As I have no idea about .NET development, I don't really understand the relation between these projects and .NET Foundation.
Is .NET foundation paying them money? Or what is the relationship between the projects and Microsoft/.NET Foundation?
Reading the "apology" on github, it seems that .NET Foundation/Microsoft thinks those projects are essentially theirs, and they are free to put them under their enterprise account to "simplify billing"
There are also some notes about copyright that I don't understand. Who owns the copyright? Microsoft or the maintainers?
edit: From the github "apology":
> Projects might not fully understand what joining the .NET Foundation means. We share a checklist with project maintainers on project changes they accept as part of becoming part of the .NET Foundation. That’s obviously not sufficient. We will post a new document that describes what you can expect when your project joins the .NET Foundation. This will include changes (observable or legal) and new benefits. It will also include changes that could occur later.
Yeah, scary, in the "you signed an agreement without reading it properly and now your souls, er, your projects belong to us" sense. And in the case of WiX Toolset, they apparently never agreed to the terms & conditions of the .NET foundation in the first place. Also, being forced by the .NET foundation to give an account admin permissions for your repos, and then having that account move your repos to GitHub Enterprise without your permission, even without informing you... I can understand how that creates mistrust.
According to the article, the only thing the .NET foundation did for them was provide certificates, other than that they did nothing for a very long time. And then, of course, this...
This is not about the legal ownership. This is about operational ownership. All these maintainers understood what they signed. However, they expected to be supported to do their work mostly their way. For good reasons since other foundations do it that way.
The .NET Foundation is however not communicating and supporting the community but focus on legal ownership including capabilities to enforce that (that is were some of the CoC and billing comments come from).
So it is mismatch of expectation. To blame is the foundation, because what you can read on the web page and the feedback of the maintainer community does not fit to their agenda so they could have understood this early and resolve it peacefully (they are the ones in power).
This is about open source leadership. They screwed up. Legally this is (mostly) fine, content wise it is (mostly) fine but the way how they operate is not okay. And saying sorry is not enough
I am really struggling to understand how those projects cannot be under .NET foundation control. If you ever worked on an Apache Foundation or Eclipse Foundation project, you know that you must use their tools for code hosting and processes for maintainer/lead election. That said, as a project lead of an Eclipse Foundation hosted project (not Eclipse IDE related), I never had the Foundation do something major to our project without properly disseminating the info about on a publicly readable mailing list in advance.
P.S. I read that .NET foundation board now meets every day. I think Apache/Eclipse Foundation boards meet every 1..3..12 months, at least judging by the rarity of emails summarizing their meeting minutes. If a board needs to meet every day, something must be really wrong.
Something is really wrong right now that's why they might be meeting every day.
Your experience with the Eclipse Foundation is very different from how the .NET Foundation has interacted. On top of that, communication has been very poor for a long time. I believe those two differences are at or near the root of all of these issues.
While it's easy to see how this sounds scary; the flip-side of this is that it's not clear if there's more to it than misperception/miscommunication.
To take the example from the blogpost; the author was particularly scared by the move into github enterprise. I don't want to dismiss that worry; but on the other hand - the only consequence of that move seems to have been that logged in members of the project have a very slight UI change. Obviously that's not what people are worried about; they're worried about... well, what else does that mean?
Well, what else does that mean? Is this really something to worry about, or is this really just a misunderstanding - or both?
> Well, what else does that mean? Is this really something to worry about, or is this really just a misunderstanding - or both?
It means microsoft has hijacked the repo. I don't think their intentions or anything else matters. This is imo crossing a huge line.
I was always kind of wary of github, ever since MS acquired it, and I have always made sure to not get trapped by using any lock in features. But I never assumed their lock-in includes going full SourceForge and hijacking people's repos.
Honestly, if GitHub/MS don't come out with a very good statement on how and why this will never happen again, I'll need to figure something out and make sure people use a different URL instead of pointing to my github.
It's absolutely something to worry about. If someone breaks into your house, you should be worried irregardless of if they stole something, or not.
I’m not sure how this is related to Microsoft’s control of GitHub. This was the .NET Foundation using application-level permissions that it was granted on each repo. It wouldn’t matter what platform was used, if it supported re-organizing project hierarchy, this could have happened.
Just to reiterate: the observable consequences of that "hijacking" is apparently an almost imperceptible icon most people don't even see. That cannot be worth getting this worried about; the worry needs to be something else, probably something that hasn't happened yet but the maintainers feel like it (whatever it is) is something terrible they believe the foundation now has the capability for, and do not entirely trust the foundation to refrain from exercising this unknown power in some future circumstance.
If that sounds absurdly vague, it's because the concrete accusations are that vague.
On the one hand: it's possible this tiny UI change does signify some deeper permissions change, but it's not exactly obvious what that would be (especially given the already admin nature of the dnfadmin account). Nor is it clear both the foundation and maintainer really understood what that permission might mean, if it even exists. It's not clear the maintainers have any specific reason to object in the first place!
The one thing that seems clear is that the github UI wasn't clear, allowing the maintainers and dnf to read very different things into a superficially trivial change, and that there's some level of miscommunication at the very least. But it's still not at all clear whether the actual change made warranted the fears expressed, not at all.
Personally, while the dnf clearly and objectively failed in its task of keeping maintainers on board, I can't help but also feel that these maintainers deserve a bit of opprobrium. They essentially started a major social media freak out, and cannot even express exactly what it is they're afraid of, let alone point to any evidence that whatever mistakes the foundation made weren't fixable by measures with less collateral damage.
It's all very nice to blame some scary sounding not-entirely-defined shadowy corporate conspiracy between github, microsoft and dnf, but at the end of the day meltdowns like this do harm, and it's just not clear that was at all warranted.
It might not be clear to you but as a maintainer and member of the Foundation it's very clear to me. The DNF used temporarily assigned permissions (assigned under the premise that they needed authority to fix a CLA bot) to move several repositories to their own organization. This is unacceptable by any measure.
Technically no, they used their permissions to include the organization in the enterprise. But the more relevant question is why that matters. As I tried to point out above, this has essentially 0 impact so far; so people must be worried about some future impact. Which specific one? How does this move cause problems that otherwise would not exist?
I think it depends on whether or not you are operating in good faith and you think he foundation is too. It sounds to me like people are attributing bad faith to this whole misunderstanding.
It’s unfortunate that this has become our mode of conflict resolution: blog posts, public apologies that don’t grovel enough and a trivial issue that people have turned into a political football so they can run that shit into the end zone and spike the hell out of it.
Grievance culture is weak, and frankly, dishonorable.
I might agree with parts of what you are saying but when the channel to communicate back to the "powers that be" is broken and you face (what feels like) an existential threat, the public forum is an enticing, sometimes effective but very messy option.
Anyone here old enough to remember when SourceForge was The Place(tm) to stick OSS code and then how it fell from grace?
I’m curious in what ways the MicroSoft take over of GitHub is and is not starting to feel like that.
For me, one is just the difference in scale. GitHub is vast in both content as well as tooling compared to SourceForge at it’s highest points. And a commercial entity orders of magnitude smaller than MicroSoft took over SF. The rate of descent into Not Good(tm) territory also seems slower and more ponderous.
But while the magnitudes differ, the vectors look similar. Not exactly the same, because history rhymes with itself before it repeats itself.
Curious what other similarities and dissimilarities other old timers see.
I remember when I first released the WiX Toolset publicly to SourceForge. I was up all night getting CVS prepped and writing my blog entry to announce it.
But this issue now really isn't about the source control hosting provider. It isn't even about Microsoft. It's about my relationship with the .NET Foundation who (now) holds the copyright of the project I released on SourceForge over 17 years ago.
GitHub actually had the tools I needed to move the project back. Not much more I could have asked for, honestly.
Would you ask for the copyright back? As in, it doesn't seem like they're helping you at all, so maybe you could tell them you're leaving and you would like to have the copyright back.
It might force them to show their colors, and if anything turn the brouhaha into something more clear cut.
My case is a little special because I developed the WiX Toolset when I was an employee at Microsoft. I never owned the copyright (Microsoft did). So, I wouldn't be asking for the copyright back... I'd be asking for it for the first time.
And there are advantages to a legally well protected entity holding the copyright. One for example: my company (FireGiant) is "firewalled" from certain legal issues.
So I'm still contemplating the future and don't have a real answer for you yet.
Interesting. From that description, it kind of sounds like you're both wanting your cake, and to eat it too?
Not sure what I'd do in your situation though. It sounds like you've put a shed load of time into improving "their" product, and don't really have much recourse if they don't want to play nice. :/
Though if you do fork it, it sounds like most of the non-MS employees would switch across to your fork?
I honestly see this specific bruhaha as more of a DNF issue and less of a github issue. Even though both are affiliated with Microsoft, I dont think this is the same as SourceForge’s fall from grace.
