Why does "low barriers" have to mean "no screening"?
Surely most contributors would be OK with a delay before their code was published, while it gets screened for known malware
Yet another NPM library has turned up infected with malware. Security firm Sonatype on Wednesday said it had spotted two related malicious NPM libraries that were named so they might be mistaken for a popular legitimate module that serves as a Roblox API wrapper. The two poisoned libraries – noblox.js-proxy and noblox.js - …
I can therefore create a package called noblox.js.jackpotnow and nobody is going to bat an eyelid until somebody actually wonders why that exists.
Somehow that does not strike me as "anyone can contribute", so much as "anyone can fuck it up".
I've got a feeling that the ease-of-contribution culture is going to get a healthy dose of reality check in the coming years. It's not because it's open source that it has to be a free-for-all. I'm sure developers are going to welcome a bit of verification if it means that their code can be kept from the dregs of the Intarwubs.
After all, what's the real cost of having to sign in to a project before being able to contribute? It's just a few emails and an identifier for your contributions.
Identifier that can be banned if you screw up, of course.
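The kind of automated screening the post above is asking for can start with something much cheaper than a malware scan: checking whether a newly published name merely rides on a popular one. The following is an added example, not code from the thread, from npm or from Sonatype. It flags a candidate package name that extends a known name with a bolted-on prefix or suffix (the noblox.js-proxy / noblox.js.jackpotnow pattern), that is a separator or case variant of it, that reuses it under a different scope, or that sits within a small edit distance of it. The `POPULAR` list is a constructed sample; a registry would feed it from download counts and an organisation from its dependency allow-list.

```javascript
// Added example: flag npm package names that look like a known popular package.
// POPULAR is a constructed sample list for this demo, not real registry data.
const POPULAR = ['noblox.js', 'lodash', 'express'];

// Canonical form: lowercase, drop any @scope/, strip separators, so that
// "noblox-js", "noblox_js" and "nobloxjs" all collapse to the same string.
function canonical(name) {
  const unscoped = name.startsWith('@') ? name.split('/').pop() : name;
  return unscoped.toLowerCase().replace(/[-._]/g, '');
}

// Levenshtein edit distance with a two-row table (O(n*m) time, O(m) space).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns the reasons why `candidate` could be confused with a popular package,
// or an empty array when nothing matched. One reason per popular name at most.
function lookalikeReasons(candidate, popular = POPULAR) {
  const reasons = [];
  const lower = candidate.toLowerCase();
  const candCanon = canonical(candidate);
  const unscoped = candidate.startsWith('@') ? candidate.split('/').pop() : candidate;

  for (const known of popular) {
    if (candidate === known) continue; // the genuine package is not a lookalike of itself
    const knownLower = known.toLowerCase();
    const knownCanon = canonical(known);
    // Allow two edits for longer names, one for short ones, to limit false positives.
    const maxEdits = knownCanon.length >= 6 ? 2 : 1;

    if (candidate.startsWith('@') && unscoped.toLowerCase() === knownLower) {
      reasons.push(`${candidate}: reuses the popular name "${known}" under a different scope`);
    } else if (candCanon === knownCanon) {
      reasons.push(`${candidate}: separator/case variant of "${known}"`);
    } else if (['-', '.', '_'].some((s) => lower.startsWith(knownLower + s) || lower.endsWith(s + knownLower))) {
      reasons.push(`${candidate}: extends "${known}" with an extra prefix/suffix`);
    } else if (editDistance(candCanon, knownCanon) <= maxEdits) {
      reasons.push(`${candidate}: within ${maxEdits} edits of "${known}" (possible typosquat)`);
    }
  }
  return reasons;
}

// Screen a batch of names and keep only the suspicious ones, e.g. as a
// pre-publish hold queue or a pre-install gate on a lockfile.
function screenNames(names, popular = POPULAR) {
  return names.filter((n) => lookalikeReasons(n, popular).length > 0);
}

// Usage on constructed sample names (noblox.js-proxy is the name reported above).
for (const name of ['noblox.js-proxy', 'noblox.js.jackpotnow', 'nobloxjs', '@evil/noblox.js', 'lodahs', 'react']) {
  const reasons = lookalikeReasons(name);
  console.log(reasons.length ? reasons.join('; ') : `${name}: no lookalike match`);
}
```

Whatever is flagged still needs a human or a deeper scan before publication; the point of the check is that it is cheap enough to run on every new name, so a bolted-on suffix does not sail through simply because nobody was looking.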
I'm inclined to agree. I've published game mods myself, and for me that included signing in. And yes, there was a delay while the code was screened before it was published.
But that wasn't Roblox. The target market for that platform is schoolkids. I can believe they view things differently. The question is, whether a slightly higher hurdle would discourage people who might otherwise go on to make valuable contributions. My instincts say probably not, but they also say the publisher probably has better data on that question than I do.