Jeff Atwood on security (blog post)
-
What I don't get is how this explanation magically makes it so Atwood isn't running a business based on Discourse.
Now explain that second part.
Never said that. I never argued that point. I said he's not selling the software. Because he isn't. He's selling a service. You said he's selling the software. Therefore I was contesting your inaccurate statement.
-
Never said that. I never argued that point. I said he's not selling the software. Because he isn't. He's selling a service.
SO THIS WHOLE FUCKING EXCHANGE IS ABOUT PEDANTIC DICKWEEDERY!?
fuck you
-
No, but who cares?
Finally, some honesty on your part. But if you don't care, why do you keep lying?
-
SO THIS WHOLE FUCKING EXCHANGE IS ABOUT PEDANTIC DICKWEEDERY!?
Yes it is, but this is actually important. These words have important distinctions, use them correctly. Since you didn't, it was obvious you didn't actually understand the distinction.
-
What I don't get is how this explanation magically makes it so Atwood isn't running a business based on Discourse.
What I don't get is why you think Atwood running a business makes anything not open source.
-
SO THIS WHOLE FUCKING EXCHANGE IS ABOUT PEDANTIC DICKWEEDERY!?
As the primary pedantic dickweed in this thread, HOW DID YOU NOT KNOW THAT?
-
To this conversation? No, it isn't.
Eh, yeah, actually it is. There's nothing wrong with his business model (aside from maybe the markup on the VMs, not sure what the actual price/markup model is). In fact, it could be much worse.
Argue the quality of the software all you want, but the business model is sound and pretty fair to both sides. They're providing a service and "peace of mind" in exchange for money.
-
In fact, it could be much worse.
He's selling Discourse, how could it be worse?
EDIT: Oh wait sorry he's not "selling" it selling it he's only "selling" it selling it if you define "selling" to mean something other than "selling" PEDANTIC DICKWEEDERY!!!
-
SO THIS WHOLE FUCKING EXCHANGE IS ABOUT PEDANTIC DICKWEEDERY!?
fuck you
Welcome to the Daily WTF.
-
I wonder if I can get a pedantic dickweedery badge... I was called out on it after all :)
-
He's selling Discourse, how could it be worse?
EDIT: Oh wait sorry he's not "selling" it selling it he's only "selling" it selling it if you define "selling" to mean something other than "selling" PEDANTIC DICKWEEDERY!!!
He's selling hosted discourse. Notice what I did there with the hosted word? He's not selling Discourse.
-
they have people doing QA stuff
They have devs clicking around the app after they make a change to make sure it doesn't fuck up outright. (I hope.) That's not proper QA, that's the basic step of development.
So the outrage is about people making money from open source?
The outrage is about people making money from open source while also expecting people to do work on the project for free. That includes not only actual code work, but also reporting bugs and otherwise improving on the software.
They're not a non profit, and their business model is centered around Discourse. It's as if you ran a charity which forwards donations to poor kids or whatever, but also sells merchandise for profit. At that point, you can't expect volunteers to do your sales - you have the resources. And so do they, with a huge margin to boot.
TANSTAAFL, I suppose, but that goes both ways.
-
DigitalOcean is centered on Linux though, so does that mean they've got a bad business model?
-
Does anyone think, if @blakeyrat moves the goalposts enough, they'll end up back where they started?
-
DigitalOcean is centered on Linux though, so does that mean they've got a bad business model?
Well if they expected users to fix their hypervisor when it goes belly-up...
-
The outrage is about people making money from open source while also expecting people to do work on the project for free. That includes not only actual code work, but also reporting bugs and otherwise improving on the software.
As long as their licence doesn't make the product useless to me, I have no immediate problems with this:
- I get the product for free
- If there is something wrong with the product I can either:
- fix it for myself, optionally releasing that fix to other users / the company handling the project
- pay someone to fix it for me
- pay the company maintaining the project for support, making them directly responsible for any fixes (within constraints of the contract we signed, of course)
- I could also be the one hired to fix it and make money from it
Now, if you feel cheated by not being paid for contributing to a project, well, I saw no promise of payment, nor any binding contract forcing you to contribute. You can use the software for free if you want. You can even fix bugs in your own copy and never share the patches.
Is the model perfect? Fuck no, nothing is. Is it massively unfair? By no means. I can open Discourse consultancy, today. And I can charge for installs and customizations without breaking a single law or contract of any kind. Do you want to deny me that right? Or do you want me to have that right but deny Jeff the same right?
-
The outrage is about people making money from open source while also expecting people to do work on the project for free. That includes not only actual code work, but also reporting bugs and otherwise improving on the software.
