Open Source Developer Intentionally Corrupts His Own Widely-Used Libraries

"Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.." reports BleepingComputer.

"The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors and 'faker'." The colors library receives over 20 million weekly downloads on npm alone, and has almost 19,000 projects depending on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents....

Yesterday, users of popular open-source projects, such as Amazon's Cloud Development Kit were left stunned on seeing their applications print gibberish messages on their console. These messages included the text 'LIBERTY LIBERTY LIBERTY' followed by a sequence of non-ASCII characters... The developer, named Marak Squires added a "new American flag module" to colors.js library yesterday in version v1.4.44-liberty-2 that he then pushed to GitHub and npm. The infinite loop introduced in the code will keep running indefinitely; printing the gibberish non-ASCII character sequence endlessly on the console for any applications that use 'colors.' Likewise, a sabotaged version '6.6.6' of faker was published to GitHub and npm....

The reason behind this mischief on the developer's part appears to be retaliation — against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community. In November 2020, Marak had warned that he will no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary....

Some dubbed this an instance of "yet another OSS developer going rogue," whereas InfoSec expert VessOnSecurity called the action "irresponsible," stating: "If you have problems with business using your free code for free, don't publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, 'coz stuff might break."

GitHub has reportedly suspended the developer's account. And, that too, has caused mixed reactions... "Removing your own code from [GitHub] is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code," responded software engineer Sergio Gómez.
"While it looks like color.js has been updated to a working version, faker.js still appears to be affected, but the issue can be worked around by downgrading to a previous version (5.5.3)," reports the Verge: Even more curiously, the faker.js Readme file has also been changed to "What really happened with Aaron Swartz...?"

Squires' bold move draws attention to the moral — and financial — dilemma of open-source development, which was likely the goal of his actions.

what a C**T

[bloodhawk]

What an arsehole. If you don't want commercial entities to use your libraries then make sure the license prevents that, don't have a tantrum and harm millions of users because you feel people aren't giving you enough money. Fucking whiny bastard, this hurts all open source.

Re:

[ozmartian]

100% Can't really put it in any other way right!? Numerous licenses exist, all with varying levels of developer control etc. Pick one that works and shut up.

Re:

[DaHat]

Absolutely.

At least in the case of nuking his own repo and not working on the project again, that's the authors right... but after the code is released under a permissive license, it's no longer up to them who uses it so long as the adhere to the license.

It's been interesting seeing the arguments defending this behavior "it's his code, he can do what he wants", "Companies are responsible for reviewing all of their dependencies, and if they don't, it's on them!", etc.

I think of this like someone giving away

Re:

[Ichijo]

I think of this like someone giving away apples on the street (not unlike Amazon and bananas in Seattle)... they start coating the apples with a laxative...

Not unlike how sellers on Amazon provide a high quality product at a low price point, then after they get enough 5-star reviews they raise the price or replace the product with something inferior while keeping the old, glowing reviews.

And then there are the popular browser extensions that get bought up and turned into adware [slashdot.org] or malware [slashdot.org].

I'd say these ar

Re:

[DaHat]

The fact that you started your 'question' with a 'so' suggests you don't actually care about my answer, you seem to want to justify bad behavior you disagree with, while pointing to other bad behavior (which isn't actually equivalent).

do you favor a law

No.

that prevents software authors from making changes to said code that may behave in ways users do not like, or which may break functionality?

Laws don't work that way. Laws don't 'prevent' anything, they can however disincentivize certain behaviors.

Even if t

Re:

[AuMatar]

And this is why you should make your dependency go to a specific version that you've checked out yourself. If you take the latest, you're an idiot and opening yourself up to risk of these types of things.

Yeah, people shouldn't pull this type of shit. Unfortunately they do. This isn't the first time, we all remember leftpad. And there have been times that vulnerabilities have been purposely patched in like that. Don't blindly trust code is the only answer.

Re:what a C**T

[gweihir]

I disagree. This guy did something he had very right to. And he did it to point out a fundamental problem: Why should a FOSS developer be motivated to play nice? Now, he just did a bit of harmless activism. Anybody that got hit in production by this did it to themselves because they have no working testing and release processes. But what would have happened if the guy had actually been malicious and, say, installed a backdoor? Right. Probably not even criminal unless he uses it himself as FOSS generally comes with no warranty. Or lets say, more subtle sabotage.

