Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Programming

Library Intentionally Corrupted by Developer Relaunches as a Community-Driven Project (fakerjs.dev) 61

Last weekend a developer intentionally corrupted two of his libraries which collectively had more than 20 million weekly downloads and thousands of dependent projects.

Eight days later, one of those libraries has become a community controlled project.

Some highlights from the announcement at fakerjs.dev: We're a group of engineers who were using Faker in prod when the main package was deleted. We have eight maintainers currently....

What has the team done so far?

1. Created a GitHub org [repository] for the new Faker package under @faker-js/faker.
2. Put together a team of eight maintainers.
3. Released all previous versions of Faker at @faker-js/faker on npm.
4. Released the Version 6 Alpha
5. Almost completed migrating to TypeScript so that DefinitelyTyped no longer needs to maintain its external @types/faker package.
6. Created a public Twitter account for communicating with the community.
7. Released the first official Faker documentation website....

Faker has never had an official docs website and the awesome Jeff Beltran has been maintaining a project called "Un-Official faker.js Documentation" for the last 3 years.

He gave us permission to re-use his work to create fakerjs.dev

8. Cleaned up tooling like Prettier, CI, Netlify Deploy Previews, and GitHub Actions.
9. Done a TON of issue triage and many, many PR reviews.
10. We've gotten in contact with the Open Collective and discussed a transition plan for the project.

We fully intend to extend Faker, continuously develop it, and make it even better.

As such, we will work on a roadmap after we release 6.x and merge all of the TypeScript Pull Requests in the next week....

We're now turning Faker into a community-controlled project currently maintained by eight engineers from various backgrounds and companies....

We're excited to give new life to this idea and project.

This project can have a fresh start and it will become even cooler.

We felt we needed to do a public announcement because of all of the attention the project received in the media and from the community.

We believe that we have acted in the way that is best for the community.

According to the announcement, they've now also forked the funding so the project's original sponsors can continue to support the community-driven development in the future, while the original developers Marak and Brian "were able to retain the $11,652.69 USD previously donated to the project."

Friday the official Twitter account for the new community project announced "It's been a week. We've merged all of the active forks. Currently at 1532 stars. Looks like everything is settling." [It's now up to over 1,800 stars.]

One of the new maintainers has posted on Twitter, "I'm just grateful to the faker community that willed itself into existence and stepped up."
This discussion has been archived. No new comments can be posted.

Library Intentionally Corrupted by Developer Relaunches as a Community-Driven Project

Comments Filter:
  • by Scoth ( 879800 ) on Sunday January 16, 2022 @07:07PM (#62178673)

    This is why you should never trust public repos in prod. Always have your own, private stuff and test every release. These are basics.

    • And in none of the articles I have seen there's any info about what this library do.
      It doesn't serm to be a very relevant library for me if I never heard about it.

      • Agreed, this thing is apparently hugely popular, I've got no idea what it is.

        Also, trying to find comments from the original author who did this, what's the link for that?

        • I'm guessing it's only popular among JavaScript devs. JavaScript code is always a mess, because there is basically no idiomatic way of doing anything, largely because there is no compiler. Python at least does some basic sanity checks, but js has none at all. Basically, the same reason perl sucks balls. If I were a js developer, I probably wouldn't read the code of the libraries either, because chances are you'd spend a few hours doing so and still end up totally lost anyways, and the only one who could mak

    • by AmiMoJo ( 196126 )

      In real life there often isn't time or money available to do that at many companies. So either you turn on the update feed, or you end up running 12 year old versions of Linux on production hardware.

      The problem is bosses don't see any value in maintenance.

    • You have your own private Linux repo etc?
      • by Scoth ( 879800 )

        My company does, yes. All updates, all libraries, everything we use runs through our internal centos repos. There's varying levels of approval and validation for different sources but short of a timebomb being introduced we should be pretty safe from stuff like this.

        For my home stuff I'm lazy and absolutely don't, but that's the risk you take.

  • by Anonymous Coward on Sunday January 16, 2022 @07:42PM (#62178745)

    it is a JS generator of random fake data that looks legitimate. e.g. random address (which may or may not exist), random e-mail, random user profile etc. its purpose is to be used in providing your web pages with meaningful test data rather than ipsum lorem.

    • by paulatz ( 744216 )

      The entire library is pretty much a bunch of definitions and a couple of lists. Original author managed to get 11k$ in donations for it, then he went throwing a tantrum because something. Probably the fault of feminism according to his twitter feed.

  • We don't live in a post-scarcity society. People have to earn a living, which means open source development either has to be bankrolled by companies donating their own resources, or by individuals who have other means of supporting themselves. So yeah, if you're a rich real estate developer who happens to also know how to code, great, I guess. On the other hand, if you're maintaining something you gave away for free that a lot of people are using, while you see your bills piling up, I could see how that

    • If these libraries are truly so popular, can their developers not simply secure a sponsor who is willing to pay whatever sum for visibility?

      • by greenfruitsalad ( 2008354 ) on Monday January 17, 2022 @03:22AM (#62179853)

        I still hold hope that what I've seen isn't universal but in my experience, companies are happy to make millions off of free software; happy to develop it further in-house (usually without contributing back) but as soon as the project appears to be in financial trouble, they'll look for costly commercial alternatives instead of funding the free software one.

        • That is irrelevant. I do not suggest that they fund it in exchange for the product but fund it in exchange for being able to run an advertisement.

          Perhaps GitHub should investigate allowing repository owners to run advertisements which would perhaps inspire far more software.

      • by dougmc ( 70836 )

        You make that sound so easy ...

        And if the money is truly being spent in exchange for visibility, such money tends to be incredibly fickle.

