Protestware On the Rise: Why Developers Are Sabotaging Their Own Code (techcrunch.com)
"If combating attacks and hijackings of legitimate software on open source registries like npm weren't challenging enough, app makers are increasingly experiencing the consequences of software self-sabotage," writes security researcher and reporter Ax Sharma via TechCrunch. "A developer can, on a whim, change their mind and do whatever they want with their open source code that, most of the time anyway, comes 'as is' without any warranty. Or, as seen by a growing trend this year, developers deliberately sabotaging their own software libraries as a means of protest -- turning software into 'protestware.'"
One of the many examples Sharma mentions happened during the first week of 2022, when thousands of applications that rely on the heavily used npm projects colors and faker broke and began printing gibberish text on users' screens. "It wasn't a malicious actor hijacking and altering these legitimate libraries," writes Sharma. "It turned out the projects' developer Mark Squires had intentionally corrupted his own work to send a message of protest to big corporations..." An anonymous reader shares an excerpt from his report: Open source developers are discovering new and creative avenues that no longer limit them to implementing new features for their projects, but to actively express their views on larger social matters by modifying their projects for a cause. And, unlike proprietary code that has to function in line with a paying customer's expectations, most open source licenses are quite permissive -- both for the consumer and the developer -- offering their code with licenses that offer no guarantees as to what a developer is not supposed to and will never do with their code, making protestware a gray area for defenders. In fact, as a security researcher at Sonatype, I observed how protestware posed a challenge for us in the early stages and how we would tweak our automated malware detection algorithms to now catch self-sabotages with projects like colors and faker. Traditionally, the system was designed to spot typosquatting malware uploaded to open source repositories, but cases like malicious hijacks or developers modifying their own libraries without warning required a deeper understanding of the intricacies of how protestware works.
The theme has also put major open source registries like npm -- owned by GitHub, a Microsoft subsidiary -- at a crossroads when having to deal with these edge cases. Socket's founder Feross Aboukhadijeh told TechCrunch that registries like GitHub are in a difficult position. "On the one hand, they want to support maintainers' right to freedom of expression and the ability to use their platform to support the causes they believe in. But on the other hand, GitHub has a responsibility to npm users to ensure that malicious code isn't served from npm servers. It's sometimes a difficult balancing act," said Aboukhadijeh. A simple solution to ensuring you are getting only vetted versions of a component in your build is to pin your npm dependency versions. That way, even if future versions of a project are sabotaged or hijacked, your build continues to use the "pinned" version as opposed to fetching the latest, tainted one. But this may not always be an effective strategy for all ecosystems, like PyPI, where existing versions of a component can be republished -- as we saw in the case of the hijacking of the ctx PyPI project.
"The conversation around 'protestware' is really a conversation about software supply chain security. You can't trust what you can't verify," Dan Lorenc, the co-founder and chief executive at Chainguard, a startup that specializes in software supply chain security, told TechCrunch. Lorenc's advice against preventing protestware is to follow good open source security hygiene and best practices that can help developers develop protestware more easily and early on. "Knowing and understanding your dependencies, conducting regular scans and audits of open source code you are using in your environments are a start." But Lorenc warns the debate about protestware could draw in copycats who would contribute to the problem and detract open source software defenders from focusing on tackling what's truly important -- keeping malicious actors at bay. And with protestware there remain unknown unknowns. What issue is too small -- or too big -- for protestware? While no one can practically dictate what an open source developer can do with their code -- it is a power developers have always possessed, but are now just beginning to harness.
How to destroy your reputation 101 (Score:4, Insightful)
Quite frankly, 99.9something% of the people using your software don't give a flying fuck about whatever important issue you're protesting. They do care about your software and how it works.
Take a wild guess what you will accomplish with your protest. Hint: Yes, they will be pissed and outraged. But probably not at the thing you're protesting against.
Re: (Score:2)
No publicity is bad publicity. It's a way to be heard by people who won't read whatever blog your idiotic manifesto is on.
Re:How to destroy your reputation 101 (Score:5, Insightful)
But what remains is that he's the idiot that made me rewrite my whole code because I had to switch to a different library. Right after rolling back the update that broke functionality.
Nobody remembers what issue he was protesting. Because to remember something, you first of all have to care enough to actually learn about it.
