Episode 67: Capital NO


This week Audrey and I chat about the compromised NPM package that stole a bunch of credentials, OSCON code of conduct issues, and Guido van Rossum stepping down abruptly from BDFL of Python.

Show Notes

Now Broadcasting LIVE most Fridays

We broadcast our episode recordings LIVE on most Fridays at 12pm PT. Mark your calendars and visit recompilermag.live to tune in.

We love hearing from you! Feedback, comments, questions…

We’d love to hear from you, so get in touch!

You can leave a comment on this post, tweet to @recompilermag or our host @christi3k, or send an email to podcast@recompilermag.com.


CHRISTIE: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler.

Hi, everyone.

AUDREY: Hello.

CHRISTIE: Hi, Audrey.


CHRISTIE: It’s going to be a scorcher today, as they say.

AUDREY: Oh, man.

CHRISTIE: Usually, my office stays…you know, we have all the windows open or the blinds open. Maybe I should close those to keep it cooler down here.

AUDREY: We get pretty aggressive about keeping the house dark.

CHRISTIE: Yeah. So, this is our live broadcast for Episode 67. It’s the 13th of July. Ooh…Friday the 13th.

AUDREY: Today is the start of summer birthday season in my family.

CHRISTIE: You have a whole bunch of them in summer?

AUDREY: Yeah, starting on the 13th.

CHRISTIE: I was supposed to be born in July but I was early. It’s a little after noon and what are we talking about today? We’re going to talk about the compromised NPM package. It sucked up a bunch of credentials, some OSCON code of conduct issues, and Guido van Rossum stepping down from BDFL of Python kind of abruptly. Then we’ll have things we love on the internet. But first, some announcements.

AUDREY: All right. First off, we are a community sponsor for DevOpsDays Portland. It’s happening September 11th through 13th. It is part of a worldwide series of conferences. They talk about software development, IT infrastructure, ops and the combination of all of those things plus the human side of it, how we work together, collaboration, healthy practices, and things like that. We have a discount code: RECOMPILERFRIENDS and that will give you 20% off your ticket.

CHRISTIE: I confirmed, it works. I’ll be there. I got my ticket.

AUDREY: Awesome.

CHRISTIE: I was just seeing tweets from DevOpsDays in Minneapolis.

AUDREY: I think that sounds right. I saw something like that.

CHRISTIE: Looks like some good interesting stuff, so I’m really looking forward to the one here in town. And then we’ve got a Recompiler issue recently gone online for everyone to read, right?

AUDREY: Yeah. Our Issue 8: Wildcard. All of the articles are online. Easily findable and readable. We have everything from cell networks and how they communicate, how the Stingray operations work to interfere with people’s communications to surveil people’s communications. Some stuff about citizen astronomers and their contributions, and a whole lot more. We also have a few more print copies available in the shop. That’s Shop.Recompilermag.com. But our goal is always that all articles are, in the end, free to read on the website so that they’re accessible in that way. And Issue 8 is the latest one to go live.

CHRISTIE: Awesome. Any other announcements?

AUDREY: We also are finishing up the reprint for The Responsible Communication Style Guide. We’re going to order a few extra copies, so you can definitely get your order in. And we have just some relatively minor updates but important stuff and we’ll have a stack of these to start sending out.

CHRISTIE: Awesome. And should I mention our other book that people can still pre-order?

AUDREY: Yes. Would you like to say something about that?

CHRISTIE: Sure. I think some of you know we did a Kickstarter for the second edition of our Community Event Planning book which is going to have all kinds of updates and improvements and interviews from different community organizers. The Kickstarter was successfully funded and we’ve got a…when it’s on BackerKit, what is that called? Is that [inaudible] campaign or a…

AUDREY: A pre-order shop.

CHRISTIE: Pre-order shop? So, it’s a pre-order shop up on BackerKit where you can still support us and still pre-order a copy of the book. I do not remember the URL for that so I have to put it in the show notes.

AUDREY: It’s a little bit long.

CHRISTIE: Yeah. All right. The NPM folks which is the Node Package Management system. I’m saying that because I always forget what NPM actually stands for. It might be Node Package Management.

AUDREY: That’s what it does.

CHRISTIE: Yes. So it’s both the sort of command line tool and also a registry of node libraries. And they had a rough day earlier this week. What happened was a library of packages, the developer for one of the packages, ESLint something, something…

AUDREY: Eslint-scope.

CHRISTIE: Eslint-scope. Anyway, one of the developers on the package that had sort of access to the repository had been reusing their login information on different sites and one of those other sites had a breach. And so, someone basically gained access to his account, regenerated tokens, pushed an update to this package with a little bit extra code in it. What that code did was look for an .npmrc file and then pull NPM token out of it and send it to a stats counter which presumably that person had access to so they can look at all those. And the reason this is kind of a big deal is that a lot of packages are configured to automatically update dependencies when there are new versions automatically. So any project that had one as of their dependencies eslint-scope resetting this new version and as part of the install update process would have run the script and shipped off their credentials.

AUDREY: And those automatic updates are usually recommended for security reasons, among other things, that you will always have the most up-to-date and patched version of the code. But it’s interesting how they can be a vulnerability in this context.

CHRISTIE: Interestingly enough, the way it was discovered was that the method used to pull the script which was hosted on Pastebin, it just tried to eval it right away and the method used to grab the information doesn’t guarantee that all the information would be delivered in one chunk. And so, sometimes when you run it, you’d get a syntax error and that was actually the initial error reported. I find that kind of amusing.

