"Earlier today, a former Chef employee removed several Ruby Gems, impacting production systems for a number of our customers."
So the developer already had left the company but one of his own Open Source code hosted on his personal github was used in production by Chef Customers ? Really ? That is just Wow. I don't have any strong opinions on whether he did the right thing but this absolutely surprises me. Running a small company, I am very strict against any of us using any personal accounts for anything that impacts our company work especially production. This has to be a no no by default I would assume.
Yes and even though they are similar but I would still argue that npm hellhole is quite different than a direct github library being used by a company in production.
Not completely related, but the tone of the two tweets linked in the article doesn’t make sense to me. The first is a reasonable request for a comment about an issue that Shanley cares about, but it’s immediately followed by a comment a minute later screaming at Chef to take a certain action while hurling epithets at them in all-caps. How can you possibly assume good faith from the first comment after reading the second? Why didn’t she just go straight to attacking them if that was clearly her intention?
Expecting good faith from shanley given her track record is like yet another frog offering a ride across the river to the scorpion, despite the frog corpses nearly damming the flow downstream. This is just not a person who deserves to be taken seriously.
The technicals of the story are interesting around the software supply chain.
I’m put off by the statement: “I want to be clear that this decision is not about contract value—it is about maintaining a consistent and fair business approach in these volatile times,” he wrote. “I do not believe that it is appropriate, practical, or within our mission to examine specific government projects with the purpose of selecting which U.S. agencies we should or should not do business.”
I hear about practicality all the time at my office and sometimes it’s real and sometimes it’s laziness. This sounds like a little of both but also profit motivated (not saying that’s wrong for a for-profit company).
Interested in your options on code of ethics and the above.
It's definitely impractical to say you won't do business with anyone who does things you don't endorse. Imagine an electrician trying to demand a certification that the buildings he works on will host only ethical tenants. You just can't run a company that way; even people who do meet your ethical standards won't do business with you.
If you think that ICE is so uniquely bad that they specifically need to be boycotted, that makes sense. Without inviting any debate on whether it's true, it's a consistent position that can be reasonably applied.
Congrats, you have very mainstream ethics. Imagine trying to run a business that uses no fossil fuels and does no business with anyone using fossil fuels.
I'm glad to hear that you can make it work. About how frequently do you cancel contracts because you've discovered your client is doing something unethical?
I recently declined a client who appears to be a white supremacist. I have declined work in the past due to the potential client organizations working with the military, police, or other violent organizations.
We all have this responsibility to place nonviolence above profit.
I think that's a very different thing than, as Chef is being asked to do here, terminating existing clients because they got some bad press on Twitter. Both in terms of your own operations (sudden cashflow interruptions are hard) and your clients' willingness to do business (can I justify the risk of waking up one Monday to learn that our CI provider is cutting me off and all development is dead in the water?)
It's a PR statement so I wouldn't read much into it. It's designed solely to yield the least negative response possible in a polarizing situation.
But if we ignore the meaningfulness or truthfulness of the statement, let's take two hypothetical societies. In one society people agree to cooperate and trade with others when there's a mutual self interest, even if they happen to despise their partner otherwise. In the other society, people engage in a substantial degree of scrutiny and only trade and cooperate with others whom they are meaningfully aligned with. Which society do you think would have the better outcomes for whichever metrics you might imagine? I'd start with economic/technological progress, war vs peace, tribal vs unified (not to say homogeneous) society, etc.
I think there is a clear answer to my hypothetical, but perhaps people see things differently. I'd be quite curious to know how.
It does seem odd and convenient to say I’ve got no problem making money from this part of the government but I won’t sell to that part of the government. It’s the same Congress and President making decisions for all the parts. Either it’s beyond the pale or it isn’t. I mean, would you do business with ISIS so long as the particular sub-project you were providing material for was innocuous?
I don’t think this tracks. I mean, the American Government is also part of the human race. Because we object to one part of the human race should we refuse to deal with any of it?
Humans have to make moral choices about where they personally draw the line and where they draw the boundary. Around the organisation that falsely imprisons Americans and runs concentration camps seems like a starting point.
No one is in charge of making decisions for the human race. The President and Congress make decisions for all of the federal government.
If you thought the Windows division of Microsoft was acting extremely unethically would you still do business with the XBox division? It’s one CEO and one board that runs both.
Yes, because I know from experience with large organizations that there can be a lot of variance between different parts of an organization. Also, relatively little that happens is directly controlled or decided at the top.
> The President and Congress make decisions for all of the federal government.
That’s fundamentally not true. Appropriations and appointments are not the same as “making decisions”, but even if they were, the judiciary still exists.
Let’s circle back to the core issue here: are you or anyone else really claiming that the policies ICE is pursuing under Acting Director Matthew Albence, which so many people object to, are against the wishes of Acting United States Secretary of Homeland Security Kevin McAleenan or President Donald Trump? Or even that those two haven’t had a direct role is causing them to be pursued?
