FindBugs project in its current form is dead(mailman.cs.umd.edu) |
FindBugs project in its current form is dead(mailman.cs.umd.edu) |
I’ve been juggling far too many projects, but I’m now working to move FindBugs back into the active rotation.
I also want announce I'll be working with GrammaTech as part of the Swamp Project, and they will be helping with rebooting the FindBugs project. This has been in the works for a long time (almost a year), and although I’ve known that GrammaTech was likely to win an award, this hasn’t been official and something I could talk about until recently. Was hoping to have something a little more concrete to talk about as far as that goes; but I don’t yet have the information I wanted to share.
Thanks to all the FindBugs fans and supporters who lobbied for me to return to active maintenance of FindBugs. Give me a week to get up to speed on current project needs.
Bill Pugh
I don't mean to denigrate you, but I must be candid here: hoarding admin rights so that only you have them and no one else can get any work done is simply not acceptable in a team environment.
Going forward, I would recommend taking a look through other projects you may be involved with, and make sure that you are not the only person with admin access. If nothing else, it would increase the "bus factor" to greater than 1: https://en.wikipedia.org/wiki/Bus_factor
Good luck.
https://github.com/google/error-prone
http://errorprone.info/bugpatterns
Pros:
* has faster cycle times and integrates into compilation workflow
* emits fewer false positives
* active maintainers fix issues
* releases several times per year
* FindBugs has a greater breadth of checks
* current error-prone releases only work with Java 8This turns out to be really quite relevant if you're building domain-specific static analysis checks, as opposed to just running standard analyses.
Can you provide more information on how this is achieved? As far as I know there is no official, supported, portable API for Java compilers. The only thing I'm aware of is APT and anything beyond that would require significant rearchitecture of the existing compilers.
I'm assuming that means it will only run on the JVM8, but it can analyze any version of Java code?
[1] https://mailman.cs.umd.edu/pipermail/findbugs-discuss/2016-N...
A previous response in the thread [1] also contains "hard fork", which is probably why I and possibly others have repeated it here.
It could be a trend, but my differentiation (here at least) is that a "hard" fork means that the maintainers themselves are splitting from the original project while also forking the original code base.
It would probably make more sense to just call it a "fork" :).
[1]: https://mailman.cs.umd.edu/pipermail/findbugs-discuss/2016-N...
While Coverity does incorporate Findbugs results, it also has its own analyzer that does much more interprocedural analysis and tends to be tuned better for fewer false positives and more accurate error messages. Historically at least, part of the reason for incorporating Findbugs was to make it easier to directly compare what Findbugs found with what Coverity's analyzer found. Because every customer wanted to know that.
I have no idea of current figures but historically Java was not a big business for Coverity. Other vendors had much more Java business (and incidentally also incorporated Findbugs results).
Finally, as you can see from the message the Findbugs leadership does not seem unified and easy to collaborate with.
So forgive me but I find your comment and its tone a bit unfair.
It might seem unfair, but you stated that "every customer wanted to know that". So that project has value to you.
I hope they can get a new project off the ground and can start rebuilding. We're approaching a time where JVM static analysis tools are going to have to start making some big changes to support upcoming features, and it will be a pity if some version of FB or a successor isn't there.
Once setup though, the quality of analysis is absolutely outstanding.
Why not just create a twitter account and do it yourself? WTF?
edit: presumably one of the downvoters is working right this minute to contact Bill Pugh via Twitter and put him in touch with the author, because that totally makes sense
https://twitter.com/search?f=tweets&vertical=default&q=%22%4...
One of the reasons is that the code is hard to maintain with most open source contributions being small improvements. How have other open source projects handled large scale refactors? Is it as simple as someone creating something new from scratch and then duplicating functionality? Are there examples of large open source projects that have had ground up rewrites?
Just for ad-hoc analysis in Java IntelliJ's code inspector IMO works quite well. It's also available in the community edition, so all of that code is open source: https://www.jetbrains.com/help/idea/2016.2/code-inspection.h...
well, netscape navigator turned into firefox. it cost them dearly (in terms of market share), but there wasn't much of an alternative (joel spolsky might not agree on that).
http://stackoverflow.com/questions/4297014/what-are-the-diff...
