Shouldn't 'I am not a supplier' apply to community management?

Recently "I am not a supplier | Musings about software" made its rounds through FOSS circles.

In the context of the XZ discussions, it was used to highlight that we cannot demand that hobbyist projects deliver security ratings, the way orgs like OpenSSF attempted to put it.

FOSS maintainers do not owe you a security-aware pipeline, government certifications, scorecards or anything like that, we say. Bullying maintainers into giving up their maintainer rights because they don't perform up to your expectations and do not provide a clear SLA on CVE fixes is not a solution.

But then, is the situation with the Code of Conduct and communities not the same?

Writing and maintaining a Code of Conduct, or generally maintaining a healthy community in your project, if you really mean it and are not just putting a badge on your GitHub repo, is a lot of work. It is important, it is needed, it is a growing pain and a huge risk. Exactly like the security work.

It requires high trust levels and careful navigation through non-disclosure topics.

It goes unnoticed for years until a vulnerability (a certain conflict) is discovered, and then the whole world goes crazy about it.

Should we demand every FOSS enthusiast to be able to deal with it? Can we demand it?

There are a lot of open conflicts and pain points in the world right now. We are all struggling with the questions: how do we make society better, do we do enough ourselves, how can we convince or force others to do their part…

And in FOSS communities we often try to compensate for things which we cannot fix in the bigger world: I cannot convince my government to enforce a mask mandate, so I go and push the local event organizer into it.

But we cannot hold a local volunteer accountable for everything which is wrong in the world. The organizer of a 20-people meetup in a local neighborhood cannot magically solve the problem of systemic sexism in the industry and give you a lineup of 5 professional women speakers. They also cannot be your bouncer and law enforcement officer. All of their resources, as a fellow volunteer, already went into overcoming their own autistic issues and announcing the date and topic of the event.

I am worried that the ever-growing list of criteria on how to be a “proper volunteer” and a “proper community”, while it means well, is damaging our grassroots. Rather than setting a direction to grow into, it creates a barrier for people to enter.

And the only people who pass that barrier are those who are ignorant of it from the start and are the least interested in growing.


The answer is that having a community is optional. I have a lot of projects where I don’t foster a community: I just put up the code, maybe I accept patches in private, but I don’t create a social context around the project.

If you set up a community you have a responsibility to moderate it. If you don’t have time to moderate it, appoint some trusted community members to do it. If you can’t do that, get rid of the community.

If I come up to your house and plant a Nazi flag on your lawn, it is your responsibility to remove the flag. If you create a community center and allow the KKK to meet there, it’s your job to kick them out.

No one is expected to magically solve patriarchy in order to have a community, though, they’re just expected not to tolerate misogynists. And it is valid to wonder if the reason some club can’t come up with 5 women to speak isn’t because they haven’t dealt with their misogyny problem.

As I see it, the major difference between a CoC and an SLA (or other supplier guarantees) is that a CoC benefits you, while the supplier guarantees benefit someone else. A CoC fosters a healthy community, and makes it easier to join one, because it is meant to protect those that need protecting. If properly enforced, it gives people a reasonable assurance that this is a healthy community. It does keep some people away, yes, and I believe that’s a great boon of it too, and comes at no extra cost.

Both require work, care, and maintenance, yes. But the CoC directly benefits the project, and its community. There are also a lot of decent templates you can use (the Contributor Covenant, I believe, is a solid base), so you don’t necessarily need to write it either.

It’s very different from the security guarantees, which would benefit the businesses using the project, not the project itself.


Something to also note is that it’s not specifically a project maintainer’s duty to form a community. A community may form itself around a project, initiated by someone else.

This, for me, ties into the “I am not a supplier” writing. “I am not a community leader” could be a corresponding thing to write.