embedding-shape a day ago

Additional context from the original author of syncthing-android, Catfriend1: https://forum.syncthing.net/t/does-anyone-know-why-syncthing...

sevg a day ago | parent [-]

Thanks for sharing this.

I thought this comment was strange at the end of Catfriend1’s post:

> I’ll review the progress from time to time and if I find anything malicious going on, I’ll let you know here.

That’s absolutely not something you say when you trust the person you’re handing things over to :s

bgbntty2 a day ago | parent | next [-]

Seems like a statement to reassure users who don't necessarily have any trust in the new maintainer. And even if the users trust the new maintainers, it's better to have the reassurance of the previous maintainer on top.

Trust is not transitive, nor should it be. We (the users) trust the previous maintainer. They trust the new one. We don't (naturally). The old maintainer says they'll review the new one's work, so we'll have to trust the old maintainer (mostly).

Not that the whole trust system can't improve in various ways in general. But for now we have to trust someone.

sevg a day ago | parent [-]

> Seems like a statement to reassure users who don't necessarily have any trust in the new maintainer.

The statement didn’t seem reassuring.

It’d have been reassuring to hear something like “This person has been a committer for X period, and has demonstrated Y and Z.”

> They trust the new one.

Well my point is it doesn’t sound like they actually do trust the new maintainer. Maybe just poor choice of words, but it didn’t fill me with confidence.

altairprime a day ago | parent | next [-]

‘I’ll keep an eye on the project and speak up if I discover my trust was misplaced’ is a kind reassurance to the anxious community, but anxiety will just use it as a launchpad for more anxiety. Nice of them to try, though.

I suspect a lot of folks would be horrified at how typical the former maintainer’s approach to trust is in actual reality. It ends up being necessary because there are maybe a single digit number of people in the world who are willing to commit to long-term project maintenance (beyond their own pet peeves, anyways) at all, and with the general hostility towards compensating anyone for their work in software, it’s not like a maintainer can afford to hire and develop a protégé. This is how maintainership worked in CPAN for decades and, barring a culture shift towards paying project maintainers for their maintenance effort, it’s how it’s going to continue working in most projects as us maintainers grow tired and fade out.

bgbntty2 a day ago | parent | prev [-]

I agree - the statement could've been much more convincing. But it's above the threshold for me.

Although I agree if the new maintainer had some creds, it would've been better to use them in a similar reassurance like in your example. But it's hard to really vouch for someone, even if they've made X commits for the past Y years, etc. Lots of examples here.

If it's still a random/(pseudo-anonymous) account you're trusting, unless there have been some real life appearances or if it's an account that's been proving itself for years, you can only trust them so much.

Basically I agree the message could be interpreted as "I don't trust them, so I'll be on the lookout for anything malicious", but, honestly, at first I just read it as "I trust it, but you can't really trust anyone, so I'll still be on the lookout".

PurpleRamen 16 hours ago | parent | prev | next [-]

There is an uncounted amount of trusted people who turned to malice, especially in vulnerable situations. Even if someone initially was trustable, they can always have a change of motivation for whatever reason. And that's leaving out accidental fuckups turning harmful. At this point it's clear that even in open source, blind trust can be harmful long term.

sneak a day ago | parent | prev [-]

Lack of trust is not the same as distrust.

sevg a day ago | parent [-]

I didn’t mention “distrust” in my comment :)