The Dark Side of Open Source: A Personal Account of Online Harassment, Entitlement, and Unethical Practices

[yogeshojha]

Last Edited On: September 13, 2024

As the creator and maintainer of reNgine, I feel compelled to share my recent encounters with online harassment, entitlement, and unethical practices. This statement aims to provide a comprehensive view of how individuals with sense of entitlement go on to harass me behind the anonymity of online interactions.

The Journey of reNgine and Community Appreciation

reNgine started as a mere hobby project, born out of personal interest and a desire to contribute to the security community. From its humble beginnings with zero stars, it has grown to a project with over 7,400+ stars on GitHub. This growth has been possible only because of the amazing open-source community that has supported, used, and contributed to reNgine.

There are times when I've made silly mistakes, and community members like @ncharron have stepped in to fix them. Other times, brilliant developers like @ocervell, @null-ref-0000, @ErdemOzgen, @jxdv have submitted substantial pull requests that have significantly improved reNgine's capabilities. These contributions, big and small, are what make open source truly special. I am incredibly grateful for every contributor that has helped shape reNgine.

As a maintainer, I'm constantly learning. I don't claim to be the smartest person in the room - I am far from it. The beauty of open source is that it allows us to learn from each other, to collaborate, and to create something greater than what any individual could achieve alone.

The Importance of Maintainer Control in Open Source

Before speaking about my most recent experience with this individual it's crucial to understand the role of a project maintainer in open source. it is true that open source thrives on collaboration but it's not a free-for-all where anyone can merge anything they like. If that were the case, projects would quickly become unusable.

As a maintainer, my role is to guide the project's direction, ensure that the feature submitted are needed for user nor merely a PR on github, and make decisions that benefit the project and its users in the long term. This sometimes means saying no to contributions, even if they're well-intentioned. It's about finding a balance between encouraging participation and maintaining the project's integrity and vision.

Timeline of Events

Note: Indented quotes throughout this document are excerpts from email conversations unless otherwise specified.

1. Prior to October, 2023: Two individuals Raynald Coupé (https://github.com/psyray) and AnonymousWP (https://github.com/anonymouswp) were actively fixing bugs on reNgine 2.0. This was their own personal effort and were not employed by me or promised for anything to them. During this period, both individuals contributed actively to the project, fixing several issues and bugs. Their contributions were valuable and appreciated and is evident from the release notes. https://github.com/yogeshojha/rengine/releases

2. October 24, 2023: These two individuals requested to be added as maintainers of reNgine on GitHub.

3. November 16, 2023: Based on their contributions, I granted both individuals a maintainer access to the reNgine repo on Github.

4. December 03, 2023: AnonymousWP asked if I am open to create an organization for reNgine.

From AnonymousWP: Also, what do you think about creating an org for reNgine?

I took this very lightly, and this was my first attempt to tell them my clear intentions for the future of reNgine

Replied by me: Regarding creating an organization for reNgine, I appreciate both of your enthusiasm and commitment to reNgine. I want to be transparent about my intentions. reNgine has always been and will continue to be a hobby project for me. I value the contributions and efforts of the maintainers, and I'm grateful for your support, but I'm not ready to turn reNgine into a formal organization or commit to a more serious level of involvement. My personal and professional commitments make it challenging for me to take on additional responsibilities and be answerable to the community. [...] I haven't taken any sponsorships because I have looked at reNgine as a hobby project and want to maintain/release without any added responsibilities and I want to maintain the project on my own terms without additional obligations and without being answerable to anyone. [...] Last 3 years, I have spent countless hours, weekends and pulling all-nighters because I felt better at the time.

Anonymous WP Responded on December 6 with this

From AnonymousWP: Thanks for your transparent stand in this - I really appreciate it when people are transparent about their thoughts and actions.

It is clear that both of them have understood my intentions for reNgine and I had hoped that this conversation would end here.

4. February 2024: On Feb I was getting married, and I was largely unavailable due to the new start of my life, unless for urgent bug fixes there were no releases planned. The most recent release had just happened 2.0.3! The above mentioned two individuals took this oppurtunity to takeover reNgine and began the series of pressure emails, only to continue for next few months.

5. April 20, 2024: I received an email from Raynald Coupé that marked as a turning point. This was only the begining of entitlement and pressure to takeover control of rengine. This was also the beginning of a series of harassments that followed for the next few months.

From Raynald Coupe aka psyray: "Hi Yogesh, We've decided to fork the reNgine project under an organisation. This gives us more control and removes the issue where only one user is in charge. [...] We don't want the community to depend on one person. [...] But now we think it's time to collaborate more and bring reNgine to another level. We know you told us it's a hobby project, a wedding, or life events. [...] We think you should be maintainer instead of owner, due to your inactivity, but let us know if you think otherwise. [...] Archive the reNgine legacy project"

These statements reveal a profound sense of entitlement and a complete disregard for my role as the project creator. The implication that a project can't depend on one person fundamentally misunderstands how many open-source projects operate. This ignores the fact that many successful open-source projects are led by single maintainers. It's not about dependency, but about vision, dedication, and the right of creators to guide their projects as they wish and should not be dictated by anybody else.

