At the tail-end of 2013 I was building and optimising websites. I had a somewhat short-sighted view that placed more emphasis on website speed than its content and/or usability. Call it a phase, I picked up on it pretty quickly and took steps to knock the habit on the head.
I was using various CDNs to load a bunch of files for my websites, I have a vague memory that I was using 4 different providers at one point. I stumbled on cdnjs and it had all the libraries that I wanted to use in one place, but they were out-of-date.
This wasn’t a big deal as the nature of cdnjs is that it’s maintained by its users. The basic premise is that if there’s an existing library which is out of date (i.e., there’s a more recent version of it available to download), it can be added by way of a pull request. A pull request is essentially a proposed change from what’s currently in a given software repository.
Priming the ol’ noggin
Back in November, I had no clue what to do with version control software, let alone the intricacies of a pull request. For all my years of gathered and dispensed technical knowhow, I am not a software developer outside of websites. In the case of cdnjs, it uses
git and lives on GitHub. I read some primers on how to use
git, getting my head around the terminology and botching my way through some test code that, thankfully, never saw the light of day. It was ugly, and I was confused. I was, however, learning. Slowly.
I still wasn’t confident that I knew what to do, but I figured my usual approach of learning by doing was the best way of finding out. On November 21st, 2013 I raised a pull request to add ZURB Foundation 5.0.0 to cdnjs. About 24 hours later, it was merged. That was my first contribution to an open source project outside of sundry presentational changes I’ve put forward to Textpattern CMS over the years.
And so, it begins
November 21st was a big day. I made a change, and now people could start using the software that I uploaded to cdnjs. I had no part in writing the software, nor did I have any knowledge of that software library itself, either. A few days previously, I had decided that I was changing my go-to CSS and JS framework for websites from Bootstrap to Foundation, mostly because of reasons. It wasn’t that I didn’t like Bootstrap, it was just that Foundation was ticking more boxes for me.
November 21st was a big day for ZURB, too, because they released Foundation 5. They made it, I added it to cdnjs, and then I started using it from cdnjs on my own websites. In turn, many thousands of people also started using it from cdnjs. This felt good. Really good, actually.
In late January, I received an email from cdnjs co-founder Thomas Davis. In his words, he was debating giving me direct access to the cdnjs repository to update libraries. I figured that I’d either proven myself as competent or had become enough of a nuisance that it was easier for everyone concerned to give me a copy of the keys to the kingdom.
My reply was cautious; remember, I was still very new to this and really wasn’t ready for responsibility. What if I broke something? What if thousands of sites went down because I set off a chain reaction that I couldn’t fix? How long would it take Brisbane, Australia-based Thomas to fix an error that Cornwall, UK-based Pete has caused out of a hole in his knowledge?
Welcome aboard, Cooper
My tentative acceptance email reply explained my tricky work situation (no guaranteed time to commit, might disappear at short notice and be off-grid, etc). I resolved to only add libraries myself and not process any pull requests from other people. That way, it was low risk and I wasn’t letting anyone down by over-committing. Good. I joined cdnjs as a maintainer/collaborator on or around January 27th, 2014.
My me-only resolution lasted precisely two days. On January 29th, 2014 I merged and closed for the first time. I was working through some very heavy winter depression and for the first time in months I found a spark. I could marry my data management skills with something that gave hundreds of thousands of people a mysterious, intangible benefit: increased website speed and decreased load times.
The ball starts rolling
I don’t have concrete statistics for how much disk space cdnjs took when I joined — I have a very hazy memory of it being 1.somethingGB, remember I was learning as I went — but I can tell you that it currently runs to over 3.3GB of files. A large chunk of that is due to me, rightly or wrongly. I don’t believe anything I’ve added is a flippant use of space, or a waste of time. Related to this, I don’t have any metrics for what was and wasn’t used. The sheer volume of log file data across the cdnjs servers is prohibitively large to analyse, so any usage charts would be conjecture on my part.