AUDREY: Well, we’ve seen other cases with compromises like that or compromised systems where debugging [inaudible] is often the first indication. And they don’t have to be right all the time. This thing can still be a significant grab for access even if it fails sometimes.

CHRISTIE: And they did get a number of credentials. So, that developer changed the password, revoked the tokens, enabled two factor auth, NPM itself revoked everyone’s tokens.

AUDREY: That had been updated within that time period?


AUDREY: Absolutely everyone’s?

CHRISTIE: They had to.


CHRISTIE: They didn’t update ones that had been updated after a certain time period.


CHRISTIE: After the malicious package had been pulled. I don’t know if they’re still doing an audit but the ESLint folks published a post-mortem, kind of talks about it in detail. All of this was squared away within hours which I think is pretty responsive. The ESLint team apologized for sort of not having the best practices in allowing this to happen the first place. I really think they did a good job with this post-mortem. They say summary, affected packages, attack method, recommendations. So they include C package maintainers, don’t reuse passwords, use a password manager like LastPass or 1Password, enable two factor auth, and then they mentioned something called Lerna which I’m not sure what that is. Package maintainers should audit and limit the number of people who have access to publish an NPM.

AUDREY: That seems especially important.

CHRISTIE: It’s really easy especially with open source how people kind of come and go without the same kind of boundaries they do with employment that you can have a lot of people hold on to access.

AUDREY: And forget about it because you don’t check for a year, a couple of years even. And folks might have stopped contributing in that time period and not even necessarily said, “Oh, bye. I’m going now.” So you have to keep auditing.

CHRISTIE: Right. And there’s the security principle in general. It says that you have only the greatest amount of access or if the least amount of access that you need to your job done, I think, in open source culture where part of the reward is access that’s a little bit contrary. It says package maintainers should be careful with using any services that auto-merge dependency upgrades and that application developers should use a lockfile to prevent the auto-install of new packages.

AUDREY: That isn’t the default? I have a lot more experience with the Ruby ecosystem around this than Python.

CHRISTIE: I did not. This is not Python, this is node.

AUDREY: Oh, sorry.

CHRISTIE: We’re talking about Python later. I use NPM very minimally, so I’m not sure.


CHRISTIE: And I didn’t go down that particular rabbit hole. What rabbit hole I did go down was this issue of package signing and whether that would have helped or not in this case. It seems to be a little bit of a contentious issue within the community. But I did find sort of in 2015, someone wrote a patch [inaudible] package signing. So basically I think the way this works is that someone would have a GPG private key, some kind of public private key encryption where you use a private key to sign the release before you update it basically. So that in addition to a token, you would need a GPG signature which can only be created with a private key that is password protected. So kind of like one more layer.

AUDREY: I’ve used that kind of system in a different context where you can expand the keychain. You can add more keys to the keychain that can sign things but you can’t reuse them across contributors.

CHRISTIE: Do most Linux packaging work that way?

AUDREY: Some of the system stuff.

CHRISTIE: I went and found the issue where they said we’re not going to accept this and lie [inaudible]. They basically said this adds a lot of complexity for an unclear benefit and this is something we want to figure out how to do but we want to figure out how to do it the right way. I think I saw some other tweets about it but I couldn’t track those down when we were planning the show.

AUDREY: It’s interesting that what caught your attention was the package signing and control over who can push a package because the part of it that I thought about and how it’s seen solutions for it before was that initial step of needing two factor authentication.


AUDREY: I think it’s been a while since I [inaudible] this. But I think on GitHub, you can require that everyone in your organization use two factor auth to be able to contribute to that project. And those kinds of settings do mean that you’ve got an organizational policy that’s firm.


AUDREY: And two factor auth can be compromised in various ways depending on which version of it you’re using. But it’s harder, it’s less likely. It’s not the first thing that people can go after. And even if somebody does screw up and reuse a password, it gives you just another layer there.

CHRISTIE: And it would’ve, like the tokens that were taken from a malicious script, that wouldn’t have been protected by two factor auth. But the way that the initial malware got pushed was because…like two factor auth would have probably prevented that or made it much harder.

AUDREY: And you figure whoever was trying this was brute forcing it. They had a list of e-mails and passwords off of one of those dumps from a previous compromise. And so, they would just be trying it against the system to see if anything stuck.

CHRISTIE: Right. And it’s not hard, once you have someone’s e-mail, it’s not hard to figure out other accounts they have or whatever. I’m pretty sure you can because when I was getting onboard with my most recent job, one of the things I really appreciated was that they required two factor auth. Required two factor auth to everyone in the organization. I don’t think that requires paid features either.

AUDREY: I don’t think so. It’s a really useful security step to take.

CHRISTIE: Yeah. Does ESLint have…looks like they have an organization, so they could do that. And I haven’t been on the end of requiring this, so I don’t know what kind of hassle you have to go through.

AUDREY: I don’t know that I’ve ever set it up but I’ve been on the receiving end of that. And you get some kind of a notification that you need to set up before you keep going. I think there’s something similar on Amazon’s cloud services too.

CHRISTIE: Yeah, probably.

AUDREY: I mean, that I’ve encountered specifically.

