29

I have been using open-source software, and the open-source community is great at maintaining such projects. But I have observed something in smaller open-source projects.

Whenever I demand some feature or complain about some vulnerability, small or big, there is always someone who says "Instead of reporting/demanding this, why not just create a PR with the demands fulfilled".

So, is it wrong to demand changes in open-source projects? Can't the users demand changes and the maintainers/contributors work on it?

2
  • Comments are not for extended discussion; this conversation has been moved to chat, so please don't continue it here. Also, and not that there have been many so far (three cheers for us all!), but comments that include ad hominem attacks will be deleted out of hand.
    – MadHatter
    Commented Feb 5, 2021 at 13:56
  • 3
    If you are thinking of posting a comment here, then unless it's a request for clarification by the OP (who has clarified a lot of things already) please don't. This is not a discussion forum.
    – MadHatter
    Commented Feb 6, 2021 at 8:35

8 Answers

107

Suppose that I tell you that I require you to cease posting here, immediately come round to my house, and cook me lunch. Your first response might, very reasonably, be "who on earth is this person and why should I spend my time and energy fulfilling his agenda instead of my own?".

It's not that demanding new features in open-source projects is wrong; it's that demanding anything from other people is wrong, particularly from people who have already given their work away to the world, and are continuing to give their time and energy to improve it.

The specific community bargain with free software is that you get the freedoms to run the code, to modify the code, and to distribute both verbatim and modified versions. You are not entitled to anything other than that: not bug-fixes, not new features, not documentation, not support.

That said, most people who write software and give it away are keen that other people should run it, and are interested to hear about how other people use it now and could use it better [1]. But there is a world of difference between being open to community suggestions and being required to service community demands. If the response you've had to previous demands is a polite rebuff that perhaps you should do the work yourself and contribute it back, then my principal surprise is that people were that courteous.

If you decide to approach some project with your suggestions and requests, remember that you do so as a supplicant, hoping that people who owe you nothing will choose to spend further time and effort making the changes you want, rather than someone with any entitlement whatsoever.


[1] Though this is not always true. Sometimes the author views the relationship as strictly one-way: (s)he's giving away what (s)he's made, and as long as you honour the licence, (s)he has no interest in hearing from you, and may take it amiss if you try to get more involved.

2
51

I'm not a native English speaker, but to me "demanding" implies having authority. A policeman can demand that you show your hands; a teacher can demand that the students be quiet. A parent can demand that the children wash their hands before dinner. If you indeed used that word or behaved like the authorities in these examples, you implied having authority over the people you addressed. Since you do not, they find your demand an imposition.

And consider that I'm a German, from Berlin, typically among the rudest people around (Americans feel attacked when we tell them in no unclear terms what they did wrong — something we love — and we have serious communicative trouble with many Asians).

An alternative attitude would be that of making a polite suggestion. A suggestion is constructive: it doesn't focus on the perceived deficiency as much as on a solution (even if only in form, not in substance). Therefore it is less hostile and invites a goal-oriented dialogue.

After reading your complaint about EchoJS's lacking account verification, I suppose that you find it unsalvageable, which means that you don't have any suggestion of how to improve it. In that case you can still ask a question along the lines of "are there any ideas for how to integrate account verification into the existing framework?". That is still more than a complaint; presumably, if your issue is indeed virulent, others are also motivated to solve it, and may join a brainstorming thread instead of becoming defensive.

3
  • So, a naive user should not create an issue unless it's a bug report? In my case, I am a developer, so I might be expected to fix issues, but naive users should also have the environment to raise issues. Commented Feb 4, 2021 at 19:04
  • 33
    @AbhishekChaudhary Well, a naive user typically files a confused observation of an undesired behavior they cannot explain, without demand or suggestion, and without judgement. A smart naive user is also humble from their prior experience of user errors. Commented Feb 4, 2021 at 19:19
  • 1
    Comments are not for extended discussion; this conversation has been moved to chat. PLEASE DO NOT CONTINUE THE CONVERSATION HERE.
    – MadHatter
    Commented Feb 6, 2021 at 6:46
18

It's not wrong to ask for features in open-source projects. Preferably in a gentle and well-educated manner.

Of course, the people maintaining it are under no obligation to fulfill that. Quite often, you might find that they don't implement it right away, but it stays there, awaiting someone motivated enough to do it (this could range from yourself coding it to someone being paid to code that).

And also, there are cases where a request will be outright rejected: not just the cases where the issue is invalid (such as reporting that something is missing that is actually available), but also cases where people request Very Bad Ideas™.

Even if you provide a patch (which would really speed things up), it's possible that it will be rejected, on the basis of the idea itself, or of the way it is being (mis)implemented. Still, open source allows you to use such a patched version for yourself. In some projects it is common to have highly patched versions, which are kept in sync across updates (e.g. mutt). Sometimes this can end up in creating your own fork with the feature you want.

