Rob Mensching

@robmen

Followers
2,725
Following
92
Media
234
Statuses
9,480

@firegiantco CEO & Co-Founder | Benevolent Dictator of @wixtoolset | for more information

Redmond, WA USA
Joined March 2008
@robmen
Rob Mensching
7 months
Lots of analysis of the xz/liblzma vulnerability. Most skip over the first step of the attack: 0. The original maintainer burns out, and only the attacker offers to help (so the attacker inherits the trust of the project built by the maintainer). Read their words👇🏻 1/
40
1K
6K
@robmen
Rob Mensching
7 months
This thread is a microcosm of the interactions in Open Source projects. Consumers make demands (some polite, some not-so-polite) of one maintainer (rarely two) who does everything. This is the way it works. End of line
18
98
1K
@robmen
Rob Mensching
7 months
Maintainer also reminds everybody how the world's software is built now. "It's also good to keep in mind that this is an unpaid hobby project" - 8/
5
50
1K
@robmen
Rob Mensching
7 months
We start with a reasonable request asked reasonably. But it will force the maintainer to address his "failings" (I know how this feels). "Is XZ for Java still maintained? I asked a question here a week ago and have not heard back." - 2/
2
20
827
@robmen
Rob Mensching
7 months
Aside: Given that the xz/liblzma vulnerability looks like a purposeful attack by "Jia Tan" should "Jigar Kumar" be considered an accomplice by actively encouraging the original maintainer to give up? Not sure? We'll see this unhelpful consumer "Jigar Kumar" again soon. 6/
7
24
821
@robmen
Rob Mensching
7 months
Maintainer acknowledges he's "behind" and struggling to keep up. "Yes, by some definition at least, like if someone reports a bug it will get fixed. Development of new features definitely isn't very active. :-(" - 3/
1
12
739
@robmen
Rob Mensching
7 months
Oh, and we are introduced to our attacker, in the same message. "Jia Tan has helped me ... and he might have a bigger role in the future ... It's clear that my resources are too limited ... so something has to change in the long term." - 4/
1
19
718
@robmen
Rob Mensching
7 months
Unhelpful consumer says unhelpful things "Progress will not happen until there is new maintainer. ... The current maintainer lost interest or doesn't care to maintain anymore. It is sad to see for a repo like this." - 5/
2
17
716
@robmen
Rob Mensching
7 months
Maintainer defends himself. This situation is not uncommon. 😢 "I haven't lost interest but my ability to care has been fairly limited mostly due to longterm mental health issues but also due to some other things." - 7/
2
15
715
@robmen
Rob Mensching
7 months
Unhelpful consumer returns _a week later_. "You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?" - What purpose does this serve? 9/
4
9
674
@robmen
Rob Mensching
7 months
The email thread ends. The complaining consumers offer no help and continue to make demands. Only the attacker is left. "Jia Tan may have a bigger role in the project... He has been helping a lot off-list and is practically a co-maintainer..." - 13/
1
21
626
@robmen
Rob Mensching
7 months
Maintainer explains the reality. "Finding a co-maintainer or passing the projects completely to someone ... it's not a trivial thing to do. For example, someone would need to have the skills, time, and enough long-term interest..." - 12/
2
12
608
@robmen
Rob Mensching
7 months
Reasonable requestor (from the top of thread) demands more too. "I am sorry about your mental health issues, but its important to be aware of your own limits. I get that this is a hobby project for all contributors, but the community desires more" - 10/
3
8
549
@robmen
Rob Mensching
7 months
No-longer-reasonable requestor offers suggestions but no help. Consumers just consume. "Why not pass on maintainership for XZ for C so you can give XZ for Java more attention? ... Trying to maintain both means that neither are maintained well." - 11/
3
12
547
@robmen
Rob Mensching
7 months
Tweets unrolled with a bit more commentary at
5
15
403
@robmen
Rob Mensching
7 months
@AndyDentPerth Maybe important for an attack, but burnout is a more common problem than most seem to realize. It's all failure with varying degrees of negative outcome. It's a problem I think we should solve. Note: I've not yet bought the conspiracy theory that these people cooperated.