CHRISTIE: Though I automatically start to tense up whenever I even start to think about permissions for Amazon stuff just because it’s so like…I mean, the reason we get all these chmod 777 equivalent on S3 buckets is because of, I think, the layer of complexity. So, it’s not just requiring two factor auth for accounts that are going to be administering and spinning up new services and whatnot, but also then all the permissions for the services itself. It’s so complicated.

AUDREY: Yeah, it can get very complicated fast.

CHRISTIE: I hadn’t had time to look because morning stuff and getting ready for the show. But I think another set of indictments came out today from Mueller’s investigation. And I just took a quick couple of peeks and part of it includes compromising Clinton campaign, election analytics, and they mentioned cloud service provider. And basically, they got into a server hosted on a cloud service and were able to make backups of it and then pull the backups. They didn’t say Amazon.

AUDREY: But it is a likely option.

CHRISTIE: It’s sounding like the NPM folks got a lot of crap for this which kind of happens every time there’s something with NPM. And so, there’s this [inaudible] from one of the engineering managers sort of about ‘hey, we’re people. Maybe don’t threaten us and send nasty things like when there are issues’.

AUDREY: I know that a lot of…I mean, NPM has a great staff and they are absolutely under a lot of pressure, like the role that their service plays in the software ecosystem is really significant. And they have so many more people who depend on it than the number of staff. So they often are under a lot of pressure to resolve things quickly and not everyone is nice about it.

CHRISTIE: Right. I do think this is one of the risks of open source too is that especially if you give so much away for free and the more that you embrace community in a way that they don’t have to pay for, I feel like it really ups the sort of nasty component or whatever.

AUDREY: Then you have to think about ways that people contribute productively to create that sense of participation and co-ownership that isn’t exploitative, I think is what you’re kind of getting at.

CHRISTIE: I’m just thinking like in a business where you don’t give stuff away for free, the social contract to me has some much clearer boundaries. And that’s not to say that they’re asshole customers or asshole businesses. But I think it’s much easier to fire a paying customer than it is to fire a free customer. Do you know what I’m saying?

AUDREY: Oh, for sure. I think that maybe there’s like community amplification in both ways. I’ve seen communities that are really good about the idea that even users are kind of contributor and they all support a certain environment for that. And I’ve seen communities that are very polarized in this way, like increasingly burned out set of maintainers or people doing this work and a whole lot more people that are upset that they’re not getting what they want.

CHRISTIE: I think that can be a function of size, too. Well, that’s the other thing is that if there’s a much more direct relationship between your users and your paying customers, sometimes the resources can be clearer.

AUDREY: And if there isn’t an implicit common framework for the social interaction, then you have to create it. Like you’re saying, being a customer are shortcuts that because we have some expectations about how customers and companies interact. But in communities, there’s just much more randomness even around that. You have to set it out.

CHRISTIE: Yeah, people come to expect things from you. But it’s not clear on what terms it makes sense for that to be. Anything else with NPM?

AUDREY: No. I’m glad that they were able to resolve it really fast.


AUDREY: It probably was a pretty intense thing to have to deal with that day.

CHRISTIE: We ended up talking about communities and open source labor was a really good segue to our next topic.


CHRISTIE: So, was this just yesterday? Oh, my God!

AUDREY: It’s really been a week. I just have to say that this has just really been one of those weeks where, I don’t know, lying in the bath for 12 hours would be appropriate.

CHRISTIE: I don’t even really know what happened other than like, “Oh, here again. It’s Friday already and I’m exhausted.”

AUDREY: It’s really hot out.

CHRISTIE: Yeah, and I still have a whole bunch of work to do before I can call it a weekend and it’s really warm out. The dogs are just like…all the pets are like melted all over the floor. So, Guido van Rossum is the creator of the Python language and has been the BDFL, the Benevolent Dictator for Life since then, since the early 90’s, mid 90’s, and messaged to Python committers list which is public for reading. We’ll have a link to it. It says Transfer of Power and it references PEP 572 which is the Python improvement proposal. It’s sort of their RFC process. It was a contentious one about assignment operators. Guido says, “I’d like to remove myself entirely from the decision process. I’ll still be there for a while as an ordinary core dev and I’ll still be available to mentor people possibly more available. But I’m basically giving myself a permanent vacation from being BDFL, and you all will be on your own.”

AUDREY: The first thing I thought when I saw this was, “Oh, burnout is so painful.”


AUDREY: It really is. And I’m sure that this will seem both abrupt and expected from people who’ve been involved. But it’s really hard to see anybody get to that stage of burnout where the best that they can do is to say, “I’m done.”

CHRISTIE: Yeah. “I’m not going to appoint a successor. So what are you all going to do? Create a democracy? Anarchy? A dictatorship? A federation?” And I say this with tremendous empathy for Guido and burnout and having health issues, like all that fucking sucks. There’s also a little bit of a fuck you and I feel like whether it’s intentional or not.

AUDREY: In the community not having found a solution to this yet. I guess what I saw on that was you haven’t organically created a structure for this yet but now you’ll have to.

CHRISTIE: Well, he starts off by referencing this really contentious thing. So this doesn’t sound planned. This sounds very reactive.

AUDREY: And you think it’s kind of, “Well, if you think you can do it better then…”

CHRISTIE: No, I don’t think there’s…I’m not assigning any intention to it. I think that one of the really hard things about burnout is that if you’re so burned out, all you can do is put everything down and walk away. That is an inherent kind of fuck you because you’re not sticking around to do the work of succession.


CHRISTIE: I’m trying to think of a good analogy.