Now, let's take a look at the problematic https://github.com/echojs/echojs/issues/12

It is phrased in a somewhat bitter tone, but it could be a useful report. Up until the point where you post the code to exploit it. I'm not saying full disclosure is always wrong; that's a big debate. However, by doing this you are clearly not making friends with the developers.

As others mentioned, it would have been preferable to send this privately to the developers (through a mail to a designated security email address, directly to them, a restricted issue…).

In this case, I wouldn't consider publishing the description of the vulnerability itself in public a big problem; the implications of "there is no captcha stopping spam accounts" are obvious (and it was probably already on their roadmap). But publishing the code in an open issue tracker in the first interaction comes across as rude. Just saying instead "I have a 16-line proof of concept I can provide you" would have been much nicer.

Now, some communities would prefer that a security issue be disclosed completely in the open. You could do that with Linux with the blessing of Linus himself, although in practice issues found generally go through security (and there are strict limits on embargo times on linux-distros, for instance).

You could have been told, "please share your code" or "I cannot reproduce your claim, could you give us more details". And that would have been a completely different scenario.

And then, there is the big issue that you had been exploiting the vulnerability before reporting (or so they think). In a completely unwarranted way and without authorization.

It's true that from time to time, someone reports a vulnerability and, after being ignored or told it's not a vulnerability, they exploit (not without controversy) that "non-vulnerability" to prove their point (examples include Facebook, GitHub…).

However, exploiting a live, production system, without authorization, much further than would be needed to confirm the issue (which shouldn't be tested there, anyway) and telling everybody how to do further harm… It would be delusional to expect them to be happy about that.

Had you needed to first test the vulnerability, you should have prepared a local install and tested it in that laboratory you own. Or, in some cases, there are public test instances which are explicitly designated as allowing vulnerability testing.

And even if you were (wrongly) testing in the production site, absent explicit consent to do otherwise, the proper action would have been to stop any further action once it's confirmed.

(Additionally, do remember that even attempting to attack a site might be illegal in the applicable jurisdiction.)

This is akin to you telling a car company they should make their cars bulletproof, since a bullet which comes into the hood/bonnet (in an easy way you explicitly detail) makes the motor of the car explode, bursting into flames… through an open letter published in the newspaper… the day after you have been shooting at cars in the city centre all day.


Finally, although it pales in comparison to the above, I would also like to bring attention to a problem with the attitude you showed, such as the final phrases:

The decision is up to you, whether you want to run such a community, or, shut it down, at least temporarily, fix these problems and run it again.

Saying that it's the duty of users to not spam is just transferring the burden. If you refuse to take action now, it's just bad for all users. People can manipulate votes to favour bad posts without ever getting caught.

or in the replies:

I am pretty sure that even without all that exploitation, had I informed you all about this, no one could have cared any less about this issue.

You came angry and confrontational, demanding things from people who don't even get paid for that, after wreaking havoc in the community. That's quite a different scenario from what you asked above. Taking all of that into account, and reading their patient responses, I would consider that your issue was extremely well received by them.

1
  • 1
    Comments are not for extended discussion; this conversation has been moved to chat.
    – MadHatter
    Commented Feb 6, 2021 at 6:41
16

Let's refocus the question to address the security aspect of https://github.com/echojs/echojs/issues/12 (other great answers already address the tone of demanding a fix and calling for a volunteer project to be shut down).

When I complain about some software vulnerability there is always someone who says "Instead of reporting/demanding this, just create a PR".

I've never seen a software project say, "You fix it!" after somebody reports an in-scope security vulnerability. OTOH, they'll probably say "You improve it!" if you make a feature request.

Either

  • they care about the security of their users and they will take responsibility to fix it, or
  • they've decided that security is an out-of-scope feature, and your security report is actually a feature request to increase security (and a bug report against their docs, which should call out security limitations -- thanks @supercat!)

So, is it wrong to complain about some software vulnerability in public forums?

Yes. If you're going to communicate about security vulnerabilities without straying outside the law [1], you have a responsibility to know about Responsible Disclosure. Google has a short policy, easy to read.

Echo JS doesn't have a fancy GitHub template educating you about avoiding unethical hacker behavior, but let's take a look at what happens when you report an issue at another project:

[Image: New issue dialog with the choices "Bug Report" or "Report a security vulnerability"]

That linked Security Policy says:

Security issues and bugs should be reported privately to the Microsoft Security Response Center (MSRC), either by emailing [email protected] or via the portal at https://msrc.microsoft.com.

Please do not open issues for anything you think might have a security implication.

That's good advice for every GitHub repo you interact with: Please do not open issues for anything you think might have a security implication.


[1] In the US, I don't know of criminal laws against sharing vulnerabilities, but you don't want to end up in a civil lawsuit proving you aren't responsible for claimed damages. E.g. Facebook's Responsible Disclosure promises that "Facebook will also not pursue legal action for against you for clear accidental or good faith violations of its policy or these terms.", which I think clearly implies what irresponsible disclosure might lead to.
1
  • Comments are not for extended discussion; this conversation has been moved to chat.
    – MadHatter
    Commented Feb 7, 2021 at 18:55
10

Yes, it is wrong to demand anything of open source projects.