5
7
367
@robmen
Rob Mensching
7 months
Heartbleed was a mistake. xz/liblzma looks malicious. What do they have in common? Unsupported maintainers.
5
54
357
@robmen
Rob Mensching
7 months
In case you thought my story about maintainer abuse was at all made up. This was posted just five minutes ago.
13
31
326
@robmen
Rob Mensching
3 years
I feel sick to my stomach right now. In the last two weeks, someone at @dotnetfdn moved @wixtoolset into the .NET Foundation's private GitHub Enterprise. They did so after I explicitly told them I did not trust them enough to make them an admin in our project. I feel betrayed.
14
60
272
@robmen
Rob Mensching
7 months
@rjrodger 200 companies paying $500/year to a project with a single maintainer is a $100,000 salary for the maintainer. Slide those numbers around based on the importance of the project and I think there are very reasonable futures. 100 x $50 = $5,000; 500 x $100 = $50,000; etc.
12
6
116
@robmen
Rob Mensching
7 months
@barnson Also, notice that this abusive consumer demands a four-year-old build with a known security vulnerability because it is included in some project's or product's build that I've never interacted with. This interaction is wrong at every single level.
1
4
108
@robmen
Rob Mensching
8 years
For @barnson RT @terminalbreaker Now that's how to deploy software.
1
98
103
@robmen
Rob Mensching
3 years
Posted "How the .NET Foundation kerfuffle became a brouhaha" at
11
38
100
@robmen
Rob Mensching
7 months
Here is a snapshot of the whole page for posterity in case the abusive consumer chooses to delete their comment (as they should):
2
0
96
@robmen
Rob Mensching
7 months
@uniquponym That's scarily possible. But the fact remains we have a maintainer sustainability problem right now.
0
1
86
@robmen
Rob Mensching
7 months
The only real question is: How do I respond, if at all? (Wrong answers appreciated, especially if they are funny)
26
0
77
@robmen
Rob Mensching
7 months
Notice there is a very clear and simple message from my co-maintainer @barnson explaining why the build was removed.
1
0
74
@robmen
Rob Mensching
6 months
@WithinRafael Ouch. Owned on the oldest CVE in this domain. I wonder if .NET provides enough control for executables to work around these attack vectors.
6
0
70
@robmen
Rob Mensching
7 months
A Microcosm of the interactions in Open Source projects
1
15
55
@robmen
Rob Mensching
7 months
@SheaZerda @SwiftOnSecurity Correct. You are not missing anything. You understand perfectly. It is not complicated. :)
1
0
49
@robmen
Rob Mensching
7 months
@GMcHorseman I've heard the conspiracy, but I haven't seen the proof... yet. In the end, that fact only matters for this attack (which is dramatic all by itself). The interaction (even if manufactured) between the consumer and the maintainer is all too common in OSS projects.
2
0
45
@robmen
Rob Mensching
2 years
@timsneath Office has always maintained its own UI Stack. Teams went a tad bit rogue to get into the market fast. This is Teams aligning to the Office web stack (React). That is part of why it's faster. Office doesn't mess around with UI perf. Now I wish they'd fix their ugly dark mode. :)
0
0
43
@robmen
Rob Mensching
7 months
The challenge with money for OSS maintainers is that one time donations do not provide stability. Say I get a one time $5,000 gift. I could buy some really nice hardware once. It will not sustain me year over year. However, if 100 companies pay $500/yr then I have $50,000/yr.
@lorenc_dan
Dan Lorenc
7 months
I spent a few years at Google and the OSSF literally trying to give money to OSS maintainers, and I can confidently say funding won't fix these problems. We had more money than we could possibly give away. This is not a funding problem, sorry. These takes are wrong and
40
30
376
4
3
41
@robmen
Rob Mensching
2 years
@davidfowl Defense system instituted after the first time a laid off employee retaliated. I found that large systems evolve to protect against low chance/high damage situations because Law of Large Numbers suggests they will/have seen it. This is a major reason I enjoy my small company.