Too many people are mindlessly pulling in dependencies all over the place are _not_ aware how dangerous what they are doing is. We need to thank this person for making that severe problem more obvious.

Re:what a C**T

[OzPeter]

Too many people are mindlessly pulling in dependencies all over the place are _not_ aware how dangerous what they are doing is. We need to thank this person for making that severe problem more obvious.

People have already been warned

Dependency [xkcd.com]

Re:

[gweihir]

People get warned time and again. Many people continue to ignore that warning. Sometimes there is a price to pay for that. In the instance at hand, that price is very, very small compared to what it could have been.

This clueless messing around has to stop. Any engineer needs insurance and if he/she screws up badly enough they may even go to jail. Software development? (Which clearly is engineering, albeit much more difficult than most other fields because things are in flux...) Not even any qualification ne

Re:what a C**T

[vadim_t]

Yeah, no. This is "I'm 12 and this is deep" material. You've just discovered that the world operates on a lot of trust.

What else is new? Yeah, we don't have systems to protect ourselves from arbitrary malicious actors to a huge extent, especially if said malicious actors decide they don't care about consequences. Eg, in the US any person with a gun could just randomly shoot somebody. Or anybody could overturn a trash bin, or set something on fire. Society to a large extent only exists in some degree of order because people choose not to be dicks even when nothing is stopping them. We have consequences after the fact, but malicious actions are extremely hard to stop from happening.

It's exactly the same thing in the commercial world, by the way. A company going out of business could pull a similar stunt with their product to the same effect.

Re: what a C**T

[Entrope]

A company trying the same thing would find themselves sued, with a likelihood that courts would find a way to transfer liability to anyone who helped the sabotage.

On the other hand, a company probably would have already gotten what this guy says he wants: support, either monetary or in labor, from the downstream users.

This guy forgot the basic premise of free/open source software: users are not locked in. He could have chosen a different license, or switched halfway through his code's lifecycle. He didn't

Re: what a C**T

[getuid()]

Yeah, no. This is "I'm 12 and this is deep" material. You've just discovered that the world operates on a lot of trust.

Not the IT world.

We literally have sunk millions of man-hours in inventing cryptography, passwords, signatures, steganography, wiretapping and... wait for it... automatic updates (!) simply because we cannot and should not trust a computer program. Ever.

Now this doesn't absolve the author of being a cunt, but... that's the nice part with blame and fault: it's not a zero-sum game, there's plenty to go around for everybody.

Everyone whose commercial product got hurt by this had it coming. They skipped due diligence. Of nobody had written that code, they would've had to write it themselves and properly test it before putting it into production. A free software author did the writing for free - ok. But the 2nd part, making sure it's fit for a particular purpose, is always the business's business. There's no outsourcing that, that's literally what they receive their money for when they're selling software developed for free by somebody else.

Re:

[Malc]

True story: My software security students asked me a few weeks back how to secure external dependencies, and all I could tell them was to keep them as minimal as possible and carefully verify and monitor the remaining ones and be prepared for them to go rogue or break or simply become unmaintained and to be prepared to replace them if that happens. That this is basically impossible in practice today was lost on no one.

The answer is: invest in time and resources.

We don't allow external references in our buil

Re:

[vadim_t]

No, an Ad Hominem would be "you're wrong because you're 12". What I'm saying is that it's a trivial point that most everyone should be already aware of, to the point that demonstrating it serves no actual benefit. Just like we'd disagree with somebody splashing random people on the street to demonstrate that water is wet. We already know, and the demonstration is just obnoxious and serves no practical purpose.

In any case, this person doesn't seem to be trying to make any kind of point as a public service. I

Re: what a C**T

[TuballoyThunder]

Sounds like he wants to get paid to write software. Too bad there isn't a business model like that...

Re:

[Pseudonym]

This is everyone's 10,000th reminder that nobody disputes that you have a right to be an arsehole and throw a tantrum.

Re:

[joe_frisch]

He had the legal right to do it, but the effect is to damage trust in all open source. It may not have occurred to many users that this could happen. Now they have to think about the risks of using software developed by individuals who in practice can't be sued for damages caused by intentionally malicious code.

