Seems like an innocent enough mistake. Remind me of when I once helped organize a volunteer hackathon with people from different companies. We created a Slack organization just for the occasion. At the end of the event, I was supposed to ask all attendees to delete all the data we had given them before they went home. The message I posted to #general (the channel everyone in a Slack organization is required to be in) with @everyone tagged was something to the effect of:
"Thank you everyone for contributing to our shared mission. When you are done with your work today, please delete all the data from your machines. Hope we see each other again soon!"
Slack gave me a dire warning that my message would send notifications to so many people across so many time zones. This didn't surprise me because attendees came from various countries for the event. So I dismissed it.
But I had accidentally sent it to my company's Slack organization instead of the hackathon-specific one. I didn't realize it until a co-worker sent me a private message asking why I had just tried to fire everyone at our company.
The real problem was that so many people felt the urge to reply to that PR making it so much worse than a single ping.
I can live with the random message that has nothing to do with me, but having to delete an endless stream of messages because so many people felt the need to reply already knowing that it would go out to everyone is really annoying
I happened to be hit by the Github incident. The worst is not the guy who made the mistake (happens) but the fools who hit Reply-All to first complain about spam and then to yell at each other to stop hitting Reply-All, making the problem exponentially worse ... facepalm
Oh and one has even posted a "goatse" image there ...
Happened in my wife’s company of around 40k people. Mail to all, replies to stop replying, many hours to stop the firestorm. Then next timezone 8 hours out started replying. I don’t know why they didn’t just kill permissions to the mailing list.
Similar thing happened at uni when I was doing a PhD.
The graduate office had some sort of mailing list which included all PhD students (or maybe even graduate students). There was maybe one mail a year to this list.
At some point someone replied to the list (don't ask why the allowed everyone to post), they want to be unsubscribe, trigger a torrent of emails of people wanting to unsubscribe, people telling people to use the link on the email, people asking why they get this email, others telling everyone to stop replying (the irony). It was a study of human psychology.
The whole thing lasted a week, I think in the end somebody was competent enough to restrict who could write to the list or maybe they just nuked the list.
I’ve seen this happen in some context at least once every five years throughout the 30 years of my career. The absolute best ones cause large scale incidents due to the volume of the messages. I always looked at it as a random celebration that brings all the trolls and introduces them to the idiots.
It's the "law" of numbers. 400k pings, even if only 1% clicked on the repo, and maybe 10% of them commented: that's 400 comments to make. Even on internal repos I've never seen productive discussion really happen past 50 or so comments.
And then the news broke out and that drove even more than 1% to check out the drama. Maybe even had some people sign up for Epic just to check it out.
All of those 400k people were notified because the author tagged a group containing 400k people. For every comment, 400k emails went out.
I never commented, but I received an email for every comment in that issue. The email queue was so backed up that I was receiving emails for quite some time after the issue was closed.
The worst is that it becomes clear eventually that people are responding just to troll.
The casual vandalism of hundreds of thousands of people’s time and attention is absolutely mind-boggling to me. I saw similar things at large (50k+ employees) companies when some reply-all chain got started — people who clearly knew better, replying just for the lulz.
If it were up to me, I would have fired them immediately. Nobody has the right to conscript other people into their personal sense of humor.
It's annoying to get useless email, but 95% of the non-spam email I receive everyday is useless crap: T&C changes, some company newsletter that somehow I never unsubscribed to, other notifications deemed so important I cannot unsubscribe to, a GitHub thread I subscribed to years ago and now has a very active discussion.
It's not like every single person received 400k emails in one go, it's 400k people receiving those 10 or 20 messages from the same thread over an hour. Annoying, waste of time, but not unheard of.
The attitude annoys me more than the actual effect.
I’d also fire someone who “trolled” the company by spraying graffiti on the side of the building. Trivial to remove or even ignore, yes, but the unprofessional and juvenile mindset, taking pleasure in annoying everyone else, is enraging all by itself even if no practical harm was done.
This is not an Epic employee that trolled the company.
This is random people on the Internet that probably didn't even know they were part of that notification group, as explained elsewhere in this thread, and then joked around a little longer than they should have. It might not been immediately clear to some that each of their responses was to be sent to all 400k.
Not at all the same crime as you paint it to be. In any case, there is no one that's fireable here, so no need to try looking for some kind of righteous justice here.
I don't think it's trolling, it's just having a lighthearted moment in an unexpected situation. You can't blame individuals for doing what they're supposed to do, i.e. replying to emails; at that point it's the moderators' jobs to kill mailing permissions or something.
>the unprofessional and juvenile mindset, taking pleasure in annoying everyone else, is enraging all by itself even if no practical harm was done.
People want GitHub to fix their system. Epic also has annoying process whereby you have to join their GitHub organization to access certain free tools, which is why they have a GitHub group with 400k people in the first place.
Edit: What great timing—someone just opened a new issue with the same tag. This needs to be fixed on GitHub’s end.