AUDREY: I mean, the phrasing ‘fuck you’ always sounds very adversarial to me. I don’t know.

CHRISTIE: Yeah, I can see that. It probably depends on your relationship with people not doing things. Do you know what I mean?

AUDREY: Kind of.

CHRISTIE: Like I am particularly sensitive to people just walking away and leaving things a mess, I guess is what I’m saying. And I’m not saying Python is a mess. I feel like I’m just going to generate a bunch of hate mail for us.

AUDREY: Again, we have a lot of empathy for what happens when you’re this burned out. We’ve seen it.

CHRISTIE: I mean, I think we’ve all had that experience where you’re working with someone and then they go, “I’m done,” and walk away. And you’re like…it’s a kind of breaking of a social contract, I think. And maybe I’m more sensitive to that than some other people are.

AUDREY: I don’t know. I can think of a significant example where I did that and yeah, it was uncomfortable on all sides.

CHRISTIE: And again, I’m not ascribing any kind of intention. Maybe a better way to describe it is just like when a leader abruptly steps away and they have called themselves BDFL and there isn’t a succession plan. And I find the wording in this kind of vague, like to me, permanent vacation is not synonymous with ‘I’m retiring’ or ‘I’m resigning and stepping down’.

AUDREY: When we started talking about that too, I realized that the examples I could think of that mirrored this were all ones where later people did come back and reclaim some of that decision making power. Because when you just step away in the middle of things without any transition plan, without any leadership plan, things don’t automatically form in your wake. Sometimes everyone just sits there trying to figure out how to do anything or they don’t come to good solutions. They don’t even come up with a new BDFL. They just let it sit.

CHRISTIE: I was trying to think of different ways this has gone before and I didn’t get very far in thinking of that. You know what it is? Maybe it’s that I’m reading some anger in the language and maybe that’s where I’m getting what I’m calling fuck you.


CHRISTIE: I don’t know. Maybe that’s a better way to put it.

AUDREY: I have no doubt that he feels angry to go through a really tough community process to find people being adversarial when you hoped it would be constructive, to find that it was beyond your capability to mediate that. All those things would make me pretty angry.

CHRISTIE: The other thing that kind of concerned me. It doesn’t seem like the Python Software Foundation was given a heads up nor has there been any…so Guido’s also the president of the Python Software Foundation. It’s not clear to me unless he’s stepping back from that role or not too.

AUDREY: I asked people on Mastodon if they had any questions or any aspects of that, that they hoped that we would talk about. And understanding the specifics of it and the impact that will have on the project’s ability to operate seems like that’s the first thing. When I asked people a little bit more generally, I heard, “Well, maybe this isn’t a big deal,” because he was supposed to be sort of in a symbolic role as much as anything. But I don’t think symbolic roles give you burnout. I don’t think that if you were just there to kind of wave and say, “Hey, great job,” I don’t think that that’s the situation that gives you burnout. Obviously, some things have been very dependent on his participation. So this can’t be a simple transition.

CHRISTIE: Right. In this article in LWN kind of goes over what was going on with the PEP 572. I read this critique pretty quickly but it was like managing a PEP debate is not a symbolic role. You’ve got a whole list of questions in here that people ask. Do you want to talk about these?

AUDREY: Yeah. So aside from…specifically, what’s going to happen next. That sounds like something that the Python Software Foundation and the core contributors are going to be talking about possibly for some weeks trying to decide what the best kind of leadership structure for them to take is. I also got asked like, is this inevitable, which absolutely I think is there’s no for-life that makes sense in this context. They’re not Supreme Court justices and even those retire.


AUDREY: For-life probably isn’t the way that we should talk about this role anyhow. Somebody suggested to me that we should be thinking about how you’re the leader emeritus. That’s something that we went through a lot on OpenSource Bridge. What that emeritus position would look like. That seems really important. And I mean, I think people in leadership decisions, I try to tell everybody this as often as I can like always be thinking about your exit. Be thinking about your exit before you’re burned out, before you want to step away when you’re still super excited to do your job. Because if you do that then you’re keeping an eye out for people who you can mentor and train. You’re keeping an eye out for the decision making bottlenecks that you have, the things that everybody comes to you for and you’re not letting those things kind of fade into the background where because now everybody has to go find that. They have to go kind of do a discovery process on how the thing actually operates because it hasn’t been explicit. And when you have somebody in that kind of role, they are subsuming just a whole bunch of work that may not be documented, may not be explicit to people, may not be visible to people. Maybe just fully internalized. And so, the earlier that you can think about that even just talking it through with people or taking notes or raising it in your conference talks, the sooner that you do that, the more that you can work together as a developer community to do something about that.

CHRISTIE: I think documentation and making as many things explicit as possible is all really good. Whenever there’s a change in leadership, there will be a change in process. You could document how you were doing things perfectly and new people are always going to do things at least slightly their way.

AUDREY: For sure.

CHRISTIE: And that’s doesn’t…and I say this because I had to go through a process with this with OpenSource Bridge. It was a little painful and I finally just realized it was normal. It doesn’t mean I did anything wrong in it or did a poor transition. That’s a pretty normal process and outcome.

AUDREY: I think benevolent dictators are still single point of failure people. I think taking on that role is blocking other people from becoming effectively involved in technical leadership. I think that just giving yourself that title means that you’re stuck with it until you’re sick of it. And I don’t think that that’s a very healthy choice either.