If his intent was to discredit the idea of open-source, then he has succeeded

Re:what a C**T

[gweihir]

If you do not do careful regression testing, you are asking to get hit. No excuses. This already applies for regular software development. If you do not do careful regression testing while pulling in _external_ dependencies, well. There are no words in the human language to adequately describe the level of foolishness that indicates. This is not even amateur level. This is "incompetent cretin without any clue at all" level.

Re:

[Dirk Becher]

The deceptive one is always the worst. Stop pretending this serves any greater good.

Re:what a C**T

[ArmoredDragon]

Well, you may not have any professional ethics. I do.

No, you really don't. If you did, you wouldn't be going around arguing that a deliberate act of sabotage is something that somebody has the right to do.

Re:

[Jack9]

The author made a code change that someone else was using at their own discretion. If any user doesn't like the functionality, they don't have to use it. Taking in updates that assume backward compatibility is self-sabotage. At the same time, if they aren't looking when crossing the street, there is no guarantee of safety. That's the ethical world.

Re:

[gweihir]

No. Not even close. What is more like it is that somebody fucked some random stranger without any due Diligence and is now complaining they got an STD.

Re:

[znrt]

avoiding that "harm" from a random guy is easy: don't import random dependencies willy-nilly, and control the updates. breaking news: that's actually your responsibility as a professional software developer. anyone hit by this just isn't, simple as that. crying rivers is both optional and irrelevant, and blaming the guy is both laughable and despicable.

Re:what a C**T

[gweihir]

I completely agree. Anybody hit by this in production does not even have working testing and deployment processes. That is below amateur level.

I was shocked to learn that apparently these days it is quite common to advise people to pull in random dependencies over the Internet at compile time. As in they do not even have a local copy. That is not professional. That is just asking to get hit.

Re: what a C**T

[Z00L00K]

Even worse sometimes, some pull in random crap runtime.
Just look at all ad services pulling from third party or even more remote parties runtime and at random.

Re:

[Kisai]

If you don't want corporations using your code, release it as Creative-Commons-Non-Commercial (CC-BY-NC), then nobody can use it except for their personal projects that they don't publish.

But here's the thing. We, don't make a big enough distinction between "Non-Commercial" and "Commercial" use.

We need a word for "commercial use by individuals permitted" (eg indie games, indie software) where the people who don't have time to write their own libraries and don't have the skill or legal knowledge of how licen

Re:

[kick6]

What an arsehole. If you don't want commercial entities to use your libraries then make sure the license prevents that, don't have a tantrum and harm millions of users because you feel people aren't giving you enough money. Fucking whiny bastard, this hurts all open source.

...and then they use it anyway assuming that their lawyers are better than your lawyers and already pre-paid so you won't take them to court to challenge them. The EFF can only take on so much.

Re:

[Bert64]

Exactly this... Many of the users harmed will not be commercial entities, just individual users. Those commercial entities will have the budget for review processes and preprod environments so they will catch this sabotage and roll it back while an individual operating on their own might not.

Also why should they pay him a 6 figure salary for his projects? Sure there are some companies that just leech from open source work, but there are many more who contribute in various ways. Just because they don't contr

Re:what a C**T

[quonset]

If you don't want commercial entities to use your libraries then make sure the license prevents that

Because people (including you) abide by the license attached to movies, music, and software, right?

Mod me down all you want, but if you're not going to abide by someone else's license, you can't complain when someone doesn't abide by your license.

Re:

[GuB-42]

Yes, he is an asshole, but it shows how fragile systems like npm are if an asshole is all what it takes to break thousands of projects. It could have been a backdoor from a compromised account. For such a wildly used dependency, we could at least expect an independent maintainer who make sure everything works together, like in most linux distributions.

As for the license, I think permissive licenses like MIT, BSD, etc... are used way too much by people who don't understand what it means. It is an invitation

Re:

[Aighearach]

Exactly.

I go the other way and use Apache 2 license. If somebody wants to use and not even give me credit, good for them! At least they didn't choose something buggy. That's the whole reason I ever give code away!

Code is worthless. If you want to get paid, either be an employee, or start a business. And it won't be the code that makes the money, but the managing of the business, advertising to potential customers, putting the code into a useful product in such a way that it doesn't require configuration, et

Re:

[gweihir]

Rofl what happened to Many Eyes? Epic level trolling. Bravo sir *golf clap*

Are you stupid? The "many eyes" did quite clearly see what was happening at the earliest time this was possible.