I can imagine copilot being another point in the not-so-good direction, but is there anything else you are thinking of when comparing Githubs trajectory to SourceForges?
I'm curious about this. I've used sourceforge for nearly two decades, but I was skeptical of it well before the controversial takeover. There are certain UI elements that sourceforge used and uses that I always relate with early 2000s click-the-monkey style ads and malware. I still trust certain button styles more than others. I still trust certain website themes more than others. Well before GitHub was the juggernaut of open source it was, I felt like I had some instinct of legitimacy compared to sourceforge or self-hosted subversion or tortoisesvn.
I think this is an important classification. When I, and I assume many of the people here, see an email to them or a friend that looks legitimate, we check the sender's full email (as opposed to the shorthand displayed, which is meaningless), and often don't click on any links, opting to physically type a url into our browser and navigate to where we should instead. There's some feeling that something is funny, in the same way some people don't buy thousands of dollars of cheap makeup from Avon and others do.
I still trust GitHub and am a happy customer. I don't think they're going the way of the buffalo. I definitely can see how (again, not an opinion I hold), one could perceive UI/UX changes that they don't like as a sign of imminent downfall.
The understanding of natural instincts in relation to simpler interactions have some reasonable explanations, albeit not universally agreed upon. How dare we have the audacity to claim an understanding of human instincts when it comes to the youngest universal man-made change to our species possibly ever?
It's not to pick on you, but why do people spell it with a capital S?
I've seen it in several comments over the years. But their spelling and logo, at least going back to the 80'es, have been "Microsoft". I think they might have been "Micro-Soft" for the first year, but that was 45 years ago.
MicroProse, on the other hand, went with the capital P.
I actually do write Microsoft usually. I’m not sure what came over me. I was a tired when I wrote the original? Maybe typing out GitHub and SourceForge triggered a StudlyCaps LoveFest in my brain. Thanks for the correction.
I've found that there's a cool git repo place called "Source Hut" - which takes the "hacker" and "open source" ethos. they've got some git and some other tools that github doesn't have, and are looking pretty interesting.
Sounds pretty cool. Their native CI has an endorsement by Andrew Kelley, and while it might just be advertising based on something nice he said once, it works for me ! The ability to SSH in especially is a feature I could really use.
In any case I appreciate it doesn't try to cast itself as a free service while remaining affordable. I've got my fill of arcane, polymorphic subscription models.
Github _is_ the embrace phase. It is sad that a lot of OSS projects do not see it. MS has through Github control over OSS. As someone noted in another post they want admin access. This means that they can do what they want with your code even injecting malware.
I wonder if people wanting to deprecate FTP do not have a hidden agenda. Because with https you are at the mercy of an organization.
The .NET Foundation wanting admin access to repos of projects under the .NET Foundation umbrella is very much not the same thing as how the people who run GitHub could backdoor any repo they like whenever they want, obviously they can they have the source code to the hosting platform.
Except that's pretty hard to do without developers noticing because you'd need to engineer some hash collisions to get their local git clones to accept the code changes.
So let's limit the paranoia to where it actually applies, shall we? The .NET Foundation has made a right mess of this, but it's not the same thing as Microsoft trying to backdoor all open source code on GitHub. I'm pretty sure the people there are smart enough to realise how much that would backfire.
Oh I think we’ve started the extend phase. Did you notice they put out their own GitHub specific git cli? And they removed ssh links and replaced them with links specific to their cli
Are you sure about that? I certainly don't recall that, and it seems like it would be a bad UX idea anyway: you can't clone a repo via SSH without having an account (and a pubkey registered), so showing the SSH string to people who aren't logged in seems counterproductive.
`gh`is great for handling pull requests and other GitHub specifics. I still use `git` for everything else, so I dunno how much it does, but it makes sense if `gh` overlaps with some `git` commands to round out the tool.
`hub` had the same functionality and could be used either standalone or integrated with git so `git hub` ran hub commands to e.g. manage a pull request.
gh is just trying to get you to stop using git itself
Or actually, they aren't replaced everywhere: the "Code" tab still has HTTPS and SSH in addition to the GitHub CLI; the "Pull Request" tab has only the CLI.
“The OSS projects”? Such a sweeping claim would need some proof or at least references to show what you drew your conclusions from. Until then, I'm booking this under paranoid phantasy.
SourceForge? What is that. That coffin is nailed shut, buried and long forgotten. I don't care if they have new management and have changed the trust I had in that site was forever damaged by spreading adware in every download.
Really? it feels nothing like it honestly, source forge amongst other things started and ended with poor developer experience, in part they died from being outclassed.
SourceForge is (and always was) more oriented towards end users, this is why when you visit a project's page you get a big fat DOWNLOAD button at the top of the page, a user score, buttons to be notified for updates, etc, when it was last updated, followed by a summary about what the project is, what its releases are, the categories it belongs to, its license and then UI to rate the project, comments by users, etc and the main buttons are about said summary, files to download, more reviews, support, mailing lists, forums, wiki, news (some projects have more or less, depending on the configuration) and at the end access to source code repository. At the sidebar there are even related projects and places where you may find other projects in case the one you are looking at doesn't meet your requirements.
For developers obviously only a small part of that is relevant but the service is not really primarily for developers and since developers "hold the keys" it makes sense that once services that care more about developers appeared many developers moved there. From a user's perspective it is sad though since pretty much every other supposed alternative does not provide a lick of SourceForge's features and the fact that there isn't any after all these years shows -IMO- how much most FLOSS developers care about their users.
On the other hand SourceForge always had a terrible UI, especially in its earlier days and while its current incarnation is the best its ever been (aside from the oversized elements) it still often feels like a mess of elements jumbled together and while they do provide a lot of useful functionality, it is often behind very clunky interfaces.
> From a user's perspective it is sad though since pretty much every other supposed alternative does not provide a lick of SourceForge's features and the fact that there isn't any after all these years shows -IMO- how much most FLOSS developers care about their users.
Counterpoint: the readme (or GitHub.io site) in combination with lightweight features like the star count is a good enough replacement for all of the bespoke knobs on SF. OS app stores have also become a thing since SF’s decline and they’re a better route for most non-technical users.
I have never once been lured into clicking a sleazy download button on GitHub and I recall that happening on the semi regular when I visited SF back in the day.
And? Loads of projects moved to GitHub when there was no Microsoft-employee involvement because it's just a very good service. And for a good long time, nothing else out there existed which could even start to compete with it. GitLab came along somewhat later.
If you are logged in they disable the ads, or at least the generic ads. They still have the "business software" category which is essentially ads for SaaS and commercial software, but that is its own section you have to explicitly go at.
I'm not trying to be lazy (ok maybe a little bit), but can someone please provide like a 3-4 sentence summary of what happened? Everything I've seen on this either assumes you already know, or is very long and rambly, or both.
Many projects joined the .NET Foundation after it was created. It didn't really do anything for them (I think they basically sponsor meetups), but it wasn't harming anyone either.
The .NET Foundation asked for owner access on the author's repository (for a CLA bot). The author declined and a workaround was organized.
Years later the .NET Foundation asked for "owner access" on the author's repository (to allow them enforce Code of Conduct across all repositories). The author declined.
The CLA bot stopped working. The author was told it would work if he gave it owner access. The author was annoyed because they previously had a workaround. They gave in and gave @dnfadmin owner access (temporarily, it was later revoked after the CLA bot was set up, thanks /u/ethbr0 for the correction).
Some time later the author realized that the project had now been silently moved to GitHub Enterprise (likely in the short window @dnfadmin had owner access). The author states that projects in GitHub Enterprise can be entirely controlled by the owner of the account (the .NET Foundation). This transfer happened silently.
Independently, this happened to another project (who had coincidentally had an issue with a Microsoft employee and former contributor force a pull-request into their project: https://github.com/reactiveui/splat/pull/778). The change itself seems innocuous, but the approach bothered people.
People are upset because of how tone-deaf all of this is. They would like the .NET Foundation to stop trying to gain complete control over the member projects. They would especially like for their projects not to have their ownership changed silently.
Edit: For the record, I do not believe this is part of some embrace, extend, extinguish plan on behalf of Microsoft. I think these accusations actually cheapen what has happened here. I suspect this was more of a "can we make this process easier and more convenient for the .NET Foundation"-type thing.
The people involved with this will have to do some soul searching. The .NET Foundation should operate in service of its member projects, not the other way around.
I think this is on point. We once had an issue with open street maps, that caused our routing system to not be capable of directing citizens and employees to the second biggest municipality in our country because a one way street had the wrong direction marked in OSM by mistake.
This had a huge impact on us. With thousands of employees and citizens calling our IT support staff of 5 people every day.