Moreover, the dismissive attitude towards my personal life events, including my wedding, is deeply concerning and disrespectful. Not only concerning but Raynald shows a lack of respect for my personal life and priorities. I find it particularly disheartening to see my personal life events, including my wedding, dismissed so casually.

It's important to emphasize: Why should I be expected to archive a project that I am actively maintaining? reNgine 2.0.3 had very recently released. Why should the preferences of these two individuals take precedence over my own vision for the project I created?

I have every right to prioritize my personal life over project maintenance. The implication that reNgine needs to be taken "to another level" despite mentioning multiple times to both of them about it being a hobby project is both presumptuous and disrespectful. Open-source maintenance is often a labor of love, not a full-time job, and that should be respected. Often personal boundaries set by project maintainers should be respected and not taken for granted.

Most alarmingly, the call to "Archive the reNgine legacy project" shows a complete disregard for my ongoing work and future plans for reNgine. This project is not "legacy" – it's actively maintained and being actively developed.

The begining of entitlement and disrespect to the work by project creators and contributors

The following statement, made by a Raynald, reveals a shocking level of entitlement in open-source collaboration. On a email dated April 20, 2024:

From Raynald Coupe aka psyray: "Archive the reNgine legacy project and redirect things like docs and the website to the new project called reNgine-ng. See issues for plans, but we're still working on it. We'll add you to the organisation to maintain the project. We think this should be maintainer instead of owner, due to your inactivity, but let us know if you think otherwise"

I mean come on! Every single words in this response is fundamentally wrong and the delusion Raynald is living is deeply concerning. This single sentence is more than enough to know their level of a profound misunderstanding of open-source principles and an alarming sense of entitlement.

The audacity to demand that an active project be archived is astounding. This shows a complete disregard for the creator's rights and the existing user base. By referring to the original reNgine as a "legacy" project, Raynald wants to justify his takeover. This is very disrespectful to the years of work put into the project and its current active status.

His suggestion to redirect documentation and the website to their new fork is a blatant attempt to co-opt the entire project ecosystem. This is not how things work! This goes way beyond just the code and tries to claim the project's identity and user base. This is not only disrespect to the project creator rather disrespect to all the contributors and the entire ecosystem reNgine is thriving on!

The level of entitlement displayed here by Raynald is is staggering. His understanding that contributing to an open-source project somehow grants the right to command it entirely is totally wrong. This attitude undermines the very foundations of open-source collaboration, which are built on respect, attribution, and the understanding that while anyone can fork a project, the original maintainer has the right to continue their work.

I responded, clearly stating my intention to continue maintaining reNgine as a hobby project while supporting their right to create a fork:

My Response: I mentioned this time and again, I will continue to maintain reNgine as a hobby project and unfortunately, I am not archiving the project to any organization. I have been very clear since the beginning of this project that this is a hobby for me. I had proposed this in the past, you can create the fork of reNgine, I do not have any issues, and since the licensing is GPL 3.0 you're free to modify or even commercialize the fork as you see fit. There are already organizations that have modified versions of reNgine as their commercial products, some with small logo changes to some major feature changes. I have never had any issues with anyone maintaining a fork. [...] I would like to once again clarify that I am not interested in archiving the original project or transforming it into a formal organizational structure. My vision for reNgine is to continue enjoying it as a personal project without the pressures of organizational commitments or added answers to anyone. [...] If you or anyone else believes that creating a fork of reNgine to an organization where you can bring in more features, and more frequent updates, why not, feel free to do so, but not at the cost of archiving the original project where I continue to enjoy my hobby.

Despite my clear communication that reNgine was my hobby project and that I had no intention of archiving it, the pressure only continued from two individuals:

In one of the emails sent by AnonymousWp, the following statements were made:

From Raynald: "And we ask you to archive projet as it could be confusing for the users to have 2 reNgine versions."

What is wrong with these individuals was beyond my comprehension, I still hadn't found the reason why they are asking me to archive my own project!

From AnonymousWP: "Cause if there'll exist two projects, users wouldn't benefit from it at all (unless they can find our fork). You trying to push a commit once in a while, with no pressure (which we can understand, because it's a hobby), only negatively influences the users and the entire community. [...] Or do you only do the project for your own benefit?

Okay, so somebody created a fork of any project, the original creator has to archive so that the forks can be visible? What is their level of understanding that I should give them visibility? My frustration with these two individuals had already crossed the limits. To this date, I do not understand why am I expected to please these both individuals?

Anyways, This criticism is unwarranted and fails to understand the nature of hobby projects in open source. The frequency of commits does not necessarily correlate with the project's value or the maintainer's commitment. Commits alone are not the true face of how active the project is. Period!

