Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

State and governance of the project? #767

Closed
yvele opened this issue Feb 12, 2020 · 46 comments
Closed

State and governance of the project? #767

yvele opened this issue Feb 12, 2020 · 46 comments

Comments

@yvele
Copy link

yvele commented Feb 12, 2020



Edit: The project still is alive, some other contributors like @slowcheetah have permissions for the project to keep going, see #767 (comment) 👍

Full summary of project governance here #767 (comment) 👍



Looks like @zloirock the author and main maintainer of the project will be will be unavailable for some time 1.5 years.

Sources: #767 (comment), #757 (comment), #747 (comment), #548 (comment)

What exactly is the state of the governance of this project?

The JavaScript community should be a bit concerned because @zloirock looks like to be the "only" maintainer. Does somebody else have admin privileges to write on this repo? Publish on npm and make this project not to die?

Or the only way is to "wait" for someone to fork this repo? Maybe someone from @babel (poking @nicolo-ribaudo and @danez 🤷‍♂). Looks like @babel doesn't have bandwith to fork this project.

A huge open source project (25M weekly downloads) like this should be maintained by more than a single person 🤔

Any clues on the future of this project?

PS: I don't know your personal story @zloirock but I'm grateful for your amazing work on this project.. hoping everything will be fine

Edit: This project is dead, see #767 (comment)

@ashpr
Copy link

ashpr commented Feb 14, 2020

@zloirock Making himself the only maintainer was extremely poor handling of such a well used repo.. but I can't say I'm surprised. He's been extremely protective of it.

I think, in time, this project may need to be forked.

@delanni

This comment has been minimized.

@danielrree

This comment has been minimized.

@yvele

This comment has been minimized.

@yvele yvele changed the title Is this project going to be unmaintained for a while? State of the project? Looks like dead, any official fork? Mar 14, 2020
@yvele yvele changed the title State of the project? Looks like dead, any official fork? State of the project? Looks like dead. Any official fork? Mar 14, 2020
@yvele
Copy link
Author

yvele commented Mar 18, 2020

@nicolo-ribaudo ryanelian/ts-polyfill#4 (comment)

Babel maintainer here 👋
We are probably not going to fork core-js because we don't have enough resources to maintain it.

🤷‍♂

@eiji03aero
Copy link

I bet this will be the SPOF of the year for js ecosystem

@devsnek

This comment has been minimized.

@orliesaurus
Copy link

This could potentially be bigger than left-pad's controversy. As the package maintainer & owner is MIA and seems to be for a while...

@joshxyzhimself
Copy link

Need to update babel docs if we ever move to another repo

@MichaelZaporozhets
Copy link

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

@franciscop

This comment has been minimized.

@sgammon

This comment has been minimized.

@Suvitruf
Copy link

Why instead of discussing this repo future you are talking about this accident? It's irrelevant and will not help to solve the issue.

@slowcheetah
Copy link
Contributor

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

@simskij
Copy link

simskij commented Mar 25, 2020

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

Sorry for finding this highly unlikely (given how restrictive zloirock seems to be with permissions), but could you please provide some kind of proof for this claim? Like, adding a notice in the readme.

Edit: Proven 👍

@em92
Copy link

em92 commented Mar 25, 2020

@simskij
@slowcheetah merged this: #771

@simskij
Copy link

simskij commented Mar 25, 2020

@simskij

@slowcheetah merged this: #771

Great! Then @yvele should update the issue description to reflect that. 👍🏻

@em92
Copy link

em92 commented Mar 25, 2020

Btw, @slowcheetah, you can edit issue message by yourself.

@scottarc
Copy link
Contributor

scottarc commented Mar 25, 2020

@MichaelZaporozhets

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

So, how much are the 4.5m users willing to pay for this feature?

One of the biggest challenges being discussed with any forks of core-js is a lack of resources. Contributing financially to open source projects can offset this challenge. Making demands without any skin in the game to help meet them is really unfair.

Going further than simple demands, and asking for the platform to besmirch a project's reputation as "high risk" for the users who are unable or unwilling to evaluate the project according to their own risk matrix... I'm not even sure how to classify. It's definitely a degree further than simple entitlement.

Open source is hard.