Open Source developers tend to first and foremost implement features or work on bugs that are relevant to themselves; and secondarily they will work on features that bring the software further along because the changes are useful and "good" (subjectively speaking, in the opinion of the developer). Also, unless they are very mellow people, they react quite fiercely towards demands.

So the correct way to reach your goal is to lead the developers to want to have the feature you're interested in.

That means: create a ticket or user story in their bug/task tracking system, and explain what happens (or what does not happen), why you would like it to change, and what the benefit for everybody is.

When explaining why you would like it to change, do not be purely personal - this is not for your own sake; but use your own case as merely an illustrative example why the feature would be useful to many people.

6

I'm not sure you (for whom English is presumably a second language) understand what the word "demand" means:

to ask or call for with authority : claim as due or just

If, however, English is your first language, then you're being a rude and presumptuous jack a$$ for demanding that someone else do something for you for free.

5
  • "You should do this" Is that a demand? Commented Feb 6, 2021 at 8:01
  • 2
    @AbhishekChaudhary it can be; English has a lot of nuances. One of the definitions is merriam-webster.com/dictionary/should "used in auxiliary function to express obligation, propriety, or expediency" If someone said, "you should add this functionality", my reply, would be "maybe, but this is my software; I scratch my own itches. If you think something should be done, and I don't, then you do it."
    – RonJohn
    Commented Feb 6, 2021 at 8:18
  • 3
    @AbhishekChaudhary two aphorisms to live by: #1 "do unto others as you would have them do unto you"; I'm sure Hinduism (it's a guess; correct me if I'm wrong!) has a similar concept, and #2 "you attract more flies with honey than with vinegar".
    – RonJohn
    Commented Feb 6, 2021 at 8:22
  • Correct guess, but I don't think Hinduism has anything to do with this. Definition apart, when I say something should be done, I mean that doing so will be really great. If I don't have the authority, then saying that should not sound rude either. If it were some plain feature request, then it's understandable, but these are serious necessities. Commented Feb 6, 2021 at 10:43
  • 3
    @AbhishekChaudhary "when I say something should be done, I mean that doing so will be really great". Then say that, instead: "It would be super-useful if the program had this feature", or "this bug is preventing me from using what is otherwise useful software". The difference in tone is substantial.
    – RonJohn
    Commented Feb 6, 2021 at 18:28
3

Is it wrong? Who knows - that depends very much on personal position.

Is it helpful? I'd argue not. If you're not writing the code yourself, you need to persuade someone else that they want to make the changes.

A time-honoured means is to offer payment - but don't assume that alone will convince anyone, no matter how large the amount.

A more constructive way (assuming you have the capability) is to propose a patch - and be prepared to accept criticism and update the patch before it's accepted.

The weakest way is to suggest that a change would improve the code and hope that the maintainer agrees strongly enough to implement that change herself.

Demanding a change would very likely just be ignored (or at best, politely rebuffed) in most development communities I've seen.

2

So, is it wrong to demand changes in open-source projects?

Yes, it is wrong.

The maintainer(s) of the project don't owe you anything. They are under no obligation to do what you want.

Consider this analogy. Alice makes chocolate chip cookies for her family every Friday and she makes some extras to give to folks in the neighborhood. Bob loves Alice's cookies, and one day Bob tells Alice "I like cookies with walnuts, and I'd like the cookies to have walnuts on them." Alice explains that her family likes them without walnuts, but she would be happy to give Bob the recipe so he can make his own. She doesn't know if the recipe would work with walnuts, but it's a good starting point. Bob doesn't like this answer. He tells Alice again that he expects her to make cookies the way he likes them.

I think we can agree that Bob is out of line for expecting Alice to change how she does things for him, much less demanding it. So too it is with open source maintainers and users.

5
  • This analogy is for a typical open-source project where people request features. Now suppose the cookies contain some potentially hazardous ingredient and she is unaware of that; you demand that she not use it. Though you can decide to stop having her cookies, it's your moral responsibility to let her know and force her to inform everyone who is eating her cookies that they contain such an ingredient. If she continues to distribute them, you have the right to demand the changes. An open-source community without spam protection is one such example: it's hazardous, and changes can be demanded. Commented Feb 9, 2021 at 3:35
  • What I'm seeing is that you didn't actually want opinions unless they matched yours. Commented Feb 9, 2021 at 4:58
  • Your answer is correct that we shouldn't demand anything. I am talking about a different case, when there is some vulnerability which is very obvious. It's their moral responsibility to fix that, and the users have the right to demand that. They can choose to not use the software, but I don't feel it's wrong to demand a fix for the vulnerability. Commented Feb 9, 2021 at 5:18
  • 1
    "I don't feel it's wrong to demand a fix in the vulnerability." Then it seems like there was no reason for you to post this question. Commented Feb 9, 2021 at 5:47
  • 1
    The question was already answered: don't demand, just request. That's enough opinion for me. Commented Feb 9, 2021 at 6:02