The implication that maintaining a project as a hobby somehow negatively impacts the community is not only false but also discourages individuals from sharing their work.

Moreover, these statements demonstrate a disgusting pattern of persistent pressure despite mentioning them my intentions multiple times atleast 5 times prior to this that it is a hobby project. It also shows unwarranted criticism, and a fundamental misunderstanding of open-source principles. This statement is problematic on multiple levels. It fails to recognize that many successful open-source projects start as personal endeavors, driven by the creator's interests and needs. The question subtly suggests that project maintainers have an obligation to prioritize community desires over their own vision, which is not a tenet of open source. It overlooks the significant time, effort, and resources that maintainers invest in their projects, almost always without compensation. This is also an attempt to guilt tripping which is inappropiate and manipulative tactic. What I still don't understand is that how can somebody dictate the vision of project, guilt trip me for not being actively involved while I am involved in my personal events? The community that uses had no complaints, no issues whatsoever!

This statement reflects a broader issue in some parts of the open-source community where contributors may feel entitled to dictate the direction of projects they didn't create.

It's important to remember that open source is built on generosity - the willingness of individuals creators to share their work freely. Questioning the motivations behind this generosity is not only ungrateful but also counterproductive to fostering a healthy open-source ecosystem.

Maintainers have every right to derive personal benefit from their projects while also sharing them with the community though most of the time creators/maintainers get nothing out of maintaining a open source project except for a fact the sense of happiness that I created, that is all!

I did not respond to their emails any further. My last email to them was on April 20, 2024 mentioning I am not archiving the project.

Unethical Practices: Verbatim Copying and Misrepresentation

On August 25, one of the community member reported to me about the verbatim copying of code, word-by-word and authoring as their own work. I then emailed Raynald asking to stop copying verbatim, and give attributions to the original authors of those commits or remove them in 24 hours if they dont want to.

It is important to know that AnonymousWP was not involved in any of further conversations. Since it was PRs of Raynald in concern, I did not involve him in any way.

The word by word copying included

• Pull requests sent to reNgine, some created by me and some created by community members
• Security Vulnerability reports submitted to reNgine by community members
• Github Issues, Feature requests, etc

These were some of the few of the PR in question:

1. This PR https://github.com/Security-Tools-Alliance/rengine-ng/pull/164/files copies code verbatim word-by-word from original reNgine pull request https://github.com/yogeshojha/rengine/pull/1306/files

2. https://github.com/Security-Tools-Alliance/rengine-ng/pull/147/files This pull request copies code verbatim from the original reNgine pull request: https://github.com/yogeshojha/rengine/pull/1340/files

3. https://github.com/Security-Tools-Alliance/rengine-ng/pull/141/files This pull request copies code verbatim from a contribution by our contributor @pbehnke to the original reNgine project: Fix importing CIDR blocks #1205

4. https://github.com/Security-Tools-Alliance/rengine-ng/pull/182/files This is again word-by-word copy of the PR from reNgine https://github.com/yogeshojha/rengine/pull/1313/files and https://github.com/yogeshojha/rengine/pull/1328/files

5. https://github.com/Security-Tools-Alliance/rengine-ng/pull/180/files is a word-by-word copy of the PR https://github.com/yogeshojha/rengine/pull/1296/files

6. Security Report bug(ui): stored xss Security-Tools-Alliance/rengine-ng#179 which was originally submitted by one of our community member to reNgine Stored XSS On Rengine #1185. This is a work of @mufazmi and yet again no attribution to the original author. This violates not only GPL-3.0 but also infringes on individual contributors' intellectual property rights.

7. This security fix https://github.com/Security-Tools-Alliance/rengine-ng/pull/2/files is yet again word-by-word copy of the original fix by @0xtejas https://github.com/yogeshojha/rengine/pull/1227/files

This unethical practice extended not only to my work but also to contributions made by other individuals like @mufazmi, @0xtejas, @pbehnke who had trusted and submitted their work to reNgine.

Example:

My email to Raynald on August 27, 2024 included

From me to Raynald: You have not only copied my code but have also actively been copying PRs sent to reNgine. What makes you think it was okay to copy the code verbatim? Looking at these side by side, not even a single line changes, and yet, you authored these commits as if they were originally developed by you. I am sure there are many more such instances that I don't even want to go through. These are just a few examples that have been brought to my attention. The level of similarity is not coincidental - it's a clear pattern of systematic code theft and misrepresentation. [...] Not just this, I feel compelled to address your past disrespectful and entirely inappropriate demand that I archive my own project, reNgine, and hand over maintenance to you guys. And now you have been copying features/codes/issues as-it-is. I am unequivocally clear on these kinds of things: your suggestion that I should abandon my own actively maintained project for your benefit was not only absurd but deeply offensive. More than anything I find it very offensive that you copy someone's work and claim it yours! [...] Remember that my work is my work, and the contributions that authors have submitted to reNgine in the form of code, issues, and fixes are their work - not yours or anyone else's. You just cant copy verbatim and claim it to be yours. I want to be be crystal clear: 1. This behavior is unacceptable and must stop immediately 2. Your actions are in direct violation of the GPL 3.0 license under which reNgine is distributed 3. Presenting others' work as your own is beyond ethical [...] If you fail to remove all the verbatim code within 24 hours I will be forced to publicly disclose these unethical practices and your past misconduct to the broader open source security community. Be advised that I have thoroughly documented all the instances of code copying verbatim and your past misconduct. I am fully prepared to use this documentation to support any necessary actions to protect reNgine.