Re: (Score:3, Insightful)
Wait, somebody gave you something for free, updated it in a way you didn't like, and you're mad because you had to choose between a) don't update; b) use something else and c) write your own?
Muffin, you're so hard done by!
There's a pretty simple solution to this issue. If you're getting significant value out of somebody else's work, license it from them with whatever guarantees you desire. If you can't agree on a license then maintain your own fork.
Re:How to destroy your reputation 101 (Score:5, Insightful)
Or SAP I suppose, but they're German so they might be Communists.
Re:How to destroy your reputation 101 (Score:4, Funny)
The point of the article being "oh shit we thought we were getting all this work done for free, but it turns out we might have to have one of our employees spend some time testing and integrating updates instead of blindly merging any changes into our production servers!"
Re:How to destroy your reputation 101 (Score:5, Insightful)
Wait, somebody gave you something for free
The cost of using a free software library is not zero. It takes time and effort to learn an API, change my app to use it, and test every change.
Releasing free software and then sabotaging it is sorta like shitting in a public park.
Re: (Score:3)
But again, someone released their hobby project for free and you decided to build it into your business. It's not their fault you invested your own money in it, and didn't see fit to pay them to maintain it in a way that suits you, or fork it and maintain your own version.
The only contract between the two of you is the licence they put on it, which usually says they owe you nothing, use at your own risk, but if you want to maintain your own version go ahead.
Re: (Score:3)
You are making the case on why free software should not be used since you have no right to expect the free software developer not to change their code and sink your system.
These developers doing this, cause more damage to the free software movement than help they provide whatever their cause is. In fact, it will probably have the alternative effect of people associating their cause with software terrorism (that's a loaded word but I couldn't think of another one.)
Re: (Score:2)
software terrorism (that's a loaded word but I couldn't think of another one.)
Industrial Sabotage.
Re: (Score:2)
lol troll (Score:2)
Deliberately causing damage to people who trusted you is deliberately causing damage. It doesn't matter what your reasons were. People will only remember that you fucked them over, and that's all they should remember. Hurting the people you claim you want to help always proves hypocrisy.
Re: (Score:2)
Do you always switch to a different library whenever an update breaks things?
It would be nice if incompatible API changes were indicated by a new major version number [semver.org], but people would probably continue to bitch and moan anyway.
Re: (Score:3)
Nah, what happens more often than not is stepping back a version, then remain there 'til the heat death of the universe. Hell, people couldn't even be assed to use log4j's new version that would have fixed the problem ages ago and stayed with a decades-old, buggy version.
Re: (Score:3)
he's the idiot that made me rewrite my whole code
I'd say it's mostly the fault of whoever selected that library. I've warned against this bizarre trend of including countless third-party libraries. I've also warned against the baffling decision so many people make to just blindly download the latest version of whatever it is they've included as part of the build process. (Some people have tried to justify that in the name of security. Really.)
Using a library does not absolve you of any of the responsibility of maintaining that code. If the author make
Re: (Score:3, Insightful)
From a security point of view, using libraries is the sensible way to go. Today, very, very few programmers can actually write secure code. Show me your implementation of a cryptography algorithm and I show you one that I can break due to an implementation error. It's not that easy.
Libraries offer a solution to that problem because they are a sensible way to outsource that problem. Not to mention a sensible way to avoid reinventing the wheel over and over.
Re: (Score:2)
Before I post a long rant, I need to point out that one of the libraries in the article is one called left-pad that ... does exactly what it sounds like. This is the single most unnecessary use of a library that I've ever seen. It is, or was, dramatically over-complicated and doesn't even perform as well as the obvious solution!
Have We Forgotten How To Program? [davidhaney.io]
That article points out something very interesting. A library [github.com], with 880,000 downloads per day, that 72 other libraries are dependent on, that cons
Re: (Score:2)
Please look who you're talking about. You want the average node.js dev to fork a project and maintain it.
Re: (Score:2)
If we never reinvented the wheel, cars would have a top speed of 2mph. Quite frankly, a lot of the crap library code that people are blindly including could stand to be rewritten by someone with at least minimal competence. Then again, it probably doesn't need to be a library at all.