> If it were up to me, I would have fired them immediately. Nobody has the right to conscript other people into their personal sense of humor.
I’d just fire everyone with a sense of humor, that’ll show them.
I’ve heard some people spend whole minutes setting up a joke for the punchline. How many billions of dollars does that cost the economy each year one has to wonder.
I doubt it. If you look at the PR, it does not add any value at all, but introduces a mistake ("for our repositories"), plus the commit message is kind of strange.
I don't quite get the mindset here. I'm (slowly and lazily) learning a new language, and can't imagine going into some native speaker's repo and trying to correct it...
Blame the interviewers who require OSS contributions. Same with DigitalOcean and their "hacktobefest"¹, or whatever it's called. LKML is full of attempts at these. For some reason I remember a particular exchange (but it's quite typical) between Linus and some random 16 year old ESL student, who bugged Linus for days to accept his "typo fixes" (most of which weren't really typos), and Linus's replies in the manner of "lemme get right on that". From what I understand it's just something you have to deal with as a prominent OSS figure.
I am subscribed to the mailing list used to discuss development of the Django project. This is a very frequent occurrence. There is a constant stream of wannabe contributors that feel somehow inclined or compelled to ask the mailing list for a primer on contribution instead of reading the myriad disclaimers and existing documentation. It’s often obvious that they’re incredibly green behind the ears and barely know what Python or Django are, let alone how to use it. I personally find the combination of hubris and dishonesty jarring, though I appreciate that at the core of it is a cultural difference that I just don’t understand.
Bullshit. The number of jobs that require OSS contributions is minimal, and I've never seen that requirement for anything close to an entry-level job. This is people doing resume padding and making it worse for everyone: OSS contributors, interviewers and future candidates that don't engage in this spam.
And Hacktoberfest, before those incidents, was something for real OSS contributors. Not for spammers wanting a free T-shirt.
Blame the channels on Youtube that are teaching people to make inane contributions to game the system, the people spreading lies like "you need OSS contributions to get a job" and finally the people doing it. This is the reason we can't have nice things.
This kinda looks like an attempt to get a commit into a bigger open source repository. It'd look nice on a resume to say you "contributed to Unreal Engine on GitHub".
As someone who works with a lot of junior devs in India, I know the competition for early career roles in tech is immense, and so folks look at "open source contribution" as a "brownie point" to add in your resume. Having a "contributed to Unreal Engine" sounds great on paper and 3/5 companies would just take it at face-value and move this guy's resume higher up the stack.
And we have enough seasoned devs who try to be helpful to these junior folks and point out that the easiest way to get started in OSS is to provide/fix documentation for OSS since it's usually low barrier to entry + usually lacking in most OSS repos (The people praising the rr documentation is a great anecdote). But looks like the "quality" bit is lost in translation somewhere.
A company really wouldn't at least ask what the contributions were? What kind of 'competitive market' is it where you can lie so easily and get away with it?
When we hire people I usually check out the Person's github account and see for myself what the contributions were. For me it's more of a hint "these forked repos are worth a look". But that's because we are a small startup and everyone in the hiring pipeline knows how to use github. I can easily imagine that you can get some of the early filters in larger companies with meaningless OSS contributions because the people involved at that stage lack the knowledge or time to verify.
A large portion of Indian resumes are copy-paste fake resumes. It’s a big country with a large number of desperate incompetent undereducated poor people.
It doesn’t matter how successful it is, it matters whether many people think it’s their best chance.
But that's so weird because even if that's on the resume, any interviewer would be interested in know what the contribution was. Maybe revealing that you only "fixed typos" would do more harm than good?
Depends on your level of honesty. Given that you're fixing typos to say that you contributed to a project, you'd probably double down and quote the number of PR (remember to only do 1 typo fix per PR) and then add a real bug you may have fixed or make one up.
Unfortunately the entire interview process is why I usually try to hire former co-workers.
I am in several communities that receive many users from the east and that is very common of them: absolute disregard for the rules, common courtesy or even common sense. If they want something, they will keep asking for it even if it's offtopic or even the wrong channel/group/forum/etc until they get it, regardless of whether they are disrupting ongoing conversations or whatever. I suppose that it's a cultural thing.
This reminds me of something that happened to me a couple of years ago, near the start of the pandemic and when we had recently switched from Skype for Business to Microsoft Teams.
I needed to set up a one-to-one Teams meeting with a colleague, so I hit the 'Schedule meeting' button, added my colleague as an attendee, filled in the meeting name, date and time.
I saw that Teams was asking me to select a channel. I didn't realise this was an optional field, so I just selected the General channel in my department's Teams channel. It seemed the most appropriate. And so I sent out the meeting invite, thinking it would only go to one colleague (the only one I had selected as a participant).
I realised something was wrong a few moments later when I started receiving out-of-office responses from people I didn't recognise. I checked the meeting invite in my sent folder and realised it had gone out to the entire department. Hundreds of people, including all the senior managers and even the CTO!