Right; he's getting all pissy because he has to pay (in time/money/whatever currency) to maintain a product THAT ONLY EXISTS TO MAKE HIM MONEY. Yes, idiots, I understand other people can make money off it too, that doesn't change this point at all. Not only that, but he's already getting tons of free labor in the form of patches, bug reports, etc. And he's still bitching about it.
That's the issue here.
-
Right; he's getting all pissy because he has to pay (in time/money/whatever currency) to maintain a product
Your lies know no bounds today.
-
Right; he's getting all pissy because he has to pay (in time/money/whatever currency) to maintain a product THAT ONLY EXISTS TO MAKE HIM MONEY
I'd get pissed if people demanded money for reporting security bugs too. (Note this isn't for fixing bugs, just for reporting them)
That's essentially holding me hostage.
-
As long as their licence doesn't make the product useless to me
Not the licence, no...
I can open Discourse consultancy, today. And I can charge for installs and customizations without breaking a single law or contract of any kind.
I do wonder if you can. But again - you can open Oracle consultancy too, or MS consultancy. Doesn't make Oracle or MS a non-profit, and doesn't make it any more ethical for Oracle or MS to rely on the community to fix their shit.
Obviously, both companies do that (MS I know of, I'd be surprised if it's not the case for Oracle) with error reporting, bug trackers, etc. - but both companies also don't bitch about how users send them no bug reports and don't contribute, and employ huge QA departments so that they don't have to rely on users for that.
-
But again - that's not what they're selling. They're selling hosted discourse, complete with support and stuff. The Discourse open source project is just the software it's running on.
-
But again - that's not what they're selling. They're selling hosted discourse, complete with support and stuff. The Discourse open source project is just the software it's running on.
Okay, let's see a different example. Microsoft recently open-sourced ASP.NET 6, and a few other parts of .NET. Obviously they profit from Azure and other parts of the system, but as far as ASP.NET is concerned, they're just as much "not-selling" as CDCK doesn't sell Discourse.
So, if MS were to complain that people don't fix their shitty code, expect their product to work without contributing themselves, and blame them for bugs, would that be just as just as in Discourse's case?
-
If there was no Discourse, they would make no money.
If Discourse chases people away for having security flaws, they make no money.
What do they spend more time doing, ~~bikeshedding~~ improving Discourse, or "supporting" it?
Discourse is clearly the product being sold, regardless of the details of how the contract is negotiated. The fact that it's also being sold for $0 with no support changes nothing about it being the product.
-
being sold for $0 with no support
Hello, deare ~~free vps~~ Discourse user.
You are a free user, so please FUCK OFF.
Have a nice day.
~~Dave, VPS.me~~ Jeff, CDCK team
-
Discourse is clearly the product being sold, regardless of the details of how the contract is negotiated. The fact that it's also being sold for $0 with no support changes nothing about it being the product.
I wanted to reply directly to @Maciejasjmj but this quote is just too perfect not to use. I'll indulge in a bit of FTFY, if it's all the same to you:
~~Discourse~~ MySQL is clearly the product being sold, regardless of the details of how the contract is negotiated. The fact that it's also being sold for $0 with no support changes nothing about it being the product.
Hello, Oracle. Still relying on community? Yes, yes they are.
~~Discourse~~ Ubuntu is clearly the product being sold, regardless of the details of how the contract is negotiated. The fact that it's also being sold for $0 with no support changes nothing about it being the product.
Hi there, Canonical. Still pulling those community patches? Good, good.
Now, I'm not saying you all are wrong when you say that there's more important shit to be fixed than changing avatars to circular. But can we stop with this bullshit of Discourse being some special snowflake in the open source model? It isn't. It's a classic open source project, with all the advantages and disadvantages of the model.
It wasn't started as a lovechild of a garage nerd, but by a company? Ubuntu was started by Canonical as well.
Again, I acknowledge the problems with Discourse. But let's separate those problems endemic to it from problems of the open source model, shall we?
-
If all companies could get their IT employees to work for nothing, they would.
Hell, if they could get their sales and accounting employees to work for nothing, they'd do that too. Why pay if you don't have to? So to Blakey's point, we should stop providing free QA, because it devalues the worth of QA.
That said, I doubt I could stop myself from reporting issues when I find them. The "payment" of getting bugs fixed is high enough to be worth my time in my own personal estimation, and like most human beings, I find it hard to keep in mind the long-term damage to the reputation of my profession when the short-term payoff is high.
-
Hello, Oracle. Still relying on community? Yes, yes they are.
Fine enough; I was wrong about Oracle. I wouldn't contribute to MySQL personally.
Hi there, Canonical. Still pulling those community patches? Good, good.
Well if people submit them, they pull them, whaddaya know. If they didn't, they'd be forced to push money to fixing Ubuntu if they wanted to stay afloat supporting it.
But let's separate those problems endemic to it from problems of the open source model, shall we?