You don't need a third-party library to left-pad a string. You don't need a library to tell you if a number is a positive integer. (Especially not one that has three additional dependencies! See my other reply.) You don't ne
Re: (Score:2)
But what remains is that he's the idiot that made me rewrite my whole code because I had to switch to a different library
ooooohh, having to write your own code? outrageous! what's next?!
jokes aside, if you got bitten by this then you were being the idiot who was profiting from the other idiot's free code without taking proper care of dependencies.
it really boils down to "know your own stuff and don't update without supervision", and all the idiots in the world can have all the fun in the world without you being affected (it's actually a bit more nuanced but since you write your own code i assume you know the basic process).
Re: (Score:3)
It's mostly boiling down to being your own damn fault if you rely on the mess that node.js and its devs are.
Re: (Score:2)
it is a pretty messy ecosystem indeed. the thing is, it has also considerable value and it would be very hard to do much for the web nowadays without relying on that mess. it just has to be done safely. dependencies are a critical issue anyway, regardless of origin, and you don't really need to piss off a hipster for stuff to suddenly break spectacularly if you don't have strict control over the dependency graph.
Re: (Score:3)
Relying on libraries isn't lazy, it's actually a good practice. The more custom code you use, the more bugs you're likely to introduce, and the less other people have vetted your code. Writing your own cryptography code for instance is an incredibly stupid thing to do. Even if you get the algorithm right, which for good encryption is no small task, there can be all kinds of problems with your implementation that will allow it to be broken. Whereas if you use an off the shelf library, you're more likely to b
Re: How to destroy your reputation 101 (Score:3)
Re: (Score:2)
Most code is. Why, you wrote your own OpenGL or DirectX replacement for your graphics engine? Or did you just go to Unity or Unreal for that job?
Re: (Score:2)
Sure you can. And then what? You want to trust that he comes to his senses with the next version? Because one thing is certain, and twice so with node.js: There will be bugs in the library. Some of them will be severe security issues, and again, twice so with node.js. What then? Sit there and hope that nobody reads snyk.io and digs through metasploit for a ready-to-use exploit for your ancient library?
Re: (Score:2)
Fork it and maintain it yourself. Good idea. You tell your boss that, can I come with the camera, that reaction needs to be on YouTube.
We're still talking node.js here where the blind leads the blind. Most of the libraries are a Frankenstein mess of copy/pasted stackexchange answers. And they are used because the people using them know even less about coding, let alone coding securely.
Re: (Score:2)
We're still talking node.js here where the blind leads the blind.
Oh you're a web developer, I'm so sorry. That explains it though.
I don't know if he is, but the story is mainly about node.js so his example is more relevant than the non-example you gave.
Re: (Score:2)
No publicity is bad publicity.
At your next job interview when they ask you "Why did you leave your previous job?" tell them "I got upset one day and took a shit on my bosses desk." Let's see how good your "not bad publicity" is for you.
Re:How to destroy your reputation 101 (Score:5, Insightful)
This won't simply destroy the reputation of one open source developer. This has the potential of destroying the entire open source movement.
Re:How to destroy your reputation 101 (Score:4, Insightful)
they will be pissed and outraged. But probably not at the thing you're protesting against
Indeed. Hard to imagine a better way to ensure that a.) everyone avoids your work going forward and b.) ensure any prospective employers clearly know what sort of a whack job they're looking at.
This calls for a github repo to document every case of this with links to the actual commits and the names of the perpetrators.
Re: (Score:3)
b.) ensure any prospective employers clearly know what sort of a whack job they're looking at.
Yeah like what you see with management types, they can run a {team|business unit|company} in the ground and they never get another job!
/sarcasm off
Re: (Score:2)
Yeah like what you see with management types, they can run a {team|business unit|company} in the ground and they never get another job!
/sarcasm off
They don't usually intentionally destroy the team for an outside political cause and then proudly announce they intentionally destroyed the team for said cause.
Re: (Score:2)
Many people don't think about consequences. In fact, the current trend is to forgive people for past bad acts. So; get caught. Act contrite. Beg for the mercy of others. Get another job. Rinse, repeat.
Your outrage at their past bad acts is your problem and you have to fix it (according to current social philosophy).
Re: (Score:2)
Nah, we only do that with corporations. We still hang individuals, if only figuratively by now.