Turns out that when you specify a channel when creating a meeting in Teams, it also sends the meeting invite to everybody who has access to that channel which, in this case, was the entire department. There was no indication that this would happen, however.
Still, I learnt my lesson. Now I know not to select a channel when creating a Teams meeting.
I try to not mix work and personal content on the same laptop, I’ve seen too many glitches (although usually not quite that embarrassing). Slack has been my one exception (although only on my phone). Thanks for the valuable reminder.
> I try to not mix work and personal content on the same laptop
It's kind of jaw dropping to me at how this is still not the norm and how people gratuitously mix personal and work content on the same devices, both mobile and desktop.
Purchasing, carrying, and maintaining two devices is expensive, heavy, and tedious. Easy always beats safe. Not to mention that there may be significant overlap between work and play for some people. I code Magento (PHP) during the day and contribute to open source PHP efforts as a hobby. In which environment (work or personal) should my notes and bookmarks be?
When I have a company issued laptop I use two machines. When I don't, then I use two accounts on the same machine. Most Linux distros even allow fast account switching in different virtual consoles. I use a different background and panel color for the personal and work environments. It's not a perfect solution, but neither is separate devices.
My work and hobby life is completely entwined. I have one powerful machine and micromanage my time by switching between windows of work and leisure.
Add the fact that I do coding as work and video editing as a hobby which both need powerful machines, and it would be very stupid, unmanageable, and inconvenient to buy two MacBooks.
I remember when I worked at an Alphabet company and they offered the option of using your personal phone to sign in to work stuff. (It wasn't Slack, it was one of the seventeen different chat systems they had going at the time.)
There was a teensy-weensy little caveat: Google IT could wipe your personal device at any time!
That's... odd. Was this a long time ago? Because these days Android has work profiles that specifically exist to let you shove work stuff in its own separate space that can be managed separately from the rest of the device, and Google itself not using the feature that they built into the OS to support that exact situation would seem really weird.
Google does use Android work profiles - if you have an Android device. Unfortunately, iOS doesn't really have an equivalent concept (e: see comment below), so device-wide privileges are necessary there.
Everyone has their own level of comfort, of course. I've worked for two employers now whom I've given the power to erase my personal iPhone in exchange for the convenience of not needing to lug around a second phone.
Disclosure: I work at Google; opinions are my own.
Oh, thanks for the link. Looks like I'm out of date. Seems to be a relatively newish feature (~2020), but on the surface that does seem ideal. I haven't dug into the specifics, so I'm not sure if there's a gap preventing its use or if it's just a matter of priorities.
I don't have any real insight into this but my guess would be that enterprise stuff moves slowly and often has complaints about the new solution not having all the management features they used to use.
Yeah, it was a while ago, and it's possible that I could be remembering some details wrong. It just struck me as "no, I would rather carry a separate work phone if I have to."
That’s a widespread problem. I worked for a dramatically smaller IT firm and it also gave employees the opportunity to register their phones with the company’s Exchange service; when I asked my boss whether we should warn them about the power that gave us, he felt it would just cause unnecessary alarm.
well, probably, but maybe it meant that while it gave the power to do this he would never do it. However one should never say never in business, so maybe naive.
Umm, I remember a time when Personal Computers were seen as universal, do-it-all devices. And there was this expectation, you know, that your FOSS-OS will put all your security and privacy choices into your hand. That was roughly before folks took the red pill and went all-in on intransparent browser apps and would program their change-the-world app for themselves, to be released when ready. Unlike today where they flaunt non-novel, insignificant, uninspired crap on github.
I put a prepaid sim card in my old phone and use it exclusively for work 2fa. Now I can turn off that phone at my convenience and when this gig is over I can just switch to a new sim.
How so? Hopping around in your home network should not be possible by default and would be a gross overreach by any IT department, even beyond “you put data on this device and therefore we will search the entire thing”.
Indeed, my work laptop is heavily firewalled, always assumes to be on an unsafe network, and uses a vpn and zscaler. Say you are on an airport wifi - I wouldn't expect corporate IT to scan the neighboring devices. No way it's going to snoop around on my home network, that would just expose the machine.
Interesting perspective difference; I was referring to protecting the work computer from threats, not the home network from corporate. You must work at happy places…
Apparently you would also be surprised by how common it is to use a home printer, a home wifi access point, etc. and have IoT devices in the network. Corporate firewalls and scanners only protect against unauthorised connections and known threats; zero-day exploits can still be much more effective from a local network.
I have a pretty dim view of endpoint security, seeing it mostly as a thing that works against me rather than for me. I feel that any threat model that includes "zero-day exploits" is almost always poorly formed and sensationalist, rather than grounded in a genuine evaluation of security tradeoffs.
Many people are effectively sheep and will install a company app on their personal phone because "wow it's so convenient everything is all on one device".
