes it would be useful.

    Exactly. I write a lot of stuff (most of it not code) and eventually, most of that will end up online (or at least, that’s the intent), completely for free for anyone who wants it. Although I create this stuff for my own use and/or amusement, I’m delusional enough to think that maybe a few other people will have a use for (or just like) it too, but I’m not delusional enough to think anybody would want to pay me for it. Hell, even if I would write something I suspect would sell well, I’d probably still give it away for free because I CBA to do all the work needed to sell it …



  • @MrL said in PyPad:

    @Applied-Mediocrity said in PyPad:

    Open sores is shit principle by hazy-minded commies that has not made the world a better place one bit.

    Please have all my upvotes.

    I'm sorry if open source software killed your puppies. I don't know about it having made the world better, but AFAICT the world is going to shits anyway so 🤷♂ What I do know is that most of the technology-related things that have given me pleasure in my life would simply never have happened without it and my life would have been a lot poorer for it.


  • Notification Spam Recipient

    @ixvedeusi said in PyPad:

    @MrL said in PyPad:

    @Applied-Mediocrity said in PyPad:
    

    Open sores is shit principle by hazy-minded commies that has not made the world a better place one bit.

    Please have all my upvotes.

    I'm sorry if open source software killed your puppies. I don't know about it having made the world better, but AFAICT the world is going to shits anyway so 🤷♂ What I do know is that most of the technology-related things that have given me pleasure in my life would simply never have happened without it and my life would have been a lot poorer for it.

    What can I say, I'm sorry your life looks like this?



  • I guess none of the people bitching about open source use Linux then. Or is that somehow different magically?

    Or use Debian or any Debian derivative, or is that somehow magically different too?

    Edit: or Firefox. Or VLC. Or literally any piece of software that uses something like libpng which includes a scary number of otherwise closed source things.

    Or NodeBB. Or Node. Or Apache httpd.

    The world as we know it today is fucking built on open source. Deal with it.


  • Notification Spam Recipient

    @Arantor said in PyPad:

    The world as we know it today is fucking built on open source.

    And it's shit.

    Deal with it.

    Yeah, I'm dealing with it all right.


    EDIT: It's funny how transparently religious OS is. You can't say you don't like it and have people just shrug and move on. No, you have 'OMG how can you not love our lord and savior' sermon upon you the moment you show yourself to be a heathen.



  • @MrL said in PyPad:

    What can I say, I'm sorry your life looks like this?

    Well, open source software does in fact exist, and I therefore can do all these things. So to me it looks like you, who seem to be so offended by its very existence, are the one losing out.

    @MrL said in PyPad:

    And it's shit.

    It is indeed. You seem however to have this strange notion that this is due to people sharing around source code and that if people stopped doing that it would somehow be better.


  • Notification Spam Recipient

    @ixvedeusi said in PyPad:

    It is indeed. You seem however to have this strange notion that this is due to people sharing around source code and that if people stopped doing that it would somehow be better.

    It's not because of people sharing stuff. I'm not sure if you pretend to not know it, or you genuinely think it is.

    It's because of OS being a toxic culture, which promotes bad attitudes and practices and produces shit software. With 'who is actually responsible for anything here', discussed here, being one of major shitshows of OS.



  • @MrL said in PyPad:

    It's not because of people sharing stuff. I'm not sure if you pretend to not know it, or you genuinely think it is.
    It's because of OS being a toxic culture, which promotes bad attitudes and practices and produces shit software.

    It just doesn't seem to me that commercial software is that much better in that regard. They are both shit; the main difference is IME that open source software is less actively, intentionally crippled or working against me than commercial products.

    ETA: and with open source software I can still think "at least I haven't paid through my nose for this pile of crap".


  • Notification Spam Recipient

    @ixvedeusi said in PyPad:

    @MrL said in PyPad:

    It's not because of people sharing stuff. I'm not sure if you pretend to not know it, or you genuinely think it is.
    It's because of OS being a toxic culture, which promotes bad attitudes and practices and produces shit software.

    It just doesn't seem to me that commercial software is that much better in that regard. They are both shit; the main difference is IME that open source software is less actively, intentionally crippled or working against me than commercial products.

    I know you think that.



  • @MrL and that’s not the problem you think it is. You seem to assume that all open source has the same problem - but it doesn’t, and that’s why I take the view I do.