Re: How to destroy your reputation 101 (Score:2)
Who has been completely destroyed by a simple joke?
Re: (Score:3, Informative)
Re: (Score:2)
If you think the "woke mob" is bad, you should see what happens on the right. They like to use more than their voice and their wallets when they "cancel" something -- they use the power of government.
As for your youtube video -- I smell bullshit. Try a news source.
Re: (Score:2)
Yep. A private company responding to market forces. Why do you hate capitalism?
Contrast this with "conservative" efforts to ban books [thedailybeast.com] that contain ideas they don't like from schools and libraries.
Re: (Score:2)
Yep. A private company responding to market forces. Why do you hate capitalism?
The invisible hand is only good if it's punching someone else in the nuts.
Re: (Score:2)
to name a few
You literally didn't name any, and this far no mentions of anybody in the video (I admit the I'm not far into the 1 hour video, but it's a pretty inefficient way to deliver information, and I'm giving up on it now).
Re: (Score:2)
The actor that played Elastic Man in the flash was fired for almost decades old jokes on twitter. And that only came out because he supported BLM and people called him out for things he said years prior.
It didn't matter that he was up to date on social norms, his past jokes did not pass today's standards and he was fired. Which is funny coming from a show where every villain is entitled to a 2nd chance of redemption.
https://www.cinemablend.com/te... [cinemablend.com]
Re: (Score:2)
The current trend is to attack anyone who isn't absolutely pure
That's true for thoughtcrime. But heaven help anyone who does a background check for a bank loan or apartment rental, unearths a black hat hack or maybe a pot shop armed robbery and holds it against the applicant.
Re: (Score:2)
They do care about your software and how it works.
...but not enough to open their wallet and pay, because this is about open source software. You get what you pay for. If you want vetted code, pay the going market rates for it.
Re: (Score:2)
They do care about your software and how it works.
...but not enough to open their wallet and pay, because this is about open source software. You get what you pay for. If you want vetted code, pay the going market rates for it.
Honestly? If that's true and opensource developers believe that enough to excuse this, then we should all ditch our home Ubuntu and Debian servers and desktops and switch to Windows.
Re: (Score:2)
Well, yes. But one good thing about this is that people will reduce their dependency on external libraries of questionable reputation and maintenance. So these people are at least to be thanked for pointing out _that_ problem.
Re: (Score:2)
We're talking node.js here. If people gave half a shit about not using questionable reputation and maintenance, it wouldn't even exist anymore.
Re: (Score:2)
I am aware. Some people will take notice though and identify the real problem here, which is not a developer doing a stupid stunt.
Re: (Score:2)
You still have more faith in humanity, or Javascript-developers more specifically, than I do.
Re: (Score:2)
Well, yes and no. Among other things, I teach IT Security and Software Security. You cannot do honest teaching without at least some faith in people. One thing this teaching gives me is some insight into how many people actually have some clue. I would say about 50% of my students have that. Of course, these are 5th and 7th semester students and the really incapable ones are long gone. Also, my faith regularly diminishes when grading exams.
But still, while most so-called IT experts are pretty clueless, ther
Re: (Score:2)
50% of the students that actually have an interest in security have a clue about it? That gives you faith? Sounds a bit disheartening, doesn't it? 50% of the people who are interested in a subject in the first place know something about it. How much do you think can be expected from people who aren't even interested in it?
I still stand by my hypothesis that node.js was brought into existence when after the dot.com bust we were stuck with a ton of webdevelopers that had no marketable skill and we realized we
Re: (Score:2)
It is much more in Software Security (an elective) and probably quite a bit less in IT Security (a mandatory course). But yes, these are _bad_ numbers. What is worse is that these are two different academic institutions and at the one where I teach Software Security, there are no mandatory security lectures at all in the CS and IT program. But when teaching, you always teach for those that are interested or you go insane. At least that is my experience.
You are probably right on the mark as to the origins of
Re: (Score:2)
As I like to say, break his fingers and retrain him as a consultant, he does less damage that way.
But hey, why should I complain. As a pentester and consultant, these people are essentially perfect job security for me. I remember when I chose this career with the ideal that I could make the world of software a little bit more secure... you kinda get jaded after a decade or two.