CHRISTIE: I think everything about it is an [inaudible]. I mean, there can be value in having a final decision maker but I think that you can have something like that without a BDFL.

AUDREY: So I think a good question for people in communities that have that kind of leadership role is to start asking themselves what would be a healthy transition. Start asking like what that would look like. And you don’t necessarily need the leader even to be a part of that conversation at first because you’re thinking about how would you all benefit the most in a leadership transition.

CHRISTIE: And you can practice that, you can role play that without the leader actually stepping down. They can go on a vacation or something and you can have the number two step up and be that point person for a given period of time. Give them practice.

AUDREY: Like with the PEP-type process to start appointing delegates to be the lead on each of them when it comes time to bring it to the full developer conversation. You can start to see pieces of that. Just try it, find out. Discover what’s not going to work.

CHRISTIE: What else? Single point of failure. Are there projects that have BDFLs and not-so BDFLs. I don’t know about a lot of these. Is DHH still the main decision maker on Ruby on Rails?

AUDREY: I’m not sure. I haven’t looked in a while. Some have kind of a core team but also a figurehead. And I think that the figurehead thing still means that people will come to that person with things even that can be collectively resolved. I think it’s something that you have to be really careful about.

CHRISTIE: Two humans can’t occupy the same space at the same time. So whatever space you’re occupying, you are preventing another person from occupying it. And I mean that can be hard to think about but I think the more that we talk about it, the more we can normalize it.

AUDREY: One of the things that I keep bumping up against is I guess this way that those BDFL positions and those community figureheads prevent people from…I mean, not explicitly most…sometimes you see people manipulating this. Most of them aren’t trying to block their community’s growth by doing that. But I think that it does implicitly prevent people from learning what they do. Does that make sense? I think implicitly it just creates kind of this bubble around it that makes it hard for people to learn what that person does. And if they don’t know, if they don’t understand that in any detail, then they can’t understand what it looks like for somebody else to take on that role. They can understand what piece of it they could do and they go, “Oh, wow! I could never…” And maybe that’s true or not but I’ve learned a lot in the last 10 years in terms of community organizing and technology management stuff. So, I believe that more community members can acquire these skills and to take on a piece of this. But they can’t do that if there’s just this bubble around it that makes it look out of reach.

CHRISTIE: Right. I think these are really challenging because humans are ego-driven and we don’t like change. And if we create this thing and it takes off and it brings us visibility and prestige and drives us in some manner, it’s really hard in the middle of that when it’s all or mostly in that positive to start planning for that going away. So yeah, I get it.

AUDREY: I’ve experienced like a fear of erasure even in that process. Like will there be a point that nobody remembers what I started, what I contributed? I’ve encountered this. They start to describe it as like sort of an amorphous community. They generalized the responsibility rather than seeing that there are people who were key at the same time that it was a community effort. There’s a tension there but I think it’s really important to see that and to not just say one or the other.

CHRISTIE: Right. And I think one of the things that a project lead and people, core committers and stuff can do, and this is really hard but I keep coming back to this, is document what you’re doing as you’re doing it. It’s much harder to do that after the fact. But having that history of this is why this thing was created, this was who was involved, that is so useful looking back.

AUDREY: And even shitty documentation is better than nothing. If all you do even is to just like brain dump relentlessly, I’ve been able to reconstruct quite a bit from that.

CHRISTIE: Yeah, you can reconstruct and polish a lot after the fact if you have the nuggets there. But you’ll forget the nuggets if they’re not written down somewhere. And luckily in open source, we have a lot of artifacts. If you’re thinking 10, 15, 20 years out, I mean, GitHub wasn’t a thing when Python started. How many issue have they had, I don’t know. But surely they’ve had to make a couple of migrations till they lose any data.

AUDREY: Yeah, you can lose history in all of these things. And it’s funny for all of the sort of open source, open community aspects of this. We don’t do a lot of the oral history gathering. Some of the practices that people can make use of to collect that even if it’s not like a big documentation process. Those oral histories are important too.

CHRISTIE: It’s one good thing about podcasts. We’re getting more of that. But again if you’re not saving those, then who knows if you can read an MP3 in 20 years. Although MP3s have been out a long time now, I just realized.

AUDREY: It’s silly, you shouldn’t count on it. Back to that digital archiving article that we were in. I mean, [inaudible] migration always.

CHRISTIE: Anything else with the Python stuff?

AUDREY: I just want to say that I wish the best for the community and I hope that they can have a really conscious and kind process for deciding what to do next.

CHRISTIE: Yeah. I second that. Okay, so OSCON is next week.

AUDREY: In Portland.

CHRISTIE: In Portland where it has been a lot. OSCON is O’Reilly’s Open Source Convention. It’s the 20th year which I think must…does that take it back to when it was their Perl convention?

AUDREY: It might. It started out as a Perl convention. When I started going, it still had a lot of remnants of that.

CHRISTIE: Do you want to talk about this, Audrey?

AUDREY: The other morning, a colleague of ours, Sage Sharp, took a look at the Code of Conduct for OSCON and discovered that they had added specific piece of requirements in there, I guess, around considering political affiliation of protected group.

CHRISTIE: Yes. They added it to the bit about we want to be welcoming and respectful to people regardless of gender, blah…blah…blah…political affiliation.

AUDREY: And in addition to that, through the conversation on Twitter, we found out that the speaker agreement that O’Reilly has been using had also added a line about refraining from political and religious speech during their presentation. Does that sound right?

