how come the retort is always "if you don't want companies using your code, don't release it as free" and never "if you don't want your code to break, don't pull code from an internet rando"

@trickster "if you don't want your code to break, don't pull code from an internet rando"

And without even reading it. I cannot fathom how people can do reviews of every line their colleagues write before merging, but trust internet randos without even a glance at the code.

@trickster the guy demanding a "six-figure salary" really strikes the worst possible balance between "open source devs shouldn't have their labor exploited by corporations" and "paying people ridiculous amounts of money for programming is bad"

@operand Oh yeah, the guy is an absolute 100% crank. The faker.js Readme file has also been changed to “What really happened with Aaron Swartz?”. There was also some weird ranting about Ghislaine Maxwell.

I would not be shocked to hear if he was mentally unwell.

@trickster Yes, if you are responsible, you should be checking all of your dependencies and update carefully. That does not excuse pushing malicious code. That's like saying scammers aren't guilty because the people they scammed didn't do due diligence.

@Gargron Yeah, Marak Squires is a scoundrel for going out like this, at the very least he could have made his point by removing his libraries which would have led to mostly the same effect.

A lot of people were burned by this stunt. Yet out of all of them, Amazon didn't check if aws-cdk was running OK before publishing a new version?

What if Marak didn't push the code equivalent of a whoopee cushion (I'm sorry, I disagree that an infinite loop is anything more than a schoolboy prank) ...

@Gargron ... and pushed malicious code with material consequences, like mining cryptocurrencies, installing hidden backdoors on servers and so on. What then, is Marak fully to blame? Or does Amazon also have something to do with it?

I'm not saying that Marak is blameless here. As the instigating agent he's obviously at fault. I'm very angry that we allow people like him to be able to do a lot of damage very easily and then turn around and act surprised when this keeps happening.

@trickster @Gargron exactly.

Big Tech has the gall to constantly brag how amazing their tech is, and how unsafe/insecure FLOSS is, and then Log4shell happens or this shit happens, and suddenly it turns out that:
1. they run the same FLOSS code as anyone else;
2. they do not actually do any due diligence nor contribute back.

This is not some "scammer" that scammed some innocent people. This is a shitty prick combined with downstream projects not doing due diligence on dependencies.

@rysiek @trickster @Gargron

The #openweb and internet are built from trust, then the #dotcons are built on top of this "trust". I think the guy lost his trust in the #dotcons and in a fit pulled the plug; understandable, but bad also for "trust" ideas?

@trickster @Gargron and while I strongly sympathize with smaller projects that got hit by this, and I am in no way defending the developer in question, Amazon et al are in no way the victims here.

They've been freeloading on FLOSS for decades *while badmouthing it at the same time*.

@rysiek @trickster @Gargron

often, less directly talking about how unsafe, rather insinuating it, to raise the usual Fear, Uncertainty, & Doubt, nattering on about "sustainability"

this grafts together really well 2 otherwise discordant notions, 1) that an oligopoly of the wealthiest companies on the planet should direct these technologies & control this industry all the while 2) depending on things created, built & maintained by chancers, students, & company employees in their 'free' time.

@deejoe @trickster @Gargron and an example of just that from Ars Technica:

The ability of a single developer to throw a wrench into such a large base of apps underscores a fundamental weakness of the current free and open source software structure. Add to that the havoc wreaked by overlooked security vulnerabilities in widely used open source apps—(...) Log4j fiasco or the devastating Heartbleed zero-days (...)—and you have a recipe for potential disaster.

@rysiek @trickster @Gargron when we sold open source, we didn't just sell it as free labour to Big companies.

We also sold it as: Due diligence included!
Remember: given enough eyes, all bugs are shallow?

@meena @trickster @Gargron note the "given enough eyes" though. There are barely enough eyes on most FLOSS code.

The whole mainstream software supply chain and dependency management infrastructure is just completely bonkers.

My point is that Big Tech uses the same tools, is just as vulnerable, and yet claims they're so much better and safer. And demand payment (in cash or in data) for services built off of stuff built for free by FLOSS developers.

@meena @trickster @Gargron and so perhaps this is when a bunch of non-copyleft license proponents see the benefits of copyleft: using AGPL would at least mean they probably won't get tagged, like OpenSSL developers or Log4j developers, for Big Tech's failure to secure their shit.

And perhaps we can try to find better ways to manage dependencies. Contract-Based Dependency Management is one idea worth exploring:

Finally, perhaps we will stop "micro-packaging" stuff, like left-pad. 🤷‍♀️

@deejoe @rysiek @trickster @Gargron i'm an ASF member, so i feel some sort of responsibility.
If only for having bought into the messaging.

@meena @rysiek @trickster @Gargron

I understand.

Even now we tend to elide "free software" together with "open source" because very often we are talking about the same set of artifacts.

My resistance to that and attempts successfully to navigate through it have been ... uneven.

@deejoe @meena @trickster @Gargron I would like a good term to refer specifically to copyleft-licensed free software, just as open-source can be and often is used to refer to non-copyleft-licensed free software.

(using the term "free software" here in the four-freedoms sense, which technically includes open-source software)

@deejoe @rysiek @trickster @Gargron btw, i think i would have held the banner, or believe in Open Source much longer, if i had ever gotten paid.

But i came from Ops, and people in Ops barely get hired for anything let alone farting around writing code for other people / companies, because Ops has always been just a cost centre. DevOps changed almost nothing in that regard, except to stretch the last mile for what "sys admins" (now, DevOps engineers) have to know and do.


Sure. I was more on the ops side too (computing support for academics) for most of my time.

This is where some of the things done around "open source" are ... ok, at the very least? Which is to say, to recognize that healthy support for people's computing requires folks in a wide variety of roles, & that those people should be treated with at least a business-level minimum of respect. Organizers, managers, writers, legal & financial help, codes-of-conduct, & so on.

@rysiek @trickster @Gargron

@meena @deejoe @trickster @Gargron see, I still buy into the messaging. It remains true that having the code available for inspection, modification, and improvement can be a boon to security.

But also, infrastructures were built that *assume* there are no jerks or malicious actors churning out that code, and that decent people churning out that code now will not change and become jerks or malicious.

And that's just silly.

@rysiek @meena @trickster @Gargron

by all means, I think being free and open is a *necessary* precondition to confidence and verification and correction and many good things I may forget or all of us have yet to anticipate (there are those in infosec who seem to think fuzzing is all we need, that source does no good).

But it is not *sufficient* for those things.

@deejoe @meena @trickster @Gargron on this point, come to think of it:

- code being free and open is a decent (if imperfect) control for malicious intent and for gross incompetence;

- fuzzing is a decent (if imperfect) control for honest programming errors.

I do believe we need both, as each will have a harder time catching certain classes of problems that the other will catch more easily.

This is just a half-formed thought right now, mind you. I think it is worth exploring a bit though.

@deejoe @meena @trickster @Gargron by "malicious intent and gross incompetence" I am specifically thinking of, for example, all the "secure chat apps" that, if you look at the code, turn out to roll their own crypto, and it's just complete crap.

That's not something fuzzing is likely to catch. Code audit can catch it pretty easily though.

historical RMS GNU project materiality 

@rysiek @meena @trickster @Gargron

Going all the way back, free software was meant to be funded by donations, including donated labor from those we now tend to describe using the overloaded term "volunteer"

"I am asking computer manufacturers for donations of machines and money. I'm asking individuals for donations of programs and work."


historical RMS GNU project materiality 

@rysiek @meena @trickster @Gargron

but even then there was also talk about paying people

"I view this as a way of enabling dedicated people to devote their full energies to working on GNU by sparing them the need to make a living in another way."

(circa 1983, this is the first version held at the current URL by iA )

historical RMS GNU project materiality 

@deejoe @meena @trickster @Gargron 💯

After Heartbleed I gave a few talks at PL FLOSS conferences stressing how "not free as in beer" should be taken more seriously, not just as a statement of differentiation, but also as a statement of intent and a call for funding.

@meena @rysiek @trickster @Gargron

In regards to who sold what, how, I expect many folks in this discussion are familiar with this essay, but for newcomers out there, consider please:

"It’s easy to forget this today, but there was no such idea as open source software before 1998; the concept’s seeming contemporary coherence is the result of clever manipulation and marketing. "

@trickster @Gargron NPM removed the ability to delete libraries that are being used by other projects after the leftpad incident. That's probably why he decided to modify them to make his point instead.

@josias @trickster @Gargron interesting, got a source on that?

(that is, that npm removed the ability to remove a package)

@rysiek @trickster @Gargron

> Regardless of how long ago a package was published, you can unpublish a package that:
*no other packages in the npm Public Registry depend on*

@trickster @gargron

> Marak Squires is a scoundrel for going out like this, at the very least he could have made his point by removing his libraries which would have led to mostly the same effect.

AFAIK since the left-pad disaster this would lead to NPM hosting the last known version.

big companies push malicious code onto users' computers all the time
alt-facebook. google. amazon. microsoft. apple.

spyware is malware

@trickster legit this is the only reason I still respect the PLDT book / Racket functional programming curriculum

The bane of libraries is one of the core lessons

@trickster the #openweb and internet are built from trust, then the #dotcons are built on top of this "trust". I think the guy lost his trust in the #dotcons and in a fit pulled the plug; understandable, but bad also for "trust" ideas?

@trickster I think way more people need to be reminded that... "if you don't want your code to break, don't pull code from an internet rando"

Unfortunately it's very common and even recommended to include hundreds of dependencies with zero auditing, because everyone that really knows, knows that the solution is "if you don't want your code to break, don't write it".
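The thread keeps circling back to the same two habits: pin exact versions so a maintainer's new publish cannot land in your build uninvited, and check that what the lockfile says was installed is what the registry actually served. The script below is an added example, not code from this thread or from any of the projects it names; it walks an npm manifest and a lockfileVersion 2/3 `package-lock.json` and reports floating ranges, lock entries without an `integrity` hash, lock entries resolved over plain HTTP, and exact pins the lock disagrees with. The sample manifest and lockfile are constructed, the `sha512-PLACEHOLDER` value is not a real hash, and `mirror.example.internal` is a hypothetical host.

```javascript
// Added example: audit an npm manifest + lockfile for pinning and integrity.
// Assumes npm's lockfileVersion 2/3 layout, where lock.packages maps
// "node_modules/<name>" paths to {version, resolved, integrity} entries.

// Constructed manifest: one floating caret range, one exact pin.
const sampleManifest = {
  name: "example-app",
  dependencies: { colors: "^1.4.0", faker: "5.5.3" },
};

// Constructed lockfile, abbreviated to the fields the audit inspects.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { colors: "^1.4.0", faker: "5.5.3" } },
    "node_modules/colors": {
      version: "1.4.0",
      resolved: "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
      integrity: "sha512-PLACEHOLDER", // placeholder, not the real hash
    },
    "node_modules/faker": {
      version: "5.5.3",
      resolved: "http://mirror.example.internal/faker-5.5.3.tgz", // hypothetical mirror, plain HTTP
      // no integrity field at all
    },
  },
};

// An exact pin is a bare semver version (optionally with a prerelease tag).
// Anything with ^, ~, x, *, >=, ||, or a hyphen range may float on the next install.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// Returns a list of findings. An empty list means every declared dependency is
// pinned, every locked package has an integrity hash and an HTTPS source, and
// the lock agrees with the manifest's exact pins.
function auditDependencies(manifest, lock) {
  const findings = [];
  const declared = {
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {}),
  };
  const packages = lock.packages || {};

  for (const [name, range] of Object.entries(declared)) {
    if (!isExactPin(range)) {
      findings.push({ package: name, issue: "floating-range", detail: range });
      continue;
    }
    // Exact pin in the manifest but a different version in the lock: the lock
    // is stale or was hand-edited, so what installs is not what was reviewed.
    const locked = packages[`node_modules/${name}`];
    if (locked && locked.version !== range) {
      findings.push({ package: name, issue: "lock-drift", detail: `${range} -> ${locked.version}` });
    }
  }

  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry
    // Strip the node_modules prefix (handles nested and @scoped paths).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!entry.integrity) {
      findings.push({ package: name, issue: "missing-integrity", detail: entry.version });
    }
    if (entry.resolved && !entry.resolved.startsWith("https://")) {
      findings.push({ package: name, issue: "insecure-resolved", detail: entry.resolved });
    }
  }
  return findings;
}

// Usage: node audit.js package.json package-lock.json
// With no arguments the constructed sample above is audited instead.
if (typeof require === "function" && require.main === module) {
  const fs = require("node:fs");
  const [manifestPath, lockPath] = process.argv.slice(2);
  const manifest = manifestPath ? JSON.parse(fs.readFileSync(manifestPath, "utf8")) : sampleManifest;
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : sampleLock;
  for (const f of auditDependencies(manifest, lock)) {
    console.log(`${f.issue}\t${f.package}\t${f.detail}`);
  }
}

if (typeof module !== "undefined") {
  module.exports = { isExactPin, auditDependencies, sampleManifest, sampleLock };
}
```

On the constructed sample this reports three findings: `colors` is declared with a caret range, and `faker` has no integrity hash and was resolved over HTTP. It is a deliberately small check, not a replacement for reading the code you pull in, but it makes the "update carefully" part of the thread something a CI job can fail on rather than something everyone agrees with and nobody does.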

Mastodon for Tech Folks