Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Programming Open Source

Developer Who Intentionally Corrupted His Libraries Wants NPM To Restore His Publishing Rights (twitter.com) 251

Remember that developer who intentionally corrupted his two libraries which collectively had over 20 million weekly downloads and thousands of dependent projects? In the immediate aftermath he'd complained on Twitter that NPM "has reverted to a previous version of the faker.js package and Github has suspended my access to all public and private projects. I have 100s of projects. #AaronSwartz."

That was January 6th, and within about a week GitHub had restored his access, while one of his two libraries (faker-js) was forked by its community to create a community-driven project. But Thursday the developer announced on his Twitter account: What's up @Github? Ten days since you removed my ability to publish to NPM and fix the Infinity Zalgo bug in colors.js

Never responded to my support emails.

I have 100s of packages I need to maintain.

Everyone makes programming mistakes from time to time. Nobody is perfect.

It hasn't been confirmed that NPM has actually blocked his ability to publish — but the tweet already appears to be attracting reactions from other developers on social media.
This discussion has been archived. No new comments can be posted.

Developer Who Intentionally Corrupted His Libraries Wants NPM To Restore His Publishing Rights

Comments Filter:
  • Oh well (Score:5, Insightful)

    by divide overflow ( 599608 ) on Monday January 24, 2022 @12:38AM (#62201247)
    After all that is he surprised?
  • by 93 Escort Wagon ( 326346 ) on Monday January 24, 2022 @12:40AM (#62201251)

    "Everyone makes programming mistakes from time to time. Nobody is perfect."

    No, the vast majority of coders never intentionally add malicious code to their projects.

    • by gweihir ( 88907 )

      No, the vast majority of coders never intentionally add malicious code to their projects.

      Indeed. Most developers in this space are incompetent and stupid enough to do that involuntarily and they do not have the minimal skill needed to catch such things early.

  • You don't need GitHub to publish to NPM. You can authenticate and publish using the npm command, directly from your workstation or server to the repository.
    • by xalqor ( 6762950 )
      By the way, GitHub bought NPM so maybe he was referring to the parent company that controls both. If that's the case, why not call out Microsoft, since they bought GitHub? Regardless of the parent company, I was referring to the actual web services.
  • by SeaFox ( 739806 ) on Monday January 24, 2022 @12:48AM (#62201267)

    Everyone makes programming mistakes from time to time. Nobody is perfect.

    This wasn't a mistake in programming. It was a lapse of judgement -- which is also a "mistake" by the dictionary definition, but putting something malicious in code on purpose isn't the same thing as making accidental typos or forgetting to finish something in what you write.

  • Mental Health (Score:5, Informative)

    by Some Guy ( 21271 ) on Monday January 24, 2022 @12:55AM (#62201279)
    If this is the same Marak Squires [abc7ny.com], it seems like this is the tip of the iceberg and he's got some mental health issues to work through,
  • Pool's Closed. (Score:5, Insightful)

    by suss ( 158993 ) on Monday January 24, 2022 @01:23AM (#62201331)

    Kid poops in the pool, gets kicked out.

    Hey, why am i banned from the pool?

  • by ArchieBunker ( 132337 ) on Monday January 24, 2022 @01:31AM (#62201345)

    The real question is why anyone allows npm to pull in random code. Open source talks a good game but this is a disaster waiting to happen.

    • Re:Love it (Score:4, Insightful)

      by phantomfive ( 622387 ) on Monday January 24, 2022 @03:04AM (#62201475) Journal

      NPM has been a disaster since it was released, and the problems were widely discussed, and have happened before.

      The reason it's popular is because it has a really nice UI (for a developer perspective).

    • by AmiMoJo ( 196126 )

      That's how most open source repos work. Same with the various package managers like apt, same with open source app stores like FDroid, same with open code repos like Github.

      Most people don't think twice when they apt upgrade.

      • That's how most open source repos work. Same with the various package managers like apt, [...] Most people don't think twice when they apt upgrade.

