Hi, as it’s come up a few times in the comments: Tea is completely unrelated to Homebrew other than happening to have the same creator. Homebrew has zero connection to anything related to Tea and Max hasn’t been involved with Homebrew for the best part of a decade.
Mike McQuaid, Homebrew Project Leader and Homebrew maintainer for the last 15 years.
Hi Mike, Thank you for the clarification. To avoid future confusion, could you please suggest that the author of Tea removes the following information from their website?
> Led by the creator of Homebrew Max Howell, tea is Homebrew’s spiritual successor.
That's up to the community to ask, not me. It's not up to me what Max or Tea says on the internet, sorry.
It's worth noting the opposite direction: generally when an open-source project considers another to succeed it, it is noted on their homepage/GitHub repository. We (Homebrew) do not state Tea is a successor because, from our perspective, it is not.
Cryptocurrency has basically completely inverted the trust issue it's meant to solve (at least for many developers).
In theory, a decentralized ledger of project contributions / owners is a good idea for distributing sponsorship dollars without a middleman controlling things.
In practice, the brand of crypto has gotten so bad that developers are far more likely to trust centralized mechanisms like GitHub's funding.yaml and associated partners.
Of course you need a trust anchor. How would it work otherwise?!
If you can come up with a system where we could just all imagine up the same blockchain code, parameters, and have the code magically appear on our machines to run, that would be cool, but seems not really possible to me?
OTOH, what you can do with bitcoin and other cryptocurrencies, is download the code, review it, see if you agree to the rules laid out in the code, and if so, run it, and participate.
If you don't have the technical knowledge to do this, like 99.99% of people, you can delegate that trust of verifying and explaining it, to someone of your choosing.
No-one is expecting on-chain ledgers to solve off-chain trust. What they can do is make the process more transparent, more decentralized, and give people a much wider choice. You might look at this as competition. Alternatively you might sit on hn and hope to get a job in ad-tech.
Counterfeits exist in real life too, but crypto has the benefit that you can actually prove who created something where in real life a good counterfeit could remain undetected.
It allows you to show what key signed a record. It doesn’t tell you what person used that key, whether they were acting in good faith, or whether they had the right information. If you want to know any of those things you have to pay real auditors to check real world status, and at that point you’re going to ask why you need to pay so much more to use a slow database which requires always-on internet connectivity when you’d get the same value from a Yubikey or iPhone’s builtin cryptographic primitives.
In real life, counterfeiting is dealt with at multiple levels: legal, communal, technological. Laws are written to deter the act with punitive measures. Communities share information about how to spot counterfeits. Technology is used to make the act of copying harder.
The folly of NFTs, energy footprint aside, is thinking that a well-written smart contract is all that's needed to stop counterfeits.
Yeah but the crypto is outside of the object of desire. I too can give you a signed paper that tells you that you now own the Mona Lisa. You can even formally verify that the signature is real and by me!
Notice anything?
The important questions for you remain unanswered:
- Do I actually have the rights to sell you the thing I try to sell you?
- What do I actually sell you?
- Am I who I claim I am?
- etc.
NFTs are not answering any of these questions, they are the equivalent of an elaborate signature on the contract of the guy trying to sell you a bridge.
Yep… I can totally prove this random pseudonym/anonnym is definitely the same one that has… never been used before because due to social incentives you want zero links between identities and thus the web of trust is just a sea of filaments floating loose in an ocean
An ocean filled with fish poop…
It’s so great I can definitively verify that this ID is something… but that’s absolutely fucking pointless if I have no way to judge if the entity or entities controlling it, connected to it, supporting it, or even associated with it (to consider potential future actions)… the goal was noble but the implementation completely failed because to succeed would have required the participants to build anchors in the real world of verifiable identities… and for all the value people get from day to day use of cryptocurrencies… the biggest value of crypto was in staying as far away from the real world as possible allowing such things as drug purchases and international money laundering and illegal gambling at a level low enough to evade legal enforcement services coming after the players (since obviously if they could come after the casino/house they would since that’s where all the money is)
Let's repeat the basic fact: every crypto which uses a transaction fee is inherently a scam because it's a negative sum game. Everything else is bait to get you involved in the scam. There's nothing else.
Consider a team of people building a house. They have all sorts of things that need focus and work - planning the build, assembling resources, coordinating specialists and doing the actual construction.
Now, add a second team who don't understand anything about what the first team is doing, who the first team have to talk to every time they want to buy a pencil or screw.
How it is that anyone thinks this is a good way to do business is completely beyond me, and yet we have entire schools devoted to training people to do this.
You have to admit, most open source projects suffer from a lack of funding. I don't like this particular solution but something like it could work. It's supposed to be opt-in for project owners, and that's ok as far as I'm concerned.
As far as the forking issue, nothing really stops zero-effort forks from seeking compensation. Anyone could fork a project and replace all the donation links in the docs with their own. So if you do want to donate to a project, do a little research.
Financialization is why nice things can be done at scale. Without financialization the nice things would be smaller and less common. Expecting people to do high quality work for free is not sustainable.
Profit motives don't create quality. Passion and pride create quality. Unfortunately, passion and pride are unreliable, and products and services that rely on them are inconsistent. Profit motives create consistency, but produce products and services that are adequate at best.
So then, reserve profit motives for things that need to be done, and for which you can tolerate mere adequacy. I want my garbageman to be motivated by profit, because society would collapse in a week without garbage collection. For things that need to be done well, there's no alternative other than finding someone who actually gives a shit regardless of the profit involved (which isn't to say that they must live in poverty, but rather that profit must be a secondary motivation rather than a primary one; find someone who wants to be doing the work even if they weren't getting paid).
On the margin, there may be many people working in, for example, finance who would make highly valuable contributions to open source projects if they were financially incentivized.
What is effectively being argued here is that we should oppose grass roots subsidy of important public work just because there was a specific incentive issue in a specific initiative. The code doesn't care why you wrote it. Maybe some bad code gets subsidized. That's ok - don't use it.
Very similar: some guy created a video and a lot of people submit useless PRs, except for a T-shirt instead of crypto.
EDIT: Except, Hacktoberfest ran since 2014 and there was never an issue before the video, which (unintentionally) brought it a lot more attention and gave a bad example of an “improvement”. Incentives can be good if designed and explained carefully.
Hah! I was a contributor in the past, have 3-4 T-shirts and a bunch of stickers, and then last year in October I wondered what happened to Hacktoberfest, why it didn't have the coverage like it had in the past.
And since all of crypto/"web3" is about manufacturing monetary incentives (for the duration of a pump-and-dump anyway), there's no reason to allow crypto in public spaces like open source.
EDIT: if you're reading my comment, please see the response from Mike McQuaid, who's the _current_ project leader for Homebrew. It's good to know Max isn't involved over there anymore! Gonna leave my original comment below this line, so that the context still makes sense:
----
That fact paired with the fact that the guy behind Tea.xyz is the same as the guy behind Homebrew makes me _really_ distrust Homebrew going forward.
He's taking money from known crypto scammers to launch AI-generated nonsense (the pkgx nonsense from HN the other day) and abusive crypto-monetization patterns (this tea.xyz thing).
His biggest claim to fame was...a ripoff of the Arch User Repository, which is useful, sure, but not something that instills a lot of confidence in the "wants to promote himself off the back of others' work" aspect of his résumé thus far.
It’s completely unrelated to Homebrew. We have zero connection to anything related to Tea and Max hasn’t been involved with Homebrew for the best part of a decade.
Mike McQuaid, Homebrew Project Leader and Homebrew maintainer for the last 15 years.
Hey, thanks for responding! That's reassuring, but...how much input would Max still have to Homebrew if he chose to "return"? Like, if tomorrow Max decides that Homebrew is a great vector for another crypto scam, will the existing group of maintainers be able (and willing) to reject any changes in that direction?
Yes. Max would have to have all his PRs reviewed until he contributes enough to be a maintainer and then would have to run for any/all committees or the Project Leader role in elections. He has the same chances anyone else on the internet does.
The idea of creating a bounty system for open source projects is one that has been tried many times over the last decade+. These bounty systems never gain much traction because the incentive structure/economics don't work. The closest we'll get to these bounty systems are for-profit open source software companies, which is pretty good considering that there's a VC-backed open source company for almost any software category you can imagine.
I find your leap from "they haven't gotten the economics right yet" to "the status quo is the only way" concerning.
Being VC backed means accepting an additional constraint: it has to be remotely controllable by a third party, and if the user revokes trust in that third party, it has to become useless. Otherwise there's nothing to own, nothing to leverage for a return on your investment.
That places some pretty severe limits on how trustworthy such a piece of software can be. There's tremendous value in getting the economics right, even if we haven't yet.
Thanks for doing the research. My repo getgauge/taiko (listed on the screenshot) was affected by this. I reported these as phishing attacks as I had no idea what it was about.
> So much like Keybase got spammed with an influx of garbage users when they announced their Stellar token - GitHub is getting an influx of garbage users taking time and energy from me and others for this tea stuff.
Kinda off-topic but when this happened it was the beginning of the end for my use of Keybase. Stopped using it entirely after the Zoom acquisition, and I'd used their chat very heavily early on -- but trust was lost.
I think an inherent problem is that donors need to be continuously buying the tokens that developers are selling or the project goes to zero. So the protocol should be built for the donors.
They could say "People can contribute to a project by just staking tokens against a project" but staking tokens isn't a stream of new money. New money needs to be coming from somewhere.
Tokens can be created out of thin air, but money can't be.
It doesn't look good to me through a "game theory lens".
I thought we have learned from the crypto hype that stuff like tea.xyz and others in the crypto / blockchain nonsense space are set up for investors to dump tokens on others trying to make money out of it.
It is unfortunate that this is now targeting open source developers and it is even more disappointing that this is made from the creator of Homebrew.
Who is the customer of this and why? There is still no use case at all. A solution in a perpetual search of a nonexistent problem.
Tea is from the same person who was using AI generated descriptions in their package manager the other day. Probably best to put your old grift to bed before starting your new one?
Ironically it’s also the same guy who did Homebrew!
pkgx looks great on paper (did not try), but why oh why does Max want to put crypto and AI everywhere?
How much money did he make from Homebrew relative to its value to companies around the world? My impression of this was that he was tired of other people making money off of his work and that probably led to some wishful thinking that things would be different this time around. The cryptocurrency space has relied heavily on FOMO as a way to get people to think it might not be a scam this time, or at least one which will last long enough for them to cash out. I’m very sympathetic to the plight of unfunded open source developers but this is a mirage.
Some of the supposed selling points on the pkgx website are that they "build new releases almost immediately" and "add everything that people want without qualms", which seems to imply pretty lax quality control. Given that they apparently consider AI-generated garbage appropriate in package descriptions and issue comments, I would be even more wary. Is anyone checking that packages don't include malware?
AI is a fun toy. Of course people want to play with it. It's like the <blink> era of html. It's not an appropriate use of the technology, it doesn't add value... but... it's fun.
I would say the opposite. Homebrew isn't a broadly well-respected project from a purely engineering perspective (i.e. by anyone who's engaged with it in earnest) - it gets contributions because it has user-capture / network effect, but there's a lot of contributors who would prefer to be publishing packages on a more nicely stewarded platform.
You're a user - I'm purely referring to contributors.
It's clearly gained popularity for good reasons - it's an API that is very user-oriented, with reasonably good UX for most people. The downsides are mainly related to issues users don't see (i.e. security).
Homebrew adds a location to your $PATH that is writable by unprivileged users. This means any non-root process has privileges to mask any binary on your system. They do this in the name of "convenience" - so that the Homebrew process can install apps without the user entering their password every time.
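A check for the condition described in the comment above, added here as an example and not part of the thread or of Homebrew: it lists `PATH` directories that a non-root process could modify and the commands in them that take precedence over a later entry. `TRUSTED_UID` and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Homebrew code): audit a PATH string for directories that
# an unprivileged process could modify, and for commands they already mask.
# TRUSTED_UID is an assumption of this sketch: the only owner treated as safe.
TRUSTED_UID="${TRUSTED_UID:-0}"

# One PATH entry per line, duplicates dropped; an empty entry means ".".
path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | sed 's/^$/./' | awk '!seen[$0]++'
}

# True when directory $1 can be modified by someone other than TRUSTED_UID:
# it has a different owner, or it is group- or world-writable.
is_untrusted_dir() {
    [ -d "$1" ] || return 1
    [ -n "$(find -H "$1" -maxdepth 0 \
        \( ! -user "$TRUSTED_UID" -o -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# Untrusted directories of PATH string $1, in search order.
untrusted_path_dirs() {
    path_entries "$1" | while IFS= read -r dir; do
        if is_untrusted_dir "$dir"; then printf '%s\n' "$dir"; fi
    done
}

# Every directory of PATH string $1 holding an executable named $2, in order.
hits_for() {
    path_entries "$1" | while IFS= read -r d; do
        if [ -f "$d/$2" ] && [ -x "$d/$2" ]; then printf '%s\n' "$d"; fi
    done
}

# "name<TAB>masking dir<TAB>masked dir" for each command that resolves to an
# untrusted directory while a later PATH entry also provides it.
shadowed_commands() {
    untrusted_path_dirs "$1" | while IFS= read -r dir; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            hits=$(hits_for "$1" "$name")
            first=$(printf '%s\n' "$hits" | sed -n 1p)
            masked=$(printf '%s\n' "$hits" | sed -n 2p)
            if [ "$first" = "$dir" ] && [ -n "$masked" ]; then
                printf '%s\t%s\t%s\n' "$name" "$dir" "$masked"
            fi
        done
    done
}

# Audit the live PATH when run directly.
untrusted_path_dirs "$PATH"
shadowed_commands "$PATH"
```

A command is reported only when the untrusted directory is the first place it is found, so an untrusted directory listed after the system directories produces no masking entries for names the system directories already provide.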
I recently switched from MacPorts to Homebrew & from previous trials of Nix, MacPorts support is well ahead of Nix.
I used MacPorts for many years without many issues - only recently just started to get a little too frustrated with some new utils that were Homebrew-only & finally capitulated. So you can get very far with MacPorts (& it's a far better system than brew).
Be great to see something gain traction over Homebrew but I have a feeling many devs out there will only ever bother publishing on a single distribution platform for MacOS (whatever happens to be most popular).
Isn’t it best if the application developers just release their application on GitHub or similar, then package maintainers can package the software for their specific package manager? That’s how it works for many Linux distros, e.g. Debian etc etc.
> That’s how it works for many Linux distros, e.g. Debian etc etc.
Yes and no. It's certainly true of most packages but the smaller the package, the more likely it is that the distro package maintainer will be [a/the] maintainer of the original project, even with Debian.
The same is true of Homebrew, etc. - most of the package maintainers aren't the original project maintainers, which is ultimately why MacPorts support is so comprehensive despite not having anywhere near the same user capture as Homebrew. But the places you see frustrating gaps will always be at the edges, where it may be the original project creator creating a Homebrew package & no-one packaging it for anything else.
Pretty good, but you might still want to defer to Homebrew to install some software. Nix-Darwin _can_ drive Homebrew and basically manage its packages declaratively.
If anything this makes me seriously rethink my use of homebrew. I already had security-related concerns around it, but the fact that he launched this weird crypto thing that's going to cause a lot of spam on GitHub is pushing me even further away.
It’s completely unrelated to Homebrew. We have zero connection to anything related to Tea and Max hasn’t been involved with Homebrew for the best part of a decade.
Mike McQuaid, Homebrew Project Leader and Homebrew maintainer for the last 15 years.
OK Great Leader. People are noting that the “Homebrew guy” is behind two back-to-back stupid ideas (that package thing and this). You can’t deny that he was involved with Homebrew and that’s all that’s being said.
The OSS CV thing can be a double-edged sword for all involved parties.
> You can’t deny that he was involved with Homebrew and that’s all that’s being said.
Unfortunately, this isn’t true. The comment you’re replying to was in response to someone saying they’d reconsider using Homebrew now over this, and that sentiment has been common in social media.
Did you read the article? Abusing open source projects and wasting maintainer time as part of your crypto-scam startup business model is super unethical.
Mike McQuaid, Homebrew Project Leader and Homebrew maintainer for the last 15 years.