"Another user pointed out that Chef isn’t the only company to profit from working with ICE. Microsoft has raked in $4.6 million, IBM has received $1.6 million, and CISCO has received about $500,000 through their work with ICE."
Those numbers seem very low. Is this just for one year or one contract?
Does each government agency have to individually enter into a contract with Microsoft et al.? That sounds wildly inefficient and silly. My guess is that this "user" pulled those numbers out of thin air.
The purpose of a contract isn’t to be efficient with paperwork or describe a high-level view of transactions. It’s a document that very granularly describes those transactions.
Any large organization has many people with the authority to spend money, and each one of those transactions will be supported by a contract.
The contracts are generally for specific products or services, for a specific time. High-level agencies have a great deal of autonomy and also get to pull their needs out of their own budgets. Lower-level elements within an agency (a NASA center, for example) can also have more or less autonomy.
Yeah I shouldn't been more clear in my question. I was more referring to high-level services (e.g. Office). For specific use-cases, it makes sense for lower level agencies to have at least a little autonomy.
That would be an insane precedent to send if breaking or removing a FOSS project becomes a crime simply because your project happens to be used in some mission-critical system.
Good way of making sure no one ever contributes to FOSS again.
Do you think that there is a point in having boarders between countries? If so how should they be enforced? If a 17 year "child" crosses the boarder should they be detained (ie. kept in prison until deportation) or should they be allowed to walk free in the US. If a child and parent both crossed the border should only the parents be detained leaving the child to fend for itself in America? Should they be detained in the same cell? ie keep children detained with adult.
I agree that keeping children in cages is not good, but there are solutions. If ice had a bigger budget maybe it could have more beds, larger cells, better food. I don't see how removing enforcement is a solution.
Using children as a way to take advantage of existing policy is a well known strategy employed by the cartels to get across the border, which is what initially precipitated the separation policy under the Obama Administration. While, sure, ICE having more funding would be good it's still just treating a symptom of a much larger problem (growing strength of Cartel activity and human trafficking).
Would you be much happier if it was a normal room, but locked from the outside?
I never saw anyone talking about "cages" until about a year or so ago. It seems the alternative of better accommodation isn't what people are demanding here, but rather, giving children a waiver to break any and all laws. If you want to see children being forced or recruited into cartels in record numbers, making them immune from any kind of border enforcement is a surefire way to do it!
I'm waiting for you to write what the alternative is? Make a law stating that if you cross the boarder illegally, or for that matter, commit any crime, but are a child, then you do not get detained?
Free movement of peaceful people is a basic human right; borders are based on entirely arbitrary violence, and are utterly ridiculous and plainly contrary to decent morals and good sense.
Guess I don’t have decent morals and good sense, because open borders sounds like a really bad idea and is something that’s only ever advocated for by an entrenched elite that’s completely insulated from any potential problems that policy will cause.
The goal was not to disrupt ICE, Chef, or any organization thereof. The goal was to remove my code from an ecosystem that was using it for purposes I perceive as evil. I had no goals of disrupting ICE operations or Chef operations.
I suspected a small percentage of people with a hard, runtime dependency would be impacted, but I did not know Chef (the software) had a hard runtime dependency and was pulling that dependency from public RubyGems instead of a mirror they control.
Besides the political statement, do you have any technical opinion about an organization such as Chef shipping things that have runtime deps to third parties?
It wasn’t a political statement. I have a few thoughts in general. These aren’t specific to this situation.
First, always minimize runtime dependencies. I personally prefer compiled things for this very reason.
Second, if you’re going to include a third party dependency, how are you auditing it? There’s an unexplored area around security here too. The Node.js ecosystem has had a series of incidents where popular packages have had cryptocurrency miners injected into otherwise helpful packages. If you’re depending on third party runtime dependencies: how are you auditing changes and contributions, how are you scanning for vulnerabilities, how are you patching those vulnerabilities if you don’t have an internal fork upon which you build?
Third, RubyGems is a volunteer-run organization. I believe other software ecosystems are similar. From my understanding of the situation, a RubyGems outage would have had similar effect.
If you use Go, then try one of the new self-hosted repositories, such as github.com/gomods/athens since it allows you to archive every dependency you ever update so you can always retrieve past dependencies.
It's a political statement that will do nothing but echo in people's respective echo chambers. It'll get positive coverage like this in places like the Daily Dot and MSNBC, and Tucker Carlson will use it as "just another example of far left Silicon Valley attempting to circumvent our laws".
Tucker Carlson talking about this is a good outcome. This will only highlight the power that open source and open source contributors have. Lol, a political kerfuffle over an devops FOSS project.
Make working with ICE a toxic asset. Make people not proud of working for ICE contractors.
You actually think that Carlson is going to inform his viewers of the virtues, let alone technical details, of a FOSS project?
>Make working with ICE a toxic asset. Make people not proud of working for ICE contractors.