Raynald did not respond to this concern for 13 days! He went on to present this copied work at a conference, even continued to copy verbatim another fix after I sent the email.

For example this: Security-Tools-Alliance/rengine-ng#179 work of @mufazmi was copied word by word, without any attribution to him after I had sent the email to him asking to stop doing so further.

I waited for a week and since I had not received any response from Raynald, I filed a DMCA complaint with github.

On September 9, 2024, After 13 days He finally responded but with dishonesty and hostality:

From Raynald: "I think you misunderstood our work on reNgine-ng or you pretend to do so. [...] I've taken other PRs from your repository that were buggy, I've fixed and published them. Feel free to find them and do a diff. [...] Do Your Things, We Do Ours"

This statement is particularly concerning because it's a blatant misrepresentation of facts. The code in question was copied word-for-word, with no changes or bug fixes. This kind of dishonesty undermines the trust that's crucial in open-source communities. Anyone can verify any of the commits, PRs and issues mentioned above, they were copied word by word with no changes and no attribution to any of our community members. Thankfully github history doesn't lie like Raynald!

The Toxicity: "Do Your Things, We Do Ours"

This seemingly simple response from Raynald is deeply problematic attitude. This statement completely dismisses the fact that they are working with code and ideas that originate from someone else's hard work and vision. It's not just "their things" – it's built upon the foundation of the original project.

This was his response about my legitimate concerns about code usage and attribution, this phrase dismisses those concerns outright, showing a lack of respect for ethical standards in open-source development. If this happens everywhere, we do not need ethics, we dont need morals, everybody can say "Do your things, We Do ours". But that is not how world revolves!

In one of the responses, I mentioned to him

Your suggestion to "do your things, we do ours" ignores the fact that you are using my code and the contributions of others without proper attribution. And yet very shamelessly you use such words "do your things, we do ours". You have been super unprofessional since the beginning and yet another example of how unprofessional you are. Your response is very disappointing. There is no misunderstanding on my part. The issues I've raised are based on concrete evidence of code copying without proper attribution. You are the one that copied the PRs and code word by word man. When everything is so clear, why are you even arguing rather than accepting what you have done? Your claim that I am "credited everywhere in the code" is very false. I have multiple examples of verbatim code copying without any attribution.

In the open-source world, we are all building on each other's work. The appropriate response to concerns from the original creator should be engagement, not dismissal. "Do your things, we do ours" may sound neutral on the surface, but in practice, it's a rejection of the collaborative and respectful ethos that makes open source powerful and innovative. And to the fact that his entire work is based on my work, and I am only raising ethical question of what it is wrong!

From Raynald: "And please stop threatening us with some 24 hours delay..., we are not bad guys"

This response from Raynald is a clear attempt to deflect responsibility and mischaracterize legitimate concerns as threats. He fails to understand that setting a deadline for addressing serious ethical violations is not a threat; it's a reasonable response to protect one's work and the integrity of the project. By framing himself as victims of threats, he's attempting to shift the narrative away from his own actions and his dishonesty.

I then responded:

From me: implying that I'm treating you as "bad guys" is unprofessional and does not address the seriousness of the violations you have done man. You can not simply put your words in my mouth, I have not characterized anyone here either good or bad."

As DMCA process was ongoing and he didnt want to admit that we was wrong, I further pressed on this issue, his response was even more troubling:

From Raynald: "I didn't say I've not done copy pasting of PRs from your repository, I've said that according to the GPL v3 license, I've the right to copy PRs word by word."

This statement shows a fundamental misunderstanding or willful misinterpretation of open-source licensing. The GPL v3 requires proper attribution, which was not provided in any of the word by word copy of PR, issues, and security reports.

His response reveals a dangerous misunderstanding of open-source licensing and ethics. While GPL v3 does allow for code reuse and modification, it doesn't grant the right to copy without attribution or to misrepresent authorship. This interpretation ignores the core principles of open source: transparency, attribution, and respect for original creators. By claiming the right to copy "word by word" without proper credit, Raynald not only misinterprets the license but also violates the trust and collaborative spirit of the open-source community.

