When Open Source turns sour: A brush with mistaken identity
Note: Names have been anonymized and links omitted to stifle potential flame wars.
As an enthusiastic advocate for Open Source, I find it easy to get caught up in the excitement of collaboration, innovation and the sense of community that comes with being part of this movement.
We love Open Source and “we” includes everyone from seasoned code and non-code contributors (e.g., art direction/design) to curious beginners. However, it’s crucial to remember that “we” also includes bad actors who may exploit the trust and openness that make Open Source so special.
Recent events in the Open Source world have brought this reality into sharp focus. The xz situation, reminiscent of the infamous Heartbleed vulnerability, reignited the debate about the need to support and compensate Open Source maintainers.
As the community grappled with these issues, it seemed like we were all ready to move on to the next thing—until a personal experience of public shaming brought the dark side of Open Source uncomfortably close to home. Shaming might be common online, but in Open Source communities, the reliance on reputation and collaboration makes it especially damaging to contributors.
On April 8, I received a Slack message from a co-worker we’ll call “Murray.” My heart started to race as I read his words: “Hey! I was reading some random stuff on Hacker News and your name popped up.” He went on to explain that he had fallen down a rabbit hole investigating a suspicious-looking Zsh plugin manager called “zi” (the alleged bad actor in this story). My name had been mentioned in an article related to this tool, and Murray had stumbled upon edits to a Wikipedia page made by someone sharing my name.
As Murray put it, “You might want to reach out to the author to explain that, to avoid having your name mixed into this.” My heart sank as I realized this was not good. The excitement and pride I usually felt about my contributions to the Open Source community were quickly replaced by a sense of dread and uncertainty.
“Ok Justin, breathe in, breathe out, let’s take care of business.”
The investigation begins
The article in question was actually a thread on Mastodon. The theory was that since I was involved with creating the Zsh logo, I was somehow possibly involved with “zi.”
This is true. After I helped create the logo for Zsh, I uploaded the new logo to Wikipedia on behalf of the Zsh organization. Zsh, like some Open Source projects, didn’t have a logo. This led folks (even Wikipedia!) to use the “Oh My Zsh” logo by mistake.
Lesson learned: a catchy logo can help avoid confusion and protect your project’s reputation.
I responded to the author:
I got another Slack message from yet another colleague. This rumor had legs. Let’s call her Joan: “Hey, did you see that HN post?” Yikes, ok, I need to update HN before this gets out of hand. I thanked her and wrote:
Breathe in, breathe out…
Then I went to check on the Mastodon thread.
Relief. Luckily, I resolved this issue quickly. I appreciate the author giving me the benefit of the doubt and quickly reversing course when my name was cleared.
The aftermath
Open Source is undoubtedly one of the best communities I’ve ever had the pleasure of being a part of. It’s filled with amazing people who genuinely care about the world’s greatest software supply chain. However, this also attracts negative elements, which can lead to finger-pointing that inadvertently harms innocent contributors, the sustainability of the ecosystem, and, most importantly, the community.
So remember, Open Source community: Amazing people, world-class software. But without a logo? Pure Zsh-aster.

Also, when you’re stressed, remember to breathe in and out.
Note 2: It’s probably easy to find the Mastodon thread in question, so please don’t harass the author of that thread! We are cool now.
Note 3: Murray and Joan were my grandparents’ names. They worked with the guy who introduced me to Open Source.
