Developer Who Intentionally Corrupted His Libraries Wants NPM To Restore His Publishing Rights (twitter.com)
Remember that developer who intentionally corrupted his two libraries which collectively had over 20 million weekly downloads and thousands of dependent projects? In the immediate aftermath he'd complained on Twitter that NPM "has reverted to a previous version of the faker.js package and Github has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz."
That was January 6th, and within about a week GitHub had restored his access, while one of his two libraries (faker-js) was forked by its community to create a community-driven project. But Thursday the developer announced on his Twitter account: What's up @Github? Ten days since you removed my ability to publish to NPM and fix the Infinity Zalgo bug in colors.js
Never responded to my support emails.
I have 100s of packages I need to maintain.
Everyone makes programming mistakes from time to time. Nobody is perfect.
It hasn't been confirmed that NPM has actually blocked his ability to publish — but the tweet already appears to be attracting reactions from other developers on social media.
Oh well (Score:5, Insightful)
Re: (Score:2)
Well, a butt-hurt moderator is not a moderator that does a good job. No surprise, given what this is about. Incompetence of a person is usually not limited to only the professional skills.
"Programming mistakes"? (Score:5, Insightful)
"Everyone makes programming mistakes from time to time. Nobody is perfect."
No, the vast majority of coders never intentionally add malicious code to their projects.
Re: (Score:2)
No, the vast majority of coders never intentionally add malicious code to their projects.
Indeed. Most developers in this space are incompetent and stupid enough to do that involuntarily and they do not have the minimal skill needed to catch such things early.
Re:"Programming mistakes"? (Score:5, Insightful)
Re: (Score:3)
People trust npm to provide reliable software libraries. Probably they shouldn't, but if npm wants people to continue to trust them in this way, it is very much in their interests to block people who abuse that trust.
Re: (Score:3)
His actions did damage their platforms; right or wrong, people depended on software from NPM and GitHub not suddenly and maliciously breaking their systems.
Sorry, if this actually "damaged" anything, it means those things' development and or deployment processes were so bad, they deserved the wake-up call.
If you're using code you downloaded from some project on the internet in anything important, you'd better have known-good copies you use for deployment/distribution, and the sabotaged version shouldn't have gone further than a dev or two being irritated at the inconvenience when they started testing the new version prior to QA.
Re: (Score:3)
Re: (Score:3)
Re:"Programming mistakes"? (Score:5, Informative)
Remember - open source software is provided for use purely at your own risk
That means less than you think; basically I don't have standing to sue you for delivering bad code. If you look at proprietary software, it's pretty much EULA'd as 'use at your own risk' too.
In any case, being open source doesn't mean there aren't going to be consequences if you take a shit in the community hosting your code.
It's a helluva stretch to say other people screwing up their own projects somehow means this guy damaged Github.
Nope. github and npm had to respond, someone had to investigate the situation and take action, meetings were held, lawyers were consulted, press responses written... all that costs money. That's pretty much the textbook definition of 'causing damage' from a legal perspective.
Re: (Score:3)
You're quite right; it's a company. As such it will protect its profits and not host code it thinks is bad for its profits. This move is in the interest of its profits.
Re: (Score:2, Insightful)
Microsoft is probably wrestling with this one.
Because of what he did, he's given the ultimate gift to Microsoft's marketing department - open source code can break your stuff at any time. It was potentially FUD, but no longer because Microsoft marketing can point to all the websites and such that broke because of "a random open sou
Re: (Score:3)
Because of what he did, he's given the ultimate gift to Microsoft's marketing department - open source code can break your stuff at any time.
It would look that way at first glance, but the OSS code was being distributed from one of Microsoft's websites, so sounding too happy about it will only make them look suspicious. They want OSS to look unsafe, but they also want themselves to look like a responsible steward of OSS.
Re: (Score:2)
Re:"Programming mistakes"? (Score:4, Insightful)
Yes that did. Otherwise they suffer reputational damage. You can try and dice this down any way you want. Regardless of whatever justification you use Github had to do *something* and that something resulted in some form of undue expense.
They are not obligated to serve a damaging customer, especially one that takes a shit in the middle of their restaurant. There's no obligation to be neutral, not as a company, not as a community.
Re:"Programming mistakes"? (Score:5, Insightful)
Nope. He didn't damage their platforms.
Oh yes he did. NPM and Github rely very heavily on trust. That trust was violated and their users were harmed as a result. Are you really going to claim that doesn't hurt NPM and Github?
Re: (Score:3)
NPM and Github rely very heavily on trust.
Are you saying that there's someone somewhere who trusts NPM?
Re:"Programming mistakes"? (Score:5, Insightful)
There very clearly are. Thousands of them, at the very least.
It's how we've been teaching kids to "code". Just include anything and everything and let the tools keep everything up-to-date. It's why software is so awful these days. What once fit on a floppy is now multiple gigabytes in size and requires more RAM than my computer had 15 years ago.
People actually defend this practice. It's madness. It's like we actively discourage people from writing their own code.
CTAN and CPAN trained too many of us old-timers to trust repositories. For the kids, it might have been app stores.
Whatever it was, things really need to change. Maybe we could all try writing our own code now and then? Wouldn't that be nice?
Re: (Score:2)
There very clearly are. Thousands of them, at the very least.
I'm honestly amazed. NPM is a sewer.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Re:"Programming mistakes"? (Score:4, Insightful)
Remember - open source software is provided for use purely at your own risk - those other projects damaged themselves.
such agreements are not as ironclad as you might think. If I offer a man a free drink, but say that I do not guarantee anything about the contents, and deliberately put poison in it, in almost any jurisdiction I will still be held liable for murder regardless of the lack of guarantees I offered.
Re:"Programming mistakes"? (Score:4, Insightful)
From a business standpoint, reputation is a critical part of a platform. For a business model that's based on distributing *open source* software, reputation is probably the most critical resource the business has. Would *you* use a software repository that has a reputation for turning a blind eye to malware? That's why services make you agree to a Terms of Service agreement.
GitHub's and npm's ToS and use policies are pretty simple and non-technical; there's no excuse not to read them. This guy intentionally violated those AUPs; even if he hadn't read them, common sense should have told him he was in violation. He also agreed to allow them to take whatever remedies are outlined in the ToS or AUP. In the case of npm they can remove his software or revert it to the last sound version and continue serving it if other packages in the repository depend on it. It's right there in plain, non-legalese on their policy page.
This guy screwed himself. The only option he has is to promise he's learned his lesson and argue that it would be better for everyone if he's allowed to continue updating the repositories on the service. Freedom doesn't include freedom to ignore your contractual obligations, or to impose your bullshit on others without consequence.
Re: (Score:3)
Re:"Programming mistakes"? (Score:4, Insightful)
"I only stole his watch! It's not like I killed him or something."
You can't be serious. Why defend this scumbag?
Re:"Programming mistakes"? (Score:4, Insightful)
Still playing dumb? Ugh...
The argument is that the harm he caused could have been worse, so it's okay. The argument I offered was equivalent to yours.
Why are you so hot to defend this scumbag? Do you actually think this kind of behavior is acceptable?
Re: (Score:2)
Making his own code non-functional is allowed as per the agreement that the people that used this as GPL software, agreed to.
He deliberately and knowingly caused actions to happen on other people's computers that they did not want or consent to. He represented his software as doing one thing and then made it do another thing. He is likely guilty, in a criminal sense, of misuse of a computer through abuse of privileges granted for one reason. There have been multiple cases which set clear precedents where it has been shown that access for one reason does not permit another. He really should not be pushing this shit and should be
Re: (Score:2)
Making his own code non-functional is allowed as per the agreement that the people that used this as GPL software, agreed to. We may not like what he did. But it's his freedom. Unless you're anti-freedom. Are you anti-freedom?
That's fine. He can change his code however he wants. That's his freedom. He was always able to do that.
Is he allowed to change a copy of his code hosted on someone else's machine? Not if the owner of that machine (in this case GitHub) doesn't want him to. That's their freedom.
Are you anti-freedom?
Re: (Score:2)
He deliberately and knowingly caused actions to happen on other people's computers that they did not want or consent to. He represented his software as doing one thing and then made it do another thing.
*points back to GPL warranty.* You know that with NPM, you can't *force* an update, right? You have to run the command and then say yes to the update. They had to download and update and (most likely) compile, then run, oftentimes push to content caching servers. And you also know that this source code is often in repos that can be rolled back, right? So this was a minor inconvenience, let alone harm. What I don't get is why your vitriol for this guy is so deep. It's like someone controlling something th
Re: (Score:2)
Is he allowed to change a copy of his code hosted on someone else's machine?
Yes, if they let him. That's what a login to a server is for.
Not if the owner of that machine (in this case github) don't want him to. Thats their freedom.
Correct. Noticed I didn't say anything about that. So, what freedom am I against?
But you... you didn't answer my question. I'm for his freedom to change his code. I'm also for the freedom for github and/or npm to not restore his account and/or prevent him from publishing.
So, yes. I'm for that freedom. Now your turn. Are you anti-freedom? But that's how it works. Either both get freedom or neither does. So, are you anti-freedom?
Re: (Score:2)
You're right, that's off base. When you negatively (and financially) affect one person it's a simple robbery. What this guy did is far worse.
Re: (Score:3)
Did he pay for access to the platform? No? In that case the platform provider does not have any obligation toward him and can do whatever it wants with its own systems, provided it's not outright theft or other illegal activity.
Same goes both ways.
If he had the right to intentionally break the code and, in turn, break the programs of people who
1. Did not pay him to use the code
2. ignored the part of the license that says "no warranty"
3. and still foolishly used his code in their own systems without checking
Re: (Score:2)
Even if he paid for service the terms of use would probably include a prohibition of malicious behavior, and deliberately modifying his libraries in this fashion would absolutely qualify as it constitutes a DoS attack on users, and would likely constitute grounds for termination of service.
Re: (Score:2)
While certainly possible, it is a bit more difficult to terminate a paid service. For one, the provider does not want to lose the income; also, if the service is pre-paid, then the provider may need to refund part of the payment. Everything can be written into the contract, of course, but it is still more hassle. In addition, there would be less justification for the host to keep the code.
For example, if he hosted it on his personal web site, then even if the host decided to terminate the service, it would
Re: (Score:2)
While certainly possible, it is a bit more difficult to terminate a paid service.
No, it is not.
For one, the provider does not want to lose the income
At the point at which they have decided to terminate the service, they have already decided it's worth the money. So no.
also, if the service is pre-paid, then the provider may need to refund part of the payment
They might. That's not a big impediment, though. Refunding a payment is not difficult. So no.
Everything can be written into the contract, of course, but it is still more hassle. In addition, there would be less justification for the host to keep the code.
Also wrong. The code is licensed such that anyone can distribute it. So, three strikes, and also no.
Personally, I dislike his actions and like the actions of Github in this case. However, I think that it would be hard to justify his actions using "freedom" and "license" as arguments without, at the same time, justifying the actions of Github.
I don't think it's clear that his actions were justified. He deliberately did harm to users of the software. That isn't justified just because he wasn't charging them. The license that
Re: (Score:2)
I don't think it's clear that his actions were justified.
I think they were not.
My argument was that if someone were to justify his actions (as quite a few people do), it would be difficult to do so without also, at the same time, justifying the actions of Github. If he's free to break the code deliberately and all users are at fault for using the code and not considering the "no-warranty" clause, so then Github is free to restore the code after banning him and he is at fault for using Github and not considering the TOS.
Re: (Score:3)
IMO, in this case its either wrong for both of them to do what they did or it was their right to do it.
The developer has published his code with a license that 1) allows anyone to use, modify and distribute the code for free (as long as credit is given to the original developer) and 2) disclaims any warranty, even allowing the developer to break the code intentionally if he so wishes.
Anyone could have just forked the code, tested updates before deploying them etc. If they didn't and their stuff got broken,
Re: (Score:3)
Github sadly do have the legal ability to do as they please right now - as wrong as that is.
Sorry, why is that wrong? He abused those services and caused harm to other users. It's better for everyone else if he's not allowed on those platforms.
BTW, Github restored his account. Maybe if you knew more about the incident, you wouldn't be so quick to defend this scumbag.
Re: (Score:2)
How did he abuse services? He used them to host a version-controlled repository of his own code, as they were intended and in the manner those services were intended. It was in line with the specific requirements of the ToS. Only the vaguer "we do what we want" provisions allowed what happened.
Why are you defending a corporation exercising excessive control over users?
Re: (Score:2)
How did he abuse services?
He used their service to intentionally break thousands of other projects. That is in no way "in the manner those services were intended". You know this.
This "play dumb" act of yours is tedious. Grow up.
Re: "Programming mistakes"? (Score:2)
Re: (Score:2)
They should be neutral to a user deliberately breaking the code they host? No
Re: (Score:2)
No, it’s a problem for the site hosting the code. Obviously. Think about it for half a second.
Re: (Score:2)
If I upload code to Github that happens to work for a given purpose when used in a certain way, github is not harmed.
If I upload code to Github that happens to not work for the same purpose when used in the same way, github is not harmed.
If I upload code to Github that happens to work for a given purpose when used in a certain way, then change it so it no longer works for that purpose when used in that way, github is not harmed.
Any possible harm only exists when other people decide to use it for their own p
Re: (Score:3)
You really don't understand the concept of "community", do you? Like it or not, publishing his code the way he did does obligate him.
But you want to conflate what is right with what is legal, yeah? Well, then the licenses he used means that those services are well-within their rights to lock out this user and continue to distribute the last non-malicious release. But I'll bet you don't like that, do you?
For some reason, you seem to want this guy to be able to do whatever rotten thing he wants and face n
Re: (Score:2)
companies should not have the freedom to act as they have here.
To do what? To distribute code under the terms of the license they were granted or to ban malicious users who openly violate the terms of service? I don't think you've thought this through.
There is no community here.
You are deeply confused.
short of outright breaking criminal law or similar,
I'm not convinced that his little stunt wasn't criminal. IANAL but it seems to me that he ought to be charged under the computer fraud and abuse act or for criminal negligence or something along those lines.
without what you consider "consequences".
Actions have consequences. Each and every one. That's a lesson you're supposed to learn
Re: (Score:2)
short of full on outright theft or other illegal activity.
If he intentionally caused damage, then what he did might very well be illegal. That does not mean he is liable for every mistake in his code, nor does it mean he cannot stop working on his project, or pull it off GitHub, or take it in a different direction.
I don't think that's the case here, but it does mean that you cannot do anything to your code you want, once it is being used by others.
Re: (Score:3)
He definitely caused harm intentionally. He even explained why he did it. He's a scumbag.
Re: (Score:2)
You're confusing what is legal with what is ethical. The two are very different.
Like it or not, publishing his code the way he did does carry with it certain social obligations. He violated that trust and caused harm to a lot of people, as was his intention.
What he did was wrong and I'm shocked that the consequences of his actions weren't more severe. He should count himself lucky that the only thing he lost was his ability to publish on NPM.
Re: "Programming mistakes"? (Score:2)
Re: (Score:2)
That doesn't matter. It's his account, it's his code, it's his project, he can do whatever he wants with it
Yes, except compel others to host it; or, given the use of a license which permits them to redistribute without express permission, except compel others to permit him to modify the copy they are distributing.
If he wanted to prevent them from distributing it without giving him access to modify it, he should have chosen a different language. But if he'd done that, then no one would have used it, and then he never could have pulled his little attention-whoring stunt, and then no one would be discussing this at
Re:"Programming mistakes"? (Score:5, Informative)
> You never know. He might have only made the changes on his local test copy and didn't intend to publish and published it by accident when he was pushing out some other fix.
He literally posted to say he did it on purpose. He's only backtracking now because he's clearly been given legal advice that doing something like that wilfully could land him in legal bother.
Re: (Score:2)
Plus anyone familiar with Git knows you have to add the revision to your local copy and then push it back to the cloud. It's two steps, neither of which you would do if you were not intending to push it back.
I know you can use SVN to check out GitHub projects, which makes committing back a one-step process, but I don't know if SVN support is read/write or read-only.
Whatever (Score:2)
Re: (Score:2)
"It's just a joke, bro." (Score:5, Insightful)
Everyone makes programming mistakes from time to time. Nobody is perfect.
This wasn't a mistake in programming. It was a lapse of judgement -- which is also a "mistake" by the dictionary definition, but putting something malicious in code on purpose isn't the same thing as making accidental typos or forgetting to finish something in what you write.
Re:"It's just a joke, bro." (Score:4, Insightful)
It was intentionally broken. But, I'm not sure I'd call it malicious.
It caused software projects dependent on it to stop working, and the reason they stopped working wasn't accidental. The author made changes they knew would cause the software to stop working as originally designed to draw attention to their personal gripe. It doesn't have to do something illegal to be malicious.
Re: (Score:2, Insightful)
> It caused software projects dependent on it to stop working, and the reason they stopped working wasn't accidental
So it's a QA problem of those projects. Sorry, if they always just pull master with no vetting whatsoever, it's on them.
I'm trying to imagine what would happen if a glibc or curl developer threw a fit like this... I think it wouldn't get into release streams.
Yes, I am advocating a technical solution to a social problem, but also separation of concerns: distribution vs development.
Re: (Score:3)
The fact that those projects should have had better CI has nothing to do with the fact that this dev purposefully harmed thousands of projects.
Yes, the npm dependencies and toolchains are inherently fragile to this type of attack, as of today. Sure.
But if you *intentionally* break thousands of projects, well, you better be ready to face the consequences. Being banned from a platform that clearly expects you "to work in good faith" (according to their TOS) is an obvious consequence.
Re: (Score:2)
> It caused software projects dependent on it to stop working, and the reason they stopped working wasn't accidental
So it's a QA problem of those projects.
That's like saying that it's a QA problem for a fab that it depends on a flow of water, and if you cut off the flow of water production will be impacted. They had a reasonable expectation that a resource would be available, and it was deliberately and willfully withheld.
Re: (Score:3)
If this causes your project to stop working, then there is a massive problem on your side. The guy may have triggered that, but the root cause is insane development practices.
Re: (Score:2)
It was intentionally broken. But, I'm not sure I'd call it malicious.
It's not like the eslint hack which was posting people's npm credentials to a public google analytics account.
It should be a bit of a wake-up call on how to deal with testing and QA, but it wasn't worse than a wake-up call.
It was not malicious. It was annoying, sure, and it demonstrated to a lot of people that their development practices are completely insane and that they are incompetent. That is impolite, but "malicious" is something very, very different. All those morons that got hit have been incredibly lucky that this was not malicious.
Re: (Score:3)
It was not malicious.
The legal definition of malice is with "wrongful intention", and his intent was to do harm. That's malicious in the only sense which matters, legally.
All those morons that got hit have been incredibly lucky that this was not malicious.
No, just lucky that his intent was not to do more harm.
Re: (Score:2)
You're absolutely right and you should totally get a refund.
Just as the dude should get a full refund from GitHub for his outstanding account payments ... oh? Free account? My point entirely.
Dude was making a statement with his code in a way that you didn't like.
Let me ask you something, how many people do you think thanked dude for his years of free code? More or less than the number of people who shit on him?
Dude was almost certainly using some few lines of my code. He never thanked me. Of course, given how many thousands of times more code from people like Linus, Stallman, de Raadt, DeHaan and thousands of others each of us has used, asking for that would be silly. If you want praise and worship, there are proprietary licenses that require that. There's a reason they aren't allo
Mental Health (Score:5, Informative)
Pool's Closed. (Score:5, Insightful)
Kid poops in the pool, gets kicked out.
Hey, why am i banned from the pool?
Re: (Score:3)
Oh it's worse than that. They will ban you if you are an adult too.
I miss the pool.
Love it (Score:3)
The real question is why anyone allows npm to pull in random code. Open source talks a good game but this is a disaster waiting to happen.
Re:Love it (Score:4, Insightful)
NPM has been a disaster since it was released, and the problems were widely discussed, and have happened before.
The reason it's popular is because it has a really nice UI (for a developer perspective).
Re: (Score:3)
That's how most open source repos work. Same with the various package managers like apt, same with open source app stores like FDroid, same with open code repos like Github.
Most people don't think twice when they apt upgrade.
Re: (Score:3)
That's how most open source repos work. Same with the various package managers like apt, [...] Most people don't think twice when they apt upgrade.
Debian packages have maintainers who are responsible for packaging. This middleman stands between the developer and the distributor and is personally responsible for ensuring that software is correctly packaged. If you were installing these libraries via debian package, the package maintainer would be expected to have caught the malicious activity and elected NOT to package the "updated" version. Debian's reputation is on the line in such cases, and rightly so.
Re: (Score:2)
Open source talks a good game but this is a disaster waiting to happen.
Open source as evidenced by this example is self regulating. You think pulling random code is bad, imagine running *gasp* a closed source binary where you have no access to the code at all.
Risk is about likelihood and consequence. While the consequence here is high, the likelihood can be judged based on past performance, and that past performance has shown the actual risk to be rather low. But don't take my word for it. Just go to a site like Slashdot and look at how many stories we have about a rogue npm li
entitled Ahole (Score:2)
Fork them (Score:2)
Just create a new account and fork your projects.
Sure, you need to rebuild the trust you had on your old projects.
You HAD hundreds of packages to maintain (Score:2)
You've rage-quit software development. Good luck in your new profession or hobby, whatever it may be.
Re: (Score:3)
Would you really trust changes he makes to that code? If anyone keeps using any of those projects without vetting every line, they're a fool. And if you do look close enough to not have to trust him, you can fix anything yourself. Anyway, he got his wish: He is done coding for other people.
They ought to do it like this (Score:2)
Ban for willful negligence or ban for malice. Banned either way, but you get a nicer toned ban notification if you were negligent. Also, a negligence ban ought to have an easier redemption path, maybe if you do some courses and tests and have improved enough you can be unbanned. Malice redemption path ought to be orders of magnitude more difficult.
Why the double standard? (Score:2)
Don't like it, don't use it. Make your own version/fork or pay for it and get a supported version.
Re:Why the double standard? (Score:5, Insightful)
Don't like it, don't use it. Make your own version/fork or pay for it and get a supported version.
And GitHub did just that. Made its own version (which was just the version without the intentional breaking) and banned a user from accessing its own systems.
Don't like it - don't use it. Self-host your code.
Why take sides? (Score:2)
This isn't about the person. Yes, Marak Squires' action could be considered malicious. But the facts that 1. it made a valid point with regard to unpaid work in open source prevalently being used by affluent corporate entities and that 2. GitHub shouldn't be allowed to suspend someone's account for what someone does to their own code as long as that doesn't obviously break the law are just as true. We neither need to take his side nor have to see him as a nice person to acknowledge that. Also, while the fire
Let's rephrase this... (Score:2)
Quote: "Everyone makes programming mistakes from time to time. Nobody is perfect."
And he wants his rights back.
Let's rephrase it: "I'm a fireman but yesterday I started a fire in London that burnt half of it to ashes. They removed my rights as worker, but I want them back!"
My polite guess is they will answer a stunning "No, sire."
NPMs fault (Score:4, Insightful)
That this goes on the guy instead of highlighting what an insanely stupid idea NPM is, speaks for the hubris of the coding community.
NPM is like walking through a forest and eating everything that looks interesting when you don't have an immune system. It's basically asking for trouble.
The idea is neat: a vast collection of small modules you can put together so you don't need to re-invent the wheel. Brilliant. Excellent. Very modular, flexible, powerful.
The problem is that it only works in a perfect world. In the real world, modules get abandoned, corrupted, disappear, and tracking a bug through ten layers of indirection is hell.
Re: (Score:2)
And yet with the thousands upon thousands of libraries, and the even larger number of projects using them problems which occur are rare enough to actively make the news.
The world is built on a level of trust. At all times. How is trusting npm any different to trusting any other code written by someone else? Sure, a developer can ruin your project, but so can malware, a fucked-up system update, or any number of things.
Npm is a bad idea for highly critical systems, but it's nowhere near as bad as you make it out t
Re: (Score:2)
And yet with the thousands upon thousands of libraries, and the even larger number of projects using them problems which occur are rare enough to actively make the news.
How much, do you think, of that fact is the result of "the news" not caring about the root cause of a software bug, but only the effects? Only a few specialized sites like this one would even open the hood to look for what's going on. The rest of "the news" will write "Software bug causes $4 mio. in losses to online shop"
How is trusting npm any different to trusting any other code written by someone else?
It makes it too easy to continuously update all your stuff, without ever checking anything at all. In a traditional software update cycle, you would read the CHANGELOG, patch a test system
Re: (Score:2)
I absolutely agree with what you're saying, I just completely disagree with the tone of your original post. No, everyone isn't going and licking the forest without immune systems. Actually licking the forest with a perfectly functioning immune system would be a perfectly apt example, a few people get sick, life goes on.
That's NPM in a nutshell. No it hasn't ended computing as we know it. No the ability to easily update everything hasn't fucked up every project ever to use it (as your forest example would).
T
Re: (Score:2)
If you specify exact versions of all your dependencies, you are immune to this type of shit. But then again, relying on an external package for a 10 line method is also stupid in its own way.
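The comment above recommends pinning exact versions. As an added example (not code from the original thread, from npm, or from the colors.js/faker.js projects), the script below audits a package.json-shaped object and reports every dependency whose specifier would let a later publish be pulled in automatically: caret and tilde ranges, partial versions, dist-tags such as "latest" or "next", and git or URL sources. The manifest it runs over is constructed for this example, with made-up package names; the section names and specifier syntax are the standard package.json ones.

```javascript
// Added example: find non-exact dependency specifiers in a package.json-shaped
// object. Sections and specifier grammar follow package.json conventions;
// the sample manifest below is constructed, not taken from any real project.

// A bare semver version, optionally with prerelease/build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classify one specifier as 'exact', 'range', 'any', 'tag' or 'external'.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s === '' || s === 'latest' || /^[xX*]$/.test(s)) return 'any';
  if (s.startsWith('npm:')) {
    // Alias form npm:<name>@<spec>; audit the inner spec. A bare npm:<name>
    // resolves to the "latest" dist-tag, so treat it as floating.
    const body = s.slice(4);
    const at = body.lastIndexOf('@');
    return at <= 0 ? 'any' : classifySpec(body.slice(at + 1));
  }
  // git/URL/file sources are outside the registry's version immutability.
  if (/^(git(\+\w+)?:|github:|https?:|file:|link:|workspace:)/.test(s)) return 'external';
  const v = s.replace(/^[=v]/, '');        // tolerate "=1.2.3" and "v1.2.3"
  if (EXACT_SEMVER.test(v)) return 'exact';
  if (/^[\^~<>=]/.test(s) || /^\d/.test(s)) return 'range';   // "^1.4.0", ">=27 <28", "8.x", "1.2"
  return 'tag';                            // dist-tag such as "next" or "beta"
}

// peerDependencies are left out on purpose: they are ranges by design.
const AUDITED_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Return one finding per dependency that is not pinned to an exact version.
function auditManifest(manifest) {
  const findings = [];
  for (const section of AUDITED_SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names).
const SAMPLE_MANIFEST = {
  name: 'sample-app',
  dependencies: {
    'pinned-lib': '1.4.0',                 // exact: a later 1.4.x publish is not pulled in
    'caret-lib': '^1.4.0',                 // npm's default save prefix: any later 1.x
    'tilde-lib': '~1.4.0',                 // any later 1.4.x
    'floating-lib': 'latest',              // whatever the maintainer tags next
    'aliased-lib': 'npm:@example/real-name@2.0.1',   // alias, inner spec is exact
    'vendored-lib': 'git+https://example.invalid/vendored-lib.git#v3',
  },
  devDependencies: {
    'range-tool': '>=27 <28',
    'xrange-tool': '8.x',
    'tagged-tool': 'next',
  },
};

// Human-readable report, one line per finding.
function formatReport(findings) {
  return findings.map(f => `${f.section}/${f.name}: "${f.spec}" (${f.kind})`).join('\n');
}

console.log(formatReport(auditManifest(SAMPLE_MANIFEST)));
```

Exact pins in package.json only cover direct dependencies; transitive ones still float unless a lockfile is committed and installs use `npm ci`, which fails rather than silently re-resolving when the lockfile and manifest disagree. `npm config set save-exact true` stops `npm install` from writing caret ranges in the first place. A pin also cannot help if the version pinned is already the sabotaged one, which is the case the changelog-and-test-system discipline in the thread is about.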
I'm all for second chances (Score:5, Insightful)
I'm all for second chances, and I don't think his career should be over forever — but a second chance doesn't mean there should be no consequences at all. In order to get a second chance there should be a level of contriteness proportional to the gravity of the offense (which he doesn't appear to show here), as well as the understanding that the offender will have to rebuild the broken trust over time.
While the NPM ecosystem has some systematic issues that made this issue a whole lot worse than it could have been otherwise (and that a lot of people have been critiquing for years), in the end he was the one that screwed over a metric ton of people with what he did deliberately, and there is no simple "let's go back to what life was before" here, rehabilitation requires effort over time.
What really gets to me here is the tone of his tweets, they reek of entitlement, especially the #AaronSwartz, which was particularly disgusting.
Just tell this asshole "No". (Score:4, Insightful)
He's been shown to abuse his privileges and betray user trust.
That sort of thing is a knife in the heart of trust.
He's demonstrated he cannot be trusted.
Two questions (Score:2)
2) Does the design of NPM offer any protection from this kind of behaviour, or is every developer who makes use of it supposed to inspect every line of code that ends up in his project before each release and after each upgrade? I know that open source software is offered without warranty, but respected repositories of open source
Does NPM, a private company, owe him a platform? (Score:2)
The guy needs to own his malicious acts. (Score:5, Insightful)
It's just not the sort of mistake that goes away by saying oops. Especially when it impacts the actual lives of people. Actions have consequences, corrupting the libraries had consequences for a lot of very real people. Thousands of libraries might easily equate to millions of people having services disrupted.
Major services have always stuck gimmicks into web pages (remember the CGI scripted webpage counters?), so something that seems incidental could easily have taken out access to something essential. In this case, the programmer got lucky and the consequences don't seem to have been devastating. He couldn't have known that in advance, that was something he found out afterwards. And, yes, as programmer he's ultimately responsible, for all the lack of warranty.
I am not seeing any kind of real apology here for the reckless disregard of those people. I'm seeing an "oh well, maybe I shouldn't have got caught inflicting misery" but not a whole lot of "and I really shouldn't have been causing misery to others to begin with". I'm also seeing a "I sabotaged a software component over here, why am I banned from sabotaging other software components the next time I get stroppy?"
I'm beginning to think that we should have some sort of voluntary system of either certifying or self-certifying that a given standard is reached, where the most basic standard would be that the maintainer hasn't knowingly sabotaged the code, along with short, clear, simple guidelines on who is responsible for what and when, instead of making users responsible for absolutely everything (and therefore nobody is really responsible for anything).
It needn't be complicated, it needn't be unfair on anyone, and it needn't require anyone to have magic knowledge, magic abilities or access to a TARDIS.
Re: (Score:2, Insightful)
Sounds like a great precedent to me. You should be able to do what you like with your own project. It's the job of other people using your project to vet what they depend on.
The problem here is other projects blindly trusting external dependencies. Putting it on the guy here is simply trying to project and deflect blame
Re: (Score:3)
He can still do what he likes with his own project. He just needs to host it himself.
As for blame, there's plenty available for both him and the people who autoupdate dependencies and alpha-test in prod to receive some.
Re: (Score:2)
Re: (Score:3)
1. It's their system.
2. The project was published under a license that permits Github to modify and distribute it.
Re: (Score:2)
The raw code, yes. To perpetuate his repository as to make representations that it was his product and his hosting, no.
They should rename and rehome the project if they wanted to host independently of the original author
Re: (Score:3)
His projects continue to exist in these platforms,
Yes. They are allowed to do so because of how this shitbag licensed his code.
he's been denied access to them (unreasonably and unfairly).
Nonsense. As another poster put it, he "pooped in the pool". The only fair and reasonable thing to do was ban him.
Re: (Score:2)
You seem to not understand the difference between "shouldn't" and "don't".
Companies (at least ones with any kind of legal entity status) are legal fictions. They have only the rights we choose to give them, or none at all. Heck, such companies could even simply not exist if we decided that's how we wanted things. We could abolish LLCs and Corporations etc and leave the only allowable business structure as direct proprietorships, whether individual or partnerships.
I don't believe companies should have the ri