It is my right and responsibility to protect not only my work but also the work of others who have contributed to reNgine. The complete disregard for intellectual property and the contributions of the community is unacceptable.

He furtner responded,

From Raynald: "And for your information, you are credited everywhere in the code, and we have no intention of removing your name, and PR authors, that you said we have "stolen code", will be mentioned when the release containing their modifications will be out"

This is deeply problematic. It attempts to justify unethical behavior by promising future attribution. Proper attribution in open source should be immediate and clear, not a future promise.

By delaying credit to PR authors until an undefined future release, they're effectively using others' work without proper acknowledgment in the interim.

I believe is is not just about eventual credit; there will be no change in one's life with these credit but it's about respecting the work and rights of all contributors throughout the development process.

Also, Raynald is dishonest yet again. Lets look at this one PR: Security-Tools-Alliance/rengine-ng#147. The PR was copied word by word 3 weeks ago, and there was no credit to the original author. It was edited 3 days ago and credit given only after github took action of DMCA complaint.

The Dark Side of Online Interactions: Persistent Harassment and Disrespect

The ease with which individuals like Raynald can engage in harassment and bullying behind a screen is a serious issue in the open-source community. Statements and personal attacks made by Raynald like:

From Raynald: "Do what you wanna do with the security community, I don't care about that." This was response to my original email where I said if this continued I will be forced to publish these things to wider security community. [...] You can't do nothing with that, take apart change your license.

From Raynald: "This is my last email to you, I will never respond to you, never. [...] Unprofessional, let me laugh 😂 From a guy that release buggy code, it's just so fun. Nice coding."

From Raynald: "We just think, according to the "not well tested" functionalities published with release 2.0 that your project is too big for only one person."

demonstrate a complete disregard for community values and an attempt to intimidate me into silence. This behavior, hidden behind the anonymity of online interactions, should not be tolerated. It creates a toxic environment that discourages innovation, collaboration, and the sharing of knowledge that is at the heart of open-source development. These comments are clear attempts to undermine my competence and professionalism. Instead of engaging in a factual discussion about the ethical concerns raised, the individuals chose to attack me personally. This kind of behavior has no place in professional discourse or the open-source community. The question was simple, the PRs, issues and security report were copied word by word, instead of admitting that it was done deliberetly, he engages in personal attacks and it is not at all acceptable.

The Emotional Toll and Broader Implications

The constant pressure, disrespect, and bullying took a toll on me personally. I somehow tried to ignore this and focus on the most recent release 2.2.0. Initially I thought to ignore this and move on, but individuals like them will only continue to engage is such toxic behaviour with other creators like me.

This experience highlights a darker side of open source that is often overlooked.

When individuals like them feel entitled to others' work, when they pressure creators to abandon their projects, and when they engage in harassment and bullying, it creates an environment that discourages participation and innovation.

The emotional impact of such behavior cannot be understated. It affects not just the project but the mental well-being of the developers who pour their time and passion into these projects. It's crucial that we as a community recognize and address these issues to create a more positive and supportive open-source ecosystem.

DMCA Complaint

On September 2, 2024 I submitted the DMCA complaint. Github took swift action and asked them to make changes for not complying. All the PR, and issues description have now been edited by both individual Github is yet to take final decision as I publish this. I will update the DMCA complaint URL as in when the decision from github is final.

Despite the fact that now Github has asked them to comply with GPL v3 and they had to make changes, both individuals haven't made any apologies for their wrongdoings, neither to me, nor to the members that their work was copied verbatim.

My Stand and Moving Forward

I remain committed to reNgine and the principles of open-source development. I do it not because I expect anything but because I have fun doing this. The fun sometimes quickly turn into stressful situation due to the silly mistakes or bugs I introduce, the other times it becomes a joy with exciting features I and community publish. I want to continue enjoying this stress and joy of opensource.

After the Github Action on DMCA complaint, while this is a step in the right direction, it don't erase the impact of their actions or the emotional distress caused by months of constant pressure, harassment and bullying, undermining my competence and professionalism.

A Call to the Open-Source Community

To the open-source community:

1. Be vigilant against harassment, bullying, and unethical practices, especially in online interactions where it's easy to hide behind a screen.
2. Respect the work and decisions of project maintainers, including their right to maintain projects as hobbies.
3. Respect the personal boundaries set by project maintainers, often most of these maintainers do it for nothing.
4. Remember that behind every project is a person who deserves respect and professional treatment and no one should be trolled, or questioned about their competence.
5. Speak out against toxic behavior when you encounter it.
6. Understand and respect open-source licensing, including proper attribution of work.
7. Recognize that maintaining an open-source project is often a personal commitment.

reNgine will continue as an open-source project, driven by passion and supported by a respectful community. By sharing this experience, I hope nothing but to shed light on the darker aspects of open-source development and contribute to a more respectful and ethical open-source ecosystem for all developers. Let this serve as a reminder that online harassment is real, damaging, and has no place in our community.