When I used our OSM official “City off X” account to fix it, I was an utter idiot and submitted both a real life picture I took myself as well as a Google maps and a krak maps (Danish map service) screenshots. I didn’t know this wasn’t legal, because I was an idiot, but it resulted in our fix getting reversed and a week long discussion with the OSM community members about fixing the damn street.
We made the street one way. But we couldn’t fix it in an OSS map service because the community wouldn’t let us because we made a stupid mistake.
We’ve now switched our services to Krak. But I can promise you that if we had, had the admin power to force our chance through during those days, we wouldn’t have given any regards to the OSS community.
If an popular tool wasn’t working within the .Net framework CLA I imagine the process would be somewhat similar inside Microsoft.
It’s just one of those things where the OSS community processes and Enterprise process of “get this fixed right now, at any cost by any means, ignoring every standard we may have, just get it fixed, now. Then make sure it never happens again.” that happens every now and then when the beast awakens, clashes. I’m not sure how you can avoid it, as Enterprise will never want to comply with OSS processes when it’s in a hurry.
Regarding the OSM part, how was that illegal? You had 3 different sources for your information. The pictures you took were only your own and you were free to use them for whatever you wanted. Using a copyrighted map to validate that the images were correct is entirely within the use allowed by those maps. The edit was based on the pictures and your real life observation, not those other maps, so you own the edit, which your are well within your right to contribute to OSM.
I get that the OSM community is trying to practice something equivalent to a clean room reimplementation, but that's equivalent to a person in the "cleanroom" being shown a public domain code library and then a file from that same library, but taken out of a ROM dump. Yes, they saw the copyrighted file, but they also saw the public domain file so they're entirely within their right to base their reimplementation either partially or fully on it.
I'm not sure this observation is to the point. Most enterprises do not allow this kind of behavior either, unless you happen to sit at the right place in the hierarchy. If you had violated the terms of service of Google Maps, they would probably have banned you immediately too.
But yes, it may seem a little confusing that even though you can do X, it may not be appropriate.
I think that's also why people are upset in this case. They actually did try to protect themselves from power grabs, only to find themselves cheated.
By the way, there's a Danish mailing list for OSM. I don't know if you explained the issue there, but if you did, I think it's likely someone would have made the correction for you relatively quickly.
But there was also the photo made by the user. I'm trying to understand the legal aspect of this. If Google felt they suffered so much of this, they should bring a (civil) lawsuit against the user that uploaded that photo. Why would OSM care in this situation?
Because OSM wants to be really really sure their data is not tainted and gets them or their users into trouble. As such, anything that suggests that you are using improper sources for editing and is noticed will get you looked at, maybe get someone to double-check your past edits, ...
And since its a community consensus thing, people will wait a few days to reintroduce a change once it has been challenged unless the challenge is obviously unreasonable. It's not like a change being delayed a few days is some unreasonable big punishment, it's just part of QA process to run. Maybe wasn't strictly necessary here, but it's a really obvious warning signal to trip.
(To make a (admittedly stretched) software analogy, if you submit a PR somewhere and show disassembly from the Windows kernel as evidence that it's a good algorithm others also use, it'll also cause some concern, and you would've been better of just showing your solution on its own)
I don't understand. Cannot you create a PR and fork the project (and use your fork in the meantime until the PR is merged)? This is what I do when I use opensource libraries. They being opensource shouldn't mean that you get blocked by them.
> I suspect this was more of a "can we make this process easier and more convenient for the .NET Foundation"-type thing.
I suspect there was also just a different picture on what the .NET Foundation even meant inside and outside of MS. It's different people working on it inside MS than the ones who originally set things up, and the new people may not have even seen their actions as trying to take control of anything because they were under the impression that everyone considered them in charge already.
This issue is really only about the .NET Foundation and not Microsoft. Otherwise, you may very well be correct.
The leadership of the .NET Foundation changed twice since my project joined it. So it is very possible (likely?) norms and expectations did not have flowed from one set of leaders to the next. I don't know. I'm still waiting to hear.
The proper way would have been to leave the project alone, notify the maintainers of problems if any turn up and remove the project from the .Net Foundation if the problems persist.
Of course from the issues that came up the last few days it seems that there is literally no point in joining the .Net Foundation and kicking a project out is essentially doing the maintainers a favor.
I don't understand your scenario. Microsoft isn't involved here. I mean Microsoft uses the WiX Toolset (my project) but they have never suggested forking it. I'm confused where you were going with this.
The proper "open-source-if-a-bit-dickish" way would be to do exactly what the .NET Foundation did here, but where the letter said "You will need to add this admin for compliance with our policies" that word policies would be studded with footnotes to policy pages, reams of meeting minutes, and archives of open mailing list discussions.
Apache and Eclipse and others all mandate that they control a lot of minutia of source control like what .NET Foundation seems to want to be doing with their GitHub Enterprise account, but their transparency policies mean all of the discussions of that are open and no one is surprised when changes happen.
Incompetent workers, it's that simple really. MS assigns college degrees to projects, those college degrees understand very little about software, much less the culture of repository ownership and open source relationships. Too many employees, not enough experience heading them.
Microsoft and orgs like it are too big, you cannot trust a massive machine to be efficient, there's little incentive for proper management.
Au Contraire. From the bylaws posted publicly so far, it seems, they aren't truly independent of each other.
Microsoft is the "Founding Member" of the .NET Foundation. They are entitled to appoint an Exec. Director (ED) and the board has no say in this matter (The current ED is the person who forced a commit on a member project). The ED's tenure has no expiry other than when Microsoft feels the need to change (or they leave). All other board members are elected for a set term.
Lastly, the ED can block any board resolution; aka, the elected board needs Microsoft's blessing to do literally anything.
I have not. I am not a foundation project maintainer or have had any direct interactions with the foundation. My understanding mostly comes from following the community.
But this is what Rodney Littles is quoted as having said in his interview with The Register
> From Littles' perspective, though, the .NET Foundation is insufficiently independent from Microsoft, does too little to help its member projects, and lacks a strong sense of mission or purpose.
This is definitely not the case. The .Net Foundation is not staffed by Microsoft, nor is it owned by Microsoft. It’s an entirely distinct entity though I believe some board members work for Microsoft.
That’s where the poor & questionable transparency comes in, they try to market it as independent but it was formed and funded by Microsoft with the Executive Director whose performing all the objectionable actions an MS employee who is also the only person that is able to approve all material changes made to the foundation whose position can only be filled by the founding member who is Microsoft, in effect they are the silent hand making all the power moves to its member projects without their consent, wishes or even a courtesy notification. Then to try downplay the bad PR you had the MS VP Director with no visible ties to the foundation willing to jump on a call to disgruntled members so they can downplay their MS foundation employees actions behind close doors.
I don't think this applies as a general rule. One could imagine reasons why they should have access (of different kinds), especially when they employ key maintainers and are the driving force behind the project.
Project maintainers had their projects moved from their public GitHub accounts to the DNF's GitHub Enterprise account without notice. Some maintainers only found out about the transfers of their projects because of this[1] discussion.
Technically speaking it wasn't that discussion. That discussion was opened after we started realizing what had (and had not) happened. But your summary is otherwise correct. :)
So nothing changed with the source code or its licensing, only the location on github? That seems a bit inconsequential, tbh. Are there strings attached to the new location? If no, then move on.
Writing the whole entry was challenging because there is a lot of detail I wanted to provide to being everyone along the journey. I've seen some people drop in at any isolated point and say, "Why is this a big deal?"
Also I'll be the first to admit that when in story telling mode, I am not particularly terse. :)
Extremely bizarre that the main concern in this thread is with GitHub, even though they did absolutely nothing here: the repo that was transferred had given admin rights to the DNF account for a bit. What the DNF did here is questionable, no doubt, but seeing people here claim this portends the death of GitHub is disappointing.
I realize it's weird to argue against you, because you wrote the article and are the one affected by this.
But, i disagree. Even if it were an entirely different company. The fact that GitHub didn't send an e-mail and that repos can be hijacked like that, is in itself something GitHub needs to address. And thus at the very least, GitHub needs to be dragged in.
Meh. Other people here have pointed out it sends email to the people in the GitHub Enterprise. So, they probably missed a place to add auditing.
To that point, I've had GitHub people tell me they never imagined the feature I used to get out of GitHub Enterprise to be used that way. I got lots of emails (since I owned the target organization) but maybe the GitHub Enterprise did not?
The email would be nicer, but what's the solution exactly? The admin of one project moved it somewhere else - how do you restrict that, if the admin has total control over a project?
Are there improvements that could be done to allow these bots to perform with less rights? That would be something maybe github could tackle but it's not the worst thing about this problem.
> how do you restrict that, if the admin has total control over a project?
