It doesn't feel like there was enough criticism against GitHub for their decision to ban the developer of faker/colors. This was his own corner of the internet for him to publish his own personal projects.
I understand the decision for npm to take ownership of his packages, because npm is a community package repository owned by, and for, the community. All community package repositories have some sort of policy for package takeovers.
But GitHub claims to be your home for public hosting of your own personal code. What GitHub policy did he violate? The really outrageous thing is that the developer going "rogue" was actually him expressing his freedom of speech, again on his own personal GitHub account, in his own personal (not organization) repositories. He spoke about his thoughts about open source, businesses, and economics. Defending this type of political speech is especially important, and GitHub banning his account and censoring this type of speech (whether you agree with it or not) is especially shameful.
You have to keep in mind that his changes were basically indistinguishable from a security breach of his account. Nobody really sabotages their own repos in a malicious manner like this. Suspending his account while they investigated doesn't seem like a stretch.
> This was his own corner of the internet for him to publish his own personal projects.
Which he's still free to do. But the actions in question had nothing to do with his "personal projects". It was specifically about his actions to intentionally break popular Node.js packages and do so with a version number that would disguise the change as a non-breaking update. It was a malicious act, and there's no way to paint it as anything else.
It was a malicious act to the users of his project, sure. But how was it a malicious act to GitHub? I'm glad to hear that they reversed the suspension, but without understanding why it was suspended in the first place, it leaves open the question of what GitHub's motives were in the whole situation.
If DHH decided that Rails was contributing more harm to the world then good, and tried to remove it from GitHub, would GitHub lock his account and restore his repos "on behalf of the community", to side with the smooth operation of the open source ecosystem over a user's personal decisions? To what extent has GitHub decided that they "know best" for the open source community?
GitHub's first responsibility is to the community of users it supports, then to any individual user. Free speech / personal choice / freedom of expression come secondary to the welfare of its users.
Is it a slippery slope? Yes, but GitHub does not have a choice if it cares about the interests of its community.
Usually if I modify my car in my own backyard (aka my property) it is nobody's business to intervene, as long as it's on my property.
Legally speaking, fakerjs was Marak's property and GitHub has no right to intervene with a legitimate user action.
I can see that they "tried their best" but we also have to uphold the law here. If GitHub, say, called him on his phone whether or not his actions were intended...they would've had to restore the account and the "broken" repository as it was before the suspension immediately...which I assume they did.
My point is mostly that there is no legal contract between Marak and the "community", as he was never paid anything. Some might argue about mitigations in between disagreeing parties, but as I said there's nobody forcing you to use his library, just as there was nobody forcing you to update.
It cannot be malicious intent if the other party is free to decide to just ignore it and move on.
This code has never belonged to Marak. This code is ported from other existing projects which had been acknowledged by Marak.
I see it like this. I can't buy a Harry Potter book, translate it to a different language, maybe change some of the character names and then claim ownership while not acknowledging the original work even if I publish it for free.
It's like you and your friends building a Mustang in your backyard, all of you put time, energy, and even money into the project only for you to turn around and claim you invented a new car model built entirely by yourself. No, it's a Ford and most of the upgrades were done by others. People that helped you might feel that you are in fact being malicious.
Since we're using analogies, this wasn't his backyard, this is GitHub's yard.
The ToS of GitHub state that it's not their property, they only claim the license for redistribution. If it were their property, legal cases (e.g. DMCA) would be against GitHub, not the owners of the repositories. So from their point of view they do not want to be legally responsible for the code they're hosting.
So I'd argue that it wasn't GitHub's backyard. They might be the landlord but they can't take ownership of the things that you build in your (rented?) flat.
Don't get me wrong, I also agree with you. For me this whole situation is kind of a paradox where there's no easy moral (or legal) answer on what to do, and on what society already has agreed upon.
In fact, this action could set a precedent that allows RIAA/MPAA/etc to sue GitHub because it demonstrates they curate and editorialize everyone's code, effectively.
> This code has never belonged to Marak. This code is ported from other existing projects which had been acknowledged by Marak.
Completely irrelevant to the issue at hand, though. The copied code was copied in accordance with an open source license. By this same token, the affected users/companies are free to start their own fork, but they didn't. The developer shouldn't be under any obligation to maintain anything, and GitHub shouldn't be intervening in these kinds of situations as that will simply serve to dull the positive effects these scenarios could have on the dependency landscape (people actually figuring out their shit). This is the package equivalent of a bail-out. At the end of the day it hurts more than it helps.
If you modify your car in your backyard sure, but it wasn't his backyard, it was the public roads, and it wasn't (just) his car, it was his car that he shared with his neighbours. And then he decided to tamper with the brakes as a "prank", knowing full well that others would then use the car.
No. Imagine if all traffic lights were 3D-printed, and that entire infrastructure depended, as an active dependency each time a new traffic light is printed, on some random guy's 3D model that he decided to post on his personal blog years ago. Guy decides to take down the model, now all of a sudden his hosting provider takes control of his site and forces him to put the model back. That is the lens through which you should view this situation.
The people building infrastructure that depends on one guy's 3D model existing on his blog at all times were the ones who made a mistake. If one of your thousands of dependencies breaks, shame on you, make a fork. The dependency owner owes you nothing, and he can change his creation or remove it any time he likes. If you weren't fortunate enough to fork it while it was still up, then too bad.
Instead we as a corporate community are encouraging coddling and ensuring that if you make this mistake, GitHub, NPM, et al will take care of it for you. The downstream effects of this are much worse than the temporary damage of making people actually figure out their dependency chains.
I'm not sure why it matters they are Github users. The packages were hosted on npm through Cloudflare - does that allow Cloudflare to take over the packages too? And NS1 since they host the fakerjs domain?
It’s cool that you’re internet rules-lawyering and all but ultimately he used his free account with intent to harm others, just as surely as if he backdoored his code. Freedom of speech is good, and protest is fine, but why would GitHub amplify the speech of a nutso who abused his position of trust?
> used his free account with intent to harm others, just as surely as if he backdoored his code
There's a huge difference between displaying a message and going in an endless loop and backdooring as in providing an alternative access to control a system you're not supposed to have access to. Words have meaning. This wasn't a backdoor.
They don't have to amplify anything. This is why open source is valuable; if the current maintainer is considered to be unfit or unreliable in some way, the community that disagrees with their rhetoric/leadership can fork the package and keep going like nothing happened. If you don't care/the package is still usable, then ideally no further action has to be taken.
At no point down the road should that involve revoking someone's ownership of a software project, though. Software ownership is sacred, not just because of tradition but because understanding who owns your packages and libraries is paramount to auditing security. Some of the most valuable contributions to computer science have been ones that allow people to verify integrity, be it SHA, TLS or GPG. If Microsoft abuses their position of power to break that chain of integrity, how can we be sure that other repos belong to their respective authors?
I can understand if you, the individual don't find this interesting or consider it inconsequential to your workflow. But other people rely on it, and you can't pretend like an honest chain of custody is somehow valueless.
And to be clear, even if NPM goes and replaces his package with this new fork, it wouldn't take away his ownership.
Github could do the same... doesn't take away his ownership.
His ownership of a Github page is not his ownership of the code.
I don't like this rules-lawyering stuff either, yet this is one time where even if you decide to be purposely inflexible with your understanding of laws/licensing/contracts etc... there's still no issue with how this has been handled.
I see only one of those alleged "nutso's", and that was GitHub.
Everyone else should have been responsibly consuming the dependency. You don't get to call foul when you knowingly use something for something important and don't check to make sure it is okay.
As an engineer, part of your responsibility is to foresee this type of thing. Software that does exactly what it should, and is free of defects for its immediate use case, has no need to be continually updated, as each line is adding more functionality you do not need.
Even if you're trying to keep things rolling forward and buy into taking in updates anyway; you don't do it in such a way as to cause it to leak to production until you are good and certain there is no potential for breakage. If you haven't learned this yet, give a monorepo a try. I assure you, you will be divested of any naivete in this regard.
That's fair, it does sound like a novice take; but it's still "business as usual" w/r/t what is touted as best practices where it comes to version control. At least that's my slightly above novice take on the matter.
Can != Should. We're not discussing whether Cloudflare had the physical capability of being able to take over the packages. We're asking if they should. Many people seem to believe that they should have, or would have been justified in doing so, and others disagree.
If the attack had been conducted by retargeting cloudflare at a hostile upstream, maybe so. But the attack originated at GitHub, so they're the ones to take action in response.
This is an opinion you can have, but it's far from clear that it's an obvious or inherent one. What is the Github "community"? Who constitutes it? If I use Github for a personal project, and share the link with my friend, are we "part of the Github community"? How were we harmed by this incident? Did anyone say "We should shut Github down because they're irresponsibly hosting someone who would use his public JavaScript libraries to make a political statement"?
How was Github's community, specifically, harmed? A lot of developers were inconvenienced, but they would have been just as inconvenienced if he pushed the code to NPM from his local git repo, and never touched Github at all. Where does Github come into this?
It sounds like you’re looking for very clear lines which can and can’t be crossed. Whereas others see a blurry grey area in which GitHub makes judgement calls, and then individuals decide whether or not to use GitHub.
Mm, not really. There are lots of cases much more blurry and questionable than this one. What I'm looking for is 1) a recognition that GitHub would be in the wrong to suspend Marak for doing whatever he wanted with his own open source project, and 2) an acknowledgement that it's important for GitHub to be transparent about why they took the actions they did and what motivated their actions.
If I ever get hacked someday and my repo gets defaced, I hope GitHub acts just as they did to Marak. GitHub can’t tell the difference between an authorized and an unauthorized defacement, and I’d rather they err on the side of caution in this regard. It protects me against attackers, and the only risk of false positives is having to reauth and verify to support that I’m an authorized user when I’m trying to deface my work.
Exactly this. The changes were intentional malware, designed to break the usage of these two modules. GitHub is under no obligation to assist you in hosting malware. The fact that these changes were intended by the original author has no bearing in this situation.
Breaking a build in a way that is trivially rolled back is not in the same league as pushing code that harvests email addresses, CCs and mines bitcoin.
I'm disappointed to see this kind of comparison made.
Appreciate it can be confusing to the layperson, but a build is not quite the same thing as an application.
A build will often reach out, download and install new and potentially breaking software components and it is part of its function to prevent breaking software components from reaching the application where it could cause material harm.
It was a bit of code printing ASCII art in a loop, with a preceding comment "don't commit this", and we have no information about whether it was put into the release on purpose or with malicious intent, AFAIK. Is it really malware?
If I set up a nice shopfront and invite customers in, and then start kneecapping everybody who walks through the door, you gonna bet the city will have something to say about it. I'm not kneecapping the city, just its citizens, so why should they care - and I'm doing it on my own property which they voluntarily entered after seeing my "dollar store" sign out the front - so it's their own damn fault for believing my sign.
There is a fundamental difference between physical violence like kneecapping and industrial sabotage which causes a minor temporary disruption in production, which is why the former is punishable by most national laws, while the latter isn’t.
> causes a minor temporary disruption in production
pick one
ETA: if someone created a virus that would just display the text "you've been hacked!" and then that virus infected thousands of computers around the world, that someone would have a visit from the FBI with very serious charges. I don't see how this is different.
I don’t understand. Industrial sabotage is an act of vandalism with the intended purpose of causing disruption in productivity. This incident in particular only caused a relatively minor disruption, not much bigger than e.g. a partial GitHub outage.
> I don't see how this is different.
The difference is in 1) the intended targets. This incident was targeted against a particular industry. The worm you are describing would be indiscriminate and would have the potential to be 2) much larger scale, and therefore you could deduce that 3) the intention of your hypothetical attacker would not be to cause disruptions of productivity within a particular industry, but rather to prank random strangers. The difference is rather obvious.
GitHub's market is developers. They want to do everything they can to protect that community, and if a developer uses their service to damage other developers, they aren't going to stand for it.
> It was a malicious act to the users of his project, sure. But how was it a malicious act to GitHub?
You can't use GitHub to perform malicious acts, even if the victim isn't GitHub. GitHub isn't obligated to support anyone's malicious acts with their platform.
> If DHH decided that Rails was contributing more harm to the world then good, and tried to remove it from GitHub, would GitHub lock his account and restore his repos "on behalf of the community", to side with the smooth operation of the open source ecosystem over a user's personal decisions? To what extent has GitHub decided that they "know best" for the open source community?
GitHub hasn't done any of these things with faker.js.
Marak deleted the code and replaced it with a non-functional repo that has a README.md that just says "What really happened with Aaron Swartz?" (Reference to a conspiracy theory)
Exactly - that really looks like malware. If the same sort of replacement happened with rails, I imagine the same course would happen there - but if there were some corresponding blog post or reasoning in the Readme, GitHub would leave it to the community to let the drama play out (maybe still investigating to see if the login was suspicious in any way).
I would say colors.js definitely can be considered malware. He in effect intentionally spinlocked a lot of packages either directly or indirectly via transitive dependencies, and also intentionally bypassed common semver rules to maximize the damage.
Whether or not those packages should have been affected is another discussion, but it appears it probably had more of an effect on other open source packages and perhaps the work of small mom and pop companies rather than huge corporations.
To an automated protection system that detects “repo deletion + index.html rant” commits, deleting the codebase and updating the README would red flag instantly except for the different filename, and catch lots of garden-variety intrusions.
The deletion here was more complex, and most likely a human was assigned to review user reports to GitHub Security, who accurately determined it was a defacement from someone claiming to be the author’s credentials.
Turns out the author was the attacker, and with that confirmed, it appears that their access was restored so they could proceed with it.
> Turns out the author was the attacker, and with that confirmed, it appears that their access was restored so they could proceed with it.
I suspect this is how it played out as well. In fact, there were a lot of people on Twitter who were questioning whether the author really got suspended since he was posting to GitHub a day or two after he posted his suspension picture.
Like I said above: if that really was how it happened, I would be totally okay with that, and it's completely understandable. But without a public statement from Github on such a visible and public controversy, we're left to speculate on their motives. Many people here disagree about why and whether Github should have or did suspend Marak. I would say that your view is the maximally charitable view to Github themselves. And frankly it's very likely to be true. But it seems like a lot of people believe that Github should have suspended his account, and I disagree with that.
People don't just believe his account should have been suspended, they feel that he should be prosecuted and charged with civil tort given the comments. I think they are ridiculous Karens who would destroy open source in a heartbeat given the opportunity.
> GitHub isn't obligated to support anyone's malicious acts with their platform.
Github isn't obligated to support anyone's anything, your relationship with Github is entirely at-will. And yet, I believe that there are moral boundaries on how Github should act, and that different people can disagree on where those boundaries are. I do not believe that "updating a popularly used library to break its core functionality" is harmful enough to the other users of Github-the-code-hosting-site that it necessitates intervention from the owner of the platform. I think specifically that the way in which Github came to the determination that this change was "malicious" is unclear, and that Github very clearly has a conflict of interest when it comes to determining which sorts of political speech are "malicious", and which sorts are allowed.
> GitHub hasn't done any of these things with faker.js.
Correct, that's why it's a hypothetical question. If Github is willing to intervene against "malicious behavior" on behalf of "the community", then the obvious question is "which behavior, and which community?"
As another hypothetical example, the https://996.icu/ website is hosted on Github. Chinese browser manufacturers have implemented a pop-up that calls it an "illegal and fraudulent site" if you navigate to the repo. Is this "malicious" behavior? Many in China would think so, and definitely the browser manufacturers seem to believe that it's malicious behavior targeted at Chinese tech companies. Should users be allowed to use Github to perform this "malicious" act, even if the victim isn't Github itself? If Microsoft was criticized for their Chinese offices' working conditions on the site, do you think this would change their viewpoint on whether the repo should stay up? Personally, I would hope that those within Github who are responsible for making such a decision wouldn't take such personal matters into consideration.
> Reference to a conspiracy theory
I'll be honest, I didn't know this was in reference to a conspiracy theory. Aaron Swartz was driven to suicide by the relentless and cruel prosecution of the United States government, and the inaction of the MIT administration. That incident is tragic and sad enough as is, and I hope it goes without saying that I don't agree with anyone attempting to co-opt that tragedy for their own conspiracy theories about Qanon. But I don't think Github should be responsible for making the call on whether something is "good" enough political speech to be worth protecting.
I am completely baffled by folks defending Marak, or putting any sort of blame on GitHub. What Marak did was not "political speech". If he wanted to, he could have easily done any of the following:
1. Pulled down his repo, or replaced his repo with whatever message he wanted to send.
2. Output his political message during the build.
3. Heck, all faker.js does is output fake data for things like names and addresses. I think he would have been well within his rights to make this data something like "123 Fascist Way, Fascistville, NY".
But he didn't. He replaced his code with an infinite loop that was a DoS attack. He deliberately released it as a patch version because he knew it would be pulled in by others that follow semver rules. The fact that his attack wasn't more severe (like, say, encrypting someone's hard drive) doesn't mean it wasn't an actual attack.
And for those quoting the "no express or implied warranty" section of the license, I guarantee no legal system is going to let an actual malicious act be defended by a license.
What he did was utterly unprofessional, hazardous, and outright dangerous to those who trusted and used his library.
By putting it on Github, he surrendered a portion of his right to distribute to Microsoft, and Microsoft did the best course of action to protect their reputation and the interest of their stakeholders.
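The comments above turn on a mechanical point: a release tagged as a patch version is pulled in automatically by anyone whose manifest uses a caret or tilde range, while an exact pin or a lockfile is not affected. The following is an added illustration of that resolution rule, not code from the thread or from either package; the version numbers and registry contents are constructed, with 1.4.1 standing in for a sabotaged patch release.

```javascript
// Added example: minimal semver range resolution (exact pin, ~, ^) over a
// constructed list of published versions, to show which manifests would pick
// up a newly published patch release and which would not.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison on major.minor.patch; a prerelease sorts below the
// release with the same numbers (simplified, sufficient for this example).
function compare(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// True when `version` is allowed by `range`. Caret (^) floats minor and patch
// for major >= 1; tilde (~) floats patch only; anything else is an exact pin.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (v.pre) return false; // ranges do not match prereleases unless asked explicitly
  if (range.startsWith('^')) {
    const baseStr = range.slice(1), base = parseVersion(baseStr);
    if (compare(version, baseStr) < 0) return false;
    if (base.major > 0) return v.major === base.major;
    if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
    return v.major === 0 && v.minor === 0 && v.patch === base.patch;
  }
  if (range.startsWith('~')) {
    const baseStr = range.slice(1), base = parseVersion(baseStr);
    if (compare(version, baseStr) < 0) return false;
    return v.major === base.major && v.minor === base.minor;
  }
  return compare(version, range) === 0;
}

// Highest published version the range allows, or null if none does.
function resolve(range, published) {
  const ok = published.filter(p => satisfies(p, range));
  if (ok.length === 0) return null;
  return ok.sort(compare).pop();
}

// Constructed registry state: 1.4.1 is the hypothetical sabotaged patch release.
const PUBLISHED = ['1.3.0', '1.4.0', '1.4.1', '2.0.0'];

// What a fresh install without a lockfile would fetch for a given manifest range.
function whatGetsInstalled(range) {
  return resolve(range, PUBLISHED);
}

// Lockfile check: compare the pinned version from the lockfile with what the
// manifest range would float to; a non-null result means the range would drift
// past what was reviewed, which is the condition a CI install should refuse.
function lockfileDrift(range, locked) {
  const floating = resolve(range, PUBLISHED);
  return floating !== locked ? { locked, floating } : null;
}

// Stand-alone run: show the three manifest styles side by side.
for (const range of ['^1.4.0', '~1.4.0', '1.4.0']) {
  console.log(`${range.padEnd(7)} -> ${whatGetsInstalled(range)}`);
}
console.log('drift for ^1.4.0 locked at 1.4.0:', lockfileDrift('^1.4.0', '1.4.0'));
```

The same logic, applied to a real lockfile versus a real manifest, is the check that distinguishes "we pulled the new patch because our range allowed it" from "we installed exactly what was reviewed".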
then pay him?
I'd admit that this person didn't really contribute anything really worthy.
But please do not require someone to be "professional" when you did not pay him a dime.
So what you do mean is someone had to spend hundreds of hours maintaining some projects you've been using and also should have perfect personality and well behaved enough before you hire him?
There is a little bit of dissonance here. Microsoft, a multi-billion dollar company who works with organizations such as ICE which routinely engages in human rights abuses and causes severe suffering and harm to thousands of people who are already pretty vulnerable.
vs. an open source developer whose work benefits companies like Microsoft who have no obligation to pay for that labor. And engages in a single industrial sabotage which causes minor disruptions, and harm which at most costs other developers some time and temporary frustrations.
I feel like we need some sense of relativity when we attribute nouns such as hazardous and dangerous here. Especially when we are talking about Microsoft.
Indeed, he definitely could do his protest in a way which wouldn’t inconvenience billion dollar companies or even anyone.
Just like BLM could protest in a remote location or do an online petition. Except that no one would give a fuck about that. The same about a message during the build.
You call it a DoS attack, I call it a brownout warning about unsustainable open source funding. After all old versions are unaffected. No hidden RCE there. Only ones who opted in for pulling a new version without due diligence (aka free shit lovers) experienced a minor inconvenience. He didn’t do anything a malware author would do with such distribution channel.
I would definitely do it some other way, but can’t blame him. If he had put a notice during the build, no one would see it. If he added an unskippable five minute timeout to that message it would be a DoS attack as well.
I suffered a similar “DoS attack” myself. By Microsoft. They did a one hour brownout of DevOps pipelines still using Windows Server 2016 or something, to warn about the unsustainability of supporting them (striking similarity). Right at the moment we had to deploy an urgent hot fix for our client. If there was a notice somewhere, I didn’t read it. No one does. Which is why they do brownouts. He didn’t put an early warning, but that might be a difference between a multibillion company and some random guy on the internet.
He is unprofessional, but well, don’t expect professional behavior from people you don’t have a professional relation with. Who I would call unprofessional are the developers who expect free working shit from some random internet guy and have the audacity to complain when he intentionally releases a broken version to protest taking free stuff without giving back.
I’m mildly entertained by the uproar caused by his protest. Reverting to an older version of a library is not an end of the world. I think it is not caused by the minor inconvenience he caused to the lazy devs, but by the threat of the end of relying on free work from open source devs.
We will have to do it ourselves or pay for it. Like in any other industry.
Did you not read his message? The entire point was to inconvenience billion dollar companies not helping pay or foot the bill for all the software they use and steal unpunished and unscathed.
Microsoft behaved as a good steward of both a code-hosting service and a package-hosting service in the face of an attempt to exploit both to harm users.
Except that it was his code, and it's open source, therefore the risk of using said code is your own. It's his project; he's under no obligation to maintain it in a functional state or at all just because you happen to use it. That's just egotistical and narcissistic on your part.
You're wrong. If I routinely share my lunch with someone at work, I don't get to poison it because "It's my sandwich, I'm under no obligation to make sure it's safe just because you happen to eat it." Hell, I can't poison it even if someone's stealing my lunch.
I can't create code with malware. I can't modify my code to make it malware. That's a crime. You're wrong.
Everything about your comment is wrong. For one, you're not giving your lunch to anyone. More analogously, you're putting something in the refrigerator, and people can take it at their own leisure and risk. You can poison it if you want; in fact it's a pretty common workplace tactic for people to mix in something like a laxative to THEIR OWN food because they're tired of it being stolen every day. Again, you make the choice to use the software, or take the food; the risk is on your head.
And the cybersecurity industry would like to have a word with you since you don't believe it's possible to create malware.
> I can't create code with malware. I can't modify my code to make it malware.
I guess I can appreciate your confusion but I still think I was clear in my previous comment. I'm willing to concede I would have been more clear if I had written:
I can't legally create code with malware to distribute without a warning. I can't legally modify my code to make it malware if I know people are using it.
"I am completely baffled by folks defending Marak, or putting any sort of blame on GitHub."
Github's actions are unwarranted. (Marak should have at least been able to verify his ownership of the account and get it back)
"1,2,3"
Honestly, these ARE better things to do (and probably more effective) than what Marak has done.
"replaced his code with an infinite loop that was a DoS attack"
So far I haven't seen anything about this actually causing harm and denying service.
"The fact that his attack wasn't more severe (like, say, encrypting someone's hard drive) doesn't mean it wasn't an actual attack."
The fact that his attack wasn't more severe shows that he wanted something that would make an impact without hurting anyone.
" guarantee no legal system is going to let an actual malicious act be defended by a license. "
That's the legal system's problem. The license is the license. Somebody's violation of an EULA (because they didn't read it) may be in all ways justified, but that argument probably won't hold up in court.
I wish he did something less controversial while still impactful, but it is incorrect to put it under the same term used to describe real cyberattacks that severely harm and kill innocents.
General rule (at least for me) is to avoid people wanting to be a people-pleaser or politically correct without offering real tangible solutions to the problem at hand.
What he just did is intentionally mess with the society for the heck of it and naturally the society will find ways to fix it and restrict him as necessary, right.
> I am completely baffled by folks defending Marak...
> I think he would have been well within his rights to...
I think this is the crux of it all. I (and many others it seems) disagree with the actions he took and think they're shitty, but also think he has a right to do this with his code that he provides and publishes for free.
> It doesn't feel like there was enough criticism against GitHub for their decision to ban the developer of faker/colors.
HN, at least, had a ton of discussion on this[1]. People advocated both ways.
> This was his own corner of the internet for him to publish his own personal projects.
No, it wasn't. It was Github's corner of the internet and then it was Microsoft's. If he just wanted a place to publish his personal projects, he could have put them on a personal, self-hosted website.
By putting them on a social network, like Github, he is submitting to their whims. He doesn't have any legal right to stay on that site if they want to kick him off of it.
He also wasn't the only author. Other people contributed to his repos. He was happy to receive the benefits of Github, and he should also realize that it comes with some loss of control.
Notably, he eventually used Github as a platform to deploy a Trojan to thousands of unsuspecting users. The other circumstances don't matter. Microsoft can and should remove Trojans from Github.
> By putting them on a social network, like Github, he is submitting to their whims. He doesn't have any legal right to stay on that site if they want to kick him off of it.
Of course, legally speaking, Github can do whatever they want with their website, but we're not talking about the legal aspect.
The developer community has put some trust on Github not to do whatever they want. It's an implicit, non-legal, non-enforceable, social agreement that Github is going to "respect" our user accounts on their platform as long as we don't break the TOS.
They could delete all existing repositories tomorrow, and replace them with pornographic images, and they would probably be in their legal right, but that doesn't mean that we can't criticize them for it.
Yes we are. I was responding to someone[1] who was alluding to the legal aspect using legal terms s/he clearly doesn't understand.
> > "What GitHub policy did he violate? The really outrageous thing is that the developer going "rogue" was actually him expressing his freedom of speech..."
FWIW, GitHub's actions here have in no way damaged my trust in them.
They interpreted a developer's attempt to harm the community via abuse of the trust the community had placed in him as damage and mitigated it in the short run. That's a value-add.
Value add to whom? It sounds like you believe open source developers owe something to someone, which simply isn't the case. You should evaluate the license(s):
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
I don't see where this license obligates github to distribute future versions.
Also if we're expecting people to do the bare minimum specified in their license, github's license gives them all the leeway they needed for their actions too.
GitHub is under no obligation to distribute further versions. Neither is Marak under any obligation to maintain and upkeep the repository. While in bad faith of the community, you are the consumer who CHOSE to use his software, free and at no cost to yourself. You have no right to dictate how that repository is used, especially if you never donated or contributed to the project itself.
> While in bad faith of the community, you are the consumer who CHOSE to use his software, free and at no cost to yourself. You have no right to dictate how that repository is used, especially if you never donated or contributed to the project itself.
Either we're going by a legalistic interpretation of the terms in which case Marak was free to fuck up his project and github was free to kick him off npm for it, or we're agreeing that people can be held to moral standards apart from legal ones.
If we agree that moral standards about bad faith should prevent npm/github/microsoft from taking control of something that Marak has put work into, then we should also be able to agree that moral standards should prevent Marak from releasing a deliberately broken version of a package as a fuck you to corporate users. Even that action of Marak's I think is wrong, but the backlash also landed on many open source projects.
I don't have a problem with GitHub or NPM taking down his project. Just like I don't have a problem with him poisoning it if he so chose. I do have a problem with people here whining about their own selfish wants. Again not one person is obligated to use faker.js, if you wanted the security that parts of your code base would not be tampered with, then you probably shouldn't have been using a third party library that wasn't under your control in the first place. Common sense is all too lacking here across the first world.
At the end of the day, open source is built on trust. Even the more paranoid-architected flows outside of npm (checksums via side-channel, curated package distributions maintained by a third party such as Debian) don't protect the end-user from actual malicious action on the part of the trusted source. Consider the story of how the University of Minnesota got banned from adding patches to Linux (https://www.theverge.com/2021/4/30/22410164/linux-kernel-uni...). In that case, they were caught. But if they weren't caught (or if a critical mass of Linux maintainers went rogue and were in on it)? Enough malicious actors with the right credentials can publish and checksum a damaging package in any system that allows code reuse. It is, perhaps, riskier to rely on a system with one maintainer. If that's the case, moving Faker.js to community controlled was a great first step in restoring trust in the package; it's harder to compromise a group.
We can sit here and cluck our tongues and say "Should have known better than to trust someone else's code," but that's just victim-blaming. Marak broke trust. He took advantage of a system with a vulnerability and he exploited it. And everybody uses a system that is vulnerable in some way.
Because he did this, the system interpreted his actions as damage and routed around them. The system may change to make this attack harder in the future. And the result will be more complex and have more failure modes, and everything will be slightly worse as a result because we have to replace with process what we were previously able to do with human-to-human trust. "Nice job breaking it, hero."
I'm just as much an armchair lawyer as most of the rest of HN, but my understanding is that liability waivers aren't considered enforceable if malicious intent or gross negligence is involved. Anybody with more legal expertise want to clarify?
I am also not a lawyer, but this is what I found for NY and would be surprised if it doesn't apply in most states and many other countries too:
> Under New York law, a party can waive ordinary negligence, but not gross negligence, reckless conduct, willful/wanton conduct, or intentional acts. See Kalisch-Jarcho v. City of New York, 58 N.Y.2d 377 (1983); See also Restatement (Second) of Contracts § 195 (1981) (“A term exempting a party from tort liability for harm caused intentionally or recklessly is unenforceable on grounds of public policy.”).
If we're stressing the analogy, Marak put food out in a park with a sign "Take the food, just tell everyone you got it from Marak, quality not guaranteed".
Then one day the food had laxatives because he felt not enough people put money in the tip jar.
I think that would still be actionable. Most people wouldn't bother, just like I don't think anyone is seriously thinking of taking Marak to court over what is mostly broken CI builds, but maybe the park staff won't let him offer food there anymore.
There was no more "food". A loop in a script isn't malicious, as a user can terminate a script, and by running an unknown script they are assuming some liability as well. What you're advocating for is that if an open source developer changes their code, even to, say, prompt the user to confirm executing when before they didn't prompt, and that somehow breaks automation that the user has built (not the developer), then they should be liable for harm. It sets a terrible precedent, and the end result is no one will want to create open source software anymore. I can only hope you are simply playing devil's advocate rather than being serious, because if you are serious then I hope you reap what you sow.
"By eating food of unknown provenance they are assuming some liability as well" isn't really an argument that would hold up in a court of law if someone intentionally taints the food.
> What you're advocating for is that if an open source developer changes their code, even to say, prompt the user to confirm executing when before they didn't prompt and that somehow breaks automation that the user has built (not the developer) then they should be liable for harm.
We should probably divide the conversation into two threads: one on the tainted-food analogy, and one on the changing-code reality. Because they aren't the same, and one can reach weird conclusions trying to conflate them.
Liability for tainted food is pretty settled law. If someone eats your food and gets sick, it's a problem for you. If they eat it and get sick and can prove you poisoned it, it's a real problem with real legal consequences. Food handlers and preparers go out of their way to avoid both of those scenarios.
Intentionally modifying code knowing you'll break downstream consumers hasn't been tested (to my knowledge) in court, so we can set that aside. But is it immoral? That's going to depend on one's morality, but I have a hard time seeing my way to agreeing with the standpoint "Sure, it's moral. User beware." That principle, written large, creates a strictly worse world, where people are hiding in their digital caves, unable to trust anything outside. A lot of people (including GitHub and NPM's owners) are trying to build something better than that.
Marak had a right to do what he did, but that doesn't mean it was right, we don't have to agree that "because he could, it was good" (that's just rule-by-power, and almost nobody thinks that's a good moral philosophy), and I applaud the open-source community who stepped in to minimize his harm.
GitHub doesn't = open source community. Quite the opposite, actually. It is a closed system designed to take open source software and put it behind a closed-source ecosystem, and apparently to moderate open source developers and take away their individual freedoms.
How was Marak's individual freedom taken away? They locked his account temporarily (because what happens looked like somebody had stolen his credentials and impersonated him)... Then what happened?
His freedom to post what he wants in his repo does not extend to a freedom to screw users depending on the software he licensed for open source use working. GitHub and npm took steps to protect users from his malicious actions.
Value-add to the people who actually use github to build software, of course. It's fine to discuss license terms and what you should or shouldn't expect when you use github/npm/etc, but in the real-world JS landscape, many projects (commercial and otherwise) use many open-source packages through complex dependency hierarchies.
You can think what you want about whether that's good or bad, but it's unquestionably our current reality. Protecting JS projects from malicious updates, regardless of whether or not the project license technically permits this by the author, is clearly in the best interest of users of this ecosystem.
No one took steps to protect JS projects from malicious updates. They took action in this one case but did not fix the underlying issue which is with package managers.
It is true that there are some vulnerabilities in the standard design for npm package management. Packages are designed to assume by default sources can be trusted and to pull aggressively. That's a system that's very convenient for developers... Assuming somebody doesn't use it in an extremely malicious way by building our trust with a working package and then pushing a change designed to screw users.
Fortunately, it appears the system has been stress tested now and we can see how that damage can be mitigated. If this kind of attack can be minimized by what is essentially moderation and curation, everything's good.
The only reason anything happened is because the developer intentionally crippled their own package, which they had the right to do. If someone modified a package to do something actually malicious you could go months without ever finding out.
I don't disagree that there are degrees of harm and differences in the ease of detecting such harm. But what's the significance of the distinction? Whether it's found out immediately or found out months later, the remedy for the community will likely be the same if the damage is widespread enough... Flag the version as bad in npm, break the connection between npm and the GitHub repo if the damage was purposeful, and the community picks up the package and starts maintaining a non-malicious version.
What you are going to get is people separating out into 2 camps, those that believe in individuality, and those that believe in more collectivism.
This is a divide that extends well beyond programming and this topic.
People that support GitHub actions believe in the concept of "greater good" and believe the actions of GitHub are ethical because it prevented harm to the community
People that oppose GitHub actions reject the idea of "the greater good" and believe this individual should have had the right to do with their property (i.e. their code) anything they wanted, and the responsibility was upon the people consuming / using that code to vet it before use.
Except that use of GitHub implies you see a benefit to the collectivist use of GitHub's property, which is why you agree to GitHub's terms when using their property.
If I'm leasing a part of my land to you (and others), and your use of your assets on my land has the potential to harm other users of my land - you'll be asked to leave. I have a business to run. You are still free to take your property to your own patch of land and do with it what you will. Your freedom has not been compromised. You just assumed a freedom you did not have - which is the use of my land in an unfettered way.
> What you are going to get is people separating out into 2 camps, those that believe in individuality, and those that believe in more collectivism.
I am extremely individualistic. Github is also an "individual" that has its own private rights.
The author of this library absolutely had the right to write code, change it, etc. He does not have the right to use Github as a delivery mechanism for malware.
I don't really see it that way -- GitHub is run by a company to (albeit somewhat nebulously) make money. They almost certainly made this call because distributing an obviously malicious package like this was damaging to their brand, not through some philosophical framework.
Expecting a company to have a moral framework is just setting yourself up for disappointment. They will always just do what they think will maximize their long term ROI. Possibilities lie between "enlightened self interest" and "barefaced self interest."
> What you are going to get is people separating out into 2 camps, those that believe in individuality, and those that believe in more collectivism.
I agree wholeheartedly with this statement, but we're diametrically opposed on how these two groups are allocated. I.e., the people you're labelling as collectivists I'd put in the other group, and vice versa. People who think GitHub did right are a real me-first bunch, not collectivists.
I'm not sure how we get to me-first when the story is one actor using the wide-cast popularity of packages he had admin rights to in order to intentionally cause harm.
It's a "the needs of the many outweigh the needs of the few" situation.
It's a bit mind-boggling that FOSS authors who give their work away for free are the selfish baddies, and Microsoft of all people, are the communistic heroes in your telling.
> It's a bit mind-boggling that FOSS authors who give their work away for free are the selfish baddies
This is a straw man. No one made this generalization.
Marak, specifically, is a "selfish baddy", and it has nothing to do with FOSS. It has to do with his abuse of Github, npm, and Faker.js (which other people also contributed to) to distribute malware.
None of that can be generalized to a position about FOSS, Microsoft, or any other nonsense you're trying to extrapolate. It's specifically about a bad actor who was removed from a platform.
>> It's a "the needs of the many outweigh the needs of the few" situation.
> It's a bit mind-boggling that FOSS authors who give their work away for free are the selfish baddies, and Microsoft of all people, are the communistic heroes in your telling.
The discussion is about Github - microsoft - undoing the author's changes, the guy I replied to saying that this was good because he felt the author was "doing harm". So he definitely is saying that microsoft are the heroes there defeating "harm". And since he is supposed to be "doing harm" for his own benefit, the FOSS author being overridden by microsoft is the "selfish baddie".
For my edification, if you have a moment, can you help me understand where my comment failed to hew to a valid analysis of that part of the discussion and became some nasty straw-manning activity?
Not all FOSS authors are selfish baddies. Not even most. Not even many.
But Marak specifically is, and Microsoft being the good actor is indicative of how badly he messed up.
If his goal was to make a statement about big corporations taking more than they give to FOSS, arranging things so Microsoft gets to be the hero was a foolish way to go about it.
I have a feeling bare metal servers, a leased spot in a cage, and self-hosted systems are about to become popular. There are just too many stories like this these days.
I’m in the camp that if it was his repo then he can do whatever the eff he wants to it.
Yeah, but most vocal proponents of so-called "individuality" are simply self-centered anti-social assholes who haven't thought through the Libertarian ideologies they parrot deeply enough to realize how extremely dependent on and beneficial from collectivism they actually are, and they continue bitching about "socialism" while sucking the government's tit with their social security and disability benefits and medicare, and driving on the roads in their trucks while "rolling goal" and waving their guns at pedestrians and bicyclists and electric cars, and calling the fire department when their house catches on fire, and calling an ambulance when they accidentally shoot themselves in the dick while "cleaning their gun", and foaming at the mouth and railing against Obamacare for no better reason than the person THEY renamed the ACA after is black, then refusing to self isolate and wear masks and take vaccines, and finally overcrowding the hospitals and cursing at health care workers when they get sick, then running GoFundMe campaigns to pay for their "unexpected" self inflicted illness and funeral, and some even go as far as using projects hosted on github and hosting their own projects on github for free, and then complaining when github takes down the malicious repo of another mentally ill person whose apartment the police had to break into and remove his bomb making supplies.
If you are going to insult people at least get the terminology correct, it is rolling coal, not goal.
Further most people rolling coal are not libertarian.
>>d "individuality" are simply self-centered anti-social assholes who haven't thought through the Libertarian ideologies they parrot deeply enough to realize how extremely dependent on and beneficial from collectivism they actually are
Incorrect, Libertarians / Individualists do not reject the concept of society or working in groups to accomplish a goal. However they believe said interactions should be VOLUNTARY, and not forced upon you by 3rd party actors.
>>against Obamacare for no better reason than the person THEY renamed the ACA after is black,
Ohh yes, the only possible reasons someone could oppose ACA is because of racism.
Lord forbid I make a typo. But of course you knew exactly what I meant, and despite your attempt to disown that behavior, those people now OWN your precious Libertarian party just as much as they now OWN the Republican party. When your leaders are kissing Trump's ring, and you refuse to renounce and continue to follow those same leaders, you're kissing Trump's ring, too.
Do you support the way your glorious Libertarian leader Rand Paul has attacked and endangered Anthony Fauci's family by lying about him, and reject the government's right to mandate vaccination, but support spreading lies about people and endangering their families for political purposes? What ever happened to personal responsibility?
>How politically helpful have Rand Paul’s attacks on Anthony Fauci been?
>One of the more remarkable political disputes in recent history involves two doctors.
>One is Sen. Rand Paul (R-Ky.), an ophthalmologist by training. The other is Anthony S. Fauci, the federal government’s top infectious-disease expert. The genesis of their fight is the coronavirus pandemic and, specifically, government recommendations (for which Fauci is a figurehead) that Paul opposes. Over the course of more than a half-dozen hearings centered on the pandemic, the fight has become much more personal, with Paul accusing Fauci of having contributed to the creation of the virus and Fauci forcefully pushing back.
>On Tuesday, there was a new escalation. Obviously expecting Paul to challenge him, Fauci came prepared with an argument he hadn’t made previously: Paul was attacking him and putting his personal safety at risk for Paul’s own political benefit.
>Fauci pointed out that a man had been arrested while on his way to Washington to attack a number of public officials, including himself.
>“I ask myself, why would senator want to do this,” he continued, obviously flustered. “So, go to Rand Paul website, and you see ‘Fire Dr. Fauci,’ with a little box that says ‘Contribute here’ — you can do $5, $10, $20, $100 — so you are making a catastrophic epidemic for your political gain.”
And of course there are possible reasons to oppose the ACA, but most of them don't hold any water because they are based on lies ("It's SOCIALISM!!!", "DEATH PANELS!!!"), and are just cover stories and dog whistles for naked racism. You know that as well as I do, so don't play coy and deny it.
>>those people now OWN your precious Libertarian party
I see you have confused the Libertarian party with libertarianism they are pretty different
>>Do you support with the way your glorious Libertarian leader Rand Paul has attacked and endangered Anthony Fauci's
Aside from the complete falsehood of this statement entirely, I do support elected officials grilling non-elected bureaucrats in the manner used by Rand.
I also believe Fauci unfit to serve in his current role and there are serious questions around his tenure that need to be addressed including the funding of the Wuhan lab.
And just to be clear: by "grilling" you mean lying about and endangering the families of non-elected bureaucrats for the purposes of political fundraising. You're exhibiting and defending precisely the behavior I mean when I say Libertarians are "self-centered anti-social assholes".
You are not pretty different yourself, since you believe and spread the same conspiracy theories, and support Rand Paul's attack of complete falsehoods against Fauci and his family. Rand Paul's statements were mendacious lies, yet you support him and his lies and threats against Fauci for the sole purpose of fundraising.
I'm glad you don't incorrectly disagree with the fact that most of the arguments proffered against ACA are just lies and racist dog whistles, but I certainly don't agree with you that it's a valid tactic, the ends justify the means, or that using racism and lies and threats and spreading misinformation against people's families to grab power and raise money is in any way ethical or justified, or a "great tactic" and that "misinformation works", as Rand Paul himself says.
>>I'm glad you don't incorrectly disagree with the fact that most of the arguments proffered against ACA
Just because I choose not to respond to all of your unhinged conspiracy-laced nonsense claims that everything you disagree with is a dog whistle to racism does not in any way imply I support said statements.
I choose not argue with crazy people on the internet, and clearly President Trump broke your mind and I hope for your sake you get professional help.
>> since you believe and spread the same conspiracy theories,
Sorry, information released from government records pursuant to a FOIA request is not "conspiracy". I am sure you are so biased in favor of your lord and savior (Dr Fauci) that you probably have one of those candles or figurines on your desk devoted to him, so you will never believe anything negative; however, reality does not require your faith.
He is a mid-rate bureaucrat thrust into the limelight by circumstance, and this hero worship of him is insane.
Further, at no point did Rand threaten him or his family. The attempt to shift any real or imagined danger there is due to public backlash is a very dangerous game; tell me, do you apply the same standard to Democrats who inflame AntiFa and other violent groups? Are these democrat politics to blame for all the violence, riots, etc. they "cause" (and to be clear I do not believe they cause it, but your world view dictates we place this violence at their feet; I am judging you by your own standard)?
In no way do I "worship" Fauci. You're projecting your own hero worship of Trump onto me. You're the one who believes and spreads unfounded conspiracy theories, and whose mind Trump broke, if it was not already broken before. It's you foaming-at-the-mouth Trump-worshiping Fauci-haters who are the deranged ones injecting disinfectants, popping horse dewormer pills, and drinking your own urine, instead of wearing masks and getting vaccinated. Get a grip on reality and stop parroting lies and drinking Trump's piss flavored kool-aid. The rampant racism in the US and the fact that Trump exploits it is not a conspiracy, it's a historical fact that you can't deny. You fanatical Trump supporters are spreading ridiculous unfounded and totally disproven conspiracy theories that it was actually AntiFa who attacked the US Capitol to make Trump look bad, when we all know because we saw with our own eyes that they were racist Confederate Flag brandishing Trump supporters, egged on and organized by Trump himself. So do you also believe the election was stolen from Trump, too, like MOST Republicans do? Or do you just pretend to believe those lies and conspiracy theories as performance art trolling, the same way you go out of your way to purposefully mis-spell "democrat politics"? Then Popehat's Law of Goats applies:
>He who fucks goats, either as part of a performance or to troll those he deems has overly delicate sensibilities is simply, a goatfucker.
>He claimed he was just pretending to be racist to trigger the social justice warriors, but even if he is telling the truth, Popehat's Law of Goats still applies.
You are the only unhinged person here. I am having a calm conversation where you are ranting and raving... It is sad really
>>In no way do I "worship" Fauci.
Press X for doubt
>>You're projecting your own hero worship of Trump onto me.
Never voted for the man... I disagreed with him about 50% of the time, however I saw in real time the lies and misinformation the media was putting out.
>>It's you foaming-at-the-mouth Trump-worshiping Fauci-haters who are the deranged ones injecting disinfectants, popping horse dewormer pills, and drinking your own urine, instead of wearing masks and getting vaccinated.
Fully vaccinated, just do not support the mandates
//and for the record Trump also supports the Vaccines.. Much to the chagrin to part of his base
Also, calling one of the most widely distributed human drugs, a drug that won accolades for saving people's lives across the world, a "horse dewormer" is unhinged conspiracy and medical misinformation. Sure, it may not be a treatment for COVID; that however does not change the reality that it is a human drug, prescribed by doctors all over the world, and is in fact on the WHO list of essential drugs...
>> disproven conspiracy theories that it was actually AntiFa who attacked the US Capitol
Where did I say that? There is clear evidence of AntiFa violence all throughout 2019, 2020, and 2021 without having to talk about the 1/6 protest turned riot.
>> So do you also believe the election was stolen from Trump, too, like MOST Republicans do?
Stolen in the sense you are talking about... No. However, I do believe many states' governors (on both sides) inappropriately (and IMO illegally) used their executive powers to change election laws under the guise of "emergency" to manipulate election turnout and other factors for their (or their party's) political advantage.
I also do not believe or support the narrative that voter ID is a threat to democracy, nor do I support or believe the narrative that the US has the most "secure" elections in the world.
>>Popehat's
Ahh yes... Ken White. another famous person broken by Trump. The one famed free speech advocate now fully supporting Censorship of all manner.
Github is still in theory a place to collaborate on code; it's not a blogging platform. I think a reasonable argument could be made that he violated the "spirit" of github.
> No, it wasn't. It was Github's corner of the internet and then it was Microsoft's. If he just wanted a place to publish his personal projects, he could have put them on a personal, self-hosted website.
Exactly. Marak's defenders are quick to argue that he had every right to do what he did based on the repo's license. It's inconsistent to then blame GitHub for suspending him from their platform.
> I strongly encourage you to stop making false allegations.
I encourage you to find out the definition of Trojan[1] and then find out what Marak did to sabotage his code.
To qualify as a Trojan, Faker.js needed to be:
- advertised as being for a certain purpose
- coded to do something to damage the person who installs it (even if it still does the thing it advertises that it does)
In this case, Marak took people who thought they were installing Faker.js and tricked them into installing something that ran an infinite loop, which would break a lot of CI/CD servers and build processes.
In some circumstances, this could easily lead to economic harm. In the worst circumstances, it could take down a vital service (like a health app) and cause people to be seriously harmed.
> Marak allowed people who thought they were installed Faker.js and tricked them into installing something that ran an infinite loop
They were installing a legitimate new version of Faker.js though - which just happened to be running an infinite loop. It's users who trusted Faker.js author to not pull this kind of stuff off and it turned out they were wrong to do that.
If it isn't security-breaking, it isn't a Trojan. I have not seen any evidence that this prank, immature as it may be, resulted in an actual security breach.
The term is derived from the ancient Trojan Horse. It doesn’t have to involve security breaches because the only requirement is a breach of trust through deceit.
That's BS. Marak didn't just remove it or make it "non-functional". He deliberately changed the code to run in an infinite loop and halt any code that pulled it in. That seems exactly like the definition of a Trojan to me.
It isn't disguised as anything. If you included a random module in your application package manager, and allowed it to update itself and run scripts then liability is on you for not verifying it and checking the license to see if they provided any warranty.
But is this really a "warranty" issue? Sounds more like a fraud issue (ianal).
Given it was done with the intention of messing up other people's computers which the maintainer did not have legit access to - maybe its even a CFAA criminal hacking issue (ianal).
Anyways, there's a huge difference between accidentally doing something and doing something with the specific intention of hurting someone else. Sure you can disclaim responsibility for accidents & negligence, but i'm pretty sure you can't disclaim responsibility for intentionally malicious conduct in a contract, certainly you wouldn't be able to do so if it was criminal conduct (IANAL).
If someone hands out free food on the corner with a sign that says you aren't entitled to it and so you get used to getting free food there. In fact, you've found ways to save on your budget because of it. You also optimized your route home from work to get there at the most convenient time.
One day, you show up and they have a sign up that says... No more free food, vote for Bernie. Are you really the type to complain that now you have to pay for food again or find someone else to give you free food, and throw a fit that their vote for Bernie sign is a trojan?
It's software, not consumable carbohydrates. Easily copied infinitely once created. Nobody is arguing he doesn't have to stop making it. Nobody is even arguing he doesn't have the right to delete his repos. What he did was intentionally poison the templates to trigger automated updates to break other people's software, and that's just not okay. Forget the machines... It's simply misanthropic behavior.
But he didn't withdraw his offering he sabotaged it.
I guess the metaphor would be if you gave out free food all the time with a sign saying people aren't entitled to it, and then one day decided to add laxatives to it because you felt the people were ungrateful.
Which would land you in jail for a long time no matter what the sign said.
No, the person giving free food here did not go up to people's houses saying here is free food still, eat it cause it is yummy and safe. The people getting the free food showed up cause they felt entitled, grabbed whatever they could find and said... oh, this isn't the free food that I'm used to getting here... oh, and I forgot to read the sign that has been there all along.
This analogy doesn't work the way you want it to. What you are describing would be literally illegal.
The person who put up the free food and the sign, after it was proven that they willfully poisoned the food (which is the only way I can interpret intentionally encoding an infinite loop in your testing library), would be liable for assault. You cannot just put up a sign that says "taker beware" to indemnify yourself from liability, especially after establishing the pattern that the food is safe.
If you ever wondered why grocery stores throw out perfectly good food (and sometimes padlock their dumpsters) rather than donate it to shelters, it's because this is how society works. They have to be clear that even food being thrown away is not intended to be free for the taking because if a pattern becomes established of people eating safe food out of a grocery store dumpster and one day that food is not safe, the grocery store can be held liable for injuries. Even if the grocery store never wanted anyone to use that food. The hard part would be proving the store intentionally poisoned it... But if that proof were made, the law is clear on who is responsible for the harm caused, and it's not the people eating out of the dumpster.
The underlying philosophical principle that underpins all of this legal precedent is "Don't intentionally cause harm." Marak broke that principle. Thank God Marak was only writing npm libraries and didn't own a grocery store.
This entire story, from the initial changes through the breakages through third parties intervening to mitigate their services being used to cause the breakages through other third parties stepping in to take responsibility to continue maintaining the code that had become vital, is one big open source community success story. The community interpreted intentional harm as damage and routed around it. And that was always one of the intended benefits of the open source approach, right? That the creator of the software can't ruin your day because they feel like it? Whether that creator is an evil corporation refusing to open their proprietary code, or a rogue actor deciding to take a sledgehammer to the pipeline... Open source mitigates the harm caused by both.
You seem to be misunderstanding what a Trojan is. From Wikipedia:
> In computing, a Trojan horse is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
> Trojans generally spread by some form of social engineering; for example, where a user is duped into executing an email attachment disguised to appear not suspicious (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else.
Marak disguised his malicious DoS attack as previously released useful software. I am completely baffled why people are defending his actions, at all. He could have easily just pulled down his repo, that would have been totally within his rights. Releasing malicious software under the guise of something else is not.
And the fact that people are quoting the license of "no implied warranty" is irrelevant. The law does not look kindly on those that act with malicious intent, regardless of what a license agreement says. For example, if he changed the repo to instead encrypt your hard drive, I guarantee he'd be going to jail. While thankful this was just a DoS attack and not something more serious, it was attack all the same.
Unless you can show Marak Squires breached these folks security systems, it simply is not a Trojan.
(As a separate point, a claim that something distributed as source code is "disguised" simply cannot be in good faith.)
By claiming it is a Trojan, you are accusing Marak Squires of a potential felony by accessing a computer system without authorization. Making serious accusations like that should require some evidence. I don't see any.
They didn't disguise anything. It was MIT licensed, so you could have forked it long ago. You got used to the source you were using being useful, and so you felt entitled that they would maintain it in a way that was appropriate for your standards based on what you felt entitled to. The thing is with open source projects like this, no one owes you anything but it is too hard to admit that for many people.
No one reads licenses lol. The intent is the same as a trojan: making software malfunction for the intent of either economic gain or geopolitical goals. Intent matters; there is a fundamental difference between shipping crappy code for fun, and making good code break without warning for thousands of users.
A Trojan is where the attacker gains direct access to a protected system. It is a back door disguised as an innocuous file. The whole point of the Trojan Horse was the Greeks hiding inside of it to get into Troy.
Where is your evidence that Marak Squires gained access to any of the systems that downloaded and used his packages?
I think there are two aspects of the word "trojan", but it does not imply "remote command and control"; it's often that, but more broadly it means something that is disguised as one thing, but is not.
Chalk maintainer here. I said before I wouldn't comment on Marak but I don't want to stand by and watch him profit from this like he is, monetarily or otherwise, nor should GitHub receive ANY hate for their actions.
He's not banned. It was most likely an initial response to a suspected compromised account situation. Once they determined the actions were carried out by the account holder, they reinstated it.
There are MANY reasons to be annoyed with GitHub but this isn't one of them. Github's actions here helped, not hurt. I would hope they'd suspend my account if they too thought it was compromised and pushing out malicious updates to packages.
The security of users is of the utmost importance.
Marak needs professional medical help. It is clear he's having a mental break and the people defending him and egging him on are only making things worse. He has a history of erratic behavior (dating back to almost a decade ago) and needs to find healing, not accolades.
Since this whole fiasco, Marak has garnered loads of followers and has increased his sponsor count dramatically. We should not be rewarding this behavior. If you at all dig into this, you'll find not a stable, perhaps loud individual, but a troubled, erratic, unpredictable, and hurting one. He is not a martyr. He's not a patriot or a revolutionist. He's an abuser, potential "freedom fighter", malicious OSS maintainer and a beggar.
Please. Let's end this and not give any more attention to Marak. He needs help, and we're all collectively making things worse.
Freedom of speech doesn’t mean you can do whatever you want on someone else’s server. The project was hosted on GitHub, so GitHub can take significant action to protect the community. He can host his project elsewhere if he doesn’t agree with GitHub’s actions.
Whether you agree or disagree with it, ISPs have the right to fire you as a customer. However, I don't usually see them exercising that right unless it's for piracy.
> But GitHub claims to be your home for public hosting of your own personal code.
Github claims to be a home for developers to publicly host code of public use. Any benefit to an individual developer is incident to that overriding purpose and they are clear about that in their use policies.
I think they could easily make claims on any or all of sections 2, 3, 4 and 10.
Section 10 in particular notes that Github is a service run for a mass of users and will favor users as a whole over individual privileges.
> expressing his freedom of speech, again on his own personal GitHub account, in his own personal (not organization) repositories.
Was he running his own Github server instance and I missed it somehow? The flipside to Github paying to run your git repo, issue tracker, etc. is that you agree to abide by their terms of use, and these terms are written for Github's benefit.
If a million Github users are impacted by this package breaking their code then why are you surprised that Github took action to protect their users?
Marak could have hosted his own git repo if he wanted to ensure his malicious code couldn't be intercepted by others. That's the tradeoff you have to choose.
> He spoke about his thoughts about open source, businesses, and economics. Defending this type of political speech [snip]
Inserting infinite loops into packages isn't "political speech" and trying to claim it as such just waters down the entire argument...
Yes, I'm also curious about GitHub's justification for this. It feels like they should have made some sort of statement about why the account was suspended, for the sake of transparency in such a large controversy. It's perfectly imaginable that Marak used his GitHub account to spam/harass other projects, or engage in some other type of speech that went against GitHub's guidelines, but there needs to be more clarity so that this doesn't seem like a case of "You annoyed me, so you're gone". As you said, it really can give the appearance of GitHub siding with the commercial use of open source for their own self-interest, even if I have enough trust in GitHub to know that that's probably not what they intended to do.
EDIT: I'm glad to hear from a sibling comment that GitHub has since unsuspended his account, since TFA and this comment made me think he was still suspended. Still, it feels like a misstep for GitHub not to have made some sort of comment here.
Is domain enough? I doubt it. You probably also need your own server in your own rack in your own building with your own peering to other networks. Once you've done all of that, you can probably credibly keep your site up counter to corporate interests.
Well, if you have your own domain then you can at least move it around between providers. But yeah, if you are doing anything truly unpopular then I don't think there's much you can do to stay online.
As a network, the internet will tend to favor the interests of large groups acting coherently. Sometimes we call those "corporations." But yes; control online is a two-way street because it's a communications network and it always takes at least two to communicate.
The fact that the conversation is happening at all is a sign that GitHub reputation is damaged. As anyone would point out they are certainly within their rights to terminate any account for any reason.
But certainly not beyond repair (as injecting adware in your package).
Also it is certainly a reminder for everyone that GitHub should not be treated as an archive of your code, and more like a collaboration space.
>"The really outrageous thing is that the developer going "rogue" was actually him expressing his freedom of speech, again on his own personal GitHub account, in his own personal (not organization) repositories. He spoke about his thoughts about open source, businesses, and economics. Defending this type of political speech is especially important and GitHub banning his account and censoring this type of speech(whether you agree with it or not) is especially shameful."
This Tuesday is the 10-year anniversary of the SOPA/PIPA blackout [0,1]. Half of the tech internet crippled their own functionality for a day, in an act of political speech. (Was GitHub part of that?)
I’m not defending the author. GitHub is within their rights to do what they did. But certainly not because of the nonsense GP claims. And yes you can host viruses on S3. What you can’t do is use Amazon’s network to do illegal shit (such as distribute viruses without consent).
Obviously I mean to distribute viruses via S3, which is what’s happening here. Your account is guaranteed to be flagged as soon as they find out. The update here was distributed to every subscriber.
He did it to protest billion dollar tech companies making money off open source, which is Github's entire business model. His protest was an existential threat to them so of course they are going to crack down.
I believe that none of the billion dollar tech companies were affected by this in any way as they tend to have proper process in place for managing dependencies, the only ones who suffered were small developers and other open source projects which have limited manpower and just pull in updated versions without verifying them. Saying that this is an "existential threat" is ridiculous - megacorps can and do have procedures that won't be bothered much even if you'd have a case like that every single day.
Whatever his intentions were, acts like this threaten the open source community, but do not actually threaten the big companies at all.
This is such a bad take I don't even know where to begin. Please, read up on FOSS licenses and check which one colors.js uses. That's just the first of about five flaws with your argument.
Unbelievable that now almost all people are discussing "how" Marak's actions caused results, not trying to figure out "why" this happened. Just like seeing something wrong and discussing it. DO NOTHING!! CHANGE NOTHING. All meaningless, unless you figure out all the stuff and change something. What did I do? I think GitHub is wrong, so I took action and deleted all my repos on GitHub. F*K it, that's what I did. At least I took an action. So what did you do? Talk is cheap.
This strikes me as a hyper-defensive exercise in wrapping the lib thick with every cheap trapping of "community" to hand. I suspect because of the Open Collective handover.
In the end, this thing spits out strings. Does it need eight maintainers, only a few of whom had commits, in low double digits? Does it need its own GitHub org, Twitter account, and Google .dev domain? Addressing open pull requests could be good, but the rest of the roadmap looks like packaging, doc, twiddling with test infra, and more "community" again. That is also work, I suppose, but API and function feel baked. Before he did "bad", Marak did good.
Overall, the vibe here is self-righteous hostile takeover. That's a pretty fraught concept I don't see a need to go near. Maybe it's not fair or accurate, for those better in the know. But from the outside looking in, seems to me a fork, a new name, and a quick tweak to package.json could fully address the issue of another 6.6.6-like release, cleanly. No special deals with the platforms. Name brainstorm, clone, fork, push, and publish of existing MIT code would have been intensely normal. Especially in JS land.
I get that "community" is supposed to make me happy and calm. But in the end, I don't see anything here addressing root causes of what happened, or even speculating on what they might have been. Marak isn't the only solo leading projects who's snapped, and he won't be the last. It's convenient, but ridiculous, to say that has nothing to do with the environment we've built up. Plus we've learned a new way to lose donors, it being no mean feat to get them in the first place.
> In the end, this thing spits out strings. Does it need eight maintainers, only a few of whom had commits, in low double digits? Does it need its own GitHub org, Twitter account, and Google .dev domain?
I'm pretty sure the org and multiple people are to avoid a single point of (mental) failure - quite reasonable given the project history.
Also, if we really want to go that way, Google Search is also just a product that spits out strings. And a few orders of magnitude more over-engineered ;)
> But in the end, I don't see anything here addressing root causes of what happened, or even speculating on what they might have been.
Well, they have a larger team now, which can reasonably prevent a single person from doing that kind of damage when set up correctly. What other root cause are you looking for? Mental checkups for open-source maintainers? Redefining the "free" in free software?
If what happened here was mental health, I'm not sure more people is more better, from a security standpoint. If it was strongly linked to workload and maintainers' plight, I'm not sure more scope is, either. If the harm done was time wasted and confusion incurred, I wonder about users who got burned teaming up as a group of eight.
In any event, the median count of contributors to an open source project remains one. This team-up doesn't help projects != faker.js.
Not worrying about endian conversion or the format of your floating point is a very good thing (Yes, I'm old enough to have dealt with software developed on Intel machines having to be ported to run on VAX based machines).
Marak isn’t the only one who snapped, but he’s the only one to my knowledge who has introduced malicious commits to this code to purposely hurt other people’s projects. (Even Hans Reiser didn’t do that.) It seems that this might have been a precursor to Marak attempting to hurt people in real life.
"Hospitalized Queens man charged with reckless endangerment after cops find bomb-making materials in his home"
I’m not surprised with Marak’s behavior given his mental state. What surprises me is the amount of support he’s garnered for his actions with a lot of people on HN.
I don't think what he did was particularly good but I think he was entitled to do it. And the blame falls on the system we have which relies on random people to do work for free with no contract or obligation.
It's like if a business delivered packages by asking some random homeless person on the street to walk it to its destination. And then one day the person just chucks your package in the river instead of delivering it. It's amazing that the company got so much value out of a free service for so long rather than shocking that it eventually didn't work.
Open source works because we can trust authors to not maliciously harm other people. If it was a bug that's one thing it happens, you move on. But when you purposely do something that you know will cause harm to people that is where I draw the line.
Your analogy isn't even close. No one forced him to write faker.js. He chose to do it and he chose to make it open source under a license allowing people to use it. He also chose to maintain it and help people with issues. If he didn't want to maintain it anymore, it is his right to stop. No company could force him to continue. But neither he nor anyone else is entitled to add malicious code. Full stop, that is where I draw the line. I can't believe anyone is defending that.
He chose to put a package online. He didn't sign any contract stating the package would meet some kind of quality obligations. He had no obligation to do anything.
Yes, it is particularly shitty to intentionally screw it up. But the system that put so much value on something not happening without any safeguards or obligations is the real problem.
The move fast and break things attitude of web development is the cause. A single rogue dev is just an example of the worst happening. In the future I imagine we will have package managers which do not give random individuals so much power. And we will rely on packages from trusted names, Google for example has a very very low risk of sabotaging a package compared to a no name individual. If companies had paid for this package, they could take legal action against the author. But they paid nothing and had no assurances of anything other than a vague hope it would continue to work.
He did something much worse than break a contract, he committed a crime that he could probably be prosecuted for. He did the whole thing with malice aforethought. It looks like fraud at the very minimum - he released a version with the intent to deceive, victims relied on his deception, and they suffered damages as a consequence.
Fraud requires that he used deception (I don't see any evidence that he did) to obtain something of value (again, I don't see it).
The code was open source. The code was published under a new major version number. The code had a descriptive change log that definitely didn't seem congruent with earlier versions. And he wasn't getting paid for it. What thing of value did Marak Squires defraud people of?
I get the sense that people are reacting with extreme hyperbole in their accusations, out of anger that he did something assholish.
Serious question: how is this different from 1Password publishing an upgrade that removes the ability to use standalone vaults in the iOS Safari extension?
At the end of the day, Marak published an update, knowing some people would update the software automatically due to their own workflows, and the update had negative effects on the users. Companies do this all the time and nobody accuses them of installing a "Trojan Horse" or committing a felony.
How did it come to this? Where HN, a place that is supposed to be genuine and curious, believes an act should be acquiesced to or branded a felony based on the individual's personality? Because that seems to be the consensus here and I find it disturbing.
He chose to put a package online. He didn't sign any contract stating the package would meet some kind of quality obligations. He had no obligation to do anything.
If there was a bug in his logic that caused an infinite loop in some scenarios he was under no obligation to fix it. While I think he should in that scenario, I would defend his right to leave it. Another maintainer could fix it, someone could fork the package, whatever.
I am not arguing he owed anything to anyone. I am arguing that he is not entitled to maliciously break things on people. He committed it knowing full well most packages would grab it automatically; most people are okay with that, as if it breaks things they can go back a version, no big deal. His package is so popular some people might not even realize that one of their dependencies relies on it.
We can argue about how much time you should invest in knowing your dependencies and checking every commit for them, until we are blue in the face. The reality is he knew most people just can't or won't especially in npm world.
There is no defending a malicious act. He is not entitled to commit code maliciously. OS works because we trust maintainers to do their best to have the best interests of the users at heart. The flip side of that is they are under no obligation to work on it. They can walk away at anytime.
If people's idea of OS software starts to include that someone could do something malicious at any moment, that's the beginning of the end of OS.
> I don't think what he did was particularly good but I think he was entitled to do it. And the blame falls on the system we have which relies on random people to do work for free with no contract or obligation.
Utter nonsense.
You don't put out code under open-source MIT and then want to take it back when you realize other people are using it exactly as you instructed them to use it, which in this case is "any way they please".
You have to think about this stuff beforehand if you want to be compensated if it "takes off"; there are other licenses you could use.
The MIT license doesn't prevent you from doing this. If someone cloned the repo, they could continue doing whatever they wanted with it, but the owner is entitled to put up whatever new code they want on their repo.
This is technically true. If he wants to act like a spoiled brat and put malware in his own code, he can under MIT (he can do whatever he wants, just like anyone else can do with it).
Most of the companies that got hit by this (and any paying attention) will probably just change their deployment strategy to slightly slow down their updates. I guess this is equivalent to... I dunno, checking if the random homeless person had at least made one successful delivery? Except the analogy breaks down because code doesn't randomly begin to pick up different behaviors without any intervention (Well, hopefully!).
> What surprises me is the amount of support he’s garnered for his actions with a lot of people on HN.
Well, his motivations were somewhat understandable and his actions were still scratching the realm of acceptable (not cool, but no serious damage and nobody was hurt). It's actually hitting the pretty much perfect spot to generate lots of discussions, since it's very easy and understandable to argue for either side.
What he did was nowhere near acceptable. Instead of adding an infinite loop to purposely sabotage other projects, he should have either walked away or changed the license for future versions of faker into a much more restricted one. SugarCRM transitioned their software from open source to closed source, and they’re still here with paying customers. There are also many restrictive licenses that change depending on the type of user, e.g. free for personal use but paid for medium to large corporations.
Actually, when redis changed their license to get paid by cloud services like Amazon, there was a huge uproar. The people behind redis didn’t purposely break anything, had a lot of people talking about it, and had a clearer way towards getting paid. There are better ways to bring attention to an important issue.
It was a rebellious act against (what seems like) overbearing organizations, comparable to spraying graffiti on their walls. As I said, there was no serious damage and nobody was hurt; it's not like he burned down buildings or shot at people. I'm of the opinion that this was not the right way as well, but in the end it really wasn't that bad.
Changing the license would be just as “rebellious” and it wouldn’t have hurt anyone. It also would have drastically increased his chances of getting paid. Given his bomb making activities, I feel that this was more of an excuse to watch the world burn.
Nice bait-and-switch, but we can scroll back and see how relevant your defense of the comment I responded to really is.
Declamations are fine; declarations about what is "acceptable" and what "they should have done" are more than mere criticism of poor judgement, etc., and are what the author of the comment I responded to actually wrote.
> Instead of adding an infinite loop to purposely sabotage other projects, he should have either walked away or changed the license for future versions of faker into a much more restricted one
Then from the context, you can clearly read that the comment you responded to did not mention that Marak needed to do anything for him specifically.
> he should have either [done this thing (that I deem would be "acceptable") or this other thing]
(This is my last response to you, since you were strawmanning from the beginning and this is obviously not going to go anywhere that doesn't involve intellectual dishonesty dressed up as a clever retort.)
What GitHub did was completely reasonable. They mitigated harm to their users on their own infrastructure and property. They did not change his code. They just took down his malicious code that caused harm.
The vast majority of people on HN would never purposely harm strangers. Most of these strangers are fellow developers, i.e. “Us”.
I understand some of the imperatives GitHub's people must have felt. I've advised folks providing open source infra under drama, though I can't talk details.
I'm sure the people who got burned on builds had bad days. It's not fair to blame them entirely, for not locking deps. It is fair to point out this isn't the first time builds have broken, with npm or other repositories. Nor the most widespread in effect. Does this count as a crisis?
If anything, I suspect a crisis of faith. Seeing bad things can come of `npm install`, and those bad things might be intentional or just plain weird, instead of well intended but accidental, can make people anxious. Publishers to npm don't just disappear or malfunction. Their faults can be byzantine. But there are defenses against them.
On the maintainer side, like it or not, we all have an editor when it comes to publishing on GitHub. But it matters how invasively that power gets wielded, and how heavy-handed it's perceived. This episode suggests to me that the threshold for intervention in the name of user interest is pretty low.
That's based on the information I have. Perhaps GitHub will share more on the blog.
If people want full control over their repo, then they shouldn’t use GitHub, gitlab, bitbucket or any other free service. They should host it on their own server.
This is an open and shut case. GitHub did the right thing.
A social scientist who has studied industrial sabotage might be able to correct me if I’m wrong: But I have read one (1) book on the subject—which frankly is one more than most—and I don’t think there is any evidence of correlation between industrial saboteurs and sociopathy. In fact, quite the contrary, saboteurs often go to quite a length to prevent people being physically harmed in the sabotage.
A saboteur is more often than not mostly frustrated at their employer, or the industry, and tries to maximize harm to those entities, not innocent bystanders. However given that saboteurs are often quite angry and have often been in a prolonged state of stress, and most often act alone—keeping their plans secret until they are executed—they are often not in the best position to correctly estimate who will receive the most harm.
In our industry there are plenty of frustrated workers, some are underpaid, others are overworked, some work for entities they morally object to, etc. When a colleague engages in this kind of sabotage which causes disruption on some scale we might see it as an act of solidarity from a shared frustration. This is certainly the case in other industries, and I don’t think tech is any different. In fact this incident reveals that our industry might even be more vulnerable to industrial sabotage than other industries.
Most of what you’ve written is valid. The main issue I have is that you’re implying that software developers and engineers are “underpaid”. That doesn’t reflect reality. We are one of the highest paid professions in the US due to several factors. There is also a lot of career mobility, i.e. if you’re not happy, change companies. The other issue is assuming that Marak is rational. I do not believe he is at the moment since he was involved with manufacturing homemade bombs at his apartment.
> After the funds were moved we were invited to become admins of the Faker collective. This meant that we retained the existing sponsors of the Faker collective who were paying for the continued maintenance of the project.
I'm sorry but this feels wrong. The existing sponsors should have their subscriptions cancelled, instead of going to a new organization automatically.
> Only sponsorships tied to the project itself will continue to be tied to the project
Yeah, but the project is not actually the same anymore. The new project taking over the name and URL of the old project doesn't make it "the same" project.
> The new project taking over the name and URL of the old project doesn't make it "the same" project.
Do you really think the sponsors and the people using this code actually care that one person (of many contributors to the project) who wanted to break the project is no longer part of the project?
It's a technicality, but in practice nobody actually cares. If they wanted to sponsor Marak they would have done it through his Github sponsorships. If they wanted to sponsor Fakerjs, in whatever form it takes, they would choose the Open Collective and their associated terms that allow for exactly this scenario.
> Do you really think the sponsors and the people using this code actually care that one person (of many contributors to the project) who wanted to break the project is no longer part of the project?
Some of them probably do. And some probably don't like the way in which the takeover was done, or don't like the new guys, even if they don't really like what the old guy did either.
Good preparation? The fact that this site is at the top of HN? I don’t think anyone really cares as long as the community settles on only one. Personally I’m happy a group (and only one group) of people has stepped up to take over stewardship.
The terms of the funding are attached to the project, not a specific maintainer:
> During the conversation with Ben, he went over the terms and conditions of the Open Collective with me.
> Ben said that simply, "The funding is attached to the project, not the current maintainer."
None of Marak's personal GitHub sponsors were changed (obviously).
To be clear: Marak deleted the original project as part of his protest. The sponsors in question are donating money to sponsor the project, not a single person. It wouldn't make sense to send their money to someone who deleted the project.
Then you cancel the sponsorships to the project and notify the supporters. When the maintainer effectively cancels the project, this makes sense. But you don’t migrate supporters automatically over to a brand new project (even if it is the most stable fork of the original).
> We came to the determination that users unfamiliar with the whole Faker situation wouldn't know that the repository's sponsorship links aren't funding the continued development of the project.
If the intent of the supporters was to support the project, then you can ask them to continue funding the new fork. But you don’t just move funding by default. Cancelling the ongoing support would be fine, but you are relying on people (who were never aware of the switch and the new fork) being okay with this, without their consent.
This is a messy situation, but you can’t make these decisions unilaterally. Inform the supporters and let them decide.
But they are changing the “project”. Just because the new project is named “Faker-JS” doesn’t make it “official”.
Does the open collective have the ability to decide who is in charge of a project? Can they remove maintainers?
Let’s say there is a fork of a different popular project. Are you suggesting that they could unilaterally decide to support the fork over the original project? However unlikely that is, I don’t think they have that power. Decertifying a project? Sure. Redirecting funding to a new project (even a fork), just isn’t right.
To me, this is like the left-pad incident and npm. There was a vocal minority who denounced npm for looking after the greater good, maintaining continuity and transferring the project to someone else.
In this case, since the author also deleted the project, the proper way to maintain continuity for the sponsors seems to transfer it to the new community of folks who are interested in maintaining the project. Sponsoring the old deleted project does nobody any good.
Personally, I don't see anything wrong with what OC did.
You have to let the supporters make that decision.
You can make that decision easy, you can automate a lot of it, you can inform, but you can’t change which project the funding is going to without explicit consent.
And yes, for these purposes, the new fork should be considered a new project. It is a completely different situation than if the project itself decided to change maintainers, etc.
This is really a crazy situation where the original maintainer blows up the project. The best scenario would be for the original authors to hand over the project in some capacity. But that seems pretty unlikely.
To put it in different terms… this was not a SQL UPDATE. This was a DELETE. You don’t just change foreign keys to a different project_id when you delete a record.
I would also argue that the author was completely irresponsible, and made life difficult for everyone that used and supported the project. But that’s a separate issue and doesn’t make what the open collective decided right.
I don't see how it's immoral. If someone wants to sponsor Marak personally, they can do so easily. If people are donating to the project under the false belief that the money is exclusively going to Marak, then that's their problem for misreading the details of what they were donating to.
The project no longer exists. It was deleted. These people forking it does not give them the ownership of the project. The problem in the supply chain was solved by NPM rolling back the version. Github temporarily suspending his account could be attributed to suspicious behavior. These guys commandeering someone else's open collective and general community identity (hn handle, twitter handle, library name) does not solve any actual problem, and is clearly just an opportunistic way to boost their own standing in the community and financially gain off someone else possibly having a breakdown. Shameless and very unethical.
Saying "the funding is attached to the project" doesn't really answer anything.
This new fakerjs isn't the old project, technically or practically speaking (technically being the important part here).
So funding attached to the old project should be still attached to that now-abandoned fakerjs, or straight-up canceled if Open Collective considers it violates their terms, instead of transferring.
The fact they can't do it themselves and asked Open Collective's exclusive director to do it "manually" basically self-confirmed it shouldn't be done.
> This new fakerjs isn't the old project, technically or practically speaking (technically being the important part here).
No, it's definitely a continuation of the old project.
Marak deleted the old project. It's now just a non-functional GitHub repo with a Readme that says "What really happened with Aaron Swartz?". Nobody would consider that to be more like the original fakerjs than this active fork that, literally, retains the original fakerjs.
> So funding attached to the old project should be still attached to that now-abandoned fakerjs
Not just abandoned. It's deleted. Or at least rendered useless, devoid of history, and non-functional.
Why would they continue funneling money to that? Why would they not give money to the actual project as it continues?
Marak's GitHub sponsors aren't changed. If people wanted to specifically sponsor Marak, they would have chosen to do it there. The Open Collective is very specifically about the project, not a specific person.
> What I don't agree is to transfer its sponsors to an account that has zero relationship with original account.
The current fakerjs has more of a relationship with the original code than what's in Marak's repo.
I don't see the issue. The Open Collective is specifically about sponsoring the project, which Marak clearly and publicly washed his hands of.
Again, they weren't sponsoring Marak. They were sponsoring the project. The project is still going.
Do you also have no issue if GitHub just transfers Marak's repo to the new team? Or all the stars? Since obviously most of people are starring the "project" not him.
I'm trying to use analogy to show the ridiculousness of transferring followers (sponsors) around without agreement of two parties. Hell, I think it makes even less sense in OC's case since there is real money involved.
This is a bullshit excuse. People don't decide to sponsor a project in a vacuum. They look at the project, its history, and the circumstances of its creation. The project is free to begin with, so what is there to sponsor in the first place?
If I make a donation to a charity which I trust, and some third party simply takes the money and hands it over to some other charity instead, claiming that it doesn't matter because the goal is the same, I'd be rightfully outraged. How is this different?
It is up to them to cancel their sponsorship. At most I'd go along with cancelling all sponsorships, but even that would be a huge asshole-move. This is outright theft.
If one single sponsor does not agree with their sponsorship being transferred, then that is THEFT. There's just no way of excusing that.
On the other hand, even if an overwhelming majority were okay with sponsoring the fork instead, cancelling their sponsorship and emailing them about the reason and how they can sponsor the new project (or continue sponsoring the old one, if for whatever reason they'd want that), then that's a minor inconvenience.
Is it really such a hot take that erring on the side of minor inconvenience is better than accepting outright theft based solely on the perception that most™ users will be okay with it?
Faker.js is why software should move a lot slower. There's no other industry this unprofessional. "But....vetting every single dependency (supply chain) is tough and we can't really know which one to trust (which is why we have certificates)!!". It will never happen tho, because software is too ephemeral for anyone to give a shit about, "leaking millions of personal info" doesn't feel as bad as the thought of myself "falling off a faulty chair".
I don't understand how you can "commandeer" the fakerjs identity. I realize you can fork and maintain said fork, but to take a) the name (which should be protected as a copyright, no?), b) the sponsors (this feels very unethical if not illegal). You can't assign yourselves as the successor to a project. You can be a "spiritual successor", but unless Marak officially hands the mantle over to you, your thing is just a fork. Surely if all 8 of you are engineers as in the intro, you had to learn some sort of curricula on professional ethics.
Why is this project so popular? I’ve built mini APIs to do this in several previous jobs - either for the purpose of fuzzing, anonymizing real user data for test environments, or readable testing. Each time it’s taken maybe two days of effort in total starting simple and growing for internal needs. How has this been funded so much, for something that’s as simple as dictionary.getRandom()? And why does it need eight contributors, social media accounts, etc?
> I’ve built mini APIs to do this in several previous jobs [...] Each time it’s taken maybe two days of effort
So...just you, in your career, have spent between 1 and 2 total weeks of developer time building the exact same functionality, and you're curious why an open source project that cuts that time down to like an hour is popular?
I'm also a little suspicious of the claim that it's the exact same, because Faker has a lot of functionality under the hood, but you've more or less demonstrated why it's useful in this comment.
A) most of the dependencies that Faker has are common with lots of JS projects that I work/have worked on in the last few years. Looking at that dep list[0], I'm familiar with most of them. They're mostly common packages. To some degree, I'm relying on the thousand eyes here.
B) In terms of security risk, Faker runs in test suites to generate data and locally on dev machines, sometimes, to populate sample DBs. It lives and runs in managed environments and doesn't get packaged into prod anywhere. The risk profile isn't nonexistent, but it's also not a massive risk.
C) I really think we're underrating the amount of work that would be required to recreate this project (not uncommon here). Faker can spit out 205 different types of random data in 46 different languages/dialects. Building that is not a two day project (evidenced in the fact that people have been working on this for years now); making sure you can generate all that data correctly in all those different languages is a non-trivial task; building and maintaining it internally will take dev time and energy and will continue to require that time and energy on an ongoing basis.
You're talking about this choice here and in other comments with an air of "silly JS devs, just build this easy thing!". I don't know if it's your intention, but you're coming off dismissive and ignorant. People think about these tradeoffs all the time, and sometimes decide to use packages like this. I think it might behoove you, if you find someone's decision confusing, to start from the position that they are also reasonably competent professionals and see if you can understand why a competent professional might make a different decision than the one that seems obvious to you, rather than assuming that if someone makes a different decision they're stupid and/or incompetent.
Because for some people, they don't want to spend the extra time to build and maintain a solution that they are now responsible for.
`npm install --save faker` and boom you have access to a huge variety of random test data, across different locales. Doesn't stretch my imagination to see the appeal.
Sure but realistically most people only use a few of fakers features right? It’s not that time consuming to make in-house. And after those few hours of work you don’t have a dependency/new security vector to consider. I guess the JS ecosystem like to import everything (isOdd).
Building something in-house comes with its own sets of pros and cons, which can be compared against the pros and cons of taking a new dependency. The balance and the "correct" decision will vary by team/project/org.
Of course! That's good engineering. However I argue that the default is far too often to use something 'off-the-shelf' and trusting it A) works, B) is secure, C) is supported, and D) will remain so for the lifetime of your project.
I wonder if those who say "2 days?! Just npm install!" answered those questions, or if they googled "nodejs fake data generator" and installed it onto their business's main product in the next 5 minutes.
It's a combination of both. You're weighing up the time to build the right thing for yourself vs picking something up from the shelf. Specifically you have to factor in:
1) Is the project built correctly
2) Is it the correct project for your issue
3) Is the project maintained
4) Is the project going to be maintained for the lifetime of your project
5) Is the project secure, and how risky is including it to your project?
And if these are all good then sure, it makes sense to include it in your project. And this is good engineering. But what people seem to do is go "Oh hey, I need to get a random name from a dictionary of names. Let's google that. Oooh faker!" without even thinking these questions through.
This just helps my point, I believe. Someone is going to google how to import fake data, find the npm repo with loads of downloads, import it, read a stackoverflow issue on how to use it, and not understand why it's broken for a while (because it's now a dead project). All so they can get a dictionary of first names and strings that look like addresses in a unit test somewhere, probably.
It's really nice to have a project that someone's thought through about how to build sample data a lot more than I have time to think through.
Could I/anyone else build this? Of course. Could I do it so thoroughly, provide support for it, and still do my day job? Not easily, not as easily as I could install this project and use it.
Also keep in mind it's not like those 8 contributors are throwing a full 40 at this project every week.
This is the modern JS philosophy - don't reinvent the wheel taken to an extreme e.g. left-pad (https://www.npmjs.com/package/left-pad) which had its own very public fiasco around the developer deleting the npm package.
I don't think it's a bad philosophy, just different perhaps from yours (and mine).
Hmm, but as I understand original developer was rather pissed off by situation when devs are working on projects in their own time, and those projects sometimes become important tools to lower costs of creating software for big companies, and authors are not getting a dime and are forced to use some kinds of sponsorship and so on....
In such case making one of tools "community" owned smells like some kind of dick move, even if original wasn't doing too many commits.
Working for companies we are taking big bucks for writing some glorified invoicing systems (let's be honest 90% or 99% of business logic is "move from screen to DB, move from DB to screen"), but code which is often important part of whole process is created for free by some folks. Strange.
I've already posted this before, but what Marak has done is anything but reasonable. If anyone was being a "dick", it was him.
If he just wanted corporations to pay, there are plenty of other alternatives like changing the license for future versions like SugarCRM did. It's been years since they've done that and they have plenty of customers.
Since the developer in question has been acquired in the past (https://en.wikipedia.org/wiki/Nodejitsu), he could also make it into a SAAS play. He has the connections, skill and experience.
Otherwise, he can just walk away like everyone else. Maliciously changing code to break people's stuff is uncalled for. If he wanted to charge people from the start, then maybe he shouldn't have used the free for all MIT license for his code? If you want more restrictions on usage, choose a more restrictive license. Here's one of many restrictive licenses that changes depending on who's using the software
Fakerjs is also not completely original work. It's a port of a Ruby library which is also named Faker. That Ruby library is also likely a port of a Perl library that is also named Faker. I haven't read anything about Marak even mentioning to support those projects financially.
On a related note, Marak is not well mentally which helps rationalize what he did
"A team of NYPD investigators and FBI agents found potassium nitrate, which is used in fertilizer, metal containers, fuses and other bomb-making materials in the crate, along with printed bomb-making and survivalist materials and a book on how to make a bomb scattered throughout the home, the source said."
“'The chemicals separately are what they are, but taken together they can assemble an explosive device,' NYPD Dep. Commissioner of Intelligence and Counterterrorism, John Miller, said. 'There were books about military explosives, booby traps and other things.'"
I could be wrong, but Marak purposely trying to sabotage other people's projects was a precursor to him attempting to hurt people in real life. This was not reasonable behavior from a sane person. He should not be getting this much support from so many people on HN.
Morally the author is in the wrong according to many. He did publish malicious versions against the short term interest of the community.
However he also distributed the software under the MIT license - that is "as-is" and "without warranty of any kind". So I'm having some trouble understanding why would you point out his personal life, psychological state, or his past projects as justification for anything related to Faker?
I haven't checked earlier versions of Faker but 5.5.3 does credit both the Ruby and the Perl libraries.
In the spirit of the law, that license is meant to protect authors from honest mistakes. I highly doubt that purposely made malicious changes will fully protect authors.
To be honest I'm commenting only part with "f.. it I'm no longer working on it", I have ambivalent feelings to "let's change code in such way that builds will go into infinite loop or fail", ambivalent because as it is not nice, but somebody who was a victim of such situation should learn not to add dependencies to newest version, because here was only some small "joke", but it might be something much worse like poisoning whole code with some malicious thing.
Problem is in this that default behavior is "we are not paying for tools", people are looking for free tools to avoid fighting with procurement and everyone seems happy.
Only really big companies are giving something back, most is simply leeching from OpenSource community.
You are mentioning several ways how this guy was able to collect money, yep, but again changing license would mean that somebody else will fork previous version and that's all.
I'm not saying that this action was super, but for me it is result of problem deep in whole idea of "free libraries" and "free tools", often this all base on some poor guy or gal spending weekends on some project, which at the start was cool and funny, but later becomes burden.
> Problem is in this that default behavior is "we are not paying for tools"
The problem is if the person wants to get paid, then they need to use licensing that is more restrictive and sets the expectations for eventual payment. The MIT license is a "do whatever you want with my code as long as you don't sue for inadvertent mistakes" license. No one else is at fault for that license except for Marak. The expectation of doing what you want based on the license is in line with behavior. If he wanted to change behavior, he just has to change the license or don't go open source. You can't have your cake and eat it too, i.e. you can't have open source's viralness and expect everyone to pay. If you want a near guarantee that people will pay for your work when they use it, don't go open source. Open source is not about getting paid.
> You are mentioning several ways how this guy was able to collect money, yep, but again changing license would mean that somebody else will fork previous version and thats all.
Since we're on this subject, I'm going to remind you that Marak didn't come up with faker on his own. He ported it and maybe even the data from a ruby project that was also called faker. To my knowledge, he hasn't shared any of the monetary contributions to his project with the people maintaining the ruby version of faker.
If his software is so simple that someone can just fork it and gain an audience, then maybe it's too simple to replicate and too much of a commodity; but as I've already pointed out SugarCRM successfully transitioned to closed source and I believe redis has successfully transitioned to a more restrictive license. Neither of them messed with other people's projects. There's no excuse for the bullshit that Marak pulled. Zero. Changing the license is simpler than adding an infinite loop to waste CPU cycles.
> which at the start was cool and funny, but later becomes burden.
I've already written this, but most people just walk away instead of doing something malicious.
how about you do it for him? like forking and maintaining your own copy of faker.js and all the nodejs packages you are actively using in the first place?
You either didn’t read my comment, or you meant to respond to a different one. He didn’t have to do anything. He could have just walked away.
I only wrote the other stuff to show that there are other better alternatives to getting paid as a response to people who supported the terrible thing that Marak did to open source.
You aren’t in control on a platform that isn’t yours. You don’t have rights. If you want to behave like a child, Microsoft may very well just take the keys away from you.
It absolutely is if you’ve read all the comments about this saga. So many people completely shocked that MS will unilaterally take access away for something they claim to be the right of the author.
“He can do whatever he wants. Users should just not download it.” Well, Microsoft can do whatever they want. And they did.
And that's why we should all get a cheap-ass server somewhere and install gitea on it. If any project ever makes it big, migrate there and treat github as a read-only mirror. Also never accept money over github. Just use paypal or some cryptocurrency if you have trust in those.
I'm not understanding this situation from the perspective of intellectual property. This new project probably doesn't have the copyright of the author??
I doubt the original author had a trademark on the name "Faker" [0] and the MIT license the project was published under allows anyone to re-upload the source code to the internet and subsequently modify it.
The copyright to the original code still belongs to the original author, of course, but the author has chosen to license his code in such a way that this is a perfectly fine thing to do. This is the power (and, for some, the weakness) of open source.
For what it's worth, there were a lot of conversations this week around package security and compensation for open source projects among tech decision makers. Ultimately it wouldn't have happened if he had a generous sponsor and in that way I consider the act somewhat selfish. That said, it both reaffirms that there is a vibrant community of individuals who are willing to volunteer their time for the benefit of the software ecosystem regardless of compensation, as well as a growing number of corporations who are understanding that open source projects deserve their patronage. Despite breaking some builds, it didn't break the internet but made for some good controversy. If nothing else, I think that makes this good art.
Isn’t calling this “malicious” a bit of a stretch?
It’s not like he is mining crypto on your machine. It’s a (however misguided) act of protest and demand for attention.
Fine GitHub put the brakes on in case it was an account takeover but they should allow him to do whatever he wants with his repos once it confirms it’s really him.
Also npm just removes his access…? If I was the author of a popular npm package and decided I wanted to remove it I’d hope npm and the “community” wouldn’t appropriate it and decide I don’t have an opinion about it.
Wanna clone it and upload your own? Fine. As the original author I should have the final say?
> We're referring to it as the official library in the immediate term in order to disambiguate between the many rewrites and forks that are not community-maintained.
I was out of the loop on this and I stumbled across this -> Neighbor on Queens man with bomb-making equipment: 'Obviously the man is sick'[0]. This is just weird. It isn't like what the OS community could have done for him, it is what he should have done for his mental health.
Here's a hot take: By sabotaging the project, the author has quite clearly expressed that they do not want people to be using their software anymore, even though, legally speaking, the license allows them to do so.
Anybody who continues using this new fork should therefore never again complain about evil corporations making money from FOSS and not giving back just because they're legally allowed to. This is the exact same thing.
I'm surprised the blockchain gang isn't coming up with a solution for trustless npm packages or is it that a blockchain can't solve the problem of a trusted developer suddenly becoming untrustworthy?
> solve the problem of a trusted developer suddenly becoming untrustworthy?
This would be an exceptionally hard problem to solve, with-or-without blockchain.
Could you develop a system where any new releases are required to be reviewed and "signed off" by a random assortment of users before becoming "active"? Sure.
I find this line of thinking frustrating and dismissive of new(er) technology. Is "blockchain" necessary for anything? Probably not. Is it potentially the best solution when compared to the alternatives and weighed on its pros and cons? Maybe - but one has to be willing to investigate before dismissing it.
Don't get me wrong, there are definitely areas where blockchain tech is (or may be) a good solution. Those are for problems where distributed trust and consensus between (potentially) adversarial agents is necessary; where a central authority either doesn't exist, or can't be trusted.
In this situation, you are downloading code from a central authority, and have placed your trust there already. What benefit does a distributed solution give here?
Oh wow, this is cool. I refuse to use npm because these issues keep cropping up and no solution gets implemented, but this looks good. I was just looking at an interesting static site generator today until I saw it used nodejs and noped out of there.
In contrast, PowerShell on Windows won't even let you use scripts you've written yourself on your local hard drive unless you call them in a way that lets PS know you approve them. Scripts off the net have to be signed.
crev is so neat, I have really been expecting npm/pypa/... to pick it up any day, for years. It solves those problems without taking power away from the package repository, and with minimal changes needed to the repository itself. With a spec already complete, I would expect an organization with the resources of npm could implement it in a few days, and I am really confused (and disappointed) that it is still not taking off.
Signatures from the author don't solve much unfortunately. You would still need a mechanism to build trust (or review the script manually) and once you put that trust in the author, all that a cryptographic signature gets you is automatic trust in the next version... so the Faker attack slips through.