That said ... employment is at-will, so there are no real rules here. It's not that different from if you sign up to be an Uber driver you're expected to have a car and a phone that you are willing to use for work, or you can't take the job. Nobody says it has to be the same device as the one you use for your personal email, it's just that you are expected to have a device for the job. So nothing legally prevents them from requiring you to have a device with the company apps on it, in return for you accepting some hopefully big enough salary.
For software engineering, if the salary is on the low end of market I expect work to buy me a work phone, if they require me to install any apps. If salary is on the high end, then I wouldn't fuss about it too much, I could just buy myself a separate personal phone for work with the pile of extra cash, but them buying me one would still be a nice, appreciated gesture.
There is no right, just a personal choice. If you have to lug around the company provided laptop if you want to check your work calendar/email/slack/whatever, you may start to consider using your personal device.
My solution to this is to have two separate accounts on my work laptop.
One for work, the other one for side projects, personal browser, courses, learning, etc.
As long as you're not doing anything illegal and are running on a non Administrator account, I think it is a good compromise vs having to carry a second laptop.
Your company likely has full access to that account and I would generally not recommend using any devices owned by your employer for side projects unless they specifically allow you to in some sort of legal contract that says something along the lines of them not owning everything you do on that account.
No, they don't. At my company we buy our own laptops, and we expense them. There is no VPN and no company owned software installed. And most of what we do is Open Source anyway.
> specifically allow you to in some sort of legal contract that says something along the lines of them not owning everything you do on that account
Not a problem, my side projects are just for learning purposes. They're open source, and most of them end up abandoned. I'm not running a side business on a company laptop, so they can own everything if they want, I'm fine with that.
Did the slack warning not tell you the number of people it was going to ping? At least nowadays it says something like "You're going to ping X people in Y timezones".
Right you are, yes, it was that same message. I suppose what I meant to convey is, "despite the thoughtful safeguards built into Slack, I still managed to screw this up." :) I really appreciate Slack and it is my preferred workplace communication platform, so I hope no one reads my anecdote as criticism of the product. I can't think of any way Slack itself could have done more to prevent my mistake.
As more context, I do remember thinking, "that X number seems higher than I would expect, but maybe we had a lot of folks who signed up for the event that didn't show." I worked at a small company so the size of the company was on the same order of magnitude as the number of invitees to the event (~100). I explained away the Y time zones because I knew some people traveled internationally. I was also operating on very little sleep, so that probably didn't help.
Well I used to have a gmail lab plugin which forced me into answering arithmetic questions when it was past 23 hours in my local time and I tried to send an e-mail
Free Code Camp had a bug in their email notification system several years back. I suspect they weren’t incrementing the index in their loop… Since I was the first person in the email list, I got an email for every person in their list. I had to shut my phone off, as the notifications were going out of control and couldn’t keep up.
Fun fact, Gmail caps threads at 100 messages. So I had a full page of 100 email long threads in gmail on my phone.
I did that exact bug once. But I didn't just get one email for each subscriber, since the index didn't increase the loop never terminated. Took me some time to actually kill the process (PHP script running at some provider back in the day). Got over a 100k emails to my Gmail, so much that my account crashed and it took a few days before I managed to log in again (got an error saying something went wrong when opening gmail in the browser). So at least then it was very possible to ddos someone's mailbox.
Yeah, pretty much. I forcefully shut my phone off, as I was unable to just get to the settings, and then was trying to DM the guy via Twitter to try and get it to stop. Eventually it did stop and he reached out to tell me what went wrong.
It's difficult to strike a balance between "Are you sure?" and a message describing precisely what you're going to do and why it's unusual in these warnings. Slack could include the org in their message though
The only notable thing here IMO is the lack of limits imposed by GitHub on notifications. Apparently a random tag of `@microsoft` in the comments was enough to notify 4000 people [1] as well.
I have no idea why the user is even being mentioned in this headline. I haven't used GitHub in a while, and am unfamiliar with orgs and subgroups, but tagging a developer subgroup on a PR seems...a reasonable thing for a new contributor to do? How is it their fault that the developer subgroup has been hijacked by this organization to mean "Anyone who has ever signed the Terms of Service To View Our Code"?
The correct thing for Epic Games to do here would be to rename the group to `@EpicGames/terms-of-service-signatories`, and restrict `@EpicGames/developers` to people who have requested access to open a PR. Assuming that people should magically know not to mention `@EpicGames/developers` in their PRs because Epic is doing some ToS shenanigans is preposterous.
I guess I'll be looking carefully at mentions the next time I have to use this social network [2] masquerading poorly as a code review tool to submit a pull request.
[2] Looking at the profile of the contributor making the PR tells me that GitHub has apparently decided to let their users independently rediscover the experience of SuperWall on Facebook circa 2007.
> How is it their fault that the developer subgroup has been hijacked by this organization to mean "Anyone who has ever signed the Terms of Service To View Our Code"?
I was wondering why on earth epic has 400k github accouns. This explains it.
People who blame that kid are ridiculous. People who are asking to punish him somehow are pathetic.