        Debian packages have maintainers who are responsible for packaging. This middleman stands between the developer and the distributor and is personally responsible for ensuring that software is correctly packaged. If you were installing these libraries via debian package, the package maintainer would be expected to have caught the malicious activity and elected NOT to package the "updated" version. Debian's reputation is on the line in such cases, and rightly so.

    • Open source talks a good game but this is a disaster waiting to happen.

      Open source as evidenced by this example is self regulating. You think pulling random code is bad, imagine running *gasp* a closed source binary where you have no access to the code at all.

      Risk is about liklihood and consequence. While the consequence here is high, the likelihood can be judged based on past performance, and that past performance has shown the actual risk to be rather low. But don't take my word for it. Just go to a site like Slashdot and look at how many stories we have about a rogue npm li

  • Act like a spoilt entitled child, get treated like one.
  • Just create a new account and fork your projects.
    Sure, you need to rebuild the trust you had on your old projects.

  • You've rage-quit software development. Good luck in your new profession or hobby, whatever it may be.

  • Ban for willful negligence or ban for malice. Banned either way, but you get a nicer toned ban notification if you were negligent. Also, a negligence ban ought to have an easier redemption path, maybe if you do some courses and tests and have improved enough you can be unbanned. Malice redemption path ought to be orders of magnitude more difficult.

  • Developers have the ultimate right to do whatever they want with their code, just as artists have the right to do what they want with their work.

    Don't like it, don't use it. Make your own version/fork or pay for it and get a supported version.
    • by Pentium100 ( 1240090 ) on Monday January 24, 2022 @03:05AM (#62201479)

      Don't like it, don't use it. Make your own version/fork or pay for it and get a supported version.

      And GitHub did just that. Made its own version (which was just the version without the intentional breaking) and banned a user from accessing its own systems.
      Don't like it - don't use it. Self-host your code.

  • This isn't about the person. Yes, Marak Squires' action could be considered malicious. But the facts that 1. it made a valid point with regard to unpaid work in open source prevalently being used by affluent corporate entites and that 2. github shouldn't be allowed to suspend someone's account for what someone does to their own code as long as that doesn't obviously break the law are just as true. We neither need to take his side nor have to see him as a nice person to acknowledge that. Also, while the fire

  • Quote: "Everyone makes programming mistakes from time to time. Nobody is perfect."

    And he wants his rights back.

    Let's rephrase it: "I'm a fireman but yesterday I started a fire in London that burnt half of it to ashes. They removed my rights as worker, but I want them back!"

    My polite guess is they will answer a stunning "No, sire."

  • NPMs fault (Score:4, Insightful)

    by Tom ( 822 ) on Monday January 24, 2022 @03:21AM (#62201507) Homepage Journal

    That this goes on the guy instead of highlighting what an insanely stupid idea NPM is, speaks for the hubris of the coding community.

    NPM is like walking through a forest and eating everything that looks interesting when you don't have an immune system. It's basically asking for trouble.

    The idea is neat - a vast collection fo small modules you can put together and don't need to re-invent the wheel. Brilliant. Excellent. Very modular, flexible, powerful.

    The problem is that it only works in a perfect world. In the real world, modules get abandoned, corrupted, disappear, and tracking a bug through ten layers of indirection is hell.

    • And yet with the thousands upon thousands of libraries, and the even larger number of projects using them problems which occur are rare enough to actively make the news.

      The world is built on a level of trust. At all times. How is trying npm any different to trusting any other code with by someone else? Sure a developer can ruin your project, but do can malware, a fucked up system update, or any number of things.

      Npm is a bad idea for highly critical systems, but it's no where near as bad as you make it out t

      • by Tom ( 822 )

        And yet with the thousands upon thousands of libraries, and the even larger number of projects using them problems which occur are rare enough to actively make the news.

        How much, do you think, of that fact is the result of "the news" not caring about the root cause of a software bug, but only the effects? Only a few specialized sites like this one would even open the hood to look for what's going on. The rest of "the news" will write "Software bug causes $4 mio. in losses to online shop"

        How is trying npm any different to trusting any other code with by someone else?

