
Accepted submission by exec at 2020-03-27 19:29:11
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [TheRegister]

Time: 2020-03-27 03:10:44 UTC

Original URL: https://www.theregister.co.uk/2020/03/26/corejs_maintainer_jailed_code_release/ [theregister.co.uk] using UTF-8 encoding.

Title: What happens when the maintainer of a JS library downloaded 26m times a week goes to prison for killing someone with a motorbike? Core-js just found out

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---

Arthur T Knackerbracket has found the following story [theregister.co.uk]:

In November 2019, Denis Pushkarev, maintainer of the popular core-js library, lost an appeal to overturn an 18-month prison sentence imposed for driving his motorcycle into two pedestrians, killing one of them.

As a result, he's expected to be unavailable [sudrf.ru] to update core-js, a situation that has project contributors and other developers concerned about the fate of his code library.

Pushkarev, known as zloirock [github.com] on GitHub, mentioned [github.com] the possibility he may end up incarcerated in a thread last May discussing the addition of post-install ads [theregister.co.uk] to generate revenue for a project that so many use and so few pay for. He anticipated he may need to pay for legal or medical expenses related to his motorcycle accident.

In that thread, developer Nathan Dobrowolski asked, "If you are in prison, who will maintain [core-js] then?"

Pushkarev offered no answer. Since his conviction last October, the need to resolve that question has become more than theoretical.

A discussion thread [github.com] started in February asked whether core-js can survive in the absence of Pushkarev, who has been the primary maintainer of the project. To date, only Pushkarev [github.com] has issued official releases, the last of which arrived on January 13, 2020.

At least one other project contributor, an individual associated with GitHub account slowcheetah, has "collaborator" status – basically, write permission – and claims [github.com] to be able to issue updates. But it's not clear whether this person's stewardship will be sufficient to sustain faith in the project.

Another JavaScript cryptographic library known as jsrsasign [github.com] faces a similar challenge: its maintainer, Kenji Urushima, hasn't been active since April 2018. Programmers who use the software have expressed concern [github.com] about the lack of communication and an unaddressed vulnerability, noting that 350 npm projects depend on the library, including some by Microsoft and Mozilla, among others.

The situation facing core-js and jsrsasign underscores the many challenges facing popular open-source projects, particularly those that have seen usage grow without changes in governance. One of the coders participating in the discussion asked how it is that such a widely used project can be in the hands of a single individual rather than a foundation.

If core-js went dormant, it probably wouldn't cause as much trouble as the left-pad incident [theregister.co.uk] of 2016. Nothing would suddenly break and developers would have time to revise dependent code. Nonetheless, a transition plan may have helped.
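The "single maintainer, no recent release" risk the article describes for core-js and jsrsasign is something a consuming project can check for itself before it becomes an incident. The following is an added example, not code from the article, from core-js or from any project it mentions: a small bus-factor audit that walks a list of dependency names and, for each, inspects registry metadata in the shape of an npm package document (the real `maintainers`, `dist-tags` and `time` fields). The registry documents below are constructed inline so the script runs offline; the maintainer lists, versions and dates are illustrative placeholders, not data fetched from npm.

```javascript
// Added example (not from the article or from core-js): a dependency
// "bus factor" audit over npm-registry-shaped package documents.
// All documents below are CONSTRUCTED to mirror the registry document shape
// (`maintainers`, `dist-tags`, `time`); versions, emails and dates are placeholders.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample registry (assumption: shape only, not real registry data).
const SAMPLE_REGISTRY = {
  "core-js": {
    name: "core-js",
    "dist-tags": { latest: "1.0.0" },
    maintainers: [{ name: "zloirock", email: "maintainer@example.invalid" }],
    time: { modified: "2020-01-13T00:00:00.000Z", "1.0.0": "2020-01-13T00:00:00.000Z" },
  },
  jsrsasign: {
    name: "jsrsasign",
    "dist-tags": { latest: "1.0.0" },
    maintainers: [{ name: "placeholder-maintainer", email: "maintainer@example.invalid" }],
    time: { modified: "2018-04-01T00:00:00.000Z", "1.0.0": "2018-04-01T00:00:00.000Z" },
  },
  "well-staffed-lib": {
    name: "well-staffed-lib",
    "dist-tags": { latest: "2.1.0" },
    maintainers: [{ name: "alice" }, { name: "bob" }, { name: "carol" }],
    time: { modified: "2020-03-01T00:00:00.000Z", "2.1.0": "2020-03-01T00:00:00.000Z" },
  },
};

// Audit one package document. Returns maintainer count, age of the `latest`
// release in whole days, and a list of risk flags.
function auditPackage(doc, now = new Date(), staleDays = 365) {
  const maintainers = Array.isArray(doc.maintainers) ? doc.maintainers.length : 0;
  const latest = (doc["dist-tags"] && doc["dist-tags"].latest) || null;
  // Prefer the publish time of the `latest` version; fall back to the
  // document-level `modified` timestamp when the version entry is missing.
  const releasedAt = (doc.time && (doc.time[latest] || doc.time.modified)) || null;
  const daysSinceRelease = releasedAt === null
    ? null
    : Math.floor((now.getTime() - Date.parse(releasedAt)) / DAY_MS);

  const flags = [];
  if (maintainers <= 1) flags.push("single-maintainer");
  if (daysSinceRelease === null || daysSinceRelease > staleDays) flags.push("stale-release");
  return { name: doc.name, maintainers, latest, daysSinceRelease, flags };
}

// Audit a list of dependency names against a registry lookup table.
// A name absent from the registry is itself a finding.
function auditDependencies(depNames, registry, now = new Date(), staleDays = 365) {
  return depNames.map((name) => {
    const doc = registry[name];
    if (!doc) {
      return { name, maintainers: 0, latest: null, daysSinceRelease: null, flags: ["not-in-registry"] };
    }
    return auditPackage(doc, now, staleDays);
  });
}

// Keep only packages that raised at least one flag.
function flagged(reports) {
  return reports.filter((r) => r.flags.length > 0);
}

// Stand-alone run: audit the constructed registry as of the article's date.
if (typeof require !== "undefined" && require.main === module) {
  const now = new Date("2020-03-27T00:00:00Z");
  const deps = ["core-js", "jsrsasign", "well-staffed-lib", "missing-lib"];
  for (const r of flagged(auditDependencies(deps, SAMPLE_REGISTRY, now))) {
    console.log(`${r.name}: maintainers=${r.maintainers} daysSinceRelease=${r.daysSinceRelease} flags=${r.flags.join(",")}`);
  }
}
```

In a real pipeline the registry table would be filled from `https://registry.npmjs.org/<name>` responses for every entry in the lockfile, and the thresholds (one maintainer, 365 days) tuned to the project's risk appetite. The point is that the signal the article's commenters were asking about is already visible in public metadata and can be checked continuously rather than discovered when a maintainer goes silent.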

In an email to The Register, Ben Balter, senior product manager for community and safety at GitHub, said the company is continuing to think through repo ownership transfers in cases where project maintainers are unresponsive. "In a preferred situation, we want to make sure that we’re proactively mitigating issues in advance," he said.

"We encourage maintainers to move popular projects from their personal account into an organization. In addition to gaining access to advanced community management features, adding at least one other maintainer as a co-owner further ensures the project can continue, even if one maintainer is unavailable."

He added maintainers can signal that they intend to step away from projects by setting their GitHub status to "away," to let contributors know they will not be responsive during this period.

Balter said GitHub has processes for transferring account ownership in the event of illness that apply to relatives, collaborators, coworkers, and business partners. Forking dormant repos is also an option, he said, noting that GitHub can potentially re-position a fork if it takes over as the canonical source of the project. ®



-- submitted from IRC


Original Submission