There should be no way to send any non-premoderated information to 400k people (from the system that has some trust and is unlikely to be filtered) - “spam” is the most innocent thing that might happen. It's just a fly you should ignore.
Political, religious, and radical extremist groups could use it for a much more dangerous impact. If it so incredibly easy to send a message to 400k users, malicious actors could find some more sophisticated ways to get an audience of millions of users for their needs.
agree, whatever that kid did, it is not as bad as the first commenter there spamming everyone knowingly. which is not as bad as the second commenter who is even less original yet still seeking attention, ad infinitum. the last commenter is the biggest jerk IMO.
The kid was annoying but if the discussion was closed and restricted immediately it wouldn't have amounted to much (Granted, it was a very late Saturday night for Epic's timezone, so I'm not surprised it lasted a few hours). The follow up is what made this headline news.
Now the dude who posted goatse and ruined the whole thing should be completely banned from Github. I guess I see why image uploads were restricted for so long there.
part of it is timing. This happened late Saturday night in America. If this happened during normal daytime hours it woulda been shut down in a few messages.
Also, I'm sure Github has spam filters itself, so obvious attempts at ads may not even make it to the PR discussion.
> How is it their fault that the developer subgroup has been hijacked by this organization to mean "Anyone who has ever signed the Terms of Service To View Our Code"?
Oh, but hijacking developer subgroups for almost anything is totally kosher in Github. They do it themselves. That's how you get into some of their private betas.
> I have no idea why the user is even being mentioned in this headline. I haven't used GitHub in a while, and am unfamiliar with orgs and subgroups, but tagging a developer subgroup on a PR seems...a reasonable thing for a new contributor to do? How is it their fault that the developer subgroup has been hijacked by this organization to mean "Anyone who has ever signed the Terms of Service To View Our Code"?
At mentioning all admins and developers in general on a PR is bad etiquette. Look at the title of the PR here as well. "Merge ASAP"? What kind of attitude is that? Github should have some controls on notifications as should Epic games in how they manage their groups, but this highlights bad etiquette.
> At mentioning all admins and developers in general on a PR is bad etiquette. Look at the title of the PR here as well. "Merge ASAP"?
I think this is highly dependent on your org. Usually you should look at previously merged PRs and follow what they were doing, if they mention admins/developers then it should be fine to do so.
I agree that with the admins ping and "merge ASAP" it seems that this particular PR is kind of terrible from an etiquette and usefulness perspective, but PRs with little usefulness and bad etiquette don't make it to the top of HN every day.
I am merely saying that the "sending notifications to 400k" people is a side effect that is entirely Epic Games' fault, not the author's.
>mentioning all admins and developers in general on a PR is bad etiquette.
I'm not trying to be argumentative, but why even is this? If you're trying to perform a pull request, is it not logical to ping the people who approve those requests?
Also, can you give an example of how one would perform a PR and follow this unwritten etiquette? I have only made a total of something like to PRs in GitHub, but I would like to stay on peoples good sides, if I can help it. I had no idea this was seen as some kind of obscenity.
I assume you work in tech. Let's say you work at Netflix, are you pinging anyone and everyone to review each PR you make or are you assigning a few reviewers (or better yet, does it just auto assign owners based on CODEOWNERS)? Are you titling your PRs this way? How do you describe the changes?
Now imagine, everyone at Netflix made PRs the same way this author did. How do we make sure there is not a lot of noise? How do we collaborate well together?
I don't think you are being argumentative. I definitely think Epic games is at fault here, and that this points to issues in how they've setup teams and lack of guard rails on Github's part in terms of spam protection. But separate to this, the author's behaviour is not what I would want at a workplace I am at.
The kid is barely 18. The emotion and stress resulting from mistakenly sending a notification to 400,000 is likely overwhelming. Now his real name is going to stay at the center of the internet for a while thanks to being 1st on HN. I would definitely not have coped well with that much internet attention at his age. Some Github replies are more immature than the initial action and I hope he does not receive any threat.
I hope the Epic developers reach out to him nicely with constructive feedback and maybe a thanks for his well-meaning PR.
> The kid is barely 18. The emotion and stress resulting from mistakenly sending a notification to 400,000 is likely overwhelming.
Huh? I don't think it's "the kid"'s fault that some random organization is using GitHub orgs as a proxy to get people to sign their Terms of Service. If the org or group is on GitHub, it's only a matter of time before someone is going to mention it.
The emotion and stress should be on the org admins who thought that asking every user who signs their ToS to a group called `developers` would be a good idea.
I don't think the parent commenter was arguing that the creator of the PR is to blame. But even they're not to blame, it's probably not a pleasant experience.
I disagree, the PR is some pointless wordsmithing and then to comment "Verify the pull request and merge asap" is a bit ridiculous. Also, no one is going to care in a day.
