• cAUzapNEAGLb@lemmy.world
    link
    fedilink
    arrow-up
    142
    arrow-down
    1
    ·
    7 months ago

    I will maintain ownership of the repository, but I won’t pass it down to anyone else. First, because I feel it’s not up to me to decide who to pass the project down to, and second, because there is no one else to pass the project to.

    “But I want and can maintain it, can I take it over?” Let me put it plain and simple: No! I don’t know you, I don’t trust you! Fork it and carry on!

    Bravo

    • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
      link
      fedilink
      arrow-up
      23
      arrow-down
      1
      ·
      7 months ago

      second, because there is no one else to pass the project to.

      If I ever maintain a FOSS Project this one will be one of the things I need to figure out along the way, surely there’s someone trustworthy out there, surely

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        44
        arrow-down
        2
        ·
        7 months ago

        But why take a chance? It’s easy for anybody who’s truly interested to fork it, and if you’re calling it a day it’s all the same to you.

        The problem with endorsing someone else is that they inherit all the clout without having put their time in. Let them prove themselves.

        • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
          link
          fedilink
          arrow-up
          13
          arrow-down
          1
          ·
          edit-2
          7 months ago

          But why take a chance?

          This could be a simple answer as : I don’t wanna cause inconveniences to my users to a more complexe one such as… umm, ideological reasons… I don’t want to see a project I started get archived or taken down…

          Let them prove themselves.

          It’s a requirement…

          to me finding mainteners is part of what makes a FOSS project successful

          • hitmyspot
            link
            fedilink
            arrow-up
            6
            ·
            7 months ago

            As I see it, there are 3 options.

            Allow forks and let community sort itself.

            Pass on to someone trusted, that ideally has been part of the project for a long time, or even the start.

            Have a fork that is officially endorsed.

            Depending on the software, different approaches may be appropriate. For something like this with VPN, I would want the fork to be vetted by the community before trusting it. If the original owner endorsed one, id probably update to it quickly but keep an eye on the community.

            If it was something with less security risk, id probably move quicker if features were added I like. With something like this, with higher risk, id be assessing forks and alternatives equally.

      • SzethFriendOfNimi@lemmy.world
        link
        fedilink
        arrow-up
        16
        ·
        edit-2
        7 months ago

        Lesson learned from the whole XZ thing. Anything related to security does run the risk of nation state actors abusing trust. Makes it hard to do right

    • IverCoder@lemm.ee
      link
      fedilink
      English
      arrow-up
      4
      ·
      7 months ago

      I vaguely remember some money calculating-related project guy who received a PR that heavily optimized and updated the project. Since he was very busy and no longer really wanted to maintain the project, rather than reviewing and merging the commit, he gave the contributor complete access to the repo for them to maintain the project at their own discretion. The project was unpopular back then—when he looked back a few years later, he was surprised to discover that the project had racked up several thousands of stars.