Regression testing?

[Lik]

Do projects really just blindly change version decencies without regression testing and push to production?

Re:

[Sebby]

Do projects really just blindly change version decencies without regression testing and push to production?

Normally aren't most of the tests part of the project/package, which could've been changed along with the rest of the code?

I think this clearly highlights the need to vet the versions rather than doing an automatic update, even though they try to berate the developer for essentially bringing this to light:

"This trains people not to update, 'coz stuff might break."

Re:Regression testing?

[Ichijo]

By the rules of Semantic Versioning [semver.org], "v1.4.44-liberty-2" would be just a bug fix with no new functionality, so it should be safe to use with little or no testing. But if you want to introduce an infinite loop or anything else that breaks existing projects, it should be tagged V2.0.

Re: Regression testing?

[MemeRot]

The - also indicates that it's a pre-production version (-alpha, -beta) and shouldn't be used

Re:

[gweihir]

Hehehe, nice!
Would give it a "+1, Funny" if I had not already commented.

Re:Regression testing?

[morcego]

Do projects really just blindly change version decencies without regression testing and push to production?

A lot do, yeah. Maybe even most.
It is the culture of "auto update to keep it secure" fostered by Microsoft (in particular, but others as well). AV companies and (ironically) security companies also do it.
It is, as far as I'm concerned, not much better than security through obscurity.

Very few people still have testing environments where they test every and all updates.

Re:

[gweihir]

Do projects really just blindly change version decencies without regression testing and push to production?

A lot do, yeah. Maybe even most.
It is the culture of "auto update to keep it secure" fostered by Microsoft (in particular, but others as well). AV companies and (ironically) security companies also do it.
It is, as far as I'm concerned, not much better than security through obscurity.

Very few people still have testing environments where they test every and all updates.

I would say it is worse, because automatic updates are an attack-path. It cuts out the time you may otherwise have to notice that your supplier got hacked and that a supply-chain attack is in progress. I am still waiting for the day that MS is pushing malware via auto-update. They are shoddy enough in their practices that this is quite likely to happen eventually. Of course, they are already pushing broken or insecure code that way regularly and they even try hard to prevent people from blocking that attack

Re:

[gweihir]

So just rename the package. Problem solved. I did that in a banking environment several times. Of course that was for stupid license scans and the code was tools that were not intended for production and never went there _and_ the license was actually not a problem. But still.

Re:

[_xeno_]

It's Node.js - so historically yes. But more recently no. Node.js has only supported having a "lock" file indicating what exact versions were being used within the last few years. I can't remember the exact version, but it didn't use to be a thing - the way it used to work was it would always pull whatever the latest version that matched the specified version range for any given dependency.

Granted this shouldn't have hit anyone using proper version semantics since the version of "fakers" he pushed was "6.6.

Re:

[gweihir]

Do projects really just blindly change version decencies without regression testing and push to production?

In regulated industries: No. For example it is common in banks that they are only allowed to pull FOSS from internal repos and anything new needs to go through a review process. I learned that way that "This software is free do be used by anybody for any purpose." is apparently not a "license" as far as lawyers are concerned.

But in the rest of the industry? Sure. We have rampart incompetence and cluelessness with people writing mission-critical software not even beginning to understand what they are doing o

Re:

[Bert64]

And how much time did he save by using open source code provided to him by other people for free?

Re:Regression testing?

[Sebby]

They have no obligation whatsoever to contribute back to him

And he has no obligation to them of ensuring it works in a future update (either from a benign typo or intentional sabotage).

Re:

[Sebby]

either way he has certainly sabotaged any trust anyone can ever have in anything he contributes too.

Agreed - I wouldn't trust him now, and would definitively verify all the work first (and fork the repo).

Re:

[gweihir]

They have no obligation whatsoever to contribute back to him

And he has no obligation to them of ensuring it works in a future update (either from a benign typo or intentional sabotage).

That will be an interesting test case. Whether intentional sabotage is ok or not is yet to be decided, either way he has certainly sabotaged any trust anyone can ever have in anything he contributes too.