        It makes it too easy to continuously update all your stuff, without ever checking anything at all. In a traditional software update cycle, you would read the CHANGELOG, patch a test system

        • I absolutely agree with what you're saying, I just completely disagree with the tone of your original post. No, everyone isn't going and licking the forest without immune systems. Actually licking the forest with a perfectly functioning immune system would be a perfectly apt example, a few people get sick, life goes on.

          That's NPM in a nutshell. No it hasn't ended computing as we know it. No the ability to easily update everything hasn't fucked up every project ever to use it (as your forest example would).

          T

    • by Pieroxy ( 222434 )

      If you specify exact versions of all your dependencies, you are immune to this type of shit. But then again, relying on an external package for a 10 line method is also stupid in its own way.

  • by chx496 ( 6973044 ) on Monday January 24, 2022 @03:24AM (#62201511)

    I'm all for second chances, and I don't think his career should be over forever — but a second chance doesn't mean there should be no consequences at all. In order to get a second chance there should be a level of contriteness proportional to the gravity of the offense (which he doesn't appear to show here), as well as the understanding that the offender will have to rebuild the broken trust over time.

    While the NPM ecosystem has some systematic issues that made this issue a whole lot worse than it could have been otherwise (and that a lot of people have been critiquing for years), in the end he was the one that screwed over a metric ton of people with what he did deliberately, and there is no simple "let's go back to what life was before" here, rehabilitation requires effort over time.

    What really gets to me here is the tone of his tweets, they reek of entitlement, especially the #AaronSwartz, which was particularly disgusting.

  • by Chas ( 5144 ) on Monday January 24, 2022 @05:13AM (#62201707) Homepage Journal

    He's been shown to abuse his privileges and betray user trust.
    That sort of thing is a knife in the heart of trust.

    He's demonstrated he cannot be trusted.

  • 1) Do people really grow up nowadays believing that they're entitled to damaging others, and for the pettiest reasons, without suffering consequences, or is this an isolated case?
    2) Does the design of NPM offer any protection from this kind of behaviour, or is every developer who makes use of it supposed to inspect every line of code that ends up in his project before each release and after each upgrade? I know that open source software is offered without warranty, but respected repositories of open source
  • NPM is a private company. Swartz is a private individual. NPM does not owe him anything on their platform. It's no different than Twitter, Facebook, or Instagram.
  • by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Monday January 24, 2022 @10:04AM (#62202443) Homepage Journal

    It's just not the sort of mistake that goes away by saying oops. Especially when it impacts the actual lives of people. Actions have consequences, corrupting the libraries had consequences for a lot of very real people. Thousands of libraries might easily equate to millions of people having services disrupted.

    Major services have always stuck gimmicks into web pages (remember the CGI scripted webpage counters?), so something that seems incidental could easily have taken out access to something essential. In this case, the programmer got lucky and the consequences don't seem to have been devastating. He couldn't have known that in advance, that was something he found out afterwards. And, yes, as programmer he's ultimately responsible, for all the lack of warranty.

    I am not seeing any kind of real apology here for the reckless disregard of those people. I'm seeing an "oh well, maybe I shouldn't have got caught inflicting misery" but not a whole lot of "and I really shouldn't have been causing misery to others to begin with". I'm also seeing a "I sabotaged a software component over here, why am I banned from sabotaging other software components the next time I get stroppy?"

    I'm beginning to think that we should have some sort of voluntary system of either certifying or self-certifying that a given standard is reached, where the most basic standard would be that the maintainer hasn't knowingly sabotaged the code, along with short, clear, simple guidelines on who is responsible for what and when, instead of making users responsible for absolutely everything (and therefore nobody is really responsible for anything).

    It needn't be complicated, it needn't be unfair on anyone, and it needn't require anyone to have magic knowledge, magic abilities or access to a TARDIS.

The opossum is a very sophisticated animal. It doesn't even get up until 5 or 6 PM.

Working...