> An email requesting system access went out to all employees . It triggered a reply to all frenzy that resulted in my blackberry pinging constantly for over an hour with people replying-to-all asking to be removed from the distribution list. Even Mike Lazaridis replied to all asking this to be stopped. Then as different parts of the globe started work, they would reply to all. Classic evening. I think system admins eventually shut down the frenzy at server level. Some of the replies were hilarious though. I think I still have some screenshots somewhere.
> Verify the pull request and merge asap" is a bit ridiculous
I see you're not familiar with Indian-English. What he said sounds quite "reasonable" (if not a bit unnecessarily, but understandably urgent) to someone like me (am Indian).
It is not reasonable at all for "non-Indian" English -- still that would perhaps be a reasonable explanation, just he should learn it is not reasonable.
The patch itself is indeed worse than useless, it's the kind of rephrasing just to say "I did something", but which actually makes it worse (adds useless words and English mistakes). If the "kid" is ready to send this kind of useless "contribution" (which takes some deliberate effort), they surely are ready for being reprimanded (or, more likely, they will be actually proud of it).
Either way, it's pointless to "reprimand" the perpetrator. This could have just as well been a deliberate spam attack eg. someone using the @-mention to promote their scam-coin or penis enlargement product (and some people in the thread seem to have already used the opportunity to promote their band etc.) Telling a spammer they are doing an evil thing is obviously useless as they are well aware of it. This should be viewed and handled as a security / access control failing on Epic's part - that this was ever possible was a mistake and only a question of timing when someone would stumble upon the vulnerability. Whether their purposes for exploiting it are nefarious, sincere or even accidental is irrelevant.
On the one hand, I agree that paying attention to the spammer is bad; on the other, I do believe there might be some use in publicly stating that such PRs will never be merged and are frowned upon; hopefully other people reading (many of them likely beginner programmers) will get the message.
But there's likely a better way to do the "teaching" without drawing any attention to the perpetrator.
Some have speculated based on the changes that it was not a well-meaning PR, that it was just an attempt to game the system (similar to what hordes of people do on Hacktoberfest). Of course it's hard to know
Does it actually matter? Like even if the PR is bad / the request to merge was demanding, I don’t think that justifies the response, which I guess was roughly the expected response to a the PR times 400k (plus network effects). I’m not convinced that the people responding can use the same excuse for their immaturity but maybe they should not be expected to be mature given the trivial requirements for becoming members of that org.
Speculating or repeating speculations on why he did this is not moving the ball forward at this point. It has been a harmless event so far. Github is now aware of an issue that would have come up eventually anyway and they can add future warnings when notifying >10,000 people, Epic can update the structure/permissions of their Github org, and the kid can keep his passion for tech intact. Win-win-win.
But also, this is a random comment thread on an unrelated site, no one here needs to "move the ball forward". Let people speculate, it makes no fucking difference.
> The kid is barely 18. The emotion and stress resulting from mistakenly sending...
Look at the actual contents of the PR. This wasn't an attempt to contribute anything remotely meaningful. It's not quite vandalism yet either, but only because it didn't do any harm.
Seems like he is trying to increase his reputation with minimal effort, see all the badges collected in his profile. It's the usual social network effect, and the same reason HN doesn't have notifications or actually relevant karma. Microsoft wanted a new social network, there they have their community of naive gamblers.
Yeah I’m sure they’ll institute some kind of control to make this sort of thing harder, but honestly I’ve never understood why people get so worked up about this sort of thing. It makes me chuckle. The person looks like a dummy or a shit-stirrer and a lot of people have to delete HUNDREDS (oh my) of messages and have LITERAL MINUTES of their time wasted. The megacorp I work for wastes more of my time with silly self-congratulatory org-wide emails about business deals and fake benefits like seminars on retirement planning for dummies.
I love me a good bedlam drama. One of the commenters on the PR had the best take: “I just wasted 2 minutes of my life I'll never get back.” The ones with the scorched earth PUNISH HIM attitude need to chill the hell out.
Yeah. Also their real names and them being immature and getting angry also went out to 400k people and is now effectively part of history. That's probably even worse than being the kid who did this, what if a future employer comes across this?
friendly reminder: 400k is an apertif for a competently configured production postfix server. its about 14 seconds of mail, and about 8 seconds optimized at hw and filesystem level.
the real issue here is shitty projects from shitty companies.
Yes but that’s on top of what GitHub is already sending, plus it must be multiplied by the number of comments left on top of that. It feels like 35 straight minutes of 100% usage isn’t great on any system. It presumably sent 61 million emails.
> Yes but that’s on top of what GitHub is already sending
When you send at the volume someone like GitHub sends, you will always see peaks and valleys in your sending patterns that are much larger than 400k. It might cause an issue if they were already under peak load, but even then it would just take a bit longer.
There was a thundering herd e-mail at Amazon about 10 years ago that I’ve heard stories about. It went on for days. There’s a funny internal talk with lots of data about it, maybe it’s on YouTube by now…
Looking around, everyone has a story like this, so I don't want to just pile on with my similar experience at Verizon. But what stood out at me there was the low quality responses from low-level managers in far parts of the world, demanding, by the power vested in them, to be taken off the email chain... you know... IMMEDIATELY!