It is not sabotage if he has not in assured a certain functionality in a legally binding way. In that case it is just changed functionality without notice, and I guess his customers can ask for their money back and maybe damages that are a multiple of what they paid in addition.

Cool suicide note

[thegarbz]

Yet another open source developer didn't understand what license he was using and what the implications are for others. Normally though we only have some public spats about it e.g. Elasticsearch. But it's quite impressive to see a developer commit professional suicide like this.

What I'm curious about is if he had a hard-on for sticking it to corporations, why did he take all those open source and community projects down with him. I can only conclude he had a stroke.

Re:

[DaHat]

why did he take all those open source and community projects down with him

Do you mean *didn't*?

After the lpad incident [theregister.com], npm made some changes that published projects are much harder to remove to avoid chaos like what happened in 2016. I don't think we'll see enough eyes on changes to prevent something like this again though.

If it bothers you

[phantomfive]

The reason behind this mischief on the developer's part appears to be retaliation — against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.

If it bothers you, then use the GPL. That is the license that forces companies to give back. You can even dual-license it, so corporations have to pay (if they don't want to open-source their stuff) and other people can give back by open-sourcing their changes.

Re:

[Sebby]

If it bothers you, then use the GPL. That is the license that forces companies to give back.

But it only "gives back" if you made changes in something you end up distributing - changes made for in-house (non-distribution) deployment aren't required to be "given back" to the community.

Re:

[phantomfive]

There's a whole range of options. You can use the AGPL, or a non-commercial license.

Re:

[exomondo]

Right because that wouldn't be Free Software because that is a restriction on usage, that is called non-free software. But lucky for you that precendent has been set with an Open Source license just like what you're talking about:

The Open Watcom [wikipedia.org] license:
The Free Software Foundation has stated that the license is not "free" as it requires the source to be published when you "deploy" the software for private use only. In contrast, FSF's GPL does not require that modified source code has to be made public wh

Re:

[fuzzyfuzzyfungus]

Even the GPL, except AGPL which was explicitly designed in an attempt to close this particular loophole, is mediocre protection against commercial free-riding: it was very much written under the assumption that commercial software would be distributed, rather than being sold as-a-service by cloud vendors, so it doesn't actually kick in if (not at all hypothetically, the most prominent case being ElasticSearch) a piece of software ends up getting sucked into AWS or similar and massively used but technically

Re:

[GigaplexNZ]

These libraries are client side code that run in the browser. They're distributing their front end code to every user of the service.

Re:

[phantomfive]

Unless they use a JS Minifier, which they probably do.

Re:

[exomondo]

Even the GPL, except AGPL which was explicitly designed in an attempt to close this particular loophole, is mediocre protection against commercial free-riding

Nothing they are doing here would violate the AGPL, the whole reason it broke things is because they aren't using their own modified version of his code and are instead using the exact one as distributed freely by the author. They are free to use it as they wish just like anybody else.

it was very much written under the assumption that commercial software would be distributed, rather than being sold as-a-service by cloud vendors, so it doesn't actually kick in if (not at all hypothetically, the most prominent case being ElasticSearch) a piece of software ends up getting sucked into AWS or similar and massively used but technically never distributed.

But even if it were licensed under the AGPL (which he could do) and consumers like AWS made changes to it before they used it in their services then he would get code contributions, not the "6 figure salary" he is asking for.

Re:

[exomondo]

If it bothers you, then use the GPL. That is the license that forces companies to give back. You can even dual-license it, so corporations have to pay (if they don't want to open-source their stuff) and other people can give back by open-sourcing their changes.

But if that were applied in this case why would corporations have to pay? The issue here doesn't appear to be about distributing/using modified versions, it's about using freely available code freely.

What a great idea

[phantomfive]

"We need to start decentralizing the hosting of free software source code,"

While we're at it, maybe people will realize that walled gardens and closed source are bad ideas, too.

Re:

[Antique Geekmeister]

Decentralizing makes the problem even worse. There's even less opportunity to evaluate the repositories for abusive versions.

Re:

[GigaplexNZ]

Git uses hashes for a reason. If the hash is the same on both repositories, it's the same version.

Re:

[test321]

He does not even have a point asking for decentralization, it is already the case. There are plenty of free online code hosting services to choose from (can choose what walled garden is prettiest), and he can host an instance of a free-software forge on a domain he registers.

