Some more thoughts on FOSS Sustainability

The community pipeline problem

Last month I commented on FOSS Sustainability in the wake of the xz exploit on an overloaded maintainer. [1]

There's a massive elephant in the room.

How do we recruit new folks to help a maintainer maintain their code? More to the point, how do you recruit new people to fill in the gaps that maintainers need to fill? How do you grow interest and community to give maintainers the support that they need?

Sometimes a project's own worst enemy is the project founder.

The Benevolent Dictator for Life (BDFL).

Growing pains: when will the beatings stop?

Some of our communities have growing pains. Some of our communities don't have an issue with recruiting new people, but they do have an issue with toxicity.

I'd like to present an example of this from possibly the largest FOSS project we have. The Linux Kernel.

On May the 7th 2024 Kees Cook posted to the Linux kernel mailing list about a class of security bugs and laid out some suggestions as to how to fix them. This is what Cook does. He thinks about security bugs within the kernel and thinks about how to reduce the risk overall. Rather than playing whack-a-mole.

Linus Torvalds did what Linus Torvalds does. React without reading the entire proposal. Calls it stupid and threatens to tell everyone else not to listen to Cook because it's a stupid idea.

So to summarise, Torvalds reacts, and in front of the entire list tries to ruin Cook's reputation as a competent coder. Two days later after a careful back and forth driven by Cook, Torvalds grudgingly thinks about it some more. [2]

Torvalds has a history of being abusive on the list. In 2018 Torvalds apologised for his abusive behaviour on the list. Cook even says yes, there is an improvement. The abuse isn't as bad. [3]

It is still abuse, Torvalds hasn't really changed. Torvalds just uses fewer swear words now. Torvalds still attacks proposals on the mailing list. The mailing list still has a reputation for being a toxic space.

Meanwhile, while this abusive behaviour is commented on mastodon by another cis white male programmer, another project leader doesn't see what's wrong with the behaviour. Smaller projects in the meantime have an issue with recruitment for testing new releases and finding the bugs with that. The BDFLs have to appeal for help.

I think these things are linked. Why would anyone who's not a privileged cis male programmer get involved with your project? Why would folks who have faced abuse in their past volunteer to help you out and take your abuse? For free?

Like it or not, what you say in public, or on your community spaces is judged. Folks want a space where they can and work and communicate without having to take abusive communications.

The NixOS community also has its own issues with moderation and a clash between a diverse community, and cis white programmers who despair of the "woke" agenda.

Folks, there isn't an agenda. You have a community moderation issue that will turn into a sustainability issue for recruiting more contributions. You have already had your third most productive contributor leave the project. There are now 2 forks. You have a long-term risk of sustainability if you can't sort out these issues. [4]

STEM has a recruitment problem: Where are the girls?

We have systematic issues with recruitment into STEM in general. To be clear when we are talking about toxic communities and discrimination we aren't criticising specific individuals. We are criticising the systems of community that encourage that toxic behaviour.

We are criticising the behaviour that belittles others, the toxic behaviour of the 10x engineer. Because even 10x engineers need help on occasion. There are two points of view on this.

A project needs meaningful contributions that are technically correct and not hard to review. Projects don't want driveby contributions doing busy work.

What counts as a meaningful contribution is very open to interpretation. Maintainers often do not have the time, or frankly the spoons to look at suggestions, accept patches etc. So it becomes easier to create a culture of telling people to go away. A potential contributor runs the gauntlet and in the end, the contribution is more meaningful because you didn't waste the maintainer's time.

I understand why this could happen. I don't approve.

I see no questions from the maintainers. Asking why the patch was needed. Even when Cook took the time to anticipate the objections, Cook was flamed. The suggestions were rejected out of hand with breathtaking rudeness and a mild swearword. Torvalds has improved. The verbal beatings are a bit less severe on the psyche.

Torvalds doesn't code directly in the kernel anymore. Torvalds is merging in patches. He's a community leader. Frankly, Torvalds needs a filter, he's awful at community communication. [2-3]

Outside looking in

That email exchange over two days reminded me of the hyper-empathy I developed trying to anticipate the mood of my abuser. [2]

Were they in a good mood that day? Were they about to jump down my throat in full-throttled anger? Even before I opened my mouth as a child, I remember being very careful in my body language and trying to read the room. The empathy is very useful to me. But I wish I'd never had the experience of trying to avoid that abuse.

Folks, it's not great when the founder of the largest FOSS project gives off the same vibes as an abuser. It's not a professional-looking environment when the main community leader of that project has a reputation for brutal communication. It's not great when his tactics are emulated by other developers. It's toxic and abusive.

It makes me wonder where else they feel that kind of behaviour is acceptable. At a conference? In a restaurant with servers? It shows a lack of respect for your contributors who at the end of the day are giving you free work. (Even if it's their employers allowing them to do so during work.) You aren't directly paying them, it's free to you.

Show some respect.

People who are on the outside of your projects and who may know technical folks may never recommend your project to work with. Competent programmers may never collaborate with you because of your temper. Because of the fact you consider your abusive behaviour to be acceptable. So the people who keep contributing gradually filter out and you are left with assholes. Your community just cares about the code and the cult of your brilliance. Who do you trust to keep your code safe if you get run over by a bus?

