thoughtwisps One commit at a time

duplicity

I’m tired. I’m sorry if that is a boring way to open a post, but it’s the truth. The truth of the feeling that’s comfortably settled itself somewhere deep within my body and won’t let go. Fractal tentacles of black inky liquid curling around my insides.

Maybe I should have used fatigue. A more elegant word. Tres French. Tres chic.

Or exhaustion. Maybe I should have used that. On a recent Tube journey through the hellscape that is rush hour London, the word popped into my mind (no place better to engage in a little mental gymnastics than the armpit of your fellow rush hour commuter). Exhaustion. Like exhaust but with an extra -ion. The condition of being an exhaust. A human exhaust.

I suppose that is an apt description of how I feel. A human exhaust. Everything else has dissolved.

I went to sleep in the early hours of the morning struggling to keep my sleepy eyes awake as I typed the last touches on a reverse engineering writeup I’d promised to deliver a few days earlier. I knew the writeup would have been better if I had just left it to the morning, proofread it again and then hit send, but the guilt- the guilt of promising to deliver and then failing - would not let me be and I suspected would not have let me fall asleep. The sense of self-worth is tied too closely to achievements. I’ve been failing spectacularly at the achievements part lately, so the guilt is even more acute.

(Warning: start of rant - you may wish to skip to another post).

In any case, this post is not about our broken models of human value, the London Underground system or exhaust, though I could probably fill these pages with ramblings about all three. Instead, I’m going to talk about something that was making the rounds on Twitter yesterday: the maintainer of a very popular npm package had stepped down and transferred control of the package to an interested third party that had been making contributions to the repository. This kind of thing happens in open source projects and is nothing out of the ordinary. The new maintainer then integrated some code into the package that turned out to contain a malicious payload. Users (big companies among them) were affected. Cue: initiate absolute clusterfuck where the previous maintainer gets shit for transferring the ownership without ‘proper vetting’ (based on the comments I read, no one actually suggested how to properly do this). I was glad the conversation was quickly steered into the direction of open source sustainability problem, because yes, we still have a problem of paying maintainers unless they work for a company that supports an open source project financially or allocates company time. Strangely, most companies, including the billion dollar behemoths don’t have a problem with profiting from open source projects. Anyway, people far more eloquent and knowledgeable about this topic have made better writeups of the situation and why it needs fixing.

The security breach and the ensuring cluterfuck reminded me of a conversation I had a few weeks ago with a hiring manager, who gently asked me about my GitHub and the kinds of contributions I had been makind to open source. I could see their face fall when I described contributing to documentation and community in a few projects. Apparently, it’s only code that counts. Good luck learning how to use an open source project without good documentation. I was then gently prodded to make contributions to the company’s open source project, which would ‘be good for getting hired in the future’.

I’m not going to go into how this ‘github as your cv’ hiring practice disadvantanges people who may be excellent in their day jobs, but don’t work on open source full time and have other obligations outside of work (family, hobbies, carer duties, civic duties, life?) - others have done so already and far more eloquently. What I am going to say though is this. Everyone seems to want to see open source contributions until you go to work for them. After that, it’s going to be ‘jump through these 50 legal hoops we’ve setup to prevent you from open sourcing any code’.

/rantover

Now it’s back to our regularly scheduled programming.