RV_ Posted March 26, 2022

Excerpt:

"From ethical concerns, a desire for more money, and simple obnoxiousness, a handful of developers are ruining open-source for everyone.

One of the most amazing things about open-source isn't that it produces great software. It's that so many developers put their egos aside to create great programs with the help of others. Now, however, a handful of programmers are putting their own concerns ahead of the good of the many and potentially wrecking open-source software for everyone.

For example, JavaScript's package manager maintainer RIAEvangelist, Brandon Nozaki Miller, wrote and published an open-code npm source-code package called peacenotwar. It did little but print a message for peace to desktops. So far, so harmless.

Miller then inserted malicious code into the package to overwrite users' filesystems if their computer had a Russia or Belarus IP address. He then added it as a dependency to his popular node-ipc program and, instant chaos! Numerous servers and PCs went down as they updated to the newest code and then their systems had their drives erased.

Miller's defense, "This is all public, documented, licensed and open source," doesn't hold up. Liran Tal, the Snyk researcher who uncovered the problem, said, "Even if the deliberate and dangerous act [is] perceived by some as a legitimate act of protest, how does that reflect on the maintainer's future reputation and stake in the developer community? Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?"

Miller is not a random crank. He's produced a lot of good code, such as node-ipc and Node HTTP Server. But can you trust any of his code to not be malicious? While he describes it as "not malware, [but] protestware which is fully documented," others venomously disagree.

As one GitHub programmer wrote, "What's going to happen with this is that security teams in Western corporations that have absolutely nothing to do with Russia or politics are going to start seeing free and open-source software as an avenue for supply chain attacks (which this totally is) and simply start banning free and open-source software -- all free and open-source software -- within their companies."

As another GitHub developer with the handle nm17 wrote, "The trust factor of open source, which was based on the good will of the developers, is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought 'was the right thing to do.'"

Both make valid points. When you can't use source code unless you agree with the political stance of its maker, how can you use it with confidence? Miller's heart may be in the right place -- Slava Ukraini! -- but is open-source software infected with a malicious payload the right way to protest Russia's invasion of Ukraine? No, it's not.

The open-source method only works because we trust each other. When that trust is broken, no matter for what cause, then open-source's fundamental framework is broken. As Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, said when students from the University of Minnesota deliberately tried to insert bad code into the Linux kernel for an experiment in 2021, "What they are doing is intentional malicious behavior and is not acceptable and totally unethical."

Much more in the article here: https://www.zdnet.com/article/some-developers-are-fouling-up-open-source-software/?ftag=TRE-03-10aaa6b&bhid={%24external_id}&mid={%24MESSAGE_ID}&cid={%24contact_id}&eh={%24CF_emailHash}

RV/Derek
http://www.rvroadie.com
Email on the bottom of my website page.
Retired AF 1971-1998
When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius
"Those who can make you believe absurdities, can make you commit atrocities." ... Voltaire
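The route the excerpt describes, a payload package pulled into projects as a dependency of a popular one, is exactly what an audit of the project's lockfile can surface before an update is rolled out. This is an added example, not code from the article, the forum, or either npm project: the package-lock.json contents and version strings are constructed placeholders, and the package names appear only as lookup inputs.

```javascript
// Added example: trace how a named npm package reaches a project through a
// package-lock.json (lockfileVersion 2/3 "packages" map). Lockfile is constructed.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "node-ipc": "*", "express": "*" } },
    "node_modules/node-ipc": { version: "0.0.0-placeholder", dependencies: { "peacenotwar": "*", "other-dep": "*" } },
    "node_modules/peacenotwar": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/other-dep": { version: "0.0.0-placeholder" },
    "node_modules/express": { version: "0.0.0-placeholder" },
  },
};

// npm resolution order: look in the requiring package's own nested node_modules, then each ancestor's.
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null; // reached the project root without finding it
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Every chain (root -> ... -> target) by which `target` is installed; empty means it is not in the tree.
function dependencyChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const walk = (path, chain, seen) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (depPath === null || seen.has(depPath)) continue; // unresolved entry or a cycle
      const next = chain.concat(dep);
      if (dep === target) chains.push(next);
      walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk("", ["(root)"], new Set([""]));
  return chains;
}

// Packages with install-time lifecycle scripts: code there runs on `npm install`, before any import.
function packagesWithInstallScripts(lock) {
  return Object.keys(lock.packages)
    .filter((p) => p !== "" && lock.packages[p].hasInstallScript)
    .map((p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length));
}
```

Run `dependencyChains(lockfile, "peacenotwar")` against a real lockfile to see which direct dependency is responsible for a flagged package; a chain through a package you never chose yourself is the transitive case the excerpt warns about.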
Jim & Alice Posted March 27, 2022

Thanks for sharing, Derek.

2007 Dolphin
Safe-T-Plus Steering Bar
Ray,IN Posted March 28, 2022

SAD.

2000 Winnebago Ultimate Freedom USQ40JD, ISC 8.3 Cummins 350, Spartan MM Chassis.
USA IN 1SG retired; Good Sam Life member, FMCA.
"And so, my fellow Americans: ask not what your country can do for you -- ask what you can do for your country." - John F. Kennedy, 20 Jan 1961
RV_ (Author) Posted March 29, 2022

YW Jim. Ray, it is.