1
0
39
@robmen
Rob Mensching
2 years
WiX v4 is getting closer. The bugs are getting fewer and smaller. Yesterday, I fixed 7 of the 8 bugs for v4-rc.3 (and the last bug is an error message improvement). There will be a WiX v4.0.0-rc.4. But RTM might be the build after that. Definitely getting closer.
2
8
34
@robmen
Rob Mensching
1 year
Here's wishing @kzu the best today. He's taking a lot of arrows for OSS Maintainers right now. Note: I'm not saying I agree with his approach, but I told you all OSS Maintainers were going to start fighting back this year. Veruca Salts' now finding out.
1
5
37
@robmen
Rob Mensching
3 years
@stephenrwalli @Carnage4Life I don't understand why a manager would say they will hire someone but not make the time to help the new hire improve. Red flags aplenty.
1
0
37
@robmen
Rob Mensching
2 years
@JeremiahOshan If you have any voice, please, please, please request a "spoilers free" mode and make it work on Windows browsers. I would watch 300-800% more minutes if the scores and goal celebrations were not ruined by scrolling around looking for games to watch.
3
1
34
@robmen
Rob Mensching
2 years
In case it wasn't clear from earlier tweets, WiX v4 was successfully released today.
6
7
31
@robmen
Rob Mensching
2 years
Yeah, don't hire these people. They can't get the logo for their services right. It's pretty embarrassing. I've asked them to remove the WiX Toolset logo.
4
2
26
@robmen
Rob Mensching
7 months
My follow-up post with some recommendations on how Open Source maintainers could be supported.
2
2
27
@robmen
Rob Mensching
7 months
@IanYates82 @rjrodger Some companies provide teams with a morale budget to be used as the members of those teams see fit in "team-building exercises." One option might be for companies to provide teams "sustainability budgets" to distribute to their OSS dependencies as those teams see fit.
2
1
27
@robmen
Rob Mensching
1 year
@davidfowl Not microservices per se, but all web functionality (sites, fns, apis) is in one repo with CI/CD yaml files that build+deploy the correct web functionality based on what directories changed.
2
0
22
@robmen
Rob Mensching
5 years
@LIVESounders LAFC just met Raul.
0
3
20
@robmen
Rob Mensching
7 months
@terrorobe @badlogicgames I wasn't talking about the attacker, the current "maintainer". I was talking about the original maintainer.
1
2
20
@robmen
Rob Mensching
6 months
You need to support your OSS maintainers. I'm especially talking to the companies. OSS maintainers of projects you depend upon are shadow employees that you ignore.
@buffys
6 months
what opinion will you defend like this?
1K
156
2K
0
0
18
@robmen
Rob Mensching
3 years
I joined a new team at MSFT (the BIG team) which planned to use: C#. To learn this brand new language I rewrote @wixtoolset v1 from VBScript to C#/.NET 1.0 in a couple weeks. A year+ later WiX v2 was released as MSFT's first OSS project. Now bringing WiX v4 to .NET 6.
@maartenballiauw
Maarten Balliauw @[email protected]
3 years
With 20 years of .NET, what was the first version of .NET you worked with, and what did you build?
355
19
186
1
0
16
@robmen
Rob Mensching
7 months
@jacobheider We don't run it. We just support it. People who run the world get paid. People who maintain the world get ignored.
1
2
15
@robmen
Rob Mensching
3 years
@Carnage4Life My understanding is that there are "movie business" companies that provide cash as props. You basically "rent" money to make your movie/music video/YouTube clip. I think I learned that from 50 Cent on Colbert. 50 was discussing how much "posturing" was necessary in his work.
2
2
15
@robmen
Rob Mensching
7 months
What could be done to support Open Source maintainers?
3
2
15
@robmen
Rob Mensching
9 years
@terrajobst A few hours work. Functional and looking alright (if I do say so myself).
4
9
15
@robmen
Rob Mensching
3 years
@richardjfoster @dotnetfdn @wixtoolset Your last sentence is the part I just can't get over. My distrust was just a feeling built up over years of neglect and churn. Now... this.