So one of the two active contributors left to start his own rewrite of the project, and this post is the other active contributor saying he definitely doesn't have enough time to keep doing this on his own.
If there's no association with the old project's name or references from it to the new project, then whatever came from it would probably not use the name "FindBugs", and either way, the original project ends up dead.
Many of our checks are essentially working around problems with the language or API design. For example, our ForOverride checker (http://errorprone.info/bugpattern/ForOverride) addresses the fact that existing Java visibility modifiers are not expressive enough for some things the Guava team wanted to do. Our HashtableContains checker (http://errorprone.info/bugpattern/HashtableContains) addresses an issue with a poorly-named method in the old Hashtable API, which really should be deprecated but is infeasible given the old code that uses it.
In all the companies I have worked through my career thus far, not a single one has contributed back in any form to the pile of FOSS libraries that they were using.
My team at EvilCorp contributes fixes to several open-source libraries. The reason this happens, though, is that two of our stronger devs said "the correct thing to do is to take the time to get these fixes into mainline," which they did. The answer to the question of "why" we do it isn't "because it increases our team velocity," but because we're software engineers, and that's what good software engineers do whenever possible.
5 of them are over a year old. Most of them had no review by the development team, and many of those that did, got stuck on Bill, for instance, trying to get Travis enabled: https://github.com/findbugsproject/findbugs/pull/48#issuecom...
There is no incentive to contribute to a project in such poor shape.
SonarQube abandoned FindBugs mainly because it was low on activity:
"FindBugs project activity: The activity on the project is quite low and thus the value coming out of it does not come fast enough to satisfy our users."
http://www.sonarqube.org/sonarqube-java-analyzer-the-only-ru...
Most successful projects in FOSS with many downloads get virtually no contributions or financial support back. Even the largest ones have an enormous user to contributor ratio with almost all benefits going to the users. Therefore, it's the status quo for open-source in general. Those getting tons of contributions and development without a company behind them are extremely rare.
I had a great article on this before my crashed HD deleted newer bookmarks. It was a woman that surveyed many popular projects to ask about their status. Most complained they were barely getting by, the developer(s) stretched thin, tons of requests without accompanying payment/support, and mostly no contributors. I'd like a link to that article if any readers know which one I'm talking about.
There weren't all that many such customers though (again, historically). A more typical customer was developing in C/C++.
On my case that would be the path to be fired.
In none of the companies I worked for, doing that would work without going though legal and all the necessary layers to green light it.
Not sure I can comment on the results on your own code, but I will say that volume of results is not always correlated with value in static analysis. There are plenty of noisy rules that basically have negative utility if you factor in the time it takes to review each issue. It's a complex balancing act between finding more issues, having fewer false positives, analysis time, understandability of results, and other factors.
On that very email chain, once the sitution was stated and as Bill kept on ignoring everyone as he did over the last year and a half, the community hard forked FindBugs and started aligning behind https://github.com/spotbugs/spotbugs
Bill's reappearance is now puzzling. To abandon the fork to go back to FindBugs would require major leadership changes, as confidence on Bill has been shattered. Keeping the fork leaves the project on the same point people tried to avoid in the first place.
Sounds like quite a few precautionary tales in this one.
She never ended up finding a solution to the problem and instead ended up joining GitHub as a opensource developer advocate (or something similar to that).
I've written checks in both error-prone and Findbugs and error-prone is simply more natural. Part of that is the Findbugs API, for want of a better word, is godawful, but the AST is simply the best representation of the program for analysis.
If you're going to analyse the AST, you then have a further two choices: build your own AST, or hook into the compiler. Building it yourself is dangerous here: firstly, it's repeating a lot of work that's already been done, but more importantly you want to be absolutely sure that what you're analysing is what you're actually building. Either way you have to do updates when the language changes, as any static analysis tool needs to.
Are there costs to this decision? Yep. Is it going to be the right tool for every job? Nope. But that doesn't mean that these decisions don't have reasoning behind them, and compelling reasons to go this way.
Google has done similar things several times in the past (GWT, GAE/J, Android) and every time updates to the latest Java required a lot of effort, were therefore late and eventually abandoned.
1) You have to execute your compiler on JDK >=8.