Forgetting that there are humans involved in the maintenance of open source is deceptively easy, but harmful.

@tom-sherman
Copy link

I would like to urge everyone to try not to discuss @zloirock personal life in this issue, it's really not the forum for it. This is an important conversation about the maintenance of a critical JS dependency, we don't want to lose relevant comments in the noise. Thanks 🙂

@simskij
Copy link

simskij commented Mar 25, 2020

To keep the discussion focused, maybe @slowcheetah could even hide all comments focusing on @zloirock's personal life (including this one)?

@simskij
Copy link

simskij commented Mar 25, 2020

How that big project can be still a private repo? shouldn't it be cared by some js foundation?

In my opinion, it would feel pretty lousy to make such a decision without the core maintainer being present to weigh in.

@MichaelZaporozhets
Copy link

@MichaelZaporozhets

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

So, how much are the 4.5m users willing to pay for this feature?

One of the biggest challenges being discussed with any forks of core-js is a lack of resources. Contributing financially to open source projects can offset this challenge. Making demands without any skin in the game to help meet them is really unfair.

Going further than simple demands, and asking for the platform to besmirch a project's reputation as "high risk" for the users who are unable or unwilling to evaluate the project according to their own risk matrix... I'm not even sure how to classify. It's definitely a degree further than simple entitlement.

Open source is hard.

Forgetting that there are humans involved in the maintenance of open source is deceptively easy, but harmful.

I’m not saying it’s up to the maintainer to necessarily disclaim potential risks- rather, an automated t-shirt sized risk assessment for dependency by github would be a neat feature.

I also strongly disagree that risk necessarily reflects inversely on quality... I’m confident a lot of the oss stuff I use for my private/personal projects would probably be a high-risk in an enterprise environment, but that’s fine. Right tool for the right job, etc.

Anyway, this is off-topic, I’m really just advocating for stronger governance around a project that is so important to everyone.

@yumetodo
Copy link

There are simple questions:

  1. When enough money is provided, contributors can continue to maintain core-js?
  2. Is it still suitable to use Open Collective or Patreon to give money to contributors?

@sheerun
Copy link

sheerun commented Mar 25, 2020

Currently he is the only administrator on Open Collective so distributing funds from it is probably not possible

@jmackay-io
Copy link

jmackay-io commented Mar 25, 2020

I disagree a lot with the "risk rating" requests outlined here. Just publicize the administrators of public repositories and let people decide for themselves. Not that it would have mattered in this case because this painted a perfectly clear picture.

I think the real culprits are the Babel team because they definitely knew this was a high-risk project, and they still forced millions of consumers to add it as a dependency. Even if individual developers identified core-js as risky, there's nothing most of them could have done about it.

@yvele yvele changed the title State of the project? Looks like dead. Any official fork? State and governance of the project? Mar 25, 2020
@yvele
Copy link
Author

yvele commented Mar 25, 2020

Stop spam & panic! I have rules for this repo and i have some time for fixing critical bugs and major updates.

@simskij
@slowcheetah merged this: #771

Great! Then @yvele should update the issue description to reflect that. 👍🏻

Issue description updated. Is that good enough?

@IanKemp
Copy link

IanKemp commented Mar 26, 2020

....yikes. Sounds like a fork needs to happen. And github should really look to provide a 'risk' rating to projects from a maintenance PoV... a project depended on by 4.5m users with 1 maintainer should visualise as a high-risk dependency.

Or... or - developers could do some due diligence and risk assessment themselves before just pulling in every random JS library that comes across their radar.

A bizarre concept in JS land, I know.

@brodycj
Copy link

brodycj commented Mar 26, 2020

#548 (comment)

The idea of anyone owing so much money or going to prison just for an accident sounds ludricous (ridiculous) to me. I wonder if there is any way we could find some help for an appeal.

@ghost

This comment has been minimized.

@brodycj
Copy link

brodycj commented Mar 26, 2020

I think it is up to the dependents to upgrade to the latest version, which seem to be cleaned up.

@slowcheetah

This comment has been minimized.

@mryellow

This comment has been minimized.

@5HT2
Copy link

5HT2 commented Mar 27, 2020

Yes, it would be nice of him to be able to get back up on his feet after spending 1 and a half years in prison, before going to which he spent 6 months without a job maintaining an open source project for free.