Thank you
Yogesh

No part of the email response I have shared from either sides has been modified or changed in any way

[AdkSrijan]

have been a big fan of reNgine since a long time, and what these two have done is beyond the ethics, shocking details, more power to you Yogesh and reNgine

[V35HR4J]

Their actions are unethical and disappointing. Wishing strength to reNgine moving forward.

[psyray]

Hi @yogeshojha
You could tell what you want it was not our intention.

We do not want to takeover anything.
We don't want to rob anyone.

We want a reNgine that just works.

All the rest is purely imagination and paranoia from yours

We just want to help you, you don't want, ok, right.
We ask you if we can do a fork, you were agree.
So we did it.

For archiving, it was just to not confuse users, not to steal your project

There are numerous of open source project that have been forked and developed differently.
I don't understand why this could not be done with yours.

Have a look at this

Perfect example of why we did this, nothing more

And also the case of CrackMapExec forked to be NetExec, more in concern with the security community.

But I don't want to spread my life like you do, I have no problem with my conscience.

Let the DMCA process go and we will see.

You are doing underhand maneuvers to stop us, by picking on the elements that we were going to deal with.
Anyway, giving our name, email and sharing personal communications is not a good way to act.

Regards

For those who wants to know why we create reNgine-ng @AnonymousWP and me
Here is the reason
Security-Tools-Alliance/rengine-ng#136

[yogeshojha]

Once again, you're deflecting from the main concern. I have never had any issues with forking - we discussed this, and I agreed. The GPL v3 license allows forking regardless of my personal agreement. The real issue here is your unethical practices, verbatim copying without attribution, and your behaviour towards me as the original project maintainer. Not a single line I have said "the fork is not legitimate", or have I?

All the rest is purely imagination and paranoia from yours

Let me be absolutely clear:

1. Your harassment are very real
2. Your verbatim code copying are real
3. Your constant pressure to archive my work work is real

I am tired of your delusion and your constant harassment. For a second accept what you have done and move on!

not a single word in my public statement is imaginary or modified. Do not lie in public. Every detail, including the quotes from our communications, is factual and documented. If you truly believe that my statement contains any fabrication or imagination, I urge you to point out a single word or sentence that is modified, false, or imaginary. Take this opportunity in a public space to show what is imagination from this entire public statement.

There are numerous of open source projects that have been forked and developed differently.

The same way you miss to agree the existence of reNgine by asking archiving and calling it legacy, fun fact you are still referencing the so called "legacy project" to maintain your "next generation" project!

Anyways, like always you miss the point entirely. The issue is not the fork itself, when was it? but your repeated pressure on me to archive my own work and hand over control. How many times did you ask me to archive my project? How many times did you pressure me despite my clear communications? This behaviour is not justifiable. Why couldn't you accept the existence of reNgine? My email on Aug 27th had links to PR that you had copied word by word and authored those commits, the real problem lies on those.

For archiving, it was just to not confuse users, not to steal your project

Why am I supposed to archive my work? You want to work? yes go ahead but why should I archive? When the project is constantly updated, what is that you keep pushing me to archive? Why am I supposed to please you? So tomorrow you want to fork another project, you want to mail the project creator and archive that? No sane mind would think it is okay to ask the actively maintained project to archive the project.

Let the DMCA process go and we will see

The DMCA process has already begun and GitHub required you to make changes, which you have done. In all the PRs and issues that were in question, didn't you make changes? What more is there to "see"? If you had simply provided proper attribution when I first raised this issue on August 27th, we could have avoided this entire DMCA process. Your reluctance to acknowledge the attribution issue and take appropriate action immediately is what led to this situation. Still you think the issue is with fork, despite mentioning you on email, "this is not an issue with fork" rather your lack of respect for original creator, existence of original reNgine and verbatim copying of PR and other related stuffs without any acknowledgement. Rather you argued that you have every "rights to copy word by word". and asked me to change my license in return.

You are forgetting the fact that I tried to resolve this privately, in return you only made personal remarks on me. Arent these your exact words? I gave you more than 2 weeks to resolve this in private!

From Raynald: "Do what you wanna do with the security community, I don't care about that." This was response to my original email where I said if this continued I will be forced to publish these things to wider security community. [...] You can't do nothing with that, take apart change your license.

From Raynald: "This is my last email to you, I will never respond to you, never. [...] Unprofessional, let me laugh 😂 From a guy that release buggy code, it's just so fun. Nice coding."

You continue to harass me privately and you expect me to be silent?
If the statements I have put are false, have the guts to say no these were not my replies.

Dont change the narratives, and deflect from the actual concern.

[yogeshojha]

Exactly you are still pushing your agenda, let everybody know.

By referencing to your announcement,

Open-source projects should never depend on [only that one person if you know what I mean.

