This is the best way to conclude a project like this, I wish more clear-cut "this is the end" choices were made. An ecosystem with zombie projects isn't healthy.
> I've been giving less and less attention to PiVPN, and the desire to keep up with it is no longer what it once was.
I wonder if financial/monetary incentive would change this. I don't think it would personally (because putting a value on your free time/mental load/time you can spend with your loved ones doing something else away from the PC is precious)
On the flip side... $500/mo? $1k/mo? $5k/mo? I'm sure most projects that go "defunct" open-source-free-no-financial-incentive-thanklessly-help-build-something could probably find "motivated maintainers" for $3k/mo on average? Internationally?
Is the "capitalist" answer "this repo and all of its efforts are not worth $3k/mo to the open market"?
A lot of these projects are made in people's leisure time, without profitability, for other fellow geeks, and the users also use them in their hobbies. And as fellow geeks, we are more likely to be financially poised to be on the other side of the equation: getting paid to write code, rather than being able to pay a developer's wage, at least not in the long term, not in any maintainable manner. Can you afford to pay yourself 3k/month to maintain such a project, without any profitability, just for a hobby?
Agreed. Also often the gap between what people will pay for a hobby project and what money is being made at a tech company by the people who have the hobby is vast. Sometimes there are contractual restrictions on taking money from other jobs simultaneously that complicate it.
> You could probably get someone, but would you get someone good (competent, trustworthy, etc)?
The same could be asked of people who work on open projects for free, could it not?
Is a financial reward (or lack of such reward), in and of itself, some sort of implicit indicator of the quality of the person putting forth the effort?
> Is a financial reward (or lack of such reward), in and of itself, some sort of implicit indicator of the quality of the person putting forth the effort?
It is an implicit indicator of how much that person cares about the project.
I don't think we need to make a study of it to be sure that GitHub and SourceForge are rife with free software ("free" in terms of beer, and in libre, and also in compensation) in various states of incompletion, haphazard execution, and sheer abandonment.
I mean: The open-source community has certainly produced a ton of excellent software for free, but it has also produced (and published) a lot of false starts, loose ends, broken or forgotten code, and unfinished or unpolished work.
Open-source volunteerism is awesome, but it isn't all ponies and rainbows.
Perhaps the author(s) of some of these things might care more about finishing and maintaining them if their ongoing efforts were producing a meaningful amount of money as a reward.
> Perhaps the author(s) of some of these things might care more about finishing and maintaining them if their ongoing efforts were producing a meaningful amount of money as a reward.
Have you looked at the average state of commercial software lately?
Yes, it seems to be much worse than it used to be in (pick a timeframe that relates to your own rose-tinted "back in the day"), but some of it is excellent.
Does any of this somehow mean that a financial incentive must make free (beer and libre) software worse?
If so, why and how?
It does not follow, for me, that rewarding software authors with money must make things worse.
I've personally put a fair amount of money into various tip jars for free software authors who create stuff that is important to me. There is no part of me that thinks that me doing this somehow disincentivizes them from continuing to do outstanding work.
Maybe not quality of the person, but quality of the job done, absolutely.
When working for free on my hobby projects, I do my absolute best. Now try to pay me $3.50 per hour for similar work (strictly +Infinity% more than before!), I'll probably flat out refuse / won't focus on it as much.
Why? I wish people would put their projects in something like https://www.codeshelter.co so anyone who's interested can maintain them, instead of just killing them.
You can maintain it right now. Make a fork, and continue development. You might even get some shoutout from the original devs. It's all open source after all, making this repo read-only doesn't mean the project's dead if the community is vibrant enough.
The community matters. It's one thing to get control of the official websites, official packages, etc, and another to have to tell every single user "come use my fork".
There are accidents on the highway, planes crash, fires in buildings, etc. Let's reason about Jia Tan - a problem, not a danger to all of FOSS - not, like everything else these days, just embrace ignorant fears.
It's cool to destroy social trust, to deny it and abandon it. The counterargument is right in front of your nose - the incredible, infinite, world-changing world of FOSS. Think of all those amazing projects, social trust working over and over and over.
You're going to throw all that out over one guy? The only thing we have to fear is fear itself.
This is not what I meant. But I prefer a fork of an abandoned project which needs to gain new trust to be installed instead of a new release pushed through an auto update after 3 years that installs malware.
The parent comment was not about someone from the community taking over (which to be honest was the case in the xz story) but about posting the project on a „projects without maintenance“ site for any random person to take control.
So you're saying that if projects continue choosing to sunset without handing over the keys to the kingdom, open source will stop existing?
This is simply not even close to true.
Edit: I can't reply to your reply, so here will do. You've completely ignored my main point. I get that you want projects to pass on the torch, but saying open source will otherwise die is ridiculous.
> "But I want and can maintain it, can I take it over?" Let me put it plain and simple: No! I don't know you, I don't trust you! Fork it and carry on!
For something security critical like VPN, ownership change is a big deal. Users trust project's reputation. So if there is not a trusted successor, shutting it down is way better than giving it up to unknown people.
That's not what they meant at all, don't be obtuse. The community exists around the project (in this case the repo and associated website etc). If you fork it then you have to hope that the community follows you to your fork and that then everyone coalesces around it. This isn't guaranteed to work though, so passing the existing project onto a new maintainer is a much better way of retaining the existing community. That is what was meant when talking about the community.
The earlier comment is concerned for the users being orphaned by the project they used. The project is concerned with protecting the trust the users placed in the project by using it.
To trivialize the concern of the project seems worse because it prioritizes convenience in a particularly sticky area (security/privacy) as well as forcing a less informed choice on the user (who they are trusting).
There's probably a nice parallel here where we consider the NRL's role in Tor and how FOSS practices, EFF funding, and transparency meant it preserved user trust.
The maintainers are vetted before joining, and are removed if they do something untoward, but when the choice is between killing the project or giving it to some random person, Code Shelter provides a better alternative.
What if they pass the joining process but then later sneak something in that goes undetected until things go boom? There are alternatives, you can fork the original project, and things will go on. As others have said too, you can just update the underlying software and there's a good chance that the wrapper itself will continue functioning, providing there are no giant breaking changes and by that point, a fork or alternative will likely have handled it.
What if there's no joining process, and they contact a maintainer directly, and peer pressure them to hand over the project, and the maintainer does, and then they sneak a backdoor in some binary test files?
That scenario is exactly what PiVPN is avoiding by refusing to nominate a new maintainer and telling interested parties to fork--so what is your actual and concrete objection?
> I wish people would put their projects in something like https://www.codeshelter.co so anyone who's interested can maintain them, instead of just killing them
So to me that says you want it both ways, for while I appreciate what the codeshelter folks are trying to do, it is a task that is going to turn out Sudden But Inevitable Betrayals. Instead of contacting a maintainer directly, they just look sufficiently polished that codeshelter says "yeah, sure, OK" and hands it over.
Forking the project and earning your own trust really is the safe path forward.