Is this guy "China"?

[rbrander]

If his code is replaceable by some alternative, everybody will switch to it, because he's just not reliable and trustworthy.

But he may have concluded, that in his particular software niche, people will put up with him, because his solution rocks, and the others are a bigger pain than putting up with his shit.

China has been realizing this for years about most other nations that have become dependent on it for supply.

Not nice; who cares?

[smkndrkn]

How about these developers implement some testing to ensure the freswh version they pulled is working correctly? This is basic stuff in software.

Re: Not nice; who cares?

[AcidFnTonic]

umm, no you look at the diff and simply merge or not the "new updates".

I do this for some dependencies in my projects. I added major features I didnt wish to share, but its MIT/BSD so I still merge their updates.

Onus is on me to share upstream to prevent the need for merging but I definitely dont complain about it.

Important Missing Information

[Kohenkatz]

It is pretty clear that this individual had other serious problems leading up to this:

First, in September 2020, he was injured and charged with reckless endangerment for allegedly working on bomb-making - https://abc7ny.com/suspicious-... [abc7ny.com]

Then, in October 2020, he posted on Twitter that he needed donations because his apartment "had a fire" - https://web.archive.org/web/20... [archive.org]

Finally, in November 2020, he posted a now-deleted request for "sponsorship" from big companies - https://web.archive.org/web/20... [archive.org]

Re:

[Sebby]

To me, kind of shows that perhaps individuals/corporations relying on that code might have been better to vet the source and its author.

Yes, do the actual work of doing that, lest you get burned later one (as in this case). Otherwise, find something else, or write your own code and not depend on others'.

How to be an entitled baby.....

[King_TJ]

I mean, as well as the obvious statement that it's ridiculous to write free, open-source code if you're angry you're not getting financially compensated for it? It devalues open source on the whole, pulling stunts like this.

I mean, right now, I work in I.T. for a medium-sized business that's finally really focusing on investing in technology. (Relatively new guy hired as the head of I.T. has done an amazing job explaining to the higher-ups what value can be brought to the business if they're willing to spend the money on various initiatives he's proposed.) I've had to put up a bit of a fight to convince the I.T. security guy and some of the developers to allow us to maintain apps like the FireFox browser in our "Company Portal" of authorized apps people can optionally install on their workstations without having to have "local admin" creds first.

There seemed to be a lot of push-back, to eliminate as many open-source packages as possible from the list of tools we rely on, because "there's really no accountability for those if something goes wrong with one". I've always said there's little to no historical precedence for that argument, because the open source software that's in wide use always finds interested developers to continue working on it, and the source code being available for review prevents "security through obscurity". But THIS is exactly the sort of thing that will turn them away from it.

Re:

[test321]

"there's really no accountability for those if something goes wrong with one".

The status of code being open or closed does not change anything in regard to accountability, what matters is if you have a support contract, and who is providing it.

If your company pays for e.g. Microsoft product, Microsoft is theoretically accountable. But your company does not have the slightest chance to win in court against Microsoft or Oracle, so in practice they are not accountable. Experience shows they also do not issue refunds when a problem or bug affects their product, so there is no point in th

Perl, CPAN, and Python all have the same issue

[Antique Geekmeister]

Running "build and install" with any of these systems has the same problem. This is why tagging, setting requirements, and bundling software after smoke tests and regression testing are solutions we pay for from our open source vendors.

Re: Perl, CPAN, and Python all have the same issue

[Z00L00K]

Many more do too.

Some years ago we also did see Truecrypt releasing a bombed version and remove all previous. Veracrypt became the continuation of that.

This reminds me of a blocklist sabotage

[Sebby]

I use to work in web development (early 2000s), where we used one of the black list service (similar to Spamhaus) for blocking email spammers, etc. One of the services was part of an aggregated list being used.

One day, the maintainer of that specific service decided he'd call it quits, and set up his service to return all queries for identifying spamming IPs as "YES", meaning any emails being sent/verified were all being flagged as spam, even if legitimate (where other services were still reporting them app

Re:

[gweihir]

You may also want to make sure anybody you depend on has a stake in the game, like, for example, donating to the projects and developers that are behind them. No? Well, people that have no or not enough of a stake in your stuff continuing to work will not really care about your stuff continuing to work, now will they?

