Open Source Developers, Who Work for Free, Are Discovering They Have Power (techcrunch.com)
Owen Williams, writing for TechCrunch: [...] As a result, it shouldn't be a surprise that some open source developers are beginning to realize they wield outsized power, despite the lack of compensation they receive for their work, because their projects are used by some of the largest, most profitable companies in the world. In early January, for example, Marak Squires, the developer of two popular NPM packages, 'colors' and 'faker,' intentionally introduced changes to their code that broke their functionality for anyone using them, outputting "LIBERTY LIBERTY LIBERTY" followed by gibberish and an infinite loop when used. While Squires didn't comment on the reason for making the changes, he had previously said on GitHub that "I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work." Squires' changes broke other popular projects, including Amazon's Cloud Development Kit, as his libraries were installed almost 20 million times per week on npm, with thousands of projects directly depending on them. Within a few hours, NPM had rolled back the rogue release and GitHub suspended the developer's account in response.
While NPM's response was to be expected after previous incidents in which malicious code was added to libraries and was ultimately rolled back to limit damage, GitHub's was a new one: the code hosting platform took down Squires' entire account, even though he was the owner of the code and it was his right to change it as he pleased. This isn't the first time a developer has pulled their code in protest, either. The developer of 'left-pad' pulled his code from NPM in 2016, breaking tens of thousands of websites that depended on it, following a fight with the Kik messenger over the naming of another open source project he owned. What's astonishing is that despite the occasional high-profile library protesting the way the industry works, these types of incidents aren't all that common: open source developers continue to work for free, maintaining their projects as best they can, even though multi-million dollar products are being created off the back of their work.
Open Source Users Have Power Too (Score:5, Insightful)
Re:Open Source Users Have Power Too (Score:5, Interesting)
However, if a project runner decides to go rogue and makes the code dump a user because they just don't like them, it will create a problem where said unliked individual will now need to transition to a different product.
The thing with software freedom is that people/organizations whom you may not like may use your product. You just need to accept that when you make a product and create it under an open source license. If you don't want billionaires to profit off of your work, then you will need to put your product under a less free license.
For a company, if a product is under the GPL, they know they can use all the software in that category the same way, following the rules of the GPL; the same goes for the Apache, BSD or MIT licenses. If you are going to go rogue and say your product follows this license, but make exceptions for those whom you dislike, that is an entirely new license, and if you say it is GPL, then you are lying to the users.
Re:Open Source Users Have Power Too (Score:5, Insightful)
I suspect this particular issue with NPM is different from the classical problem of using open source in commercial products. Right now, if I use an open source product I can integrate and test it long before a customer sees it. I can inspect it thoroughly; nothing should be a surprise.
However, with the web style of development where a library or file is used from a third party site as-is, there are a lot of problems. I think web sites screw up badly if they are taking third party products and not inspecting them; any change in the third party file normally should require a review before integrating it. But I think many web sites don't do this. It's easier to just include some .js file from some random location and cross fingers and hope it won't change. It's kind of a flimsy foundation when something vital to your product isn't under your control. At the very least, do periodic snapshots of third party tools on your local site instead of cross site scripting.
Re:Open Source Users Have Power Too (Score:5, Insightful)
Yeah, that's the crux of the problem here - and the fact that Amazon got bit by it just goes to show how poorly the process of releasing software is understood across the entirety of IT.
If you're blindly pulling a dependency via NPM and not even bothering to test the final result, the burden is on you. Not the OSS project whose code you're freeloading from - code which, for very good reasons, is always licensed as-is.
Re: (Score:2)
While you are responsible for what you put on your computer, if Open Source software programmers get in the habit of putting in hooks to change their software because they don't like you, they will avoid using that toxic license.
To which you may say, "Good, let those freeloaders use their billions of dollars to buy a replacement." However, these freeloaders may be freeloading on that project while being more supportive of others, which they may have dropped supporting because the company changed its poli
Re: (Score:2)
Re:Open Source Users Have Power Too (Score:4, Insightful)
You don't need to run anything unpatched. What you need to do is a) test what you release and b) don't blindly sync code from public GitHubs assuming it never breaks. So c) when it does, you have processes in place to deal with it.
The fact that you have enterprise software using NPM just happily syncing code at head, without any kind of release process behind it, is scary.
Re: (Score:2)
Running from head with NPM is just asking for trouble. You need to specify a version, otherwise you're going to get burned, and not infrequently.
Re: (Score:2)
and the fact that Amazon got bit by it just goes to show how poorly the process of releasing software is understood across the entirety of IT.
Worth mentioning that Amazon is huge and not all coding groups in Amazon have the same standards.
Re: (Score:2)
The thing with software freedom, is people/organizations who you may not like may use your product. You just need to accept that when you make a product and create it under an open source license...
That's a bit of a slippery slope. Remember the phrase "Free as in free speech, not as in free beer"? Putting something under the GPL doesn't void all responsibility/control over it. This article, as redundant as it is, has a point. Can it be forked? Yes. Can anyone use it? Yes. But you don't need to "just accept" it. If you don't want billionaires to profit off your project, you can apply to the company and go "you realize you already hire me, right?" You can not fix bugs from people that are within that company
Is that power? (Score:5, Insightful)
So... this guy had his fifteen minutes of Warholian fame, his access to GitHub removed, and everything promptly went back to normal.
If that's power, I think I prefer the old-fashioned power of billionaires.
Re:Is that power? (Score:5, Insightful)
Today's world is all about individual rights, never about individual responsibilities, or consequences of one's actions.
Re: (Score:2)
Re: (Score:2)
And now has a reputation that will follow him for the rest of his career.
Unlikely. I read the summary 2 minutes ago, and I have already forgotten his name. He caused an insignificant tech blip that was quickly fixed. This isn't like the Morris worm.
Re: (Score:2)
I'm afraid to ask what you think of people who use PHP.
Wait, GitHub *suspended his account*?! (Score:5, Insightful)
For what, exactly? It is his project to run!
Re:Wait, GitHub *suspended his account*?! (Score:4, Insightful)
And it's their site to run
Re: (Score:3, Insightful)
Very cute. Exactly which TOS is his project breaking again?
The overall point is his work is being distributed as-is, under (IIRC) an MIT open source license. Meaning, if you blindly trust NPM to sync dependencies which will never ever fail, you suck at releasing software.
Re:Wait, GitHub *suspended his account*?! (Score:5, Insightful)
And the owner of the files can demand that microsofthub removes the files
He gave up that right when he posted them under MIT licence. Seriously, WTF is wrong with people? First you post code under terms of "everyone is free to use it", then get pissy when they actually do. If there's a way to be more stupid I don't know what that is.
Re:Wait, GitHub *suspended his account*?! (Score:5, Insightful)
Sounds like a good way to convince people open source is more trouble than it's worth. It was concern about these kinds of antics that made corporations reluctant to get involved with things like Linux when it was in its early days. Looks like their concerns were justified.
Re: (Score:2)
Re: (Score:2)
Using open source can save a lot of time and money, but it does require some knowledge and skills, a healthy balance of trust and distrust, and a certain kind of attitude or approach to working with others and handling issues that is different from buying a product with a warranty.
Nobody is forcing companies to develop with open source. If a company develops a commercial product and there are concerns about using open source components, that company is free to build its own or pay someone else to use theirs.
Re: (Score:2, Informative)
Re: (Score:3)
We stopped using term "Indian giver" in the 80s because it is factually dishonest, not because of woke-ness.
My take on this is that "Indian giver" refers to North American colonists who gave promises and concessions to native North Americans and then broke the promises and clawed back the concessions. I've never regarded the term as insulting to native Indians, but rather as a factually descriptive pejorative description of the European and British colonists who so abused the aboriginal people on this continent.
Re: (Score:2)
For starters... distributing ACTIVELY a bug WITH THE INTENTION to DISRUPT?
That, if there were not the "as-is", would have made him end up in jail.
Re:Wait, GitHub *suspended his account*?! (Score:5, Insightful)
Ah, but the thing is, like all open source code, this *IS* being distributed as-is. So why this guy is getting his account shut down is beyond me.
Sounds like the real problem here is people, including large corporations, just blindly relying on NPM to pull in dependencies without freezing them, nor properly testing the result.
Re: (Score:2)
Time to market means that businesses don't want to waste time testing. Think of the profits!
Re: (Score:3)
Bullshit. If you're relying on OSS code, the burden is on YOU to properly test what you build using it. The "as-is" part of all open source licenses is there for a very good reason. I'm not bound to your needs and whims when I release free code on GitHub.
And just to be 100% clear, I'm not condoning the guy's actions. But there's a serious misunderstanding of the issue at hand here. It is his code to modify at whim, whether you like it or not.
Re: (Score:2)
There is a difference - actually not a fine one, but a chasm - between *AS IS* and
a) malware
b) sabotage
etc.
The court suits will show up soon. Obviously you block such an a**h*le from access to GitHub, even if it is "his own project".
The damage he caused: he is liable, not someone "who did not test". For what the funk would one test such a thing? How? Huh?
Re: (Score:2)
> It is his code to modify at whim, whether you like it or not.
Yes, in the same way a car you've bought or built is yours to do with as you want on a whim, until it isn't; like, when you break the speed limit, or use a phone whilst driving, or run a red light, or run someone over.
Wow. I was just about to answer in a serious manner, but this comparison is just bananas.
Re: (Score:2)
Except that the software really is released "as is". Also, his code didn't harm any systems, it just stopped his specific code from functioning properly. He has no real obligation to maintain the code either.
It's basically a hobby that he decided to blow up for some reason. That others are taking his "as is" freely offered code and not at least testing it before rolling it out isn't really his problem.
It was a total dick move to make but he didn't break any laws in doing it. No one is liable for the code. T
Re:Wait, GitHub *suspended his account*?! (Score:5, Informative)
No no, Github is still bound by their own TOS.
True, but pretty trivially useless. The main bit that talks about how github is bound is
3. GitHub May Terminate
GitHub has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. GitHub reserves the right to refuse service to anyone for any reason at any time.
and
O. Limitation of Liability
Short version: We will not be liable for damages or losses arising from your use or inability to use the service or otherwise arising under this agreement. Please read this section carefully; it limits our obligations to you.
I checked, and I'm not sure how uploading a code change to the code you fucking own, available for free to the public, should be an issue to begin with.
So it seems that Github just decided to pull the plug because of [reasons]. That should make everyone think twice about using their service ever again.
Their community guidelines, which are included by reference in their Terms of Service, have a bunch of things this could fall under: "Misinformation and disinformation", "active malware or exploits", "Disrupting the experience of other users". Any one of those could be interpreted as sufficient to justify their actions.
Re: (Score:2)
As noted in a separate post, the only relevant item here is the section regarding malware and exploits - which, any way you slice it, this change is not. Both the "Misinformation and disinformation" and "Disrupting the experience of other users" sections cover interactions with other users within GitHub (comments et al), not repo contents, nor how people who clone one interact with it.
The problem here is not the project repos themselves, but how people are (stupidly) using them. GitHub suspending accounts over
Re: (Score:3)
I get where you are coming from, however, given the future actions on the repo, I'd consider the pre-existing descriptions of each repo as misinformation. There should have been a clear statement that they might be deliberately disrupted in future. Generally the precedents are worrying.
Re: (Score:3)
Not really. Colors used the MIT license, and Faker a very similar license. Github is well within their rights to continue to host that code after suspending the author.
That's the thing about open source. Just about every license is designed to set the code free. Once you distribute it under one of those licenses, it's out of your control.
For some strange reason, a surprising number of people don't understand this and complain when people abide by the terms of the license they selected!
Re: (Score:2)
I'm not arguing about whether GitHub is allowed to host MIT-licenced code without the author's approval - that part is quite clear in the licence's text. My question is, why was his account suspended to begin with?
Re: (Score:2)
I can only guess why, but it seems reasonable to me, given that his changes intentionally broke a lot of other projects. I'm surprised they reinstated his account. I figured they'd have banned him after a stunt like that.
Re: (Score:2)
He said: "I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work."
Deleting his account was just Github's (Microsoft's) way of helping him do that.
What power? (Score:3)
It's open source; they'll just pull what Amazon did to Elastic and fork.
Re: (Score:2)
Forking is easy... committing to and evolving the code is another story... let's check in 2 years to see the state of both elasticsearch and opensearch.
AWS didn't want to pay for elasticsearch, so let's see if they really want to pay developers instead, or if it is just talk and they want to just profit from other people's work.
Re: (Score:2)
lets check in 2 years to see the state of both elasticsearch and opensearch.
I'll bite. I expect in 2 years elasticsearch will be dead and opensearch will be largely popular. That's how it works when your project is popularised by the largest cloud provider on the planet.
AWS didn't want to pay for elasticsearch
Where do you get that idea? Do you often get offered free stuff in the street and turn around and say "No sireee, I'm giving you $5 for this even though you didn't ask for it!" Of course not. You're not stupid. Accepting and using free stuff does not imply an unwillingness to pay. That's no different here.
Re: (Score:2)
> I expect in 2 years elasticsearch will be dead and opensearch will be largely popular.
I would like both alive and collaborating. Yes, elasticsearch's closed plugins and some limited features are a pain, but building alternative open plugins (like https://readonlyrest.com/) is a good path. The fork will probably make both worse in the long term than collaborating.
Too much control from elasticsearch was bad, but also AWS not entering into cloud agreement contracts like Azure or Google pressured them to some r
On the contrary (Score:2)
Github's reaction proves that things are still the way they should be in a world ruled by money. Only those with money also have power, and can end any such hallucinations of power within hours.
Open source is part of the 'commons' (Score:2)
Free rider problem (Score:3)
Re: (Score:2)
Kind of funny seeing open source dealing with piracy as well. Even the issue of compensation is the same.
FOSS has no real free rider problem. (Score:2)
Because the purely digital world - which the world of software is - is a world in which one market mode that utterly fails IRL actually works: Marxism. It works so well that any corporation trying to sell software these days basically has to turn their proprietary software into a religion, and even then success isn't sure. If all it takes is a minuscule amount of electrical current to duplicate goods and wares millionfold, capitalism pretty much loses out to Marxism, epic style.
That's why IT megacorps thes
Re: (Score:2)
Yeah, I understand what GP was trying to say. But I don't think FOSS has the classic free-rider problem.
The problem with free riders is not just that the "free rider" does not pay. It is also that they impose a cost on the system. If you use a swing that you don't pay for, you cause wear and tear on the swing. Eventually it will break and will have to be replaced.
In FOSS, the cost of having users who do not pay for the software is zero, or at least it could be zero. You develop the software and if people
Power? (Score:2)
They have the power to throw a tantrum and sabotage or take down their own code. Meanwhile, large corporations have the power to fork the previous safe and correct version and continue using it.
Re: (Score:2)
That's the point of the notice the author left: acknowledge the work effort, support it at least. Companies can/will fork and use what they now consider a safer source. At least now maybe there's some awareness. The original author, though, may not maintain a new fork; the ecosystem will diverge.
Supply Chain Attacks (Score:3)
The scarier thing here is not this particular incident, but instead the possibility of supply chain attacks. It would have been just as easy to slip some backdoor exploit into the code and have that deployed on millions of computers all over the world before anyone realized. In fact, this has probably ALREADY happened in a number of codebases, undetected so far.
What Marak Squires really demonstrated (Score:2)
He demonstrated he had the power... to shoot himself in the foot.
Although that sounds more like the BSD license than GPL.
The two examples aren't very good (Score:2)
Disconcerting to see many defending his behavior (Score:4, Interesting)
Implicit in the argument "it's his repository and project" is the legal fact that he cannot lawfully introduce changes that are aimed at causing harm to the people who are using it.
This little temper tantrum cost a lot of people a lot of time which also means many businesses spent money they didn't need to spend over this.
There are plenty of ways to do a protest without getting into legally dangerous areas, such as putting in logger statements that dump profane messages about freeloaders and stuff like that. Deliberately setting out to break teams' build systems is not acceptable.
Re:Disconcerting to see many defending his behavio (Score:5, Insightful)
No, he totally can. It is his project, and it is being distributed as-is under an MIT license.
Not that his "little temper tantrum" isn't costing people a shitton of time and money - that's not being argued here. The question is, why is he not able to do the fuck he wants with his own code? And why is everyone blindly relying on it, without even testing?
Re: (Score:2)
The question is, why is he not able to do the fuck he wants with his own code?
Oh he is able. So is everyone else who has a copy of the code (as per the license). Github is also able to do whatever the fuck they want with the repos on their site. Host it yourself if you want complete autonomy.
Re: (Score:2)
No, he totally can. It is his project, and it is being distributed as-is under an MIT license.
Tort law does not seek to stop you from harming others, it simply seeks to help them recover their losses.
This "he... can" argument is as stupid as when Bill Clinton said, "it depends on what the meaning of the word 'is' is."
Re: (Score:2)
He can do whatever he wants, it's his code. No one's saying he couldn't.
What everyone refers to though is the impact it has on open source in general. You can bet companies like Oracle and Microsoft were screaming for joy Steve Ballmer style when it h
This isn't about ownership of the code! (Score:2)
You fucking neckbeards keep missing a salient fact: he hooked his repo into NPM so that his malicious changes would be quietly bundled and distributed to users with intent to break their build pipelines.
He didn't just update his repo, he configured his repo so that it would feed that code quietly to all of his users.
I hate Node and avoid it, but I know just enough about NPM to know all he had to do was increment the versio
Re: (Score:3)
Sounds like a massive security issue with NPM. Why are people allowing it to pull in random code and then execute it?
Re: (Score:2)
This. So, so much this.
I haven't even looked, but I wouldn't be surprised to find out NPM was used as an attack vector to actually distribute malware in the past.
Re: (Score:2)
No, he totally can. It is his project, and it is being distributed as-is under an MIT license.
Not that his "little temper tantrum" isn't costing people a shitton of time and money - that's not being argued here. The question is, why is he not able to do the fuck he wants with his own code? And why is everyone blindly relying on it, without even testing?
I think it comes down to his intent to cause harm. A real world analogy to this situation might be a right of way. You and your neighbours have property that is accessible via a right of way which crosses this fellow's land. He doesn't have an obligation to maintain a road or the property along the right of way; you're right that in that way he can do whatever he likes. But he isn't allowed to alter it in a way to intentionally cause harm, such as putting spikes along it. (There are actual laws and pre
Re: (Score:3)
They might exist, I'm genuinely curious. I can't think of any
Re: (Score:2)
There are federal laws, and also laws in all 50 states for computer crimes, some of which include disrupting normal operation and denial of service. Whether it's entirely new malware, or a malicious change to existing software, if you're interested in consequences you can look up "computer crime statutes" or similar phrases to find it.
Even if there weren't any relevant laws, the natural consequence of Marak trashing his own code is that people will stop using it. GitHub and NPM are free to stop hosting it,
Re: (Score:2)
I forgot to mention an example. Look up the Sony rootkit scandal. There's a summary on Wikipedia. That ended with a lawsuit.
A more recent example that doesn't involve a lawsuit, but has more similarities to what happened here, is a barcode scanner app in Google Play. The developer uploaded their own code to a repository hosted by someone else (Google); it started legitimate, then in late 2020 they uploaded a change that users generally agreed was an abuse of some kind (adware), and the app got removed. There ar
Re: (Score:2)
I don't know enough about the barcode scanner to comment. Did the developer lose all access to the google play store, or just have this one app removed?
Re: (Score:2)
There are some open source cases where someone made a clone of a popular project and added malware, but I don't know if they ended in prosecution.
The Sony case has some differences, but did end up in court. Marak got some donations for his work -- everyone had a chance to get the malicious update, including people who donated. But you're right that they are not so similar.
There was also the story from last year of the University of Minnesota people submitting known malicious patches to the Linux kernel to s
Re: (Score:2)
power (Score:2)
The power to have platforms kick you off and take over your work. That is some real power right there.
Not too much power (Score:2)
If an open source developer goes rogue, the most that happens is someone does a rollback to a previous version and forks from there. If it's a company, maybe they could do a free/enterprise split.
There's 5 minutes of fame, plenty of other open source developers available, and perhaps a reason to not explicitly depend on esoteric libraries that should instead be core. (Like really, if a package manager can output coloured text in the console, then that should be exposed through the API.)
Yes but... (Score:2)
business model to manage and release libraries (Score:2)
Sounds like an opportunity for someone to have a central repository of libraries they manage and release.
Could be an interesting business model for some open source projects.
If you are building software and just blindly using libraries from the internet, you are a nimrod.
That's how Red Hat makes their money after all... (Score:2)
Downstream stupidity is not upstream power! (Score:2)
The guy is a puerile asshole (Score:2)
Thanks for ruining it for the rest of us. This will further the move to "app stores", where the developer must have someone else sign off on any and all updates. Only automatically pull in "Github verified updates" to protect yourself from rogue developers. No more self-publishing. With great power comes great responsibility and you just chose a different profession, dumbass.
Not sure why this is surprising (Score:2)
Submitter expressed surprise that trouble of the type described is actually rare. This shouldn't be surprising, since most open source programmers are proud of their work and have little interest in defacing it. Although most often our projects are not in themselves paying us, the reputation enhancement we get often gets us more and better work opportunities, so it sorta evens out over the life of one's career. And it's nice to have some projects where I get to make all the calls about what features are added, ho
Name recognition is the real power of open source (Score:2)
The real power of open source is that the author can walk into an interview, and say, "You know that library you depend on? I wrote it. So you already know you can rely on my code; let's talk price."
Someone else quipped when Alan Cox (the kernel developer) was looking for a job that his resume was one line: his name and contact information. Anyone who needed a Linux kernel developer would know who he was. So that simplifies the interview process quite a bit.
I have interviewed developers who contrib
Open Source, or just NPM Repos? (Score:3)
Open Source does not have a problem as the article puts it.
The issue is NPM's repository governance. Time and time again, we see issues where a single person can render tens of thousands of sites inoperable because of a tantrum or something like it.
Examples:
- Open Source Developer Intentionally Corrupts His Own Widely-Used Libraries [slashdot.org]
- Malicious npm Packages Caught Installing Remote Access Trojans [slashdot.org]
- Npm Team Warns of New 'Binary Planting' Bug [slashdot.org]
- Hacking 20 High-Profile Dev Accounts Could Compromise Half of the NPM Ecosystem [slashdot.org]
- Standard, a Javascript Style Guide Library With 3M Downloads Per Month, Now Showing Ads When Installed Via NPM [slashdot.org]
- More headlines from
If NPM has better governance when it comes to the repositories, then there would be nothing to discuss here.
Case in point: Debian's repositories.
Yes, it is more labour intensive, requiring a maintainer who owns every package, and it also makes versions a bit late, instead of instantaneous.
But the end result is having stable software that is immune from exactly what we are seeing here.
Unemployable (Score:2)
As an open source developer I would never hire someone who pulled a stunt such as what Marak Squires did because it indicates they don't have a shred of professionalism and there's no way you can reasonably work with them.
If you are upset that big companies are using your code, you need to realise that you are the one who chose to license your work as open source, and own that decision. Just post a notice that the library is no longer maintained, walk away, and find an employment/lifestyle arrangement that w
astonishing? (Score:2)
What's astonishing is that despite the occasional high-profile library protesting the way the industry works, these types of incidents aren't all that common: open source developers continue to work for free, maintaining their projects as best they can, even though multi-million dollar products are being created off the back of their work.
Why is that astonishing? One of the core tenets of free software is that anybody can use your work. The point of the licensing is literally to empower the user and give him freedom.
If you don't want that, then ... don't license your work that way?
How many other times have APIs changed... (Score:3)
Nobody says you have to support OLD APIs forever. Sometimes the changes are good, other times they are not.
In this case, the owner of the code decided to change the purpose of his code from providing the previous functionality to doing something vastly unlike what it did before.
Was his old version still hosted on GitHub? Yes. Which means that any competent developer who built their stuff against a tagged version would not have any issues. Their code would continue to work.
This wasn't an attack against fortune 500 companies, it was an attack against sloppy ones.
What if he'd changed function B to do something differently, and instead of updating function A to use the new function B, just removed it because it was no longer supported? Would many people who had been using function A complain? Yes. Are they justified? No. Version 1.0 of function A and B are still there, and still work as before. Version 2.0 of function B does different stuff, and there is no version 2.0 of function A.
Nothing says a functioning API needs to live forever at the head. And hopefully this has helped to hammer that home with everyone who got smacked by this.
Re: (Score:2)
That's a good question. Why was his account suspended over this?
Re: (Score:3)
Github terms of use:
GitHub Acceptable Use Policies
2. Content Restrictions
Under no circumstances will Users upload, post, host, execute, or transmit any Content that: ... ... ...
directly supports unlawful active attack or malware campaigns that are causing technical harms — such as using our platform to deliver malicious executables or as attack infrastructure, for example by organizing denial of service attacks
You could construe that the changes did "denial of service" to projects "downstream", and/or
Re: (Score:2)
That's quite a stretch though. I don't see how one could defend that his (stupid) change can be read as "directly supporting unlawful active attack or malware campaigns that are causing technical harms". This is a MIT-licensed, one-man project offering zero guarantees to any downstream projects that might be relying on it; it just happened to bite most NPM users out there because no one bothers to check the code that's automatically downloaded by it, nor implements release freeze policies.
What we have here is
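The two comments above make the same point from opposite sides: code built against a pinned, tagged version kept working, while anything on a floating range or without a release-freeze policy pulled the broken release. This added example (not from the thread or from any project named in it) audits a package.json for specifiers that let an install silently resolve to a newer release; the sample manifest and its versions are constructed.

```javascript
// Added example: flag dependency specifiers that float instead of pinning.
// Only an exact version such as "1.4.0" counts as pinned; caret/tilde and
// comparison ranges, wildcards, dist-tags and URLs can all resolve to a
// release the author publishes later.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s)) return "pinned";
  // Empty string, "*", "x" and the "latest" dist-tag accept anything.
  if (s === "" || s === "*" || s === "latest" || s === "x") return "any";
  // ^1.4.0, ~5.5.0, >=1.0.0 <2.0.0, 1.x, 1.0.0 - 2.0.0, a || b
  if (/^(?:\^|~|>=?|<=?)/.test(s) || /\s-\s|\|\||\.x|\*/.test(s)) return "range";
  // git/github/http specifiers and local paths: no registry version at all.
  if (/^(?:[a-z]+:|\.\/|\.\.\/)/.test(s) || s.includes("/")) return "url";
  return "unknown";
}

// Walk every dependency field and return the entries that are not pinned.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "pinned") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (versions are illustrative, not the real ones).
const SAMPLE = {
  dependencies: { colors: "^1.4.0", faker: "~5.5.0", "left-pad": "1.0.0" },
  devDependencies: { eslint: "*" },
};

for (const f of auditManifest(SAMPLE)) {
  console.log(`${f.field}/${f.name}: "${f.spec}" is ${f.kind}, not pinned`);
}
```

Pinning direct dependencies is only half of a release-freeze policy: transitive dependencies still float unless a lockfile is committed and installs run from it (for example with `npm ci`).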
Re: (Score:2)
"directly supporting unlawful active attack ... that are causing technical harms"
Yes, it's more of "being the active attack that is causing technical harm"...
No idea what repercussions on GitHub will be, good and bad... If doing something is better than not doing anything, and if suspending the account was better than any other action (or inaction).
In the end, it's a done thing. Water under the bridge - and even if courts would be involved, basically nothing will change.
Re: (Score:2)
It's not a stretch. This wasn't an accidental bug that he accidentally released. We would all excuse him for that in a second. He intentionally broke his software in order to make every downstream project fail because he wanted revenge on big companies that weren't paying him.
He's lost the trust of everyone for his projects and has put a bad view on using OpenSource libraries in general. The community needs to strongly say that this was not acceptable.
Re: (Score:2)
Sorry, that's not true. It is a stretch because his project offers no guarantees to any downstream project choosing to sync and rely on it. Again, this is quite explicit in the licence text.
This is not malware, nor an attack. It's many dumb things, yes, but not the ones GitHub lists as a cause of account termination.
Re: (Score:2)
It is a stretch because his project offers no guarantees to any downstream project choosing to sync and rely on it.
So just because I did not shoot you yesterday, you won't complain when I do it today?
Sorry, do you have mental problems? Or no clue about good versus evil or ethic versus morally right?
He intentionally broke software. Made other people suffer. And will most likely end up in court for that.
No idea what your intellectual problem is with that. If he had done that to me: I would sue him for sure
Re: (Score:2)
That's quite a stretch though. I don't see how one could defend his (stupid) change can be read as "directly supporting unlawful active attack or malware campaigns that are causing technical harms".
Then perhaps you should read the article.
Or at least the summary here on /.
Re: (Score:2)
Look, I'm very stupid. Can you point me to the paragraph in the article explaining this?
Re: (Score:2)
How, exactly? Remember, this is MIT-licensed code. It's distributed with zero guarantees.
Re: (Score:2)
How, exactly? Remember, this is MIT-licensed code. It's distributed with zero guarantees.
Because that's the part in the EULA
I guess you'd agree that if I intentionally swing my fists and hit you, it's not battery, since there's no guarantee I wouldn't do it and really it's just your fault for being there at the time.
Re: (Score:2)
Re: (Score:2)
That sounds a lot like running closed software as well. Why hasn't Microsoft been sued into the ground for negligence by this point?
Go read the various open source and closed-source licenses. None of them take any responsibility for anything and it's always as-is. I can understand totally free-to-use software coming with no warranty. That makes sense. I don't see why closed source software made by a company and sold for profit doesn't come with a warranty though. Can't think of any other product made that d
Re: (Score:2)
Optics.
Sad upvote :(
Re: (Score:2)
Not that I'm aware of. You can't retroactively cancel OSS licenses. Saying "everything past this new release is bound by a new license" is fine though, if you own the code.
Re: (Score:2)
The only way you could 'revoke' a previously granted license would be to show (legally) that the terms of the license have been violated. And that would be on a license-by-license basis, not some 'all licenses are now revoked' thing.
If it were possible to revoke existing licenses 'just because', FOSS would vanish in an instant.
Re: (Score:2)
Once licensed under GPL, it stays forever under GPL. ...
However, one can take code over which one has ownership ("copyright") and re-release it under any other license. Apparently it's useful when a company uses GPL code inside its product (not LGPL code in separate libraries) and doesn't want to release its product as GPL - they get the code from the copyright owner under a different license (and presumably pay accordingly) - MySQL, Qt,
So, once version 5.2.1 is released under GPL on - let's say - GitHub, t
Re: (Score:2)
JFrog makes that kind of easy in an enterprise setting.