        Twitch, OnlyFans, etc. allow viewers to offer "tips" that are visible by all the viewers -- the open-source equivalent might be putting the name of the contributors in a README file, which is fine, but ... it's not very effective at encouraging sponsors.

        If this model could be adapted to open-source software that might do it, but I have no idea how one would make it work.

        A

    • There are a lot of ways to earn money from coding. The most obvious would be to sell the code instead of releasing it as open source. Another way would be to release the code as open source, but under a restrictive license (GPL or one that bans commercial use) and then charge money for a differently-licensed code. You can also provide support, add requested features for money etc.

      However, the question is - how necessary are the libraries in question? I have not used them (probably not even used anything tha

      • by AmiMoJo ( 196126 )

        From what I can tell the library wasn't particularly interesting, it just provided a commonly used utility function. It became referenced in numerous Stack Overflow answers that people copy/pasted. The author eventually noticed that everyone was using it, but nobody was interested in paying for it.

        The real issue is that it wasn't something terribly valuable, just something that became popular because it was free and popular in low quality SO answers. There was little chance of monetizing it.

        The best option

    • I can see the annoyance. The answer here though is to just stop developing it. If feeling generous, offer to let someone else take control. The maintainer was feeling an obligation he didn't have.

      Or be more direct about asking for funding. Contact the big companies that us it, and request that they support the project. A few will and that's all that's needed.
  • Now this guy (Score:5, Insightful)

    by hdyoung ( 5182939 ) on Sunday January 16, 2022 @07:58PM (#62178773)
    goes down in open-source history as exiting the community by throwing a juvenile tantrum.

    know what he could have done instead? He could have posted "Hi everyone, I'm burnt out, the open-source community is starting to get under my skin, and I'm sick of making other people money off my work and getting zilch for it. I'm gonna hand my creation over to fresh meat who will continue the utterly unrewarding maintenance work, and leave like a pro with my head held high."

    Too bad that ship sailed. junior-high-school level tantrum it was.
    • It started a public discussion about many things. That alone to me is worth something substantial.

    • Well, you need to be a little careful there. That exact sequence of events is what led to the event-stream fiasco.
    • Guess what.. he did make a github issue which said that A YEAR AGO.  And no one cared. He told people a year ago to fork the project. Why didn't the community come together then?  This community action actually gives legitimacy to be a dick vs not being one.. because one gets results and.. the other didn't...
      • A year ago. Here try this experiment: Go to your boss and tell him you'll quit as soon as he hires someone else. I'm guessing you'll be still working a year from now too.

        No one cared because he continued to maintain the project. Why would anyone care about something which works? If he had abandoned the project like he should have then it would have lied dormant for a few months until someone needed something *THEN* the community will come in and fork. And only then. There's no point forking maintenance of s

    • by AmiMoJo ( 196126 )

      He could also have added that he was available to hire if any company using his code wanted to.

    • Sadly we are more toxic than his behavior was childish. Whe are chastising & shaming him because he had an emotional breakdown and acted on it. We are living and feeling beings, and I bet everyone has done something stupid at least once in their adult lifetimes.
      • I honestly believe this site will eventually destroy itself by toxic users. Most everyone on here suffers from Dunning-Kruger and Superiority Complex.
  • And nuts and bolts still aren't sexy. Just ask the NTP crowd. How did it ever come to this? Well, it probably lies at the feet of the original maintainer, but... How do you fix it once it's come so far? People will do their absolute best to not pay for sh*t when it's "free", even when the author still has a mortgage or rent payment to make and he or she has been very clear about that. 20M weekly downloads? 19K projects that depend on it? He might have went about it the wrong way but he had a VERY va

    • So he made people take notice, probably in the wrong way, but he made people take notice despite all of the noise out in the world.

      There's no "probably" about it. Even if you somehow don't think deliberately breaking all other people's dependent projects is wrong... he basically destroyed any possibility he had at getting a career writing code or doing other sysadmin work.

    • Microsoft's Github called him, "Donkey Brains." You couldn't find a more disgraceful and disrespectful group of "Professionals."
    • by Burdell ( 228580 )

      No, he doesn't have a valid point. Nobody forced him to put his code under an open source license - he chose that. Getting mad when people follow the license you chose for your code has no valid basis. If you're developing an open source project for free and it isn't making you happy anymore, just walk away. There's never a reason to toss the grenade over your shoulder as you do so. If your project is useful and needed, somebody will probably fork it and keep going (as is happening here). If not... software

      • Licences are like operating systems, marriage agreements, and many other things. Something one would assume is chosen for technical reasons, but in reality most that chose it never bothered to investigate it, and simply do what everyone else is doing.

        I've had many discussions with developers that had licensed their code under licences they clearly did not understand even the superficial details off. — A surprisingly common misconception seems to be that they can revoke it if they later regret it while

      • No, you don't have a valid point.
    • There's an NTP 'crowd'? Where?
  • SSL.

    It's illogical to rely on the generosity of wealthy parasites.

  • by jjaa ( 2041170 )
    So another face of open source: you can reap the fruits of somebody elses labor. Aaand you can max profit short term with a publicity stunt, profit which can last until people realize you fail to deliver and initial effort was just for show.
  • If you want to make money from open-source software then, in essence, you need two things: (1) good-enough programming skills to develop the software; and (2) a viable business plan that enables you to make the money, for example, sell consultancy, tech support or training courses based on the software. Most open-source developers, including me, have (1) but not (2), which is fine if you are happy to do the coding as an unpaid hobby or as an altruistic gift to the world, and then you seek money from a diffe

"Remember, extremism in the nondefense of moderation is not a virtue." -- Peter Neumann, about usenet

Working...