CHRISTIE: Yep. In keeping with OSCON’s Code of Conduct, I will refrain from religious and political speech.

AUDREY: And these two elements are extremely problematic from, I guess, multiple pieces of it including the way that there are political beliefs that are really anti-humane against the existence of various people in our communities and repressive of people in our communities. There are ways that people’s identity can be inherently political because it’s outside of certain frameworks, conservative frameworks. There’s ways that it can be abused just enormously. And because it’s a behavior and not a thing that you are, because it’s a behavior, it’s not a good choice for that part of your code of conduct.

CHRISTIE: Right. Yes, that’s a good way to put it. So I’m looking at their Conferences Code of Conduct, and there’s no changelog on it. To my knowledge, they didn’t make an announcement. So to me, this also raised an issue of…we worked with OSCON back…was it 2011 or something when they first adopted theirs. And so in my mind, I was like, “Okay. OSCON has a Code of Conduct.” And I wouldn’t go check it out extensively every time.

AUDREY: Right. I knew that I thought it was kind of a weak Code of Conduct and I think we’re both dissatisfied about a lot of parts of that process.


AUDREY: But they did have something. They did tell us verbally and in their other statements that they were really trying to learn how to do this and that they were going to enforce that Code of Conduct.

CHRISTIE: Which we know they haven’t done a great job at.

AUDREY: It’s been…

CHRISTIE: I guess I didn’t mean to indicate like…I think it’s great but just that once I’ve…in my mind and this is just me, if I’ve sort of verified a conference has a Code of Conduct, I don’t keep it on my stack to keep checking that.

AUDREY: It seems…I mean, it’s possible but I hadn’t really thought about the possibility that Codes of Conduct can get worse over time. I guess I thought maybe they can get diluted. I had hoped that nobody would start off with something better and then add a really bad choice in the middle of it.

CHRISTIE: And they’re not the only one that has this political affiliation thing in their Code of Conduct.

AUDREY: No, they’re not. I’ve found a bunch of examples.

CHRISTIE: Yeah. Sage tweeted about this and then I jumped on it, you jumped on it. Coraline jumped on it.

AUDREY: Because Coraline was…

CHRISTIE: Speaking.

AUDREY: Yeah. Was intending to speak this year. I haven’t spoken there in a few years.

CHRISTIE: So, Coraline published a post saying they were not going to speak. I don’t think this has been updated to say otherwise. So about an hour…it was like an hour and 20 minutes after Sage posted that, Tim O’Reilly responded. Made it worse.

AUDREY: Certainly, we learned a lot about the intent behind that element of the Code of Conduct.

CHRISTIE: Right. We don’t have Tim’s thing linked in here exactly. It was something like…let me see if I can find it.

AUDREY: It was right in the middle of the [inaudible] conservative and be civil conversation that a lot of people have been having.

CHRISTIE: Right. So Tim first specifically mentioned the GOP and then said like, “It’s not okay to demonize these people just because they’re part of the GOP. If we want people to change, we have to walk on…” sort of stuff like that. I don’t think anyone was particularly happy to see that. A little bit later, Tim also said, made it seem like he didn’t know about the changes.

AUDREY: Also, I think we determined that the conference chairs didn’t know about the changes.

CHRISTIE: Right, at least one of them.

AUDREY: At whatever point this was added, both to the speaker agreement and to the Code of Conduct in general, at whatever point this was added, they did not go through a process where they informed the people that I think most needed to know about it. I can remember the last time I added an element to the Open Source Bridge Code of Conduct and I know that I asked both conference chairs and the [Stumptown] Syndicate Board if they were okay with that element, explained the reasoning behind it, wrote up some texts, sent it to those same people, updated the documents, agreed on how we’re going to do training around it and made sure that attendees knew that there was a new element. It was just a weapons policy. But still, it was something that would be a significant change, another expectation that we had and we went through these steps to make sure that all of the people who needed that information had it and could act on it.

CHRISTIE: Exactly. And so having the CEO of the company be out of the loop and the conference chairs, it makes me wonder who’s enforcing this. It just spoke to me about that that process is broken. Aside from the problematic language that was added to both the code of conduct and the speaker agreement.

AUDREY: And who’s enforcing it is a really good question because as [inaudible] posted OSCON’s inadequate history with enforcing their code of conduct does come down to, in part, people not having a clear sense of who the decision maker was and being very slow to respond to things that were obvious problems. Big safety issues with plenty of information available on what would be a reasonable way to handle it but failed to take timely action in part because there was so much back and forth about who should make that decision and what decision they should make.

CHRISTIE: Right. And a key part of…you, Audrey, trained people in this and I know from experience too that a key part of Code of Conduct response is…why do alarms make noise when you have your phone on silent, I don’t know…is having that very clear and a big part of that is role playing, like going through scenarios and thinking them through.

AUDREY: We practice what to say. We practice what we’re going to say when somebody reports a thing, what pieces of information we need to make a decision, what a reasonable decision would be for a certain scope of the problem, and how to resolve it. We practice every piece of that. And I think people absolutely should be going into the conference where they have that responsibility with that kind of training.

