NPM package event-source-polyfill compromised by political activists (github.com/yaffle)
124 points by ramesh31 on April 8, 2022 | 241 comments



Why is "compromised by political activists" in the title?

"political activists" is 1) plural (wasn't it only 1 committer?) and 2) an opinionated label for someone we don't know much about. Sure, the commit may be an act of political activism, but to label the individual based on this one action seems inappropriate.

And "compromised" makes it sound like it's against the will of the maintainers. Do we know that? The commit was 23 days ago. There's an ongoing open discussion here where there are folks defending both sides: https://github.com/Yaffle/EventSource/issues/202

Anyway, a better title might be "event-source-polyfill displays popup about Ukraine in Russian timezones" or, if it's malware, then "event-source-polyfill affected by malware in Russian timezones"


I think the title can be shortened to NPM package event-source-polyfill sabotaged.

Sabotage is a better word since it is not loaded politically. It does not infer a reason nor motive. Just that something happened which was deliberately done by someone.


Sabotage, to me, explicitly means that the act was committed with the intent of derailing the project’s original purpose. This act seems orthogonal to the original intent of the project, so it’s underhanded but it’s not really sabotage.


Sabotage is quite a fascinating concept. IWW are big promoters of using sabotage as direct action. An industrial saboteur might have the goal of disrupting the supply chain causing damage to their boss’s profits, either as revenge for poor labor conditions, or as a negotiating tactic during a strike. Here the saboteur is disrupting at the end of the supply chain when the product is consumed with the goal of delivering a political message.

Like I said sabotage isn’t loaded and does not depend on the motive. Only that something was disrupted on purpose.


Sabotage seemed a bit weird of a choice to me, but the dictionary disagrees, so fair call on that one

> destructive or obstructive action carried on by a civilian or enemy agent to hinder a nation's war effort

https://www.merriam-webster.com/dictionary/sabotage


I think it's a bit much to call this sabotage. It's not as if this open-source node library is fulfilling a crucial role in Russia's war efforts.

Using this reasoning you could argue that any negative comments about the war towards a Russian could be construed as sabotage, because it goes against Russian war propaganda.


Negative comments usually don’t have anything disrupted. This however disrupted the consumption of websites that use this library. So these websites were indeed sabotaged for the end user through this library.

In comparison this act is probably more disruptive than anti-war sticker bombing in grocery stores (https://t.me/nowarmetro/465) and most people would call that sabotage.

But like I said, sabotage is not loaded. It can cause anything from a minor or trivial disruption, to a major destruction. It can have a positive or negative message, or even no message at all.


If to some people this source code change provides helpful information, is it sabotage? If seen through their eyes?

Eg about using Tor to get access to forbidden news.

(Maybe the way it was done, won't work in practice, but if you pretend it worked, as a thought experiment?)


I would think so, for two reasons: First the web pages using this library are still disrupted (hence sabotaged), and second—a bit far fetched—the propaganda campaign and information gatekeeping efforts by the Russian government have been sabotaged with leaked information.


The popup message is information that there's a war going on, and a suggestion to download the Tor browser (to get past Putin's censorship).

To some, that's malware, whilst to some people in Russia, it could be valuable information, something helpful.

But maybe most software people know about Tor and VPNs already. And I suppose that the popup in most cases got stopped during Q/A.

I don't really see the message reaching its intended audience.


We should probably start an open source sanction list of individuals who abuse trust to ship malware. The faker/colors guy, node-ipc guy, whoever's responsible for this, etc. Then npm audit or some other checker should crit if there's a package under their control in your supply chain. Well they can assume new identities, but at least we learn about clearly unsafe packages created before any identity change.


So... cancel them? I get that people are angry, but such a central enforcement authority would be at least as abusable, if not more.

You can't win here. If you trust someone else's software, you need to evaluate the author and establish a relationship. For decades in open source, we did this via formal organizations with charters and incorporations and foundations and boards and stuff (FSF, Red Hat, yada, yada). We can trust gcc or Linux because we have visibility into the reward structure that produced it beyond "what this developer did".

NPM's big failing is in short-circuiting that process and inviting a culture where any rando can push out a package that can be trivially slurped up and used by everyone, transitively. That's great for the rando developers, not so great for the consumers as it turns out.

But you don't fix it via mob justice. You fix it via organization.


If you classify revoking a malware author’s developer certificate in a signed environment (e.g. Apple platforms) as cancelling, sure. Not to mention warnings from a checker which can be ignored are far weaker than revoked certificates.


Your hyperbolic use of "malware" for what is clearly a prank is precisely why this is abusable. I buy that you feel strongly and think this developer should be punished for, essentially, making their views visible in their work. Now imagine the people who would want to punish you for your views. Think they won't find anything?


This is as much a “prank” as “benign” adware that pops up an ad on your desktop every hour.


Maybe adware that pops a message that doesn't generate any revenue once after 15 seconds would be more accurate. But I suppose that depends on if a single non-commercial message counts as an ad.


Adware tends to be localized to your own computer instead of working its way into websites you build and pushing itself to all your users.


Perhaps you should reflect why you are pushing adware to YOUR users then. Maybe you should vet YOUR work more carefully instead of pulling in hundreds of dependencies that YOU haven't bothered to vet.


Yes, more visibility into which packages are published/controlled by malware authors helps with vetting (immediate pass instead of reading thousands of lines of code). Yet some people are terrified by that prospect. Really makes you wonder.


"i dont even want to bother reading the code i ship to my users"


Perhaps this is the year when we will collectively realize that cancellation is, in fact, an appropriate response to someone behaving in an anti-social manner.


Is this satire?


I can’t speak for GP, but ostracizing and shunning are pretty much the assumed enforcement mechanism—when they’re articulated—among people with libertarian principles when those principles are applied consistently. “Cancelling” is far more humane than incarceration or other forms of punishment, because you can emigrate elsewhere. It’s also far less likely to create implicit hierarchies if it’s commonplace.


So someone misplaces their idealism and your solution is canceling them until they must emigrate? Who are you people?


I mean I’m not asking for anything to be done here at all, but I hope you’d agree that “someone misplaced their idealism” would be better served by a trip to another package registry than a trip to prison… right? Who are my people? I’m not that organized. I’m just observing that “cancelling” has a philosophical underpinning in even more theoretically libertarian thought than which I personally endorse. I think it’s worth the observation because the people who most object share similar philosophies.

I do have a strong sense of freedom of association which makes me sympathetic to that idea. I also understand it’s not the end of the conversation.

But I find the hypocrisy of ideological freedom contrasted with freedom to associate really galling.


I'm not sure why you're making the claim that writing out a list is somehow "mob justice."

It's just documentation.


Lists have been used as far more than documentation throughout history. Lists expand in scope and purpose and can be used for mob justice.

How will your list safeguard against this?

This is one of the more bizarre proposals I’ve seen entertained on HN.

Where is the line?

If I commit a political dissertation in the comments or README? If I change all my unit tests to use political phrases? If I name all my functions with political connotations? If I pass extra politically motivated data back with every response?

And how long does your name stay on the list? Any way to get it removed faster? Any way that it gets extended?

And this is in response to using free software?

We already have mechanisms for dealing with poor OSS decisions: raise an issue, fork it, unstar it.

Maybe we should focus on building up the better OSS projects than trying to create a blacklist of maintainers that don’t adhere to some standards they never agreed to, but we imposed on them.


Cool story.

Anyway, the list that they're discussing has actually existed for 30 years, and your hair pulling about what might happen hasn't.

.

"Where is the line?"

Relatively easy for the rest of us to see.

.

"If I commit a political dissertation in the comments or README? If I change all my unit tests to use political phrases?"

Nobody suggested this should be penalized. This is common.

.

"And how long does your name stay on the list?"

Forever.

When you commit a crime, that knowledge never disappears in any country.

.

"Any way to get it removed faster?"

No.

.

"And this is in response to using free software?"

No.

.

"We already have mechanisms for dealing with poor OSS decisions: raise an issue, fork it, unstar it."

None of these address what happened in any way.

.

"Maybe we should focus on building up the better OSS projects"

You go ahead.

The rest of us will act without you. Your agreement is not required.


> Cool story.

Actually, "blacklists", "redlists" and many other "lists of undesirables" weren't cool at all. But every generation or so they unfortunately seem appealing again.

> the list that they're discussing has actually existed for 30 years

Where is this list? Who maintains it?

OC certainly didn't know about it: "We should probably start an open source sanction list of individuals who abuse trust to ship malware"

> When you commit a crime

"crime"? Please link me to the law you think they broke.

Here's the license: https://github.com/Yaffle/EventSource/blob/master/LICENSE.md

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED

So, how is this a "crime"?

> that knowledge never disappears in any country

Not true in any country except maybe North Korea or some other authoritarian state. In any society with checks and balances, verdicts can be appealed, judgements reversed, records expunged and rights restored. This "undo" feature is pretty critical to any legitimate system of justice, as is "innocent until proven guilty". I didn't see any details about the rights of the accused in anyone's blacklisting proposals.

> None of these address what happened in any way.

Yes, it does. MIT licensed software is provided "AS IS, WITHOUT WARRANTY". If you don't like it you can fork it. If you're afraid of a bad commit, vendor it, which is a best practice anyway, for this exact use case.

> Relatively easy for the rest of us to see.

Our entire legal branch of government exists because these lines are not always easy. Judges judge things all the time, and not uniformly. If everything was easy to see, we wouldn't need judges or juries. The interpretation of language or of an act on a case by case basis is where things get tricky.

> The rest of us will act without you

At this point I have way more questions:

* Would you blacklist this contributor if they documented the Russian timezone popup as a feature in the package as the issue creator suggested (https://github.com/Yaffle/EventSource/issues/202#issuecommen...)?

* What "test" would you apply to code to determine if the developer should be blacklisted or not? Would this blacklist only pertain to malware? Wikipedia (https://en.wikipedia.org/wiki/Malware) defines a few different malware categories: "Many types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper, and scareware." If the code doesn't fall into one of those categories (as is this case), under what circumstances might you still blacklist the developer?

* If a maintainer stops maintaining their current library and says all future maintenance will be done on a new library, and that new library contains this Russian timezone popup code, would they be blacklisted?

* Would it matter if the "bad code" was intentional or not? Or a joke or not? Or temporary or not? How would you determine the author's intent? Would they have a chance (or be obligated) to respond? Or would you only look at the impact of the code? If you look at the impact, under what conditions would a "bug" get you blacklisted?

* Would you blacklist a developer for making a breaking change to a package? What if the breaking change was politically motivated?

* Who runs and maintains the list? Does this list have an appeals process? What are the rights of the accused?

* How will you disambiguate the list so as not to misconstrue "innocent" developers as blacklisted developers? Will you include their birth name? Social profiles? Emails? Addresses? How will you deal with name changes (someone gets married, or changes their name?), or new online handles?

* What age and definition of a minor will you use? And will minors be given different treatment or excused from the blacklist?

I could go on, but if you're serious about this idea, you'll probably want to communicate it in more detail because a "forever list of bad developers" sounds a lot like a "forever list of communists" or a "forever list of undesirables". If you're not going to make the same mistakes McCarthy (and others before him) did where this list turns into a biased weapon of control and intimidation, then these details will be really important.


> Actually, "blacklists", "redlists" and many other "lists of undesirables" weren't cool at all.

That's nice. That isn't what's happening here.

What's happening here is akin to the list of photos that every restaurant has to prevent people from bouncing bad checks.

Go into the Post Office and you'll see another. Same one as at most grocery stores.

I see that you are trying, as hard as you can, to equate keeping a list of bad actors with political suppression. I reject this. Society is fundamentally built on these things that you're extremifying.

You have a credit score. Go learn about it.

.

> Where is this list? Who maintains it?

Please stop asking me questions that have already been answered.

.

> > When you commit a crime
>
> "crime"? Please link me to the law you think they broke.

If you remove the surrounding context, you will edit what I said to remove that this was a comparative metaphor, in the effort to manufacture an error.

This isn't very effective, however.

People can just look at the previous comment to see that you've edited what was said in a fashion that significantly changes the intent, and are asking someone to justify something that clearly is not what they actually said, despite being a verbatim quote.

.

> > that knowledge never disappears in any country
>
> Not true in any country except maybe North Korea or some other authoritarian state.

When you edit out that what I said was that a record of past crimes exists in every country, then you might be able to come to a facile conclusion of this form.

In reality, in the United States, criminal records are public and can be looked up online except for minors, and this is true of most modern countries.

.

> In any society with checks and balances, verdicts can be appealed, judgements reversed, records expunged and rights restored.

Though truthful, none of this is in any way related to what I said.

.

> This "undo" feature is pretty critical to any legitimate system of justice

Keeping a text file on github is not an attempt to create a legitimate system of justice.

You seem to be unable to differentiate between a text file and a court of law.

.

> Our entire legal branch of government exists because these lines are not always easy.

Your attempts to turn a simple text file into a valid comparison to the legal branch of a government of 330 million people are confusing to me.

Do you believe that a person found in such a list has been tried by a court and is incarcerated?

The metaphor you're making seems absurd to me

.

> At this point I have way more questions

They aren't really interesting to me, is the problem

.

> Would you blacklist this contributor if they documented the Russian timezone popup as a feature in the package as the issue creator suggested

Of course not. This person hasn't caused intentional harm. What a weird question.

.

> What "test" would you apply to code to determine if the developer should be blacklisted or not?

My own personal judgement.

I'm not really interested if you find that unacceptable. I am not keeping this list for you.

My approximate rule of thumb is "did they attempt to cause harm?"

If you try to frame this differently, by injecting politics or wild hand waving about your fictional oppressive society, or keep insisting that only North Korea has public court records (it's actually the oppressive regimes that hide them,) I guess I kind of won't really care

I'm sure that, over time, such a definition might become more nuanced, but your attempt to cast someone keeping a list of "this person tried to harm users" as a form of government overreach just ... just seems silly, to me

I cannot name a business that doesn't have a list of banned bad customers. Maybe in tiny towns or something?

.

> If a maintainer stops maintaining their current library and says all future maintenance will be done on a new library, and that new library contains this Russian timezone popup code, would they be blacklisted?

I have no idea why you're obsessing about a "russian timezone popup code."

These questions are silly. Nobody's blacklisting anyone over a timezone.

It's not clear to me if you just misunderstood what actually happened here, or what

.

> Would you blacklist a developer for making a breaking change to a package?

Please stop asking aggressively inappropriate questions.

I make breaking changes to packages all the time. Sometimes it's the right thing to do. Sometimes people disagree. More often than not I do it by accident.

If you are not able to understand the difference between an intentional bad actor and the vague process of software, you are not equipped to be a participant in this discussion.

.

> Who runs and maintains the list?

I'm aware of about 40 of them. One of them is me.

You don't seem to grasp that these lists are common, and are not centralized.

This is not a government court body. Please stop pretending that it is. As long as you act this way, you will fail to understand what's actually being discussed here.

.

> How will you disambiguate the list so as not to misconstrue "innocent" developers as blacklisted developers?

By whatever identity mechanism is appropriate for the given package system. Using the example of feross, github and npm username, as well as email.

This will vary system to system, of course, but whatever common sense equivalent is appropriate would be used.

I have less than zero interest in watching you attempt to deep think about how this could go wrong. These lists are not complicated, and if it actually does go wrong, that person can just say "hey, i'm not that guy, can you fix it," and people will.

You're being deeply unreasonable. These things are common.

.

> I could go on, but if you're serious about this idea, you'll probably want to communicate it in more detail

No thanks. I don't have any interest in these opinions you're attempting to put in front of me. These systems are extremely common, and have been for decades. They've been thought through by tens of thousands of people, and the objections you're making are trivially easily solved.

.

> sounds a lot like

Your often repeated opinion is noted.

.

> "forever list of communists"

No.

.

> or a "forever list of undesirables"

Yes.

.

> If you're not going to make the same mistakes McCarthy (and others before him) did

Imagine thinking this was a reasonable thing to say.

Unlike McCarthy, if we make mistakes and are told, we fix them.

Unlike McCarthy, we aren't ruining lives, ending careers, disbanding university participation, censoring, jailing, or murdering.

I have a hard time understanding why you're reacting so severely to systems that are decades old and have never actually had any of the problems you describe.

If you're unable to tell the difference between a text file on github that lists people who have intentionally caused harm through package managers, and someone who manipulated world government to jail tens of thousands of people, some for decades?

Then I guess I just don't really trust your judgment.

We're not the TSA. Nobody's getting banned from any flights.

We're just a list that says "oh, if your package manager installs something and the owner key or the author keys include this email address, pop a warning and get user confirmation before anything gets executed"

Just so you know, if you're in the United States, and are an adult citizen, you're on dozens of these lists no matter what.

Have a good day.


> What's happening here is akin to the list of photos that every restaurant has to prevent people from bouncing bad checks.

No, that list is privately maintained and exclusive to the restaurant. It’s used for internal purposes. You’re talking about a public list used by others for external purposes.

> My own personal judgement.

Sorry, but I don’t know you or trust you. If you want a system people trust, it has to have more thought and transparency put into it than that.

> I have no idea why you're obsessing about a "russian timezone popup code."

The code introduced to the repo linked above creates a pop-up if you're in a Russian time zone about the war in Ukraine.

> I'm aware of about 40 of them. One of them is me.

Can you link to some?

> These lists are not complicated, and if it actually does go wrong, that person can just say "hey, i'm not that guy, can you fix it," and people will.

I have much less faith in people in positions of power than you do apparently. Especially when their arbitration rules are “their own personal judgement”.

> Unlike McCarthy, if we make mistakes and are told, we fix them.

How could someone like me verify this claim? I don’t have a link to the list or documentation of errors being corrected. Plus, it seems like these lists (yours at least) are run by individuals at their sole discretion? What McCarthy lacked was transparency and accountability to others. I haven’t heard how you’ve implemented either of those yet.

> Unlike McCarthy, we aren't ruining lives, ending careers, disbanding university participation, censoring, jailing, or murdering.

You don’t think ending up on a developer blacklist (forever!) would end a career or get them excluded from participating in other developer groups or uninvited from speaking at conferences?

And these lists in history always start with public shaming, and then progress over time from there. It doesn’t start out at maximum evil on day 1.

I’m not saying your list will 100% lead to evil, but “lists of undesirables” has been a precursor to some pretty bad things, so I hope you’re vigilant.

> I have a hard time understanding why you're reacting so severely to systems that are decades old and have never actually had any of the problems you describe.

I’ve been coding since ‘97, running tech companies since ‘08 and reading HN almost every week since ‘15 and I have never heard of such lists until this thread. OC said that the community should start one, and others agreed. No one linked to these lists and said they already existed. This is all very new to me.

I’m perhaps reacting strongly because I know of people who were accused by McCarthy and how destructive and unfair it was. I don’t want to see similar mistakes happening again in a community I’m familiar with and involved in.

This feels very reactionary, and lacking in many safeguards.

> If you're unable to tell the difference between a text file on github that lists people who have intentionally caused harm through package managers, and someone who manipulated world government to jail tens of thousands of people, some for decades?

It’s a text file that’s used to take some action though... Someone recommended pinning a visual indicator to the developer’s avatars (public shaming). Another wanted to identify the developer as someone who “conducted sabotage” with an alert.

And “intentionally caused harm” is where the problem is.

I’m sure you have good intentions. I just don’t like the “forever” stick approach, when the community was built around carrots (stars, forks, blog posts, ratings, install stats, etc.).


> No, that list is privately maintained and exclusive to the restaurant. It’s used for internal purposes.

Wendy's, McDonald's, and Burger King share their lists, and post them in public.

The lists for all airlines are now being shared by law in the United States. Airlines do not have the privilege of not barring some other airline's violent customer.

This has always been a requirement of participating in American Express.

Credit scores, as were already pointed out to you, are shared between actors and posted in public.

You're being facially recognized at almost every major grocery chain, and the vendor of the cameras is exchanging underlying results. Shoplift a ham at Albertson's in California? You're now banned from Giant Eagle in Pennsylvania, an unrelated company, too.

Drug stores. Fast food. Jiffy Lube. Target.

Not even kidding, buddy, just walking down the street gets you put on lists by ATM vendors because they're trying to see if you're casing the joint.

You can't oversee or get yourself removed from any of this. None of it is internal, none of it is privately maintained, and none of it is exclusive.

In the meantime, my list is privately maintained, and you're claiming that's a problem. My list is exclusive, and you're claiming that's a problem.

.

> > My own personal judgement.
>
> Sorry, but I don’t know you or trust you. If you want a system people trust

Your trust is not something I seek.

.

> The code introduced to the repo linked above creates a pop up if your in a Russian time zone about the war in Ukraine.

Thanks. The answer hasn't changed.

What I had clearly said was "caused harm." This does not "cause harm." To me, this seems like a simple concept.

I do not care if you disagree. If you do, make your own list. Or don't.

.

> Can you link to some?

Can? Yes.

Will? No, use Google. You're annoying and I don't care if you believe me.

.

> I have much less faith in people in positions of power

Your faith is not a goal for me.

.

> How could someone like me verify this claim?

Find a mistake and tell me about it, and I'll fix it.

Or, y'know, accept that you generally don't get to verify these lists. You don't have that level of authority.

.

> You don’t think ending up on a developer blacklist (forever!) would end a career or get them excluded from participating in other developer groups or uninvited from speaking at conferences?

That's just not how I would evaluate the situation.

If someone turned up on a blacklist during an interview, and that blacklist gave factual, researchable information about what that person had done, and the person lost that job offer as a result, I would think their actions, not the list, resulted in the lost offer.

You know, like when they call the FBI and ask "is this person on the predator list" before hiring you. If the FBI says "yes," they're not costing you the job, your history as a predator is.

It's kind of wild to me that you seem to be suggesting that I am failing in my responsibility to the bad actor somehow, by permitting the facts of their past to come to light.

.

> I’m not saying your list will 100% lead to evil

Cool story.

.

> I’ve been coding since ‘97

Cool story.

.

> I have never heard of such lists until this thread.

You can get to one of them from the alarm bell on your github account, if you've released any open source.

Your unawareness of social standards in software is genuinely not relevant to me. You can just look these things up, instead of telling me over and over that you don't know about them.

I mean, there's a plant that recycles plastic bottles somewhere in your city, but I bet you have no idea where it is. I don't know where mine is. Does that mean there isn't one? No, that just means you don't know it.

Honestly, assuming you're a regular person in the United States, you actually have heard of a whole lot of these; you just aren't trying very hard to think of them.

.

> This feels very reactionary

Your feelings are not relevant to me, especially with your habit of accusing me of being similar to Joseph McCarthy.

Also, it seems like you're saying "writing down what people did is reactionary." Reactionary has two meanings: 1) to react to something, or 2) to resist sociopolitical change.

There's nothing wrong with reacting to things, and I'm not resisting sociopolitical change, so I guess I'm not entirely certain what point you're trying to make with this heavily loaded word.

.

> I’m perhaps reacting strongly because

The reason is not relevant to me.

.

> It’s a text file that’s used to take some action though

No, it's not.

.

> I’m sure you have good intentions.

Your certainty is not important to me.

.

> I just don’t like the “forever” stick approach

Cool story.

.

Call your bank and ask what a "credit score" is. Those lists are shared too.

Anyone with even a trivial understanding of the world knows that they are absolutely surrounded by this stuff.

What do you think your Uber rating is? Did nobody tell you that the high school permanent record they talk about is actually real? Did you know your doctor has your charts from your previous doctors, including all their criticisms? Did you know that if you bounce three checks at Walmart, you can't go to Jiffy Lube anymore?

Did you know nine US states have public lists of check fraud people, farmed from any company in the state which wants to participate? Did you know the US Post Office publicly has this nationwide?

They don't have to be formal, either. One thing I really enjoy is telling people they should look themselves up on NextDoor. You're going to be horrified how many lies the Karens who live near you have written about you.

Go tell Amazon how it's Joseph McCarthy and keeping lists of undesirables. Maybe you could hit the big red button and say "holocaust?"

Are you about to tell me how unfair it is that people get cancelled on Twitter, next? Maybe it's not okay that Will Smith doesn't have the right to have the slap forgotten? Maybe it's Joseph McCarthy that The Academy banned him from all Hollywood events for ten years?

Are you aware of the sex offender registry? The arsonist registry? Have you ever heard of the Neighborhood Watch? Does it bother you that the McGruff the Crime Dog kits used to send out lists monthly?

What about Lyft? Are those independent contractors or the company sharing that data around, that when you say racist stuff in the car you can never take a Lyft again?

Do you feel bad for Mel Gibson?

Do you think there's something wrong with Snyk? They have exactly this list, with Marak and so on, on it. They sell this as a service. So does SonarQube.

How do you feel about the Russian oligarchs that the United States has put on a list recently?

Or, on a smaller scale, you can go into any chain hotel - let's just say a Hilton - and take a big fat dump on the ground. Guess what other 35 hotel chains will not rent to you worldwide, afterwards? Are they somehow harming your delicate sensibilities?

What about large franchisees? It's not uncommon for one person to own a bunch of instances of various competing fast food brands in a neighborhood. Where I grew up, at the mall nearest me, the same guy owned a Taco Bell, a Wendy's, and a Subway, all of which are unrelated companies. Do you think he shouldn't pass bad check information between his three stores? If a bad check gets bounced at a Wendy's, and his Subway has a local friend franchise with a different Subway owner across town, is it bad for this Subway owner to tell that Subway owner because the information was originally domiciled in a Wendy's?

Why are you claiming that these systems are ethical when a walled garden exists, but not when it doesn't? How does that actually make sense, without telling me anything about your emotions?

Do you think that if you call them, and say Joseph McCarthy enough times, they'll stop keeping that list, worldwide? Is your monologue that powerful, that it will convince people to change the standard ways of the world?

When you contact Amazon, have you considered asking them how long the notes on your account are? Because if you've ever asked them where your shipment is, they're keeping a list about you too.

I googled the phrase "list of con men," and I got things on CNBC, Wikipedia, Ranker, Money Magazine, a page on Penguin Publishing about a book about this, the BBC, etc. Are all these groups in need of learning rudimentary ethics from you?

What ... what do you think of the news? Is it bad that they tell the rest of the country when a murder happens who did it, or criticize a politician, or whatever? Those are all permanent record. Even the weird public access TV stuff.

When Ashley Judd made a list of rapists in Hollywood, and got the ball rolling on Harvey Weinstein, do you think she was doing a bad thing somehow?

If you want to change this extremely common practice of keeping track of problem people, tell a lawmaker, not me. I don't actually agree with you, that people who harm one another have some weird right to privacy from consequences of their own actions.

For my part, I actually struggle with the US law about hiding this stuff just for minors. I mostly agree with it, but not entirely.

Honestly, sometimes I don't understand why people don't realize that this level of exaggeration makes people less likely, not more likely, to listen.

Please be aware that the second you tell someone they're in any way similar to Joseph McCarthy, your chances of being taken seriously have dropped to epsilon.


> Airlines do not have the privilege of not barring some other airline's violent customer.

> Shoplift a ham at Albertson's in California

> when they call the FBI and ask "is this person on the predator list" before hiring you

> if you bounce three checks at Walmart, you can't go to Jiffy Lube anymore

> nine US states have public lists of check fraud people

> Are you aware of the sex offender registry? The arsonist registry? Have you ever heard of the Neighborhood Watch? Does it bother you that the McGruff the Crime Dog kits used to send out lists monthly?

> you can go into any chain hotel - let's just say a Hilton - and take a big fat dump on the ground. Guess what other 35 hotel chains will not rent to you worldwide, afterwards

> Do you think he shouldn't pass bad check information between his three stores

> I googled the phrase "list of con men," and I got things on CNBC, Wikipedia, Ranker, Money Magazine, a page on Penguin Publishing about a book about this, the BBC, etc.

> Is it bad that they tell the rest of the country when a murder happens who did it

> When Ashley Judd made a list of rapists in Hollywood, and got the ball rolling on Harvey Weinstein, do you think she was doing a bad thing somehow?

> extremely common practice of keeping track of problem people

You keep equating these developers to criminals. I don’t think it’s a fair comparison.

1) They broke no law

2) There’s no civilized justice system here

> I don't actually agree with you, that people who harm one another have some weird right to privacy from consequences of their own actions.

You agreed to use the code “AS IS”. They have no obligation to you.

> For my part, I actually struggle with the US law about hiding this stuff just for minors. I mostly agree with it, but not entirely.

I think it’s something worth considering. Minors’ brains are still developing, as are their ethics and knowledge of the world. Seems harsh to me to associate them with a rash act from their childhood forever.

> Please be aware that the second you tell someone they're in any way similar to Joseph McCarthy, your chances of being taken seriously have dropped to epsilon.

Not end result McCarthy, early days McCarthy where he probably thought he was doing good in the world.

> If someone turned up on a blacklist during an interview, and that blacklist gave factual, researchable information about what that person had done, and the person lost that job offer as a result, I would think their actions, not the list, resulted in the lost offer.

This is why these lists are so powerful. Not everyone bothers to read the details of each case. They see the name on the list and assume they did it. Take any of your criminal list examples above. Do you think other people research these individual cases? No, they assume that if you’re on the list, you did the “bad thing”. They all assume it was the person’s actions that got them on the list. McCarthy supporters would have said the same thing about his list: don’t want to be on it? Don’t be a communist. That’s why transparency and some type of “undo” is so important. Everyone makes mistakes — even the list makers.

It’s clear you’ll keep doing whatever you feel like doing. I just hope at some point you realize that you’re fallible and not a neutral arbiter and to get some outside checks and balances and a variety of thought processes to the task if you want to keep doing this.


What are you suggesting here? That npm Inc (basically Microsoft), Python Software Foundation, Ruby community, PHP community, Rust community, Go community raise funds to hire people to individually vet each and every change in each and every package? OK, let's do that because we have SO MANY excess jobless developers. /s

OR we could use MUCH fewer resources and just make a sanction list.


There is some validity in the idea itself, but I am pretty sure there is no way to actually make it work.


I see a downside too, like forcing a package owner out of anonymity by flagging their package as "by an unscrupulous author", therefore forcing them to reveal their identity to dispute it.


ehh nobody has to reveal themselves... but I don't want to necessarily consume random packages from anonymous authors either...

I think that a sanction list would make sense, perhaps https://socket.dev/ could use it as a data point for alerts if they are not already


Founder of https://socket.dev here. We’re considering an alert like “Maintainer has engaged in sabotage behavior in the past” to cover cases like colors, node-ipc, event-source-polyfill.


It's sad watching OSS go from the carrot approach (GitHub stars, blog posts, etc.) to the stick approach (blacklisting developers).

If you insist on doing this, maybe try to answer a few of these questions first:

* How are you defining "sabotage"? And how do you reconcile the act of "sabotage" on a project with an MIT license: "AS IS, WITHOUT WARRANTY OF ANY KIND"?

* What are the rights of the accused? Is there a review / appeal process? A way to get your record expunged? Who will be the arbiters?

* Many minors contribute to OSS, what are their rights? And what age is a minor? How will you verify age?

* How long does this "black mark" last once "convicted"?

* How are you going to differentiate between a bug, an intentional breaking change, activism, sabotage, malware, etc.? And will it make a difference if it's in the test suite? In non-breaking functionality? In undocumented functionality? In documented functionality? Or if it affects a minority of users vs. all users?

* What's your tolerance for jokes, easter eggs, etc. that intentionally or unintentionally cause mischief / unexpected results?

* What's your stance on maintainers that refuse to remove or revert code committed by other developers that you consider "sabotage"? Will the entire project team be flagged as "sympathizers"? Or will everyone but the author of the offending commit get a pass?

* How do you disambiguate between developers, through their birth name or username? What happens if a "blacklisted" developer changes their username or creates a new one?

Lots more questions, but if you proceed, I hope it is done with a firm understanding of history. Joe McCarthy (https://en.wikipedia.org/wiki/Joseph_McCarthy) famously tried to stamp out communism with a list of "subversive" individuals. The blacklist ultimately became a way to intimidate and control, because it had no safeguards, no transparent criteria, no neutral arbiters, no compassion, no due process, etc.


100% agree, perhaps instead of only tracking usernames it can also track external Github URLs (to portfolios, linkedin, twitter, and the like), email addresses, etc etc, just to make it a little harder to evade the sanction while also taking credit for their work off of Github.


Maybe we could pin a symbol on their avatars, to make them easy to identify


But what? Something like an "H" for "hacker" would be considered a positive by far too many people who wouldn't realize at first that it's using the other, wrong, definition.


[flagged]



The defense is that it's an obscure reference to a story in which women are physically marked instead of Jews?


The Scarlet Letter is not obscure, there was even a major Hollywood movie made a few years ago that was extremely loosely based on it.

Perhaps you need to read more.


Perhaps you need to find a better argument.

https://trends.google.com/trends/explore?date=today%201-m&ge...


it’s always the people accusing folks of being nazis, but it turns out they’re the real nazi. pretty cool shit going on


Wow. You escalated that quickly.


It was the other guy that "escalated it" there. "pin a symbol on their avatars, to make them easy to identify" is a reference to the star of David that Jews were made to wear in Germany, so they could be "easy to identify".


It's a reference to the scarlet letter and making bad actors of marriage easy to identify. Here we are identifying bad actors in the field of business, analogous to a marriage.

You people are insufferable.


I never read the book/story, nor do I know anything about it. Star of David and the stuff around Jews in Germany I do. You can't blame people for not knowing some "more" obscure reference that you know.


I'm defending an assault of my character. Your ignorance of common knowledge does not negate anything I said in my own defense.


I find it funny that the same person who made an obvious comparison between an online shame list and the physical marking of Jews in Nazi Germany is now

(a) claiming I'm assaulting their character (b) "defending" themselves by claiming it's a super obscure reference in which a woman is marked instead of Jews.

Seriously?


Seems you're assuming bad intentions, also after the other person, 0des, gave an explanation.

To me, it wasn't an obvious comparison. There're lots of icons and symbols on people's avatars, in online forums and GitHub etc already, not that special? Eg admin or moderator icons.

(I think a saboteur icon is a bad idea but for other reasons)


Even if I believed his explanation, which I don't, it's an explanation referencing a story in which women are physically marked for what the in-universe society believes is bad behavior. To claim that is what I was arguing for is still unacceptable.

I'm also allowed to assume bad intentions based on his replies in other comment threads here, which you're free to look at and come to your own conclusions.


> Your ignorance of common knowledge

The Star of David and Scarlet Letter (or letter "A" for adulterer) were both symbols people were made to wear, so they could be identified as "undesirable". The Star of David is probably far more well known world-wide because of how much more recently it was used (some people still alive today were forced to wear it) and the atrocities that followed. Either way, in history it's never been a good thing when people are shaming and identifying people publicly by "marking" them.

> I'm defending an assault of my character

I hope "Maybe we could pin a symbol on their avatars, to make them easy to identify" was missing a "/s". Unfortunately, from the other comments in the thread and your follow up: "Here we are identifying bad actors in the field of business, analogous to a marriage.", it seems like proposals like this are unfortunately real.

And it's unclear how comparing your proposal to a Scarlet Letter would be a good thing. The Scarlet Letter (https://en.wikipedia.org/wiki/The_Scarlet_Letter) is a cautionary tale of public shaming:

> The major theme of The Scarlet Letter is shaming and social stigmatizing

Plus, the analogy doesn't even make sense.

1) business is nothing like marriage

2) this isn't even a business situation since you have no fiduciary relationship with the author (you got something, but paid nothing), and you have no contractual relationship with the author, other than you unilaterally agreeing to be bound by the "AS IS, WITHOUT WARRANTY OF ANY KIND" terms of the MIT license

3) adulterers (or "bad actors" in a marriage) are rarely punished in modern society, and are no longer "marked" in any country I know of

Badges of shame (https://en.wikipedia.org/wiki/Badge_of_shame) are long gone from modern society because of how cruel, unusual and humiliating they were.

This idea of creating a symbol and process to "publicly identify bad actors" is more in alignment with 17th century Puritans and 20th century dictators, not any modern social structure I know of.

The better thing to do is: if they broke a law or a Terms of Service, or a Code of Conduct, then warn, suspend or ban them from the platform and/or repository where the offense took place. If they didn't break any rules, then let them be and use your GitHub stars, free speech, forks, etc. to promote alternatives.


Uh. Interpreting that as referencing the Holocaust seems a little extreme.


To not interpret it that way would be naive.


“everything I disagree with is Holocaust references”


No, obvious Holocaust references are Holocaust references.

Just because your favorite Twitter followings love to put that in a quote tweet, does not mean there are no longer any valid Holocaust references.


It's not actually naive to disagree with you, and at the time of this writing, several other people have disagreed with you as well, including two people giving alternative and less extreme interpretations which also fit the casual usage of the phrase. Several other people have pushed back on what they suggest is you inserting nazis into the conversation.

It's pretty aggressive to tell someone they're being naive because they don't agree with you and are trying to defend someone, in my opinion. Nominally, saying someone is being naive suggests that you can show that something is not just wrong but shouldn't have been believed by anyone sensible. Since you appear to be interpreting the words of a stranger, I doubt that this is the case.

Usually, in my experience, going to the most extreme possible interpretation without direct support isn't actually justified.

If several different people have disagreed with you, perhaps that's a point at which you might reconsider, instead of criticizing everyone as being unable to see what you see. One possibility is that you might be overreacting.

But to be clear, to me, the wording that they used seems to specifically indicate the novel The Scarlet Letter, by Nathaniel Hawthorne. This is a culturally significant phrasing with frequent repetition, which is non-offensive, and unlike a mention of the Nazis, actually makes sense in context. In the rest of the text, they are talking about shaming, not wholesale slaughter of human life.

If I wanted to discuss someone wearing a mark of social shame as a pariah, it's quite likely that I would phrase it the same way, and I'm quite startled to realize that anyone might interpret such a comment in this radically other way. It's pretty common to talk about wearing a mark of shame, and you are the first person I've ever seen in my life suggest that that should be associated with the genocidal extermination of people by their religion.

I think that you might be well advised to look at what other people are saying here. Two people have told you that they feel that other interpretations are appropriate besides me, and another two have expressed concern for what they suggest is the inappropriate addition of a genocide to what was being discussed. I'm inclined to agree with them.

It's hard, because earlier in the discussion when you were saying "zero tolerance policy," I was super on your side. I thought that you were one of the few people here discussing solid common sense.

But also, ... I dunno, man, this just seems like an unjustified public shaming, to me.

In my private experience - and this has no attached data, and I could be wrong - but in my private experience, when someone is actually making a comparison like that, they're doing it for one of three reasons:

1. Shock value

2. Demonization

3. It's actually legitimately relevant in context

In all three of those cases, I would expect the person to come out and directly say what they meant, instead of making a vague metaphoric reference. Metaphor defeats shock value; metaphor does not make people look evil; metaphor doesn't have impact when you're trying to make someone face history.

Call me naive if you want, but I just don't think that person said what you claim, and I'm not alone in that.

If someone didn't say "nazi," and there's a reasonable common way to interpret what they said which makes sense in context, when "nazi" doesn't, probably ... probably they didn't mean nazi, friend. Horses and zebras, and all that stuff.


Just because multiple people claim the same thing doesn't make them right.

I did consider what they've said, and I'm starting to love the "It's the Scarlet Letter, something everyone has read, obviously" argument, a story in which women are physically marked instead of Jews.

Also, yes, it's naive to ignore the implications of what people say and read everything strictly based on what's on the page. If that's aggressive to say, then... sorry?


Just because you claim one thing doesn't make you right either.

No, it's not naive to disagree with you, even if you inappropriately dress it up as "ignoring the implications."

You just hit the big red button unjustifiably, and now you're trying to say "well you can't prove it was unjustifiable."

I'm not supposed to. Your failing to justify it is sufficient.


You can claim my justification is insufficient all you'd like. You can claim it's not naive to ignore any implications or subtext in what people say.

Similarly, that doesn't make you right. Sorry.


Ugh this bickering is like reddit. Keep it off hacker news!


You should read usernames


Until they invoke their right to erasure


There is no right to erasure from other individuals. That's for businesses you worked with.

The GDPR does not have the ability to mandate my personal behavior, and even if it thought it did, many of us turn out not to live in Europe.

What are they going to do, prevent my text file from doing business in France?


Where are those individuals going to host these lists? Probably using a business, such as github or some other hosting company. Just target them.


Why would I target them, when I agree with them?

Besides, you're saying "just target them," but you don't actually have the ability. Nothing you can do will get those lists taken down, even if you're on them.


> Nothing you can do will get those lists taken down, even if you're on them.

Wrong.


Only silly people think that right exists.


Sure retcons are inherently a silly idea, but if "silly people" includes courts and law enforcement is it really that silly?


"Sure retcons are inherently a silly idea, but if "silly people" includes courts and law enforcement is it really that silly?"

The key understanding is that silly people do not, here, include courts and law enforcement.

The thing the poster is trying to reference is the GDPR, and the GDPR does not offer this right with regard to other individuals.

What makes this silly is people pretending rights exist that actually do not.


If someone is publicly compiling a database of other individuals, and hosts this on e.g. github, you can absolutely get it taken down.


Well, go ahead, then. They've been up for literal decades.


Link to any that have my personal data listed on them?


Stdlib or die. You did this to yourself by trusting strangers for your laziness.

"Its just a package for X" until its not.


Yes.

I checked out a small project recently and it had over 2000 npm packages as dependencies. The culture around node development was/is just too dependency happy.

I get standing on the shoulders of giants and that not all people are bad, but with thousands of dependencies, the chances of a supply chain issue starts to become significant.


Most people are good, but because destruction is so much easier than creation, a few people can destroy what it takes a lot of people to build. For example, it will take Ukraine months just to dig the bodies out of the destroyed family homes that Russia spent a few minutes bombing.

However, I don't think the number of dependencies is a useful number: node was one of the first languages to have a built-in standard way to get and manage dependencies, which meant that dependencies could be much, much smaller. Boost for C++ is a giant project, so you can say that your C++ project only has a few dependencies, but if C++ had a decent standard dependency manager, projects like Boost would probably be split up more.

* I am aware Maven exists for Java, but the cultural expectations for Java were set long before it became a thing.


> node was one of the first languages to have a build in standard way to get and manage dependencies

CPAN? Pip in python? Pear for php?


Bundler for Ruby, maven for Java, ...


Most people are good

incorrect, try again please.


Until something bundled with a large amount of linux distros has a root privilege escalation[1].

[1] https://access.redhat.com/security/vulnerabilities/RHSB-2022...


Aren't bugs different than malice? I sure hope so or I'm in a tight spot.


My main point was that it's silly to treat stdlibs as gospel and everything else as vulnerable nonsense.


So… no more open source?


>So… no more open source?

No more random-source. And no more "automatically pull from master, then build & deploy".


Well, maybe no more "pull someone else's master and build without scanning".

Inside a walled garden / from specific people you trust should be fine. Some automated scanning could maybe be ok-ish at least sometimes.


This is why I commit node_modules to my own repos.


Unless you are reviewing the code in your assumedly large bundle of dependencies there, this is not a solution if you weren't posting this in jest


Not in jest. Still using node_modules from before these stunts started to occur. I recognize I am accepting risk. What I am avoiding is the surprise of a ^version-compatible file introducing new and unwanted “features”.


What do you do for security updates? There are a lot of them for NPM modules. Seems GitHub manages the database for those now:

https://github.com/advisories


I swear 99% of them are prototype pollution or regex DoS that don't apply to how I'm using the dependency.


What about the 1% that delete data or allow for code execution?


See, now I can only assume you are playing with our emotions. You got the forehead vein going at first though so I'll give you that.


Snapshot VM, npm install


And how do you know that is safe and hasn't exfiltrated all your data or used a VM escape exploit.


Even then, if undocumented functionality is waiting for a certain day or certain action for something to execute you have no way in asserting one way or the other if it is safe because you haven't reviewed it.


Just pipe curl to bash ;)


Nope, just a smaller circle of trust.


Vet and pin your dependencies.


Seems like overkill. You can just pin the version of the dependency and host it, no? It’s standard practice the last few places I’ve worked.
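
The "^version-compatible" surprise mentioned earlier in the thread and the "pin the version" advice above both come down to what the specifiers in package.json look like. The following is an added example, not code from the thread or from any package it discusses: a small audit that reads a package.json and reports every dependency whose specifier is a range (caret, tilde, wildcard, comparison or a git/URL source) rather than one exact version. The manifest it scans is constructed for the example.

```javascript
// Added example (not from the thread): flag dependency specifiers in a
// package.json that are not pinned to a single exact version. A caret or
// tilde range lets a later `npm install` silently resolve to a newer
// release, which is the "^version-compatible" surprise discussed above.
'use strict';

// True only for an exact semver version such as "1.2.3" or "4.0.0-rc.1".
// Anything with range operators, wildcards, tags or a git/URL source fails.
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.test(spec);
}

// Walk the dependency sections of a parsed package.json and return every
// entry that is not pinned, together with the section it came from.
function findUnpinned(pkg, sections = ['dependencies', 'devDependencies', 'optionalDependencies']) {
  const findings = [];
  for (const section of sections) {
    const deps = (pkg && pkg[section]) || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!isExactVersion(spec)) {
        findings.push({ section, name, spec });
      }
    }
  }
  return findings;
}

// Parse manifest text and audit it; throws on invalid JSON like npm would.
function auditManifest(text) {
  return findUnpinned(JSON.parse(text));
}

// Constructed sample manifest; the names and versions are made up.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  dependencies: {
    'example-polyfill': '^1.0.0',   // caret range: unpinned
    'example-pad': '1.3.0',         // exact: fine
    'example-lib': '~2.1.0',        // tilde range: unpinned
    'example-any': '*',             // wildcard: unpinned
    'example-git': 'github:example/repo', // git source: unpinned
  },
  devDependencies: {
    'example-tool': '>=3.0.0',      // comparison range: unpinned
    'example-pinned': '4.0.0-rc.1', // exact prerelease: fine
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditManifest(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.section}: ${f.name} uses "${f.spec}"; pin it to an exact version`);
  }
}
```

Exact specifiers alone are only half of it: a committed package-lock.json installed with `npm ci` is what actually freezes the transitive tree, and, as the reply below points out, neither step reviews the code that gets installed.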


Unless you are reviewing their code too then it is no different. I've read every privacy policy and TOS I've ever signed and even I can't fathom reviewing node modules to completion. I don't even know if that is possible given that any node project can have endless cyclic dependencies


I have worked at a big famous tech company where you had to have approval for every dependency. It was slow to get a new library reviewed, but usually the popular ones were already on the list. I think this process actually scales reasonably well because the more engineers you have, the more likely it is someone else has been there before.


Thought experiment: imagine you were in a country being shelled by foreigners; the thought process shaping your decision making might be different from someone sitting in a safe country.

Granted, it's possible these commits are from people outside Ukraine, in which case, I wouldn't give them a pass.


I even agree with the message but we must keep this out of open source or we're going to lose all of it because nobody will be able to trust it and use of open source will immediately fail certifications. This is well poisoning, all of them.


Correction: no one should have been trusting it for years already. There's very obvious supply-chain vulnerabilities in pretty much all open source developer repositories. And that's by design: npm, pypi, rubygems, cpan etc are developer resources. Nobody should have been deploying them unseen to production. Ever.

If you want trust, use a (Linux) distribution as intermediary.


Why should I trust open source today? Packages are routinely hacked, political message or not. I 100% agree this has no place in open source but (1) people subject to the effects of war aren't in the most sound state of mind and (2) "npm install" is arbitrarily running pre- and post- hook commands that can do all sorts of fun things on your machine. This commit looks harmless in comparison to packages looking for wallets and AWS credentials.

OSS is used not because it's safe or secure, but because the benefits outweigh the costs.


> Why should I trust open source today? Packages are routinely hacked, political message or not.

Correction: NPM packages are routinely hacked.

I've been using linux packages for two decades, and not once have they been hacked (to my knowledge). I consider those packages to be infinitely more secure than proprietary packages where I and others can't check what's running under the hood.

OSS being safe and secure is one of the primary reasons why I prefer open source to closed source software.


Anecdotally, I agree because it's difficult to find much on linux package distribution hacks. But there is this: https://lwn.net/Articles/295406/

I guess I wonder where you draw the line, and if this sort of incident is acceptable, why, and is the line being drawn arbitrary.


and typo name hijacks in other language specific repos


> I even agree with the message but we must keep this out of open source or we're going to lose all of it because nobody will be able to trust it and use of open source will immediately fail certifications. This is well poisoning, all of them.

There are deeper issues with NPM: how many developers review or audit any packages they download anymore cause each time they pull a single package, it comes with 3000+ dependencies? I'm being hyperbolic, but "open source" isn't the issue here.

What certification are you even talking about if developers themselves can't be bothered to audit their 3000+ NPM dependencies in the first place? It's too much work cause too many dependencies? Well that's the architecture NPM chose. I don't have that issue with Go, PHP or Java package management oddly...


Agree with this. Open source is not the problem, but running code written by a random guy without fixed version and without auditing between upgrades is.


If they want something they can trust they ought to pay for it. If rich companies feel like they can no longer afford to mooch off people working for almost nothing and have to write their own libraries tell me what of value will be lost?

I mean do you hang out in your kitchen hoping that Bezos will come by your house to borrow a cup of sugar?


this sort of hacktivism is causing more damage than it does good because it just annoys people, isn't telling anyone anything they haven't heard yet, and is going to exclude that person from participating in other software projects.

Donate money, take in a refugee, if you're so inclined go fight on the frontlines but this kind of theater is only done because people want personal attention.


Looking at the actual code, I think your criticism slightly misses the mark.

> is going to exclude that person from participating in other software projects

It's not targeted at developers. It targets end users. It shows a browser dialog containing the author's message if the timezone is set to a Russian city.

> isn't telling anyone anything they haven't heard yet

It's not trying to inform you. It's trying to inform Russian citizens by sharing an onion link to the BBC website so they could have access to uncensored information.

> is only done because people want personal attention

It's probably done because the author is Russian. It's stated in the author's GitHub profile.
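
The behaviour described in this comment, a dialog shown only when the browser's timezone matches a region, is the kind of thing a reviewer wants surfaced before a dependency update lands. As an added example that is not code from the thread or from the package under discussion, here is a heuristic scanner that flags source files where timezone or locale detection sits close to a user-facing dialog or navigation call. The samples it scans are constructed; the scanner ranks files for a human look and decides nothing about intent.

```javascript
// Added example (not from the thread): a review aid that flags JavaScript
// source in which "where is the user" detection appears near "show the user
// something" calls. Legitimate date formatting also reads the timezone, so
// the output is a review queue, not a verdict.
'use strict';

// API patterns treated as locale / timezone detection.
const LOCALE_SIGNALS = [
  /Intl\.DateTimeFormat\s*\(\s*\)\s*\.resolvedOptions\s*\(\s*\)\s*\.timeZone/,
  /\.getTimezoneOffset\s*\(/,
  /\bnavigator\.languages?\b/,
];

// API patterns treated as user-facing side effects.
const UI_SIGNALS = [
  /\balert\s*\(/,
  /\bconfirm\s*\(/,
  /\bwindow\.open\s*\(/,
  /\blocation\.(?:href|assign|replace)\b/,
];

// Scan one source text. Returns the 1-based line numbers of each signal kind
// and whether a locale signal and a UI signal fall within `proximity` lines.
function scanSource(source, proximity = 20) {
  const lines = source.split('\n');
  const hit = (patterns, line) => patterns.some(p => p.test(line));
  const localeLines = [];
  const uiLines = [];
  lines.forEach((line, i) => {
    if (hit(LOCALE_SIGNALS, line)) localeLines.push(i + 1);
    if (hit(UI_SIGNALS, line)) uiLines.push(i + 1);
  });
  const suspicious = localeLines.some(a => uiLines.some(b => Math.abs(a - b) <= proximity));
  return { localeLines, uiLines, suspicious };
}

// Scan several named files and return only the ones worth a reviewer's time,
// most signal-dense first.
function rankForReview(files, proximity = 20) {
  return Object.entries(files)
    .map(([name, src]) => ({ name, ...scanSource(src, proximity) }))
    .filter(r => r.suspicious)
    .sort((a, b) => (b.localeLines.length + b.uiLines.length) - (a.localeLines.length + a.uiLines.length));
}

// Constructed samples, not taken from any real package.
// Reads the timezone only to format a date: expected to be benign.
const SAMPLE_BENIGN = [
  'function fmt(d) {',
  '  const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;',
  '  return d.toLocaleString(undefined, { timeZone: tz });',
  '}',
].join('\n');

// Reads the timezone and then shows a dialog: expected to be flagged.
const SAMPLE_SUSPICIOUS = [
  'const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;',
  "if (tz.startsWith('Example/')) {",
  "  alert('message for users in this region');",
  '}',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const queue = rankForReview({ 'format.js': SAMPLE_BENIGN, 'init.js': SAMPLE_SUSPICIOUS });
  for (const r of queue) {
    console.log(`${r.name}: locale detection on ${r.localeLines}, UI call on ${r.uiLines}`);
  }
}
```

The check is deliberately narrow: it is run against the diff of a dependency upgrade, where a newly introduced locale-plus-dialog pairing in a library that never showed UI before is exactly the change a maintainer would want to read by hand rather than discover from end users.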


Would you follow such a link that pops up?


Depending on the situation, yes. In an environment where information is heavily censored, some people are going to be desperate for outside sources of information. They just need to know where to look.

It's also a red herring too. No answer to your question validates the original commenter's factual understanding of this incident. The commenter got the basic facts completely wrong, which highly suggests that the commenter didn't bother to look beyond the title. But it was apparently enough to label someone an attention seeker.


Would your grandmother?


My grandmother doesn't have the tor browser installed.

If you already have tor installed you are already capable of getting the information you want.


Losing people's trust isn't likely to help your cause, whatever it may be.


Doesn't matter where you are from, you don't know what the effect of your actions is and who will be affected.

Put it onto social media, your website, your disclaimer, code comments, code license etc.

But never in the functionality of your code.


In today's world, it's guaranteed that these are folks outside of Ukraine.

Virtue signalling will be the death of us. Wanting to look like you're doing something is winning more than actually doing something.


Unless you're one of a handful of a senior politicians, you can't 'do something' meaningful.

But fortunately, we live in a society where speech has an effect. Speech (which you derisively refer to as 'virtue signaling') shifts the Overton window, and influences the direction society goes.


The expression "virtue signaling" implies insincerity.


And there's nothing more insincere than telling strangers on the internet to believe what you do because "it's the right thing to do!"


Do FOSS contributors actually expect malware like this to produce significant positive attention to their cause? More so than social networks and the media?


Exactly. They piss off ten people for every one they think they're helping. It's not sustainable.


> shifts the Overton window

It's ironic that you mention this, because the Overton window has been shifted so far to the left, I don't even think it's on the wall anymore.

Censorship is _rampant_ around the world. I'm glad you think it's all roses and daisies out there, but you have no idea how naive your perspective is.


Has it? Because in the past few years, it's started including ideas like 'The shadowy forces of Antifa and the occasional broken window on May Day is a bigger threat to liberty than actual fascism' and 'Is an election that the right loses actually a legitimate election?' and 'Basic public health measures are tyranny!' and 'The most popular podcaster in the world with millions of followers is actually an incredibly repressed, censored, and silenced person, who can't say anything anymore because he's a straight white guy.'

If anything, the common trend seems to be insecurity and feelings of martyrdom among disciples of ideas that would have been considered batshit insane a decade ago. Have you completely failed to miss the boat where the American right took a hard step away from the center, courtesy of Obama, and later Trump and Q?


> occasional broken window

I repeat, as someone who moved out of a city to get away from much more than 'the occasional broken window', your perspective is naive and you look ridiculous.

> Is an election that the right loses actually a legitimate election?

That's a cute way to 'remember' it was the first time we did mail-in voting at scale, or did you also forget that in 2016 the media and left wouldn't shut up about Russia infiltrating our elections? You know, if things were so f*cked in 2016, I'm not sure what changed to make the 2020 elections so impervious to fraud by comparison.

> Basic public health measures are tyranny!

You do realize that the models for COVID-19 got more wrong the longer the charade went on? You do realize that for 2 years things such as exercise and preventative care were put off for sheer virtue signaling through cloth masks? No, of course not, you're just another person who thinks we all made it through a 'pandemic' when worse pandemics have happened no sooner than a decade ago. Here's a hint: None of the measures during the pandemic were in the name of "public health" and someday in the near future, you'll learn in difficult ways why that is the case.

I truly hope you find the right way. From only two comments I can tell you're the type of person who thinks propaganda could never affect them, but is somehow hyper aware of the propaganda that is affecting others. It's the most dangerous type of pawn and you're the epitome. Congratulations.

You're not informed if you're just repeating what some billionaire wants you to.


What is it about nodejs/NPM in specific that leads to malicious changes being so noteworthy/significant?

I barely ever see anything about other package indexes (crates.io, PyPI, etc).

Doesn't npm also use a lock file by default for packages?


There's a few reasons.

First, the scale of the JavaScript ecosystem. JavaScript is so much larger than every other ecosystem, so even a very small probability event (somebody introducing malware into a package) can happen surprisingly often given the scale of the ecosystem. Supply chain attacks are a problem in all open source ecosystems – not just JS – but they are a bit rarer and don't affect as many people so fewer people take note.

Second, npm was one of the first package managers to solve the classic "dependency hell" problem. In Python, if you have two dependencies, A and B, which both depend on different versions of C, say C@1.0.0 and C@2.0.0, respectively, then you're in trouble. You have a broken project. Python can only install one version of C. So now you're in dependency hell.

Npm on the other hand just installs both versions of C and it gives A the version that it wants, C@1.0.0. And it gives B the version that it wants, C@2.0.0. Both packages are happy - problem solved.

This caused Python maintainers to think twice before adding a new dependency lest they cause "dependency hell" for their users. Much better to just copy paste these 50 lines of code rather than adding a dependency. So there was an intrinsic sort of resistance – some pain is involved in adding new dependencies.

Npm maintainers had no such constraints. In a way, npm’s better developer experience led to the whole module ecosystem scaling "too well".

Disclosure: I started Socket (https://socket.dev) to help solve open source supply chain security. To learn more, see: https://news.ycombinator.com/item?id=30521913


>Python maintainers would think twice before adding a new dependency lest they cause "dependency hell" for their users. So there was an intrinsic sort of resistance – some pain is involved in adding new dependencies.

Well, no, it's because the standard library is so good.


I don't know if there is a way to objectively compare "good"-ness of standard libraries but more often than not, I'm missing JS sugar when coding in python than python sugar when coding in JS.


both


nodejs is full of "full-stack developers" that used to be "front-end engineers" or "integrators" 10-ish years ago. In a lot of cases, they do not come from a CS background but a more creative one due to the related tasks their profession used to have to deal with before js and node exploded (eg slicing templates), thus are less aware of/strict on security risks and issues.

That's biased as hell but it's been my experience


Really terrible take seeing as Javascript devs span all areas of focus and every level of experience, and education.

I've seen plenty of programmers with CS degrees make terribly dumb mistakes, and some self-taught developers are some of the smartest people I've worked with.

There are more javascript developers, because JS is far and away the most popular programming environment due mainly to its ubiquity on the web. Because of that the JS supply-chain is a much larger attack surface than most languages.


The self-taught developers of today are a far, far cry from the self-taught developers of yesteryear.

Self-taught developers were once ardent hobbyists hailing from an era before (we had quite this much) aggressive commercialization of the internet. They found it fun to make computers blink pretty colors.

Self-taught developers today heard you could make a quick buck from the profession.


This is what’s known as a “just-so story”. In an alternate universe you could tell the same story to explain why js devs only copy/paste code and never use dependencies because they can’t wrap their heads around a complex dependency graph and the required tooling.


It's basically a social network for new developers.


explain this comment?


Npm is primarily hosted out of github where your code posts get stars, followers, etc. This drives user engagement, encourages tons of content, and helps new entrants network with other developers. There is good content in there for sure but it’s mostly just the code versions of Facebook posts


The size of the ecosystem.

Industrial sabotage happens in most industries and JavaScript developers are no exception. This particular industry is huge. It contains millions of workers, some of which are politically motivated to engage in this kind of sabotage. The potential reach is even larger. And a well performed sabotage can potentially affect millions of people inside or outside the industry without putting the saboteur in that big of a risk.

I’m actually surprised we don’t see more of this.


you missed the package typo name hijacks on pypi that installed malware?


npm lock file is platform-dependent, so people are reluctant to check it in.


NPM default "package-lock.json" lock files only prevent your immediate dependencies from changing.

If a transitive dependency (the majority of them) has changed, you're out of luck.


If I recall it right, `npm ci` installs the exact same version defined in package-lock.json, for all dependencies.


I recommend reading "What NPM Should Do Today To Stop A New Colors Attack Tomorrow" by Russ Cox (Go's lead): https://research.swtch.com/npm-colors


Also see "What's Really Going On Inside Your node_modules Folder?" for examples of recent supply chain attacks and steps you can take to protect your team: https://socket.dev/blog/inside-node-modules


Wow, awesome to see what you're working on with Socket. I feel it's a much-needed tool.

One question though: how do you think https://socket.dev will compare to https://snyk.io/ and other similar tools? How do you differentiate yourself from competition in the space?

(I've been a big fan of yours since early WebTorrent days.)


Snyk doesn’t address supply chain attacks.

Snyk and the entire security industry is obsessed with identifying known vulnerabilities. But they all miss the point. Looking for known vulnerabilities is reactive. Vulnerabilities take weeks or months to be discovered.

A malicious dependency can be updated, merged, and running in production in days or even hours. We need to assume all open source may be malicious and try to proactively detect indicators of compromised packages. A better approach is to detect when dependency updates introduce new usage of risky APIs such as network, shell, filesystem, and more.

And thanks for the WebTorrent love!


Great answer, thank you! I'm going to sign my company up for socket.dev.


Pretty much every Western democracy is sanctioning Russia, causing severe shortages that are felt most by ordinary Russian people -- but it crosses the line when a Russian expatriate makes an anti-invasion message show up for Russian visitors to some websites that used his code, "provided 'as is', without warranty of any kind, including fitness for a particular purpose"?


Ran this through Google Translate, omitting URLs:

24 February Russia attacked Ukraine

The people of Ukraine are universally mobilized and ready to defend their country from enemy invasion

91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.

The whole world condemned the unjustified invasion and decided to impose unprecedented sanctions against Russia. With each new day, they will be felt more and more strongly among civilians.

At the same time, the Russian government restricts citizens' access to external information, planting one-sided formulations and versions of what is happening.

As a reliable source of information, download the secure Tor Browser:

Stop this senseless war! Stop war criminal Putin!


On version 1.0.26. Committed 23 days ago as "update":

https://github.com/Yaffle/EventSource/commit/de137927e13d8af...

Also looking more at the update, I'm guessing it came from the repo owner (who is in Russia), not necessarily "political activists". Committed by a deleted "Viktor".


What do you mean deleted? The commit author is “Viktor Mukhachev <vmukhachev@rocketsfotware.com>” but from a GitHub perspective it seems pushed directly to master. AFAIK GitHub links commits to usernames based on public emails associated with accounts, purely as a UI convenience.


Good. If you open yourself up to this form of exploitation by increasing your attack surface proportional to the order of the insane dependency graph that is the NPM ecosystem... then prepare to be exploited.


Looks like a pretty reasonable & non-destructive message to reach Russians who are within the curtains of Kremlin propaganda.. Plus it'll teach some people about dependency management.


At least this doesn’t delete your hard drive. Seems relatively benign.


There should still be a zero-tolerance policy for hidden undisclosed functionality in open source repos


Do you feel the same about easter eggs?

Because when I argue that and give example of easter eggs which caused security vulnerabilities or broke shell scripts on certain dates people reply "oh, lighten up, you are just a party killer, allow some human touch"


> Do you feel the same about easter eggs?

Absolutely! Undocumented Easter Eggs cannot be tolerated in any software project today.

Larry Osterman wrote about why Microsoft (and most other major software vendors) banned easter-eggs: https://docs.microsoft.com/en-US/archive/blogs/larryosterman...

The important point is (to quote):

> If the manufacturer of the software that's on every desktop in your company can't stop their developers from sneaking undocumented features into the product (even features as relatively benign as an Easter Egg), how can you be sure that they've not snuck some other undocumented feature into the code.

But if an easter-egg is documented and implemented following normal software engineering practices then that's fine (of course paying customers won't be happy to learn that's where the team is putting their resources), and you can still keep things "secret" by hiding them in spoiler-tags or similar in your changelist - but there must never be any unaccounted-for functionality in a software project.


I'm a bit torn, tell you the truth.

But there is absolutely a difference between an easter egg, something that usually takes real effort to discover and trigger, and something that runs as part of normal execution.

In regards to the examples you give where it causes vulnerabilities or bugs, I think it can be a test if the software you're actually embedding the egg in needs to be improved. If an easter egg breaks something then that's probably indicative of a larger problem.


Please don't try to equate easter eggs with intentional damaging code.

This shouldn't be a difficult discussion in this way.


> hidden undisclosed functionality

That describes basically all the code I install from open source repos, bar the very specific section of code I actually use.


Further, there should be zero-tolerance policy for injecting The Current Thing.


To me it doesn't really matter what is injected, as long as it's undisclosed in places people would look (NPM/Readme/Docs/etc), it's unacceptable


It's in the code. That's where people should look first and foremost in opensource dependencies. Otherwise how do you know you're not pulling in some horrible, bug ridden crap as a dependency? Most npm code has almost 0 documentation anyway.


If you expect a developer to review every line of code of every version of every module all the way down the NPM dependency tree then we can forget about anyone ever completing a project.

There are other solutions.


You don't need to review every line. Just general code quality, and search for obvious obfuscations/or things like these.


Simply instantiating a React project with `create-react-app` generates a lock file with over 1300 transitive dependencies:

    $ npx create-react-app sample-app
    $ cd sample-app
    $ cat package-lock.json | jq '.packages | length'
    1393
Expecting all developers (including those new to the field) to manually audit each and every one of these packages simply isn't feasible.


I’m curious what this “The Current Thing” phrase is supposed to mean. I’ve seen it used a few times very recently, and as best I can tell it seems to mean something along the lines of “all opinions on a current event or political issue are equally valid and thus any strong position on the event or issue ought to be mocked.”


I think it's poking fun at people who didn't care about [the current thing] X days ago, but are now really passionate about it.

Like one month almost all their posts are about COVID and the next month almost all their posts are about BLM.

But the "current thing" often isn't a new thing, and instead touches on some core value. For example, people who have never been to Ukraine or know anything about it still care about Ukraine because the situation speaks to issues of violence, freedom, honesty, safety, etc. And people who have never watched a college swim meet care about the trans swimmer because it speaks to issues of fairness, inclusion, gender, etc.

I think there's some validity to pointing out that we don't all have to weigh in on national conversations or lose sight of the bigger picture. But I think it's also a way to try to shut down conversations using a blanket criteria: new, popular conversation == bad conversation. That philosophy can't reasonably be applied to all new conversations without doing more harm than good. In my experience the "current thing" critique is very selectively applied to discussions the commenter is opposed to or bored with, which is subjective and very personal.


"the current thing" is everywhere and it gets incredibly tedious to see the same opinions and ~~discussions~~ arguments infecting everything.

This has nothing at all to do with the correctness of any of the positions, just their pervasiveness.


You pop up in a few convo threads that TobyTheDog is in. That's a coincidence isn't it


"You pop up in a few convo threads that TobyTheDog is in."

So do you. So do I.

It's not a coincidence, and it's not the implied other explanation.

It's because the structure of vote-sorted top-N list sites like HN, Reddit, and so on, focuses most people on the same short list of topics.

We will all bump into each other again, whether or not we have any intention of doing so.

We're all chatting on the first two pages of stories. We will all collide frequently with people holding similar hours.


It's.... almost like people want to have a discussion about this? I'm confused about what you're implying.


Did you mean to respond from your other account?


I guess I should've figured out that you've been arguing in bad faith this entire time.

I'll give less benefit of the doubt with the next troll.


Whatever is pushed by big media as high virtue to the masses for benefiting corporations or established political forces e.g. the Iraq war, "orange man bad", dictatorial vaccines over any therapeutics, the Ukraine war etc.


How about just console.log-ing a few support messages for Ukraine?


It's all about where people draw the line.

Personally, I don't think I'd count console.log as "hidden/undisclosed functionality", while I would claim opening a browser window is.

But some people might, and if I was creating a FOSS library I would not include it.

---

EDIT: On second thought, I might consider it functionality:

People have application logs that are exposed to customers (so it would cause the company to appear to be taking a stance), or exported to other systems which only understand certain log messages, causing issues there.


>undisclosed

it's open source


This is a really bad (bad faith?) interpretation of what I said.

Just because something is in the source code doesn't mean it's acceptable - it's not disclosed anywhere the majority of people would look: A readme, a NPM description, documentation, etc.


Undisclosed implies that it's secret/hidden. By definition, OSS software has no undisclosed functionality.

You're looking for better documentation/a community contract.


You can discuss semantics all you'd like, like I said above it doesn't make it acceptable.

If I could I'd update my original comment to be more explicit, with either "unadvertised" or "undisclosed where the majority of people would look"


Is that now the standard we hold people to in NPM world?


I assume it’s a reference to this incident, which didn’t quite destroy hard drives but got them into a pretty messed up and hard-to-fix state:

https://news.ycombinator.com/item?id=16435305


The web needs APIs that enable certain blocks of code to run under specific permission constraints. Such constraints might include the ability to read/write to the DOM; window.alert; redirecting (well I guess CSP covers that one) etc. At least let us mitigate it.


This already exists: iframe sandboxes and content security policies. All we need now is a library that allows you to easily load, run, and interact with code in a sandboxed frame, using something like Comlink to make it feel as if it's all running in the same environment.


I know about CSP and iFrames, but I think they aren't ergonomic enough to be used as mechanisms to restrict deps right?

Iframes need a full web context whilst CSP can't target individual code blocks. For example, I might want my code to be able to do alerts, but I don't want dependency x to be able to.

EDIT: Ah I think that's what you meant by your "code in a sandboxed iframe thing". Fair.
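The "my code may alert, dependency x may not" split is exactly what the iframe `sandbox` attribute gives you: a frame without `allow-modals` ignores alert/confirm/prompt, without `allow-popups` its window.open() returns null, and without `allow-same-origin` it gets an opaque origin with no access to the host's cookies, storage or DOM. The code below is an added example for this thread, not code from the thread, the EventSource polyfill, or Comlink; the function names, the tiny ping/pong message protocol and the idea of wrapping the loader are this example's own, and the frame is assumed to load the dependency as a classic script from the pinned URL you pass in.

```javascript
// Added example for this thread; not code from the thread, the EventSource
// polyfill, or Comlink. Loads a third-party browser script inside a sandboxed
// iframe so that alert()/window.open() and access to the host page are denied
// to the dependency but still available to your own code, and talks to the
// frame over postMessage. Function names are this example's own.

// Sandbox tokens: grant nothing beyond script execution unless asked.
//   no 'allow-modals'      -> alert/confirm/prompt are silently ignored
//   no 'allow-popups'      -> window.open() returns null
//   no 'allow-same-origin' -> opaque origin: no host cookies, storage or DOM
function sandboxTokens(grants = {}) {
  const tokens = ['allow-scripts'];
  if (grants.modals) tokens.push('allow-modals');
  if (grants.popups) tokens.push('allow-popups');
  if (grants.sameOrigin) tokens.push('allow-same-origin');
  return tokens.join(' ');
}

// CSP for the frame document: only the dependency's host may serve scripts,
// our bootstrap script is allowed by nonce, and connect-src controls which
// servers the loaded code may talk to (an EventSource polyfill needs its SSE
// endpoint listed here; everything else stays 'none').
function frameCsp(scriptHosts, nonce, connectHosts = []) {
  const connect = connectHosts.length ? connectHosts.join(' ') : "'none'";
  return [
    "default-src 'none'",
    `script-src 'nonce-${nonce}' ${scriptHosts.join(' ')}`,
    `connect-src ${connect}`,
  ].join('; ');
}

// The frame document: CSP meta tag, a message handler that only answers its
// own parent, then the dependency itself.
function frameSrcdoc(depUrl, nonce, connectHosts = []) {
  const csp = frameCsp([new URL(depUrl).origin], nonce, connectHosts);
  return [
    '<!DOCTYPE html><meta charset="utf-8">',
    `<meta http-equiv="Content-Security-Policy" content="${csp}">`,
    `<script nonce="${nonce}">`,
    "window.addEventListener('message', function (e) {",
    '  if (e.source !== window.parent) return;',
    "  if (e.data && e.data.type === 'ping') {",
    "    parent.postMessage({ type: 'pong', hasEventSource: typeof EventSource !== 'undefined' }, '*');",
    '  }',
    '});',
    '</script>',
    `<script nonce="${nonce}" src="${depUrl}"></script>`,
  ].join('\n');
}

// Needs Web Crypto (browsers, Node 19+).
function randomNonce() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Browser-only: mount the frame and return send()/onMessage(). A sandboxed
// frame's origin is "null", so event.origin cannot authenticate it; compare
// event.source with the frame's window instead.
function mountSandboxedDependency(doc, depUrl, grants = {}, connectHosts = []) {
  const iframe = doc.createElement('iframe');
  iframe.setAttribute('sandbox', sandboxTokens(grants));
  iframe.srcdoc = frameSrcdoc(depUrl, randomNonce(), connectHosts);
  iframe.style.display = 'none';
  doc.body.appendChild(iframe);
  const listeners = [];
  doc.defaultView.addEventListener('message', (e) => {
    if (e.source !== iframe.contentWindow) return; // not our frame
    listeners.forEach((fn) => fn(e.data));
  });
  return {
    iframe,
    send: (msg) => iframe.contentWindow.postMessage(msg, '*'),
    onMessage: (fn) => listeners.push(fn),
  };
}

// Browser usage with the thread's own demo URL and no grants: the delayed
// alert() and window.open() described in this thread are blocked inside the
// frame while the host page keeps both.
// const dep = mountSandboxedDependency(document, 'https://unpkg.com/event-source-polyfill@1.0.26');
// dep.onMessage((m) => console.log('from sandbox', m));
// dep.send({ type: 'ping' });
```

The caveat is the one the comment above raises: the dependency now runs in its own document, so anything it was supposed to do to your page (patch `window.EventSource`, touch the DOM) has to be re-exposed as messages, and the real value you get from a polyfill is its network behaviour, which you must then allow explicitly through `connect-src`. That is more work than `npm install`, but it is the only boundary in the platform today that a dependency cannot opt out of.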


I was digging through node_modules today and almost had a heart attack. We are running this code across millions of users right now.


Did you ever audit the code in that package or read the source at least once?


That's a tremendous expectation. There are 913 node_modules in the first project I glanced at. That's millions of lines of code.... More than one person can reasonably audit even if it's their full-time job. Where would this responsibility end? Should they also be auditing Node.JS source code? And nightly browser builds? No, we necessarily federate our trust at some point in these things being raised by others (like now, albeit 23 days late).


It seems like you're attempting to suggest that third party javascript is on equal trust footing with major tools and things by international corporations


My point was that it's unreasonable to expect the exhaustive audit of all node modules. That said, "major tools and things by international corporations" like Gatsby depend on the topic library [0].

https://www.npmjs.com/browse/depended/event-source-polyfill


There is a distributed code review system that is intended to make it feasible to do the necessary review:

https://github.com/crev-dev/


I don't run nightly browser builds because that's too much to keep up with. I have actually read quite a bit of the code for the browser I use. I read almost everything I deploy because I'm responsible for it. Using other people's code absolves you from maintenance but not responsibility, that's something people need to start understanding. It's a very reasonable expectation that you read through your dependencies, if it's too much then it's time to trim some fat.


I feel like this question has good intentions but comes across wrong. It's virtually impossible to audit literally every nested dependency.


Depends on how much the company values (i.e. is paying for) that supply chain security. And if enough companies cared they could even save money by pooling efforts.


The crev folks aim to create a tool to allow that pooling:

https://github.com/crev-dev/


If nobody can audit the dependency tree, should you really be using it?


"Depends". The benefits of leaning on open source pays off the majority of the time. Are you exposed to more risk? Yes. Does that mean you shouldnt take that risk? Not really. Otherwise you'd struggle to move quickly and be competitive.

Of course certain things change this balance. Hopefully nuclear power plants don't have NPM in their toolchain. And I believe financial orgs already have quite heavy auditing of dependencies.


Open source and large dependency trees are orthogonal. You can depend on closed modules in compiled languages, many people do. You can write open source software and only depend on the standard library, many people do.


It's literally possible. You just have to have that as a goal from the start of the project. I just looked at our call center product. Across frontend and backend we have 70 npm dependencies required for build/runtime. Most are small.

It's not that hard to do some superficial review once and do a diff of node_modules when updating npm-shrinkwrap.json for whatever reason.

It's utterly irresponsible to not do so when pulling code from untrusted sources like npm.

Don't pull in dependencies which have many dependencies themselves. There are many projects that pride themselves on minimalism and lack of transitive dependencies. Choose those. Etc.


Good question, I'd love to see an honest answer...


Around line 1050. Triggers an alert and opens a new page.


Specifically 15 seconds after the code is loaded - since this is a polyfill this means immediately after the page loads - it checks if your browser is in one of Russia's timezones, and alerts the message if it is. It then tries to use window.open to open a change.org petition (user? I'm wary of checking the link), but because this call is triggered by a timer and not user interaction, most browsers' popup blockers will block it by default.


Change.org is a legitimate site -> it's just a campaign to donate to Ukraine, still unacceptable to include as a forced-window-open


compromised? it is his code, he can do what ever he wants to do

he can put a Ukrainian flag on my terminal, just like he can put a Russian flag on your terminal, it is the purpose of his library, it's not yours

you decided to rely on this individual for free, without consulting, without asking yourself how updates are delivered and what he plan to do with his code

you are the only one responsible for compromising your company by depending on such a library

NPM/Cargo driven development is bad for everyone

if code on NPM/cargo can't be reviewed by moderators, then you can't complain

if you don't review code from your dependencies, then you also have your part of responsibility


This is in the latest published version 1.0.26 https://www.npmjs.com/package/event-source-polyfill


The version was released 22 days ago. npm has a list of dependents https://www.npmjs.com/browse/depended/event-source-polyfill.

Gatsby is the big one, and it doesn't use a lockfile or pin the specific version so any new installation will receive the bad version, but this package is only to be used in a development environment https://github.com/gatsbyjs/gatsby/blob/441a5af8e665256c7703....


So my NIH "syndrome" is not so bad, after all. :D


100% off topic but golly this "don't unleash zalgo" fear & its propensity for spawning new sync+async concurrency systems. if a promise weren't so vengefully async we could have just not written most of this code:

    this.abort = function () {
      if (this.signal._reader != null) {
        this.signal._reader.cancel();
      }
      this.signal._aborted = true;
    };


Reading the source the compromise is on these lines in particular (https://github.com/Yaffle/EventSource/blob/de137927e13d8afac...).

To experience the exploit set your computer timezone to any Russian timezone (e.g. asia/omsk) and paste the following data URL to your url bar:

    data:text/html;charset=utf-8,<!DOCTYPE html><title>EventSource</title><meta charset="utf-8"><script type="module">import "https://unpkg.com/event-source-polyfill@1.0.26"</script>
In 15 seconds an alert window will open with a message which translates to:

> On February 24, Russia attacked Ukraine.

> The people of Ukraine are universally mobilized and ready to defend their country from enemy invasion. 91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.

> The whole world condemned the unjustified invasion and decided to impose unprecedented sanctions against Russia. With each new day, they will be felt more and more strongly among civilians.

> At the same time, the Russian government restricts citizens' access to external information, planting one-sided formulations and versions of what is happening.

> As a reliable source of information, download the secure Tor Browser:

> https://www.torproject.org/

> And visit:

> https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6a...

> Stop this senseless war! Stop war criminal Putin!

After you dismiss the alert window a new window will open with the page http://www.change.org/NetVoyne


At the very least, this should have been a minor version bump, as it changes the output of the package and adds a new feature in the popup. The proper bump would have been a major version. But the author of the commit wasn't looking to be proper. They were looking to make a statement.


I know right, 2 spaces for indentation!!!


Snyk is having a field day with new signups.


Snyk doesn’t address supply chain attacks.

Snyk and the entire security industry is obsessed with identifying known vulnerabilities. But they all miss the point.

Looking for known vulnerabilities is reactive. Vulnerabilities take weeks or months to be discovered. A malicious dependency can be updated, merged, and running in production in days or even hours.

We need to assume all open source may be malicious and try to proactively detect indicators of compromised packages. A better approach is to detect when dependency updates introduce new usage of risky APIs such as network, shell, filesystem, and more.

Disclosure: I started Socket (https://socket.dev) to help solve open source supply chain security.


I wonder if Yarn can do anything more to solve these problems from a CLI tool perspective. Stricter version locking? Better alerts for compromised dependencies?


Yarn and NPM are enablers of these issues, not solutions to them. The convenience they afford combined with the culture of the JavaScript package ecosystem needs to be entirely revisited. As it stands, we are all simply waiting for something widescale and truly serious to happen from one of these incidents. Then--and only then, it seems--will mature perspectives be called for.


Why does the JS ecosystem attract so many puddingheads like this with their emojis and their cotton-candy bullshit? No wonder it's a house of cards.


TBH I think it's not because JS somehow fundamentally attracts a different group of people, it's probably more like:

- It being web based means you can target this kind of software for maximum "impact"

- NPM dep trees are massive and you generally have thousands of tiny libs. The chance of something like this happening and being noticed goes up therefore.

- NPM ecosystem is a bit more wild west which again leads to increased chance of something like this being able to occur in the first place.


On the emoji side: JS devs are frequently fullstack/designers sometimes/on Macs, which make emoji very easy to use.

So they end up using it.

You rarely if ever see things like emoji commit messages in the other worlds (ex C#, Java, etc)


That's a funny way to say "leveraged by its authors for their ends"

Maybe some things are more important than a js package?


Well, open source volunteering is a form of anti-capitalistic political activism to begin with. This is just adding a geopolitical angle to it, but all FOSS is political already. When you depend on an open source project, you depend on the politics of that project as well.


Committed 23 days ago and no contributor or author has deigned to do anything about it. Says a lot about the health of this library.

The "open source maintainers are not your bitch" argument is moot when one publishes a library on something like npm and then disappears when a security incident happens. I reckon publishing a library on a package manager should come with a promise of responsibility or at least communication.


I don't think that's reasonable. People use NPM for various purposes, and professional-grade software with guarantees is only one use of many.

You need to vet your packages. Always, even if you paid for it.

There are package managers that work with Github repos. Should this apply to every public Github repo too?


Fine, then let's adopt a standard of announcing whether you're serious about your projects, and then other people know if they can rely on your library or not. Some kind of "verbal" promise of being proactive when catastrophe happens. That you personally won't bundle malware in your code, or your reputation will suffer.

I mean it. The open source world, especially the JS ecosystem, desperately needs something like this. And a monetary incentive isn't enough, unless it's significant, but no one will pay $500 a month per JS library they depend on.

A simple ".serious-project" committed to the project root would suffice.


> And a monetary incentive isn't enough, unless it's significant, but no one will pay $500 a month per JS library they depend on.

Maybe they should, and if they fail to do so, then maybe they have zero right to complain about it.


Let's see how many people will pay money for their `is-odd` dependency.

Again, enforcing responsibility by paying is non-viable and doesn't scale, especially in the JS world when you depend on 500 packages for a bare React project.

Yet I, as an open source developer, want to announce that my projects are actively maintained, i.e. I'm serious about them and I'll react in less than 23 days if someone adds malware to my code.


> Let's see how many people will pay money for their `is-odd` dependency.

If they're unwilling to pay for it, then maybe they should reconsider including it as a dependency? And maybe, just maybe, if they include it as a dependency without any intention of paying for it, then they should have zero expectation of support for it?

And likewise...

> especially in the JS world when you depend on 500 packages for a bare React project

...then maybe they should consider an ecosystem wherein they, you know, don't depend on 500 packages for a bare project? And if they do, then maybe - just maybe - they should expect to either contribute to the ongoing maintenance of those 500 packages or else be entirely unsurprised when they inevitably fall into disrepair?

> Yet I as an open source developer I want to announce that my projects are actively maintained

Then do so: remove the clauses in your licenses w.r.t. warranties and liabilities and fitnesses for particular purposes, and declare that you'll commit to active maintenance. If that's your prerogative, then nobody's stopping you. Chances are, though, you'll grow weary of the expectations from others with which you've burdened yourself without compensation.

A better form of seriousness would be to offer support to those willing to pay you for it. Naturally, this means producing something that's worth such an agreement.


> Fine, then let's adopt a standard of announcing whether you're serious about your projects

I don't believe in Tidelift myself, nor do I actually pay them any money, but there's that already.

If you're willing to use less recent packages, you can trust vendors like SUSE or Red Hat to do that for you.


Is this a security incident? My first read was that it was just pushed by the maintainer directly (“Viktor”). I thought the headline was misleading. Is there any confirmation either way?


I don't think it is, the name seems to be spoofed and the email attached to the commit doesn't match @Yaffle. Git author and email are easily forged anyway.


Is it even spoofed, or is that his real name? It could just be an email not publicly associated with the GitHub account. AFAIK GitHub displays links to profiles purely as a convenience, based on the commit metadata.


I disagree, the responsibility is ultimately on the consumer, assuming the dependency is FOSS.


If it's a bug, sure, but intent matters. If it is malicious code written to harm people on purpose, then the responsibility is on the FOSS dev. What if it is code that is used to interact with hardware and there is malicious code intended specifically to physically harm the user? Is it ok to kill someone if it's through FOSS? I don't think so.


npm is not a curated repository of high quality packages. Folks using it like so are at fault for having no diligence.



