Some developers are fouling up open-source software

RV_ · March 26, 2022

Excerpt:

"From ethical concerns, a desire for more money, and simple obnoxiousness, a handful of developers are ruining open-source for everyone

One of the most amazing things about open-source isn't that it produces great software. It's that so many developers put their egos aside to create great programs with the help of others. Now, however, a handful of programmers are putting their own concerns ahead of the good of the many and potentially wrecking open-source software for everyone

For example, JavaScript's package manager maintainer RIAEvangelist, Brandon Nozaki Miller, wrote and published an open-code npm source-code package called peacenotwar. It did little but print a message for peace to desktops. So far, so harmless.

Miller then inserted malicious code into the package to overwrite users' filesystems if their computer had a Russia or Belarus IP address. He then added it as a dependency to his popular node-ipc program and instant chaos! Numerous servers and PCs went down as they updated to the newest code and then their systems had their drives erased.

Miller's defense, "This is all public, documented, licensed and open source," doesn't hold up.

Liran Tal, the Snyk researcher who uncovered the problem said, "Even if the deliberate and dangerous act [is] perceived by some as a legitimate act of protest, how does that reflect on the maintainer's future reputation and stake in the developer community? Would this maintainer ever be trusted again to not follow up on future acts in such or even more aggressive actions for any projects they participate in?"

Miller is not a random crank. He's produced a lot of good code, such as node-ipc, and Node HTTP Server. But, can you trust any of his code to not be malicious? While he describes it as "not malware, [but] protestware which is fully documented," others venomously disagree.

As one GitHub programmer wrote, "What's going to happen with this is that security teams in Western corporations that have absolutely nothing to do with Russia or politics are going to start seeing free and open-source software as an avenue for supply chain attacks (which this totally is) and simply start banning free and open-source software -- all free and open-source software -- within their companies."

As another GitHub developer with the handle nm17 wrote, "The trust factor of open source, which was based on the good will of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought 'was the right thing they to do.'"

Both make valid points. When you can't use source code unless you agree with the political stance of its maker, how can you use it with confidence?

Miller's heart may be in the right place -- Slava Ukraini! -- but is open-source software infected with a malicious payload the right way to protect Russia's invasion of Ukraine? No, it's not.

The open-source method only works because we trust each other. When that trust is broken, no matter for what cause, then open-source's fundamental framework is broken. As Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, said when students from the University of Minnesota deliberately tried to insert bad code in the Linux kernel for an experiment in 2021 said, "What they are doing is intentional malicious behavior and is not acceptable and totally unethical."

Much more in the article here:

https://www.zdnet.com/article/some-developers-are-fouling-up-open-source-software/?ftag=TRE-03-10aaa6b&bhid={%24external_id}&mid={%24MESSAGE_ID}&cid={%24contact_id}&eh={%24CF_emailHash}