1
0
14
@robmen
Rob Mensching
2 years
Serious question: WinXPSP2 runs **extremely** well on modern hardware (it is so fast). So, what feature(s) in a later release of Windows is worth the performance difference? (Not security fixes, let's assume those would be fixed if WinXP was in service).
12
1
14
@robmen
Rob Mensching
1 year
I'm glad @kzu is sticking to SponsorLink and tackling its issues. Would I use SponsorLink? No, not my jam. Do I think SponsorLink is a good idea? No, I wouldn't recommend it. But I might be wrong. Maybe it is a good idea. So I am glad @kzu is still working on it to find out.
2
1
14
@robmen
Rob Mensching
2 years
Fun fact: This cake for the OSS release of WiX was made by my girlfriend at the time. A couple years later, she was my wife. In honor of nostalgia, today's Deployment Dojo will be an "Ask Me Anything". Join live or Tweet questions @ me here.
@wixtoolset
WiX Toolset
2 years
Today is the 19th anniversary of our release as an Open Source project. It's also WiX v4 release day. Feels like getting two birthdays in one day.
2
10
47
7
2
14
@robmen
Rob Mensching
6 months
Not strictly true. We've done the work in WiX Toolset to harden our installation executables so that they are safe, because they are often run straight out of the Downloads folder or a Temp folder. But it takes work to do so.
@wdormann
Will Dormann is on Mastodon
6 months
Reminder: It's never been safe to run a program out of a directory that contains other untrusted files.
2
31
130
2
2
14
@robmen
Rob Mensching
7 months
By the way, Maintainers, may you be as lucky as I was to find a co-maintainer like @barnson. I don't know what my mental state would be after two decades of maintaining an OSS project if I didn't have him to commiserate with.
0
0
14
@robmen
Rob Mensching
3 years
@rickasaurus @GeoffreyHuntley @dotnetfdn @wixtoolset Also, while I'm sure it's technically possible for .NET Foundation members to call up GitHub employees and ask them to transfer ownership of GitHub projects, I'm pretty confident that GitHub would never entertain that thought since it would destroy all of *GitHub's* credibility.
2
0
14
@robmen
Rob Mensching
7 months
@timk519 @JoshuaSteinman Maybe. It also reads like a bad day at the "Open Source office". That's the problem.
1
0
14
@robmen
Rob Mensching
2 years
@jeanqasaur Azure AD B2C
2
0
13
@robmen
Rob Mensching
3 years
@dotnetfdn Alternatively (or additionally!) buy support directly from a company that employs the maintainers of the OSS projects you depend on. You are directly supported. Project is directly supported. Everyone benefits. Sustainable OSS.
1
0
13
@robmen
Rob Mensching
7 months
@GMcHorseman I think it takes more patience than skill.
0
0
13
@robmen
Rob Mensching
2 years
The WiX v4.0.0 build process is underway. Even though I've already done 6 pre-releases, this build feels a touch surreal. Taking me back to where it all started back in 1998, @crystalmethod's Vegas is my co-pilot today.
3
2
12
@robmen
Rob Mensching
3 years
@rickasaurus @GeoffreyHuntley @dotnetfdn @wixtoolset My mistake was to grant the .NET Foundation admin access to our organization to fix a problem with their CLA bot. We didn't notice they moved us to the .NET Foundation GitHub Enterprise account underneath.
1
1
12
@robmen
Rob Mensching
6 months
Patrik is too kind here. He blurred the username. I don't know what it's going to take to beat the entitlement out of OSS consumers but it is past time. I am so over it. My new battle cry: "AS IS"
@firstdrafthell
Patrik Svensson (@[email protected])
6 months
Buddy, we don't have to provide anything. (but work on this is in progress)
10
3
101
1
0
12
@robmen
Rob Mensching
2 years
Of course, I am the one with a major release in 4 days. April 5th is WiX v4 RTM and that is no April Fools' Day joke.
@robmen
Rob Mensching
2 years
@Perksey @terrajobst @bretajohnson Today **is** a good day to write your own code and ignore the rest of the world.
0
0
3
2
2
11
@robmen
Rob Mensching
1 year
I can't believe I've been running FireGiant (10) for almost as long as I was at Microsoft (12). It feels more like 3 years have passed, not 10. There is still so much more to do. Exciting times.