CHRISTIE: So that came out for me. And then the sort of the language that was added and the way folks, both Tim and others, talked about it sort of gave me some hints that maybe people don’t really understand the Code of Conduct entirely. And I realize maybe sometimes I pick apart language a little too much or maybe not. For one thing, I was thinking, they add political affiliation to the list of people that they want to feel welcome regardless of their relationship, their identity, their gender identity, expression, political affiliation, whatever you want to call that, or identifiers. But that thing they added to the speaker’s agreement in keeping with our Code of Conduct, ‘I will refrain from religious or political speech’, that was never in either version of the Code of Conduct expressly prohibited. So I’m thinking, “How did they get there?” I’m thinking, if you’re a certain kind of person and you say, “Oh, I want to be welcoming in my behavior to people regardless of their political affiliation or religion,” I will refrain from any political speech or religious speech. It’s kind of like, “Oh, I won’t be racist by being colorblind.”


CHRISTIE: It’s a weird kind of leap. Do you know what I mean?

AUDREY: Sure. But again, it fits into that [inaudible] idea quite directly. But the best thing that we can do is to not talk about it.

CHRISTIE: Right. But it’s a logical leap that is not actually represented by the policy that they publish.

AUDREY: Sure. It tells you a lot about the intentions.

CHRISTIE: But I think, to me, it was sort of like a light bulb moment and thinking about…because I saw other people make similar categorical errors. Anyway, it just told me something about the way that people interact with policy. And then I noticed it again when I was reading O’Reilly’s posts where they say they’re going to pull out the language. It says, “The Code of Conduct was amended in 2017 to add political affiliation to the list of issues that attendees should be respectful about.” That is different than we’re going to create a conference environment that does its best to be welcoming to people belonging to those groups. It’s not the same thing.

AUDREY: I see what you’re saying. I created a checklist for determining whether a Code of Conduct is going to be effective because we have this conversation a lot. And there are two elements in it that are being conflated backward and forward. One of them is the groups that we look out for. There are groups that we look to make sure that they are safe and not harassed. And then there are the things that constitute harassment. And those are two separate sections.


AUDREY: Because the existence of some of these race or gender sexuality is not harassment to discuss. It is harassment if it’s used against them. But those are different things.


AUDREY: And like you’re talking about with colorblindness. Colorblindness is still racist. It’s still a racist way of interacting with people.


AUDREY: And those have to be two separate things. But if you don’t understand that, you haven’t looked at the structure of the policy and how it works. And that’s why I frame it as effectiveness. If those things are just one blob, then you can’t come to consistent decisions about how people should act.

CHRISTIE: Right. I don’t think we can achieve a policy that is understandable in that way to everyone who might read it or might come to your conference. I think that would get so wordy as to be not useful. But I think if you’re in the reporting chain, you have to understand it and not make these categorical errors. And so when I see things like these from Tim O’Reilly, that’s pretty concerning.

AUDREY: It makes me wonder how much he was…even though the Code of Conduct materials, some of it’s written directly by him, it makes me wonder how much he understands the process at all. Not just their own document but does he understand how a Code of Conduct actually works?

CHRISTIE: Are you for giving him the benefit of the doubt and tracking him up to ignorance or inexperience? But also, I think sometimes people scramble things intentionally or it serves them to do so, and so they aren’t motivated to not do it. I had another moment yesterday and I texted you about it where I said I think there’s a certain kind of political person or a person with political skill and I mean liberal political skill that is almost antithetical to good policy writing and enforcement because where good policy writing and enforcement requires explicitness and good understanding of categorizing a certain kind of political skill relies on vagueness and murkiness.

AUDREY: There’s more that you can manipulate or…I can’t think of the word for now.

CHRISTIE: Manipulate or rewrite history?

AUDREY: Yeah, or prioritize, like forcibly prioritize. I was just going to say that one of the other things that we looked at, spoke to this, I think, about O’Reilly’s history with open source and [inaudible] as political issues, and the ways that there has been manipulation of the conversation that maybe reflect more behavior.

CHRISTIE: Yeah. Bradley Kuhn, who was at Free Software Foundation is now at Software Freedom Conservancy, had a pretty thoughtful post on this and gave some really specific examples of sort of how Tim…one that OSCON’s always been overtly political and how Tim has a track record of manipulating things to sort of push a particular political agenda. I think this is a good read, for sure.

AUDREY: I really chafe at the idea of saying Tim O’Reilly is inexperienced in any aspect of this. For one thing, he’s older than me.

CHRISTIE: And I think as someone who occupies that prominent space and talking about how tech should be used especially in regards to government should really have a better understanding of policy, in my opinion.

AUDREY: And not just a wishful thinking, imagined view of it.

CHRISTIE: A couple of times during this I thought back to when I was really looking at the language of the COC and how people were talking about it. I was going back to the boss of my old job where I was trying to get shared agreement and clarification on some wording about something and they just said like, “You’re focusing too much on the exact words. I’m just going to tell you what it means.” And it’s like, “Wait a minute, no.” Part of the reason you write something down is it’s a signifier of what the agreement is.

AUDREY: And if all of the people that are most important to the process, if they can’t all read it and see the same thing with maybe a little bit of flexibility, but if they can’t come to the same basic conclusions about what it says, then you don’t have good language. You have not written something that is precise enough.

CHRISTIE: And then the reason why this is not solved at all for a lot of us is this closing two sentences of O’Reilly’s post where it says, “We will remove political affiliation from the Code of Conduct and the prohibition on political speech from the speaker agreement. But we continue to ask attendees and speakers to respect the spirit of what was intended by both: to keep the conference a place where people feel welcome, and can focus on the technical content and social interactions that bring them to the event.” I tweeted that as we’re removing the letter of the law but not the spirit.