I already wouldn't recommend FOSS to some of my friend's children. The girls because well, not safe. The boys because I don't want them to learn how to be assholes from developers who think that kind of behaviour is acceptable.

When you say you are criticising the code, not the people, that's not true. You may have told yourself that it is true. It's not.

We are our code

You need to acknowledge that you program your values into your software code. The way you code is your thoughts on how to solve a problem or do a task. When you call code decisions stupid, you are calling the coder stupid. You are being abusive. You are negging that contributor. You demonstrate the fact you don't rate their contributions, you don't respect them as people enough to take the time to ask them why they need that code change. It means that past contributors may not want to help you anymore, because they don't want the verbal beatings. They are not encouraged.

The people on the outside, who aren't coders, but like me (Computer Scientist) understand enough about code to know this. When we see you deliberately calling the code moronic, or stupid and threatening to tell everyone to not take a contributor seriously. We see this as abusive behaviour. To try to get an inconvenience to your code view and therefore your worldview to leave.

You show that you are threatened in some way by their contributions and you lash out.

People shouldn't have to slowly gain your trust over years before you take some time to review and ask questions about why a potential contributor made that decision.

People should not have to threaten to fork and leave your project for you to see that some contributors engage in behaviour to put their worldview into a project.

Torvalds clearly demonstrates to the entire Linux Kernel community that he doesn't respect Cook. Or apparently, the thousands of systems that integrate the linux kernel and the fact that the EU has concerns about the software supply chain.

Tech is political

"Tech isn't political," you say. I know you mean "I prefer the status quo, go away."

Some of our FOSS leaders are from a different time in tech and from a very privileged circumstance. Many of our male programmers who started on the Commodore 64 need to realise this is a very privileged circumstance. I am of a similar age. But I didn't know about computers in my backwater town until the age of 12. Neither of my parents considered the Commodore 64 or the idea of programming games etc.

I only learned about computing from the spectrum, playing games in primary school. This was a rare circumstance when the teacher needed us to be distracted or as a reward. Many male programmers of my age and older, had parents who got them equipment and the magazines where you hand-coded in and fixed bugs in the code. I saw the world around me, and as I gained some more limited access to computers I had questions.

"How does the computer know to output what it does to me? How does it know how to do that?"

I chose computing as I wanted to understand how the computer knew to do what it did.

Your next generation of contributors may have started with projects like Raspberry Pi. But some of them did not. So how do you foster in these folks? How do they find you? What kind of community will they find when they look at your mailing list.

Well, the Kernel lore list does demonstrate what kind of toxic community it is quite well. Thank you, Linus Torvalds, for your blistering example. It's not something to be proud of.

How do you get different viewpoints about how your code decisions may factor into human rights violations?

"Tech isn't political," you say. That translates to me as "I don't want to take responsibility for my code. I don't want to think about how my attitude supports the status quo". I don't want to have to think about what I say.

You have to think about how your code interacts with other people's code folks. This is no different. [7]

But I'm not evil I'm doing good work in FOSS

I know some of you are anxious, in case you are judged as a terrible individual. That isn't what we want. However, if you are seriously worried that something you post in the discourse may be used against you in a "cancelling" or you use the word "woke" as a pejorative, perhaps you have some work to do. Perhaps you need to look at your past interactions and think about the people that are missing from your project.

Perhaps you need to consider your place in the patriarchy and why it makes you nervous when non straight, cis, white folks are asking for some thought and consideration. When we are asking not to be abused on list. Listen to folks when they explain why your attitude is abusive. This isn't a free speech issue. It's a freedom of association issue. It's a community safety issue. [5], [7]

If you feel threatened by us, if you fear us stealing your place somehow, take a moment and consider how you've got to that thinking. Did you do that to someone else?

Who's missing? Who did you trample over with your need to defend yourself rather than listen and ask questions without bias?

Which projects are those folks contributing to now? Who's encouraging the next generation to embrace which projects? Why is that? Just why won't folks who go through Outreachy come to help your project? [6]

Why are you so uncomfortable with learning new viewpoints? Ask this of yourself. Please do it in your own time though. I don't have the time or the spoons to validate your need to not think of yourself as a bad person. I know you aren't. But if you keep on harassing folks or being so abusive in the replies, I may revise my opinion.

That opinion will be from how you interact with others when you think I'm not looking. Someone else will be looking, chances are they told me about you and I verified that.

We work around the missing stair, gradually your projects will stagnate in the same tired bullshit.

But we will build our communities, even if the tech and the code we create are technically inferior. It will be a more productive community.

We don't have to take the aggression, so we won't. Frankly neither should Kees Cook have to take the abuse on the list either.

[1] A Few thoughts on FOSS Sustainability -

[2] [RFC] Mitigating unexpected arithmetic overflow


[4] A leadership crisis in the Nix community -

[5] Pop Culture Detective - Patriarchy According to The Barbie Movie

[6] Outreachy

[7] But he does good work -