@firegiantco
FireGiant
1 year
We were so focused on finishing WiX v4.0.1 (and some cool new stuff coming soon) that we forgot yesterday was our 10th birthday. A new release of WiX is a great way to celebrate. On to the next 10!
1
1
4
1
0
11
@robmen
Rob Mensching
3 years
@phillipsj73 @peteri @dotnetfdn @wixtoolset To be fair, I felt it was mostly drama myself (I called it a "maintainer kerfuffle" after all) until it turned into an existential threat to my project *and* my company. But for the unaffected: listen, learn and, in the end, search out the truth.
0
0
11
@robmen
Rob Mensching
7 months
I love to see so many people publicly coming to the same conclusion. This one is snarky. I love it. I tried diplomatic in my blog post
@ReinH
Senior Oops Engineer
7 months
I too can't believe that these people you don't pay aren't doing the job you want them to do
4
67
880
1
0
11
@robmen
Rob Mensching
2 years
@camilomoresala @bessiec @Carnage4Life No offense but almost every single word in your response reinforces the "attitude they think they know better than customers". In my company, support assumes the customer is correct. Our responsibility is to discover the root cause, not demand specifics until the customer does.
1
0
11
@robmen
Rob Mensching
7 months
And those 100 (or more) companies are the ones that want your project to succeed the most. The relationship is naturally, mutually beneficial.
1
0
11
@robmen
Rob Mensching
3 years
Yeah, cause I was just sitting on the sofa. Comments like that make me want to take the whole month off. Comments like that certainly don't make me want to help them.
2
0
10
@robmen
Rob Mensching
7 years
Why as an existing customer do I pay more than a new customer? Seriously considering switching Internet providers every 12 months.
5
0
10
@robmen
Rob Mensching
2 years
Okay, I think I'm finally prepared to admit failure. I'm giving up on Azure B2C. I'm going back to passwordless authentication using OTPs over email.
5
1
10
@robmen
Rob Mensching
2 years
@terrajobst A 9 year old C++ programmer? How is this guy not over the moon impressed by his kid?
3
0
10
@robmen
Rob Mensching
7 months
After the release today, I considered writing some thoughts about the state of OSS maintainership in light of the Hashicorp+Redis events. Now there is this exploit, exposed by the burnout of a maintainer. Things are breaking. I'm afraid we're not looking at the right problems.
@naderman
Nils Adermann
7 months
The sad part about today's xz/liblzma discovery is that again critical infrastructure was maintained by overworked volunteers without sufficient assistance or support. We, as professional software engineers, or even we, as society, relying on their volunteer work, failed them.
2
26
129
0
2
10
@robmen
Rob Mensching
5 months
@dustinmoris Except it does serve to preserve the quoted tweet should the original author delete it. That's been important more than once.
1
0
10
@robmen
Rob Mensching
8 months
@dustinmoris This is a bad take. It is too much of a conspiracy theory and requires way more coordination than Microsoft applies to the .NET Foundation. The lack of attention (in general) is _actually_ the problem.
0
1
10
@robmen
Rob Mensching
7 months
@RachelTobac My hope is that this discussion leads to experiments to find some "OSS sustainability" solutions.
1
0
9
@robmen
Rob Mensching
7 years
@tjholowaychuk serverless == (autoscale + no idle costs). I *really* like that definition.
0
0
10
@robmen
Rob Mensching
2 years
@JeremiahOshan Bring Arlo back to the Sounders! He is IMHO the absolute best soccer commentator ever. I listened to podcasts of him calling the Sounders games I watched in stadium, he is that good. :)
0
0
10
@robmen
Rob Mensching
6 months
@ardalis @citizenmatt Oh, if you've never used them, you're in for a treat. They are so much nicer than .sln files. Check out:
1
5
10
@robmen
Rob Mensching
3 years
Should the foundation proactively list companies that develop and support their OSS projects (ie FireGiant for WiX Toolset)? These companies provide a very direct route to project sustainability. I'm biased (duh). What do others think?