This isn't a new problem, how do you prevent a rougue admin from kicking all other admins and taking over. The simplest and a pretty effective solution is to have another privilege level: Founder. Of which there can only be one, and admins can do everything, except strip the founder of their rights. (And/or transfer the repo, if the founder can't easily undo that.)
Clearly the org is far too gone at this point. It's a dead project people are funneled into that doesn't serve a purpose. Maintainers should do like the history of software has. Drop it and organize anew.
A massive red flag for all this are the words "code of conduct". They're not "bad" to have, generally projects already have them, they were previously called "rules". But if the "code of conduct" is filled with title 9 speak then you know you're dealing with corporate types, not developers. For those that haven't taken title 9 training, you're told to be the gestapo morality police and actively go out of your way to vocally suppress any discussion that might involve something that could have the potential to be discriminatory. This is done for liability protection, for the company. Not because it would actually be discriminatory/immoral. Yet somehow its made it's way into software repos.
That's fine, the point given is that when orgs push for it, and they're doing so like they did here, that's a massive red flag that whom you're working with is not qualified to be doing that work. Call it an "org smell".
I also really dislike the fact that code of conducts usually present a very american-centric view, sometimes even a silicon valley-centric view, for projects that are supposed to be open to people all over the world.
I don't think that's true. For example, the recent changes to the Ruby code of conduct removed the parts about assuming good intentions. On the other hand, the guidelines:
> When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.
> Please don't use Hacker News for political or ideological battle. It tramples curiosity.
HN ideology is basically "we're all adults here, act like one". People that push for stuff like code of conducts usually consider that these guidelines are not enough to protect marginalized people. So they add stricter rules about how to act. That means that you have to agree with them about who is marginalized, that they need protection and how to protect them. I don't think any of this is universal. Note that I don't mean that this is a good or a bad thing, just that it's politically charged in some way. That's nothing new, since free software has always been politically charged. But the values conveyed by code of conducts are not always the same as the "old values of free software/open source". This is of course very vague, because everyone has their own values and most projects aren't very clear about what their values are. But you can see the consequences of that change when you see how the opinion on Richard Stallman changed, or how Linus evolved. Again, I'm not saying any of this is good or bad. I'm saying that things are changing and not everyone agrees with it.
Now on the American-centric part. I don't think I can add anything worthwhile to what's already in this article: http://antirez.com/news/122.
They generally have a strictly US-history based view of how to treat other people and deal with their insecurities and problems. They're also invariably passive-aggressive and just plain hostile in places.
When you are in a stage of pulling CoC rules out, you are already nuclear and hostility is already ongoing.
They are US based, yes, but they are usually good rules. Whether a CoC is bad or good is in the hands of the humans enforcing it. The .NET Foundation shows terrible human to human handling of a non CoC related topic.
A CoC is always toxic, because it is the flag of a moderating team that is not adult enough to recognise that you can tell someone "no" without having some sort of "legal body" to point to.
More importantly, a CoC is a commitment by the moderation team to follow a certain standard, instead of giving it a position of "whatever we say is right, if we don't act, sucks to be you". (And at the same time, it's just that, a commitment, it can still be ignored or misused, it's not an automatic fix for anything)
A CoC is an admission that whoever moderates the community is not capable of doing so without having something to hide behind and point at. Culture is not improved by introducing rules-lawyering and avoiding personal responsibility, that is how you ruin it.
Edit: What good does a commitment do anyway, if it guarantees nothing and changes nothing? It's just someone shouting, hoping someone else hears and approves. If anything, that underlines my point about the fundamental immaturity of the decision to introduce a CoC.
Edit2: I understood your point to be that introducing a CoC means a commitment, which is somehow something that is good. When all this commitment does is deflect responsibility, that is not a healthy result. I feel like that addresses your point fine.
A CoC doesn't automatically deflect responsibility. As a moderator you still need to actually moderate, and you get the feedback for doing so. As a commitment, it actually puts an extra burden on the moderator, since there's now an explicit thing people can point to when criticizing your (in-)actions.
I happen to have gained a moderator role in a community that has a pre-existing CoC. I'm not sure why I would "hide behind" or "point at" the CoC when acting in that role, I'm perfectly fine with telling people off (or more if necessary) without doing so.
And yes, if you assume the worst of everybody commitments don't have any value. But people generally attempt to actually uphold things they commit to, and thus it is seen as a positive signal, even if it's not a guarantee. (Ideally we wouldn't need CoCs because the baseline established by them would be such a universal commitment in society that you could just assume it to be valid everywhere, but experience shows that's apparently not the case) Several community members told me that it has been relevant to their decision to interact/join.
EDIT: and even if you say just a commitment is worth anything (as said above, I personally also don't think "has a CoC" is that much of a signal without seeing how mods actually act, but clearly other people do), that's quite a difference from a blanket "CoCs are always toxic".
I think the problem for current members is that they gave away their copyrights for some small benefits (code signing and DNF branding??). Which might have been shortsighted but I think at the time it seemed like the DNF was going to give them more benefits. So they would probably have to create a new project name and stop using the old accounts?
Thanks, I read your article, but I was under the impression that when you joined DNF they acquired your copyright from your previous sponsor foundation which happened on your decision?
If they used some special microsoft insider access to github to move these projects... that's gonna really harm trust in github. They really oughta make it clear that they did NOT do this, or make it clear how it can never happen again.
I mean, they’re clearly heading toward stealing control of associated open source projects away from the founders/maintainers so I don’t think there’s even room to discuss “repairing trust.”
You might discuss repairing trust with a burglar you caught in your house after his criminal trial. At this point, Microsoft is the burglar and he’s still in your house with the ski mask on (unless you would prefer for the burglar to be a she).
With all due respect, this simply doesn't make any sense. The projects are all released with OSI approved licenses. To use your analogy, all the stuff is already on the front lawn with "For Free" signs.
Also, this is about the .NET Foundation not Microsoft.
They are not stealing it because in most cases they... Legally ... own it. However, doing something behind the back of the people operating it is tone deaf, stupid and shows a great degree of arrogance and mismanagement. They pulled nuclear options dozens of times in this move. For what: to reorganize billing and streamlining processes. That is not good enough a reason to go nuclear on a maintainer w/o conversation.
I think those affected have commendably kept their cool so far but I’d say this (diversity Trojan horse, “we need full control to enforce the CoC, whoops you’re fired goodbye”) is a playbook that will be often repeated in the coming years.
"Gave" is generous in that it fails to mention how that access was gained - supposedly needed for a tooling account to ensure inclusion/code of conduct guidelines being followed, IIRC?
My apologies, I read your post and understood the bot access part. However the timing of it sure as looked smelly to me, that's why I wrote "supposed".
I probably shouldn't have speculated it was all a set up, but even if it wasn't all kicked off with that intent, how it was then used sure was not ok. It reeked of trickery and deceit, which I construed as social engineering from that point of view - hope that makes sense (edit: #1).
Kudos on handling this, and hope you're doing well all considered. It was fantastic to read how you claimed the ownership back.
#1) that they requested "Yesterday we announced Foundation-wide Code of Conduct Enforcement. Part of making that work requires that the dnfadmin GitHub user has owner permissions to GitHub organizations."
No problem. I'm really just trying to keep the story straight.
The only issue I have with the timing is that I told them I was not comfortable with them as admin on the repo yet as soon as they were made admin (to fix the CLA bot, which happened to be only a week or so after my email) this happened. No social engineering necessary but really poor timing on top of non-existent communication.
I'm thinking the Oxford definition was used here by the author (ie tricked into giving up a password):
"(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes."
I didn't really want to argue it any further as the issue was inflamed, but I absolutely think that when an account privilege was requested purely for "trivial thing A and we really really need it because think of the children", for it to then be used in the next breath for "evil thing B" - then what else is it but a more sophisticated social engineering attack? (I would certainly like to know if there's a better definition of it.)
For the benefit of the doubt there could very well be things going on in the background where the account access was discovered by someone else than those who requested it, and then jumped on the opportunity. However that's giving a fair bit of leeway.
Is it possible that anything which @dnfadmin is an owner of is automatically migrated by GitHub the moment it becomes an owner? Maybe they never realized that what happens?
The fact that moving WiX out of public Github did not generate any emails while moving it back did generate a lot of emails is the suspicious part. There's probably an utterly mundane explanation as to why, but it's also possible that there's a MS-only "move this repo without notifying anyone" option.
Moving it out back to public GH was done by transferring the repo(s) between organizations. The move into GHE moved the organization as a whole to GHE. So it's conceivable that moving organizations as a whole to (or even from) GHE does not send emails. To be clear that's still bad, especially given how the user could only know of this move if they were logged in and looking for one tiny bit of text in the repo homepage, but it's a non-malicious explanation.
