
Open Source Developer Intentionally Corrupts His Own Widely-Used Libraries (bleepingcomputer.com)

"Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking." reports BleepingComputer.

"The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker'." The colors library receives over 20 million weekly downloads on npm alone, and has almost 19,000 projects depending on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents....

Yesterday, users of popular open-source projects, such as Amazon's Cloud Development Kit were left stunned on seeing their applications print gibberish messages on their console. These messages included the text 'LIBERTY LIBERTY LIBERTY' followed by a sequence of non-ASCII characters... The developer, named Marak Squires, added a "new American flag module" to colors.js library yesterday in version v1.4.44-liberty-2 that he then pushed to GitHub and npm. The infinite loop introduced in the code will keep running indefinitely; printing the gibberish non-ASCII character sequence endlessly on the console for any applications that use 'colors.' Likewise, a sabotaged version '6.6.6' of faker was published to GitHub and npm....

The reason behind this mischief on the developer's part appears to be retaliation — against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community. In November 2020, Marak had warned that he will no longer be supporting the big corporations with his "free work" and that commercial entities should consider either forking the projects or compensating the dev with a yearly "six figure" salary....

Some dubbed this an instance of "yet another OSS developer going rogue," whereas InfoSec expert VessOnSecurity called the action "irresponsible," stating: "If you have problems with business using your free code for free, don't publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, 'coz stuff might break."

GitHub has reportedly suspended the developer's account. And, that too, has caused mixed reactions... "Removing your own code from [GitHub] is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code," responded software engineer Sergio Gómez.

"While it looks like color.js has been updated to a working version, faker.js still appears to be affected, but the issue can be worked around by downgrading to a previous version (5.5.3)," reports the Verge: Even more curiously, the faker.js Readme file has also been changed to "What really happened with Aaron Swartz...?"

Squires' bold move draws attention to the moral — and financial — dilemma of open-source development, which was likely the goal of his actions.

  • what a C**T (Score:5, Insightful)

    by bloodhawk ( 813939 ) on Sunday January 09, 2022 @06:42PM (#62158049)
    What an arsehole. If you don't want commercial entities to use your libraries then make sure the license prevents that, don't have a tantrum and harm millions of users because you feel people aren't giving you enough money. Fucking whiny bastard, this hurts all open source.
    • 100% Can't really put it in any other way right!? Numerous licenses exist, all with varying levels of developer control etc. Pick one that works and shut up.
    • Re: (Score:3, Insightful)

      by DaHat ( 247651 )

      Absolutely.

      At least in the case of nuking his own repo and not working on the project again, that's the author's right... but after the code is released under a permissive license, it's no longer up to them who uses it so long as they adhere to the license.

      It's been interesting seeing the arguments defending this behavior "it's his code, he can do what he wants", "Companies are responsible for reviewing all of their dependencies, and if they don't, it's on them!", etc.

      I think of this like someone giving away

      • by Ichijo ( 607641 )

        I think of this like someone giving away apples on the street (not unlike Amazon and bananas in Seattle)... they start coating the apples with a laxative...

        Not unlike how sellers on Amazon provide a high quality product at a low price point, then after they get enough 5-star reviews they raise the price or replace the product with something inferior while keeping the old, glowing reviews.

        And then there are the popular browser extensions that get bought up and turned into adware [slashdot.org] or malware [slashdot.org].

        I'd say these ar

    • Re:what a C**T (Score:4, Insightful)

      by gweihir ( 88907 ) on Sunday January 09, 2022 @07:08PM (#62158161)

      I disagree. This guy did something he had every right to. And he did it to point out a fundamental problem: Why should a FOSS developer be motivated to play nice? Now, he just did a bit of harmless activism. Anybody that got hit in production by this did it to themselves because they have no working testing and release processes. But what would have happened if the guy had actually been malicious and, say, installed a backdoor? Right. Probably not even criminal unless he uses it himself as FOSS generally comes with no warranty. Or let's say, more subtle sabotage.

      Too many people are mindlessly pulling in dependencies all over the place and are _not_ aware how dangerous what they are doing is. We need to thank this person for making that severe problem more obvious.

      • by OzPeter ( 195038 ) on Sunday January 09, 2022 @07:21PM (#62158217)

        Too many people are mindlessly pulling in dependencies all over the place and are _not_ aware how dangerous what they are doing is. We need to thank this person for making that severe problem more obvious.

        People have already been warned

        Dependency [xkcd.com]

        • by gweihir ( 88907 )

          People get warned time and again. Many people continue to ignore that warning. Sometimes there is a price to pay for that. In the instance at hand, that price is very, very small compared to what it could have been.

          This clueless messing around has to stop. Any engineer needs insurance and if he/she screws up badly enough they may even go to jail. Software development? (Which clearly is engineering, albeit much more difficult than most other fields because things are in flux...) Not even any qualification ne

      • Re:what a C**T (Score:5, Insightful)

        by vadim_t ( 324782 ) on Sunday January 09, 2022 @07:29PM (#62158243) Homepage

        Yeah, no. This is "I'm 12 and this is deep" material. You've just discovered that the world operates on a lot of trust.

        What else is new? Yeah, we don't have systems to protect ourselves from arbitrary malicious actors to a huge extent, especially if said malicious actors decide they don't care about consequences. Eg, in the US any person with a gun could just randomly shoot somebody. Or anybody could overturn a trash bin, or set something on fire. Society to a large extent only exists in some degree of order because people choose not to be dicks even when nothing is stopping them. We have consequences after the fact, but malicious actions are extremely hard to stop from happening.

        It's exactly the same thing in the commercial world, by the way. A company going out of business could pull a similar stunt with their product to the same effect.

        • A company trying the same thing would find themselves sued, with a likelihood that courts would find a way to transfer liability to anyone who helped the sabotage.

          On the other hand, a company probably would have already gotten what this guy says he wants: support, either monetary or in labor, from the downstream users.

          This guy forgot the basic premise of free/open source software: users are not locked in. He could have chosen a different license, or switched halfway through his code's lifecycle. He didn't

        • Re: what a C**T (Score:5, Informative)

          by getuid() ( 1305889 ) on Monday January 10, 2022 @07:12AM (#62159719)

          Yeah, no. This is "I'm 12 and this is deep" material. You've just discovered that the world operates on a lot of trust.

          Not the IT world.

          We literally have sunk millions of man-hours in inventing cryptography, passwords, signatures, steganography, wiretapping and... wait for it... automatic updates (!) simply because we cannot and should not trust a computer program. Ever.

          Now this doesn't absolve the author of being a cunt, but... that's the nice part with blame and fault: it's not a zero-sum game, there's plenty to go around for everybody.

          Everyone whose commercial product got hurt by this had it coming. They skipped due diligence. If nobody had written that code, they would've had to write it themselves and properly test it before putting it into production. A free software author did the writing for free - ok. But the 2nd part, making sure it's fit for a particular purpose, is always the business's business. There's no outsourcing that, that's literally what they receive their money for when they're selling software developed for free by somebody else.

      • Sounds like he wants to get paid to write software. Too bad there isn't a business model like that...
      • This is everyone's 10,000th reminder that nobody disputes that you have a right to be an arsehole and throw a tantrum.

      • He had the legal right to do it, but the effect is to damage trust in all open source. It may not have occurred to many users that this could happen. Now they have to think about the risks of using software developed by individuals who in practice can't be sued for damages caused by intentionally malicious code.

        If his intent was to discredit the idea of open-source, then he has succeeded
    • by znrt ( 2424692 )

      avoiding that "harm" from a random guy is easy: don't import random dependencies willy-nilly, and control the updates. breaking news: that's actually your responsibility as a professional software developer. anyone hit by this just isn't, simple as that. crying rivers is both optional and irrelevant, and blaming the guy is both laughable and despicable.

      • Re:what a C**T (Score:4, Informative)

        by gweihir ( 88907 ) on Sunday January 09, 2022 @08:15PM (#62158361)

        I completely agree. Anybody hit by this in production does not even have working testing and deployment processes. That is below amateur level.

        I was shocked to learn that apparently these days it is quite common to advise people to pull in random dependencies over the Internet at compile time. As in they do not even have a local copy. That is not professional. That is just asking to get hit.

        • Even worse sometimes, some pull in random crap runtime.
          Just look at all ad services pulling from third party or even more remote parties runtime and at random.

    • by Kisai ( 213879 )

      If you don't want corporations using your code, release it as Creative-Commons-Non-Commercial (CC-BY-NC), then nobody can use it except for their personal projects that they don't publish.

      But here's the thing. We don't make a big enough distinction between "Non-Commercial" and "Commercial" use.

      We need a word for "commercial use by individuals permitted" (eg indie games, indie software) where the people who don't have time to write their own libraries and don't have the skill or legal knowledge of how licen

    • by kick6 ( 1081615 )

      What an arsehole. If you don't want commercial entities to use your libraries then make sure the license prevents that, don't have a tantrum and harm millions of users because you feel people aren't giving you enough money. Fucking whiny bastard, this hurts all open source.

      ...and then they use it anyway assuming that their lawyers are better than your lawyers and already pre-paid so you won't take them to court to challenge them. The EFF can only take on so much.

    • by Bert64 ( 520050 )

      Exactly this... Many of the users harmed will not be commercial entities, just individual users. Those commercial entities will have the budget for review processes and preprod environments so they will catch this sabotage and roll it back while an individual operating on their own might not.

      Also why should they pay him a 6 figure salary for his projects? Sure there are some companies that just leech from open source work, but there are many more who contribute in various ways. Just because they don't contr

    • Re:what a C**T (Score:4, Interesting)

      by quonset ( 4839537 ) on Sunday January 09, 2022 @08:56PM (#62158457)

      If you don't want commercial entities to use your libraries then make sure the license prevents that

      Because people (including you) abide by the license attached to movies, music, and software, right?

      Mod me down all you want, but if you're not going to abide by someone else's license, you can't complain when someone doesn't abide by your license.

    • by GuB-42 ( 2483988 )

      Yes, he is an asshole, but it shows how fragile systems like npm are if an asshole is all it takes to break thousands of projects. It could have been a backdoor from a compromised account. For such a widely used dependency, we could at least expect an independent maintainer who makes sure everything works together, like in most Linux distributions.

      As for the license, I think permissive licenses like MIT, BSD, etc... are used way too much by people who don't understand what it means. It is an invitation

    • Exactly.

      I go the other way and use Apache 2 license. If somebody wants to use and not even give me credit, good for them! At least they didn't choose something buggy. That's the whole reason I ever give code away!

      Code is worthless. If you want to get paid, either be an employee, or start a business. And it won't be the code that makes the money, but the managing of the business, advertising to potential customers, putting the code into a useful product in such a way that it doesn't require configuration, et

  • Do projects really just blindly change version dependencies without regression testing and push to production?

    • by Sebby ( 238625 )

      Do projects really just blindly change version dependencies without regression testing and push to production?

      Normally aren't most of the tests part of the project/package, which could've been changed along with the rest of the code?

      I think this clearly highlights the need to vet the versions rather than doing an automatic update, even though they try to berate the developer for essentially bringing this to light:

      "This trains people not to update, 'coz stuff might break."

    • by morcego ( 260031 ) on Sunday January 09, 2022 @06:58PM (#62158101)

      Do projects really just blindly change version dependencies without regression testing and push to production?

      A lot do, yeah. Maybe even most.
      It is the culture of "auto update to keep it secure" fostered by Microsoft (in particular, but others as well). AV companies and (ironically) security companies also do it.
      It is, as far as I'm concerned, not much better than security through obscurity.

      Very few people still have testing environments where they test every and all updates.

      • by gweihir ( 88907 )

        Do projects really just blindly change version dependencies without regression testing and push to production?

        A lot do, yeah. Maybe even most.
        It is the culture of "auto update to keep it secure" fostered by Microsoft (in particular, but others as well). AV companies and (ironically) security companies also do it.
        It is, as far as I'm concerned, not much better than security through obscurity.

        Very few people still have testing environments where they test every and all updates.

        I would say it is worse, because automatic updates are an attack-path. It cuts out the time you may otherwise have to notice that your supplier got hacked and that a supply-chain attack is in progress. I am still waiting for the day that MS is pushing malware via auto-update. They are shoddy enough in their practices that this is quite likely to happen eventually. Of course, they are already pushing broken or insecure code that way regularly and they even try hard to prevent people from blocking that attack

    • by _xeno_ ( 155264 )

      It's Node.js - so historically yes. But more recently no. Node.js has only supported having a "lock" file indicating what exact versions were being used within the last few years. I can't remember the exact version, but it didn't use to be a thing - the way it used to work was it would always pull whatever the latest version that matched the specified version range for any given dependency.

      Granted this shouldn't have hit anyone using proper version semantics since the version of "fakers" he pushed was "6.6.

    • by gweihir ( 88907 )

      Do projects really just blindly change version dependencies without regression testing and push to production?

      In regulated industries: No. For example it is common in banks that they are only allowed to pull FOSS from internal repos and anything new needs to go through a review process. I learned that way that "This software is free to be used by anybody for any purpose." is apparently not a "license" as far as lawyers are concerned.

      But in the rest of the industry? Sure. We have rampant incompetence and cluelessness with people writing mission-critical software not even beginning to understand what they are doing o

  • Cool suicide note (Score:4, Insightful)

    by thegarbz ( 1787294 ) on Sunday January 09, 2022 @06:52PM (#62158073)

    Yet another open source developer didn't understand what license he was using and what the implications are for others. Normally though we only have some public spats about it e.g. Elasticsearch. But it's quite impressive to see a developer commit professional suicide like this.

    What I'm curious about is if he had a hard-on for sticking it to corporations, why did he take all those open source and community projects down with him? I can only conclude he had a stroke.

    • by DaHat ( 247651 )

      why did he take all those open source and community projects down with him

      Do you mean *didn't*?

      After the lpad incident [theregister.com], npm made some changes so that published projects are much harder to remove, to avoid chaos like what happened in 2016. I don't think we'll see enough eyes on changes to prevent something like this again though.

  • If it bothers you (Score:5, Informative)

    by phantomfive ( 622387 ) on Sunday January 09, 2022 @06:54PM (#62158085) Journal

    The reason behind this mischief on the developer's part appears to be retaliation — against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.

    If it bothers you, then use the GPL. That is the license that forces companies to give back. You can even dual-license it, so corporations have to pay (if they don't want to open-source their stuff) and other people can give back by open-sourcing their changes.

    • by Sebby ( 238625 )

      If it bothers you, then use the GPL. That is the license that forces companies to give back.

      But it only "gives back" if you made changes in something you end up distributing - changes made for in-house (non-distribution) deployment aren't required to be "given back" to the community.

      • There's a whole range of options. You can use the AGPL, or a non-commercial license.

      • Right because that wouldn't be Free Software because that is a restriction on usage, that is called non-free software. But lucky for you that precedent has been set with an Open Source license just like what you're talking about:

        The Open Watcom [wikipedia.org] license:
        The Free Software Foundation has stated that the license is not "free" as it requires the source to be published when you "deploy" the software for private use only. In contrast, FSF's GPL does not require that modified source code has to be made public wh

    • Even the GPL, except AGPL which was explicitly designed in an attempt to close this particular loophole, is mediocre protection against commercial free-riding: it was very much written under the assumption that commercial software would be distributed, rather than being sold as-a-service by cloud vendors, so it doesn't actually kick in if (not at all hypothetically, the most prominent case being ElasticSearch) a piece of software ends up getting sucked into AWS or similar and massively used but technically
      • These libraries are client side code that run in the browser. They're distributing their front end code to every user of the service.
      • Even the GPL, except AGPL which was explicitly designed in an attempt to close this particular loophole, is mediocre protection against commercial free-riding

        Nothing they are doing here would violate the AGPL, the whole reason it broke things is because they aren't using their own modified version of his code and are instead using the exact one as distributed freely by the author. They are free to use it as they wish just like anybody else.

        it was very much written under the assumption that commercial software would be distributed, rather than being sold as-a-service by cloud vendors, so it doesn't actually kick in if (not at all hypothetically, the most prominent case being ElasticSearch) a piece of software ends up getting sucked into AWS or similar and massively used but technically never distributed.

        But even if it were licensed under the AGPL (which he could do) and consumers like AWS made changes to it before they used it in their services then he would get code contributions, not the "6 figure salary" he is asking for.

    • If it bothers you, then use the GPL. That is the license that forces companies to give back. You can even dual-license it, so corporations have to pay (if they don't want to open-source their stuff) and other people can give back by open-sourcing their changes.

      But if that were applied in this case why would corporations have to pay? The issue here doesn't appear to be about distributing/using modified versions, it's about using freely available code freely.

  • "We need to start decentralizing the hosting of free software source code,"

    While we're at it, maybe people will realize that walled gardens and closed source are bad ideas, too.

    • Decentralizing makes the problem even worse. There's even less opportunity to evaluate the repositories for abusive versions.

    • He does not even have a point asking for decentralization, it is already the case. There are plenty of free online code hosting services to choose from (can choose what walled garden is prettiest), and he can host an instance of a free-software forge on a domain he registers.

  • If his code is replaceable by some alternative, everybody will switch to it, because he's just not reliable and trustworthy.

    But he may have concluded, that in his particular software niche, people will put up with him, because his solution rocks, and the others are a bigger pain than putting up with his shit.

    China has been realizing this for years about most other nations that have become dependent on it for supply.

  • How about these developers implement some testing to ensure the fresh version they pulled is working correctly? This is basic stuff in software.

  • by Kohenkatz ( 1166461 ) on Sunday January 09, 2022 @07:18PM (#62158199) Journal

    It is pretty clear that this individual had other serious problems leading up to this:

    First, in September 2020, he was injured and charged with reckless endangerment for allegedly working on bomb-making - https://abc7ny.com/suspicious-... [abc7ny.com]

    Then, in October 2020, he posted on Twitter that he needed donations because his apartment "had a fire" - https://web.archive.org/web/20... [archive.org]

    Finally, in November 2020, he posted a now-deleted request for "sponsorship" from big companies - https://web.archive.org/web/20... [archive.org]

    • by Sebby ( 238625 )

      To me, kind of shows that perhaps individuals/corporations relying on that code might have been better to vet the source and its author.

      Yes, do the actual work of doing that, lest you get burned later on (as in this case). Otherwise, find something else, or write your own code and not depend on others'.

  • by King_TJ ( 85913 ) on Sunday January 09, 2022 @07:19PM (#62158205) Journal

    I mean, as well as the obvious statement that it's ridiculous to write free, open-source code if you're angry you're not getting financially compensated for it? It devalues open source on the whole, pulling stunts like this.

    I mean, right now, I work in I.T. for a medium-sized business that's finally really focusing on investing in technology. (Relatively new guy hired as the head of I.T. has done an amazing job explaining to the higher-ups what value can be brought to the business if they're willing to spend the money on various initiatives he's proposed.) I've had to put up a bit of a fight to convince the I.T. security guy and some of the developers to allow us to maintain apps like the Firefox browser in our "Company Portal" of authorized apps people can optionally install on their workstations without having to have "local admin" creds first.

    There seemed to be a lot of push-back, to eliminate as many open-source packages as possible from the list of tools we rely on, because "there's really no accountability for those if something goes wrong with one". I've always said there's little to no historical precedence for that argument, because the open source software that's in wide use always finds interested developers to continue working on it, and the source code being available for review prevents "security through obscurity". But THIS is exactly the sort of thing that will turn them away from it.

    • "there's really no accountability for those if something goes wrong with one".

      The status of code being open or closed does not change anything in regard to accountability, what matters is if you have a support contract, and who is providing it.

      If your company pays for e.g. Microsoft product, Microsoft is theoretically accountable. But your company does not have the slightest chance to win in court against Microsoft or Oracle, so in practice they are not accountable. Experience shows they also do not issue refunds when a problem or bug affects their product, so there is no point in th

  • Running "build and install" with any of these systems has the same problem. This is why tagging, setting requirements, and bundling software after smoke tests and regression testing are solutions we pay for from our open source vendors.

  • I used to work in web development (early 2000s), where we used one of the blacklist services (similar to Spamhaus) for blocking email spammers, etc. One of the services was part of an aggregated list being used.

    One day, the maintainer of that specific service decided he'd call it quits, and set up his service to return all queries for identifying spamming IPs as "YES", meaning any emails being sent/verified were all being flagged as spam, even if legitimate (where other services were still reporting them app

    • by gweihir ( 88907 )

      You may also want to make sure anybody you depend on has a stake in the game, like, for example, donating to the projects and developers that are behind them. No? Well, people that have no or not enough of a stake in your stuff continuing to work will not really care about your stuff continuing to work, now will they?

      At least the guy in your case made sure to use the security best practice of "fail closed", i.e. securely.

  • by GigaplexNZ ( 1233886 ) on Sunday January 09, 2022 @07:50PM (#62158315)

    GitHub has reportedly suspended the developer's account. And, that too, has caused mixed reactions... "Removing your own code from [GitHub] is a violation of their Terms of Service? WTF? This is a kidnapping. We need to start decentralizing the hosting of free software source code," responded software engineer Sergio Gómez.

    Git is decentralized by design. There's nothing stopping you from pushing to multiple remotes.

    • by Junta ( 36770 )

      True, though most git devs don't even realize the possibility of multiple remotes. Further, they think git == github.

      Of course, if you use LFS with git, you effectively have a centralized repository again, though thankfully I rarely see that used except for some poorly managed projects that do weird things like stick big archives of content as a compressed tar and manage the result instead of managing the content more directly.

  • Being an unpaid intern is valid. You do it because it gets you a leg-up on being a permanent hire and/or a good entry on your resume. In fact, these internships have been a bone of contention insofar as minorities can't afford to take them, and some companies have moved away from that model and actually started paying interns to avoid that problem; but I digress.

    Giving things away *can* be a valid kind of business model, and by "business model" I mean that in the sense of your own personal business. At o

  • The idea that somehow we need to develop a new decentralized repository tool ignores that git is already intrinsically decentralized. It's only by treating some copies of the repository as the single source of truth, such as GitHub, that we land in the predicament illustrated here.
  • OpenBSD has complained for well over a decade, maybe two, that every *nix and BSD OS, including MacOS, all use OpenSSL and OpenSSH, but no one has ever contributed one line of code to either project or offered a donation to the OpenBSD Project. But they've never deliberately hosed their own code to make a point. Honestly, would it kill these companies to throw this guy a few dollars every once in a while?
    • by jmccue ( 834797 )

      This, but it also seems he was having some issues, who knows why? Maybe tough financial issues drove him over the edge? So that is no excuse for what these large companies seem to do, take without giving back.

      Some companies do donate to OpenBSD, based upon their use of its software. You can see who donates what to OpenBSD here:

      https://www.openbsdfoundation.org/contributors.html

      I am a bit disappointed in Microsoft seeing they now ship openssh with Windows, but they did give a good amount. My b

  • by Pseudonym ( 62607 ) on Sunday January 09, 2022 @08:51PM (#62158443)

    Not that node.js devs will get the message, but this open source dev has blown wide open the culture of mindlessly importing dependencies, particularly trivial ones like this.

    Every dependency that you import is a risk to your system. Never include an unknown version of any dependency into production. Never use a dependency that imports uncontrolled versions of other dependencies in production. That npm doesn't have an option to enforce this speaks to whether or not you should ever rely on node.js in production.
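Worked example, added here and not taken from any comment in this thread or from the colors/faker code: a small JavaScript semver-range resolver plus a lockfile-style check, to make concrete what _xeno_ says above about npm resolving "whatever the latest version that matched the specified version range" before lockfiles existed, and what Pseudonym means by never shipping an unknown dependency version. The two faker version numbers are the ones the story names (5.5.3 working, 6.6.6 sabotaged); the package `example-lib`, its version list and the package.json fragment are constructed for the example, and the range grammar covers only `*`, exact, `^`, `~` and `>=`.

```javascript
// Added example, not code from the Slashdot thread or from colors/faker.
// A minimal semver range resolver plus a lockfile-style check, showing how a
// floating range ("*", ">=", "^", "~") picks up whatever newer version is
// published, while a lockfile keeps the resolved version fixed.

// Parse "v1.2.3-rc.1" into { major, minor, patch, pre: ["rc", "1"] }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Semver ordering: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  // A prerelease sorts below the release carrying the same number.
  if (a.pre.length === 0 || b.pre.length === 0) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (a.pre[i] === undefined) return -1; // shorter identifier list sorts first
    if (b.pre[i] === undefined) return 1;
    const an = /^\d+$/.test(a.pre[i]), bn = /^\d+$/.test(b.pre[i]);
    if (an && bn) { if (+a.pre[i] !== +b.pre[i]) return +a.pre[i] - +b.pre[i]; }
    else if (an !== bn) return an ? -1 : 1; // numeric identifiers sort below alphanumeric
    else if (a.pre[i] !== b.pre[i]) return a.pre[i] < b.pre[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy `range`? Supports "*", "x.y.z", "^x.y.z", "~x.y.z", ">=x.y.z".
// A prerelease version only matches when the range itself names a prerelease on the
// same major.minor.patch; that is the rule npm's semver applies so "^1.2.0" never
// drags in "1.3.0-beta.1" on its own.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (range.trim() === '*') return v.pre.length === 0;
  const m = /^(\^|~|>=)?\s*(.+)$/.exec(range.trim());
  const op = m[1] || '';
  const base = parseVersion(m[2]);
  const sameTuple = v.major === base.major && v.minor === base.minor && v.patch === base.patch;
  if (v.pre.length > 0 && !(base.pre.length > 0 && sameTuple)) return false;
  const cmp = compareVersions(v, base);
  if (op === '') return cmp === 0;
  if (cmp < 0) return false;
  if (op === '>=') return true;
  if (op === '~') return v.major === base.major && v.minor === base.minor;
  // "^": same major, or same minor while major is 0
  return base.major === 0 ? v.major === 0 && v.minor === base.minor : v.major === base.major;
}

// Highest published version satisfying the range: what an install without a lockfile does.
function resolve(range, published) {
  const matching = published
    .filter((p) => satisfies(range, p))
    .sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return matching.length ? matching[matching.length - 1] : null;
}

// With a lockfile the locked version wins as long as it still exists and fits the range.
function resolveWithLock(range, published, locked) {
  if (locked && published.includes(locked) && satisfies(range, locked)) return locked;
  return resolve(range, published);
}

// Audit helper: names of dependencies declared with anything other than an exact version.
function floatingDependencies(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, range]) => !/^\d+\.\d+\.\d+$/.test(range.trim()))
    .map(([name]) => name);
}

// Constructed registry snapshots. The faker numbers are the two the story names
// (5.5.3 working, 6.6.6 sabotaged); "example-lib" and its versions are made up.
const FAKER_VERSIONS = ['5.5.3', '6.6.6'];
const EXAMPLE_LIB_VERSIONS = ['1.2.3', '1.3.0', '2.0.0-rc.1', '2.0.0'];

// Constructed package.json fragment for the audit helper.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { faker: '^5.5.3', 'example-lib': '1.2.3', 'other-lib': '*' },
};

console.log('faker ^5.5.3    ->', resolve('^5.5.3', FAKER_VERSIONS));             // 5.5.3
console.log('faker *         ->', resolve('*', FAKER_VERSIONS));                  // 6.6.6
console.log('faker * (lock)  ->', resolveWithLock('*', FAKER_VERSIONS, '5.5.3')); // 5.5.3
console.log('floating deps   ->', floatingDependencies(SAMPLE_PACKAGE_JSON));    // [ 'faker', 'other-lib' ]
```

The point of the contrast is that `^5.5.3` never reaches 6.6.6 because the major changed, while `*` or `>=5.0.0` walks straight into it on the next install; a lockfile turns any of those ranges back into the exact version that was last tested. The `floatingDependencies` helper is the kind of check a CI job can run against package.json so that a floating range has to be a deliberate choice rather than a default.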

  • For not choosing GPL.
  • by PinkyGigglebrain ( 730753 ) on Sunday January 09, 2022 @09:12PM (#62158487)

    https://xkcd.com/2347/ [xkcd.com]

    Just my opinion but I think everyone affected by this needs to look in the mirror first when they want to start assigning blame.

    When you choose to have your code depend on a third party over which you have no control or authority you are the one who should also be held responsible if the other guy has a breakdown and makes your code go FUBAR.

    Just remember this guy could have had his code royally screw things up, deleting files, launching DDOS attacks against who knows where, whatever they wanted to. And since OSS doesn't have any guarantee attached to it no one could do anything about it.

    OSS is still better than closed, but it's a user-beware situation.

  • by sugar and acid ( 88555 ) on Monday January 10, 2022 @04:50AM (#62159415)

    He has effectively quit the project in spectacular style. The upshot will hopefully be to force the commercial companies that rely on it to fork the project and pay for its development now. They just won't be paying him.

    The fact that there is this option open to companies and individuals that rely on the software is what is good about open source licenses. In the closed source world the equivalent is when the company behind it goes belly up or they just decide to cut support. Then there are no options open to maintain the software going forward, and much pain ensues.