2) You cannot target bytecode <= Java 5.
See https://github.com/google/error-prone/blob/master/core/src/m... for the entry-point.
I'm very close to getting out of my depth here though :)
I also don't see how it is "very much akin to APT". APT is an API where the A stands for abstract and the I stands for interface. APT therefore is portable across compilers and supported. error-prone seems to be tied to the current implementation of javac.
It is as if words don't have a meaning anymore, all that matters is how you feel.
I am very reluctant to use such a tool because to me it looks likely that it's going to have similar problems to tools by Google relying on the implementation internal APIs in the past (eg. Android or GAE/J). Supporting new versions of Java is going to require serious amounts of effort and therefore going to be very late if it happens at all.
It does require a lot of effort to keep up with OpenJDK updates, but that's my team's job, and we have to do the work anyway to keep Error Prone running inside Google. We tie Error Prone to a specific version of javac, which matches the one we are currently using inside Google (https://github.com/google/error-prone-javac), so we don't have to support multiple different internal APIs. We are currently using a version of javac 9 from about a year ago, and we're planning a bump to something close to head maybe in Q1.
Eclipse integration would be a pain but would look a lot like what the Checker Framework does.
Error-prone is a compiler plugin _mechanism_ - once you have an error-prone compiler, the checks are arguments to the compiler just like APT annotation processors are.
It's built on a standard API - the JavaCompiler mechanism built into the Java SDK - but yes, the code does have further dependencies on com.sun packages. This is a little confusing because why expose the compiler for invocation and extension when extensions have to rely on unsupported code?
So, yes, there are ways where the distinction is important, but they're orthogonal to the point I was trying to make.
People who are passionate about a project, as a user or contributor, do tend to ask what the status/roadmap of a project is. At least in open source projects I contribute to, that's not considered as demanding something from the project leaders, just because no one has paid for the project.
IMO, there are times where it's valid to state that no one has paid for the project so aren't entitled to anything, but I don't think this case is a valid one. I've seen this statement being used many times with open source projects and such project usually tend to lose sight that users are a central part of open source projects.
However, "There is absolutely no reason to not be answering emails" gave me the impression that at least one person is demanding replies to emails. I still feel it's okay to tell the quoted person that if he doesn't pay someone he can't demand from that person to answer emails.
Last but not least, if someone hasn't answered emails for some time, who seemingly had enough trust before to be important in a software project, then it may be wise, even for people with legit demands, to see whether or not that person had good reasons for his absense or not.
I for one have lost all trust on his ability to lead the project after such long absence, and the fact that he only reappeared after this hit HN, and only to respond here, to me is an indication he cares more about what people may be thinking / saying of him, than the well being of FindBugs.
I fear, the only way for FindBugs to stay alive, is for Bill to do what he probably should have done a long time ago: step down.
https://github.com/jimbaker/talks/blob/master/jython-talk-py...
I don't mean to denigrate you, but I must be candid here: demanding work from others without putting in the hard yards yourself is simply not acceptable.
Going forward, I would recommend taking a look at your written communication, and make sure that you are being fair and kind.
Good luck.
- If you are the sole maintainer of a project, putting up a note in the README asking for a co-maintainer or someone to take over the project entirely.
- Responding to emails with, "I'm swamped/I don't think I can do this right now, can you help/would you be willing take on this role?" Totally acceptable. There are lots of eager developers out there who would be willing to contribute to an open source project if they could.
- Posting on HN asking if anyone is willing to help out. :-)
I get that sometimes stuff happens in real life--illness, working long hours, taking care of children or family members--these are all perfectly valid reasons for not being able to put in the time needed to work on an open source project. However, the developer community cannot offer its help if said help is not asked for.
This is ridiculous. Expecting the maintainer who hasn't contributed for over a year (hasn't given any life signs or shown any interest) to give admin rights to someone who genuinely cares about the project isn't entitlement. It's the absolute minimum he could do to keep the project alive at the expense of other peoples time and effort.
Sometimes there is.
You can express your disappointment in how a project is managed without implying that someone else isn't living their life properly.
Or are you implying the author is so thin skinned he cannot take a bit of judgement?
"Thank you for your email. This is an automated reply to let you know that active development of this project is currently on hold. If you have any questions, please email bob@project.com, who is the current maintainer."