Seriously? "Should never depend on?" Who are you to say this? People will create they like! They will publish their work as they like, and continue to maintain as they see fit. They don't want to maintain? fine, their call!
Wake up from this delusion Raynald, its not too late.

[yogeshojha]

Anyway, giving our name, email and sharing personal communications is not a good way to act.

I would not had you acted professionally in private. You had ample time for 2 weeks to resolve this, in return I was harassed, made fun of my competence, and asked to change my license in return! You said you will not respond to me, never! If everybody silences about such online harassment, people like you will only continue to do so. You should have thought multiple times, before sending a project creator such replies. Esp when you are actively involved in referencing the work you continued making fun of my competence. Not a single time you thought about the consequences even after warning you multiple times. Also, it is not a personal communication, it is a project related conversation.

Raynald, a good way to act is also not harassing project creators. I hope you know this. A good way to act involves mutual respect and respect to the boundaries I have clearly set, not once, not twice, on multiple occasions I have set my boundaries.

[yogeshojha]

But I don't want to spread my life like you do, I have no problem with my conscience.

Yes because for people like you its much easier to make derogatory remarks, easy to involve in harassment and importantly troll them and make fun of them. Much easier isn't it?

[AnonymousWP]

I know I have not been addressed per say from your side, but due to the mention and the DMCA, I'm feeling like I should respond. I initially wanted to respond pretty detailed about what's going on and to debunk a lot of what you've said, but upon reading I got a feeling that you're using AI for this announcement and also for your emails. Unfortunately, I got this pretty much confirmed (if I had to make a wild guess, I think about 75% of your post, and emails) are generated with or partly by AI:

If you need AI (which can hallucinate and twist words. Now I also understand why some things you've said are completely taken out of context and are also misinterpreted by the AI. Threatened? Harassed? Really??) to put us in a bad spotlight (sure, we have not credited everywhere as we forgot, and we should have, but you could have told us and we'd have fixed that immediately). Instead, you want to take it down this road by creating an immense amount of drama. Our main focus has always been: the best for reNgine(-ng) users, not for our own good or whatsoever. It's just a bad idea to let an important project depend on 1 person (who's inactive, but now became active because he notices reNgine-ng is already starting to become popular), and also to release very buggy versions (just look at the amount of reports on Discord and GitHub). But like I said earlier: I'm not planning to go into detail about your rants/posts, as it's mostly written by AI anyway, so that's not worth my time/effort. It'd have been better if we could have solved this as adults (the solutions were easy, but instead you decided to take it to high court directly lol), instead of taking it to the public for the sake of public shaming.

And oh: posting PII is just pathetic. Then telling us we're being unethical, lmao.

This is my only and last reply due to the aforementioned reason. Good luck with your hobby/standalone project nonetheless.🙂

[yogeshojha]

Exactly, thanks for making this comments in public. It only shows to everyone how you both always deflect from actual concerns. Not harassment? Oh really? For how long both of you have continued this?

All the responses made by Raynald, all the personal attacks, continous pressure to archive my work, mocking my work, this is not harassment? What's your definition of harassment? What was it supposed to happen?

High court?
Were you not cced by Raynald? For two weeks you couldn't respond privately? There was an attempt made to solve this in private.

What was the comment made? In return I was asked to change my license, told you have "rights to copy word by word". How difficult is it for both of you to think for a moment the damage you both have caused? Realization of your actions are very important.

Pathetic for publishing a PR?

Grow up buddy, its pathetic to harass someone, its pathetic to not respect one's boundaries, its pathetic to make personal remarks, its pathetic to sit behind the screen and make fun of years of hard work of someone. You will not understand this because its much easier to sit behind keyboard and its to diss someone.

There are 100s of allegations, yet you fail to respond to any! Not even one!

And rather deflecting from actual concern.

I had hoped you would do better than him since you were not directly involved in the later part of conversation. But no!

This is not for the sake of shaming! Respond to the things you have done, that is all. You are time and again failing to understand what has happened on email chain. This was there for two weeks, there was an attempt made to solve in private.

Weren't these response made in private? And you are expecting me to be silent? Everybody in sane mind knows what you both are upto

This is my last email to you, I will never respond to you, never. [...] Unprofessional, let me laugh 😂 From a guy that release buggy code, it's just so fun. Nice coding."

This is not making fun of? For a concern of copying verbatim, which actually happened, simply respond to the concern and move on! Nope you both have to create drama!

[yogeshojha]

Both of your repeated actions

It's just a bad idea to let an important project depend on 1 person (who's inactive, but now became active because he notices reNgine-ng is already starting to become popular), and also to release very buggy versions (just look at the amount of reports on Discord and GitHub).

What's wrong with you? Let me do my work alright?

See once again how you change the narratives! Didn't I mention I will be away for my personal events? Now that I was away, how disrespectfully you are active because saying notices reNgine-ng. I have been actively developing reNgine for 4 years, your "next generation" project came 2-3 months ago, there you go your statement is False! This is how you both change narratives. Always takes help of lies.