Re: (Score:2)
Well, if the goal was to make people using the lib not like the maintainer and still not give a fuck about whatever cause he tried to point to, mission accomplished.
And if you think anyone is going to tell their boss why that library broke, the reason given will usually be something along the lines "'cause he went nuts". Provided they even care enough to know that it's a protest, rest assured that the boss will not even give half that much of a shit that it was one.
People are selfish. Twice so in a professi
Re: (Score:2)
Mass protests at least serve one purpose: Showing others who may think the same way that they're not alone in their position. That there are many others who share it. A protest of one just means that there's one more person who thinks that way who may or may not be a crackpot.
As for people kneeling through the national anthem, let's face it, the goal was to piss someone off. We're talking about celebrities here, if they just want their voice heard, they have other and better means to do it. The goal was to
ban them (Score:2)
Re: (Score:2)
It's fine, as long as they don't overwrite the old code. The snag is not with stuff that's basic C/C++ code on github, because you can just get a prior version. The snag seems to be when a developer self-hosts the code intended for dynamic use on the web; one bad upload screws up a whole lot of people. Of course, blame the people for relying on such a shaky foundation, even a minor untested change can screw things up just as badly. But I'm sure there are web reasons for that, probably involving startups
Re: ban them (Score:2)
I assume it's for caching.
If you hit a large library from a common (to everyone) URL and there's any popularity to it, there's a very high chance it's already cached.
That way your first page load can be fast even on mobile.
Of course now that even mobile speeds are 2 digit Mbps it's probably pointless.
Though I still come across mobile sites that seem to think I'm on 3 or even 2g, with charts and images replaced with low res versions even though my phone has equivalent resolution (1080p) and faster internet (
Re: (Score:2)
Hmm... If they care about performance, wouldn't it be better to, I don't know, not include 6mb of JavaScript?
Crazy idea, I know. I mean, how else would they get a textbox with slightly rounded corners? Surely, this is the only way.
Open source (Score:3)
That's why the CIA considers the best kind of spy the one who is in it for the money.
Understand the rules (Score:5, Informative)
You have a license. If you can host it yourself, or rely on NPM or Google or whatever, you're delegating custodianship. You don't know what you are running on your customers' computers.
Test with a specific version and make sure users can only get that version.
There, that's $200k worth of advice, pay me.
Re: (Score:2)
Always get a contract before doing the work. That's a $200k lesson.
Re: (Score:2)
Well, shit. I guess I don't get the ridiculously overpriced service fee I just made up. However, if you turn to page 38 (when saved as pdf) I think you'll find our terms and conditions, to which you agreed upon first encountering a letter or number typed by us, as explained in our terms and conditions.
Re: (Score:2)
On that note, self-sabotage is nothing new.
Oracle, Microsoft, and even Google have sabotaged their own products and APIs.
It's nothing new. If you depend on the goodwill of others, don't be surprised when they decide that providing that service/library isn't worth their while anymore.
thankless maintainers speaking out (Score:5, Funny)
https://xkcd.com/2347/ [xkcd.com]
Re: (Score:2)
Spot on. If I had mod points!!!
Re: (Score:2)
Indeed. Greed and stupidity. Why give back to a community if you can just take? FOSS is the tragedy of the commons all over again, because too many people are greedy assholes.
Solution worse than the problem (Score:5, Interesting)
> A simple solution to ensuring you are getting only vetted versions of a component in your build is to pin your npm dependency versions
That would be a "solution" worse than the problem.
EVERY DAY components are updated to address security problems. When that's done, the security problems become very public. The bad guys can and do look at exactly what was changed to fix it, in order to understand exactly what the vulnerability is in older versions. They then publish exploits.
If you're running an older version, you're likely running a version that has known, publicly available exploits. Bad guys use a search engine like Shodan to find sites running the vulnerable version. You may as well just publish your creds on your front page if you're going to use old, vulnerable versions of components forever.
Once a year some dev makes their component print gibberish as a misguided and ineffective "protest". Every day, many times a day, companies are breached because they left old, vulnerable versions rather than updating to the patched version.
Re: (Score:2)
Or, you could take security seriously and test with a new version ASAP and release a patch.
Re: (Score:2)
Or, you could take security seriously and test with a new version ASAP and release a patch.
