Marak's GitHub account suspended after he erased his faker project (twitter.com/marak)
99 points by phoronixrly 11 days ago | 71 comments

Just a quick note to say I learned more about the backstory of this post from 4 comments on HN than trying to run down the rabbit holes of that Twitter thread. Thanks for that.

Summary from what I can tell: Faker.js is a JavaScript tool for generating realistic test data. Marak is the developer of said tool. He hosts a public version of it on a personal, public GitHub account repository. For some reason he updated the README of this repo to include links to some conspiracy threads on Reddit. Microsoft, owner of GitHub, has suspended his GitHub account. No one seems to know why and whether or how it relates to this action. Various people have opinions and suggestions about this.

Okay, there is more actually.

Marak develops this very useful tool and gives it away for free, receives praise but no money. After realising that there is no money in giving stuff away for free with no further plan down the road, he gets cranky as others are not giving Marak free services and don't accept applause as a payment method, and says that someone needs to pay for it or take over the development. Declares that he will no longer do free work for corporations[0], but corporations seem to be unimpressed that the free worker will no longer work.

Since no one seems to be interested in paying for work offered for free, Marak launches a SaaS version of the tool as fakercloud.com, which is a popular strategy and sometimes can actually work.

Unfortunately, according to Marak[1], engineers from Retool copy the SaaS platform and launch it as a part of Retool. Marak, realising what has happened, offers to sell fakercloud.com to the CEO of Retool. The CEO ghosts Marak, maybe because he doesn't want to give evidence for a lawsuit, or maybe because he doesn't see the point of purchasing a product that the internal engineers have already built.

As a result, Marak gets angry and deletes everything and posts conspiracy theory memes and links everywhere. As this tool is a popular one and people depend on it, NPM suspends Marak's account and continues to provide the latest working version that Marak gave them for free.

Honestly, I feel for Marak. What a talented engineer and romantic businessman.

[0] https://news.ycombinator.com/item?id=25032105

[1] https://web.archive.org/web/20211030075524/https://marak.com...

Just WOW! It's fascinating when you put a face on an online persona. Sooo, is he doing these things from Guantanamo, or was the incident considered "no biggie"?

Charged with a misdemeanor, no data to show he was convicted. Or if he was, it might have been through a program that allowed the conviction to be wiped.

This man should be thankful he’s not in jail right now. For reasons unbeknownst he basically got a slap on the wrist. If he wasn’t caught who knows what may have happened.

My guess is that you're legally allowed to own all the different bomb-making pieces unless they can find any solid evidence you planned to commit harm with them. I wonder whether the court ordered a psych evaluation for him?

> receives praise but no money

Sort of. faker.js has an open collective [0] which receives some money each year. However, living off a single open source package - even one widely used like faker - is very difficult even in lower cost of living areas.

[0]: https://opencollective.com/fakerjs

Nobody has an issue if an unpaid open source developer doesn't feel like developing anymore. The issue here is that he tried to take back what was already out there.

In the old days that wasn't a problem - when you released some OSS, you put a tarball somewhere and told people to download it. Some of those people were redistributors (mostly Linux distros or BSDs, but also CD vendors, people running FTP sites of neat things, etc.). Many of those redistributors, in turn, got their software to people from further redistributors (mirrors, people burning CDs and passing them around, etc. - up to even a decade ago I was both giving and receiving Ubuntu CDs). More people got your software from a redistributor than directly from you.

If you tried to "un-release" some OSS, not only would that not work, it would be abundantly clear to you that it wouldn't, and moreover that would be clear to you well before you even published the first version, so you wouldn't feel like you were tricked or didn't have the chance to think this through.

With the new world of GitHub and NPM and such, and especially tools like Go that pull directly from GitHub, the role of the distributor is basically no more than the role of GeoCities: they provide hosting for you, but it's in your account. So you can take things out of GitHub and NPM just as easily as you can un-publish a web page. (In fact an analogy could be made here to blogs, where you can un-publish, vs. newsgroups/mailing lists, where you can't.) There could be mirrors, certainly, but there aren't necessarily mirrors, and the social norms on both ends are against them: you aren't explicitly asking people to mirror your code and distribute it independently from you, and other people may feel that it is rude/inappropriate to continue to distribute code that you've chosen to stop distributing.

There are certainly very strong advantages in scale of participation (and in the loss of a certain gatekeeping that could not scale) in this new world, but it does seem like it would be good to recapture this one feature of the old world.

It's a bit similar to your email address not only being just a way to send you email, but also effectively your identity.

> For some reason he updated the README of this repo to include links to some conspiracy threads on Reddit.

For more clarity here, he didn't just update the README. He deleted the repo and replaced it with one that only has the modified readme and no content, and pushed an empty package to npm as the latest version (npm has removed the latter).

I think it's utter bullshit that npm took action the way they did. It's well within his rights to pull the project and update the namespace to whatever he wants. Woe be to those who didn't contribute all these years.

npm is under no obligation to facilitate that. It's well within their rights to use their TOS to refuse service to him in publishing his disruptive package, and simply continue distributing the previous versions under the license terms Marak explicitly licensed them under.

You seem to be treating the "THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND" section of the MIT license as a blanket "well it says they can do whatever so it's fine", but not giving the "Administrators at npm reserve the right to delete content hosted on the npm Services that they deem unacceptable" term the same leeway.

Either we can expect some sort of implied good faith from both parties despite their legal terms and licenses disavowing such, or we can simply expect the exact text of the licenses. To have one set of expectations on Marak, and another on npm is unreasonable.

It just really rubs me the wrong way -- who can argue this isn't just a legitimate reboot of faker? Why does npm get to say that the future of faker isn't a directory with a single .md file? What's to stop this from happening with something higher profile, like npm just decides the new version of webpack is trash, and locks out the maintainers. Sounds like some sussy sourceforge shit to me. It's one thing if there is a virus or a cryptominer in the repo, or if the package maintainer gets hacked and needs control restored. It's another thing to exert editorial control over a popular package and lock out the maintainer. Bad look.

Would rather live in the universe where people just re-upload the original under a different maintainer or (gasp) actually pay the guy for all the work he's done over the years, than the world in which certain npm packages become "too big to fail" so we never get to see the actual dynamics of failure, that are supposed to happen, come into play.

Is it really open and free if NPM can make editorial decisions that trump the repo owner, whenever they want? I think the implication of this is software packaged on NPM isn't really open source.

Freedom 3 of the Free Software Definition:

> The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

One of the tests for the Debian Free Software Guidelines:

> "The Tentacles of Evil test". Imagine that the author is hired by a large evil corporation and, now in their thrall, attempts to do the worst to the users of the program: to make their lives miserable, to make them stop using the program, to expose them to legal liability, to make the program non-free, to discover their secrets, etc. The same can happen to a corporation bought out by a larger corporation bent on destroying free software in order to maintain its monopoly and extend its evil empire. To be free, the license cannot allow even the author to take away the required freedoms.

By these standards, if NPM could not do this (or could only do this by virtue of their TOS), then faker.js and colors.js would not qualify as free software.

Most free software definitions are focused on preserving the freedoms of the user first; other wishes of the author, like "being paid" or "printing ASCII American flags", are secondary.

Maybe the issue isn't that NPM and GitHub are taking that decision, but the risk of network-effected monopolies. Same discussion as with generic social media and FB/Meta.

A more distributed network benefits everyone. So if this rubs you the wrong way, why not take the opportunity to consider defaulting to alternatives (even just a smaller player), or even self-hosting?

Regarding the Faker.js incident, I’m torn between two positions, however unpopular they might be:

1. If I publish a library somewhere, I expect to have control over its future versions, even if I want to effectively break it. If you have not pinned its version in a lockfile or vendored it, it’s your problem if the new version breaks the API. If you have forked it, you can republish it license permitting, but my thing is my thing. If NPM and GitHub allow themselves to take that control away from me, that sounds like news.

2. My attitude to OSS is “help yourself, then help others”: find income (consult, make a business, join a business, etc.), then contribute when you’re comfortable. If you contribute to the extent that it causes you financial ruin, please don’t contribute.

On the other hand, the alleged copying of the author's SaaS is unequivocally bad if true. One could sue in response, but presumably it might be difficult depending on local laws, and especially if the thief is in another country.

> If NPM and GitHub allow themselves to take that control away from me, that sounds like news.

That's the thing. When will people realize these obvious downsides when they decide to use these big, centralized platforms to distribute their software?

You are using someone else's computer and this has some actual consequences. If your thing being your thing is important to you, make it so?

I know the problem might be hard for NPM, but nothing forces you to use GitHub.

Marak force-pushed to his GitHub repo to remove all prior version history. If all he did was publish a new broken version, then my opinion would be very different.

I believe I should be able to do this with my GitHub repo. (Obviously, anyone is free to fork and I don’t expect to be able to do anything about that.)

Absolutely. In my view the ability to destroy something is nearly the definition of ownership.

It’s even more worrying once you consider that both NPM and GitHub are owned by the same company.

I don't see why not. There are perfectly valid reasons for such an act (enforcing a new licence, e.g.), and even if there weren't, it's his repo.

If you want to maintain control over your distribution, you must self-host it.

Interesting. So he got upset with his project and pushed a new version to NPM which was an empty repo, breaking lots of people's builds. Fair enough I suppose. It's his project.

Then NPM reverted the last version to unbreak things probably suspecting his account had been hacked. Fair enough.

Now what happens when the author declares it was him? Is it his right to push a broken version? Is it his right to delete the npm package entirely? I'm sure there are some npm terms of service around this, but it's an interesting scenario.

> Now what happens when the author declares it was him? Is it his right to push a broken version? Is it his right to delete the npm package entirely? I'm sure there are some npm terms of service around this, but it's an interesting scenario.

NPM's terms of service indicate they can refuse service for any reason, and the package's own license of GPL indicates that NPM legally can distribute it without the author's consent otherwise. Even if the package was not licensed as such, NPM's terms of use indicate you grant them an irrevocable license to distribute what you upload. Unlike some social media platforms, they don't reserve the right to sublicense it, but they do require you to agree that they aren't the ones liable if someone they distribute it to breaches the license.

> breaking lots of people's builds

Why would it break people's builds? I can only see this happening if they upgraded faker.js.

Besides, best practice says to check each package's repo before upgrading because of 1) malware, and 2) potentially breaking changes.

Also, many forks exist, and you can point to GitHub versions of a package.
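The pinning and lockfile points raised above (a range like ^x.y.z floats to whatever gets published next, a lockfile is what holds the version still, and a dependency pulled straight from GitHub is not covered by the registry restoring an older release) can be turned into a check that runs before `npm install`. The audit below is an added example written for this page, not code from the thread or from the faker project; the package.json and package-lock.json it inspects are constructed, and `some-lib` / `example-org` are placeholders.

```javascript
// Added example: audit a package.json plus its package-lock.json for dependencies
// that a registry-side restore of the last good version would NOT protect.
// All sample data below is constructed; "some-lib" and "example-org" are placeholders.

// An exact pin: one specific release, optional prerelease/build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Specifiers fetched from a Git host or URL instead of the npm registry.
const REMOTE_SOURCE = /^(?:github:|gitlab:|bitbucket:|git\+|git:\/\/|https?:\/\/|[\w.-]+\/[\w.-]+(?:#|$))/;

// Classify the specifier a manifest uses for one dependency.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (REMOTE_SOURCE.test(s)) return 'remote';  // bypasses the registry entirely
  if (EXACT_VERSION.test(s)) return 'exact';   // resolves to exactly one release
  return 'range';                              // ^, ~, *, latest, >= ... may float to a new publish
}

// Return findings per dependency; an empty list means every dependency is pinned,
// served by the registry, and backed by an integrity hash in the lockfile.
function auditDependencies(pkg, lock) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = (lock && lock.packages) || {};
  for (const [name, spec] of Object.entries(deps)) {
    const kind = classifySpec(spec);
    if (kind === 'remote') findings.push({ name, spec, issue: 'non-registry-source' });
    if (kind === 'range') findings.push({ name, spec, issue: 'unpinned-range' });
    const entry = locked[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, spec, issue: 'missing-lock-entry' });
    } else if (!entry.integrity) {
      findings.push({ name, spec, issue: 'missing-integrity' });
    }
  }
  return findings;
}

// Constructed sample: one exact pin with an integrity hash, one caret range whose
// lock entry lacks integrity, and one dependency pulled straight from a Git host.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: {
    colors: '1.0.0',
    faker: '^5.0.0',
    'some-lib': 'github:example-org/some-lib',
  },
};

const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    'node_modules/colors': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/colors/-/colors-1.0.0.tgz',
      integrity: 'sha512-CONSTRUCTEDPLACEHOLDERHASH',
    },
    'node_modules/faker': {
      version: '5.0.0',
      resolved: 'https://registry.npmjs.org/faker/-/faker-5.0.0.tgz',
      // integrity deliberately absent: the fetched tarball cannot be verified
    },
  },
};

function runDemo() {
  return auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
}
console.log(JSON.stringify(runDemo(), null, 2));
```

Run against a real project by replacing the two sample objects with `JSON.parse(fs.readFileSync(...))` of the project's manifest and lockfile; a `'non-registry-source'` finding marks exactly the dependencies a registry-side restore cannot fix.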

In case you want to back up all your GitHub repos quickly:

apt install git parallel jq -y

# Token and organisation name are placeholders; replace both.
TOKEN=xxxxxxxxxxxxxxxxxxxxx; ORG=yyyyyyyyyyyyyy; page=1
# Walk the paginated org repo listing until a page comes back empty.
while links=($(curl -H "Authorization: token ${TOKEN}" -s "https://api.github.com/orgs/${ORG}/repos?per_page=100&page=$..." | jq -rc '.[] | .ssh_url')); [[ "$links" ]]; do
  # Shallow-clone every repo on this page in parallel over SSH, never prompting for credentials.
  GIT_TERMINAL_PROMPT=0 parallel git clone --depth=1 {} ::: "${links[@]}"
  ((++page))
done

Your SSH public key should be added on GitHub for it to work.

--depth one will lose allll your history, and only keep `master` branch, though

He did say quickly

Quickly does not imply lossy

My org has forked this to https://github.com/graycoreio/faker.js from a fairly recent verified commit from Marak, even if it's only temporary for some semblance of stability.

Maybe they (gh) suspected someone tampering with his account? I'm against the "tantrum" (assuming it was about money) he threw, but it's kind of crazy how NPM can just totally nullify his "activism".

It's hard to feel bad for you when you try to do an end-run around FOSS licenses being irrevocable and intentionally cause another leftpad incident.

So now we are getting into the same situation as with Twitter, for example, where the people running the platform are going to start to be the ultimate arbiters of "rules" and "truths".

Should GitHub get involved in this like they did? If they thought his account got hacked, maybe yes. But he did it on purpose, so what happens now? Are they gonna reinstate the empty repo?

With all our code so dependent on external sources nowadays, this kind of situation could happen more and more.

I wonder if this is because of the faker project or he did something else to violate GitHub rules.

Because if it’s only related to FakerJS then that’s really fucked up.

Yeah it's pretty ridiculous if they locked him out for changing the README + issue comments of his own repo. Curious if he actually violated anything in GitHub's TOS.

I think changing his own repo is one thing, but using the repo admin ability to edit another user's post reporting an issue to link to conspiracy theories does feel like an abuse of that ability.

"Erased" is the key term here, they rug-pulled a popular NPM package. That's within their rights, but it's going to break things and looks very suspicious, so I'm not entirely surprised their account has been locked down.

> they rug-pulled a popular NPM package. That's within their rights

That sounds like malicious activity. That's normally against most terms of service.

Just because it's malicious doesn't mean it's against the rules (or should be).

He didn't do anything wrong. You should have local mirrors of stuff you rely on.

It's literally a crime. Malware is illegal.

No, it's not. Publishing malware is protected expression in the USA, like all source code (thanks, djb!). Forcing it onto the computers of others is illegal, but as you know that's not what happened here.

Pulled, not pushed.

Meh, by that argument a typosquatter that hosts a malware download is not doing anything illegal as the user who made a typo pulled the malware, not pushed.

Given the rather flaky behaviour (however provoked he feels) by the owner of a quite high-profile project, it's not unreasonable to presume caution on the part of GitHub.

The account appears to be there, so either the suspension was temporary, or its visibility is not related to his access to it?

Without getting in to the conspiracy theories or watching someone's YouTube, it appears the (oft controversial) author rug-pulled a popular npmjs package.

This is probably GitHub doing damage control / fixing up build pipelines for everyone while they figure out next steps.

But npm already did the damage control and restored an older version, fixing all broken CI pipelines.

What does any of this have anything to do with GitHub?

You know NPM isn’t the only way to install JavaScript packages, right? You can add a GitHub repository directly. Yanking the NPM package doesn’t protect people who are pulling from GitHub directly.

It's a suspicious action, so probably locking the account down until they can get in touch and confirm that's what the user wanted to do, and wasn't hacked etc. Could even be automated between npm and github, a compromise warning or similar. All conjecture though.

Aren't npm and GH all owned by Microsoft anyway?

Yes, GH and NPM are part of the same company, Microsoft.

Is the full story anywhere? People mentioning some conspiracy theory on Twitter?

So, Ghislaine Maxwell (edit: suspected to be reddit power mod maxwellhill) is currently being tried as an accomplice to Epstein's underage sex trafficking.

The usual conspiracy crowd however are trying to connect it to their old favourite, pizzagate, where they assume basically every left wing figure of note is involved in a satanic child sex cult operating out of a fake pizza shop in DC. They're also implying Aaron Schwartz was murdered to cover it up, rather than driven to suicide by overzealous prosecution of academic journal piracy.

When Marak deleted faker.js, he replaced everything with links to reddit conspiracy threads containing the same allegations.

Is this the same Marak who got in trouble for setting his house on fire when his homemade explosives project went wrong? (https://news.ycombinator.com/item?id=25038438)

maxwellhill is suspected but not confirmed to be the same person as Ghislaine.

They're also inactive for >1yr.

Important context for people who aren't going to read further.

That's understating it quite a bit. The activity & interests match up well, both high and low activity periods, lots of posting about age of consent, goes dark the same day she's arrested. The name may also be an allusion to her estate.

Judge for yourself: https://reddit.com/r/conspiracy/comments/r45a5n/here_is_the_...

Public forums are a goldmine for identifying people who have compromising or plain illegal perversions. A rich and diverse source for both buying and selling perversions. Of course she and Epstein and others were using deep access to this site to their advantage. Like wolves to sheep.

Another important context is that maxwellhill, whoever they were, were more than just another reddit power user. They were the first user to pass 1 million upvotes, they were instrumental in promoting the site from early on, and Aaron Swartz, of course, was an early reddit dev often credited as a co-founder.

It seems unlikely the early reddit admins would not know who maxwellhill is, whether they were Ghislaine or not.

That said, it seems to me maxwellhill (again, whoever they are) did absolutely not "promote pedophilia". The worst they've been able to find is some questions about age of consent laws.

Thanks for the background. Truth really is stranger than fiction. You couldn’t make this stuff up.

I can absolutely see how people would be pulled deeply into conspiracy webs by this stuff.

That said, I wonder what the ToSs say on GitHub and NPM on basically taking over an account that pushes content they don’t personally agree with.

The right thing to do is for someone to properly fork the project and then they can spend the time and money providing a repo for the world to freeload on.

If someone can’t update references quickly, that’s a serious problem they need to fix with their own pipeline if they’re pointing to random third party libraries.

If the content wasn’t illegal the owner has every right to do what they want with it. They have no duty of care or warranty implied or otherwise on their own repo under that license. That’s the whole point! The whole point of pulling the rug out was an important protest on people freeloading on this person’s work.

To now freeload so badly that they effectively cancel the protest and take over the account is certainly indicative of how ethically bankrupt the freeloaders truly are.

Speaking of conspiracy…

Data-mining 1980s/early 90s alt.sex and its subgroups would provide interesting insights. In the Wild West days of Usenet, internationally criminal explicit content was being passed along the university backbones. Epstein & Maxwell would have had excellent access to their respective university’s unfiltered Usenet feed. I think it would be relatively easy to identify communication networks in which they and their peers were involved.

Swartz not Schwartz

Thanks, the edit window on my post has expired, so unfortunately I can't fix it now.

I'm eagerly awaiting a really interesting documentary about these things in a few years. Interesting time to be alive!

That's like the last paragraph of the story... what even is faker.js?

I guess I should do my own research.

It's an open source library for generating convincing-looking mock data for demos, so you have a bunch of mixed, convincing names and not just John Doe1, Jane Doe2, test@example.com.

It handles about 60 types of data.

It was previously a source of controversy in the open source funding debate when Marak posted a "fuck you, pay me" where he refused to make any more updates until some of the corporate users started sponsoring the project, which GoDaddy eventually did.

What I learned is that GitHub is no longer a reasonable place to hold your personal source code, no matter whether it's private or public. GitHub is still a good place as a platform to show yourself, but it's never a home-like place where you hide.

Since the cloud services (not only GitHub) are increasingly unreliable these days, maybe we should think more before choosing to use them.

Not a solution to the problem... but npm explore should be available to all npm users, not just enterprise users... I want to know exactly what is being installed when I run `npm install`.

GitHub has become shit these days. Moving to Codeberg.
