
FLOSS developer intentionally corrupts his libraries and has multiple dependent applications print out garbage, stating that "I am no longer going to support Fortune 500s [...] with my free work."

bleepingcomputer.com/news/secu

@fcr The most telling part is that GitHub suspended him.

No FLOSS developer should be on GitHub after this.

@dualhammers @fcr just use #agpl already ffs!!

you can still do floss and be in github... you just better not rely on it.

the most telling part about github is that it itself was never open sourced. ever. and, somehow, nobody seems to even question this fact.

@fcr fascinating to watch a disobedience strategy to negotiate with big capital. However, the demand for 6 figure salary is individual and lacks solidarity & collective action. The debate whether such act is justified or not avoids the topic of copyleft, used as a collective, systemic solution to corporate exploitation.

@fcr
I have a lot of respect for BSD licenses/software, but BSD developers were badass enough and had institutional support to just let go of their work. The new wave of contributors in the NPM ecosystem swallowed the pill of the MIT/Apache default. No headache with a viral license, right? Also better for companies, right? And there you have it.

@fcr I wouldn't say the NPM ecosystem has a lot in common with community or a concept like "software as a garden". It's an environment of harsh competition where old bundlers and frameworks are not taken care of but deprecated and replaced by new, better and faster ones every year. An ecosystem of multiple innovation - perhaps - but vulnerable to corporate cherry picking of projects and to spitting out burnt out developers.

@rysiek

@movonw @fcr also, a way better strategy is to release stuff under the AGPL. Big Tech is allergic to it.

@Gulfie @fcr It wasn't really, the platforms reverted the change and blocked his access :/

@errant @Gulfie @fcr so i mean they have basically just stolen his code

long, possibly not very well thought-out 

@PsyChuan @Gulfie @fcr I must point out that calling this stealing is the exact same oversimplification that I myself would oppose on the topic of software "piracy". We cannot use simple words from before to describe the new issues of ephemeral digital items. The code was freely shared with all, thus how could it be stolen? It is in some way darkly humorous that he/we thought we were immune to the well known fact that nothing can truly be taken off the internet once it's out there.
And yet, it IS infuriating that github says "no take-backs". This has apparently been their official policy the entire time, and we (or at least I) just ignored it when it surely happened before; it was just not as high profile as this case or the other recent one. Of course, no one starts out a github project expecting it to become so important that giant corporations (as well as smaller ones, of course) latch on to it.

I currently lean towards the idea that this SHOULD be considered a failing of the companies in question. They decided to reap the benefits of free code, apparently without contributing too, and now they get shielded from the consequences of this choice? They should consider themselves lucky that this is all that happened, and not another log4shell (that the github maintainer(s?) had to fix!).

long, possibly not very well thought-out 

@errant @Gulfie @fcr i mean i'm explicitly only calling it theft because it was committed by a multi billion dollar corporation.

re: long, possibly not very well thought-out 

@PsyChuan @Gulfie @fcr In that case I find you guilty of Excessive Leniency, multi billion dollar corporations deserve their own word far more severe than mere theft :P

re: long, possibly not very well thought-out 

@errant @Gulfie @fcr valid, i accept my punishment :blobsadleft:

re: long, possibly not very well thought-out 

@PsyChuan @Gulfie @fcr 10 days in the quarry, smashing big corpos into small corpos with a hammer

@fcr If you don't want to support Fortune 500s with your free work, don't publish your work under the MIT license.

I can't fathom people in this thread are siding with him. This is a breach of trust in the open source world. The updates were purposefully malicious.

He was allegedly also making a bomb and set his house on fire:

https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

@Gargron @fcr yeah, I am not siding with the developer. His actions were shitty.

I am underlining the fact that:
1. Microsoft GitHub will block your account if it doesn't like the changes you make to your own code;
2. AGPL is a way better choice of license if one doesn't want to support Big Tech.

@rysiek @fcr Regardless of whether it's your code or not, if you upload malware into a widely used software package you deserve to have your account blocked.

@Gargron @fcr I do not see them as *malicious*. These were not cryptominers, there was no data stealing code, it just rendered the libraries unusable.

"Mischievous" is the word used in the original story, and I think that's a way more accurate description.

@rysiek @fcr It didn't just make the library output the wrong value, it introduced an infinite loop, which in my view constitutes a denial of service attack.

@Gargron @fcr I can see why you feel that way. Personally, to me it does not cross the "malicious" line -- partly because this is something that should be trivially caught in any pre-deployment testing.

We can agree that this is not an acceptable behavior for a FLOSS developer, and it is in fact irresponsible.

That said, I do think focusing on the developer's (shitty) action is less useful than focusing on the bigger problem of open-source software developers doing free work for Big Tech.

@rysiek it is malicious because the intent of the action was to harm whoever uses the project by effectively causing a DoS. There is no question about that. The motivation is what makes it malicious; it could have been a bug if it was unintentional, but it wasn't.

@Gargron @fcr

@rysiek @Gargron @fcr

Maybe it's not about the silo -- Big Tech or FLOSS -- but who's the project manager.

