GitHub Restores Account of Developer Who Intentionally Corrupted His Libraries (thenewstack.io)
What happened after a developer intentionally corrupted two of their libraries which collectively had more than 20 million weekly downloads and thousands of dependent projects?
Mike Melanson's "This Week in Programming" column reports: In response to the corrupted libraries, Microsoft quickly suspended his GitHub access and reverted the projects on npm.... While this might seem like an open and shut case to some — the developer committed malicious code and GitHub and npm did what it had to do to protect its users — a debate broke out around a developer's rights to do what they wish with their code, no matter how many projects and dependencies it may have.
"GitHub suspending someone's account for modifying their own code in a project they own however they want spooks me a lot more than NPM reverting a package," [tweeted one company's Director of Engineering & Technology]. "I kind of love what Marak did to make a point and protest to be honest."
An article on iProgrammer further outlines the dilemma present in what might otherwise seem like a clear-cut case.... "Yes, it is open source in that you can fork it and can contribute to it but does this mean that GitHub is justified in denying you the right to change or even destroy your own code?"
As of last night, however, it would appear that the entire affair is merely one for intellectual debate, as GitHub has indeed lived up to what some might view as its end of the bargain: the developer's account is active, he has been allowed to remove his faker.js library on GitHub (depended upon as it might be), and has since offered an update that he does "not have Donkey Brains".
Nope (Score:4, Interesting)
"GitHub suspending someone's account for modifying their own code in a project they own however they want spooks me a lot more than NPM reverting a package," [tweeted one company's Director of Engineering & Technology]. "I kind of love what Marak did to make a point and protest to be honest."
He used GitHub's infrastructure to distribute a malicious update to users. That should be a ToS violation if it isn't already.
Re: (Score:3)
"GitHub suspending someone's account for modifying their own code in a project they own however they want spooks me a lot more than NPM reverting a package," [tweeted one company's Director of Engineering & Technology]. "I kind of love what Marak did to make a point and protest to be honest."
He used GitHub's infrastructure to distribute a malicious update to users. That should be a ToS violation if it isn't already.
If the ToS already prohibits what he did then you're spot on that he should be banned, but there is still the question of whether GitHub had the right/justification to "reset" the owner's work without their permission.
The main issue is the question of if the code is actually "malicious" in the true sense. The code in question didn't damage anyone's hardware or files so no direct or permanent harm was done to any of the downloaders. But there was probable financial impact to those corporations. Tho
Re: Nope (Score:2, Insightful)
Can you imagine if someone in ANY other field of engineering decided to willfully sabotage a part and folks got upset because he was giving the parts out for free? I'm actually all for civil disobedience when something is broken, but to question harm mitigation by folks who detected the harm because the guy had a "right" to ship broken/faulty parts?
Like making friction brakes on elevators and saying, "I just made the current batch not automatically arrest on free fall to prove a point."
This right here is wh
Re: Nope (Score:4, Insightful)
If Otis was just picking up the brakes that some rando brake enthusiast regularly left in a pile on the side of the highway, I'd expect that to happen.
If you insist on this sort of "ethics" or duty existing, you'll kill open source dead. One of the reasons it works, despite the users not paying the developers, is that the developers have no obligation to the users.
Re: (Score:2, Redundant)
the developers have no obligation to the users.
Just the opposite. The only obligation they have to the users is the ethical obligation to produce, to the best of their ability, a product that is fit for use. There are no deep pockets or boards of directors' benefits packages to go after should they fail to live up to this.
And more often than not, it's the reputation of the individual developers that is on the line. The OSS management hierarchy is pretty flat, unlike that of for-profit software houses. Where the devs might be sitting anonymously in cubi
By law, duty of reasonable care. Throwing rocks (Score:5, Interesting)
In common law jurisdictions, the developer has either a duty of "reasonable care" or "slight care", depending on the jurisdiction.
Their legal obligation is to exercise either slight care or reasonable care to avoid actions that bring harm to others. In California, for example, it's "reasonable care". Some jurisdictions apply the lesser standard. Let's look at the definition of the lesser standard:
Slight care - The care a reasonable person exercises in unimportant matters, or the care used by a careless person in a similar situation.
Throwing rocks off an overpass would violate the duty of slight care.
The developer's legal duty is to be at least a little bit careful not to do things that cause harm. Instead, they actively, intentionally, caused harm. That's an actionable tort anywhere.
One might think "it's his code, he can change it if he wants to". That's true, the dev is allowed to change their code. In a similar way, if it's your rock you can throw it.
If I throw a rock as my way of trying to hurt you, your complaint isn't that I'm not allowed to throw that particular rock. You'd sue me for INTENTIONALLY HURTING YOU. My rock is just the tool I used to hurt you with.
Note, btw, you can sue me for throwing my rock off an overpass without looking to see if anyone was below. Even if I wasn't TRYING to hit anyone, I'd be liable for recklessly creating a situation that's likely to bring harm.
Same here. He intentionally took actions that he knew (and even intended) to cause harm. It makes no difference whether he used his rock or his code to try to bring harm. He or she is liable for intentional harm.
One might then ask "what about situations where you have a legitimate reason to harm, like business competition?" The law recognizes specific situations in which there is a sufficient public policy interest in allowing the harm. These specific instances are exceptions to the general duty of reasonable care.
One class of exceptions is that certain relationships have a higher standard of care. For example doctor-patient, parent-child. In a few jurisdictions, a lower standard is applied for trespassers vs invitees and licensees, so the dev would have an argument (though not a very good one) if the people were stealing the code.
If you're still thinking "but it's their code!"
Remember, it's my rock!
Because the rock is mine, I can throw it. I still have to be somewhat careful not to hurt others when I throw my rock.
Re: (Score:2)
I agree, and I ran my career under those ethics. It was often hard to do with idiot, politically appointed, politically motivated, and completely non-technical project managers (schedule jockeys) standing behind me using stacked ranking as a stick.
Re: (Score:2)
Sorry, but legally this isn't going to fly. Yes, the default standard is what you cite but, because of first amendment issues (and the CA constitution equivalent) it does not apply to speech. That's why it's not illegal to post a video or report of someone behaving in an atrocious fashion (even though it's reasonably foreseeable that someone might decide to go beat them up for it). This is incredibly important otherwise it would be way way too easy to block important but very controversial causes (as the
Bad analogy (Score:2)
Re: (Score:2)
Stringing together random curse words doesn't change the law.
Re: Nope (Score:4, Informative)
OTOH, if someone is giving away elevator friction brakes and disclaiming all certification, guarantee, fitness for purpose or that any sort of formal testing has taken place, what does it say if some company installs them without testing and QC of their own?
Re: Nope (Score:3)
Can you imagine if someone in ANY other field of engineering ...
No, you can't, and you shouldn't, because no other field of engineering makes duplicates of your "brakes" like they were MP3s. And more importantly, no other field of engineering auto-upgrades their "brakes" in millions of cars using your blueprints of last night.
Using an analogy here would not bring you closer to any kind of truth.
Re: (Score:2)
Github, understandably, does not want to take on any legal responsibility for developers' code or for its public usage. That's a potentially tremendous morass of liability. But if they start telling developers what they can, and cannot, publish in their git repos to prevent this sort of malicious abuse, they have much deeper pockets to sue for liability for the next malware or the next ransomware embedded project. So it makes sense that they'd not react quickly or firmly to the discovery of such abuse.
Re: Nope (Score:2, Insightful)
You're right. Software developers shouldn't be called engineers but instead miracle workers. Name any other science field that has virtually reduced the costs of its output to zero. Oh that's right, you can't.
I am all for ethics but you just stepped out of your domain and have no fucking clue what you are talking about. In fact the whole reason this came up is because those ethical engineers always get a pay check and this guy doesn't.
Re: (Score:2)
You're right. Software developers shouldn't be called engineers but instead miracle workers. Name any other science field that has virtually reduced the costs of its output to zero. Oh that's right, you can't.
Basically ALL of them.
https://asapbio.org/preprint-s... [asapbio.org]
I am all for ethics but you just stepped out of your domain and have no fucking clue what you are talking about. In fact the whole reason this came up is because those ethical engineers always get a pay check and this guy doesn't.
I just don't understand this perspective. How does one slap an MIT license on something and have no idea what this means? It would be one thing to be mad if people were ignoring the terms of your license yet here that clearly isn't happening.
Re: Nope (Score:2)
Which is why there is a difference between ethics and legality. Legally he is owed nothing. Ethically, considering how widespread his code is used, it's fair to compensate him for his consistent hard work and to further support it. This cost would be minuscule for large entities like those involved but it's not the culture.
It's kind of like being invited over for a dinner with a friend, but you bring a plastic container, put the food in that, and leave. It's rude, unethical, and will cost you a friend.
This
Re: (Score:3)
This is a bit much. Programmers aren't engineers by any stretch, that's true. Neither are they scientists. They aren't mathematicians or logicians either, though many fancy themselves to be.
Of course, there are many engineers, scientists, and mathematicians that are also programmers. It's a handy skill to have in many different professions. But that's all it really is.
Programming is just a skill, and not a terribly difficult one to learn. Children can, and very often do, teach themselves. In the 80's
Re: (Score:2)
Re: (Score:2)
You know I am not one to brag and honestly there is no way to be humble about this brag -- transistors are the quickest, largest scope, and most everyday impactful revolution that has ever happened on the earth.
Sure sanitation is nice but it didn't take the world by such a storm and there are places even in China where they don't have modern sanitation, much less India and virtually all the 3rd world.
Yeah, the industrial revolution was big too, with factories and cars, but again not everyone in the world has a car.
Re: (Score:2)
You know I am not one to brag and honestly there is no way to be humble about this brag
It's only a brag if you want to take credit for the invention, and I'm fairly certain that you don't want to take credit for the development of the transistor!
transistors are the quickest, largest scope, and most everyday impactful revolution that has ever happened on the earth.
I'd argue that things like writing and agriculture have undoubtedly had more impact.
I should probably also point out that programmers had absolutely nothing to do with the development of the transistor. This really minimizes the important contributions of the actual scientists and engineers that made the modern digital computer possible.
Really, w
Re: (Score:2)
There are many fundamental technologies, and social changes, that are of similar impact. The invention of the bucket, and of the screw, and of the yoke for oxen had similar world-changing results. The horse yoke improved the work capacity of draft animals, making horses and oxen more efficient than human slaves, and overturned millennia of human society. The transistor is among such changes, as is the electric generator and the battery.
Re: (Score:2)
Zeroing out the repo would have been far safer than "resetting" it.
Re: Nope (Score:2)
The main issue is the question of if the code is actually "malicious" in the true sense. The code in question didn't damage anyone's hardware or files so no direct or permanent harm was done to any of the downloaders.
One of the libraries changed to do an infinite loop, logging to the console endlessly. That's a denial of service attack, both in terms of using up the CPU, and possibly disk space (depending on if that was logged and how/if log rotation was configured).
Re: (Score:2)
You're fucking retarded, infinite loops are in code... EVERYWHERE
ANY and EVERY server and daemon is actually running in an "infinite loop" that's how you turn a normal program into a service daemon.
STFU about Shit you're ignorant about!
Your tone seems very much like that of a 10 year old who beat his friend at chess and now thinks he's a grandmaster. "You're fucking retarded!! Why'd you put your knight there? I can take it! What?! Checkmate? Fucker, you cheated!!!"
Your arguments aren't wrong, for the most part, but you'd come off with a lot more credibility if you started by saying "I'm the developer of App X that you use all the time," or "I have Top-10 apps in 3 categories on the Play Store," or "I write systems code for a major h
Re: (Score:2)
Check the license. I suspect they had the right to do it.
Re: Nope (Score:2)
"The main issue is the question of if the code is actually "malicious" in the true sense. The code in question didn't damage anyone's hardware or files"
THIS TIME. But what about the next time?
This guy clearly demonstrated that he is willing to sabotage his own code, and release it on an unsuspecting public. Though files/hardware weren't damaged, there is still damage in the form of downtime and other kinds of loss related to his actions.
He needs to be banned without question.
Re: (Score:2)
That question can be easily answered by looking at what license he chose. Did he grant permission for other people to make derived works, or not?
Re: (Score:2)
He used GitHub's infrastructure to distribute a malicious update to users. That should be a ToS violation if it isn't already.
If the dev's going to be a big baby about them not liking the world and cause a mass disruption by breaking his stuff, then I think Github's perfectly justified in responding by breaking or disabling his account, repository and/or freezing the last safe version.
I mean... What permutation of Rights and Freedom would Infer that a developer have a right to break their code, but thei
Re: Nope (Score:2)
" I think Github's perfectly justified in responding by breaking or disabling his account, repository and/or freezing the last safe version"
Are they sure it's "safe"? Just because it works and appears it does what it's supposed to does not mean it's safe.
I hope they are at least scrubbing everything that he contributed up and down for logic bombs and other nasty surprises.
I for one would not trust any of his stuff.
Re: (Score:2)
The update was not malicious. You have no clue what "malicious" in this context means and what he could actually have done. Github has a much better grasp of the legal angle than you do.
Re: (Score:2)
You have no clue what "malicious" in this context means and what he could actually have done.
How is replacing whatever it used to do with an infinite loop not malicious? Sure, it could have been worse, but that doesn't make this any less shitty. If someone punches you in the face the fact that they could have stabbed you instead doesn't make it any less rotten.
The Elephant in the Room... (Score:5, Interesting)
What I haven't seen discussed widely is the elephant in the room - what if this developer wanted to be far more malicious, instead of making a blatantly obvious point?
What if he had have committed some changes that individually didn't look like much, but combined over a few months or more added up to putting a backdoor into the code, or a crypto miner or something that would otherwise be classified as malware?
It's clear that people were blindly pulling changes from his repo without even glancing at the changelog. This could have been a far more severe problem, assuming it hasn't already happened in any other popular library.
Just because it's open source, and just because you _can_ read the code, does it mean that you have personally checked over the code of every library you're pulling into your project? No, of course you haven't - you're too busy working on your project. You trust the libraries will do what they say on the box, and you trust that if they are popular and widely used then _someone_else_ has looked over the code and found it to be OK.
Re:The Elephant in the Room... (Score:5, Funny)
The same way you assume that if a lot of people are using something, then it must mean it's at least good enough. And then you use Windows 10/11 and you wonder WTF is wrong with people.
Re: (Score:2)
The same way you assume that if a lot of people are using something, then it must mean it's at least good enough. And then you use Windows 10/11 and you wonder WTF is wrong with people.
Every day. And MS Office is worse.
Re: (Score:3)
The original saying was "many eyes make all bugs shallow" - not that stuff was good, but if there was a known problem it could/would be found quickly. Unfortunately people started assuming that if there wasn't a known problem it was because all the bugs had been found, which is at best silly...
Re: The Elephant in the Room... (Score:3)
Yes, the act of civil disobedience can be useful to highlight flaws in process or organization. I just can't believe the folks that think the harm mitigation put forth by GitHub and npm were unreasonable and infringing on the dev's "rights".
Both could be good things. The first is arguable, but the second is akin to self defense and unambiguously good. If the code change were actually malicious, I sure as hell want anyone to put the brakes on as soon as it's detected on their networks/storage devices.
Re: (Score:2)
No, it's objectively malicious code. Why lie about something this obvious?
Re: (Score:3)
I applaud his epic level of trolling. He just killed the many eyes argument.
Re: (Score:2)
I'm pretty sure that Log4J killed the many eyes argument first.
Re: (Score:2)
Re: (Score:2)
Not before being exploited, which is where many eyes failed - before exploitation.
Re: (Score:2)
You wouldn't know, you only know it is "something-something about many eyes?"
Look up what it is, and you'll notice it is not in any way relevant here. It doesn't say, "Dude, like, if there are a lot of eyes, there no bugs, maaaan!"
Re:The Elephant in the Room... (Score:4, Interesting)
I applaud his epic level of trolling. He just killed the many eyes argument.
That he actually did not. There is a delay to the eyes working and they did work nicely within that delay.
Re: (Score:2)
You still buy the "many eyes" myth? Why?
-3 weeks is pretty quick. How we fixed shellshock (Score:2)
Three weeks before seems pretty quick to me.
You have no idea whatsoever what the sentence is that contains the phrase "enough eyeballs", do you?
I guess you think somebody said something like "with a lot of users, there are never any bugs"? That idea came from your head, nobody else's. I'll tell you a story that illustrates what he WAS talking about, the story of how we fixed shellshock.
First, understand the section with the eyeballs phrase is discussing how and why Linus got a large number of developers w
Re: (Score:2)
No, it's happened a number of times already the past few years. From Apple's "goto fail", to heartbleed, shellshock, and Log4j, it's pretty much blown the many eyes argument out of the water.
What this developer has done is far worse than any of that - it's basically given ammunition to open-source detractors on why to never trust open source. You think Oracle and Microsoft aren't secretly jumping for joy? One developer managed to ta
Re: (Score:2)
Indeed. This small and harmless bit of activism nicely shows the extreme incompetence and sheer insanity of most developers.
Re: (Score:2)
no i do not "trust" them
i test them
Re: (Score:2)
For production I audit libraries line by line and do not blindly install crap that people I don't know put onto github. I make guarantees to my clients that I do so and am not throwing in the kitchen sink. Obviously there is a limit to recursively checking libraries so it would be useful for "some trusted parties" to do that diligence and then put their name on it ("no malicious code / phoning home / exfiltration / tracking / crypto miners as far as we know"). That kind of service would be worth money and th
Re: (Score:2)
On a side note (Score:4, Insightful)
I take it this guy doesn't want to be a developer? Because it's hard to see a reason anyone would trust anything he releases, going forward - or why any hiring manager isn't going to just toss an application from him straight into the circular file.
Re: (Score:2)
Re: (Score:2)
I take it this guy doesn't want to be a developer?
I am inclined to think that the "invisible hand" of the free market will take care of this, even though no money changed hands. Basically, this guy has signalled that his code can't be trusted, probably not ever again. I would be reluctant to employ him to write code, no matter how good it is, for fear that he might pull a childish stunt like this again. Foot, meet bullet.
Re: (Score:2)
So stop writing software. Do something else. We don't mind.
Will this change behavior? (Score:2)
Re: (Score:2)
I think I'd add a step that tests all the stuff, OSS or otherwise, before it got incorporated in a new release.
Re: (Score:2)
Re: (Score:2)
That's not quite the issue. These are a case of dependencies that you pull in, rather than a platform that you run on which might be updated and deployed independently of your software. However, some dependency management and deployment systems (imo, foolishly) allow for a version range rather than fixed version (e.g. "latest 2.x" rather than "2.1.3.4"). This means that while you might test against 2.1.3.4, as soon as 2.1.3.5 is released, any new deployments would grab the new version despite the fact that
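The comment above describes how a floating range such as "latest 2.x" picks up a release you never tested against, while a pinned version does not. The following is an added example, not code from the thread or from npm: it implements a small subset of npm's semver range rules (exact, ^, ~, *, latest) over a constructed list of published versions, and flags package.json entries that would float. The package names, versions and package.json are all made up for the demonstration.

```javascript
// Added example (not from the Slashdot thread or npm). Demonstrates why a
// version range can silently install a newer, unreviewed release, and why a
// pinned exact version (or a lockfile) does not. Only plain X.Y.Z versions
// are handled; prerelease tags and compound ranges are out of scope here.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain X.Y.Z version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns a predicate: does `candidate` satisfy `range`?
function rangeMatcher(range) {
  if (range === '*' || range === 'latest' || range === 'x') return () => true;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  return (candidate) => {
    const c = parseVersion(candidate);
    if (op === '') return compare(c, base) === 0;   // pinned: exact match only
    if (compare(c, base) < 0) return false;         // never below the base
    if (op === '~') return c[0] === base[0] && c[1] === base[1]; // same major.minor
    // '^': same major, except 0.x where the leftmost non-zero part is fixed
    if (base[0] > 0) return c[0] === base[0];
    if (base[1] > 0) return c[0] === 0 && c[1] === base[1];
    return compare(c, base) === 0;
  };
}

// npm installs the highest published version that satisfies the range.
function resolve(range, published) {
  const matching = published
    .filter(rangeMatcher(range))
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return matching.length ? matching[matching.length - 1] : null;
}

// Lists dependency declarations whose installed version can change the next
// time someone publishes, i.e. anything that is not an exact X.Y.Z pin.
function floatingDependencies(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!/^\d+\.\d+\.\d+$/.test(range)) out.push({ field, name, range });
    }
  }
  return out;
}

// Constructed sample data: the app was tested against 2.1.3 of "some-lib";
// 2.1.4 is a later publish nobody on the consuming side has reviewed.
const PUBLISHED = ['2.0.0', '2.1.2', '2.1.3', '2.1.4', '3.0.0'];
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app', // hypothetical
  dependencies: { 'some-lib': '^2.1.3', 'other-lib': '2.1.3' },
};

for (const range of ['^2.1.3', '~2.1.3', '2.1.3', '*']) {
  console.log(`${range.padEnd(6)} -> installs ${resolve(range, PUBLISHED)}`);
}
for (const dep of floatingDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`floating: ${dep.field}.${dep.name} = "${dep.range}" (pin it or commit a lockfile)`);
}
```

Only "other-lib" stays on the version that was tested; every other declaration above resolves to 2.1.4 or 3.0.0 the moment those are published.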
He doesn't have donkey brains. (Score:2)
Nope. Just shit.
And yes, some dumbasses will go crawling back.
Fool me once, shame on you.
Fool me twice...
I have played with npm. (Score:2)
Main problem (Score:4, Interesting)
The main problem is not that he changed his code. The main problem is that he pointed out to many, many would-be emperors that they are naked, that their development practices are insane and that they are building houses of cards (or worse). Look at all the butt-hurt comments here that want to place the blame solely on this guy, when shoddy, insecure and unprofessional practices made this possible in the first place. The people complaining about what he did are really the ones responsible for the problem in the first place because _they_ screwed up massively and continue to do so.
As to Github, they likely looked at the legal angle, found that this was entirely legal (came even with a major version increase) and that unless they want to police all software on their platform on this level, they better give him access back pronto.
Re: (Score:2)
The number of people who seem ready to do mental gymnastics to pardon abusive behavior is ridiculous.
Please get help for your mental health issues. Stop making excuses for people actively trying to hurt others.
Re: (Score:3)
The number of people who seem ready to do mental gymnastics to pardon abusive behavior is ridiculous.
Please get help for your mental health issues. Stop making excuses for people actively trying to hurt others.
Bullshit. The mental contortions that some people will employ (you included) to find somebody else to blame for their own screw-ups is staggering.
Incidentally, I never made any excuses for the guy and I most certainly did not "pardon" him. These are all in _your_ fantasy. What I did point out is that there is plenty of blame to go around and that most of it is certainly not on him, yet gets ignored completely by many people because they would otherwise have to look at what _they_ did wrong. Big ego-small-sk
Re: (Score:2)
He's right, you know. This guy did something mean and nasty just to be mean and nasty. Why anyone would defend his disturbingly antisocial behavior is beyond reason.
Trust is an essential part of any functioning society. It's even more important in software, where no amount of testing and preparation is sufficient to protect you against a malicious actor. (The underhanded C coding contest is proof enough of that.)
So, no, I don't put any blame on the developers for trusting what looked like a minor update
Re: (Score:2)
Github has no responsibility to police all accounts exactly the same. Indeed, that was exactly what section 230 (safe harbor provision) of the CDA established. Github can choose to moderate (i.e. delete) his update to their platform without incurring any liability or any duty to police all other software similarly. They are totally free to just delete accounts and take down whatever code they feel like (with a few limitations that don't apply here).
It's the reputation with their user base that is what co
Re: (Score:2)
And in the real world, as soon as they start to moderate outside of what Section 230 allows, they may well lose Section 230 protection.
Re: (Score:2)
Re: (Score:2)
... shoddy, insecure and unprofessional practices made this possible in the first place.
There has to be an element of trust, that people you deal with won't be stupid or malicious. Without that, scarcely any business could be conducted, and all the money would be spent checking up whether you are being screwed, rather than producing something worthwhile. I do agree, though, that you need to understand risks, and make sure your business will not be sunk because of some unexpected screwup by a supplier.
Re: (Score:2)
Re: (Score:2)
Can't Complain About The License You Choose (Score:4, Insightful)
Look, I get that people have different views about the role of corporations in software development. Personally, I believe that in many cases it's beneficial to society to offer software under the MIT license because society benefits if software is cheaper to use and we adopt common standards while in other cases the GPL carrot/stick approach offers more benefit.
If this developer feels so strongly about corporations not benefiting from his work without paying, he had a choice. He could have shared his code under a license that was as restrictive as he wanted. It could have been free for individual developers and small shops to use but require a paid license if a large corporation wanted to ship or even run it.
But, what's not cool, is to share his code under a license that clearly gives corporations the right to use his code and then turn around and break it because, now that his code is popular, he regrets not cashing in on it. If he'd insisted on some weird restrictive license then people would have just shrugged and written an alternative.
This is the coding equivalent of quoting some cheap price to connect the big mansion on the hill to the new sewer system and then, once you've disconnected their septic system so they can't shower or shit until you finish, turning around and walking away on the grounds that rich people like that should pay plumbers more. Well, no one was forcing you to be their plumber.
Re: (Score:2)
Fool me once shame on you (Score:2)
Fool me twice shame on me.
Why would anybody trust him after this?
What powers did the author lose? (Score:2)
WTF? Not a single word in either of the articles even indirectly implied the author can't do whatever he wants with his fork. If the author is having problems getting his copy to work, I bet anything it'll be traceable to something he did, not something GitHub did.
I suspect the author is simply angry that not everyone wants to use the broken fork and would prefer to use a working one. I can understand t
Re: (Score:2)
Yes and github is free to block such efforts, it's their site. Don't like it, run your own servers
Re: (Score:2)
This
CDA Section 230 might be applicable here.
Re: (Score:2)
Umm... Reasonable people are on the side of Github here.
Well, in the first place, at least. They were right to block him and revert his repository. It was malicious code, after all. I think it was wrong of them to restore his account. He's a known bad actor. The site is better off without him.
Re: (Score:2)
I guess I'd see contributing code to GitHub as creating a fork on their behalf, at which point it's no longer "your" code. If you don't want "your" code out there, don't put it there, or pay for a private service to host your data.
Re: The code is his to use, break, or destroy (Score:5, Insightful)
If you provide free meals to folks then decide you don't want to do it anymore, that's your choice.
If you provide free meals to folks and then slip an emetic into the food, making folks sick, whole other bowl of wax.
The first is simply asserting autonomy. The second is a willfully malicious act. It pains me that so many folks can't tell the difference.
Re: (Score:2)
He wasn't making the food, he was writing the recipe and making small changes between versions. He slipped the emetic into the new version of the recipe and the cooks didn't notice until people started vomiting.
Re: (Score:2)
Not exactly.
He wasn't making the food himself, but he was providing an ingredient that others used in their own recipes. He also distributes the recipe along with each batch of his ready-made ingredient, but the de-facto method of using this ingredient is to just use the ready-made one, rather than making it yourself from his recipe.
Many people just use the latest batch of his ingredient in their recipe, without checking the recipe for that batch to see if he decided to slip in something nefarious.
The analo
Re: (Score:3)
Re: (Score:2)
The semver convention is by no means a widely recognized standard, and it can't be assumed unless someone explicitly promises to follow it.
Re: (Score:2)
Open source is a community, and that means you have the same sorts of responsibilities that you do in any social situation. If you don't want to obligate yourself, don't participate in open source.
Re: (Score:2)
Software is not food.
Re: The code is his to use, break, or destroy (Score:2)
Man does not live on bread alone but on every bit from the bucket...
Re: (Score:2)
So don't write free software. No one is forcing you or anyone else.
Here's what you don't get to do: complain that you're not being paid when you give your work away.
Re: (Score:2)
The author of colors.js, Marak Squires, is obviously mentally unstable. He set his apartment on fire [abc7ny.com] and apparently assaulted his girlfriend:
Re: The code is his to use, break, or destroy (Score:2)
Yes, absolutely. However neither github nor npm are under any obligation to distribute it.
Re: (Score:2)
If he does, then he doesn't have the right to destroy his code.
Are you saying that he doesn't have the legal right to delete all the copies of his code that he controls, and remove it from public distribution?
Re: (Score:2)
Re: The code is his to use, break, or destroy (Score:2)
Oh of course, he can't control whether anyone wants to fork it.
Re: (Score:2)
He's already distributed that code under a very permissive license. He can stop distributing it under that license, but he can't put the genie back in the bottle.
Github was well-within their rights to continue to distribute the older version after this guy pulled his nasty little stunt. He doesn't own github, you know.
If you want to control how your software is used, don't distribute for free under a permissive open source license.
Re: (Score:2)
Agreed, I'm just not clear on what A/C meant by "he has no right to destroy his code".
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Developers Unite! Strike Slashdot and Github!!!
You first. Set an example.
Re: (Score:2)
No deeply confused developers to complain about how they're not being paid for software they decided to give away for free? Yes, please!
Yes, the best thing to do is to carry out your threat and move on. Go make your own community with your own set of social rules. Show us all how sorry we'll be when you're gone!
The sooner the better.
Re: (Score:2)
Yeah, that's not going to happen. But feel free to remove your code! We won't mind.