[Haskell-cafe] Future of package cryptonite

Tue Mar 16 00:19:16 UTC 2021

Hi Ximin,
Cc: haskell-cafe

According to the mail archive[1], your messages are not delivered to
haskell-cafe. So, I'm citing your response below.

[1] https://mail.haskell.org/pipermail/haskell-cafe/2021-March/

--Kazu

From: Ximin Luo <infinity0 at pwned.gg>
Subject: Re: [Haskell-cafe] Future of package cryptonite

> Sven Panne:
>> Am Mo., 15. März 2021 um 01:17 Uhr schrieb Kazu Yamamoto <kazu at iij.ad.jp <mailto:kazu at iij.ad.jp>>:
>> 
>>     We should also take care of "memory", "foundation" and "basement".
>>     No action is taken for over a month to
>>     https://github.com/haskell-foundation/foundation/pull/549 <https://github.com/haskell-foundation/foundation/pull/549>
>> 
>> 
>> Somehow I'm getting more and more allergic to all these hasty unwarranted "I want to take over package XY" requests. The last release of cryptonite was less than 7 weeks ago, a PR for foundation was not merged within 5 weeks, etc. etc.  For god's sake: If you are in such a hurry, just fork locally! Or even better: Give the maintainers a huge pile of $$$, most of them are doing their stuff in their spare time, so you can't expect SLAs where you would have to spend 5 digit sums as a company. Or you can fork visibly on e.g. GitHub under a different package name and let other people decide which variant to take.
>> 
> 
> The cryptonite bugfix release in January is the *only* activity on the package for many months. As I understand from Kazu, Vincent has personally decided to quit, he just has not publicly announced it (nor made any other communications).
> 
> So this bugfix release seems more of a "I guess I should really do the minimum to stop possible harm", rather than performing expected maintainer duties & making progress on the overall Haskell ecosystem.
> 
>> "Taking over" a package can almost be seen as robbery from the point of view of the original author, and it is actively discouraging people to make their code Open Source. We should be much, much more sensitive in the Haskell community, I haven't seen such things in other language ecosystems.
>> 
> 
> Haskell as an ecosystem is much smaller than other language ecosystems, and maintainers of key libraries like cryptonite going AWOL is unfortunately more common. Given that, it is expected to see more requests like this.
> 
> Implicit in all of these requests is that, if the original maintainer restarts their normal maintainer activities, they can immediately re-exercise their maintainership activities and previous access.
> 
> Package namespaces are a shared resource and its consequences affect everyone, and so "ownership" is not as simple as "who got it first". That is why we have a package takeover process in the first place. [1] One extreme case outside of Haskell would be the left-pad npm example. Nobody is taking away copyrights, licenses, or source code away from anyone; nobody has the power to do that.
> 
> [1] https://wiki.haskell.org/Taking_over_a_package
> 
>> Having said that, I think that a few projects are blocked by stack issues before they can support GHC 9.0. It would be great if things would be released more in lock-step, I dream of a world where a new GHC comes out in sync with cabal, stack, Stackage, Haskell language server etc. all supporting the new compiler. Other language ecosystems are lightyears ahead regarding this... :-/
>> 
>> Cheers,
>>    S.
> 
> -- 
> GPG: ed25519/56034877E1F87C35
> https://github.com/infinity0/pubkeys.git