If that's true and GitHub doesn't send mails for this particular thing, even it sends mails for more or less anything else if you don't disable it, paired with the fact that such a change is almost invisible if you don't know what to look for, makes it even more suspicious.
If there where changes post MS acquisition of GH to this parts this would look like planed long hand.
I'm curious about this too. I was told (by someone at GitHub) that the features I used to do the move are brand new and were not expected to be used the way I did. It is very possible pieces are missing in the audit trail GitHub creates.
Meh. I might be more interested if I actually had a GitHub Enterprise myself.
I'm curious about this too. I was told (by someone at GitHub) that the features I used to do the move are brand new and not expected to be used the way I did. It is very possible pieces are missing in the audit trail GitHub creates.
Meh. I might be more interested if I actually had a GitHub Enterprise myself.
There is no "special" access in GitHub, and no person as far as I know has such an access. I work at Microsoft, but GitHub side is very detached so I don't think there was any collaboration.
It would appear different.
Microsoft stealing projects into a private enterprise space is a different action than putting them back to public.
Stealing generates no emails, but restoring to public generates a lot of emails.
It would appear there's a backdoor system for them.
I've been an admin of an organisation that was moved into an enterprise org (with consent) and can confirm that this does not generate emails for the child org.
As I read it, there’s two different things happened. The foundation moved a repo they were given owner (or maybe admin) access into an enterprise GitHub account, which doesn’t generate a noisy trail of email.
The OP used a workaround of starting a new GitHub project a couple of project renames, and a project transfer - which did generate a flurry of notification emails.
(I’m surprised the “move into enterprise account t” action doesn’t at least notify all owners on the account. If it normally does, and these ones didn’t, that’s a super bad look for both the foundation and GitHub…)
What's the difference between "moving a repo...into an enterprise Github account" in the first paragraph and a "project transfer" in the second? I would have thought that "project transfer" is just another term for "moving a repo into a different account", so the only thing that seems different is going to enterprise versus going from. It seems kind of odd that email notifications wouldn't be the same in both cases.
I assume moving into an enterprise account is a single click (although I've never dione it, so :shrug:).
The workaround "project transfer" used/suggested for getting back _out_ of that enterprise account gets explained in the article like this:
1) Create a new GitHub organization, normally. For example, name it new-yourorgname
2) Rename your organization in GitHub Enterprise in the Settings to something like, dnf-yourorgname
3) Rename the organization from step 1 to your desired organization name. You want to complete this quickly after step 2 so no one takes your organization's name.
4) In the GitHub Enterprise dnf-yourorgname go into each repository's Settings and transfer the repo to the brand new yourorgname organization.
Not at all surprising that generates a flurry of emails, especially since in the authors case step 4 needed too be done 44 times, once for each repo in the org.
There is no reason to suspect that they did. As I wrote, I granted admin access to my GitHub organization. No other special access was needed after that.
Arguably, for those who want to / have to work in the .NET ecosystem, it is better that .NET is adopting an open source model, even if imperfect.
This actually lessens the vendor lock-in problem and also means less of a risk of Microsoft pulling out of providing security updates for key components.
So far as I can observe, C#, F# and .NET Core as a platform for web development have benefited from the OSS-ification in the form of more dynamic and transparent progress/evolution.
This doesn't make sense to me. My company (FireGiant) sells support contracts for the open source project for companies that want guaranteed incident response times/SLAs.
And Microsoft isn't involved. The .NET Foundation holds the copyright.
They "love open source" because that's what makes most business sense. FOSS is part of the developer zeitgeist so much that you can't avoid dealing with it. MS and others have bashed them for years, but it only got stronger. So it only makes sense to tone down the denial and start accepting that it won't go away.
It is not how it looks for those still targeting Windows desktop, a maze of incompatible GUI frameworks each competing for dev attention and a stagnate UWP .NET tooling, lack of comprehension to understand what AOT means, isn't doing great.
When you invest work into a code-base that depends on something like .NET, you are taking up some stake in the community and ownership of that base. You do need at the very least security updates, but you also need support and documentation. It's hard to describe fully in words. And most of the time, you can't just switch that particular part of your stack overnight. I'd rather be stuck with a community that looks healthy.
And you can argue about the trade-offs of different "ownership structures", and compare for example the .NET foundation over the Django/Python foundation over whatever Java is currently doing.
Do not worry. .NET is a good choice independent of this hickup. The maintainer will change their foundation backing and the .NET Foundation will serve its original purpose: owning the core .NET runtime so AWS, Google, Samsung and Microsoft can take save bets on it.
JavaScript had it nodejs drama, Perl its community drama, Swift it's drop of support from IBM, the Linux Kernel has Linus, etc. They are still there and strong.
Well, I would never choose .NET if I had any choice. It's much too verbose and is dominated in terms of productivity by many other frameworks/ecosystems. Some people seem to enjoy it, and more power to them, but if I ask, they often haven't done much of anything else.
Hm, the reason I am still in .NET is that whenever I try to move to something else, the productivity suffers immeasurably:
- Most of the stuff outside of .NET, Java pair suffers from lack of refactoring tools, and are therefore unsuitable for sufficiently large projects. The exceptions are TypeScript (which is OKish, but lacks performance) and Go (which is tailored for web dev and has a few major drawbacks as programming language).
- Most non-dynamic languages apart from .NET, Java, and C++ have very limited debuggers.
Some leaders just need to issue “all hands” commands every now and then. These commands often make little sense to those at the receiving end. But those leaders need this to have their leader status confirmed. It serves also as proof of authority to their superiors.
This is particularly frustrating when an organisation switches leadership and goes from participative to hierarchical. I think this is what happened here: .NET Foundation leadership must have changed and with it came a new, hierarchical leadership style.
That's just the release manager asking for help with getting the release out. The wording also strikes me as fairly playful (it's a maritime reference!) so I fail to see how that's "fully corporate" or makes python "formerly open".
This isn't a literal "I am your boss, you MUST work now", this is "hey, I'm the person who volunteered to get this release out, please help if you can!".
Apparently the view I voiced is controversial. I can see how some organisations vitally depend on a strong decision hierarchy. The military for example, or some startups. Someone running such an organisation will not be open to the view that such decisions can frustrating for their employees.
Does anyone else love these technology psycho-dramas? I really don't have a dog in this fight but I find myself following them more avidly than a netflix mini-series.
It is drama about people, power and emotions. People read books which are classified as drama. And honestly, this conversation is really civil (at least after moderation and ignoring everything which contains EEE and $ as a string) and therefore also a good read.
An open source umbrella organization pulled rank and the member projects are connecting the dots to see that Microsoft views them as unpaid employees.
No, it's not hyperbole. Go check the foundations website and you'll find that Microsoft has exclusive access to the highest level of power in the self-styled "independent" organization written right in to the bylaws.
How are those two entities separate? MS has a non-removable seat on board and gets to appoint the director. I'm sure that DNF is seen as division from inside MS.
It was setup for failure. I am pretty sure this exclusive access thing was to protect core .NET not the community projects. But exactly that is a core mismatch between what the foundation is and what people expects.
The corporate hierarchical malarkey that gave Novotny the wherewithal and motivation to do this should be ripped out root and branch, as well as whatever specific job role that currently defines the executive directorship.
I'm not saying Novotny should be fired, simply that the Foundation has demonstrated a corporate behavior fundamentally at odds with its supposed reason for existence.
Respect for community and contributors was obviously not encoded into the design of the organization. That a board exists to rectify, rationalize, or abet mistakes isn't enough. They have to fix the root of the problem, which is that Novotny was able to do this at all. They need to make an explicit and ironclad promise to developers.
They allowed institutional structure to oppose their mission. That won't change with mere words and staffing shuffles.
I’m a bit alarmed by the many issues here. I’ve heard a lot from the maintainers but much from the foundation.
- continued lack of communication
- for so many issues to occur to multiple parties paints a picture of it being routine
- that no immediate reversals have happened with utmost immediacy
- the ethos of the maturity model
- the policies apparently being enforced - even now…
- for calls to solve things privately
It’s culturally indicative of the foundation’s values whether they know it or not.
A healthy community is one where discussions happen in the open, good and bad.
This is not good, and I’d recommend the community coming together and maybe finding or forming an alternative - which is difficult I know.
Yeah, the (continued) lack of communication is not great. But the timing is admittedly pretty poor for the .NET Foundation as well. They just brought on new board members this week. So delays are kinda' expected... but I would have communicated differently.
From the GitHub thread it seems like these projects willingly transferred the copyright to the DNF when they joined; is that not the case? If it is what grounds do they have for being upset?
What's being done here is changes to how the project is managed. Basically inserting an upper management over the heads of existing maintainers. AFAIK, this right was not given (or at least the maintainers did not intend to give) to the umbrella org.