Points, points and more points
According to the cdnjs contributor graphs, I’m responsible for over 25 million line additions, more than three quarters of a million line deletions and 400 commits. In 5 months. Yikes. I look at these graphs and see a bunch of imaginary Internet points. I can’t cash them in or trade them for a tasty burrito, so what purpose do they serve? They’re a reminder that I agreed to be involved with something that I believe in, gave it my best shot and learned a lot from the whole process. I had to-and-fro conversations with Internet-famous luminaries, earned my first BitCoin fragments from adding auto-update information to a handful of libraries and helped push bytes through pipes on a grand scale. I regret nothing.
The beginning of the end
I have used jPlayer extensively in my website building career. I know how to script it, how to cajole it, how to build it into Textpattern, the works. I was also involved in uploading the most recent versions of jPlayer to cdnjs, by way of numerous pull requests. If your jPlayer was version 2.5.something and served from cdnjs, I was responsible for getting it there.
On April 21st, 2014 a jPlayer cross-site scripting vulnerability was announced. The jPlayer accompanying ShockWave Flash (SWF) file was the culprit. jPlayer was yanked from cdnjs. It wasn’t handled very well, and annoyed a lot of people in the crossfire. I am pretty sure this was the first time that any library was pulled from the repository due to a security alert, and thankfully it hasn’t happened since.
Let’s talk about igotstung
I tell you this because one of the people who was affected by this library being pulled was GitHub user igotstung. He or she has assigned blame for the cross-site scripting vulnerability to me. Not the actual removal of the files, mind — that was Terin from Cloudflare, they provide the CDN server infrastructure for cdnjs — but the coding in of the vulnerability.
When I raise a pull request or commit directly, I take existing files from a verifiable source and provide some kind of audit trail as to my actions. cdnjs is a peer-reviewed setup, so if someone does something a bit whacky, it’s right and proper to bring this up for discussion and possible action.
I didn’t write the software that had this vulnerability. I don’t know how to, frankly. My involvement was uploading the affected file to cdnjs before anyone knew it was susceptible to Bad Stuff. igotstung plunked the blame squarely on me, and called for my firing, along with some other comments in that thread that were subsequently deleted by Thomas for swearing and threats against me. I was chomping my breakfast cereal when all this kicked off, watching abuse being hurled my way and was frankly a bit bemused by the whole thing.
By late morning, I’d received an email from igotstung threatening legal action against me. I ignored it. Two more emails arrived in the afternoon, escalating to death threats. I ignored them, too. I processed a handful of cdnjs pull requests over the day, and made a few more direct commits as usual. I went to bed as normal.
When I woke the next morning, igotstung had emailed me again. A lot. Each commit I made triggered a bunch of emails to me, mostly comprising violent threats, swearing, occasional broken Spanish and each time the emails came from a different email address, usually a stream of gibberish at a Gmail address. I was even more bemused than the day before.
Back in April, each commit/change I made created about 4 emails. In May, it increased to a dozen for each change. In June, it tailed off and it’s back down to about 5 or so per change. Curiously, when I have a day off cdnjs, I don’t get any email. Odd.
Enough is enough
It’s tricky to filter out email when they can’t be pinned down to a certain identifier. I know all the email accounts were made with Gmail, and on the few occasions they weren’t sent via the Gmail browser interface, igotstung used Tor IP addresses to hide their tracks.
My well-known high tolerance streak ran out in early June 2014 when I informed Thomas and Ryan of my intention to leave the project at the end of the month, something which I announced publicly shortly afterwards. The emails stopped for a few days; perhaps I’d triggered some guilt or bad feelings with igotstung, maybe this was the end of it. Had I broken igotstung?
The emails kicked off again with a wish that I’d “been born ahundred years ago so you would’ve died in the gaschambers in ashwitz” (sic). Abnormal service had resumed, but whenever I took a day out from cdnjs, nothing was received.
…and that’s your lot
I’ve left cdnjs for new pastures. I had an amazing time, learned a lot, met some stellar people and have no regrets. I’m still not a developer, but my first serious involvement as a contributor to an open source project has resulted in so many good memories that I’m inclined to learn how to write code.