FLOSS developer intentionally corrupts his libraries and has multiple dependent applications print out garbage, stating that "I am no longer going to support Fortune 500s [...] with my free work."

bleepingcomputer.com/news/secu

#FLOSS #labor

@fcr If you don't want to support Fortune 500s with your free work, don't publish your work under the MIT license.

I can't fathom people in this thread are siding with him. This is a breach of trust in the open source world. The updates were purposefully malicious.

He was allegedly also making a bomb and set his house on fire:

abc7ny.com/suspicious-package-

@Gargron @fcr yeah, I am not siding with the developer. His actions were shitty.

I am underlining the fact that:
1. Microsoft GitHub will block your account if it doesn't like the changes you make to your own code;
2. AGPL is a way better choice of license if one doesn't want to support Big Tech.

@rysiek @fcr Regardless of whether it's your code or not, if you upload malware into a widely used software package you deserve to have your account blocked.

@Gargron @fcr I do not see them as *malicious*. These were not cryptominers, there was no data-stealing code, it just rendered the libraries unusable.

"Mischievous" is the word used in the original story, and I think that's a way more accurate description.

@rysiek @fcr It didn't just make the library output the wrong value, it introduced an infinite loop, which in my view constitutes a denial of service attack.

@Gargron @fcr I can see why you feel that way. Personally, to me it does not cross the "malicious" line -- partly because this is something that should be trivially caught in any pre-deployment testing.

We can agree that this is not an acceptable behavior for a FLOSS developer, and it is in fact irresponsible.

That said, I do think focusing on the developer's (shitty) action is less useful than focusing on the bigger problem of open-source software developers doing free work for Big Tech.

@rysiek @Gargron @fcr, the problem isn't even Big Tech using the free work of others; the average JS developer doesn't even realize that the ecosystem is fragile, and neither do the managers of Big Tech projects:

github.com/facebook/react/issu

They brush over these issues as if they were a "misunderstanding" on the part of people reporting them.

I'm afraid that the Unix philosophy doesn't really work these days. You can't trust hundreds of developers and their code for the most basic JS project.


@walter @rysiek @Gargron @fcr

*Wow*

It would take maybe a couple of hours to fork the repo and/or import the code into the React sources and they don't even seem to have thought of the idea.

I continue to fail to regret never getting into React.

Mastodon for Tech Folks