Yeah, but a stupid owner does what they did as nuclear options, a smart owner has the power but never use them but convinces people and let them work loosely as long as this is possible.
This is a cooperate thinking applied to a foundation. Is a recipe for failure.
The copyright applies to the source code the copyright is written on. Lawyers then argue who owns the "project" (GitHub organization/repository). For example, the copyright is not applied to the issues in the issue tracker.
But the argument is about whether the .NET Foundation could do such a thing. The argument is whether they should. And, the .NET Foundation chooses that they should take over the projects, project maintainers can make different decisions themselves.
I think not just US, also Switzerland among other places. But either way, Copyright was signed over, and that has real implications. Although, in this case I gather that initially the Copyright owner for the given project was Microsoft, then some other foundation, and now .NET foundation. So, it's not like the maintenaners signed over anything they had, really. As sad as it is, legally it has never been theirs. Good thing the license protects some freedoms.
So... about a decade ago, a guy was found guilty and convicted to 5 years in jail for unauthorized computer access because he scraped a data from open website (see this for details: https://www.zdnet.com/article/jury-convicts-hacker-over-at-t... ). Can somebody explain to me, why isn't foundation guilty of the same crime? Clearly, they were given an access so that they install a bot, not to take over the project.
Might be tangential but I have not seen a word addressing this fuckery from either Jon Galloway or Scott Hanselman or any of the "dev evangelist" type people. Weird
I think it is well established by now that this .NET Foundation is ultimately answerable to Microsoft. Also, Claire - who started the "kerfuffle" - is a Microsoft employee.
Given how especially Scott always has a big opinion about how great OSS is and how much Microsoft loves OSS, and given how it was ultimate MS employees that were responsible for creating this current distrust, I think it would be very appropriate for them to voice their opinion about this.
And, who knows, maybe they are doing something behind closed doors. But I very much doubt they'll embarrass their employer by speaking up in public. They know who pays their salary and are much to good at corporate politics to do that.
That doesn't seem like a super meaningful statement, not least because it's both excessive and insufficient. If you have a git repo on your laptop, microsoft or the dot net foundation or whoever can't alter it. If you make a repo on github, they still can't touch your local repo, but they can do things to the repo on their side. And so, yes, controlling more of the stack would give you more control; if you pushed it up to a gitea (or whatever) instance on an AWS EC2 instance that you manage, then it's vanishingly unlikely that someone can change "ownership" of the data (by modifying the metadata in git(hub|ea)), but of course AWS could do whatever they want to to your instance - so do you own it? Okay, well let's put it on a server that you bought yourself, and that you run in your basement (or even a colo; actually it doesn't change the situation). If you want anyone else to use it, you still need an ISP and probably (practically) a domain/DNS (read: domain registrar and name server(s)). In practice, you'll never own the whole stack, but on the other hand, you shouldn't need to, and in many cases you don't.
> That doesn't seem like a super meaningful statement, not least because it's both excessive and insufficient.
That's very disingenuous.
The "application server owner" has all the control. The "server owner" can transfer my repo, copy my PRs, inject their own PRs, and even lock me out.
If I control the server, it becomes VASTLY more difficult to impersonate me or inject a change without my permission or cooperation.
Sure, it can be done, but it will take far more than just a couple people of random employees typing for a couple minutes at a keyboard to pull it off. Someone will have to spend real money to usurp my DNS, set up another website, copy all the data (which they may or may not have full access to), etc.
The cost to compromise me is orders of magnitude higher if I control my own servers.
It's not disingenuous, it's a difference in magnitude and threat model. Owning your server gives you things that a hosted offering doesn't, and fails to give you other things. That may be a good trade off, but it is a trade off (ops isn't nothing), and it's not an absolute, both of which mean that dismissive statements about owning your own servers are less than helpful.
I started a project that I hope to maybe turn into a product (foss/community edition hybrid approach). One of the tech stacks I evaluated was mono-based, using c# and the .net libraries.
I ended up turning down that choice due to a couple of factors, but one of them was the glacial pace of .net process and development. It just didn't look or feel like a healthy ecosystem, if you weren't paying microsoft $$$$. Just a ton of small warning flags around the community, the stack, and the maintenance of core projects.
C#, .NET, and the associated ecosystem doesn't feel good to work with, out of date, and in desperate need of modernization. The alternatives (spring, flask/falcon, lightbend) all seemed much more modern and easy to work with.
I actually have a concrete example of this: one of the features of my project is that you can define yaml based configuration documents, and share them. Using something that was easy to write for small but coherent configurations was crucial - XML was right out. The .NET ecosystem's yaml support is not great, feels kinda janky, and yaml validation is a paid product! That's completely untenable for something that's still in the weekend work phase. And it wasn't just that, but tons of things I had become accustomed to in python were either incredibly immature or paid. Not to mention that the built in build system was horrific, confusing, and had weak documentation. It's probably a lot easier when you just write a check to a contractor to set up a template for your team, but I have no luxury. Sure, some of this is on me, but I wanted to get started building and the .net ecosystem repeatedly got in my way until I was forced to give up.
So, upon hearing that the .net foundation is spending all of its time generating stacks of bureaucracy and causing internal drama, I feel like I made the right choice. At this point, it's unlikely I re-evaluate .net for future projects unless I hear massively good things (like what happened with java, which took a decade).
> C#, .NET/FCL, and the associated ecosystem doesn't feel good to work with, out of date, and in desperate need of modernization.
I recently built a company over the past year with .NET (after not using it for 5+ years) and felt the total opposite. I suspect you may be referring to the old .NET back when you needed Mono to run it on anything but Windows? .NET Core has been out for a few years and is an amazing improvement, the APIs (especially for web dev) feel very complete and modern, and there have been a lot of neat language features added in the recent major versions. The old .NET was definitely clunky though for targeting anything but Windows apps or servers.
Not sure what you are referring to for the paid products - .NET Core is now open source and even accepts PRs. Although there is no official YAML support still, so maybe the third party library was paid? JSON is a great option these days and .NET's new JSON parser is really fast and uses much less memory (Years ago C# got support for the new Span<T> and Memory<T> types which allow type-safe access to the underlying memory, making serialization operations much better since there isn't a bunch of copying and allocating involved any more)
This is our experience too. We have 5 software engineers maintaining 3 mobile apps, 1 desktop app, 1 SDK product, and 1 web-app (Blazor) all with a shared C#/.NET code base that is bringing about $6M annually if you include the associated hardware product revenue. I’m not aware of many other tech stacks out there that can “natively” integrate with hardware/sensors and get that level of code sharing maintained by such a small team.
How is your experience with using Blazor and also creating the mobile apps (not even sure what .NET tech is used for that these days)? I maintain a web and mobile app so using C# across all platforms would be amazing, but I thought Blazor was still too new so I decided to use TypeScript & React for the web and mobile apps.
While Xamarin has some pain points it definitely satisfies a market need for “native” cross platform development. My company uses it quite a bit.
With .NET MAUI on the horizon as the evolution of Xamarin it has a future. Although I do wonder if the Blazor (mobile bindings) might end up having the brighter future. Kind of seems like the back up plan to appeal more to the HTML/CSS web devs who don’t want to adopt/learn the XAML UI markup.
Sadly(or luckily, for the people that haven't had any contact with the ecosystem), you must have missed the semi-recent open source developments around .NET Core. It's open, has a very healthy community and is well supported by Microsoft.
Sure, back in the days when you had to rely on Mono for cross-compact, this is exactly the answer you'd expect from anyone, but it couldn't be further away from the truth nowadays with the modern runtime and ASP .NET Core.
I can't refute your examples, but I think on one hand, C#/.NET has a lot of modern stuff you maybe didn't see, which you'd wish other languages had. The lang has great features (i.e. properties; the libraries for collections/concurrent collections; System.Linq; and Tasks, to name some). VS has great profiling tools (cpu/memory) if you know how to use them. Package and dependency management were bad, but I believe got some needed improvements starting with .NET Core. Things like that.
OTOH, that said, I don't actually prefer C#/.NET, when I think of those techs I don't think of a great OSS ecosystem (more like marketing blog posts by Microsoft MVPs, as opposed to technical deep dives by passionate engineers). I also think of github repos with at least 10x more open issues than stars or forks. These techs have great features, and they're used for successful projects/companies, but there's something about the fact MSFT owns them that makes me not want to use them at all, and just prefer golang/java/etc.
They're not microsoft employees. It's just MS has explicitly recognized them.
There's an irony that the award MS gives to passionate engineers in the .Net community has been completely misunderstood by someone outside of it.
If you want to see a great example of a passionate engineer who's been awarded the MVP, go read a few Rick Strahl blog posts.
Another one was Scott Hanselman, though I believe he joined MS like 10 years ago.