Yeah that is one thing that I remember from one or two that I was copied into in roughly 2000s with more than 200,000 CCed. Mini-kings and also people with enough technical skills to know better keeping the threads alive and flooding the Exchange servers woldwide for days.
This happened at all my previous employers at one point or another. Most famously a thread about unsubscribing from a mailing list that nobody really knew about but had everyone in the company on it. For weeks there'd be some random field sales guy or a marketing person in random parts of the world replying all.
Something similar happened at Cisco something like maybe 5 years ago? Someone sent the Bay Area employees or whatever list (probably at least some tens of thousands of employees) an ask for a cook/chef they could hire to make meals for their family, IIRC. I think the reply-all's happened all week.
And Apple in 1991 [1]. It's a very fun story actually, good read if you're in the business of writing "reliable" or "recoverable" software (aka pretty much everyone). A bad design choice in sendmail caused a cascading explosion of emails. I also highly recommend reading the rest of the book (?), the Unix Hater's Handbook is a wonderful bit of history and discussion of the design issues of the NIXs we all know and love/hate today.
Compaq in the mid 90s on banyan vines a friend leaving the company sent a company wide email listing his house. It wasn't supposed to be possible to email *
When i worked at the NIH, a couple times an entire institute was accidentally cc'd instead of bcc'd on an email, and for weeks after the chain would continue, consisting only of people writing "please stop responding to this chain". I don't know what you do for that...
Would that happen to be the "wallet" incident? It was slightly before my time, but I also heard legends of it. During my time there, any email thread that looked headed for another reply-all storm had people replying-all to it with simply the word "wallet", apparently in an attempt to deliberately cause chaos.
> notifications are going to be scrutinized more in the future, from this point on.
This already happened with github & epic & unreal when it first did this organisation setup.
So, given no solution appeared after exact same incident, I wouldn't hold my breath
Something like this happened at my university a number of years ago. There was a side entrance that was ostensibly for usage by people with bikes (as it was part of the bike storage area), but it was much more convenient than the main entrance and all you had to do to get access was ask at the security desk. So anyway basically everyone on this campus with 10k+ students and more staff had access to the side entrance.
What everyone didn't know was that when you were granted access to this entrance, you were also added to the "bike storage mailing list". Long story short, at some point someone accidentally sent a message to the entire mailing list of ~100k people, which kicked off a long string off people reply-all'ing asking to be taken off said mailing list ("I don't even own a bike why am I on this mailing list"), which caused even more people to reply ("stop reply-all'ing for the love of god!"). I think there were 500 emails in my inbox from that by the end of the day.
Anyone could have done this by mistake, all it'd take is being a bit tired and @ing the wrong group.
The question is - why doesn't the platform warn you that you're going to send notifications to a large number of people in the same way that many email clients do?
Regardless of the mass notification or a bad quality PR - you don't just remove someone from a major internet platform like this, it's an inhumane response to someone making a mistake.
Not to mention it's just a notification, who really cares unless it happens all the time which is just more of an argument to fix the platform behaviour. Some people are so high and mighty.
If it's possible for somebody to unintentionally piss off hundreds of thousands of people, that's not the person's fault. It's the system's. The internet allows proliferation of information at scale and speeds that can be disasterous if left unchecked
I was 'removed from an internet platform' when I was a kid inadvertently breaking the rules by posting off-topic threads in the wrong Sci-Fi community subforum. So apparently we do just do it.
Totally excessive. In my opinion, people should treat this incident with the "blameless post mortem" mentality in mind.
Don't blame the individual for an innocent mistake (we don't know if he knew that it would trigger 400k notifications). He is young and might be inexperienced, so we should be forgiving.
Think about why the system is set up in a way that an untrusted contributor can trigger so many notifications with a PR that is of little value.
That is a much harder problem to solve, so that is why some people go to the easy solution ("ban him, he is an evil bad person, gross social misconduct").
The people who call for his ban in that thread should at least be consistent and call for banning themselves as well, because with their reply they just did the same thing.
Some people just want to be outraged for the sake of being outraged. Looking at the persons who wants the kid to be banned GH profile - I would not expect any other reaction.
Or in the way that `rn` used to do when posting to Usenet:
> This program posts news to thousands of machines throughout the entire civilized world. Your message will cost the net hundreds if not thousands of dollars to send everywhere. Please be sure you know what you are doing.
> The question is - why doesn't the platform warn you that you're going to send notifications to a large number of people in the same way that many email clients do?
The real question is why is it allowed to send at all? Depending on human judgment to stop spamming is a poor decision because bad actors don't care. I discovered this and GitHub s hilariously terrible setup a week ago when another large repository became a spam source and GitHub offered no easy way to unsubscribe.
