The Bus Factor: Life for Open-Source Projects After a Developer's Death

30 points by klint 7 years ago | 6 comments
  • chis 7 years ago
    Why not just fork the repo? I’d be annoyed if software I depended on was taken over by new management and messed with with.
    • wink 7 years ago
      I'd say this works 9/10 times - or more, but sometimes it would be nice (or important) - to really hand the exact namespace off to a different person/org.

      This was a solved problem with domain names - but with the de-facto standard of github and projects being "in the namespace of a user" (if they don't create a separate org for this purpose they could then hand off without losing their username) it's a problem again.

      And Go is notoriously bad for this. Had this problem a while ago where one library author just changed his name from uppercase first letter to all lowercase. On a case sensitive filesystem this actually breaks imports :(

    • zbentley 7 years ago
      This was thought provoking. Questions that arise after reading:

      - How do you verify proof-of-death of developers who may be working from an environment where they can't easily separately verify their identities (e.g. house arrest, or people who are working in secret due to legal or cultural barriers to their being OSS engineers)?

      - What happens to people whose death is faked, e.g. by a government wishing to take control of a project in order to introduce vulnerabilities or be an obstacle to further development?

      - What happens when someone dies and people impersonate their family/inheritors in order to take control of their projects for unethical reasons? Given that a lot of the value here is political ("lead maintainer"-type titles) as opposed to physical (data on servers somewhere), are there any laws that affect this behavior? This is a regrettably common phenomenon with non-software inheritances; can developer communities do better?

      - What happens when someone dies who didn't leave instructions for the event of their death, and the legally- or traditionally-entitled inheritors harm their project or otherwise act unethically with it? Is the answer just "fork it" with all of the FUD that entails? Or can something else be done?

      • searls 7 years ago
        Disclosure: I was a developer interviewed and quoted in the piece.

        These are all good questions. I'd suggest that the trickier edge cases you outlined are indeed very tough scruples as they pertain to open source (but also as they pertain to all property & copyright law).

        I would say based on the experience I shared in the article with Jim that it's very likely that a very large proportion of open source contributors have _relatively simple_ situations but near-zero planning in place for the inevitable. The best someone like GitHub could hope to ask for is a death certificate and an executor of the estate being able to produce a document that assigns the rights of digital assets to some named individual. It wouldn't take very long to do (and I did it myself shortly after I had this experience following Jim's passing).

        But even that is a pretty blunt, communication-intense implement. The much, much easier solution for maintainers to simply share access & knowledge as soon as a project gains any amount of significance at all with people they can trust. Platforms like GitHub & npm could introduce pretty simple "inactive account" features that allow named beneficiaries to be added as owners in the event an account goes dark, without needing to bring family & estate attorneys into all this.

        • zbentley 7 years ago
          Thanks for the thoughtful response!
        • sn9 7 years ago
          The solution to many of these questions might be for the "dead-man's switch" discussed in the article to require interacting with an email account with a public/private key system.

          E.g., if someone doesn't log in to an email account after, say, a year, it starts auto-replying with that information suggesting the person might have died or is otherwise incapacitated, setting into motion a process to verify what happened (like just being burnt out on open source development). It could also trigger a similar email to the inheritors of the project.

        • jimaek 7 years ago
          This is something I have tried to address in my own open source project https://github.com/jsdelivr/jsdelivr/wiki/What-to-do-if-I-di...