At least the guy in your case made sure to use the security best practice of "fail closed", i.e. securely.

Decentralize?

[GigaplexNZ]

GitHub has reportedly suspended the developer's account. And, that too, has caused mixed reactions... "Removing your own code from [GitHub] is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code," responded software engineer Sergio Gómez.

Git is decentralized by design. There's nothing stopping you from pushing to multiple remotes.

Re: Decentralize?

[ScienceMan]

Correct.

Re:

[Junta]

True, though most git devs don't even realize the possibility of multiple remotes. Further, they think git == github.

Of course, if you use LFS with git, you effectively have a centralized repository again, though thankfully I rarely see that used except for some poorly managed projects that do weird things like stick big archives of content as a compressed tar and manage the result instead of managing the content more directly.

What's your business model?

[istartedi]

Being an unpaid intern is valid. You do it because it gets you a leg-up on being a permanent hire and/or a good entry on your resume. In fact, these internships have been a bone of contention insofar as minorities can't afford to take them, and some companies have moved away from that model and actually started paying interns to avoid that problem; but I digress.

Giving things away *can* be a valid kind of business model, and by "business model" I mean that in the sense of your own personal business. At o

Re: What's your business model?

[Z00L00K]

Unpaid internship isn't valid everywhere.

Git is already decentralized

[ScienceMan]

The idea that somehow we need to develop a new decentralized repository tool ignores that git is already intrinsically decentralized. Itâ(TM)s only by treating some copies of the repository as the single source of truth, such as GitHub, that we land in the predicament illustrated here.

Sounds like the same beef the Open BSD project has

[plazman30]

Open BSD has complained for well over decade, maybe two, that every *nix and BSD OS, including MacOS all user openSSL and openssh, but no one has ever contributed one line of code to either project or offered a donation to the Open BSB Project. But they've never deliberately hosed their own code to make a point. Honestly, would it kill these companies to throw this guy a few dollars. every once in a while?

Re:

[jmccue]

This, but it also seems he was having some issues, who know why ? Maybe tough financial issues drove him over the edge ? So that is no excuse for for what these large companies seem to do, take without giving back.

Some companies do donate to OpenBSD, based based upon their use of its software. You can see who donates what to OpenBSD here:

https://www.openbsdfoundation.org/contributors.html

I am a bit disappointed in Microsoft seeing they now ship openssh with Windows, but they did give a good amount. My b

Control your dependencies!

[Pseudonym]

Not that node.js devs will get the message, but this open source dev has blown wide open the culture of mindlessly importing dependencies, particularly trivial ones like this.

Every dependency that you import is a risk to your system. Never include an unknown version of any dependency into production. Never use a dependency that imports uncontrolled versions of other dependencies in production. That npm doesn't have an option to enforce this speaks to whether or not you should ever rely on node.js in production.

It's your fault

[The Evil Atheist]

For not choosing GPL.

Relavant xkcd

[PinkyGigglebrain]

https://xkcd.com/2347/ [xkcd.com]

Just my opinion but I think everyone effected by this needs to look in the mirror first when they want to start assigning blame.

When you choose to have your code depend on a third party over which you have no control or authority you are the one who should also be held responsible if the other guy has a breakdown and makes your code go FUBAR,

Just remember this guy could have had his code royally screw things up, deleting files, launching DDOS attacks against who knows where, whatever they wanted to. And since OSS doesn't have any guarantee attached to it no one could do anything about it.

OSS is still better than closed, but its a user beware situation.

Force a fork.

[sugar and acid]

He has effectively quit the project in spectacular style. The upshot will hopefully will be to force the commercial companies that rely on it to fork the project and pay for its development now. They just won't be paying him.

The fact that there is this option open to companies and individuals that rely on the software is what is good about open source licenses. In the closed source world the equivalent is when the company behind it goes belly up or they just decide to cut support. Then there are no options open to maintain the software going forward, and much pain ensues.

Re:

[DaHat]

In a sick way, I'm actually happy the author was this petty, vs being more malicious.

We've long known that 3rd party libraries pose a risk, doubly so if the management of it changes to someone willing to put badness in.

Had this person chosen, they could have done significant harm, slowly introducing vulnerabilities or explicitly malicious code which could then do evil in the name of the chosen cause.