They require you to acknowledge some terms that grant you access to the Unreal Engine source code. They grant it by adding you to their GitHub org which has the engine source code as a private repo.
Is it? How else do you selectively grant access to a repo? Orgs are the normal way, it's just not normal to have a project which is proprietary and somewhat private but available to 400k people.
Github just needs to rethink how tagging all users works and a way to prevent this.
I accepted those terms, and was added to Unreal's repo, but didn't get a notification. I think the mentioned group is some subset of the repo users, but 400k is such a big number that I'm not sure who they could be.
Unreal engine is open source but in a private GitHub repo. Anyone can link their GitHub account with their epic games account which adds them to the team.
That's a misleading, obfuscating way to make the difference. I guess the OP means an OSI-approved licence.
If you write your own licence (not recommended, but some developers and especially corporations do) it could be even fully compliant, but not approved.
"open source" and "free software" are two words for the exact same thing.
Both of them are pretty poor descriptors. "open source" doesn't convey the legal freedom you are granted (as you have just found out), and "free software" makes it sound like it's just about price.
If someone lets you see source code but doesn't allow you to do anything with that code it's not what people would call "open source", you could probably call it source-available or something. "open source" has a specific legal definition that means code released with a permissive license.
If you read the page you linked more carefully, you will see that OSI does not own a valid trademark for "Open Source", only for "Open Source Initiative".
OSI in fact tried to file for a trademark on 'Open Source' in 1999 [1], but failed because the term is 'too descriptive'.
You can download it via Epic Game Store without joining the org. Github organization is for contribution from non-employees as well as source code for various projects (like engine demos).
Only for those still using Windows. The head of Epic has some bizarre complex against Linux, so they refuse to release binaries (or the Epic Game Store at all) for Linux. So the only way to install Unreal Engine is to link your Github account to their org, clone it, then build it from source. Which takes a few hours and something like 70gb of disk space while building.
Huh. And yet why is that sort of annoying forced registration not considered 'antisocial', but this accidental tagging is resulting in calls for the poster to be banned?
They sell it (access to the source for the engine) under a commercial license. They were going to have _some_ sort of registration system, so that they can make sure everyone who downloads it paid for it. They reused GitHub for both distribution and registration.
Access to the UE4 source code is free. They probably sell licenses that let you do more than the free license, but the Github thing is not used to gate purchases. I don't know why they do it like this to be honest, they could just put the free license in the repo, that's pretty common practice.
Because it's not a free license. Once you get a million dollars or so in revenue, they take a substantial cut.
The idea is that nobody is going to get a million dollars in revenue from a game without being visible enough that Epic's receivables department can bill you. So they can ignore the 99.99% who download it and never get a hit.
I'm amazed that 400,000 people have downloaded Unreal Engine, though. It's really complicated, hard to use, takes hours to compile, and is only worth the trouble if you're making an elaborate 3D game. Not that many people do that.
This is just arguing semantics. You don't have to pay anything for the initial download, so there is no legal reason for this. They could just public the repo and put their license (including the $1MM+ royalties) in a LICENSE file.
I suspect the "real" reason for the current rigamarole is to get your details for their marketing team.
Oh, interesting. I thought you could download binaries for free and source access cost extra. I’ve never used it, so I suppose whatever story I read about it was less clear than I thought.
Looking at the content of the OP and the PRs you linked, my first thought is "Is it Hacktoberfest[1] already?". I mean, seriously, what's up with the such low quality PRs? Is it common to have people spamming repos with trivial changes absent some sort of incentive?
Sometimes fixing a typo would be a new coder’s first open source commit. It’s pretty stupid to assume every new PR would be a major new feature or bug fix. It makes OSS unnecessarily hostile to get into.
Although this commit in question isn’t even that sadly.
The problem here is that they’re not even trying. How can they not know that such PR would never be merged? For this reason I don’t think public contributions are why they send the PRs
The main repo I work on for my job is open-source, and yes, it happens fairly regularly that someone opens a nonsensical PR that might randomly perturb some Markdown or YAML file, or attempt to merge commits from some other developer's in-progress branch.
I'd say we only get them about once every week or so, but then the repo is not anywhere near as high-profile as the Unreal Engine, nor as likely to be on the radar of children.
It's just very common GitHub spam/abuse. Suspect these are automated accounts trying to look legitimate by doing legitimate-ish things (e.g. cryptocurrency mining via PRs that require one-time approval).
I would suppose some video aimed at schoolchildren teaching them how to use GitHub has gone viral and they’re taking baby steps. At least that what I think is most likely.
"Thank you everyone for contributing to our shared mission. When you are done with your work today, please delete all the data from your machines. Hope we see each other again soon!"
Slack gave me a dire warning that my message would send notifications to so many people across so many time zones. This didn't surprise me because attendees came from various countries for the event. So I dismissed it.
But I had accidentally sent it to my company's Slack organization instead of the hackathon-specific one. I didn't realize it until a co-worker sent me a private message asking why I had just tried to fire everyone at our company.
reply