This kind of activism in tech leads no where good. It will lead to witch hunts, more "cancel culture" purity spirals, and generally shit software used for critical functions of our government.
There have been some angry people on Twitter/HN/Reddit, but I would say “no” in general. Most feedback has been “you broke my stuff, but I don’t mind. thank you for standing up”.
I contacted them three times. One by mail, twice publicly via Twitter. I received no response. My correspondence did not request cancellation of the contract but rather an explanation. Inside sources at the company confirmed the contract and also noted leadership was forbidding them to speak publicly.
What stunt? He removed an open source library from his own personal account because he felt the nazis shouldn't be using his software. It's kinda like when IBM sold the nazis hardware to keep track of the Jews.
It’s also worth noting that the same result would have happened if I’d died. My will requests the immediate deletion of “all Internet accounts”. Such an action (deleting my GitHub account) would have had a very similar result.
Detaining and deporting people illegally crossing a border is far, far from comparable to the deliberate extermination an religious minority. There are good objections to make regarding treatment of migrants at the border, but this kind of extreme hyperbole seriously cuts away at the credibility of those arguments.
If ICE are literally Nazi's and immigration deletion centers are literally concentration camps, then why not? After all that would mean that they are effectively the embodiment of evil. You would be a hero.
If you actually genuinely believe that then I can't see why you wouldn't. Unless deep down you're self aware that you're using such rhetoric not because it is valid but because you think it supports your political cause while hurting politically those who you disagree with.
Perhaps under an alternative definition of the term "concentration camp" which would also include prisons and jails. Whether or not you believe the law is just the people being detained have committed the crime of illegal entry, and they are being detained because of this crime.
The mainstream definition of concentration camp is one where people are interned on the basis of a national, ethnic, or religious identity [1]. The term came to prominence during the Boer War [2] where Afrikaners were imprisoned on the basis of their ethnicity, not for any particular crime. Detaining people illegally crossing a border is not a concentration camp under the commonly accepted definition.
Except they aren't. No group is being concentrated for being members of religious, political, or ethnic groups. The people in ICE detention facilities are there having been arrested for crossing the border illegally and awaiting a hearing in which a judge reviews their case usually to determine if their refuge claims are valid. By your standard jails and prisons would be concentration camps, which is also ludicrous.
It's also pretty short-sighted because ICE does some uncontroversial things (border crossings, customs), and a lot of the flak they've been getting is from actions pushed down to the from the administration. Now, they're also not known for being defenders for human--or even constitutional--rights.
It seems more effective to donate $2,800 to pick-a-democrat. Or Mark Sanford.
While border crossings and customs are themselves not controversial for merely existing, how they are administered is definitely a source of controversy.
Seth, as a person that has learned a lot from you over the years and benefited from your work while at Chef, Hashicorp, and Google Cloud, this act has only increased my respect for you. Thank you for taking a stand against oppression and injustice.
I expect that, to be ethically consistent, this developer will also return all salary or payments he received while creating this now-deleted code.
I think leaving a job is a better protest than doing damage to your employer. And perhaps for his next contract, he might insert a clause limiting what his code can be used for. In limiting the utility of the code he sells, I expect he'd be taking a lesser pay rate for it.
If you read the article, the developer already was not working for Chef. Chef was/is relying on OSS components which the former develop pulled from the open repository. -edit for clarity.
Interesting approach. Makes me wonder if you authored a component and extended a license to say that “use of this code must abide by [inert relevant code of ethics]”, could you enforce that?
Fundamentally, it depends on the license. When this came up under Bush 43, the appeal was "the military is not allowed to use this!" and RMS and many others pointed out terms like this. This one is from the GPL v3 specifically:
> All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program.
Other licenses have similar clauses and a short list of requirements which must be met. Since the relevant groups, agencies, etc were (and presumably are) meeting the requirements, there's no grounds to revoke the license.
iirc, the Open Source Initiative stated that any claims/requirements limiting who could use the software or where they could use it would not meet the definition of "open source."
It's under Apache license. I think the ethics of code placed under that license include "you may use this; you may rely on being able to continue to use this; if you don't like the direction the main package is taking for whatever reason, you may fork it and [optionally] release your fork under Apache as well."
Is it unethical, though? The entire point of OSS is that you cannot revoke the license once granted. A hostile fork is the expected result of Chef's actions.
The zeroth freedom is the freedom to use the software for any purpose whatsoever. That inherently must include purposes which the author finds unethical, even abhorrent.
But forking with the intention of helping people run concentration camps and changing the authorship of the commits? Doesn’t fit into my model of ethics.
So the developer already had left the company but one of his own Open Source code hosted on his personal github was used in production by Chef Customers ? Really ? That is just Wow. I don't have any strong opinions on whether he did the right thing but this absolutely surprises me. Running a small company, I am very strict against any of us using any personal accounts for anything that impacts our company work especially production. This has to be a no no by default I would assume.