Open Source Developers, Who Work for Free, Are Discovering They Have Power (techcrunch.com)

Owen Williams, writing for TechCrunch: [...] As a result, it shouldn't be a surprise that some open source developers are beginning to realize they wield outsized power, despite the lack of compensation they receive for their work, because their projects are used by some of the largest, most profitable companies in the world. In early January, for example, Marak Squires, the developer of two popular NPM packages, 'colors' and 'faker,' intentionally introduced changes to their code that broke their functionality for anyone using them, outputting "LIBERTY LIBERTY LIBERTY" followed by gibberish and an infinite loop when used. While Squires didn't comment on the reason for making the changes, he had previously said on GitHub that "I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work." Squires' changes broke other popular projects, including Amazon's Cloud Development Kit, as his libraries were installed almost 20 million times per week on npm, with thousands of projects directly depending on them. Within a few hours, NPM had rolled back the rogue release and GitHub suspended the developer's account in response.

While NPM's response was to be expected after previous incidents in which malicious code was added to libraries and was ultimately rolled back to limit damage, GitHub's was a new one: the code hosting platform took down Squires' entire account, even though he was the owner of the code and it was his right to change it as he pleased. This isn't the first time a developer has pulled their code in protest, either. The developer of 'left-pad' pulled his code from NPM in 2016, breaking tens of thousands of websites that depended on it following a fight with the Kik messenger over the naming of another open source project he owned. What's astonishing is that despite the occasional high-profile libraries protesting the way the industry works, these types of incidents aren't all that common: open source developers continue to work for free, maintaining their projects as best they can, even though multi-million dollar products are being created off of the back of their work.

  • by BeerFartMoron ( 624900 ) on Tuesday January 18, 2022 @01:51PM (#62185083)
    Users of open source projects have the power to pick and choose exactly which open source projects they use. Or don't use. Or better yet, which to fork or not fork.
    • by jellomizer ( 103300 ) on Tuesday January 18, 2022 @02:05PM (#62185145)

      However, if a project runner decides to go rogue and makes the code dump a user because they just don't like them, it will create a problem where said unliked individual will now need to transition to a different product.

      The thing with software freedom is that people/organizations who you may not like may use your product. You just need to accept that when you make a product and create it under an open source license. If you don't want billionaires to profit off of your work, then you will need to put your product under a less free license.

      For a company, if a product is under the GPL they know they can use all the software in that category the same way, following the rules of the GPL; the same goes for the Apache, BSD or MIT licenses. If you are going to go rogue and say your product follows this license, but make exceptions for those who you dislike, that is an entirely new license, and if you say it is GPL, then you are lying to the users.

      • by Darinbob ( 1142669 ) on Tuesday January 18, 2022 @02:36PM (#62185263)

        I suspect this particular issue with NPM is different from the classical problem of using open source in commercial products. Right now, if I use an open source product I can integrate and test it long before a customer sees it. I can inspect it thoroughly; nothing should be a surprise.

        However, with the web style of development where a library or file is used from a third party site as-is, there are a lot of problems. I think web sites screw up badly if they are taking third party products and not inspecting them; any change in the third party file normally should require a review before integrating it. But I think many web sites don't do this. It's easier to just include some .js file from some random location, cross fingers and hope it won't change. It's kind of a flimsy foundation when something vital to your product isn't under your control. At the very least, do periodic snapshots of third party tools on your local site instead of cross site scripting.

        • by Lisandro ( 799651 ) on Tuesday January 18, 2022 @02:39PM (#62185273)

          Yeah, that's the crux of the problem here - and the fact that Amazon got bit by it just goes to show how poorly the process of releasing software is understood across the entirety of IT.

          If you're blindly pulling a dependency via NPM and not even bothering to test the final result, the burden is on you. Not the OSS project whose code you're freeloading from - code which, for very good reasons, is always licensed as-is.

          • While you are responsible for what you put on your computer, if open source programmers get in the habit of putting in hooks to change their software because they don't like you, people will avoid using that toxic license.

            To which you may say, "Good, let those freeloaders use their billions of dollars to buy a replacement." However, these freeloaders may be freeloading on that project while being more supportive of others, which they may have dropped supporting because the company changed its poli

          • OK but running an un-patched system until you re-check everything from the ground up is just not very workable. Part of the value proposition with e.g. Microsoft is that they have internal controls so this sort of thing won't happen. And say what you will but I don't think it ever has.
            • by Lisandro ( 799651 ) on Tuesday January 18, 2022 @03:06PM (#62185413)

              You don't need to run anything unpatched. What you need to do is a) test what you release and b) don't blindly sync code from public GitHubs assuming it never breaks. So c) when it does, you have processes in place to deal with it.

              The fact that you have enterprise software using NPM just happily syncing code at head, without any kind of release process behind, is scary.

              • Running from head with NPM is just asking for trouble. You need to specify a version, otherwise you're going to get burned, and not infrequently.

          • and the fact that Amazon got bit by it just goes to show how poorly the process of releasing software is understood across the entirety of IT.

            Worth mentioning that Amazon is huge and not all coding groups in Amazon have the same standards.

      • The thing with software freedom, is people/organizations who you may not like may use your product. You just need to accept that when you make a product and create it under an open source license...

        That's a bit of a slippery slope. Remember the phrase "Free as in free speech, not as in free beer"? Putting something under the GPL doesn't void all responsibility/control over it. This article, as redundant as it is, has a point. Can it be forked? Yes. Can anyone use it? Yes. But you don't need to "just accept" it. If you don't want billionaires to profit off your project, you can apply to the company and go "you realize you already hire me, right?" You can not fix bugs from people that are within that company

  • Is that power? (Score:5, Insightful)

    by turbidostato ( 878842 ) on Tuesday January 18, 2022 @01:53PM (#62185095)

    So... this guy had his fifteen minutes of Warholian fame, his access to GitHub removed, and everything promptly went back to normal.

    If that's power, I think I prefer the old-fashioned power of billionaires.

  • by Lisandro ( 799651 ) on Tuesday January 18, 2022 @01:54PM (#62185097)

    For what, exactly? It is his project to run!

    • by OverlordQ ( 264228 ) on Tuesday January 18, 2022 @01:55PM (#62185103) Journal

      And it's their site to run

      • Re: (Score:3, Insightful)

        by Lisandro ( 799651 )

        Very cute. Exactly which TOS is his project breaking again?

        The overall point is his work is being distributed as-is, under (IIRC) a MIT open source license. Meaning, if you blindly trust NPM to sync dependencies which will never ever fail, you suck at releasing software.

    • For starters... distributing ACTIVELY a bug WITH THE INTENTION to DISRUPT?

      That, if it were not for the "as-is", would have made him end up in jail.

      • by Lisandro ( 799651 ) on Tuesday January 18, 2022 @02:20PM (#62185197)

        Ah, but the thing is, like all open source code, this *IS* being distributed as-is. So why this guy is getting his account shut down is beyond me.

        Sounds like the real problem here is people, including large corporations, just blindly relying on NPM to pull in dependencies without freezing them, nor properly testing the result.

        • Time to market means that businesses don't want to waste time testing. Think of the profits!

    • by narcc ( 412956 )

      Not really. Colors used the MIT license, and Faker a very similar license. GitHub is well within their rights to continue to host that code after suspending the author.

      That's the thing about open source. Just about every license is designed to set the code free. Once you distribute it under one of those licenses, it's out of your control.

      For some strange reason, a surprising number of people don't understand this and complain when people abide by the terms of the license they selected!

      • I'm not arguing about whether GitHub is allowed to host MIT-licenced code without the author's approval - that part is quite clear in the licence's text. My question is, why was his account suspended to begin with?

        • by narcc ( 412956 )

          I can only guess why, but it seems reasonable to me, given that his changes intentionally broke a lot of other projects. I'm surprised they reinstated his account. I figured they'd have banned him after a stunt like that.

    • He said: "I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work."

      Deleting his account was just Github's (Microsoft's) way of helping him do that.

  • by OverlordQ ( 264228 ) on Tuesday January 18, 2022 @01:54PM (#62185101) Journal

    It's open source, they'll just pull what Amazon did to Elastic and fork

    • by higuita ( 129722 )

      Forking is easy... committing to and evolving the code is another story... let's check in 2 years to see the state of both elasticsearch and opensearch.
      AWS didn't want to pay for elasticsearch, so let's see if they really want to pay developers instead, or if it is just talk and they want to just profit from other people's work.

      • let's check in 2 years to see the state of both elasticsearch and opensearch.

        I'll bite. I expect in 2 years elasticsearch will be dead and opensearch will be largely popular. That's how it works when your project is popularised by the largest cloud provider on the planet.

        AWS didn't want to pay for elasticsearch

        Where do you get that idea? Do you often get offered free stuff in the street and turn around and say "No sireee, I'm giving you $5 for this even though you didn't ask for it!" Of course not. You're not stupid. Accepting and using free stuff does not imply an unwillingness to pay. That's no different here.

        • by higuita ( 129722 )

          > I expect in 2 years elasticsearch will be dead and opensearch will be largely popular.

          I would like both alive and collaborating. Yes, elasticsearch's closed plugins and some limited features are a pain, but building alternative open plugins (like https://readonlyrest.com/ [readonlyrest.com]) is a good path. The fork will probably make both worse in the long term than collaborating.
          Too much control from elasticsearch was bad, but AWS not entering into cloud agreement contracts like Azure or Google also pressured them to some r

  • Github's reaction proves that things are still the way they should be in a world ruled by money. Only those with money have also power, and can end any such hallucinations of power within hours.

  • People have always contributed toward the common wealth of their communities, or of the world, for nothing because it makes the world a better place. Some people will contribute toward, say, social services such as care for the needy or destitute for nothing other than satisfaction or due to a sense of duty. Then other people will at least sometimes honour their contribution by the occasional public award. Those who benefit most from open source need to do at least something comparable. Unfortunately the be
  • by Xylantiel ( 177496 ) on Tuesday January 18, 2022 @02:12PM (#62185167)
    Open source practice is, in some ways, a solution to the Free-rider Problem [wikipedia.org], largely by just accepting that there are free riders. If it is worth it to me to update something, then that is enough even if multi-billion dollar corporations benefit as well and don't "pay" for it. That's just reality.
    • Kind of funny seeing open source dealing with piracy as well. Even the issue of compensation is the same.

    • Because the purely digital world - which the world of software is - is a world in which one market mode that utterly fails IRL actually works: Marxism. It works so well that any corporation trying to sell software these days basically has to turn their proprietary software into a religion, and even then success isn't sure. If all it takes is a minuscule amount of electrical current to duplicate goods and wares millionfold, capitalism pretty much loses out to Marxism, epic style.

      That's why IT megacorps thes

      • by godrik ( 1287354 )

        Yeah, I understand what GP was trying to say. But I don't think FOSS has the classic free-rider problem.
        The problem with free riders is not just that the "free-rider" does not pay. It is also that they impose a cost on the system. If you use a swing that you don't pay for, you cause wear and tear on the swing. And eventually it will break and will have to be replaced.

        In FOSS, the cost of having users that do not pay for the software is zero, or at least it could be zero. You develop the software and if people

  • They have the power to throw a tantrum and sabotage or take down their own code. Meanwhile, large corporations have the power to fork the previous safe and correct version and continue using it.

    • That's the point of the notice the author left, acknowledge the work effort, support it at least. Companies can/will fork and use what they now consider a safer source. At least now maybe there's some awareness. The original author though may not maintain a new fork, the ecosystem will diverge.

  • by darkain ( 749283 ) on Tuesday January 18, 2022 @02:15PM (#62185175) Homepage

    The scarier thing here is not this particular incident, but instead the possibility of supply chain attacks. It would have been just as easy to slip in some backdoor exploit into code and had that deployed on millions of computers all over the world before anyone realized. In fact, this has probably ALREADY happened in a number of codebases undetected so far.

  • He demonstrated he had the power... to shoot himself in the foot.

    Although that sounds more like the BSD license than GPL.

  • The NPM and Colors examples aren't very good demonstrations of open source developers having "power," as the projects were immediately forked.
  • by DeplorableCodeMonkey ( 4828467 ) on Tuesday January 18, 2022 @02:43PM (#62185303)

    Implicit in the argument "it's his repository and project" is the legal fact that he cannot lawfully introduce changes that are aimed at causing harm to the people who are using it.

    This little temper tantrum cost a lot of people a lot of time which also means many businesses spent money they didn't need to spend over this.

    There are plenty of ways to do a protest without getting into legally dangerous areas, such as putting in logger statements that dump profane messages about freeloaders and stuff like that. Deliberately setting out to break teams' build systems is not acceptable.

    • by Lisandro ( 799651 ) on Tuesday January 18, 2022 @02:46PM (#62185325)

      No, he totally can. It is his project, and it is being distributed as-is under a MIT license.

      Not that his "little temper tantrum" isn't costing people a shitton of time and money - that's not being argued here. The question is, why is he not able to do the fuck he wants with his own code? And why is everyone blindly relying on it, without even testing?

      • The question is, why is he not able to do the fuck he wants with his own code?

        Oh he is able. So is everyone else who has a copy of the code (as per the license). Github is also able to do whatever the fuck they want with the repos on their site. Host it yourself if you want complete autonomy.

      • No, he totally can. It is his project, and it is being distributed as-is under a MIT license.

        Tort law does not seek to stop you from harming others, it simply seeks to help them recover their losses.

        This "he... can" argument is as stupid as when Bill Clinton said, "it depends on what the meaning of the word 'is' is."

      • by tlhIngan ( 30335 )

        Not that his "little temper tantrum" isn't costing people a shitton of time and money - that's not being argued here. The question is, why is he not able to do the fuck he wants with his own code? And why is everyone blindly relying on it, without even testing?

        He can do whatever he wants, it's his code. No one's saying he couldn't.

        What everyone refers to though is the impact it has on open source in general. You can bet companies like Oracle and Microsoft were screaming for joy Steve Ballmer style when it h

      • No, he totally can. It is his project, and it is being distributed as-is under a MIT license.

        You fucking neckbeards keep missing a salient fact: he hooked his repo into NPM so that his malicious changes would be quietly bundled and distributed to users with intent to break their build pipelines.

        He didn't just update his repo, he configured his repo so that it would feed that code quietly to all of his users.

        I hate Node and avoid it, but I know just about NPM to know all he had to do was increment the versio

        • Sounds like a massive security issue with NPM. Why are people allowing it to pull in random code and then execute it?

          • This. So, so much this.

            I haven't even looked, but I wouldn't be surprised to find out NPM was used as an attack vector to actually distribute malware in the past.

      • No, he totally can. It is his project, and it is being distributed as-is under a MIT license.

        Not that his "little temper tantrum" isn't costing people a shitton of time and money - that's not being argued here. The question is, why is he not able to do the fuck he wants with his own code? And why is everyone blindly relying on it, without even testing?

        I think it comes down to his intent to cause harm. A real world analogy to this situation might be a right of way. You and your neighbours have property that is accessible via a right of way which crosses this fellow's land. He doesn't have an obligation to maintain a road or the property along the right of way; you're right that in that way he can do whatever he likes. But he isn't allowed to alter it in a way to intentionally cause harm, such as putting spikes along it. (There are actual laws and pre

    • by kunwon1 ( 795332 )
      Which law did he break? Can you cite an instance of someone being successfully prosecuted for introducing malicious changes in code that they own?
      They might exist, I'm genuinely curious. I can't think of any
      • by xalqor ( 6762950 )

        There are federal laws, and also laws in all 50 states for computer crimes, some of which include disrupting normal operation and denial of service. Whether it's entirely new malware, or a malicious change to existing software, if you're interested in consequences you can look up "computer crime statutes" or similar phrases to find it.

        Even if there weren't any relevant laws, the natural consequence of Marak trashing his own code is that people will stop using it. GitHub and NPM are free to stop hosting it,

      • by xalqor ( 6762950 )

        I forgot to mention an example. Look up the Sony rootkit scandal. There's a summary on Wikipedia. That ended with a lawsuit.

        A more recent example that doesn't involve a lawsuit, but has more similarities to what happened here, is a barcode scanner app in Google Play. The developer uploaded their own code to a repository hosted by someone else (Google), it started legitimate, then in late 2020 uploaded a change that users generally agreed was an abuse of some kind (adware), and the app got removed. There ar

        • by kunwon1 ( 795332 )
          I don't think the Sony rootkit scandal is comparable; they were secretly installing malware on PCs without your permission, in a product you paid for. I think that's a very different area, legally. This guy didn't secretly install anything; he modified his own code under his own control, and third parties pulled it in and deployed it of their own volition.
          I don't know enough about the barcode scanner to comment. Did the developer lose all access to the Google Play store, or just have this one app removed?
          • by xalqor ( 6762950 )

            There are some open source cases where someone made a clone of a popular project and added malware, but I don't know if they ended in prosecution.

            The Sony case has some differences, but did end up in court. Marak got some donations for his work -- everyone had a chance to get the malicious update, including people who donated. But you're right that they are not so similar.

            There was also the story from last year of the University of Minnesota people submitting known malicious patches to the Linux kernel to s

  • The power to have platforms kick you off and take over your work. That is some real power right there.

  • If an open source developer goes rogue, the most that happens is someone does a rollback to a previous version and forks from there. If it's a company, maybe they could do a free/enterprise split.

    There's 5 minutes of fame, plenty of other open source developers available, and perhaps a reason to not explicitly depend on esoteric libraries that should instead be core. (Like really, if a package manager can output coloured text in the console, then that should be exposed through the API.)

  • ...perhaps any system, open or closed source, that allows a single person to inject trusted code into the servers of half the world is broken, and should review its security model.
  • Sounds like an opportunity for someone to have a central repository of libraries they manage and release.

    Could be an interesting business model for some open source projects.

    If you are building software and just blindly using libraries from the internet, you are a nimrod.

  • The Linux kernel and most well-known GPL products have way too many copyrights attached, to allow spontaneous, rogue licence changes. Additionally, from a coding standpoint, most open source projects are distributed as part of a distribution and are frozen as part of an extensive (and often automated) testing process. Whether that's as part of a Linux distribution (e.g. Debian) or an end-user application (e.g. Google Chrome), the upstream projects involved usually aren't used in their latest, raw, unadulter
  • Thanks for ruining it for the rest of us. This will further the move to "app stores", where the developer must have someone else sign off on any and all updates. Only automatically pull in "Github verified updates" to protect yourself from rogue developers. No more self-publishing. With great power comes great responsibility and you just chose a different profession, dumbass.

  • Submitter expressed surprise that trouble of the type described is actually rare. This shouldn't be surprising, since most open source programmers are proud of their work and have little interest in defacing it. Although most often our projects are not in themselves paying us, the reputation enhancements we get often get us more and better work opportunities, so it sorta evens out over the life of one's career. And it's nice to have some projects where I get to make all the calls about what features are added, ho

  • The real power of open source is that the author can walk into an interview, and say, "You know that library you depend on? I wrote it. So you already know you can rely on my code; let's talk price."

    Someone else quipped when Alan Cox (the kernel developer) was looking for a job that his resume was one line: his name and contact information. Anyone who needed a Linux kernel developer would know who he was. So that simplifies the interview process quite a bit.

    I have interviewed developers who contrib

  • by kbahey ( 102895 ) on Tuesday January 18, 2022 @05:25PM (#62185935) Homepage

    Open Source does not have a problem as the article puts it.

    The issue is NPM's repository governance. Time and time again, we see issues where a single person can render tens of thousands of sites inoperable because of a tantrum or something like it.

    Examples:

    - Open Source Developer Intentionally Corrupts His Own Widely-Used Libraries [slashdot.org]
    - Malicious npm Packages Caught Installing Remote Access Trojans [slashdot.org]
    - Npm Team Warns of New 'Binary Planting' Bug [slashdot.org]
    - Hacking 20 High-Profile Dev Accounts Could Compromise Half of the NPM Ecosystem [slashdot.org]
    - Standard, a Javascript Style Guide Library With 3M Downloads Per Month, Now Showing Ads When Installed Via NPM [slashdot.org]
    - More headlines from /. [slashdot.org]

    If NPM had better governance when it comes to the repositories, then there would be nothing to discuss here.

    Case in point: Debian's repositories.
    Yes, it is more labour intensive, requiring a maintainer who owns every package, and it also makes versions a bit late, instead of instantaneous.

    But the end result is having stable software that is immune from exactly what we are seeing here.

  • As an open source developer I would never hire someone who pulled a stunt such as what Marak Squires did because it indicates they don't have a shred of professionalism and there's no way you can reasonably work with them.

    If you are upset that big companies are using your code you need to realise that you are the one that chose to license your work as open source and own that decision. Just post a notice that the library is no-longer maintained, walk away, and find an employment/lifestyle arrangement that w

  • What's astonishing is that despite the occasional high-profile libraries protesting the way the industry works, these types of incidents aren't all that common: open source developers continue to work for free, maintaining their projects as best they can, even though multi-million dollar products being created off of the back of their work.

    Why is that astonishing? One of the core tenets of free software is that anybody can use your work. The point of the licensing is literally to empower the user and give him freedom.

    If you don't want that, then ... don't license your work that way?

  • by dlingman ( 1757250 ) on Tuesday January 18, 2022 @11:38PM (#62186771)

    Nobody says you have to support OLD APIs forever. Sometimes the changes are good, other times they are not.
    In this case, the owner of the code decided to change the purpose of his code from providing the previous functionality to doing something vastly unlike what it did before.

    Was his old version still hosted on GitHub? Yes. Which means that any competent developer who built their stuff against a tagged version would not have any issues. Their code would continue to work.

    This wasn't an attack against fortune 500 companies, it was an attack against sloppy ones.

    What if he'd changed function B to do something differently, and instead of updating function A to use the new function B, just removed it because it was no longer supported? Would many people who had been using function A complain? Yes. Are they justified? No. Version 1.0 of function A and B are still there, and still work as before. Version 2.0 of function B does different stuff, and there is no version 2.0 of function A.

    Nothing says a functioning API needs to live forever at the head. And hopefully this has helped to hammer that home with everyone who got smacked by this.
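The pinning point raised in several comments above (specify a version, freeze your dependencies, build against a tagged version), as an added example that is not from the article or any commenter: a small Node script that resolves a package.json specifier against a constructed list of published versions, showing which specifiers silently pick up the maintainer's next publish, and audits a package.json object for them. The package names and version numbers are constructed for illustration.

```javascript
// Added example, not code from the article or from any project it mentions.
// Shows why a floating specifier in package.json lets a newly published
// release replace the version you tested, and audits a package.json object
// for such specifiers. Version lists and package names are constructed.

const EXACT_RE = /^\d+\.\d+\.\d+$/;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Builds a predicate for the specifier forms this example handles:
// exact "1.4.0", caret "^1.4.0", tilde "~1.4.0", and "*" / "latest".
function satisfies(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || s === 'latest') return () => true;
  if (EXACT_RE.test(s)) return (v) => compareVersions(v, s) === 0;
  const m = /^([~^])(\d+\.\d+\.\d+)$/.exec(s);
  if (!m) throw new Error(`range form not handled in this example: ${s}`);
  const op = m[1];
  const base = m[2];
  const [baseMajor, baseMinor] = parseVersion(base);
  return (v) => {
    const [major, minor] = parseVersion(v);
    if (compareVersions(v, base) < 0) return false;
    if (op === '~') return major === baseMajor && minor === baseMinor; // ~1.4.0: >=1.4.0 <1.5.0
    if (baseMajor === 0) return major === 0 && minor === baseMinor;     // ^0.2.0: >=0.2.0 <0.3.0
    return major === baseMajor;                                         // ^1.4.0: >=1.4.0 <2.0.0
  };
}

// What a fresh `npm install` with no lockfile would pick: the highest
// published version satisfying the specifier, or null if none does.
function resolve(spec, published) {
  const matching = published.filter(satisfies(spec)).sort(compareVersions);
  return matching.length > 0 ? matching[matching.length - 1] : null;
}

// Lists every dependency whose specifier is not an exact version, i.e.
// every place where the maintainer's next publish changes what you get.
function auditDependencies(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_RE.test(String(spec).trim())) findings.push({ section, name, spec });
    }
  }
  return findings;
}

// Constructed scenario: the project was tested against 1.4.0, and the
// maintainer then publishes 1.4.1.
const PUBLISHED = ['1.3.0', '1.4.0', '1.4.1'];
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'example-lib': '^1.4.0', 'pinned-lib': '1.4.0' },
  devDependencies: { 'tool-lib': '*' },
};

function demo() {
  return {
    caretPicks: resolve('^1.4.0', PUBLISHED), // '1.4.1': the release nobody tested
    exactPicks: resolve('1.4.0', PUBLISHED),  // '1.4.0': the release that was tested
    floating: auditDependencies(SAMPLE_PACKAGE_JSON),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

A committed package-lock.json installed with `npm ci` skips this resolution step entirely, which is the "freeze" the comments ask for; the audit above is for the case where the lockfile is missing or ignored.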