@dotnetfdn
.NET Foundation
3 years
❓Does your company use #opensource software? 🔥Are your software assets reliant on #OSS ? 🕳️Do you wonder how your company would survive without #OSS ? If you answered YES to any of these questions, check out .NET Foundation Corporate Memberships:
2
2
3
1
5
10
@robmen
Rob Mensching
5 months
@jeremydmiller I'm on a huge break myself. I don't have a timeframe where I see myself going back to provide free assistance. Something snapped. I feel taken advantage of now. My new answer (if I feel like typing it) is: It's open source. Read the source code or buy a support contract.
0
0
9
@robmen
Rob Mensching
2 years
Now *IS* the time...
0
2
9
@robmen
Rob Mensching
7 months
@IanYates82 @rjrodger In other words, @IanYates82, I'm agreeing with you. :) We need to pay some attention to the problem and experiment with different solutions to see which can work. Right now, nothing is being done.
1
0
9
@robmen
Rob Mensching
8 years
Released gitsetup v2.11.0
0
0
8
@robmen
Rob Mensching
2 years
Just because you delete a GitHub issue doesn't mean nobody saw it. Email notifications go out with the issue's full text as soon as it is opened. Project maintainers probably have notifications turned on for their projects. Do not insult those you seek help from.
2
3
9
@robmen
Rob Mensching
7 years
Posted "WiX Toolset v3.11 Released" at
1
9
9
@robmen
Rob Mensching
2 years
@dustinmoris @timsneath It is entirely possible that the Office UI team is larger than any of those UI teams in DevDiv. :) The Office UI stack is used by a suite of multibillion dollar apps. They are not messing around. They also don't tend to share.
2
0
8
@robmen
Rob Mensching
6 years
Haters gonna hate but @github is Microsoft's best opportunity yet to show that their Open Source transformation that started in 2003 is real. I don't know if this acquisition done well will be enough to silence the haters but done poorly it will do immense damage. #NoPressure
2
4
9
@robmen
Rob Mensching
3 years
@Aaronontheweb @richardjfoster @dotnetfdn @wixtoolset Yes, yes. Blog post in the morning (trying to summarize everything so I don't forget in the future).
1
0
9
@robmen
Rob Mensching
1 year
@jarredsumner @getsentry Entitled users doubling down on acting entitled. These users do NOT like it when something challenges their take-all-give-nothing approach to consuming open source.
0
0
9
@robmen
Rob Mensching
2 years
To be clear, this is it. This was the final RC for WiX v4. RTM is less than three weeks away. If you find an issue, do file it. But know that it's late and we're only taking showstoppers into WiX v4 now.
@firegiantco
FireGiant
2 years
WiX v4 RC4 and next HeatWave Preview Available
0
3
1
0
2
9
@robmen
Rob Mensching
7 months
@mjasay I implore you, @sogrady , @adamhjk , @IanColdwater , and any other Open Source thought leader to delay your debates on the definition of open source and put this maintainer support problem front and center. Please use your broad platforms to explore real solutions. 👇🏻1/
@mjasay
Matt Asay
7 months
"High priority" but unwilling to pay (or, as shown below, not much). Folks, this is not the right way. Forget license changes: think about supply chain.
1
3
19
1
1
8
@robmen
Rob Mensching
1 year
@terrajobst I think I'm looking for the impossible. I was hoping you found a way to push back in such a way that they understood the approach they took was wrong, whether or not their allegations were true, such that everyone would change their behavior. :)
4
0
9
@robmen
Rob Mensching
4 months
@adamdotdev Seems like something they get to decide. If others are uncomfortable with it, they don't need to use any of those 400 packages. Seems more like something to not generalize.
4
0
9
@robmen
Rob Mensching
2 years
Restart handling is some of the most tedious parts of setup development work.
3
0
8
@robmen
Rob Mensching
6 months
@david_whitney @henriksen @csharpfritz @dustinmoris FYI: traversal projects address bullets 3, 4, 5. They are better than .sln files in all ways and have nothing to do with VS. With education, traversal projects also solve 6. :) The one downside is traversal projects cannot be opened by IDEs. That's fixable (by the IDEs).
1
0
8