That's it.
As such, there exists a kind of implied social contract between the project owner and users. The owner wants people to use the library[1] and improve it, and the users in turn want semi-frequent updates/fixes and to be informed about the status of the project. Projects that are regularly updated receive more users and contributors, who in turn help provide bug reports, improvement ideas and PRs.
Calling users "entitled" for asking the owners to adhere to the aforementioned social contract, which defines open-source and holds it together like glue, betrays a fundamental lack of understanding of what this ecosystem is and how it manages to be a legitimate alternative to commercial software.
[1]If the owner has other reasons for putting up the project on Github/Gitlab etc (e.g. it's their hobby project, or they want to showcase their code to potential employers), and has no intention to support it, then they should include a note in the readme that the code is not intended for production use. Problem solved.
No, there doesn't. The "reality" is this: you are using the code I have given out, and that's all you get from me.
I also very much enjoy how you talk about your own free time, and how it's not really "free" to evaluate this stuff, and thus there's a burden etc etc -- and then conveniently turn around immediately and say "but maintainers are required to give me their time, that's part of the social contract". What kind of bullshit is this? It's always the same shit -- time and money for me (I get to reap the rewards, shitpost on your bugtracker, and complain on my blog when you make me mad), none for thee (you're required to help me).
If you're so worried about your own time and your own cost savings -- go buy proprietary code. Or pay the maintainer. Then you can actually have a real contract without handwaving and appealing to non-existent "social contracts".
If you want to whine about taking on risk, maybe you should also bear the burdens of that, as well as the benefits. I'm sorry that's so unfair, but maybe it could teach you something.
> If the owner has other reasons for putting up the project on Github/Gitlab etc (e.g. it's their hobby project, or they want to showcase their code to potential employers), and has no intention to support it, then they should include a note in the readme that the code is not intended for production use. Problem solved.
So your answer is that we should always assume this "social contract" exists with every piece of code, and thus maintainers are obligated to slave away for us unless specified otherwise?
This entire post reeks of nonsense entitlement-justification. I do not owe you my free time because I posted a library on GitHub, though I may choose to give you my time. I am also free to rescind that offer at any time, and guess what -- I do not need your approval to do so (because, really, you are not that important). End of story.
It isn't the responsibility of the project owner to tell you that their project doesn't meet your needs. It is your responsibility to check how the project is run and choose whether or not to take on that risk.
People actually doing the work of evaluating the risks they are taking on is how open source actually does become a legitimate (sometimes safer) alternative to commercial software.
People not doing the work, taking on risk without doing their homework, and then whining when it bites them in the ass is, well, "the story of left-pad".
Fine, then say so on the readme file! It's not lack of updates people are worried about. It's the uncertainty that comes with not knowing whether the owner intends to continue developing it or if they have abandoned it. If you pay some attention, you'll see that's what this entire conversation is about: the owner of a popular project being the single point of failure and then going missing.
>>I do not owe you my free time because I posted a library on GitHub, though I may choose to give you my time. I am also free to rescind that offer at any time, and guess what -- I do not need your approval to do so (because, really, you are not that important). End of story.
Again, no one is asking for your free time. If you don't want to update the project or push fixes, fine, whatever. The only thing people are asking you to do is to transfer ownership of the project - or at least admin/maintainer rights - to someone else in a responsible manner if you decide to abandon it. You may call this "entitlement." I call it "being an adult."
And frankly, get over yourself. You aren't that important either. Just because you posted a piece of shitty code on Github doesn't give you the right to act like an asshole when people come to rely on that code. Try not to let it get to your head too much, mmkay?
Understanding that a project with a single maintainer may become unmaintained unexpectedly should be common sense.
> Again, no one is asking for your free time.
You literally are. Including the time and energy needed to decide whether or not to continue maintaining the project, and to hand it off in an appropriate way.
> Just because you posted a piece of shitty code on Github doesn't give you the right to act like an asshole when people come to rely on that code.
Is this normally the tone you take when asking people who helped you to keep helping you?
Just because you randomly downloaded some code from Github and chose to rely on it doesn't mean the author owes you a damn thing. Don't like it? Fork it. That actually is how open source works.