Okay: most open source projects support their community and either give it some decisive power, or otherwise encourage it to do normally well-paid work for free. Jeff's encouragement is "well you want it fixed so fix it yourself".
What the fuck are you talking about?
Just as fair, fine, that was a bit of linguistic diarrhoea.
-
The "payment" of getting bugs fixed is high enough to be worth my time in my own personal estimation,
Well you're the user, so your choices are "reporting bugs to get them fixed" or "not reporting bugs and not getting them fixed".
Normally there's also an option of "make a campaign for your admin to change that shitty piece of software to phpBB", but we're handicapped in that one.
-
Okay: most open source projects support their community and either give it some decisive power, or otherwise encourage it to do normally well-paid work for free.
This is where
The "payment" of getting bugs fixed is high enough to be worth my time in my own personal estimation
usually comes in.
Now, the fact that this is handled poorly by most of the discodev crew is another matter and I agree is annoying and, at times, maddening.
-
your choices are "reporting bugs to get them fixed" or "not reporting bugs and not getting them fixed".
More accurately, my choices are "Report bugs to get them fixed and, in so doing, provide free QA work, infinitesimally reducing the amount QA is considered to be worth" or "Do not report bugs outside of my paid position, keeping the value of QA work infinitesimally higher but ensuring the bug is not fixed in a timely fashion."
And the former still wins.
-
That said, I doubt I could stop myself from reporting issues when I find them
Oh, I sure can. On one hand, there are open source projects I use at work. I am happy to report bugs for these projects for free, because I benefit financially from those projects (indirectly).
On the other hand is Discourse. I'm not benefiting financially from using it, but Jeff is (indirectly). I feel no obligation to help him fix his bugs. Especially if I'm going to catch grief from him if I do.
-
Why don't you just hand Atwood $20 bills directly?
-
Because some people are nice people
-
If I thought it'd improve our level of service, I would. $20 isn't that much.
-
You'll have to explain this, what seems to be, mental disconnect to me.
If you found a bug that affects you in a commercial application, would you not report it so it gets fixed for you? And would you not be aware that the bug would get fixed for all of the users, potentially bringing the company you bought the product from more customers? And I doubt you'd get paid for that.
Now, the lack of any other kind of QA in Discourse is a separate issue as I see it. It's not something I'm dismissing: It is a problem.
But you seem to be vehemently against reporting any bugs. Would you change your position if Discodevs implemented proper QA before the product reached us and we still found the bugs that slipped by them?
-
I'd gladly donate to the DailyWTF community, but to Discourse? Fuck it.
Hell considering the constant downtime and the erasure of my old forum posts, I figure HE owes ME. A lot.
-
OK, I'll explain it this way: I'm on a phone and it's impossible to quote your post to answer it, so fuck Discourse.
-
Why don't you just hand Atwood $20 bills directly?
I volunteer to do stuff for all sorts of people and organizations all the time. It's OK that you're not willing to do that. I just hate hearing you whine about your precious time.
-
erasure of my old forum posts
They still exist, just not in a form you can access right now
-
Does anyone think, if @blakeyrat moves the goalposts enough, they'll end up back where they started?
That's in theory possible, but in practice the goalposts don't even stay in the same city, let alone the same stadium, so it's not likely.
-
The Earth is still round, y'know.
-
The Earth is still round, y'know.
Where's that thread where we talked about circumnavigating without going over an ocean?...<not really asking
-
Where's that thread where we talked about circumnavigating without going over an ocean?...
hmmm... doable... of course i'd need a hell of a lot of dirt to fill in the oceans, and to raise some parts of the land that were covered by displaced oceans... but yes i think i could manage that.
-
Where's that thread where we talked about circumnavigating without going over an ocean?
Clearly it could be done with a submarine.
-
that Atwood isn't running a business!
-
OK, I'll explain it this way: I'm on a phone and it's impossible to quote your post to answer it, so fuck Discourse.
I just quoted your post. From a phone.
Sounds like your problem (in this case) may not be discourse. That left a bad taste.
-
Therefore, probably he's talking about someone else.
Ok, not us then, at least not any public reports any of us made.
I also don't think he talks about us.
From reading Meta... pretty damn sure it isn't about TDWTF.
People report that "the Google PageSpeed score is slow, it says 'remove render-blocking JavaScript'."
Is any of this advice useful?
@sigurdur said:
Wow, this is actually my specialty, website speed optimization.
For images - adding a kraken.io API for image optimization would be a big step.
Render blocking javascript - adding async to the scripts might improve the PS score if you don't rely on the javascript to run in the imported order.
The CSS - if you can inline it in the header, you'll increase your PS score.
There's topics about bullshit security issues, but I can't find them right now (may have been deleted)