AUDREY: And I think that that’s how a lot of people thought too. It will certainly be interesting to see what happens next week.

CHRISTIE: I was going to make some quip about they don’t actually seem to deal with problematic actors so the chances of them actually imposing consequences on someone either direction is minimal but that doesn’t make it better.

AUDREY: I think that the whole thing is full of broken stairs. I have on one occasion seen them take a security issue seriously to work directly with somebody to make a good safety plan. But I’ve seen a lot more cases where they just…I don’t know somebody, who’s relentlessly clueless is doing more than not paying attention or not trying.

CHRISTIE: That’s an abdication of responsibility.

AUDREY: And this stuff is hard but you can still figure it out. I mean, it’s stressful, it’s not fun, it’s not my favorite skill to use, but you can figure out how to do this and just be more responsible to your community.

CHRISTIE: I feel that unlike a strictly commercial tech conference that OSCON has benefited so much from the open source community that that really is, they ought to be held to a higher standard.

AUDREY: I would say that they’ve benefited from sitting in that space between the two. They’ve benefited a lot from being part way between the free software part of the open source community and the commercial open source side of it. Putting themselves right in the middle has been quite profitable and helped sustain the conference over 20 years.

CHRISTIE: Isn’t it the main reason that they’re even relevant, aside from their publishing?

AUDREY: OSCON specifically?


AUDREY: I think that their conferences are pretty affluential not just this one, influential.

CHRISTIE: But OSCON is the anchor of that.

AUDREY: It has been.

CHRISTIE: I don’t think any of the other conferences are approaching 20 years old.


CHRISTIE: Maybe more like 10. Whoa! That turned out to be a packed show. We’ve got some things we love on the internet this week.


CHRISTIE: I’m finally sold on web apps, Audrey.

AUDREY: Finally, in the year 2018.

CHRISTIE: Yup. Because vim, VI-iMproved has been ported to web assembly and can now run in the browser. And there’s a working demo of it. I’m saying it’s a little tongue-in-cheek but it’s funny. A lot of clever web things I’ll kind of turn my nose up at because that’s how I am. But now you know the secret. You just apply it to them and I’m like, “All right, I’m there.”

AUDREY: So as long as we keep things command line, it can still be in the browser?

CHRISTIE: Yeah. You can call me a walking contradiction but I’m okay with that. So check that out. I’m a little disturbed that the web, that the browser has become a compilation target for basically anything you can write in higher level language. But I do think it’s kind of neat.

AUDREY: It opens up a lot of distribution.

CHRISTIE: I saw someone tweet and I haven’t tracked this down again yet, but basically said like they wonder if this won’t become sort of the archive format for binaries because of that. And I thought that that was an interesting thing to think about.


CHRISTIE: And then I guess doing things like playing whatever this decade’s version of Oregon Trail is in the browser when we’re doing podcast 20 years from now or 30 years from now.

AUDREY: We should give that one another try. Do another Oregon Trail session.

CHRISTIE: What have you got for your favorite thing?

AUDREY: For my favorite thing? After spending an unexpected day talking about OSCON’s Code of Conduct and whether we need to allow fascist political beliefs at our conferences…

CHRISTIE: No. Sorry, I just want that to be clear.

AUDREY: I mean, a capital NO. But anyhow, because I spent a lot of time on that, that I wasn’t expecting to and I got to the end the day and I was like, “What even happened here?” I decided that the best antidote was to look at videos of capybaras and guinea pigs and pandas. And my favorite thing is this short informational piece about Cheesecake, the capybara who is a foster parent to many adorable puppies.

CHRISTIE: And ‘puppies’ is not like the term for baby capybaras.

AUDREY: Oh, no.

CHRISTIE: Puppies here you mean dog puppies.

AUDREY: Yeah. Little fuzzy dogs.


AUDREY: Apparently, capybaras I guess are really good at fostering both other capybaras’ babies and other fuzzy critters.

CHRISTIE: Was it you that tweeted the whole thread about capybaras with different animals’ babies?

AUDREY: I think that was somebody else but I probably would have shared it.

CHRISTIE: It’s pretty cool. Oh my God, puppies. No, no. I have too many dogs already. Don’t even think about it.

AUDREY: Somebody in my neighborhood is giving away Pitbull puppies. I’m like, “Oh, I could but I can’t.”

CHRISTIE: I love dogs. They’re a lot of work when they’re grown up and they’re so much work when they’re puppies. You know how much Birdie turned our lives topsy-turvy for like a year.

AUDREY: I have experience with puppies. I know how much work there.

CHRISTIE: You got to have lots of time to dedicate and lots of pet gates.

AUDREY: That’s a very cheery note to end on.


AUDREY: Warm, fuzzy, soft.

CHRISTIE: Yes. Curl up in front of your local air conditioner and cuddle a puppy. All right. I think we’re done with our show for the week. Talk to everyone soon. Thanks Audrey.

AUDREY: Thank you.

CHRISTIE: And that’s a wrap. You’ve been listening to The Recompiler Podcast. You can find this and all previous episodes at recompilermag.com/podcast. There you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler Podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review. It really helps us out. Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to podcast@recompilermag.com or send feedback via Twitter to @RecompilerMag or directly to me, @Christi3k. You can also leave us an audio comment by calling 503 489 9083 and leaving a message.

The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright and is hosted and produced by yours truly, Christie Koehler. Thanks for listening.