
The Ant Design Christmas Egg That Went Wrong - druml
http://blog.shunliang.io/frontend/2018/12/25/the-ant-design-xmas-egg-that-went-wrong.html
======
DoreenMichele
I have really mixed feelings about this. To my mind, the larger outrage is
that people were _fired_ over this.

I'm aware of the tendency to try to focus on what it seems like we can control
rather than on actual justice. In this case, I'm so far only seeing outrage
about the Easter Egg. I'm not seeing outrage about "They fired people over
this???!!! People whose only crime was using Ant??!"

I'm not a fan of what Christmas has mostly turned into these days. I'm
ambivalent about leaving a remark that could easily be wildly misinterpreted
as supporting and encouraging cultural insensitivity by Americans/Westerners.

Anyway, I may seriously regret commenting at all. This seems like a can of
worms for various reasons. I just dislike the idea of standing idly by while
the developers get lambasted, as if they should have known ahead of time that
people would be fired over this because of stuff happening in China. I'm also
leery of the possibility that the other answer will be to ignore the
seriousness of the situation for some people and act like "not my problem."

So there's my 2 cents.

~~~
nomel
Imagine working for the state. Your non-technical boss comes in and asks why
you have a holiday theme on the page when policy is to not show celebration on
state websites.

He asks you why you put this code in. You tell him you didn’t write the code.
He asks who did. You tell him it’s open source, many people contributed and
someone put this in without telling anyone. At this point, you’ve lost all
credibility with your non-technical boss and all of his non-technical execs. You
put a stranger's code on the state-run website, without reviewing it and
without knowing what’s in it.

~~~
LeifCarrotson
If your boss can't sell which things are part of their output and which are
external, they're not doing a very good job. A default Chrome install might
have a Christmas-themed homepage, an ISP might MITM HTTP traffic with a
greeting, an OS/hardware manufacturer/ad network/other 3rd-party might do
something...

The days when the state-run website only runs code written by the guy in the
department who knows how to spell HTML are long gone. Everyone is working on a
very small subset of the huge stack of complexity that makes someone else's
browser on someone else's device made by someone else on someone else's
network linked by someone else's CDN to someone else's datacenter that holds
someone else's server hardware which runs someone else's OS which hosts
someone else's server stack and uses someone else's framework to show the data
you actually wrote. If your non-technical boss can't explain that some parts
of this chain aren't under their complete control, they're just not being
honest.

~~~
TheRealPomax
This sounds like a gross over-generalisation of your personal experience. Why
would those days be "long gone" in a Chinese state-run agency?

~~~
LeifCarrotson
Because the Chinese state run website is accessible from, say, an Apple iPhone
running iOS/Safari. It is probably intended to be accessible from ISPs outside
the country. It is developed on Windows computers and hosted on Linux servers,
which probably run a server stack that's a combination of open-source modules
and proprietary glue.

Granted, your Chinese state-run website is probably more control-oriented than
a hypothetical SV startup which consists entirely of connecting VC money to
external microservices with a little copy added in by machine-parsing a slide
deck...

------
seabird
I don't know what possesses people to implement moronic surprises like this in
software that people use to actually get things done. I remember just about
shitting my pants when trying to boot a computer using Super GRUB Disk on
April 1st and getting a prompt claiming that my hard drive was being formatted
[1], or something along those lines. After wasting over a day with a non-
booting machine verifying that I didn't catch something, I did some Googling
and found out what my issue was. It is this exact kind of stupid bullshit that
convinces people that open-source software is a joke that can't be taken
seriously, and in some cases (such as this one), they're right.

[1] [https://www.supergrubdisk.org/2012/04/02/happy-2012-april-fools-day/](https://www.supergrubdisk.org/2012/04/02/happy-2012-april-fools-day/)

~~~
franciscop
Fun (autonomy + mastery + purpose)! Don't forget that most OSS is still
developed for fun, and adding things like this is totally fine in that
context. Now, if you want to use thousands (millions?) of hours of development
from hundreds of developers for free, you might have to put up with them
having a bit of fun. The alternatives are to pay them to make very serious
software [tm], use proprietary software or review the code yourself (not
viable most times).

And I'm not being ironic or anything, really, literally the thing pushing a
LOT of OSS is doing it for fun. If people keep complaining and blaming those
OSS devs and it stops being fun then they will stop doing OSS, as many have
done. Or it will be delegated to big companies like FB, Google, etc. where
they get paid for the OSS they make, which is a whooole different can of
worms.

(there is a thread saying something about a political stance, but I'm not
qualified to have an opinion there and most easter eggs are for fun anyway)

~~~
smel
Even if I'm pissed off with this particular incident, since I was working on a
project using this great library and I was scared by the little snowy button
:) ... I agree with you that those people are doing it for fun. I used to as
well, but lost interest in working for free. A lot of companies are making a
ton of money using (among many others) my OSS project. Even my current
employer (a big, if not the biggest, European software vendor) is using it on
a major product they're selling for millions; the funny thing is that they
don't even know, and they prohibit employees from working on open source even
in their own free time.

This particular experience makes me understand that working for free on open
source is really a foolish idea. I was tempted to change the license, but
since there are many others using it to build their business I thought it's
better to just keep it as it is, out of respect for the early adopters and
users, without whom any project is nothing.

For a healthy open source project the work needed isn't fun, at least for
me. It's not just about hacking/problem solving/design; you actually need to
do issue triage, answer questions, write documentation and do extensive
testing (with a whole infrastructure for builds/releases/communication). Those
are not fun activities, and in most cases they are done better than in paid
software (because people are passionate about their projects). In addition to
that I need to work full time on different (shitty) things to pay the bills
and have time for family ...

------
CJefferson
I am increasingly of the opinion that free open source software should include
fun things like this. It is an easy way to remind people just what "free, but
with no warranty" means.

~~~
tokyodude
App yes, Library no?

IIRC VLC's icon has a Christmas tree on Christmas. That's cool. Some library
having a Christmas day Easter egg, not so cool.

That said, the lesson here is probably that if you're doing any serious dev you
really should be reading the source before putting the library in your app
and you should be forking the library into your repo or into your own package
manager server and only taking updates you've reviewed.

~~~
killaken2000
I'm not a fan of the VLC icon change, but I use something else because of it.
It's their choice to include it and my choice not to use it.

Disabling it is easy enough but I have other things to do.

~~~
bayindirh
I wonder why a small icon change is so bothersome. Care to elaborate?

~~~
zimpenfish
"What other hidden surprises are in the code?" would be one thought. If you
can't trust them to leave the icon alone, what else can't you trust them with?

(Note that I don't necessarily agree with this but it's an obvious path.)

~~~
bayindirh
From my perspective, it's the opposite. I think that "If they're smart and fun
to implement a Christmas hat on the icon, they're possibly nice guys, and
won't do something sinister".

This is coming from my 20+ years of experience with computers and
applications. I've seen that programs with easter eggs may have some stupid
bugs, but won't have something sinister inside them. OTOH, applications with
a very serious and no-nonsense attitude have the most advanced "phone home"
mechanisms.

This is my experience though. I'd happily stand corrected if I'm wrong.

~~~
zimpenfish
> This is my experience though. I'd happily stand corrected if I'm wrong.

I don't think anyone can call your own experience "wrong" per se. I'd point to
the Google logograms as a "smart and fun [easter egg]" per your definition but
they are definitely one of the more sinister corporations.

~~~
bayindirh
> I'd point to the Google logograms as a "smart and fun [easter egg]" per your
> definition but they are definitely one of the more sinister corporations.

That's a fair angle :)

------
alangpierce
I wonder if it's reasonable in the long run for third-party libraries to run
under a restricted permissions model with explicitly-granted capabilities.
Just like how it's unreasonable to expect an end-user to audit the code of a
phone app they install, it seems almost as unreasonable for a developer to
need to audit the code of every third-party library they use.

For example, if a library can't access the clock, then it wouldn't be able to
implement this sort of "time bomb" behavior. You could also of course limit
cookies, XHRs, etc. Certainly a bit hard to know how it would work from a
technical standpoint, but I think if done well it would make diligence a lot
more manageable.
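
The capability idea described above (a library that cannot reach the clock, cookies or XHR unless the host grants them), as an added JavaScript sketch that is not part of the thread or of Ant Design. The helper names (`denied`, `loadWithCaps`, `render*`) and the tiny date-triggered library are constructed for the example.

```javascript
// Added example, not code from the thread or from Ant Design: a host loads a
// third-party library under explicitly granted capabilities, so a calendar
// "time bomb" cannot read the clock unless the host hands it one. The helper
// names (denied, loadWithCaps, render*) and the library source are constructed.

// Globals the host withholds by default. A withheld name is replaced by a stub
// that throws on any use, so the library fails loudly instead of misbehaving.
const WITHHELD = ['Date', 'XMLHttpRequest', 'fetch', 'document',
                  'globalThis', 'window', 'self', 'global'];

function denied(name) {
  return new Proxy(function () {}, {
    apply() { throw new Error(`capability denied: ${name}`); },
    construct() { throw new Error(`capability denied: ${name}`); },
    get(_t, prop) { throw new Error(`capability denied: ${name}.${String(prop)}`); },
  });
}

// Evaluate the library's module body with each withheld global bound either to
// the value the host granted in `caps` or to a throwing stub. Parameter
// shadowing only covers direct references; a real deployment needs a separate
// realm (iframe, worker, or a Compartment-style sandbox) so the policy cannot
// be sidestepped. This block shows the policy, not a hardened sandbox.
function loadWithCaps(source, caps = {}) {
  const bound = WITHHELD.map((n) =>
    Object.prototype.hasOwnProperty.call(caps, n) ? caps[n] : denied(n));
  const factory = new Function(...WITHHELD, source);
  return factory(...bound);
}

// Constructed stand-in for a UI library whose button checks the calendar and
// switches on a "snow" decoration on 25 December, the shape of the Ant egg.
const SNOWY_LIBRARY_SOURCE = `
  function isChristmas() {
    const d = new Date();
    return d.getMonth() === 11 && d.getDate() === 25;
  }
  return {
    renderButton(label) {
      return isChristmas() ? label + ' (snow)' : label;
    },
  };
`;

// Host that grants no clock: the egg cannot even evaluate its trigger, and the
// failure surfaces at review time rather than on 25 December in production.
function renderWithoutClock(label) {
  const lib = loadWithCaps(SNOWY_LIBRARY_SOURCE);
  try {
    return lib.renderButton(label);
  } catch (e) {
    return `blocked: ${e.message}`;
  }
}

// Host that grants a pinned clock: the same library becomes deterministic, so a
// reviewer can exercise the date-dependent path on any day (local time).
function renderWithFixedClock(label, isoLocalDate) {
  const fixedMs = new Date(isoLocalDate).getTime();
  class FixedDate extends Date {
    constructor(...args) { super(...(args.length ? args : [fixedMs])); }
    static now() { return fixedMs; }
  }
  const lib = loadWithCaps(SNOWY_LIBRARY_SOURCE, { Date: FixedDate });
  return lib.renderButton(label);
}

// Expected: 'blocked: capability denied: Date' / 'Submit (snow)' / 'Submit'
console.log(renderWithoutClock('Submit'));
console.log(renderWithFixedClock('Submit', '2018-12-25T12:00:00'));
console.log(renderWithFixedClock('Submit', '2018-12-24T12:00:00'));
```

Granting a pinned clock instead of the real one is also how a reviewer can surface a date-triggered change in CI before it fires in production.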

~~~
Something1234
I really like this idea. Although permissions will have to become a lot more
granular. There may be a little bit of call overhead, but this kind of context
level permissions would be amazing.

------
songco
The framework marks itself as enterprise level. It is used by many small
companies in China, and those companies deliver products to many different
customers, including the Chinese gov/military, and maybe some Middle East
customers.

So the problem is that:
1. The Chinese gov/military don't allow celebration of Christmas in their
offices (CCP members are not allowed to have religious beliefs).
2. It's a critical thing for some customers, like the Middle East.
3. If it were a hidden Easter egg that is hard to trigger, it would be ok; but
it's not.

~~~
songco
Comments from the dev of the Easter egg:
1. He commented that it's a small thing that doesn't need to be included in
the changelog. So nearly all users didn't know about this.
2. Another of his comments: "I have already prepared for the complaints"

------
molszanski
They could've at least limited it to a DEV environment or a whitelist of Ant
Project related domains. I hope they've learned the lesson.

------
jlg23
I call that Darwinism at work: the author of this surprise disqualified
themselves for any job that requires trust or at least a minimum of cultural
sensitivity [1]; the users of this disqualified themselves from any work that
requires attention to detail (like actually reading the code of libraries used
or at least checking the issue tracker).

[1] I live in a country that is 97% Muslims. For most here, Christmas means at
most the beginning of "white, European tourist season". My SO thought until 2
days ago that Europeans simply have a week long warmup to the new year
celebrations...

------
EamonnMR
Pipenv did this for Halloween.

[https://github.com/pypa/pipenv/issues/786](https://github.com/pypa/pipenv/issues/786)

------
zorpner
This is a long-standing feature of VLC which I enjoy (the Santa hat on the
icon), but is similarly not enjoyed by everyone:
[https://forum.videolan.org/viewtopic.php?t=96539](https://forum.videolan.org/viewtopic.php?t=96539)

My opinion about people who demand professional perfection from software they
neither pay for nor can be bothered to review the source of is probably well
indicated by the tone of this sentence.

~~~
saghm
I think there's a difference between putting a cosmetic thing like this in an
application rather than a library; if you put it in your application, you're
not going to change the experience of anything other than your own product,
but by putting it in a library, you're changing the experience of other
people's applications. From reading other comments here, though, it seems like
this isn't a universal opinion.

~~~
djsumdog
Yeah, and VLC is really just a media player. Sure, someone might be using it in
production at a kiosk, but that little icon change literally doesn't affect
production use at all.

------
marcus_holmes
Another reminder that dependencies are bad. Introducing someone else's code
into your production environment without auditing it is a security breach.

This "undocumented code change" could easily have grabbed any login
details/session cookies/personal data from the page and sent them somewhere,
instead of drawing snowflakes. I doubt anyone would have noticed for a
while... clearly there were a large number of people who weren't auditing the
latest version of the code to see what changed, and only noticed the change
because of the visual effects.

Sorry, but if you deploy a random chunk of third-party code into your
production environment without knowing exactly what it does, you deserve to be
sacked.

~~~
cyphar
> Sorry, but if you deploy a random chunk of third-party code into your
> production environment without knowing exactly what it does, you deserve to
> be sacked.

Have you reviewed all of Linux, glibc, nginx/Apache, bash, all several
thousand node dependencies, and so on? Do you do such a review each time you
have to update a package?

Don't get me wrong, I think there's a serious problem with the micro-
dependency insanity, but every single person on the planet depends on others.
"We stand on the shoulders of giants" is more of a truism today than it has
ever been. It's not a sacking offense to trust people (because you wouldn't be
able to do your job if you spent all of it reviewing other people's work).

Most people have a reasonable expectation that maintainers of a project are
reasonable people -- which is why the micro-package insanity is particularly
problematic. I trust most kernel maintainers and so I don't check each Linux
release to see whether a backdoor was added (I only check if I've noticed a
problem). The blame should be on the maintainers here -- it isn't acceptable
to add Easter eggs like this to a library used by many people (especially if
it's being used for Serious Business™).

Would you blame every glibc user (which is all Linux users) if they decided to
make all math functions return 25 on Christmas? Of course you wouldn't --
you'd blame the maintainers for having lost their minds.

~~~
marcus_holmes
I do deliberately try to limit what goes into my production machines, yes. I
choose to trust some things, carefully, and choose not to trust others. No, I
can't review everything out there. But technically, I should. And if it goes
wrong and there's a problem with some code that I put on the production
machine, then that's my problem.

I don't really understand why we have "reasonable expectations that
maintainers of a project are reasonable people". We absolutely know for a fact
that a not-insignificant percentage of our users are malicious. Why do we
assume that zero percent of package maintainers are malicious?

The only qualification someone has to be a maintainer is to have written
something that someone else wants to use, and to publish that thing on a
package repository. Or that they volunteered to take over maintenance of a
thing that other people want to use. There's nothing in there about not being
malicious.

And yes, I would absolutely blame every glibc user for trusting the glibc
maintainers. Glibc is a gift. I don't have any contract with the maintainers
of glibc that says they have to act in my interests. I choose to use their
work because it saves me time. If that stops being the case, I'll find an
alternative (together with everyone else), or roll back to the last known good
version of their work that they let me use. If the glibc maintainers really
want to make it Christmas Day every day, then that is entirely their right. I
do not have the right to demand anything from them or their code. I don't have
to use their code, and they don't have to take my needs into consideration
when writing it.

~~~
cyphar
> And if it goes wrong and there's a problem with some code that I put on the
> production machine, then that's my problem.

While I understand this sentiment, it's not practically possible -- and if
every business did audits of _all_ code on their production machines (do we
include firmware?) they would never get any work done or update anything.
Which would lead to objectively worse outcomes (outdated/insecure software or
no software developed at all) -- so there needs to be a middle-ground
somewhere. In fact, you've already picked one (which is reasonable -- I think
limiting dependencies is a _good thing_ ):

> I do deliberately try to limit what goes into my production machines, yes. I
> choose to trust some things, carefully, and choose not to trust others.

I would expect NASA/JPL to audit everything they run in production on a space
telescope or shuttle. I wouldn't expect the same from the next "Uber for
Dogs", nor would I think it a reasonable standard.

> I don't really understand why we have "reasonable expectations that
> maintainers of a project are reasonable people".

For a variety of reasons. Maintainers are public entities, so they know if
anything they do is malicious they will feel immense backlash (such as is
happening here over a somewhat minor issue compared to exfiltrating user
data). People have pride in their work -- this is a known psychological effect
-- and this is especially true in the free software world, so it's much less
likely they'd sabotage something they'd put their time into. Developers that
contribute to a project (likely for work or something like that) can become
maintainers and thus the most motivated users usually become maintainers (and
given that it takes time to become a maintainer of most large projects, doing
it to sabotage the project is a long-haul gig).

> And yes, I would absolutely blame every glibc user for trusting the glibc
> maintainers.

I think this is far from reasonable -- you are talking about literally every
single user of any program built on any Linux distribution for the past 30
years. Would you level more blame on the glibc maintainers for betraying their
users in this manner? Do you blame websites for CVEs like Heartbleed -- even
if they fix them as soon as they can?

> I don't have any contract with the maintainers of glibc that says they have
> to act in my interests.

Not a legal contract, but a social one. People who are in positions of power
have an ethical duty to our society. Those who don't, don't deserve to be in
such positions.

------
qwerty456127
> The timing is sensitive and unfortunate as local governments in China are
> cracking down Christmas celebrations.

I'd say this is the perfect time then. Governments cracking down on Christmas
celebrations should be fought and ridiculed.

------
stickfigure
I actually use Ant in my product. I had no idea this would happen. And I think
this is... pretty awesome?

The world needs more random amusing-but-not-damaging surprises like this. To
the Ant team: I'm impressed.

~~~
crooked-v
> amusing-but-not-damaging

Some people got fired because they used this library in sites and this
happened.

------
mac_was
Seems to me that they’ve lost credibility by injecting this sort of ‘joke’
into open-source software used in prod in many companies. How would I use it
for a new project now?

------
mp3k
The event was certainly interesting enough that it was worth setting up a new
Jekyll blog, right?

------
zenexer
Is it known whether this was a deliberate political statement in response to
recent events in China, or just a festive holiday joke intended to be
harmless?

Given the current state of affairs in China, I’m inclined to believe this was
political. If that’s true, many of the other comments here debating the need
for professionalism in FOSS may be missing the point. It could be argued that
this fits into the same category as the malicious hijacking of libraries on
NPM, although I agree with the political statement being made here.

A more appropriate debate may be whether it’s acceptable for FOSS libraries to
protest human and civil rights violations.

~~~
Ahmed90
Protest all you want, but use your own products, not others'. Can you tell
me what your feelings would be on getting a call on the holidays from an angry
client or a manager who might not even be celebrating Christmas?

Chinese politics? Alright, fair enough... but what if some of these companies
got punished because of it, or lost business?

I'm Arabic; can you imagine the shit a dev will get because of this if he/she
used Ant for a political figure's or party's website? Imagine a non-Christian
religious organization finds their site publicly celebrating Christmas?

At the end of the day, politics or not, the only person that will get all the
shit dumped on their head is the poor developer who trusted your product and
took you as a responsible person with all the 39k GitHub stars and 692
contributors... if I can't trust that to be mature then eh... good luck
reshaping the world with FOSS.

Good luck explaining dependencies to the client/manager and how "someone from
outside the company can modify our precious little website" and how you can
prevent that in the future lol...

~~~
karmasimida
> I'm Arabic, can you imagine the shit a dev will get because of this if
> he/she used Ant for a political figure or party website?

Can you illustrate this specifically? Had this happened, would the dev
himself/herself get punished?

~~~
Ahmed90
Personally, I'm from Iraq. Regular people won't care, but politics, religious
figures, government things with a stupid manager etc... they will give that dev
a hard time, some yelling, and might just fire him.

------
crooked-v
Well, there goes any chance of me ever using this project.

~~~
matte_black
Unfortunately there aren’t many sensible alternatives for what Ant Design does.

~~~
ng12
What does Ant give you that Material-UI, Kendo, or Blueprint don't?

~~~
matte_black
A complete set of useful and practical components for enterprise applications.
Have you used Ant??

~~~
ng12
There are many such frameworks including the three I mentioned. I haven't used
Ant, but I've looked at it and didn't find a compelling reason to use it over
the others.

------
conanthe
What reaction did someone expect by shoving their religion down the throats of
the users? This is so sad.

~~~
PhasmaFelis
Snow and "ho ho ho" is hardly a religious statement. If anything, this is the
capitalistic "buy lots and lots of presents" version of Christmas, not the
religious version.

~~~
monsieurbanana
They are one and the same.

~~~
PhasmaFelis
They overlap a lot in the West especially, but they're very different
phenomena. Look at Japan, where Christmas is hugely popular, Jesus is nowhere
to be seen, and a poll of schoolchildren a few years back showed that most of
them thought the holiday was about celebrating the birth of Santa Claus.

------
anigbrowl
For those outside the USA, I regret to inform you there is no such thing as a
'Christmas egg' and no Christmas traditions involving eggs. May I suggest
calling it a Christmas cracker?

~~~
bdcravens
What is a Christmas cracker?

~~~
roryokane
[https://en.wikipedia.org/wiki/Christmas_cracker](https://en.wikipedia.org/wiki/Christmas_cracker)

“Christmas crackers are festive gifts that make a snapping sound when opened.”
For example, a Christmas cracker could contain a paper with jokes on it, a
paper crown, and a puzzle where you have to disconnect two linked ring-like
metal pieces.

------
ngcc_hk
Why not have a bit of Christmas spirit, and why not allow a bit of a Christmas
message? That is the real question.