    A good many of these projects understand that they do have a responsibility to provide support for what they have created. Again, see most of the projects I mentioned where they understand they have some responsibility and generally try to support what they have made and released, with admittedly varying qualities.

    Here’s the thing, though: closed source ain’t exactly any better. Companies are no more obliged to offer support for things than open source folks for the most part - at least at our level. Bit different at big big contract level but for us little folk?

    How many closed source products exist where the vendor gives no fucks about fixing bugs and instead just heaps new features in to keep the money flowing? How many closed source products out there have security issues that will never be fixed? At least with open source that is a choice you have.


  • Notification Spam Recipient

    @Arantor said in PyPad:

    @MrL and that’s not the problem you think it is. You seem to assume that all open source has the same problem - but it doesn’t, and that’s why I take the view I do.

    If I didn't make myself clear enough about OS proselytism: I heard it all before, I'm not reading it again.

    Please attempt to shrug and move on, like I'll do just now.


  • BINNED

    @Arantor when the closed source crap disables the license servers or just doesn’t fix the bugs, there’s nothing you can do about it. Since this doesn’t leave you with the “fix it yourself” option, it means less work for you. 🍹



  • @topspin then I only have to go find a replacement product.


  • Trolleybus Mechanic

    You all focus on open/closed source too much. The problem is completely different: repositories like pip or npm are not in any way curated and they let individual maintainers break shit.
    Other repos, for example Linux distributions, don't work that way. You can't delete a package from Debian because you had a bad day. Now of course applying this kind of management to npm or pip is going to cost you a lot of money and slow down "progress", but it sure can be done.


  • Considered Harmful

    The industry is hopelessly bloated with utterly shit things done fast that have only become viable because most of the software used is free for grabs. Commercial software used to be a limiting factor.

    As the OS sphere itself often complains, most of the users do not contribute back in any useful way, they only take. The OS is largely - but insufficiently, often just enough to not die - funded by the big players like Meta, Google, M$, Red Hat and Intel, with various others largely sponsored by them (like Apache and Mozilla), or governments (like CERN).

    I cannot say that the quality of software would be better with closed source commercial developments - most likely not or worse - but there would be far, far less of it. Which is fine by me. Even if it all was, in fact, shit, if there's less software, there's also less shit.

    OS is not some kind of hackerpunk or pinnacle of altruism. It's a horrible techno-cult enslaving useful idiots and owned by the corporations, and you're apparently gullible enough to believe otherwise.



  • @Applied-Mediocrity good to know I am at least a useful idiot, even if I am an idiot.


  • Notification Spam Recipient

    @Arantor said in PyPad:

    @Applied-Mediocrity good to know I am at least a useful idiot, even if I am an idiot.

    It's not a step up, as intuition would suggest.



  • @Luhmann said in PyPad:

    @Parody said in PyPad:

    authenticator app

    I didn't know physical tokens were still a thing.

    I still have two that are attached to game company accounts; they came with Collector's Editions way back when. Probably should get some backup keys or whatever they do for those before the batteries die.

    I haven't been a big fan of authenticator phone apps due to how they (don't) handle a dead or lost phone. There's also the weirdness of needing your phone to log in to your phone and the various programs on your phone. This is helping, right?


  • Trolleybus Mechanic

    @Applied-Mediocrity said in PyPad:

    I cannot say that the quality of software would be better with closed source commercial developments - most likely not or worse - but there would be far, far less of it. Which is fine by me. Even if it all was, in fact, shit, if there's less software, there's also less shit.

    I'm not convinced. Maybe there would be less different software packages in the universe, but my computer (and company servers I run stuff on) would almost certainly have more software. I mean, look at the bloat that is modern Windows. Or that thread on Oracle database code. At this point even my X11 desktop looks more consistent than Windows, and it weighs like 20x less.



  • @MrL I personally like the idea that something I made (for my own satisfaction) was also useful to someone else.

    I realise that this is more ammunition for you to look down your nose at me but I’m fine with that. It’s almost like different people value and prioritise different things.



  • @Applied-Mediocrity said in PyPad:

    OS is not some kind of hackerpunk or pinnacle of altruism. It's a horrible techno-cult enslaving useful idiots and owned by the corporations, and you're apparently gullible enough to believe otherwise.

    There is a possibility to just use the corporations-funded code and the advantage of having the source (usually the best documentation available, maybe except IBM) without being religious about that.