They addmitedly muddy the waters by awarding the MVP to their own employees writing about their new stuff, but even they can be passionate and interesting. Scott Guthrie's time on ASP.Net is a good example.
When you join the MVP program you are an evangelist. You are briefed, you are under NDA and you start to have a very different view that the broader community. Not every MVP is like that, but while I like the content they create I see them seriously disconnected from many .NET developers and actual use cases.
I think that is because product teams at Microsoft more or less expect MVPs to function as evangelist of the things they want to communicate marketing-wise. Originally the program started as recognizing community leaders/technical experts in specific MS technologies, but I feel things got hijacked somewhat along the way. Teams see MVPs as credible voices towards their audience so naturally the tempatation to use them as marketing voice is there.
Add to that the fact that MVPs themselves are passionate about those MS technologies so they for most part do want to repeat marketing line.
I used to be MS MVP, not for developer tech but for it pro side of things, and definitely saw these ”asks” in the messaging the product team did towards us from time to time.
> The alternatives (spring, flask/falcon, lightbend) all seemed much more modern and easy to work with
I never thought I'd see Spring(or any of those) described as more modern and easy to work with than .Net haha. Spring is the Java land web framework bloatlord. It's quickly fallen behind and out of favor in recent years with the hip crowd preferring micro frameworks like Quarkus or Micronaut. Spring abandoned hot-reload in favor of restarting app context which takes FOR EV ER on larger projects; .Net is releasing hot reload as a first class platform feature as we speak.
.Net runtime is one of the hotest pieces of action on the planet. AOT compile, multi-core threading, async/await, Span<T>. Mono is pulling its weight too with compile to WASM. Then you have ASP.NET, Entity Framework, and a lot of other really great and performant build blocks.
Ah yeah, I was using core I think. Sorry, it's been a while, I kinda glazed over the acronyms and names over time. Since it was my own project, I really was trying to do things "the modern way".
Frankly, I don't remember. It's been a long time and using .net was a failed experiment.
>Why were you targeting mono then?
Well here's another issue with .net I ran into... really unclear guidance from numerous sources who all really wanted you to use THEIR stack and thus end up paying THEM.
I did multiple things, multiple attempts to make it work. I tried to do it "the right way" from various sources.
The reason I was targeting mono at some point was because I wanted to run a microservice, without paying windows server licenses fees, and as best I can tell, that was the root runtime I'd need to target.
Keep in mind that this was me, going in blind into a large and established ecosystem. I don't think going astray detracts from some of my bigger complaints, such as the poor quality of community open source libraries.
> Well here's another issue with .net I ran into... really unclear guidance from numerous sources who all really wanted you to use THEIR stack and thus end up paying THEM.
Meaning no offense, but it’s hard to see how you ended up so far off the mark. The .Net frameworks and runtimes (.Net Framework, .Net Core, and mono) have always been free. Likewise for the Asp.Net web framework you would have been using for web applications. I’ve been in the .Net ecosystem for over 10 years and I’m not aware of _any_ paid web stacks that would align with the quote above. Not to say that they don’t exist somewhere out there to extract money from foolish enterprise IT departments, but they aren’t even close to mainstream. If you did this experiment within the last 5 years it would have been extraordinarily hard for you to miss out on .Net Core, especially considering it was built to do exactly what you want - microservices with Linux as a first class citizen.
> really unclear guidance from numerous sources who all really wanted you to use THEIR stack and thus end up paying THEM
Sorry but at this point it is hard to believe you are posting in good faith and not trolling. Even back in the Windows only days the runtime was free and there was free dev tools (VS C# Express). Mono was free too, and open source. I know no paying runtime and I've been using the language and tools as a daily driver for a decade.
It's been possible to build micro-services in ASP.net Core running on Linux (and in Docker containers) for the last 3 years very easily.
Agree, I decided not to reply - if, a year ago, you ended up on the path of "compile to run on mono", you didn't bother to read any of the .net5 documentation - and without checking, likely just the main download page for dotnet core. /shrug
Why would you start a project on a platform then build that product on a foundation of one of that platforms weaknesses instead of one of its strengths? This anecdote is not good evidence against the platform.
You're referring to the YAML point? The way I read it, it sounds like the poster only learned about the issue when they ran into it during development. That being said, a couple of specific complaints is probably not the best argument against a broader platform.
I remember XML support in .NET being excellent. The author could have used C# classes that would serialize/deserialize to/from the XML, then used built-in tools to generate an XML schema for the config files. The schema could then be consumed by vendors or other connected projects using .NET and have perfect, code-first, statically typed interop. You'd never be writing XML itself or the schemas or the serialization/deserialization code. You can't get any of that with YAML, it doesn't support that sort of safety. You'd have to manually implement all the safety checks and serialization/deserialization for a worse end result. Of course that would be a bad outcome.
the .net ecosystem is somewhat pay to win - its like the apple store of the devtool world, clients are actually willing to pay. if your company has the funds, you have access to some of the best tools in development, but you can get pretty far with its free options too.
C# is quite a nice language to work with. historically projects were very enterprisey oop monsters but cleaner functional paradigms are trending in the .net space.
You can absolutely write in a functional style. It does not have to be the enterprise OOP monsters of the past.
Apart from something radical such as adapting a Hindley-Milner type system, I'm not sure it can support functions much better than it already is.
I think most people simple oppose to the idea of a static type system, and my experience is that static type checking is an absolute time saver in the long run for large long lived. Significantly.
This list to me reflects a different element of the .NET ecosystem: .NET teams don't just buy into .NET, they also adopt often buy whole hog into a grab bag of other MS solutions alongside.
Are Windows Server, SQL Server, Azure DevOps, Teams, Chocolatey, and PowerGrep really a better dev experience than Linux, Postgres, Github, Slack, apt, and actual grep?
Many are debatable, but SQL Server & Windows Server are honestly a huge pain to deal with, and on top of that cost a boatload in licensing fees. Even Microsoft has decided Azure devops is a waste of time post github acquisition and it is apparently eventually going away. Teams honestly sucks in comparison to Slack.
That is seriously outdated in 2021. A modern .NET developer use Postgre, SPAs like everyone else, vscode notebooks, VS Code, etc.
Visual Studio or JetBrains rider is the only thing a professional developer needs. Which is tiny investment for a professional. The rest of the products I have not seen in new projects use for years.
It's not, although Microsoft absolutely tries to make it much easier to write/deploy/maintain C# in an all-Azure tech stack. That's good or bad, depending on whether you have other reasons to be on Azure.
I'd say Visual Studio (not VSCode) is pretty much the only not-really-optional, not-really-free dependency. I suppose that means you also need to buy Windows.
Personally, while I use(d) C# for work and I think it comes with a solid toolchain and I have no big complaints, I have never chosen it when I could choose the stack from the beginning.
Closest I can think of is the days of yore where .NET Component licensing was a thing that was encountered frequently enough it was mentioned more prominently in books. This was useful for a lot of 3rd party developers that wanted to provide either tooling or runtime libraries to IT Shops. UI Toolkits and other 'specialized' libraries would use this mechanism as a way to keep some level of IP Protection.
I ran into this scheme in the wild with Devart's DotConnect for Oracle; at the time it was worlds better than the free 1st party providers, and came with some interesting T4 templates for generating models for either EF or their special adaptation of L2S, and MVC CRUD HTML generation. Fairly cheap for an unlimited site license too.
it's been about a year but it was a death by a thousand papercuts kinda thing.
I want to add that I was not an experienced python developer at the time - I'd used it for a handful of simple automation scripts. My day job was writing scala.
- targeting mono under nginx on linux, from within windows was really difficult, I could never quite get it to work
- no support for monodevelop on windows - cross platform was crucial to me and it just got so onerous. And maybe it's just me, but I was really hitting a lot of frustration with visual studio.
- i wanted to use both yamlschema (broken at the time) and jsonschema (paid)
- msbuild is abysmal with useless error messages. I struggled to run a simple shell script during the build process.
- a couple of libraries I tried were broken or unmaintained. The .net ecosystem seems to have very low quality of community maintained tools.
- no clear guidance around using DAPR without paying microsoft (which i guess is fair, but being vendor locked before I even start is a rough look)
- ... and that's all I can remember. There was more.
I fully acknowledge that some, if not all, of those complaints may be self-inflicted. I can't say that, for my first complicated project in python, it's been completely smooth sailing.
However, with python/falcon, it didn't feel like I was fighting with the ecosystem to define a package, import the package into a microservice codebase, and then get the service running with full test coverage. It didn't feel like I was fighting to bring a third party library in, verify it's actively being maintained, and start using it.
I spent as much time getting a simple microservice hello world with authz/authn validation and a reasonable packaging system, in python, set up in about time as it took me to give up on msbuild.
I've found bootstrapping python microservice development on windows to be quite well supported. I didn't find that with .net.