Please tell us how one can possibly test for a *deliberate sabotage* attempt? E.g. a time bomb could not have been discovered through any usual regression testing.
A level of trust is required for things to work. If Open Source devs are breaking that trust, it will eventually be the end of Open Source.
Re: (Score:2)
Please tell us how one can possibly test for a *deliberate sabotage* attempt?
By performing literally any level of regular testing. If the damn thing is deliberately sabotaged, chances are it's not doing what it's supposed to do at all. Especially in cases of protest. Where grabbing attention is the *entire* point.
A more disguised attempt is typically a targeted attack, which only most strict means of auditing would pick up on. Means that wouldn't have ever allowed you to randomly pull code from a server you don't control.
As far as the developer goes, this boils down to knowing
Re: (Score:2)
It's a strange strange world where web development lives. Get a trusted third party developer, arrange a contract with that company (never an individual), have a set of suppliers with redundant parts that you can switch to when there's a supply problem etc. Anything is better than relying upon "TBaggins3000" who lives in his mom's basement as the sole supplier for a component that any intern could rewrite from scratch anyway (seriously, hold the entire internet hostage to a freaking logging package???).
Re: (Score:2)
Once a year some dev makes their component print gibberish as a misguided and ineffective "protest". Every day, many times a day, companies are breached because they left old, vulnerable versions rather than updating to the patched version.
Maybe the person who compiled the gibberish code should have read it beforehand. Isn’t that the entire point of open source? As the license clearly states as is no warranty implied.
Re: (Score:2)
Maybe the person who compiled the gibberish code should have read it beforehand. Isn't that the entire point of open source?
No. The point of Open Source is to share code. Period. It has no other meaning than that you can get the source code, a meaning it has had literally since the 1980s. Specific Open Source licenses may have other points. The point of Free Software is also not that you can read it beforehand. The point of Free Software is that you can make changes if you want to. So in summary, no, and also no.
Re: (Score:2)
EVERY DAY components are updated to address security problems.
No, they aren't.
Today's software market revolves around being connected to the Internet 24/7, constantly collecting and mining user data and telemetry. All these products are insecure by default, and always will be. All the patches in the world won't do squat, as we are constantly adding more vulnerabilities than we are patching. That's just a consequence of a market that lives in "the cloud."
People need to stop this nonsense that you must always have the latest version for security reasons. The truth is
Nice Slashvertisment Sonatype! (Score:2)
For those who don't know - they are a shit company that doesn't use their own software because it is shit
Re: (Score:2)
Other than a full disclosure employment reveal, it's a Tech crunch article. Who's slashvertising what?
Re: (Score:3)
"Hey here is some bad stuff, but whaddya know - anti-bad stuff by Sonatype"... when you click through some seemingly legit stuff
A more accurate name for it (Score:5, Insightful)
Rather than calling it "protestware," let's call it what it is: "sabotageware".
And what they're sabotaging mainly is their own career and reputation.
I certainly wouldn't - ever - do business with someone who pulled a stunt like that.
A protest bothers the people who are responsible for the problem you object to. This just screws over people who had nothing to do with it. The point of it isn't "x is bad," it's "You need to be punished because you don't care about the same things I care about." Which means even the person doing it doesn't actually care about what they're protesting, they just want to force other people to do as they're told.
Re: (Score:3)
Exactly! I made a similar comment last time Slashdot talked about the issue.
It makes pretty much NO sense to sabotage your own work. If you're truly upset with a lot of the companies or individuals using your code, then just stop developing it and leave them stuck on whatever revision you did last.
When you started publishing code as open source, you knew what it was about. It promises it's free for everyone to use; not just the people or companies you personally judge as "acceptable". Releasing broken upda
Re: (Score:2)
If you're truly upset with a lot of the companies or individuals using your code [...]
... then don't release your code under a permissive open source license.
I really don't get this. "Oh, no! People are using my code in exactly the way I said that they could!" I mean, what did they expect?
On occasion, I've been asked (out of courtesy, I guess?) for permission to use code that I've released under an open source license. My answer is always the same: As long as their use is consistent with the license under which the code was released, I don't really have a say in the matter. Other deve
Re: (Score:2)
Rather than calling it "protestware," let's call it what it is: "sabotageware".