    But then again one would miss the opportunity to be blasphemous edgelord...


  • BINNED

    @Applied-Mediocrity said in PyPad:

    owned by the corporations

    So we should instead use closed source software... oh wait.


  • Considered Harmful

    @Kamil-Podlesak said in PyPad:

    the advantage of having the source (usually the best documentation available

    That's another horrible pitfall of the OS movement - that the source is also the (often only) documentation. Source can be an addendum to documentation, but it must never be a substitute or even the primary reference. But writing good documentation is a tremendously valuable skill, more so than programming itself. It is difficult, because it involves both communication and technical competency. It's also time-consuming and, most importantly, it's not fun, therefore if you're not being paid for it, it doesn't seem like worth doing. Unlike code farted into the whole wide world, a well-documented product is expected foremost to be useful to someone else.


  • Considered Harmful

    @topspin said in PyPad:

    @Applied-Mediocrity said in PyPad:

    owned by the corporations

    So we should instead use closed source software... oh wait.

    Perhaps you think you have made some sort of clever argument here, but you have not.



  • @Applied-Mediocrity said in PyPad:

    @Kamil-Podlesak said in PyPad:

    the advantage of having the source (usually the best documentation available

    That's another horrible pitfall of the OS movement - that the source is also the (often only) documentation.

    No. This has nothing to do with "OS movement", this is how it works in the real world.

    Source can be an addendum to documentation, but it must never be a substitute or even the primary reference. But writing good documentation is a tremendously valuable skill, more so than programming itself. It is difficult, because it involves both communication and technical competency. It's also time-consuming and, most importantly, it's not fun, therefore if you're not being paid for it, it doesn't seem like worth doing. Unlike code farted into the whole wide world, a well-documented product is expected foremost to be useful to someone else.

    Yeah, and how is that relevant to the topic of Open Source? It's not, it's a generic statement.

    The only difference is that with OS, I don't need to use disassembler. Well, TBH, there is also an option of "commercial with sources," which works quite nicely too. It prevents me to (legally) make patched version, but that is quite rare anyway.


  • Considered Harmful

    @Kamil-Podlesak said in PyPad:

    this is how it works in the real world.

    Ah yes, the "real world" argument. Always an indicator of someone's imagined intellectual superiority,
    because clearly your fellow developers - who do not, however, share your beliefs - must be imagining things.



  • @sebastian-galczynski said in PyPad:

    You can't delete a package from Debian because you had a bad day.

    True. One could file a bug against ftp.debian.org with scary-looking codewords like ROM; outdated; RC buggy; orphaned, but that only gets it out of the next release.



  • Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, United Kingdom, and the United States

    I personally know more developers from outside these countries than ones living in these countries, but I suppose that PyPI have done their homework and chose the places where the developers of the "critical" packages actually live.

    The option to use a TOTP app of the developer's choice sounds reasonable too. It's not like Google where you have to link an Android phone or a phone number. One can still be pseudonymous and keep their privacy if they want to.

    I wonder what their solution will be to the situation when the malefactors buy or otherwise legitimately take over packages ("would you like me to take this package you're clearly not interested in maintaining? I'll even pay for it...") and then put malware inside it. Or hell, sometimes it's the legitimate developer of the package deciding to put malware inside because this was the plan all along, or because they are fed up with being a maintainer or because they heard something in the news and publishing malware sounded like a good idea.

    Another question for me would be account recovery. If you lose the password or the TOTP device, what do you do next? This can make the situation back into a single-factor authentication scenario.


  • BINNED

    @aitap said in PyPad:

    I wonder what their solution will be to the situation when the malefactors buy or otherwise legitimately take over packages

    That's not addressed by this. But it wasn't before either, so no loss.

    Another question for me would be account recovery. If you lose the password or the TOTP device, what do you do next? This can make the situation back into a single-factor authentication scenario.

    That's the problem I have with 2FA. For me, personally, it's only been a mechanism to deny my legitimate access. And Google/Facebook/et al. trying to use it for gathering data, but you said that's not the case here.


  • Discourse touched me in a no-no place

    @aitap said in PyPad:

    Another question for me would be account recovery. If you lose the password or the TOTP device, what do you do next? This can make the situation back into a single-factor authentication scenario.

    Apps like Authy have the option for backups or sync across multiple devices. Also most services I've got 2FA setup for offer recovery codes.

