Dear anonymous internet user, dear corporate employee hiding behind a
<a href="http://gmail.com" rel="nofollow">gmail.com</a> address, dear “GitHub account with a single issue”,
Thank you for your interest in my free software,
my project or the documentation
I wrote for you. I am happy to hear you want to ask a question, have a
problem, or perhaps even inform me of a new requirement you have.
But with some small exceptions (do read on), I’m afraid I will not be able
to help you.
You see, our community and I have done a lot of work to get these projects
to where they are today. But your first step in asking for help was deciding
that I should not know who you are or where you intend to use my stuff.
This way we got off to a really bad start.
Some of you go so far as to create a custom email address for contacting me
(‘firstname.lastname@example.org’), others even have the gall to send email
from addresses like <a href="mailto:email@example.com">firstname.lastname@example.org</a>. A recent trend is the ‘single
issue GitHub account’.
Of particular note are employees from large corporations using my open
source software, but not wanting anyone to know that. I get email from
random gmail accounts asking questions you’d only ask if you operate a fleet
of satellites in space.
So why do I care?
First, I just consider it rude. You come at me hiding who you are but still
expect me to do free work for you. Try doing that in real life. What were
you thinking? Not introducing yourself AND using a fake identity?
Second, I have found that this anonymity also means respondents feel free to
simply walk away with no damage to their reputation. You report a
complicated bug, I spend some time investigating, ask about details, and I
get no response. Some weeks later a very similar question comes in from a
fresh email address, likely the same person, still not wanting to do the
work to get help.
Third, my software and other products can be used for good or evil. If I
don’t know who you are, am I enabling you to build the new Turkish
censorship infrastructure, or helping you implement the Роскомнадзор block
efficiently? These are two examples that actually happened by the way.
What’s next, send a copy of photo ID?
Of course not. But I do care that the people asking for help have not
obviously gone out of their way to hide who they are. I am fine for example
with Github issues coming from accounts that are clearly working with many
open source projects, even if I don’t know who they are. But I can see they
work well in getting issues solved.
Similarly, many internet users are pseudonymous - we may not
know exactly who they are, but they have developed a reputation by being
part of the community. I love to work with them.
As a case in point consider
@SwiftOnSecurity. We don’t know who
they are, but their contribution is such that “Swift” is able to get a CEO
phoned out of bed at 2AM in the morning with a single tweet. Be like Tay.
“Our corporate policy does not allow us to disclose our use of open source software”
While I have sympathy for the pain this will cause you individually, my open
source policy does not allow me to offer free help to corporations who do
not even have the decency to admit that they use my software.
I understand it is not easy for (large) corporations to support open source
software, with procurement not understanding why you are paying for free
software. I really get that.
But one of the few things you CAN do as a corporation is lend a project
credibility by admitting that you use it. If your organization decides to
even withhold that minimum contribution, please understand I can’t help you.
As an aside, keeping your identity secret can make open source projects
overlook the weight of your problem, as happened to Cloudflare in
when they complained anonymously about PowerDNS, and we therefore did not
have the context to appreciate the scale of their issue.
“But I found a bug in your software”
While I am grateful for your report, I have no moral obligation to fix your
every bug. Life is short, many things need to be done. If you truly want to
upset an open source developer, tell them what they “should” be doing -
safely behind your anonymous email address or single use GitHub account.
“You write free software so you must provide free support”
I don’t even.
What if I privately tell you who we are, but you keep it secret?
To a certain extent that helps, but not when providing support for open
We wrote words on this earlier for PowerDNS. In short, it does not scale to
provide free software support to the whole world but not have a record of that.
As noted in
Open Source Support: out in the open:
By providing support in the open, other people can learn, search engines pick up our answers, the community can pitch in with solutions or suggestions.
Doing free support this way provides a true public benefit.
If you have a domain that does not resolve, we need the actual name of that domain. Not ‘example.com’. If we cannot query your nameservers because you won’t tell us their IP address, we can’t help you.
What about people that really need anonymity
These exist, and I help them. I have extended family living in oppressive
regimes. And you know, I can tell if the need for secrecy derives from
worries about personal safety. But the vast majority of anonymous
users have no such worries - not sharing who they are is mere convenience for
them, allowing them to forego the risk of looking stupid under their real
name, while making my life harder.
If you contact me for help while taking efforts to stay anonymous, and your
anonymous identity has no visible track record, please know that in general
there is little I can do for you.