Or more simply, "malware".
It is software intended to break things, that is malevolent intention, no need to sugar coat it.
Basic third party software hygiene (Score:2)
Just say no to client side scripting (Score:4, Insightful)
Who wants to roll the dice on what a webpage will do today, or next week?
Who wants to deal with extreme latency as 40+ sites are contacted?
Personally, I toggle Javascript depending on the site. I'm not saying Javascript is bad (I'm also not saying it's good), but the "crappy" side of the web is built on Javascript.
Re: (Score:2)
It doesn't have to be bad. It's just bad developers, using bad libraries, with bad practices.
We could fix it ... if we just had the courage to admit we've been doing things wrong for a long time and it needs to change. (I don't mean just the web either.)
Personally (Score:4, Insightful)
While I think it's a dick move and there are better ways to draw attention to these matters... how difficult is it for companies to chip in some petty cash for tools they depend on? Take Microsoft, Apple, and Google, for example. If they each set aside $1m/year to divvy up amongst all the various open source projects they depend on for their day to day operations, it wouldn't even be a rounding error on their balance sheet. But, if they each gave $1,000 to say the OpenSSL project, that would be huge for OpenSSL.
Re: (Score:2)
But, if they each gave $1,000 to say the OpenSSL project, that would be huge for OpenSSL.
Yes, it may be a lot of money for OpenSSL, but does that mean the money will be used to improve the quality of the code?
Just look at Firefox, with tons of money Mozilla Foundation received, what have they done to Firefox?
Developers Are Sabotaging Their Own Code (Score:2)
Would like to agree, but... (Score:3)
They're not just sabotaging their own code, they're sabotaging all open source code and, indeed, the entire open source movement. The average nerd who builds some tool for himself and some friends using an open sourced library will easily recover from such mis-aimed sabotage; he'll just use a version he downloaded and stored before the sabotage, and keep things running until after the sabotage is over and he can move to the next good version (or he'll find and eliminate the offending code, and then move for
npm ecosystem makes this vanishingly easy (Score:2)
Every so often, I raise my head above the parapet at work and ask the following question:
"Why do we insist on NOT pinning dependencies to specific versions?"
The answer is usually to do with maintenance - that the automated nature of allowing minor release bumps is just easier.
Not that this really solves the problem, as any developer of a package that "goes rogue", _can_ release modified code under the same version number.
So I ask:
"Shouldn't we set up an artifactory, to act as an 'insurance policy, whe
Why? (Score:2)
Because they're not developers.
They're dumbfuck activist loons who're trying to strong-arm various projects with their crapware.
NPM devs fail (Score:2)
I can't fathom people who include things from 3rd party repos. You should be able to build your software offline using your own Git servers. We clone all repos to our local build server and those repos are only updated after devs have tested the new versions work properly. Nothing is ever automatically just built into production without testing.
Never update (Score:2)
Re: (Score:2)
Not Just *Their* Code (Score:2)
"It turned out the projects' developer Mark Squires had intentionally corrupted his own work to send a message of protest to big corporations...
Except Squires wasn't protesting, but sabotaging, first of all. Secondly, Squires didn't just sabotage his own work, but the work of others who trusted his work on good faith.
This act of sabotage rarely hurts big corporations, but you know who gets hurt? The developers who are just trying to get their job done and their companies (many of which are just small to mid-size shops trying to stay afloat and create a product or service.)
I mostly work in C++, Go and Java, but I've done some work in Node.j
Re: (Score:3)
Quite a difference between sabotaging code that you get paid nothing for and a business that pays you.
Re: Sounds about right (Score:2)
The difference would be lost on precisely the sort of people that would vandalize their own work.
Re: (Score:2)
It's amazing how the "personal responsibility" crowd would rather bleat about snowflakes than take you know, responsibility for the decisions they made like using some free shit to save money and not bothering with any kind of integrity checking, audits or even tests.
Re: Sounds about right (Score:3)
One can maintain a local copy of an OSS library, not be affected by the sabotage one bit, and still think the developer is a raging retard for vandalizing his own work over $good_cause_du_jour.
Amazing how two things can be true at the same time.
Re: Sounds about right (Score:2)
Expressing an opinion (the polite term for calling out a retard) is not whining.