Is that why the recent features and bug fixes have been taken word by word from reNgine because I am suddenly active?

A project maintainer will maintain the project as they see fit. Period. Your unwarranted criticism can't be any far from being dishonest like always.

What even goes into your mind when you make such statements?

[prashunbaral]

AI or no AI, you didn't respond to his concerns. It is evident that this guy was harassed and pressurised to archive the project. If its false you must respond to that. Otherwise you are at clear fault here.

And saying he became active after rengine-ng is popular is offensive. I just checked this guy's releases, there has been 6 releases so far around april till date with majot releases.
What's your disrespect to him actually for? We are assuming you are disrespectful to him because he didn't agree to your terms and conditions.

And isn't he free to create as he wishes?

Anyways for entire community its evident what has happened, with both of your responses in public, I think it's time we as community hold you accountable.

[0xtejas]

Dear @yogeshojha, @psyray, and @AnonymousWP,

It is with a heavy heart that I observe the current conflict and allegations among all of you. I understand the gravity of the issues at hand, but unfortunately, the revelation of an individual's Personally Identifiable Information (PII) during this process is deeply concerning. I kindly request that @yogeshojha extend an apology to the individual in question.

Furthermore, I urge @psyray and @AnonymousWP to consider extending apologies to @yogeshojha for not respecting his boundaries and for persistently reaching out to him despite his clear vision of the project. While I appreciate your enthusiasm for the project, we must acknowledge and respect his personal space, especially considering that the project is solely a hobby for him.

@yogeshojha urges you to address the allegations directly and with respect, instead of deflecting. Doing so would be a positive step towards rebuilding trust within the community. It is perfectly acceptable to make mistakes, given our diverse backgrounds and differing understandings. Each of us carries unique responsibilities, and acknowledging genuine mistakes can strengthen one's character and commitment to the project.

I also feel it was unnecessary to ask the OG (legacy) project to be archived and to put pressure on the owner to do so. It's important to note that he was okay with you guys forking the project and working on it at your own pace and vision. What didn't go well was copying the PR verbatim. In the end you @psyray @AnonymousWP did comply with the DMCA to properly credit our contribution.

Let's put an end to the arguments and accusations by focusing on the facts and not diverting attention elsewhere. What's wrong with using AI to generate strong, valid points? It takes the user's initial thoughts or point of view and rearranges them into an output. There are numerous logical fallacies in the way the allegations are being addressed. Either you address them professionally and without diverting the facts or you don't.

I strongly believe the project can coexist and can share the features. Thank you all for reading it patiently, and I believe I have not offended either of the parties by getting involved and if I did offend someone please accept my apologies as it was not my intention. All I'd like to see is the end of the series of quarrels and continuation of project development for the better of the community, cybersecurity enthusiasts and bug bounty hunters.

[yogeshojha]

@0xtejas

Thank you for your thoughtful and balanced response and analyzing the situation.

As I said earlier, if there's been any mistake or lapse from my side I will rectify it immediately. Regarding the PII concern, could you please tell me what specific PII was leaked during the process? If it has to do with full name and alias it is publicly available information and the individual has signed those commits with the name that I have used. The name is openly associated with the project in a public repository including ours.

https://github.com/yogeshojha/rengine/commits/master/?author=psyray

The name is publicly available in the commits that are signed and can be verified from here: https://github.com/yogeshojha/rengine/commit/72e4ef1d223ee0affc8d143f5abe1f1aa4f10547.patch

The information is willingly shared by the individual in public space, so I believe that has nothing to do with PII.

But if there is other than that, let me know and I will remove it immediately.

Blaming the usage of AI to write is only deflecting from the concern as there are no more lies individual can add up to to make their remarks. English is not my first language and I actively use Grammarly to correct my responses, edit them, and fix the tone including many others. The usage of Grammarly and LLM to articulate what I have said does not invalidate the content. By saying that I have used tools such as LLM or AI, to write this, they only want to justify their actions. Any sane person would know it's wrong.

I use AI LLMs or tools such as Grammarly actively to fix my articulation given that English is not my first language and often make mistakes and have admitted it in many contexts for example from our readme page, this has existed for a long time.

Note: Parts of this README were written or refined using AI language models.

In fact this reply I am writing, I have fixed many issues with Grammarly, I don't understand how that is a bigger issue than the actual issue.

But other than that it's nothing but deflection tactics, I have mentioned this already, if there is any fabrication in my statements, I will apologize for that in public and remove this immediately.

My goal is nothing but has always been to address the actual issues and not waste my time on back and forth.

[0xtejas]

Yes, my concern was regarding the name. If it is available online, then I'm all good. Thank you for addressing it.

I used Grammarly to rephrase and structure the text, as English is not my first language. So, in the modern era, it's an essential tool.