I think most consumer robots will be driven by centralized computing power. There's probably no need for the brain to be on the robot, just a good wifi connection.
EDIT: That is of course for robots that won't need to leave the house. Then again, I can't imagine the future won't have global high bandwidth cellular coverage with at least 5 9's availability.
I always worked for small companies early in my career for exactly this. The suspicion that large corporations are driven by egotistical sociopaths.
Now that I've worked for a large corporation I have proof that I was right (YMMV). Not only that, egos can become such a barrier to progress that projects within these companies become what I would consider criminally incompetent.
I say force the new maintainer to fork and then leave a note in your README that the currently maintained version is (here).
This way anyone who decides to trust the new maintainer will be able to act as a "canary in the coal mine", notifying others if they run into issues. This also delays the gratification to the new maintainer. If they're truly malicious they'll need to spend maybe months / years maintaining the code / fixing bugs until they'll be able to hit pay dirt. I think most malicious devs will not want to pay this price.
EDIT: This would also act as a window for (a) folks to find other alternatives for their projects, and (b) inspire folks to build alternative options.
I think the willingness to fork over access to widely used packages isn't just a reflection on your desire to move on from the project, but it also reflects your blatant disregard of the thousands, maybe millions, of people who depend on what you've built.
The problem here is that often, there's not just the github repo, but also the non-namespaced language package manager, e.g. npm, pypi. You'd have to transfer that at some point. I'm also unsure how you can notify your users... I have not looked at the readme of some dependencies for years.
I'd say force a fork there too. It's not difficult to switch to a new package once you find it and know the URL. I say force each user (whether it's end user or library maintainer) to switch manually to the new maintainer's fork of your project.
"I have not looked at the readme...". Maybe this will create a market for a new type of project. The one that lets folks know the status of the packages they use in their project.
As others have said, npm has ways of marking a package version as deprecated and npm also has scoped packages.
So if you wanted to stop maintaining your very own `right_pad`, you could mark it as deprecated so devs installing it get a warning in the CLI, and I could then publish my own `@klathmon/right_pad`, and you could endorse it in your readme if you wanted.
The problem is that if I mark my original right_pad as deprecated and then point to yours, we're in the exact same situation -- people who blindly follow the instructions on my repo will still download your compromised version and have their credit cards stolen.
If I mark my package as deprecated and I don't point to yours, then malicious actors flood with copycat namespaces, and you have @klathmon/right_pad, @danshumway/right_pad, @linus/right_pad, and even the occasional phished @k1athmon/right_pad. Would that extra confusion be enough to trigger an audit for a company that wasn't planning to audit the original dependency anyway? Would an overworked engineer have the presence of mind to double check that their version has the right prefix?
There are, I'm sure, people who think it's OK to upgrade a package without worrying about the security implications, but not OK to switch to another package when the original is marked as deprecated. But I don't know that those people are in the majority. Certainly, anyone who's not already using a lock file and freezing their dependencies is probably not gonna think too hard about this.
(Somewhat to my shame) I can think of several instances where I personally have found a repo marked as deprecated on Github, went to the repo that it pointed me at, and started using it without even checking to see who the new author was.
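A defender-side check for the copycat-namespace problem raised above, added here as an example and not part of anyone's comment: it audits a package.json `dependencies` map against the fork a README endorses and flags scopes that are a near-miss of the endorsed scope (`@k1athmon` vs `@klathmon`) as well as the same package name published under a scope nobody endorsed. The endorsed list and the sample dependency map are constructed for the example.

```javascript
// Added example (not from the thread): audit a package.json "dependencies" map
// against the fork a README endorses, flagging near-miss scopes ("@k1athmon" vs
// "@klathmon") and the same package name under an unendorsed scope.
const ENDORSED = ["@klathmon/right_pad"]; // assumption: the one endorsed fork

// Levenshtein edit distance, used to catch one-character lookalike scopes.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}
// "@scope/name" -> { scope, base }; unscoped packages get scope null.
function splitName(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], base: m[2] } : { scope: null, base: name };
}
// One finding per suspicious dependency: { name, reasons, nearest }.
function auditDependencies(deps, endorsed = ENDORSED, maxDistance = 2) {
  const good = endorsed.map(splitName).filter((g) => g.scope !== null);
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (endorsed.includes(name)) continue; // exactly the endorsed fork
    const { scope, base } = splitName(name);
    if (scope === null) continue; // unscoped: not covered by this check
    const reasons = new Set();
    let nearest = null;
    for (const g of good) {
      const d = levenshtein(scope, g.scope);
      if (d > 0 && d <= maxDistance) { reasons.add("lookalike-scope"); nearest = g.scope; }
      if (base === g.base && scope !== g.scope) reasons.add("copycat-name");
    }
    if (reasons.size) findings.push({ name, reasons: [...reasons], nearest });
  }
  return findings;
}

// Constructed sample dependency map, not taken from any real project.
const SAMPLE_DEPS = {
  "@klathmon/right_pad": "^1.0.0", "@k1athmon/right_pad": "^1.0.1",
  "@danshumway/right_pad": "^2.0.0", "left-pad": "^1.3.0",
};
console.log(JSON.stringify(auditDependencies(SAMPLE_DEPS), null, 2));
```

Run it against a real `dependencies` object in CI to get a list of scopes worth a second look before an upgrade lands.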
I don't think anyone would expect different behavior out of end users. But the "instant gratification" a malicious actor is seeking by asking to "maintain a package" will be delayed substantially. In fact, if you are straight up with folks telling them that you don't personally know who is now maintaining the fork, folks who do decide to trust them will know to proceed with caution and will probably watch the PRs on the repo for a period of time. So, technically not only are we delaying instant gratification of being given access to probably millions of "hits", we're forcing the malicious actor to actually maintain the package and gain the trust of the community independently before they can wreak havoc.
Then over time if it's an important enough package there will probably be discussions or blog posts about the new maintainer and what a "fantastic" or "terrible" job they're now doing.
If the economic model was different they might have spoken up. I think it might be worthwhile, in this case, to examine / contrast what a socialist society might do vs a capitalistic society.
EDIT: I'm in no way inferring this is a black and white issue. But I do think it's a worthwhile experiment for the mind.
Thefts, lies, frauds can and do happen everywhere. People follow incentives. If they can get away with it, many will do it. Be it investors trying to cash out with an IPO, or administrators of a government program.
The question is, what do you do once you find out about these people? To the gallows? Allow the blame to fall on the inevitable scapegoats? An inconsequential fine?
I had a similar idea a while back. The implementation I came up with (but never implemented) was to create a PHP extension that would link to a statically compiled Go module. Basically it would instantiate a network server on the Go side, and marshal the HTTP request/response data structures back and forth between PHP and Go. I imagined I would probably utilize a pthreads extension or one of the event loop extensions to handle each incoming request:
Generally speaking, if you expect the world to (as a first class principle) cater to your personal desires you will always be sad.
I didn't read the whole thing, but I'd be interested if anyone found any issue that doesn't have a workaround or can't be polyfilled to cater to this guy's expectations.
Edit: "reasonable" expectations. Requiring semicolon at end of line? smh Write your own editor plugin that inserts your semicolon (or write a preparser). PHP folks only wrote an entire language for the world to use for free. The least you could do (if it's really that big of a deal) is write a preparser.
We need to incorporate the fact that people will move on with their lives and transfer ownership of projects.
This could be solved in a few ways.
Maybe instead of signing over ownership, the protocol should be to force a fork and make notes in the README that there's a new repo whose author has not been vetted and should be used with caution.
Ever since I had a run-in with an extremely "motivated" team of head hunters, my belief has been that resumes are almost useless.
I was responsible for hiring a team a while back and, in retrospect, believe I put way too much faith into my practice of filtering candidates by resume content.