@slowcheetah

This comment has been minimized.

@ashpr

This comment has been minimized.

@MKRhere
Copy link

MKRhere commented Mar 27, 2020

Since the original concern (does this project have an interim maintainer) is addressed by @slowcheetah, can we close this issue? @yvele

@yvele
Copy link
Author

yvele commented Mar 27, 2020

Since the original concern (does this project have an interim maintainer) is addressed by @slowcheetah, can we close this issue? @yvele

Let's wait for the next release to be published on npm and then I'll be comfortable closing this issue.

When you have a look at the releases you can see that only @zloirock was in charge of publishing them.

On npm the only collaborator is zloirock 🤷‍♂

In the meanwhile I'm not confident that this project is going well regarding governance...

@yvele
Copy link
Author

yvele commented Mar 27, 2020

@slowcheetah are you able to inform us on the governance strategy?

  • How many people have GitHub and npm permissions on this project?
  • What kind of permissions? Administrative privileges?
  • Are you still in contact with @zloirock regarding this project of course. Does he provide you with directions? (e.g. not removing the job ad )
  • Is there a "leader"? Someone that can handle the architecture vision of the project?
  • This project is quite related to babel-preset-env are some of the maintainers in direct relation with @babel?

In the future, should we expect "only" fixes or also new features? What about #139 #496 ?

Maybe we should make write a little doc about governance good practices 🤔 this may be very sane.

I'm not experimented with open source project management, but I think something should be done regarding the governance of the project 💪 I wish collaborators good luck, this looks quite challenging.

@slowcheetah
Copy link
Contributor

slowcheetah commented Mar 27, 2020

@slowcheetah are you able to inform us on the governance strategy?

  • How many people have GitHub and npm permissions on this project?
  • What kind of permissions? Administrative privileges?
  • Are you still in contact with @zloirock regarding this project of course. Does he provide you with directions? (e.g. not removing the job ad )
  • Is there a "leader"? Someone that can handle the architecture vision of the project?
  • This project is quite related to babel-preset-env are some of the maintainers in direct relation with @babel?

In the future, should we expect "only" fixes or also new features? What about #139 #496 ?

Maybe we should make write a little doc about governance good practices 🤔 this may be very sane.

I'm not experimented with open source project management, but I think something should be done regarding the governance of the project 💪 I wish collaborators good luck, this looks quite challenging.

  • Only me an @zloyrock have npm permissions
  • All privileges
  • Yep. I have contact with @zloirock, but it is "delayed" because carantine situation now.
  • I will try to dive in project but now i can't say that i am "leader". I am "support". There is some chance that within a few months @zloyrock himself will have access to the project.
  • I no have direct relation with @babel. I have nothing to say

I am diving in project now. if @zloirock will not have direct access to the project, I will discuss disputed issues with him and try to do further support and development of the project.

Next week I hope to talk with him about the current bugfixes and come to the conclusion whether a new version is needed now.

@yvele
Copy link
Author

yvele commented Mar 27, 2020

Thanks you @slowcheetah 🙏 I think we all have enough informations... And I think I can close this issue now 🤔 if you agree of course. Issue edited.

@apasov

This comment has been minimized.

@nektro

This comment has been minimized.

@joshmanders

This comment has been minimized.

@yvele yvele closed this as completed Mar 27, 2020
@mattlubner
Copy link

I think this thread needs to be locked. The conversation looks like its (again) spiraling downwards, in the direction of frustration at the log messages.

Look, we all have opinions on the log messages. This isn't the place to discuss them, and frankly, if you're bothered by them (like I am), then put that energy into a more productive form of dissent (such as championing a solution). We're a creative bunch, so I have confidence we as a community can think of ways to address the systemic problem of developers needing support for their OSS efforts. No one is actually helped by the collective complaining that's happening throughout the GitHub issues for this repo.

Keep the thread on-topic. The questions seem resolved, so let's move on to other things.

Repository owner locked as resolved and limited conversation to collaborators Mar 27, 2020
@zloirock
Copy link
Owner

Holy shit... Apparently, it's time for me to think for whom I make core-js and why.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests