I know this is not point of the article but:
> The PR was bigger than what I felt I could sensibly review and, in honesty, my desire to go through the hours of work I could tell this would take for a project I no longer used was not stellar.
The PR: https://github.com/django-money/django-money/pull/2/files?di...
Do others share this sentiment?
This doesn't look like a particularly big PR to me, judging solely by the amount of code changed and the nature of the changes at first glance.
Are most of your PRs at work tiny, couple lines of code at most? Am I sloppy for not even consider reviewing this for "hours"? Are all code bases I have worked on sloppy because features often require changing more code than this?
Trust goes a long way. Microsoft had given me read/write access to full Windows source code on my first day despite that I was only hired to work on certain parts of the kernel and drivers. I'd never been shown this kind of trust before; other companies I'd worked with always had layers around trust, so, this kind of "you're 100% one of us now" message on my first day had made me extra happy and motivated at Microsoft. I was extra careful protecting source code too. Loved working there until the day I quit.
Another possible outcome of "I gave commit rights to someone I didn't know": https://github.com/dominictarr/event-stream/issues/116
I've given commit and other "dangerous" access (moderator or admin privileges) to people I don't personally know or barely know for a long time now and I don't think I've ever regretted it.
My criteria is usually just a willingness to improve the situation. I can observe this over time via pull requests, forks and general community participation.
I'm very reluctant to give access to someone asking for it. I firmly believe this is something that should be given and not to be expected.
I did this with every first committer to https://github.com/zladx/LADX-Disassembly : giving commit rights immediately (so that they can merge their first PR themselves).
I did wonders to foster a community of contributors, and get more patches coming. The CI ensures nothing breaks, and there never was any trust incident.
I think Graeber used to say that if you tell most adults that "Here's your power. I dare you to be responsible with it" they will.
(The notable exception are people who specifically seek power. Somehow they seem to be the least responsible with it.)
I wanted contribute a fix for a bug that I ran into all the time to https://curlconverter.com/ . The author gave me commit access while I was still working on my first PR (or shortly after) without me asking. I appreciated the trust and I ended up contributing way more than I originally intended to.
See also [0]. Rutger argues that if you have never trusted someone like this (somewhat) blindly, you may have indeed protected yourself from some misery, but you are also overwhelmingly denying yourself the better parts of life. Because "most people are kind" (which is the original Dutch title of the book btw).
[0] https://en.wikipedia.org/wiki/Humankind:_A_Hopeful_History
Discussed at the time:
I gave commit rights to someone I didn't know - https://news.ycombinator.com/item?id=12522654 - Sept 2016 (100 comments)
My personal rule is that you get commit access after some number of good PRs, depending on the project. Has worked out quite well:
- instar. I had two guys basically rewrite the entire thing and make it WAY better. I had a good vision for the API but my implementation was pretty bad.
- mutmut. I would never have gotten windows support going without help. (Although I am thinking of abandoning windows anyway soon...)
- iommi. This project is much more complex and has a certain philosophy, but we gave commit access to one developer pretty fast as it was super obvious from the first PR what kind of deep thinking he did.
All in all, great success.
These days getting commit rights to inject malware into an already popular gem has become a real threat.
In 2016 I think it wasn't yet/wasn't recognized.
I am very sympathetic to the suggestion in OP prior to recognizing that there may be people actually actively trying to abuse your trust to intentionally inject malware.
I've never had giving away commit rights backfire on me.
And if it did, sorting out the mess and reverting a malicious commit wouldn't be the end of the world.
I created/maintained a popular project for years[^1], and recently passed ownership to someone else. It's been great seeing issues resolve, PRs merge, etc, after languishing for a while :)
Man I remember having to monkey patch that library to do some caching of the exchange rates. Otherwise it would do dozens of requests for the same information exchange rate.
I maintained the pjax library at one point. This is what the author posted at the time:
https://twitter.com/MoOx/status/955903710617620482?t=BvPIWQ-...
Another similar article, "the pull request hack":
This happened with clojupyter for me. I just gave everyone who submitted something good commit access, and a handful of people who are way better clojure coders than me made it way better in every way.
If the maintainer of a package trusts everyone on the Internet, then users who trust that maintainer (by installing their package) transitively trusts everyone on the Internet, which they might not have expected if the maintainer didn't declare this position upfront.
Maybe we need a way to declare in the package and repository metadata that the maintainer considers it world-writable and it shouldn't be installed or updated without very carefully reviewing the code of every new version.
> Spoiler: trusting your contributors works
I'm glad it worked for him, but just want to remind people of survivorship bias: https://xkcd.com/1827/
I was around around when pugs[0] was a thing, and the "commit bit to everyone who wants it" was kind of magical.
I am not sure you'd want this for everything, but for quick paced experimental work it seemed to be incredibly effective.
Glad it's not the case but that could have worked out very differently for him and all the users of that project.
Giving commit rights to some random person is risky, and will only happen to "celebrity" contributors, with enough social validation. That means not everyone will get it, regardless of how good job they do contributing to a fork or proposing solutions.
So I really appreciate projects like JazzBand [1], that gather likeminded contributors and individuals that want to harbour open source repos around an ecosystem (Eg. Django), while giving some assurance on governance. If JazzBand would be around in 2016, django money would be a very good candidate to be harboured by the org.
On a meta level, I really would love that more OSS devs would user orgs, rather than personal accounts and repos, so that they can grow their projects with a team, rather than becoming the bottleneck and gatekeeper for development.
[1]- https://jazzband.co/
Strange that all of this happened without a single bit of ongoing communication. I always talk with people continuously whenever there is a collaboration.
This would be a godsend for a popular repo that's abandoned. But, other packages still use it and they may or may not migrate to a new package.
Careful there, some made one mistake like this and still have to support it 20 years later.
Very positive article, thank you! I wish I had similar experience!
Glad it worked out that one time, but, could never be me
Your milage may vary
Counterpoint: gorhill and uBlock. IIRC, gorhill (Raymond Hill), creator of the popular uBlock adblock extension, wanted to step down and hand the reins off to a contributor. The contributor then promptly removed all references to gorhill and started charging for the plugin and turning the extension into an affiliate marketing product.
This reddit comment covers it pretty well: https://reddit.com/r/ublock/comments/32mos6/_/cte0a3n/?conte...