@rysiek @Gargron @fcr, the problem isn't even big tech using the free work of others; the average JS developer doesn't even realize that the ecosystem is fragile, not even the managers of Big Tech projects:

https://github.com/facebook/react/issues/18871

They brush over these issues as if they were a "misunderstanding" on the part of people reporting them.

I'm afraid that the Unix philosophy doesn't really work these days. You can't trust hundreds of developers and their code for the most basic JS project.

@walter @rysiek @Gargron @fcr NPM has little to do with Unix philosophy. Unix/Linux is maintained in distributions where the quality of the toolset is taken care of by the core teams. See projects like Gnome or KDE. Nothing like this in NPM, which resembles more a laissez-faire market.

@movonw,
True, but you do have big ecosystems that look like de facto distributions. A default Angular project comes with 25+988 dependencies, where you get the basics, like: "zypper install-pattern foobar-desktop foobar-devel". With that you install many projects that "do one thing and do it well", including the "colors" package.

And this doesn't count projects that embed (i.e. statically link) their dependencies. And yes, strict versions are a thing and[...]
[1/2]

cc: @rysiek @Gargron @fcr

@movonw,
[...] it's not a perfect analogy, but on NPM you just get more flexibility. They don't lock you into their "repos", think DEB/RPM repos, not CVS repos. Thus, you get to have code from all other "repos", think of PackageKit+Alien, but for Angular and React "repos".

If one really wants, the per-distro repo approach can be achieved here; and things don't even have to change much. Then you're on your own if you want to "zypper addrepo" or add a new PPA.
[2/2]

cc: @rysiek @Gargron @fcr

@walter @movonw @Gargron @fcr this has nothing to do with distributions. In Debian or Fedora, or Arch, or any other Linux distro, the *packagers* are responsible for quality of the packages that are published in the distribution-specific repository.

In your example the Angular people just pull random crap from Teh Intertubes and hope for the best.

It's not even comparing apples to oranges, it's comparing apples to the number three. 🤷‍♀️

@rysiek,
yes, it has nothing to do with distros, but there could have been a resemblance.

It's wishful thinking on my part, but even NPM has the notion of registries, so it's not a long way from here to adding packagers to the mix. The problem is that there doesn't seem to be much demand for this, and then there's npm Inc. in the mix.

https://deno.land is changing things, but they went with "install from src" + bigger StdLib. So... no packagers yet.

@movonw @Gargron @fcr

@walter @rysiek @Gargron @fcr completely agree that npm culture is: build awesome things! Don't care! Be careless!

@walter @rysiek @Gargron @fcr

*Wow*

It would take maybe a couple of hours to fork the repo and/or import the code into the React sources and they don't even seem to have thought of the idea.

I continue to fail to regret never getting into React.

@rysiek @Gargron @fcr i suspect many FOSS developers have been caught off guard when some Fortune 500 company starts using their code: “oh, so i didn’t actually want it to be free for everyone. i just wanted it to be free for hobbyists and small cutesy mom and pop shops. if you’re making millions, i want my fair cut, but i didn’t realise that until it happened to me.”

@thor @Gargron @fcr yup. Hence the sudden rise in weird "anti-capitalist" licenses that actually make the situation worse by fracturing the FLOSS ecosystem.

@rysiek @Gargron @fcr

I can't say I'm surprised about nr 1. GitHub, like most of these big companies, has a "We can close your account and remove your content at any time for any reason" clause in its TOS. The code is still his, but GitHub is not obligated to host it.

@espen @Gargron @fcr oh I agree and have recognized that for years.

My feeling, however, is that a lot of people miss that fact. And then act surprised.

@Gargron @fcr

IMO, it's not a matter of supporting or rejecting him.

It is about un(der)paid work and about King Ludd: the common misconception that Luddites were "technophobic" and against "the inevitable progress" whereas they were using sophisticated tools and attacked industrial machines to collectively bargain for better salaries.

There is no factory here (but the software industry) and no collective action. However, it is a story about "who controls technology" and about social inequality.

@Gargron The open source world could use more breaches of trust in that case, because it could just as well have been actively malicious instead, like the last three times, instead of just causing an infinite loop.

@Gargron @fcr
It reads more to me like another victim of the pandemic-induced mental health crisis. Also Eugene, nice avatar, you look good!

@Gargron @fcr It was obviously a desperate move, but the developer was treated like a modern-day slave by GitHub - something that would never happen if he had the code in his private repo (gitlab, gitea, etc...). A strong argument to NOT keep your code on corporate servers.

@Gargron @fcr It's always our responsibility to audit the code. Always. No excuses.

Open source does not mean safe, it means auditable.

Also, unless you audit the code AND compile from source, it's no different from closed source.

@ColinTheMathmo

Your chart is ready, and can be found here:

https://www.solipsys.co.uk/Chartodon/107597912216722591.svg

Things may have changed since I started compiling that, and some things may have been inaccessible.

The chart will eventually be deleted, so if you'd like to keep it, make sure you download a copy.