Re:

[Sebby]

Had this person chosen, they could have done significant harm, slowly introducing vulnerabilities or explicitly malicious code which could then do evil in the name of the chosen cause.

Or, their dev account might have gotten hacked without their knowledge, or sold/transferred, and some malicious entity might have done so. Seems to happen a lot (new "ownership") with browser extensions which then go rogue on its users.

Re:

[fuzzyfuzzyfungus]

I'm sure that there are plenty of broadly written and elastic laws that could be bludgeoned into service; but it seems a bit dramatic to go for the claim that the dev deliberately broke people's systems when only those who blindly pulled the most recent version were affected. Especially when the breakage was deliberately blatant and obvious, rather than some sort of backdoor or a cryptominer or similarly overtly malicious payloads. He certainly deliberately broke his own libraries good and hard; but the not

Re:

[gardyloo]

He intentionally inserted broken code in other peoples systems [...]

Nope.

Re:

[AleRunner]

In the end he is intentionally trying to damage peoples systems, he doesn't deserve any respect or sympathy

If true that would be seriously problematic and potentially criminal. Let's, however, leave it a bit before we start drawing conclusions. He may have had a breakdown. He may not have understood what he was doing properly. He definitely had some financial and life problems and so judging him before we know all 'ain't the best thing.

Re:

[gweihir]

Kind of a lose-lose for the dev.

Indeed. I can understand the guy. Not saying I necessarily agree, but what he points out is the "Tragedy of the Commons" all over, i.e. too many people taking and taking but never giving back. That will not work and cannot work.

The other thing this nicely demonstrates is how bad it is to have external and possibly unreliable dependencies. This guy did a bit of harmless activism. Well, harmless to anybody that actually tests their software. I have absolutely not compassion for anybody that got hit in product

Re:

[exomondo]

The problem I see with this type of statement is that it berates the developer that wants to provide code freely for all, but doesn't mean s/he wants his/her work to be taken as free labor by multi-billion corporations without recognition or compensation.

Well that's a restriction on usage, if you only want it used by certain people in certain ways then inherently it isn't free software. You want the goodwill of the free software community then release the software as free software, otherwise it's non-free software.

So then people will tell them "then license under something else" which invariably lead to them either being berated for licensing under non-free licenses (due to restrictions, and thus not really being "free")

Where is all this berating of developers of non-free software occurring? The fact is you can't have it both ways. If you don't want to develop free software then don't do it, nobody is forcing you to.

Re:

[Sebby]

Where is all this berating of developers of non-free software occurring?

Look at the summary:

"This trains people not to update, 'coz stuff might break."

Is it really this dev's fault for those that use his code as a dependency to blindly update it in their use without checking? What about Log4J stuff?

Re:

[Sebby]

Granted, I misread this part, so my reply makes no sense in that context:

Where is all this berating of developers of non-free software occurring?

Re:

[exomondo]

Maybe I worded my response in poor context ;)

Re:

[Sebby]

No worries.

Re:

[exomondo]

Go read again. OP said "So then people will tell them "then license under something else" which invariably lead to them either being berated for licensing under non-free licenses "

Where is all this berating of developers of non-free software for choosing non-free licenses occurring?

Re:

[gravewax]

but doesn't mean s/he wants his/her work to be taken as free labor by multi-billion corporations without recognition or compensation.

then by definition HE DID NOT want freely available for all. He wanted freely available for a subset and as such his license should have reflected that.

Re:

[AleRunner]

Freedom for some and not others? Gotcha.

Some of us believe in equal rights for all, you, and this author... apparently not.

Doesn't need to be that. If you go hard on the AGPLv3 or one of the higher protection licenses like the ones used by MongoDB etc. then everyone has the same freedom but the really big, sponging organisations that mostly take and don't give will tend to avoid your code, which is often a good thing. I'm looking at Amazon and many Chinese Cloud companies and stuff especially but also Google, Apple, Microsoft, and so on.

If you decide later that there's benefit in loosening up then you can always change to a l

Re:

[ArchieBunker]

The negligence is on you for blindly trusting things.

Re:

[GigaplexNZ]

Contracts (which a license is) can't sign away all forms of liability. The courts will deem the contract/license unenforceable if it contradicts the law. Judges will not allow the license to waive liability if the actions were intentional or malicious.