I think the only time I've found people this far off the main track is users that only know C#/mono coming from Unity Engine.
> targeting mono under nginx on linux...no support for monodevelop on windows
Because you should have never been anywhere near mono.
Even a year ago, if you followed the main .NET documentation it would have directed you to install the .NET 3.1 or 5 SDK on to your linux environment and get setup with VSCode. It's the first step in the hello world tutorial: https://dotnet.microsoft.com/learn/dotnet/hello-world-tutori...
> no clear guidance around using DAPR without paying microsoft (which i guess is fair, but being vendor locked before I even start is a rough look)
Dapr is not a Microsoft product. Microsoft does not offer commercial support for it. There's docs for the .NET library on the Dapr website, along with various community support channels available.
> I've found bootstrapping python microservice development on windows to be quite well supported. I didn't find that with .net.
Bootstrapping a worker service or ASP.NET Core on windows is either a few clicks in VS, or a one line command via the dotnet CLI.
Have you tried using .NET Core? It's a pretty thorough reworking of .NET Framework that is officially supported by Microsoft on Mac, Linux, and Windows, and pretty much all of my experiences with it thus far have been positive. VS Code has great built-in support for it.
IMHO for startups, productivity and development speed usually beats performance and enterprisy-ness (looking at you, Spring).
F# dominates C# there, but Django, FastAPI, various other options for Node or other languages, are simply easier to learn and faster to iterate. You can change/reload a Django app several times before the C# compiler finds a problem with your static types in a bigger codebase...
And to me it seems like you can acquire technical debt in C# just as fast as with any other language. Maybe faster because it is harder to learn and less "obvious" with all the DI magic. Of course, if you are proficient in C# and its ecosystem, you can write some damn fine software in it. If so, I wish you the best of luck finding affordable coworkers who can do the same.
I'm not saying it's at the same time. And yes, type feedback is mostly instant.
The code base I'm currently working on takes a long time to compile and sometimes there are errors. Or there are runtime errors. Combined with the much higher volume of code I have to write, and the greatly reduced readability C# does feel a lot less productive than Python.
Usually when I see that, it's because someone's implemented an inappropriate pattern, or gone over board on 'SOLID' principles or whatever.
C# developers seem especially prone to getting trapped in stupid implementations that massively bloat the code. For taking some Uncle Bob dictat to an unnecessary extreme, or implementing a dangerous pattern like CRQS stupidly for a simple CRUD app. Less a reflection on the language and more of a reflection of the enterprisey culture.
I was interviewing in the C# world recently, it was quite disheartening to hear the same phrases repeated 'hybrid microservices' (i.e. we've got the worst of both worlds in one project! But our TA got to put microservices on his CV!) or 'we value SOLID code' (i.e. we've massively over-engineered our code, development has slowed to a crawl, there are far too many interfaces, and debugging is a nightmare!).
But you can write great, terse, code in C#, and I feel much quicker than dynamically typed languages. I feel like I can implement the same code much faster in C# than I do in the equivalent javascript, even though I've been writing javascript for longer, and that's down to the autocompletion and snippets of a powerful IDE, which dynamic languages will never be able to match. It's also much easier and quicker to move code, refactor, and generally redesign your code on the fly as you're exploring the problem space.
Even Javascript has quite a bit of autocompletion nowadays, with all the annotations coming from typescript. Much less typescript itself. Frameworks on the JS side also massively improved.
Same thing with Python. Not that it really needed annotation much, the productivity always was quite high, whatever people not using Python said. Now there is static type checking and the IDEs got even smarter. In my experience even statically typed software still needs automated and manual testing so much of the benefits are limited.
That's unfortunate. That's not how I wrote it. The blog post is about the .NET Foundation and--ultimately--about one very consequential action they took recently.
A scorpion wants to cross a river but cannot swim, so it asks a frog to carry it across. The frog hesitates, afraid that the scorpion might sting it, but the scorpion argues that if it did that, they would both drown. The frog considers this argument sensible and agrees to transport the scorpion. The frog lets the scorpion climb on its back and begins to swim. Midway across the river, the scorpion stings the frog anyway, dooming them both. The dying frog asks the scorpion why it stung despite knowing the consequence, to which the scorpion replies: "I couldn't help it. It's in my nature."
Maybe it is just me but I find this headline inscrutable. I have no idea what is meant by kerfuffle or brouhaha. More common vernacular might be better. Does it mean "a minor argument became a foundation threatening problem"? Does it mean "an interpersonal conflict impacted the whole org?" I don't know... And probably do not care at this point.
The title came from a comment from one of the maintainers of the WiX Toolset. I called the initial missteps a "maintainer kerfuffle" and he responded, "As long as it doesn't turn into a brouhaha".
Now that I think about it, I didn't write the blog post for the uninitiated. If you didn't understand what was going on, that was fine, it was content for you.
I don't know how I ended up here on Hacker News. :)
Though in the case of .NET core they'd have to extinguish their own ecosystem that was closed source, then they open sourced it and they partially opened the development process that was completely internal.
For developers in the .NET ecosystem the OSS-ification is a net win (pardon the pun). If you are a Newcomer to .NET, you still should expect that Microsoft has some control over the ecosystem, just as the rest of the community also has certain rights and powers (through forking and patching) if it comes to that. Microsoft also controls part of the Node ecosystem (npm) and Typescript. Google controls Android and Angular. There are always tradeoffs, it's more important to be aware than to avoid all of them.
I want to express my sympathy towards open source maintainers and builders. Really they go through so much shit they dont need to go through more, but I think this has made most open source maintainers either too sensitive or their fuck-o-meter go crazy.
There is obvious a communication issue from the .net foundation but also from the maintainers themselves.
If they ask you for X permission, you cant just say no, sorry but you are part of an organization and it doesnt work that way, one way or another regardless of what was told to you X years ago, things might change and you will need to take an active stance to it.
Horrible move from the foundation to ABUSE their admin rights and move the repo to GitHub Enterprise, but posting a tweet about your emotions and then trying to find a way to move the repo without reaching out to someone is not the way to go.
Most likely even if the person did reach out to someone, the reply would be dry and late, but this is something that has been cultivated by the maintainers as well. As the article mentions "the communication was shit but it was fine as long as it didnt affect me" - not direct quote.
I think both sides need to reconsider their communication channels and behaviors.
They both need to understand that one way or another they have an obligation to each other.
I hope communication and transparency will help to not have similar issues in the future.
You are correct about communication being the core of the issue.
I understand what you are saying with "If they ask you for X permission, you cant just say no, sorry but you are part of an organization and it doesnt work that way". But I didn't say no to the requirement from the .NET Foundation. I was happy to enforce the Code of Conduct. Where I drew the line was granting admin access to an alias. The .NET Foundation owns the copyright but they don't own me. I'll also argue they don't own the issue tracker and other non-source code things in the project. And opinions on that could differ so conversations could be in order.
Also, I didn't spend a lot of time in the blog post discussing the evaluation of repercussions but Bob and I did talk about the for a while. In the end, I decided that those of us that work on the WiX Toolset would be in a better place to communicate if our organization was in "public". I take responsibility for that decision and I'm transparent about what and why I did it.
But, in the end, I agree with you. Communication and transparency will help to avoid similar issues in the future.
Of course I only have the view that is presented as I dont know what is happening further, if there were more talks etc.
Maybe I am wrong in that sense and there was more substance than I realize, and as I said I am 100% with you, large organizations should not abuse their power.
I hope that it gets better and I hope to not have offended you. (my comment has already been downvoted as per usual HN environment when someone is not taking the side of the majority )
You are doing the right thing. The .NET Foundation has to learn and change OR release the projects back into the wild (also legally). Otherwise, they will receive the bill by hundreds of project forking and changing names, creating damage to the ecosystem and leaving them with a mess no one wants to take care of.
Is .NET foundation paying them money? Or what is the relationship between the projects and Microsoft/.NET Foundation?
Reading the "apology" on github, it seems that .NET Foundation/Microsoft thinks those projects are essentially theirs, and they are free to put them under their enterprise account to "simplify billing"
https://github.com/dotnet-foundation/Home/discussions/39
But reading this article, and the one below, the maintainers think otherwise?
https://www.glennwatson.net/posts/dnf-problems-solutions
There are also some notes about copyright that I don't understand. Who owns the copyright? Microsoft or the maintainers?
edit: From the github "apology":
> Projects might not fully understand what joining the .NET Foundation means. We share a checklist with project maintainers on project changes they accept as part of becoming part of the .NET Foundation. That’s obviously not sufficient. We will post a new document that describes what you can expect when your project joins the .NET Foundation. This will include changes (observable or legal) and new benefits. It will also include changes that could occur later.
....ok? That seems scary, coming from Microsoft