On Thu, Sep 22, 2011 at 4:13 PM, David Narvaez <david.narv...@computer.org> wrote:
> Hi, just wanted to add this link with an interesting (and valid?) point of
> view
>
> http://threatpost.com/en_us/blogs/how-bug-bounties-are-rat-farming-092011

Yes, allowing uncontrolled personal bug bounties would

a) open the door to various moral hazards:
   - incentive for "rat farming" (as you mentioned)
   - incentive for working alone (or even in secret) rather than collaborating
   - etc., and

b) introduce lots of destructive petty conflicts of interest into an
   environment otherwise based on mutual constructive collaboration:
   - Who gets the money, the one who completes the last 1% of the work?
   - How are disagreements handled about by whom, when or if a bug was fixed?
   - etc.

To handle all those possible issues, lots of bureaucracy and
conflict-management would be needed, which would probably do the project more
harm than good.

However, I still wouldn't discard the concept of allowing users to invest
money into bug fixes completely.

It could potentially work if the bounties are not paid to any individual
developer, but go towards a common cause that benefits KDE (or the individual
project the bug belongs to) as a whole, like for example:
- money is donated to KDE e.V.
- money goes towards providing free beer (or food or whatever) at the next
  developer sprint
- money goes towards financing a new automatic unit testing server for the
  project
- money goes towards financing Nvidia cards for testing purposes (in the case
  of the KWin team ;-)

And even bounties paid to individual developers could *possibly* be made to
work in a very *controlled* (semi-automated) environment, like such:
- The project maintainer must explicitly mark a bug as "yes, this seems to be
  a nasty, not-so-fun bug to solve and motivation to do so is low among our
  team" before bounties may be placed on it (maintainers have to be trusted
  not to abuse this).
- A developer wishing to collect the bounty for a specific bug must announce
  his/her commitment to do so *beforehand*, and is then obliged to fix it
  within a specified time frame (within which no other developer can collect
  the bounty).
- Each developer may only take on *one* "bounty bug" at a time.
- Failing to complete a "bounty bug" as promised within the specified time
  frame bans the developer from the bounty system for a month, and opens up
  the bug again for other developers to take it.

But even then, the principal problems I listed at the top of this mail would
only be reduced, not eliminated completely.

So before serious discussion is even possible, I guess a thoroughly worked-out
proposal that addresses all those issues (and probably many others) would be
needed.