Faker.js is now a community controlled project (fakerjs.dev)
250 points by fakerjs on Jan 16, 2022 | 329 comments



It doesn't feel like there was enough criticism against GitHub for their decision to ban the developer of faker/colors. This was his own corner of the internet for him to publish his own personal projects.

I understand the decision for npm to take ownership of his packages, because npm is a community package repository owned by, and for, the community. All community package repositories have some sort of policy for package takeovers.

But GitHub claims to be your home for public hosting of your own personal code. What GitHub policy did he violate? The really outrageous thing is that the developer going "rogue" was actually him expressing his freedom of speech, again on his own personal GitHub account, in his own personal (not organization) repositories. He spoke about his thoughts about open source, businesses, and economics. Defending this type of political speech is especially important, and GitHub banning his account and censoring this type of speech (whether you agree with it or not) is especially shameful.


> It doesn't feel like there was enough criticism against GitHub for their decision to ban the developer of faker/colors.

He's not banned: https://github.com/Marak

You have to keep in mind that his changes were basically indistinguishable from a security breach of his account. Nobody really sabotages their own repos in a malicious manner like this. Suspending his account while they investigated doesn't seem like a stretch.

> This was his own corner of the internet for him to publish his own personal projects.

Which he's still free to do. But the actions in question had nothing to do with his "personal projects". It was specifically about his actions to intentionally break popular Node.js packages and do so with a version number that would disguise the change as a non-breaking update. It was a malicious act, and there's no way to paint it as anything else.


It was a malicious act to the users of his project, sure. But how was it a malicious act to GitHub? I'm glad to hear that they reversed the suspension, but without understanding why it was suspended in the first place, it leaves open the question of what GitHub's motives were in the whole situation.

If DHH decided that Rails was contributing more harm to the world than good, and tried to remove it from GitHub, would GitHub lock his account and restore his repos "on behalf of the community", to side with the smooth operation of the open source ecosystem over a user's personal decisions? To what extent has GitHub decided that they "know best" for the open source community?


It was a malicious act to Github's users.

Github's first responsibility is to the community of users it supports, then to any individual user. Free speech / personal choice / freedom of expression come secondary to the welfare of its users.

Is it a slippery slope? Yes, but Github does not have a choice if it cares about the interests of its community.


> malicious act to Github's users

Usually if I modify my car in my own backyard (aka my property) it is nobody's business to intervene, as long as it's on my property.

Legally speaking, fakerjs was Marak's property and GitHub has no right to intervene with a legitimate user action.

I can see that they "tried their best" but we also have to uphold the law here. If GitHub, say, called him on his phone whether or not his actions were intended...they would've had to restore the account and the "broken" repository as it was before the suspension immediately...which I assume they did.

My point is mostly that there is no legal contract between Marak and the "community", as he was never paid anything. Some might argue about mitigations in between disagreeing parties, but as I said there's nobody forcing you to use his library, just as there was nobody forcing you to update.

It cannot be malicious intent if the other party is free to decide to just ignore it and move on.


This code has never belonged to Marak. This code is ported from other existing projects which had been acknowledged by Marak.

I see it like this. I can't buy a Harry Potter book, translate it to a different language, maybe change some of the character names and then claim ownership while not acknowledging the original work even if I publish it for free.

It's like you and your friends building a Mustang in your backyard, all of you put time, energy, and even money into the project only for you to turn around and claim you invented a new car model built entirely by yourself. No, it's a Ford and most of the upgrades were done by others. People that helped you might feel that you are in fact being malicious.

Since we're using analogies, this wasn't his backyard, this is GitHub's yard.


The ToS of GitHub state that it's not their property, they only claim the license for redistribution. If it were their property, legal cases (e.g. DMCA) would be against GitHub, not the owners of the repositories. So from their point of view they do not want to be legally responsible for the code they're hosting.

So I'd argue that it wasn't GitHub's backyard. They might be the landlord but they can't take ownership of the things that you build in your (rented?) flat.

Don't get me wrong, I also agree with you. For me this whole situation is kind of a paradox where there's no easy moral (or legal) answer on what to do, and on what society already has agreed upon.


In fact, this action could set a precedent that allows RIAA/MPAA/etc to sue GitHub because it demonstrates they curate and editorialize everyone's code, effectively.


> This code has never belonged to Marak. This code is ported from other existing projects which had been acknowledged by Marak.

Completely irrelevant to the issue at hand, though. The copied code was copied in accordance with an open source license. By this same token, the affected users/companies are free to start their own fork, but they didn't. The developer shouldn't be under any obligation to maintain anything, and GitHub shouldn't be intervening in these kinds of situations as that will simply serve to dull the positive effects these scenarios could have on the dependency landscape (people actually figuring out their shit). This is the package equivalent of a bail-out. At the end of the day it hurts more than it helps.


If you modify your car in your backyard sure, but it wasn't his backyard, it was the public roads, and it wasn't (just) his car, it was his car that he shared with his neighbours. And then he decided to tamper with the brakes as a "prank", knowing full well that others would then use the car.


No. Imagine if all traffic lights were 3D-printed, and that entire infrastructure depended, as an active dependency each time a new traffic light is printed, on some random guy's 3D model that he decided to post on his personal blog years ago. Guy decides to take down the model, now all of a sudden his hosting provider takes control of his site and forces him to put the model back. That is the lens through which you should view this situation.

The people building infrastructure that depends on one guy's 3D model existing on his blog at all times were the ones who made a mistake. If one of your thousands of dependencies breaks, shame on you, make a fork. The dependency owner owes you nothing, and he can change his creation or remove it any time he likes. If you weren't fortunate enough to fork it while it was still up, then too bad.

Instead we as a corporate community are encouraging coddling and ensuring that if you make this mistake, GitHub, NPM, et al will take care of it for you. The downstream effects of this are much worse than the temporary damage of making people actually figure out their dependency chains.


> It was malicious act to Github's users.

I'm not sure why it matters they are Github users. The packages were hosted on npm through Cloudflare - does that allow Cloudflare to take over the packages too? And NS1 since they host the fakerjs domain?


It’s cool that you’re internet rules-lawyering and all but ultimately he used his free account with intent to harm others, just as surely as if he backdoored his code. Freedom of speech is good, and protest is fine, but why would GitHub amplify the speech of a nutso who abused his position of trust?


>he used his free account

Actually, Marak has GitHub Pro, so it is not a free account.


“Your freedom of speech ends at the tip of my nose.” as the saying goes. He took a swing, not just a stand.


> used his free account with intent to harm others, just as surely as if he backdoored his code

There's a huge difference between displaying a message and going in an endless loop and backdooring as in providing an alternative access to control a system you're not supposed to have access to. Words have meaning. This wasn't a backdoor.


There is a difference between robbery and burglary.


There’s a difference between a simile and a metaphor too, but GP is ignoring the fact I used one of those entirely.


They don't have to amplify anything. This is why open source is valuable; if the current maintainer is considered to be unfit or unreliable in some way, the community that disagrees with their rhetoric/leadership can fork the package and keep going like nothing happened. If you don't care/the package is still usable, then ideally no further action has to be taken.

At no point down the road should that involve revoking someone's ownership of a software project, though. Software ownership is sacred, not just because of tradition but because understanding who owns your packages and libraries is paramount to auditing security. Some of the most valuable contributions to computer science have been ones that allow people to verify integrity, be it SHA, TLS or GPG. If Microsoft abuses their position of power to break that chain of integrity, how can we be sure that other repos belong to their respective authors?

I can understand if you, the individual don't find this interesting or consider it inconsequential to your workflow. But other people rely on it, and you can't pretend like an honest chain of custody is somehow valueless.


Amazing you wrote this entire comment without taking a second to confirm the premise you're so passionately defending...

No one took away his ownership.

Marak:

https://github.com/marak/Faker.js/

https://www.npmjs.com/package/faker

Post:

https://github.com/faker-js/faker

https://www.npmjs.com/package/@faker-js/faker

Faker.js is not a trademarked term, so someone made a new Faker.js.

In fact multiple people did, and one emerged as the preferred fork: https://twitter.com/faker_js/status/1481918305669627905

-

And to be clear, even if NPM goes and replaces his package with this new fork, it wouldn't take away his ownership.

Github could do the same... doesn't take away his ownership.

His ownership of a Github page is not his ownership of the code.

I don't like this rules-lawyering stuff either, yet this is one time where even if you decide to be purposely inflexible with your understanding of laws/licensing/contracts etc... there's still no issue with how this has been handled.


I see only one of those alleged "nutsos", and that was GitHub.

Everyone else should have been responsibly consuming the dependency. You don't get to call foul when you knowingly use something for something important and don't check to make sure it is okay.


Now that’s just plain victim blaming


As an engineer, part of your responsibility is to foresee this type of thing. Software that does exactly what it should, and is free of defects for its immediate use case, has no need to be continually updated, as each line is adding more functionality you do not need.

Even if you're trying to keep things rolling forward and buy into taking in updates anyway; you don't do it in such a way as to cause it to leak to production until you are good and certain there is no potential for breakage. If you haven't learned this yet, give a monorepo a try. I assure you, you will be divested of any naivete in this regard.


Setting your package version to allow for minor updates _is_ responsibly consuming the dependency.


This sounds like "I responsibly test in production".

If you do test and isolate testing environment then this kind of breaking update is just business as usual.


That's fair, it does sound like a novice take; but it's still "business as usual" w/r/t what is touted as best practices where it comes to version control. At least that's my slightly above novice take on the matter.


> does that allow Cloudflare to take over the packages too?

Fundamentally cloudflare can do that if they so chose. If your threat model doesn't account for that sort of action then you should reassess.


Can != Should. We're not discussing whether Cloudflare had the physical capability of being able to take over the packages. We're asking if they should. Many people seem to believe that they should have, or would have been justified in doing so, and others disagree.


If the attack had been conducted by retargeting cloudflare at a hostile upstream, maybe so. But the attack originated at GitHub, so they're the ones to take action in response.


People point at github repositories all the time for packages.


Github owns npm.


This is an opinion you can have, but it's far from clear that it's an obvious or inherent one. What is the Github "community"? Who constitutes it? If I use Github for a personal project, and share the link with my friend, are we "part of the Github community"? How were we harmed by this incident? Did anyone say "We should shut Github down because they're irresponsibly hosting someone who would use his public JavaScript libraries to make a political statement"?

How was Github's community, specifically, harmed? A lot of developers were inconvenienced, but they would have been just as inconvenienced if he pushed the code to NPM from his local git repo, and never touched Github at all. Where does Github come into this?


It sounds like you’re looking for very clear lines which can and can’t be crossed. Whereas others see a blurry grey area in which GitHub makes judgement calls, and then individuals decide whether or not to use GitHub.


Mm, not really. There are lots of cases much more blurry and questionable than this one. What I'm looking for is 1) a recognition that Github would be in the wrong to suspend Marak for doing whatever he wanted with his own open source project, and 2) an acknowledgement that it's important for Github to be transparent about why they took the actions they did and what motivated their actions.


I still keep failing to see how it's malicious to gh users and I've read all your comments.


If I ever get hacked someday and my repo gets defaced, I hope GitHub acts just as they did to Marak. GitHub can’t tell the difference between an authorized and an unauthorized defacement, and I’d rather they err on the side of caution in this regard. It protects me against attackers, and the only risk of false positives is having to reauth and verify to support that I’m an authorized user when I’m trying to deface my work.


Github will not allow you to use your personal corner of the platform to propagate malware, and hasn't allowed it for many years.


Exactly this. The changes were intentional malware, designed to break the usage of these two modules. GitHub is under no obligation to assist you in hosting malware. The fact that these changes were intended by the original author has no bearing in this situation.


I don't get how people don't understand this.


Breaking a build in a way that is trivially rolled back is not in the same league as pushing code that harvests email addresses, CCs and mines bitcoin.

I'm disappointed to see this kind of comparison made.


Deliberately breaking people's applications? It's malware.


Appreciate it can be confusing to the layperson, but a build is not quite the same thing as an application.

A build will often reach out, download and install new and potentially breaking software components and it is part of its function to prevent breaking software components from reaching the application where it could cause material harm.


It was a bit of code printing ascii art in a loop, with a preceding comment "don't commit this", and we have no information about whether it was put into the release on purpose or with malicious intent afaik. Is it really malware?


If I set up a nice shopfront and invite customers in, and then start kneecapping everybody who walks through the door, you gonna bet the city will have something to say about it. I'm not kneecapping the city, just its citizens, so why should they care - and I'm doing it on my own property which they voluntarily entered after seeing my "dollar store" sign out the front - so it's their own damn fault for believing my sign.


There is a fundamental difference between physical violence like kneecapping and industrial sabotage which causes a minor temporary disruption in production, which is why the former is punishable by most national laws, while the latter isn’t.


> industrial sabotage

> causes a minor temporary disruption in production

pick one

ETA: if someone created a virus that would just display the text "you've been hacked!" and then that virus infected thousands of computers around the world, that someone would have a visit from the FBI with very serious charges. I don't see how this is different.


> Pick one

I don’t understand. Industrial sabotage is an act of vandalism with the intended purpose of causing disruption in productivity. This incident in particular only caused a relatively minor disruption, not much bigger than e.g. a partial github outage.

> I don't see how this is different.

The difference is in 1) the intended targets. This incident was targeted against a particular industry. The worm you are describing would be indiscriminate and would have the potential to be 2) much larger scale, and therefore you could deduce that 3) the intention of your hypothetical attacker would not be to cause disruptions of productivity within a particular industry, but rather to prank random strangers. The difference is rather obvious.


GitHub's market is developers. They want to do everything they can to protect that community, and if a developer uses their service to damage other developers, they aren't going to stand for it.


> It was a malicious act to the users of his project, sure. But how was it a malicious act to GitHub?

You can't use GitHub to perform malicious acts, even if the victim isn't GitHub. GitHub isn't obligated to support anyone's malicious acts with their platform.

> If DHH decided that Rails was contributing more harm to the world then good, and tried to remove it from GitHub, would GitHub lock his account and restore his repos "on behalf of the community", to side with the smooth operation of the open source ecosystem over a user's personal decisions? To what extent has GitHub decided that they "know best" for the open source community?

GitHub hasn't done any of these things with faker.js.

Marak deleted the code and replaced it with a non-functional repo that has a README.md that just says "What really happened with Aaron Swartz?" (Reference to a conspiracy theory)

It's still here. You can still see it: https://github.com/Marak/faker.js


Exactly - that really looks like malware. If the same sort of replacement happened with rails, I imagine the same course would happen there - but if there were some corresponding blog post or reasoning in the Readme, GitHub would leave it to the community to let the drama play out (maybe still investigating to see if the login was suspicious in any way).




I would say colors.js definitely can be considered malware. He in effect intentionally spinlocked a lot of packages either directly or indirectly via transitive dependencies, and also intentionally bypassed common semver rules to maximize the damage.

Whether or not those packages should have been affected is another discussion, but it appears it probably had more of an effect on other open source packages and perhaps the work of small mom and pop companies rather than huge corporations.


To an automated protection system that detects “repo deletion + index.html rant” commits, deleting the codebase and updating the README would red flag instantly except for the different filename, and catch lots of garden-variety intrusions.

The deletion here was more complex, and most likely a human was assigned to review user reports to GitHub Security, who accurately determined it was a defacement from someone claiming to be the author’s credentials.

Turns out the author was the attacker, and with that confirmed, it appears that their access was restored so they could proceed with it.


> Turns out the author was the attacker, and with that confirmed, it appears that their access was restored so they could proceed with it.

I suspect this is how it played out as well. In fact, there were a lot of people on Twitter who were questioning whether the author really got suspended since he was posting to github a day or two after he posted his suspension picture.


Like I said above: if that really was how it happened, I would be totally okay with that, and it's completely understandable. But without a public statement from Github on such a visible and public controversy, we're left to speculate on their motives. Many people here disagree about why and whether Github should have or did suspend Marak. I would say that your view is the maximally charitable view to Github themselves. And frankly it's very likely to be true. But it seems like a lot of people believe that Github should have suspended his account, and I disagree with that.


People don't just believe his account should have been suspended, they feel that he should be prosecuted and charged with civil tort given the comments. I think they are ridiculous Karens who would destroy open source in a heartbeat given the opportunity.


> GitHub isn't obligated to support anyone's malicious acts with their platform.

Github isn't obligated to support anyone's anything, your relationship with Github is entirely at-will. And yet, I believe that there are moral boundaries on how Github should act, and that different people can disagree on where those boundaries are. I do not believe that "updating a popularly used library to break its core functionality" is harmful enough to the other users of Github-the-code-hosting-site that it necessitates intervention from the owner of the platform. I think specifically that the way in which Github came to the determination that this change was "malicious" is unclear, and that Github very clearly has a conflict of interest when it comes to determining which sorts of political speech are "malicious", and which sorts are allowed.

> GitHub hasn't done any of these things with faker.js.

Correct, that's why it's a hypothetical question. If Github is willing to intervene against "malicious behavior" on behalf of "the community", then the obvious question is "which behavior, and which community?"

As another hypothetical example, the https://996.icu/ website is hosted on Github. Chinese browser manufacturers have implemented a pop-up that calls it an "illegal and fraudulent site" if you navigate to the repo. Is this "malicious" behavior? Many in China would think so, and definitely the browser manufacturers seem to believe that it's malicious behavior targeted at Chinese tech companies. Should users be allowed to use Github to perform this "malicious" act, even if the victim isn't Github itself? If Microsoft was criticized for their Chinese offices' working conditions on the site, do you think this would change their viewpoint on whether the repo should stay up? Personally, I would hope that those within Github who are responsible for making such a decision wouldn't take such personal matters into consideration.

> Reference to a conspiracy theory

I'll be honest, I didn't know this was in reference to a conspiracy theory. Aaron Swartz was driven to suicide by the relentless and cruel prosecution of the United States government, and the inaction of the MIT administration. That incident is tragic and sad enough as is, and I hope it goes without saying that I don't agree with anyone attempting to co-opt that tragedy for their own conspiracy theories about Qanon. But I don't think Github should be responsible for making the call on whether something is "good" enough political speech to be worth protecting.


I completely agree with this take.


I am completely baffled by folks defending Marak, or putting any sort of blame on GitHub. What Marak did was not "political speech". If he wanted to, he could have easily done any of the following:

1. Pulled down his repo, or replace his repo by whatever message he wanted to send.

2. Output his political message during the build.

3. Heck, all faker.js does is output fake data for things like names and addresses. I think he would have been well within his rights to make this data something like "123 Fascist Way, Fascistville, NY".

But he didn't. He replaced his code with an infinite loop that was a DoS attack. He deliberately released it as a patch version because he knew it would be pulled in by others that follow semver rules. The fact that his attack wasn't more severe (like, say, encrypting someone's hard drive) doesn't mean it wasn't an actual attack.

And for those quoting the "no express or implied warranty" section of the license, I guarantee no legal system is going to let an actual malicious act be defended by a license.


What he did was utterly unprofessional, hazardous, and outright dangerous to those who trusted and used his library.

By putting it on Github, he surrendered a portion of his right to distribute to Microsoft, and Microsoft did the best course of action to protect their reputation and the interest of their stakeholders.

I see nothing wrong with this.


> professional

then pay him? I'd admit that this person didn't really contribute anything really worthy. But please do not require someone to be "professional" when you did not pay him a dime.


Unprofessional as in done by a person I wouldn't hire in his current mental state.


> hire him

So what you mean is someone had to spend hundreds of hours maintaining some projects you've been using and also should have a perfect personality and be well behaved enough before you hire him?


I would prefer to avoid people who sabotage stuff and literally build bombs.


How was it hazardous or "outright dangerous"?

You see a build fail, you pin the previous version of that dependency, run the build again and go on with your life.

Asshole move? Sure. Hazardous and dangerous? Don't be dramatic.
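Several comments above turn on the same mechanics: a caret range in package.json "allows for minor updates", a release tagged as a patch version "would be pulled in by others that follow semver rules", and the remedy is to "pin the previous version". The following is an added illustration, not code from the thread, from faker.js or from colors.js: a small semver resolver that shows which published version each kind of spec selects. The `satisfies`, `resolve` and `resolveWithLock` functions and the version list are constructed for this example; the caret and tilde rules follow npm's documented range semantics, with prerelease handling simplified.

```javascript
// Added example (not from the thread, faker.js or colors.js): a minimal
// semver resolver showing which published version a dependency spec selects.
// The version list and the "sabotaged" patch release below are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// Orders two version strings; a release outranks a prerelease of the same tuple.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (A[k] !== B[k]) return A[k] - B[k];
  }
  if (A.prerelease === B.prerelease) return 0;
  if (A.prerelease === null) return 1;
  if (B.prerelease === null) return -1;
  return A.prerelease < B.prerelease ? -1 : 1; // simplified prerelease ordering
}

// Does `version` fall inside `spec`? Supports exact pins, caret (^) and tilde (~)
// ranges with npm's documented rules: ^1.2.3 => >=1.2.3 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0,
// ^0.0.3 => only 0.0.3, ~1.2.3 => >=1.2.3 <1.3.0. Prereleases are never admitted
// by a range here (a simplification of npm's behaviour).
function satisfies(spec, version) {
  const v = parseVersion(version);
  if (spec.startsWith('^') || spec.startsWith('~')) {
    const baseStr = spec.slice(1);
    const base = parseVersion(baseStr);
    if (v.prerelease !== null || compareVersions(version, baseStr) < 0) return false;
    if (spec.startsWith('~')) return v.major === base.major && v.minor === base.minor;
    if (base.major > 0) return v.major === base.major;
    if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
    return v.major === 0 && v.minor === 0 && v.patch === base.patch;
  }
  return compareVersions(spec, version) === 0; // exact pin
}

// Highest published version matching the spec: what a fresh `npm install`
// with no lockfile picks.
function resolve(spec, published) {
  const ok = published.filter((v) => satisfies(spec, v)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Lockfile-driven install (what `npm ci` does): the recorded version wins as long
// as it is still published and still inside the declared range.
function resolveWithLock(spec, lockedVersion, published) {
  if (lockedVersion && published.includes(lockedVersion) && satisfies(spec, lockedVersion)) {
    return lockedVersion;
  }
  return resolve(spec, published);
}

// Constructed registry state: 1.4.2 stands in for a freshly published patch
// release that breaks the library (the thread's scenario); 1.4.1 is the last good one.
const PUBLISHED = ['1.3.0', '1.4.0', '1.4.1', '1.4.2'];

function demo() {
  return {
    caretNoLock: resolve('^1.4.0', PUBLISHED),                    // '1.4.2': the broken patch is pulled in
    caretWithLock: resolveWithLock('^1.4.0', '1.4.1', PUBLISHED), // '1.4.1': the lockfile holds the line
    exactPin: resolve('1.4.1', PUBLISHED),                        // '1.4.1': "pin the previous version"
    tilde: resolve('~1.3.0', PUBLISHED),                          // '1.3.0'
  };
}

console.log(demo());
```

The point the resolver makes concrete: with `^1.4.0` and no lockfile, the newly published `1.4.2` is selected automatically, which is exactly the path a patch-tagged breaking release travels; a committed lockfile installed with `npm ci`, or an exact pin, keeps the build on `1.4.1` until someone deliberately changes it.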


There is a little bit of dissonance here. Microsoft, a multi billion dollar company who works with organizations such as ICE which routinely engages in human rights abuses and causes severe suffering and harm to thousands of people who are already pretty vulnerable.

vs. an open source developer whose work benefits companies like Microsoft who have no obligation to pay for that labor. And engages in a single industrial sabotage which causes minor disruptions, and harm which at most costs other developers some time and temporary frustrations.

I feel like we need some sense of relativity when we attribute nouns such as hazardous and dangerous here. Especially when we are talking about Microsoft.


Indeed, he definitely could do his protest in a way which wouldn’t inconvenience billion dollar companies or even anyone.

Just like BLM could protest in a remote location or do an online petition. Except that no one would give a fuck about that. The same about a message during the build.

You call it a DoS attack, I call it a brownout warning about unsustainable open source funding. After all old versions are unaffected. No hidden RCE there. Only ones who opted in for pulling a new version without due diligence (aka free shit lovers) experienced a minor inconvenience. He didn’t do anything a malware author would do with such distribution channel.

I would definitely do it some other way, but can’t blame him. If he had put a notice during the build, no one would see it. If he added an unskippable five minute timeout to that message it would be a DoS attack as well.

I suffered a similar “DoS attack” myself. By Microsoft. They did a one hour brownout of Devops pipelines still using windows server 2016 or something, to warn about the unsustainability of supporting them (striking similarity). Right at the moment we had to deploy an urgent hot fix for our client. If there was a notice somewhere, I didn’t read it. No one does. Which is why they do brownouts. He didn’t put an early warning, but that might be a difference between a multibillion company and some random guy on the internet.

He is unprofessional, but well, don’t expect professional behavior from people you don’t have a professional relationship with. Who I would call unprofessional are the developers who expect free working shit from some random internet guy and have the audacity to complain when he intentionally releases a broken version to protest taking free stuff without giving back.

I’m mildly entertained by the uproar caused by his protest. Reverting to an older version of a library is not the end of the world. I think it is not caused by the minor inconvenience he caused to the lazy devs, but by the threat of the end of relying on free work from open source devs.

We will have to do it ourselves or pay for it. Like in any other industry.


Did you not read his message? The entire point was to inconvenience billion dollar companies not helping pay or foot the bill for all the software they use and steal unpunished and unscathed.


Be careful not to confuse defense of the individual with criticism of how Microsoft behaved.


Microsoft behaved as a good steward of both a code-hosting service and a package-hosting service in the face of an attempt to exploit both to harm users.


Correct. You basically never have the right to commit sabotage


Except that it was his code, and it's open source, therefore the risk of using said code is your own. It's his project, he's under no obligation to maintain it in a functional state or at all just because you happen to use it. That's just egotistical and narcissistic on your part.


You're wrong. If I routinely share my lunch with someone at work, I don't get to poison it because "It's my sandwich, I'm under no obligation to make sure it's safe just because you happen to eat it." Hell, I can't poison it even if someone's stealing my lunch.

I can't create code with malware. I can't modify my code to make it malware. That's a crime. You're wrong


Everything about your comment is wrong. For one you're not giving your lunch to anyone, More analogously you're putting something in the refrigerator, and people can take at their own leisure and risk. You can poison it if you want, in fact it's a pretty common workplace tactic for people to mix in something like a laxative to THEIR OWN food because they're tired of it being stolen everyday. Again you make the choice to use the software, or take the food, the risk is on your head.

And the cybersecurity industry would like to have a word with you since you don't believe it's possible to create malware.


You're wrong. You literally just described assault or (best case scenario) a tort

https://law.stackexchange.com/questions/966/can-one-be-liabl...

> I can't create code with malware. I can't modify my code to make it malware.

I guess I can appreciate your confusion but I still think I was clear in my previous comment. I'm willing to concede I would have been more clear if I had written:

I can't legally create code with malware to distribute without a warning. I can't legally modify my code to make it malware if I know people are using it.

PS I'm not discussing this further


"I am completely baffled by folks defending Marak, or putting any sort of blame on GitHub." Github's actions are unwarranted. (Marak should have at least been able to verify his ownership of the account and get it back)

"1,2,3" Honestly, these ARE better things to do (and probably more effective) than what Marak has done.

"replaced his code with an infinite loop that was a DoS attack" So far I haven't seen anything about this actually causing harm and denying service.

"The fact that his attack wasn't more severe (like, say, encrypting someone's hard drive) doesn't mean it wasn't an actual attack." The fact that his attack wasn't more severe shows that he wanted something that would make an impact without hurting anyone.

" guarantee no legal system is going to let an actual malicious act be defended by a license. " That's the legal system's problem. The license is the license. Somebody's violation of an EULA (because they didn't read it) may be in all ways justified, but that argument probably won't hold up in court.

I wish he did something less controversial while still impactful, but it is incorrect to put it under the same term used to describe real cyberattacks that severely harm and kill innocents.


General rule (at least for me) is to avoid people wanting to be a people-pleaser or politically correct without offering real tangible solutions to the problem at hand.

What he just did is intentionally mess with the society for the heck of it and naturally the society will find ways to fix it and restrict him as necessary, right.


> I am completely baffled by folks defending Marak...

> I think he would have been well within his rights to...

I think this is the crux of it all. I (and many others it seems) disagree with the actions he took and think they're shitty, but also think he has a right to do this with his code that he provides and publishes for free.


> It doesn't feel like there was enough criticism against GitHub for their decision to ban the developer of faker/colors.

HN, at least, had a ton of discussion on this[1]. People advocated both ways.

> This was his own corner of the internet for him to publish his own personal projects.

No, it wasn't. It was Github's corner of the internet and then it was Microsoft's. If he just wanted a place to publish his personal projects, he could have put them on a personal, self-hosted website.

By putting them on a social network, like Github, he is submitting to their whims. He doesn't have any legal right to stay on that site if they want to kick him off of it.

He also wasn't the only author. Other people contributed to his repos. He was happy to receive the benefits of Github, and he should also realize that it comes with some loss of control.

Notably, he eventually used Github as a platform to deploy a Trojan to thousands of unsuspecting users. The other circumstances don't matter. Microsoft can and should remove Trojans from Github.

1. https://news.ycombinator.com/item?id=29877745


> By putting them on a social network, like Github, he is submitting to their whims. He doesn't have any legal right to stay on that site if they want to kick him off of it.

Of course, legally speaking, Github can do whatever they want with their website, but we're not talking about the legal aspect.

The developer community has put some trust on Github not to do whatever they want. It's an implicit, non-legal, non-enforceable, social agreement that Github is going to "respect" our user accounts on their platform as long as we don't break the TOS.

They could delete all existing repositories tomorrow, and replace them with pornographic images, and they would probably be in their legal right, but that doesn't mean that we can't criticize them for it.


I trust GitHub more based on their actions in this case. They acted to prevent further attacks and gave him access back after it was mitigated.


> but we're not talking about the legal aspect

Yes we are. I was responding to someone[1] who was alluding to the legal aspect using legal terms s/he clearly doesn't understand.

> > "What GitHub policy did he violate? The really outrageous thing is that the developer going "rogue" was actually him expressing his freedom of speech..."

1. https://news.ycombinator.com/item?id=29961662


GitHub acted reasonably to mitigate harm. They didn’t delete his older commits or “replace it with porn”. They acted reasonably unlike Marak.


FWIW, GitHub's actions here have in no way damaged my trust in them.

They interpreted a developer's attempt to harm the community via abuse of the trust the community had placed in him as damage and mitigated it in the short run. That's a value-add.


Value add to whom? It sounds like you believe open source developers owe something to someone, which simply isn't the case. You should evaluate the license(s):

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


I don't see where this license obligates github to distribute future versions.

Also if we're expecting people to do the bare minimum specified in their license, github's license gives them all the leeway they needed for their actions too.


GitHub is under no obligation to distribute further versions. Neither is Marak under any obligation to maintain and upkeep the repository. While in bad faith of the community, you are the consumer who CHOSE to use his software, free and at no cost to yourself. You have no right to dictate how that repository is used, especially if you never donated or contributed to the project itself.


> While in bad faith of the community, you are the consumer who CHOSE to use his software, free and at no cost to yourself. You have no right to dictate how that repository is used, especially if you never donated or contributed to the project itself.

Either we're going by a legalistic interpretation of the terms in which case Marak was free to fuck up his project and github was free to kick him off npm for it, or we're agreeing that people can be held to moral standards apart from legal ones.

If we agree that moral standards about bad faith should prevent npm/github/microsoft from taking control of something that Marak has put work into, then we should also be able to agree that moral standards should prevent Marak from releasing a deliberately broken version of a package as a fuck you to corporate users. Even that action of Marak's I think is wrong, but the backlash also landed on many open source projects.


I don't have a problem with GitHub or NPM taking down his project. Just like I don't have a problem with him poisoning it if he so chose. I do have a problem with people here whining about their own selfish wants. Again not one person is obligated to use faker.js, if you wanted the security that parts of your code base would not be tampered with, then you probably shouldn't have been using a third party library that wasn't under your control in the first place. Common sense is all too lacking here across the first world.


At the end of the day, open source is built on trust. Even the more paranoid-architected flows outside of npm (checksums via side-channel, curated package distributions maintained by a third party such as Debian) don't protect the end user from actual malicious action on the part of the trusted source. Consider the story of how the University of Minnesota got banned from adding patches to Linux (https://www.theverge.com/2021/4/30/22410164/linux-kernel-uni...). In that case, they were caught. But if they weren't caught (or if a critical mass of Linux maintainers went rogue and were in on it)? Enough malicious actors with the right credentials can publish and checksum a damaging package in any system that allows code reuse. It is, perhaps, riskier to rely on a system with one maintainer. If that's the case, moving Faker.js to community controlled was a great first step in restoring trust in the package; it's harder to compromise a group.

We can sit here and cluck our tongues and say "Should have known better than to trust someone else's code," but that's just victim-blaming. Marak broke trust. He took advantage of a system with a vulnerability and he exploited it. And everybody uses a system that is vulnerable in some way.

Because he did this, the system interpreted his actions as damage and routed around them. The system may change to make this attack harder in the future. And the result will be more complex and have more failure modes, and everything will be slightly worse as a result because we have to replace with process what we were previously able to do with human-to-human trust. "Nice job breaking it, hero."


IANAL but I highly doubt that that license would protect you if you were being intentionally malicious (as opposed to, say, grossly negligent).


I'm just as much an armchair lawyer as most of the rest of HN, but my understanding is that liability waivers aren't considered enforceable if malicious intent or gross negligence is involved. Anybody with more legal expertise want to clarify?


I am also not a lawyer, but this is what I found for NY and would be surprised if it doesn't apply in most states and many other countries too:

> Under New York law, a party can waive ordinary negligence, but not gross negligence, reckless conduct, willful/wanton conduct, or intentional acts. See Kalisch-Jarcho v. City of New York, 58 N.Y.2d 377 (1983); See also Restatement (Second) of Contracts § 195 (1981) (“A term exempting a party from tort liability for harm caused intentionally or recklessly is unenforceable on grounds of public policy.”).


This would be like suing a food pantry because they stopped giving out free food.


Marak didn't stop giving out free food. He intentionally poisoned a food delivery without notifying the recipients.

Using your food pantry analogy, it sounds more like he should go to jail.


He didn't deliver food. People picked up whatever they could find cause they felt entitled, and then said... oh look there was a sign here all along.


If we're stressing the analogy, Marak put food out in a park with a sign "Take the food, just tell everyone you got it from Marak, quality not guaranteed".

Then one day the food had laxatives because he felt not enough people put money in the tip jar.

I think that would still be actionable. Most people wouldn't bother, just like I don't think anyone is seriously thinking of taking Marak to court over what is mostly broken CI builds, but maybe the park staff won't let him offer food there anymore.


There was no more "food". A loop in a script isn't malicious, as a user can terminate a script, and by running an unknown script they are assuming some liability as well. What you're advocating for is that if an open source developer changes their code, even to, say, prompt the user to confirm executing when before they didn't prompt, and that somehow breaks automation that the user has built (not the developer), then they should be liable for harm. It sets a terrible precedent, and the end result is no one will want to create open source software anymore. I can only hope you are simply playing devil's advocate rather than being serious, because if you are serious then I hope you reap what you sow.


"By eating food of unknown provenance they are assuming some liability as well" isn't really an argument that would hold up in a court of law if someone intentionally taints the food.

> What you're advocating for is that if an open source developer changes their code, even to say, prompt the user to confirm executing when before they didn't prompt and that somehow breaks automation that the user has built (not the developer) then they should be liable for harm.

We should probably divide the conversation into two threads: one on the tainted-food analogy, and one on the changing-code reality. Because they aren't the same, and one can reach weird conclusions trying to conflate them.

Liability for tainted food is pretty settled law. If someone eats your food and gets sick, it's a problem for you. If they eat it and get sick and can prove you poisoned it, it's a real problem with real legal consequences. Food handlers and preparers go out of their way to avoid both of those scenarios.

Intentionally modifying code knowing you'll break downstream consumers hasn't been tested (to my knowledge) in court, so we can set that aside. But is it immoral? That's going to depend on one's morality, but I have a hard time seeing my way to agreeing with the standpoint "Sure, it's moral. User beware." That principle, written large, creates a strictly worse world, where people are hiding in their digital caves, unable to trust anything outside. A lot of people (including GitHub and NPM's owners) are trying to build something better than that.

Marak had a right to do what he did, but that doesn't mean it was right, we don't have to agree that "because he could, it was good" (that's just rule-by-power, and almost nobody thinks that's a good moral philosophy), and I applaud the open-source community who stepped in to minimize his harm.


GitHub doesn't = open source community. Quite the opposite, actually. It is a closed system designed to take open source software and put it behind a closed-source ecosystem, and apparently to moderate open source developers and take away their individual freedoms.


How was Marak's individual freedom taken away? They locked his account temporarily (because what happened looked like somebody had stolen his credentials and impersonated him)... Then what happened?

His freedom to post what he wants in his repo does not extend to a freedom to screw users depending on the software he licensed for open source use working. GitHub and npm took steps to protect users from his malicious actions.


Value-add to the people who actually use github to build software, of course. It's fine to discuss license terms and what you should or shouldn't expect when you use github/npm/etc, but in the real-world JS landscape, many projects (commercial and otherwise) use many open-source packages through complex dependency hierarchies.

You can think what you want about whether that's good or bad, but it's unquestionably our current reality. Protecting JS projects from malicious updates, regardless of whether or not the project license technically permits this by the author, is clearly in the best interest of users of this ecosystem.


No one took steps to protect JS projects from malicious updates. They took action in this one case but did not fix the underlying issue which is with package managers.


It is true that there are some vulnerabilities in the standard design for npm package management. Packages are designed to assume by default sources can be trusted and to pull aggressively. That's a system that's very convenient for developers... Assuming somebody doesn't use it in an extremely malicious way by building our trust with a working package and then pushing a change designed to screw users.

Fortunately, it appears the system has been stress tested now and we can see how that damage can be mitigated. If this kind of attack can be minimized by what is essentially moderation and curation, everything's good.


The only reason anything happened is because the developer intentionally crippled their own package, which they had the right to do. If someone had modified a package to do something actually malicious you could go months without ever finding out.


I don't disagree that there are degrees of harm and differences in the ease of detecting such harm. But what's the significance of the distinction? Whether it's found out immediately or found out months later, the remedy for the community will likely be the same if the damage is widespread enough... Flag the version as bad in npm, break the connection between npm and the GitHub repo if the damage was purposeful, and the community picks up the package and starts maintaining a non-malicious version.


What you are going to get is people separating out into 2 camps, those that believe in individuality, and those that believe in more collectivism.

This is a divide that extends well beyond programming and this topic.

People that support GitHub actions believe in the concept of "greater good" and believe the actions of GitHub are ethical because it prevented harm to the community

People that oppose GitHub actions reject the idea of "the greater good" and believe this individual should have had the right to do with their property (i.e. their code) anything they wanted, and the responsibility was upon the people consuming / using that code to vet it before use.


Except that use of GitHub implies you see a benefit to the collectivist use of GitHub's property, which is why you agree to GitHub's terms when using their property.

If I'm leasing a part of my land to you (and others), and your use of your assets on my land has the potential to harm other users of my land - you'll be asked to leave. I have a business to run. You are still free to take your property to your own patch of land and do with it what you will. Your freedom has not been compromised. You just assumed a freedom you did not have - which is the use of my land in an unfettered way.


> What you are going to get is people separating out into 2 camps, those that believe in individuality, and those that believe in more collectivism.

I am extremely individualistic. Github is also an "individual" that has its own private rights.

The author of this library absolutely had the right to write code, change it, etc. He does not have the right to use Github as a delivery mechanism for malware.


Had github simply banned the person and taken down their code, I might have even sided with your position.

However that is not what github did.


I don't really see it that way -- GitHub is run by a company to (albeit somewhat nebulously) make money. They almost certainly made this call because distributing an obviously malicious package like this was damaging to their brand, not through some philosophical framework.

Expecting a company to have a moral framework is just setting yourself up for disappointment. They will always just do what they think will maximize their long term ROI. Possibilities lie between "enlightened self interest" and "barefaced self interest."


> What you are going to get is people separating out into 2 camps, those that believe in individuality, and those that believe in more collectivism.

I agree wholeheartedly with this statement, but we're diametrically opposed on how these two groups are allocated. I.e., the people you're labelling as collectivists are in the other group, and vice versa. People who think GitHub did right are a real me-first bunch, not collectivists.


I'm not sure how we get to me-first when the story is one actor using the wide-cast popularity of packages he had admin rights to to intentionally cause harm.

It's a "the needs of the many outweigh the needs of the few" situation.


It's a bit mind-boggling that FOSS authors who give their work away for free are the selfish baddies, and Microsoft of all people, are the communistic heroes in your telling.


> It's a bit mind-boggling that FOSS authors who give their work away for free are the selfish baddies

This is a straw man. No one made this generalization.

Marak, specifically, is a "selfish baddy", and it has nothing to do with FOSS. It has to do with his abuse of Github, npm, and Faker.js (which other people also contributed to) to distribute malware.

None of that can be generalized to a position about FOSS, Microsoft, or any other nonsense you're trying to extrapolate. It's specifically about a bad actor who was removed from a platform.


> or any other nonsense you're trying to extrapolate.

Sorry, you were complaining about straw man arguments?


Yes he was, and you were making them.


Are you sure you understood my point?

>> It's a "the needs of the many outweigh the needs of the few" situation.

> It's a bit mind-boggling that FOSS authors who give their work away for free are the selfish baddies, and Microsoft of all people, are the communistic heroes in your telling.

The discussion is about Github - microsoft - undoing the author's changes, the guy I replied to saying that this was good because he felt the author was "doing harm". So he definitely is saying that microsoft are the heroes there defeating "harm". And since he is supposed to be "doing harm" for his own benefit, the FOSS author being overridden by microsoft is the "selfish baddie".

For my edification, if you have a moment, can you help me understand where my comment failed to hew to a valid analysis of that part of the discussion and became some nasty straw manning activity?


I mean, catering to the needs of the many rather than the few has pretty much been npm policy since left-pad-gate:

https://twitter.com/seldo/status/712417019686100992

https://blog.npmjs.org/post/141905368000/changes-to-npms-unp...


Not all FOSS are selfish baddies. Not even most. Not even many.

But Marak specifically is, and Microsoft being the good actor is indicative of how badly he messed up.

If his goal was to make a statement about big corporations taking more than they give to FOSS, arranging things so Microsoft gets to be the hero was a foolish way to go about it.


I have a feeling bare metal servers, a leased spot in a cage, and self hosted systems are about to become popular. There are just too many stories like this these days.

I’m in the camp that if it was his repo then he can do whatever the eff he wants to it.


Yeah, but most vocal proponents of so-called "individuality" are simply self-centered anti-social assholes who haven't thought through the Libertarian ideologies they parrot deeply enough to realize how extremely dependent on and beneficial from collectivism they actually are, and they continue bitching about "socialism" while sucking the government's tit with their social security and disability benefits and medicare, and driving on the roads in their trucks while "rolling goal" and waving their guns at pedestrians and bicyclists and electric cars, and calling the fire department when their house catches on fire, and calling an ambulance when they accidentally shoot themselves in the dick while "cleaning their gun", and foaming at the mouth and railing against Obamacare for no better reason than the person THEY renamed the ACA after is black, then refusing to self isolate and wear masks and take vaccines, and finally overcrowding the hospitals and cursing at health care workers when they get sick, then running GoFundMe campaigns to pay for their "unexpected" self inflicted illness and funeral, and some even go as far as using projects hosted on github and hosting their own projects on github for free, and then complaining when github takes down the malicious repo of another mentally ill person whose apartment the police had to break into and remove his bomb making supplies.


>>trucks while "rolling goal"

If you are going to insult people at least get the terminology correct, it is rolling coal, not goal.

Further most people rolling coal are not libertarian.

>>d "individuality" are simply self-centered anti-social assholes who haven't thought through the Libertarian ideologies they parrot deeply enough to realize how extremely dependent on and beneficial from collectivism they actually are

Incorrect, Libertarians / Individualists do not reject the concept of society or working in groups to accomplish a goal. However they believe said interactions should be VOLUNTARY, and not forced upon you by 3rd party actors.

>>against Obamacare for no better reason than the person THEY renamed the ACA after is black,

Ohh yes, the only possible reasons someone could oppose ACA is because of racism.


Lord forbid I make a typo. But of course you knew exactly what I meant, and despite your attempt to disown that behavior, those people now OWN your precious Libertarian party just as much as they now OWN the Republican party. When your leaders are kissing Trump's ring, and you refuse to renounce and continue to follow those same leaders, you're kissing Trump's ring, too.

Do you support with the way your glorious Libertarian leader Rand Paul has attacked and endangered Anthony Fauci's family by lying about him, and reject the government's right to mandate vaccination, but support spreading lies about people and endangering their families for political purposes? What ever happened to personal responsibility?

https://www.washingtonpost.com/politics/2022/01/12/how-polit...

>How politically helpful have Rand Paul’s attacks on Anthony Fauci been?

>One of the more remarkable political disputes in recent history involves two doctors.

>One is Sen. Rand Paul (R-Ky.), an ophthalmologist by training. The other is Anthony S. Fauci, the federal government’s top infectious-disease expert. The genesis of their fight is the coronavirus pandemic and, specifically, government recommendations (for which Fauci is a figurehead) that Paul opposes. Over the course of more than a half-dozen hearings centered on the pandemic, the fight has become much more personal, with Paul accusing Fauci of having contributed to the creation of the virus and Fauci forcefully pushing back.

>On Tuesday, there was a new escalation. Obviously expecting Paul to challenge him, Fauci came prepared with an argument he hadn’t made previously: Paul was attacking him and putting his personal safety at risk for Paul’s own political benefit.

>Fauci pointed out that a man had been arrested while on his way to Washington to attack a number of public officials, including himself.

>“I ask myself, why would senator want to do this,” he continued, obviously flustered. “So, go to Rand Paul website, and you see ‘Fire Dr. Fauci,’ with a little box that says ‘Contribute here’ — you can do $5, $10, $20, $100 — so you are making a catastrophic epidemic for your political gain.”

And of course there are possible reasons to oppose the ACA, but most of them don't hold any water because they are based on lies ("It's SOCIALISM!!!", "DEATH PANELS!!!"), and are just cover stories and dog whistles for naked racism. You know that as well as I do, so don't play coy and deny it.


>>those people now OWN your precious Libertarian party

I see you have confused the Libertarian party with libertarianism; they are pretty different.

>>Do you support with the way your glorious Libertarian leader Rand Paul has attacked and endangered Anthony Fauci's

Aside from the complete falsehood of this statement entirely, I do support elected officials grilling non-elected bureaucrats in the manner used by Rand.

I also believe Fauci unfit to serve in his current role and there are serious questions around his tenure that need to be addressed including the funding of the Wuhan lab.


And just to be clear: by "grilling" you mean lying about and endangering the families of non-elected bureaucrats for the purposes of political fundraising. You're exhibiting and defending precisely the behavior I mean when I say Libertarians are "self-centered anti-social assholes".

You are not pretty different yourself, since you believe and spread the same conspiracy theories, and support Rand Paul's attack of complete falsehoods against Fauci and his family. Rand Paul's statements were mendacious lies, yet you support him and his lies and threats against Fauci for the sole purpose of fundraising.

I'm glad you don't incorrectly disagree with the fact that most of the arguments proffered against ACA are just lies and racist dog whistles, but I certainly don't agree with you that it's a valid tactic, the ends justify the means, or that using racism and lies and threats and spreading misinformation against people's families to grab power and raise money is in any way ethical or justified, or a "great tactic" and that "misinformation works", as Rand Paul himself says.

https://www.insider.com/old-video-resurfaces-rand-paul-telli...

>An old video has surfaced of Sen. Rand Paul telling students that spreading misinformation is a 'great tactic'.

https://boingboing.net/2022/01/13/watch-rand-paul-tells-stud...

>Watch: Rand Paul tells students "misinformation works" in resurfaced 2013 video


>>I'm glad you don't incorrectly disagree with the fact that most of the arguments proffered against ACA

Just because I choose not to respond to all of your unhinged conspiracy-laced nonsense claims that everything you disagree with is a dog whistle to racism does not in any way imply I support said statements.

I choose not to argue with crazy people on the internet, and clearly President Trump broke your mind and I hope for your sake you get professional help.

>> since you believe and spread the same conspiracy theories,

Sorry, information released from government records pursuant to a FOIA request is not "conspiracy". I am sure you are so biased in favor of your lord and savior (Dr Fauci) that you probably have one of those candles or figurines on your desk devoted to him, so you will never believe anything negative; however, reality does not require your faith.

He is a mid-rate bureaucrat thrust into the limelight by circumstance, and this hero worship of him is insane.

Further, at no point did Rand threaten him or his family. The attempt to shift any real or imagined danger there is due to public backlash is a very dangerous game. Tell me, do you apply the same standard to Democrats who inflame AntiFa and other violent groups? Are these democrat politics to blame for all the violence, riots, etc. they "cause" (and to be clear I do not believe they cause it, but your world view dictates we place this violence at their feet; I am judging you by your own standard)?

Somehow I bet you will be hypocritical.


In no way do I "worship" Fauci. You're projecting your own hero worship of Trump onto me. You're the one who believes and spreads unfounded conspiracy theories, and whose mind Trump broke, if it was not already broken before. It's you foaming-at-the-mouth Trump-worshiping Fauci-haters who are the deranged ones injecting disinfectants, popping horse dewormer pills, and drinking your own urine, instead of wearing masks and getting vaccinated. Get a grip on reality and stop parroting lies and drinking Trump's piss flavored kool-aid. The rampant racism in the US and the fact that Trump exploits it is not a conspiracy, it's a historical fact that you can't deny. You fanatical Trump supporters are spreading ridiculous unfounded and totally disproven conspiracy theories that it was actually AntiFa who attacked the US Capitol to make Trump look bad, when we all know because we saw with our own eyes that they were racist Confederate Flag brandishing Trump supporters, egged on and organized by Trump himself. So do you also believe the election was stolen from Trump, too, like MOST Republicans do? Or do you just pretend to believe those lies and conspiracy theories as performance art trolling, the same way you go out of your way to purposefully mis-spell "democrat politics"? Then Popehat's Law of Goats applies:

https://www.urbandictionary.com/define.php?term=Popehat%27s%...

>Popehat's Law of Goats

>He who fucks goats, either as part of a performance or to troll those he deems has overly delicate sensibilities is simply, a goatfucker.

>He claimed he was just pretending to be racist to trigger the social justice warriors, but even if he is telling the truth, Popehat's Law of Goats still applies.


You are the only unhinged person here. I am having a calm conversation where you are ranting and raving... It is sad really

>>In no way do I "worship" Fauci.

Press X for doubt

>>You're projecting your own hero worship of Trump onto me.

Never voted for the man... I disagreed with him about 50% of the time, however I saw in real time the lies and misinformation the media was putting out.

>>It's you foaming-at-the-mouth Trump-worshiping Fauci-haters who are the deranged ones injecting disinfectants, popping horse dewormer pills, and drinking your own urine, instead of wearing masks and getting vaccinated.

Fully vaccinated, just do not support the mandates

//and for the record Trump also supports the vaccines... Much to the chagrin of part of his base

Also, calling one of the most widely distributed human drugs, a drug that won accolades for saving people's lives across the world, a "horse dewormer" is unhinged conspiracy and medical misinformation. Sure, it may not be a treatment for COVID; that however does not change the reality that it is a human drug, prescribed by doctors all over the world, and is in fact on the WHO list of essential drugs...

>> disproven conspiracy theories that it was actually AntiFa who attacked the US Capitol

Where did I say that? There is clear evidence of AntiFa violence all throughout 2019, 2020, and 2021 without having to talk about the 1/6 protest turned riot.

>> So do you also believe the election was stolen from Trump, too, like MOST Republicans do?

Stolen in the sense you are talking about... No. However, I do believe many states' governors (on both sides) inappropriately (and IMO illegally) used their executive powers to change election laws under the guise of "emergency" to manipulate election turnout and other factors for their (or their parties') political advantage.

I also do not believe or support the narrative that voter ID is a threat to democracy, nor do I support or believe the narrative that the US has the most "secure" elections in the world.

>>Popehat's

Ahh yes... Ken White. Another famous person broken by Trump. The one famed free speech advocate now fully supporting censorship of all manner.


Github is still in theory a place to collaborate on code - it's not a blogging platform. I think a reasonable argument could be made that he violated the "spirit" of github.


> No, it wasn't. It was Github's corner of the internet and then it was Microsoft's. If he just wanted a place to publish his personal projects, he could have put them on a personal, self-hosted website.

Exactly. Marak's defenders are quick to argue that he had every right to do what he did based on the repo's license. It's inconsistent to then blame GitHub for suspending him from their platform.


[flagged]


> I strongly encourage you to stop making false allegations.

I encourage you to find out the definition of Trojan[1] and then find out what Marak did to sabotage his code.

To qualify as a Trojan, Faker.js needed to be:

- advertised as being for a certain purpose

- coded to do something to damage the person who installs it (even if it still does the thing it advertises that it does)

In this case, Marak let people think they were installing Faker.js and tricked them into installing something that ran an infinite loop, which would break a lot of CI/CD servers and build processes.

In some circumstances, this could easily lead to economic harm. In the worst circumstances, it could take down a vital service (like a health app) and cause people to be seriously harmed.

1. https://en.wikipedia.org/wiki/Trojan_horse_(computing)

2. https://www.theverge.com/2022/1/9/22874949/developer-corrupt...


> Marak let people think they were installing Faker.js and tricked them into installing something that ran an infinite loop

They were installing a legitimate new version of Faker.js though - which just happened to be running an infinite loop. It's the users who trusted the Faker.js author not to pull this kind of stuff, and it turned out they were wrong to do that.


A throwaway line in Wikipedia that does not cite a source ... versus the Jargon File.

http://www.catb.org/jargon/html/T/Trojan-horse.html

If it isn't security-breaking, it isn't a Trojan. I have not seen any evidence that this prank, immature as it may be, resulted in an actual security breach.


The term is derived from the ancient Trojan Horse. It doesn’t have to involve security breaches because the only requirement is a breach of trust through deceit.


> It doesn’t have to involve security breaches

Then it isn't a Trojan. By definition.

"A malicious security-breaking program that is disguised as something benign"


[flagged]


That's BS. Marak didn't just remove it or make it "non-functional". He deliberately changed the code to run in an infinite loop and halt any code that pulled it in. That seems exactly like the definition of a Trojan to me.


I wouldn't call that a trojan. It is being an asshole though.


It's a DoS attack disguised as other, useful software. That's exactly what a Trojan is.


It isn't disguised as anything. If you included a random module in your application package manager, and allowed it to update itself and run scripts, then the liability is on you for not verifying it and checking the license to see if they provided any warranty.


But is this really a "warranty" issue? Sounds more like a fraud issue (ianal).

Given it was done with the intention of messing up other people's computers which the maintainer did not have legit access to - maybe it's even a CFAA criminal hacking issue (ianal).

Anyways, there's a huge difference between accidentally doing something and doing something with the specific intention of hurting someone else. Sure, you can disclaim responsibility for accidents & negligence, but I'm pretty sure you can't disclaim responsibility for intentionally malicious conduct in a contract, and certainly you wouldn't be able to do so if it was criminal conduct (IANAL).


Funny how well that has worked until one person comes along and uses it to break people's software intentionally.

At the very least, Marak is an example of why we can't have nice things. None of us are obligated to applaud him for that.


If someone hands out free food on the corner with a sign that says you aren't entitled to it and so you get used to getting free food there. In fact, you've found ways to save on your budget because of it. You also optimized your route home from work to get there at the most convenient time.

One day, you show up and they have a sign up that says... No more free food, vote for Bernie. Are you really the type to complain that now you have to pay for food again or find someone else to give you free food, and throw a fit that their vote for Bernie sign is a trojan?


It's software, not consumable carbohydrates. Easily copied infinitely once created. Nobody is arguing he doesn't have to stop making it. Nobody is even arguing he doesn't have the right to delete his repos. What he did was intentionally poison the templates to trigger automated updates to break other people's software, and that's just not okay. Forget the machines... It's simply misanthropic behavior.


But he didn't withdraw his offering, he sabotaged it.

I guess the metaphor would be if you gave out free food all the time with a sign saying people aren't entitled to it, and then one day decided to add laxatives to it because you felt the people were ungrateful.

Which would land you in jail for a long time no matter what the sign said.


No, the person giving free food here did not go up to people's houses saying "here is free food still, eat it because it is yummy and safe." The people getting the free food showed up because they felt entitled, grabbed whatever they could find and said... oh, this isn't the free food that I'm used to getting here... oh, and I forgot to read the sign that has been there all along.


This analogy doesn't work the way you want it to. What you are describing would be literally illegal.

The person who put up the free food and the sign, after it was proven that they willfully poisoned the food (which is the only way I can interpret intentionally encoding an infinite loop in your testing library), would be liable for assault. You cannot just put up a sign that says "taker beware" to indemnify yourself from liability, especially after establishing the pattern that the food is safe.

If you ever wondered why grocery stores throw out perfectly good food (and sometimes padlock their dumpsters) rather than donate it to shelters, it's because this is how society works. They have to be clear that even food being thrown away is not intended to be free for the taking because if a pattern becomes established of people eating safe food out of a grocery store dumpster and one day that food is not safe, the grocery store can be held liable for injuries. Even if the grocery store never wanted anyone to use that food. The hard part would be proving the store intentionally poisoned it... But if that proof were made, the law is clear on who is responsible for the harm caused, and it's not the people eating out of the dumpster.

The underlying philosophical principle that underpins all of this legal precedent is "Don't intentionally cause harm." Marak broke that principle. Thank God Marak was only writing npm libraries and didn't own a grocery store.

This entire story, from the initial changes through the breakages through third parties intervening to mitigate their services being used to cause the breakages through other third parties stepping in to take responsibility to continue maintaining the code that had become vital, is one big open source community success story. The community interpreted intentional harm as damage and routed around it. And that was always one of the intended benefits of the open source approach, right? That the creator of the software can't ruin your day because they feel like it? Whether that creator is an evil corporation refusing to open their proprietary code, or a rogue actor deciding to take a sledgehammer to the pipeline... Open source mitigates the harm caused by both.


> That seems exactly like the definition of a Trojan to me.

Link to even one report of Marak getting inside someone else's system.


You seem to be misunderstanding what a Trojan is. From Wikipedia:

> In computing, a Trojan horse is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.

> Trojans generally spread by some form of social engineering; for example, where a user is duped into executing an email attachment disguised to appear not suspicious (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else.

Marak disguised his malicious DoS attack as previously released useful software. I am completely baffled why people are defending his actions, at all. He could have easily just pulled down his repo, that would have been totally within his rights. Releasing malicious software under the guise of something else is not.

And the fact that people are quoting the license of "no implied warranty" is irrelevant. The law does not look kindly on those that act with malicious intent, regardless of what a license agreement says. For example, if he changed the repo to instead encrypt your hard drive, I guarantee he'd be going to jail. While I'm thankful this was just a DoS attack and not something more serious, it was an attack all the same.


> You seem to be misunderstanding what a Trojan is. From Wikipedia...

Wikipedia doesn't define industry terms, especially in one-off throwaway lines without citations.

The Jargon File clearly defines a Trojan as something that (1) breaks your security and (2) is disguised as something benign.

http://www.catb.org/jargon/html/T/Trojan-horse.html

Unless you can show Marak Squires breached these folks' security systems, it simply is not a Trojan.

(As a separate point, a claim that something distributed as source code is "disguised" simply cannot be in good faith.)

By claiming it is a Trojan, you are accusing Marak Squires of a potential felony by accessing a computer system without authorization. Making serious accusations like that should require some evidence. I don't see any.


They didn't disguise anything. It was MIT licensed, so you could have forked it long ago. You got used to the source you were using being useful, and so you felt entitled that they would maintain it in a way that was appropriate for your standards based on what you felt entitled to. The thing is with open source projects like this, no one owes you anything but it is too hard to admit that for many people.


No one reads licenses lol. The intent is the same as a trojan: making software malfunction for the intent of either economic gain or geopolitical goals. Intent matters; there is a fundamental difference between shipping crappy code for fun, and making good code break without warning for thousands of users.


> The intent is the same as a trojan

A Trojan is where the attacker gains direct access to a protected system. It is a back door disguised as an innocuous file. The whole point of the Trojan Horse was the Greeks hiding inside of it to get into Troy.

Where is your evidence that Marak Squires gained access to any of the systems that downloaded and used his packages?


I think there are two aspects of the word "trojan", but it does not imply "remote command and control". It's often that, but more broadly it means something that is disguised as one thing, but is not.

For example, one of the first trojans was: https://en.wikipedia.org/wiki/EGABTR


Chalk maintainer here. I said before I wouldn't comment on Marak but I don't want to stand by and watch him profit from this like he is, monetarily or otherwise, nor should GitHub receive ANY hate for their actions.

He's not banned. It was most likely an initial response to a suspected compromised account situation. Once they determined the actions were carried out by the account holder, they reinstated it.

There are MANY reasons to be annoyed with GitHub but this isn't one of them. Github's actions here helped, not hurt. I would hope they'd suspend my account if they too thought it was compromised and pushing out malicious updates to packages.

The security of users is of the utmost importance.

Marak needs professional medical help. It is clear he's having a mental break and the people defending him and egging him on are only making things worse. He has a history of erratic behavior (dating back to almost a decade ago) and needs to find healing, not accolades.

Since this whole fiasco, Marak has garnered loads of followers and has increased his sponsor count dramatically. We should not be rewarding this behavior. If you at all dig into this, you'll find not a stable, perhaps loud individual, but a troubled, erratic, unpredictable, and hurting one. He is not a martyr. He's not a patriot or a revolutionist. He's an abuser, potential "freedom fighter", malicious OSS maintainer and a beggar.

Please. Let's end this and not give any more attention to Marak. He needs help, and we're all collectively making things worse.


Thank you for stepping up and commenting on this.


Maybe the community should claim his personal account and get hold of those sponsors as well. In order to help Marak and the whole community, of course.


This is a bad faith argument and a complete misinterpretation of what it is I've said.


Freedom of speech doesn’t mean you can do whatever you want on someone else’s server. The project was hosted on GitHub, so GitHub can take significant action to protect the community. He can host his project elsewhere if he doesn’t agree with GitHub’s actions.


Of course, no one is saying GitHub wasn't allowed to do what they did. What people are saying is GitHub shouldn't have done that.


What about somebody else's internet connection? If we apply the same logic to ISPs then the future of the internet would look quite bleak.


If we applied your logic everywhere, moderation wouldn't be allowed. That also seems pretty bleak.


I think ISPs should be a utility, but I don’t think git websites should


Whether you agree or disagree with it, ISPs have the right to fire you as a customer. However, I don't usually see them exercising that right unless it's for piracy.



> But GitHub claims to be your home for public hosting of your own personal code.

Github claims to be a home for developers to publicly host code of public use. Any benefit to an individual developer is incident to that overriding purpose and they are clear about that in their use policies.

> What GitHub policy did he violate?

https://docs.github.com/en/github/site-policy/github-accepta... gives their acceptable use policies.

I think they could easily make claims on any or all of sections 2, 3, 4 and 10.

Section 10 in particular notes that Github is a service run for a mass of users and will favor users as a whole over individual privileges.

> expressing his freedom of speech, again on his own personal GitHub account, in his own personal (not organization) repositories.

Was he running his own Github server instance and I missed it somehow? The flipside to Github paying to run your git repo, issue tracker, etc. is that you agree to abide by their terms of use, and these terms are written for Github's benefit.

If a million Github users are impacted by this package breaking their code then why are you surprised that Github took action to protect their users?

Marak could have hosted his own git repo if he wanted to ensure his malicious code couldn't be intercepted by others. That's the tradeoff you have to choose.

> He spoke about his thoughts about open source, businesses, and economics. Defending this type of political speech [snip]

Inserting infinite loops into packages isn't "political speech" and trying to claim as such just waters down the entire argument...


Yes, I'm also curious about GitHub's justification for this. It feels like they should have made some sort of statement about why the account was suspended, for the sake of transparency in such a large controversy. It's perfectly imaginable that Marak used his GitHub account to spam/harass other projects, or engage in some other type of speech that went against GitHub's guidelines, but there needs to be more clarity so that this doesn't seem like a case of "You annoyed me, so you're gone". As you said, it really can give the appearance of GitHub siding with the commercial use of open source for their own self-interest, even if I have enough trust in GitHub to know that that's probably not what they intended to do.

EDIT: I'm glad to hear from a sibling comment that GitHub has since unsuspended his account, since TFA and this comment made me think he was still suspended. Still, it feels like a misstep for GitHub not to have made some sort of comment here.


I get what you are saying, but I feel like this applies:

Not your domain/site, not your corner of the internet.


Is domain enough? I doubt it. You probably also need your own server in your own rack in your own building with your own peering to other networks. Once you've done all of that, you can probably credibly keep your site up counter to corporate interests.


Well, if you have your own domain then you can at least move it around between providers. But yeah, if you are doing anything truly unpopular then I don't think there's much you can do to stay online.


As a network, the internet will tend to favor the interests of large groups acting coherently. Sometimes we call those "corporations." But yes; control online is a two-way street because it's a communications network and it always takes at least two to communicate.


The fact that the conversation is happening at all is a sign that GitHub's reputation is damaged. As anyone would point out, they are certainly within their rights to terminate any account for any reason.

But certainly not beyond repair (as injecting adware in your package).

Also it is certainly a reminder for everyone that GitHub should not be treated as an archive of your code, and more like a collaboration space.


I don't like GitHub much but their handling of this situation actually won points for me.


>"The really outrageous thing is that the developer going "rogue" was actually him expressing his freedom of speech, again on his own personal GitHub account, in his own personal (not organization) repositories. He spoke about his thoughts about open source, businesses, and economics. Defending this type of political speech is especially important and GitHub banning his account and censoring this type of speech(whether you agree with it or not) is especially shameful."

This Tuesday is the 10-year anniversary of the SOPA/PIPA blackout [0,1]. Half of the tech internet crippled their own functionality for a day, in an act of political speech. (Was GitHub part of that?)

Tech culture has surely changed since then!

[0] https://en.wikipedia.org/wiki/Protests_against_SOPA_and_PIPA

[1] https://hn.algolia.com/?q=sopa


He wasn't crippling his own functionality though, he was deliberately crippling the functionality of everyone who trusted him.


Your GitHub account is not yours but GitHub's property; they just do not claim that before they ban your account.

All cloud services do similar things.


This isn’t how it works at all. It’s not how copyright law works, it’s not how property law works, and it’s certainly not how cloud services work.

What isn’t yours is your “right” to use the service.


Have you read the project’s license? That is literally how it works. It’s not even an original project by Marak, as it’s clearly shown in there.

The only fault here is cutting the owner out of the repo, but given the security breach it’s strange that he isn’t permanently banned at all.

And yeah, adding an infinite loop is a DoS attack.

> not how cloud services work.

Try placing a virus on S3 and let me know how that works out.


I’m not defending the author. GitHub is in their right to do what they did. But certainly not because of the nonsense GP claims. And yes you can host viruses on S3. What you can’t do is use Amazon’s network to do illegal shit (such as distribute viruses without consent).


Obviously I mean to distribute viruses via S3, which is what’s happening here. Your account is guaranteed to be flagged as soon as they find out. The update here was distributed to every subscriber.


What's your point? That doing illegal shit will strip you of your rights?

You know, I hear that if you go around stabbing people, you lose the right to not spend a bunch of time in prison, too.


Not to mention that in the case of colors.js he actually owned less copyright than other contributors. They had actually changed more of the code.


He did it to protest billion dollar tech companies making money off open source, which is Github's entire business model. His protest was an existential threat to them, so of course they are going to crack down.


I believe that none of the billion dollar tech companies were affected by this in any way as they tend to have proper process in place for managing dependencies, the only ones who suffered were small developers and other open source projects which have limited manpower and just pull in updated versions without verifying them. Saying that this is an "existential threat" is ridiculous - megacorps can and do have procedures that won't be bothered much even if you'd have a case like that every single day.

Whatever his intentions were, acts like this threaten the open source community, but do not actually threaten the big companies at all.


This is such a bad take I don't even know where to begin. Please, read up on FOSS licenses and check which one colors.js uses. That's just the first of about five flaws with your argument.


Unbelievable that now almost everyone is discussing "how" Marak's action caused results, not trying to figure out "why" this happened. Just like seeing something wrong and discussing it. DO NOTHING!! CHANGE NOTHING. ALL meaningless, unless you figure out all the stuff and change something. What did I do? I think GitHub is wrong, so I took action and deleted all my repos on GitHub. F*K it, that's what I did. At least I took an action. So what did you do? Talk is cheap.


It takes a long time to delete them all! I don't like GitHub, so I delete my repos. Is there any problem? I can manage my repos; of course Marak can too. https://twitter.com/numbchild/status/1482625168032022532


I didn't know about this before, is there a link for context?


This strikes me as a hyper-defensive exercise in wrapping the lib thick with every cheap trapping of "community" to hand. I suspect because of the Open Collective handover.

In the end, this thing spits out strings. Does it need eight maintainers, only a few of whom had commits, in low double digits? Does it need its own GitHub org, Twitter account, and Google .dev domain? Addressing open pull requests could be good, but the rest of the roadmap looks like packaging, doc, twiddling with test infra, and more "community" again. That is also work, I suppose, but API and function feel baked. Before he did "bad", Marak did good.

Overall, the vibe here is self-righteous hostile takeover. That's a pretty fraught concept I don't see a need to go near. Maybe it's not fair or accurate, for those better in the know. But from the outside looking in, seems to me a fork, a new name, and a quick tweak to package.json could fully address the issue of another 6.6.6-like release, cleanly. No special deals with the platforms. Name brainstorm, clone, fork, push, and publish of existing MIT code would have been intensely normal. Especially in JS land.

I get that "community" is supposed to make me happy and calm. But in the end, I don't see anything here addressing root causes of what happened, or even speculating on what they might have been. Marak isn't the only solo project lead who's snapped, and he won't be the last. It's convenient, but ridiculous, to say that has nothing to do with the environment we've built up. Plus we've learned a new way to lose donors, it being no mean feat to get them in the first place.


> In the end, this thing spits out strings. Does it need eight maintainers, only a few of whom had commits, in low double digits? Does it need its own GitHub org, Twitter account, and Google .dev domain?

I'm pretty sure the org and multiple people are to avoid a single point of (mental) failure - quite reasonable given the project history.

Also, if we really want to go that way, Google Search is also just a product that spits out strings. And a few orders of magnitude more over-engineered ;)

> But in the end, I don't see anything here addressing root causes of what happened, or even speculating on what they might have been.

Well, they have a larger team now, which can reasonably prevent a single person from doing that kind of damage when set up correctly. What other root cause are you looking for? Mental checkups for open-source maintainers? Redefining the "free" in free software?


If what happened here was mental health, I'm not sure more people is better, from a security standpoint. If it was strongly linked to workload and maintainers' plight, I'm not sure more scope is, either. If the harm done was time wasted and confusion incurred, I wonder about users who got burned teaming up as a group of eight.

In any event, the median count of contributors to an open source project remains one. This team-up doesn't help projects != faker.js.

As for scope, I haven't looked at this source in a while. But it seems the strings are still static, in the package: <https://github.com/faker-js/faker/tree/29234378807c414158886...>.


> In the end, this thing spits out strings.

That's not really a criticism. 90% of web dev is string manipulation.


Not worrying about endian conversion or the format of your floating point is a very good thing (Yes, I'm old enough to have dealt with software developed on Intel machines having to be ported to run on VAX based machines).


Marak isn’t the only one who snapped, but he’s the only one to my knowledge who has introduced malicious commits to this code to purposely hurt other people’s projects. (Even Hans Reiser didn’t do that.) It seems that this might have been a precursor to Marak attempting to hurt people in real life:

"Hospitalized Queens man charged with reckless endangerment after cops find bomb-making materials in his home"

https://www.nydailynews.com/new-york/nyc-crime/ny-queens-bom...

I’m not surprised with Marak’s behavior given his mental state. What surprises me is the amount of support he’s garnered for his actions with a lot of people on HN.


I don't think what he did was particularly good but I think he was entitled to do it. And the blame falls on the system we have which relies on random people to do work for free with no contract or obligation.

It's like if a business delivered packages by asking some random homeless person on the street to walk it to its destination. And then one day the person just chucks your package in the river instead of delivering it. It's amazing that the company got so much value out of a free service for so long rather than shocking that it eventually didn't work.


Open source works because we can trust authors to not maliciously harm other people. If it was a bug that's one thing it happens, you move on. But when you purposely do something that you know will cause harm to people that is where I draw the line.

Your analogy isn't even close. No one forced him to write faker.js. He chose to do it and he chose to make it open source under a license allowing people to use it. He also chose to maintain it and help people with issues. If he didn't want to maintain it anymore, it is his right to stop. No company could force him to continue. But neither he nor anyone else is entitled to add malicious code. Full stop, that is where I draw the line. I can't believe anyone is defending that.


He chose to put a package online. He didn't sign any contract stating the package would meet some kind of quality obligations. He had no obligation to do anything.

Yes, it is particularly shitty to intentionally screw it up. But the system that put so much value on something not happening without any safeguards or obligations is the real problem.

The move fast and break things attitude of web development is the cause. A single rogue dev is just an example of the worst happening. In the future I imagine we will have package managers which do not give random individuals so much power. And we will rely on packages from trusted names, Google for example has a very very low risk of sabotaging a package compared to a no name individual. If companies had paid for this package, they could take legal action against the author. But they paid nothing and had no assurances of anything other than a vague hope it would continue to work.


He did something much worse than break a contract, he committed a crime that he could probably be prosecuted for. He did the whole thing with malice aforethought. It looks like fraud at the very minimum - he released a version with the intent to deceive, victims relied on his deception, and they suffered damages as a consequence.


Fraud requires that he used deception (I don't see any evidence that he did) to obtain something of value (again, I don't see it).

The code was open source. The code was published under a new major version number. The code had a descriptive change log that definitely didn't seem congruent with earlier versions. And he wasn't getting paid for it. What thing of value did Marak Squires defraud people of?

I get the sense that people are reacting with extreme hyperbole in their accusations, out of anger that he did something assholish.

Serious question: how is this different from 1Password publishing an upgrade that removes the ability to use standalone vaults in the iOS Safari extension?

At the end of the day, Marak published an update, knowing some people would update the software automatically due to their own workflows, and the update had negative effects on the users. Companies do this all the time and nobody accuses them of installing a "Trojan Horse" or committing a felony.

How did it come to this? Where HN, a place that is supposed to be genuine and curious, believes an act should be acquiesced to or branded a felony based on the individual's personality? Because that seems to be the consensus here and I find it disturbing.


He chose to put a package online. He didn't sign any contract stating the package would meet some kind of quality obligations. He had no obligation to do anything.

If there was a bug in his logic that caused an infinite loop in some scenarios he was under no obligation to fix it. While I think he should in that scenario, I would defend his right to leave it. Another maintainer could fix it, someone could fork the package, whatever.

I am not arguing he owed anything to anyone. I am arguing that he is not entitled to maliciously break things on people. He committed it knowing full well most packages would grab it automatically; most people are okay with that, as if it breaks things they can go back a version, no big deal. His package is so popular some people might not even realize that one of their dependencies relies on it.

We can argue about how much time you should invest in knowing your dependencies and checking every commit for them until we are blue in the face. The reality is he knew most people just can't or won't, especially in the npm world.

There is no defending a malicious act. He is not entitled to commit code maliciously. OS works because we trust maintainers to do their best to have the best interests of the users at heart. The flip side of that is they are under no obligation to work on it. They can walk away at anytime.

If people's idea of OS software starts to include that someone could do something malicious at any moment, that's the beginning of the end of OS.


> I don't think what he did was particularly good but I think he was entitled to do it. And the blame falls on the system we have which relies on random people to do work for free with no contract or obligation.

Utter nonsense.

You don't put out code under open-source MIT and then want to take it back when you realize other people are using it exactly as you instructed them to use it, which in this case is "any way they please".

You have to think about this stuff beforehand if you want to be compensated if it "takes off"; there are other licenses you could use.


The MIT license doesn't prevent you from doing this. If someone cloned the repo, they could continue doing whatever they wanted with it, but the owner is entitled to put up whatever new code they want on their repo.


This is technically true. If he wants to act like a spoiled brat and put malware in his own code, he can under MIT (he can do whatever he wants, just like anyone else can do with it).


> And then one day the person just chucks your package in the river instead of delivering it.

That analogy makes little sense.

In my county, what you described is malicious mischief, and is a crime. A homeless person is not entitled to act in such a manner.


Most of the companies that got hit by this (and any paying attention) will probably just change their deployment strategy to slightly slow down their updates. I guess this is equivalent to... I dunno, checking if the random homeless person had at least made one successful delivery? Except the analogy breaks down because code doesn't randomly begin to pick up different behaviors without any intervention (Well, hopefully!).


> What surprises me is the amount of support he’s garnered for his actions with a lot of people on HN.

Well, his motivations were somewhat understandable and his actions were still scratching the realm of acceptable (not cool, but no serious damage and nobody was hurt). It's actually hitting the pretty much perfect spot to generate lots of discussions, since it's very easy and understandable to argue for either side.


What he did was nowhere near acceptable. Instead of adding an infinite loop to purposely sabotage other projects, he should have either walked away or changed the license for future versions of faker into a much more restricted one. SugarCRM transitioned their software from open source to closed source, and they’re still here with paying customers. There are also many restrictive licenses that change depending on the type of user, e.g. free for personal use but paid for medium to large corporations.


> he should have either walked away or changed the license for future versions of faker

He could have, and nobody would be talking about or remarking on it at all, which rather defeats the point.


Actually, when redis changed their license to get paid by cloud services like Amazon, there was a huge uproar. The people behind redis didn’t purposely break anything, had a lot of people talking about it, and had a clearer way towards getting paid. There are better ways to bring attention to an important issue.


> What he did was nowhere near acceptable.

It was a rebellious act against (what seems like) overbearing organizations, comparable to spraying graffiti on their walls. As I said, there was no serious damage and nobody was hurt; it's not like he burned down buildings or shot at people. I'm of the opinion that this was not the right way as well, but in the end it really wasn't that bad.


Changing the license would be just as “rebellious” and it wouldn’t have hurt anyone. It also would have drastically increased his chances of getting paid. Given his bomb making activities, I feel that this was more of an excuse to watch the world burn.


You don't get to tell other people what they should do for you.


But you do get to criticize poor judgement and provide reasonable alternative courses of action.


Nice bait-and-switch, but we can scroll back and see how relevant your defense of the comment I responded to really is.

Declamations are fine; declarations about what is "acceptable" and what "they should have done" are more than mere criticism of poor judgement, etc., and are what the author of the comment I responded to actually wrote.


> Instead of adding an infinite loop to purposely sabotage other projects, he should have either walked away or changed the license for future versions of faker into a much more restricted one

Then from the context, you can clearly read that the comment you responded to did not mention that Marak needed to do anything for him specifically.


> he should have either [done this thing (that I deem would be "acceptable") or this other thing]

(This is my last response to you, since you were strawmanning from the beginning and this is obviously not going to go anywhere that doesn't involve intellectual dishonesty dressed up as a clever retort.)


Or ad hominem attacks.


I'm sure 6.6.6 threw a spanner in the works for folks who didn't lock deps. Not great. But Marak's one of us. This feels a lot bigger than that.

I don't have a direct line on what happened to him, or where it took him, mentally or otherwise. But the hints so far aren't great. To one of us.

I think the responses from the platforms---GitHub, OpenCollective---get folks thinking, whether they feel it that way or not.


What GitHub did was completely reasonable. They mitigated harm to their users on their own infrastructure and property. They did not change his code. They just took down his malicious code that caused harm.

The vast majority of people on HN would never purposely harm strangers. Most of these strangers are fellow developers, i.e. “us”.


I understand some of the imperatives GitHub's people must have felt. I've advised folks providing open source infra under drama, though I can't talk details.

I'm sure the people who got burned on builds had bad days. It's not fair to blame them entirely, for not locking deps. It is fair to point out this isn't the first time builds have broken, with npm or other repositories. Nor the most widespread in effect. Does this count as a crisis?

If anything, I suspect a crisis of faith. Seeing bad things can come of `npm install`, and those bad things might be intentional or just plain weird, instead of well intended but accidental, can make people anxious. Publishers to npm don't just disappear or malfunction. Their faults can be byzantine. But there are defenses against them.

On the maintainer side, like it or not, we all have an editor when it comes to publishing on GitHub. But it matters how invasively that power gets wielded, and how heavy-handed it's perceived. This episode suggests to me that the threshold for intervention in the name of user interest is pretty low.

That's based on the information I have. Perhaps GitHub will share more on the blog.
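Two points made in this thread, that an update "most packages would grab automatically" and that folks "didn't lock deps", both come down to how an npm-style version range resolves against what has been published. The following is an added example, not code from the thread or from the Faker project: a simplified re-implementation of semver range matching (exact pin, `~`, `^`, `*`), used to show which declared ranges would pull a newly published version into a fresh install and why an exact lockfile pin would not. All version numbers in it are constructed.

```javascript
// Added example (constructed versions; simplified npm semver rules, not npm's own code).
// Parse "major.minor.patch" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Ordering: numeric on major/minor/patch; a prerelease sorts below its release.
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

// Does `candidate` satisfy `range`? Supports "x.y.z" (exact), "~x.y.z", "^x.y.z" and "*".
// A prerelease candidate is only accepted when the range itself names a prerelease
// of the same x.y.z, which mirrors how npm treats prerelease tags.
function satisfies(range, candidate) {
  range = range.trim();
  const c = parseVersion(candidate);
  if (range === "*" || range === "") return c.prerelease === null;
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  const samePatchLine =
    c.major === base.major && c.minor === base.minor && c.patch === base.patch;
  if (c.prerelease !== null && !(base.prerelease !== null && samePatchLine)) return false;
  if (op === "") return compare(c, base) === 0; // exact pin, as a lockfile records it
  if (compare(c, base) < 0) return false;
  if (op === "~") return c.major === base.major && c.minor === base.minor;
  // "^": anything that keeps the left-most non-zero component unchanged.
  if (base.major > 0) return c.major === base.major;
  if (base.minor > 0) return c.major === 0 && c.minor === base.minor;
  return c.major === 0 && c.minor === 0 && c.patch === base.patch;
}

// Given the range in package.json, the version a lockfile recorded, and the list of
// versions now published, report what a fresh install without the lockfile resolves to
// and whether that differs from what was locked.
function wouldAutoUpdate(declaredRange, lockedVersion, published) {
  const eligible = published.filter((v) => satisfies(declaredRange, v));
  eligible.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  const resolved = eligible.length ? eligible[eligible.length - 1] : null;
  return { resolved, changes: resolved !== null && resolved !== lockedVersion };
}

// Constructed registry state: the team locked 1.4.0; since then 1.4.1, 1.4.2, a 1.4.3
// prerelease, 1.5.0 and 2.0.0 were published.
const PUBLISHED = ["1.4.0", "1.4.1", "1.4.2", "1.4.3-rc.1", "1.5.0", "2.0.0"];

for (const range of ["^1.4.0", "~1.4.0", "1.4.0"]) {
  const r = wouldAutoUpdate(range, "1.4.0", PUBLISHED);
  console.log(`${range.padEnd(7)} -> ${r.resolved}${r.changes ? "  (changes on fresh install)" : ""}`);
}
```

A caret range silently follows minor and patch releases, a tilde range follows patch releases, and only the exact pin (or the lockfile that records it) keeps a fresh install on the version that was reviewed.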


If people want full control over their repo, then they shouldn’t use GitHub, gitlab, bitbucket or any other free service. They should host it on their own server.

This is an open and shut case. GitHub did the right thing.


> Marak's one of us

One of who, exactly? Marak needs professional help. This isn't a "personal army" situation.


A social scientist who has studied industrial sabotage might be able to correct me if I’m wrong: But I have read one (1) book on the subject—which frankly is one more than most—and I don’t think there is any evidence of correlation between industrial saboteurs and sociopathy. In fact, quite the contrary, saboteurs often go to quite some length to prevent people being physically harmed in the sabotage.

A saboteur is more often than not mostly frustrated at their employer, or the industry, and tries to maximize harm to those entities, not innocent bystanders. However, given that saboteurs are often quite angry and have often been in a prolonged state of stress, and most often act alone—keeping their plans secret until they are executed—they are often not in the best position to correctly estimate who will receive the most harm.

In our industry there are plenty of frustrated workers; some are underpaid, others are overworked, some work for entities they morally object to, etc. When a colleague engages in this kind of sabotage which causes disruption on some scale, we might see it as an act of solidarity from a shared frustration. This is certainly the case in other industries, and I don’t think tech is any different. In fact this incident reveals that our industry might even be more vulnerable to industrial sabotage than other industries.


Most of what you’ve written is valid. The main issue I have is that you’re implying that software developers and engineers are “underpaid”. That doesn’t reflect reality. We are one of the highest paid professions in the US due to several factors. There is also a lot of career mobility, i.e. if you’re not happy, change companies. The other issue is assuming that Marak is rational. I do not believe he is at the moment since he was involved with manufacturing homemade bombs at his apartment.


> After the funds were moved we were invited to become admins of the Faker collective. This meant that we retained the existing sponsors of the Faker collective who were paying for the continued maintenance of the project.

I'm sorry but this feels wrong. The existing sponsors should have their subscriptions cancelled, instead of going to a new organization automatically.


Only sponsorships tied to the project itself will continue to be tied to the project. This move was sponsored by the co-maintainers of the project.

Any sponsorships tied to marak's personal GitHub account were not changed, of course.

This is also consistent with the original terms:

> During the conversation with Ben, he went over the terms and conditions of the Open Collective with me.

> Ben said that simply, "The funding is attached to the project, not the current maintainer."

Full details: https://github.com/faker-js/faker/discussions/56#discussionc...


> Only sponsorships tied to the project itself will continue to be tied to the project

Yeah, but the project is not actually the same anymore. The new project taking over the name and URL of the old project doesn't make it "the same" project.


> The new project taking over the name and URL of the old project doesn't make it "the same" project.

Do you really think the sponsors and the people using this code actually care that one person (of many contributors to the project) who wanted to break the project is no longer part of the project?

It's a technicality, but in practice nobody actually cares. If they wanted to sponsor Marak they would have done it through his Github sponsorships. If they wanted to sponsor Fakerjs, in whatever form it takes, they would choose the Open Collective and their associated terms that allow for exactly this scenario.


> Do you really think the sponsors and the people using this code actually care that one person (of many contributors to the project) who wanted to break the project is no longer part of the project?

Some of them probably do. And some probably don't like the way in which the takeover was done, or don't like the new guys, even if they don't really like what the old guy did either.


Ok, but the question is, what entitles these people, rather than others, to claim a fork as "community successor"?


Good preparation? The fact that this site is at the top of HN? I don’t think anyone really cares as long as the community settles on only one. Personally I’m happy a group (and only one group) of people has stepped up to take over stewardship.


Nothing. People vote with their feet or their checkbooks.


No they shouldn’t, they supported the project - not the crazed author.


Ask for forgiveness not permission.


You can spin it however you like, but renaming the real one "fakerjs-legacy" and appropriating all sponsors is a scumbag move.


The terms of the funding are attached to the project, not a specific maintainer:

> During the conversation with Ben, he went over the terms and conditions of the Open Collective with me.

> Ben said that simply, "The funding is attached to the project, not the current maintainer."

None of Marak's personal GitHub sponsors were changed (obviously).

To be clear: Marak deleted the original project as part of his protest. The sponsors in question are donating money to sponsor the project, not a single person. It wouldn't make sense to send their money to someone who deleted the project.


Then you cancel the sponsorships to the project and notify the supporters. When the maintainer effectively cancels the project, this makes sense. But you don’t migrate supporters automatically over to a brand new project (even if it is the most stable fork of the original).

> We came to the determination that users unfamiliar with the whole Faker situation wouldn't know that the repository's sponsorship links aren't funding the continued development of the project.

If the intent of the supporters was to support the project, then you can ask them to continue funding the new fork. But you don’t just move funding by default. Cancelling the ongoing support would be fine, but you are relying on people (who were never aware of the switch and the new fork) being okay with this, without their consent.

This is a messy situation, but you can’t make these decisions unilaterally. Inform the supporters and let them decide.


> but you are relying on people (who were never aware of the switch and the new fork) being okay with this, without their consent.

Open Collective makes it clear that the sponsorship is for the project, not for a specific person.

It's not "without their consent". It's literally the terms of the Open Collective.


But they are changing the “project”. Just because the new project is named “Faker-JS” doesn’t make it “official”.

Does the open collective have the ability to decide who is in charge of a project? Can they remove maintainers?

Let’s say there is a fork of a different popular project. Are you suggesting that they could unilaterally decide to support the fork over the original project? However unlikely that is, I don’t think they have that power. Decertifying a project? Sure. Redirecting funding to a new project (even a fork) just isn’t right.


Does it matter what Open Collective thinks if most people believe this is immoral?


Define "most" people....

To me, this is like the left-pad incident and npm. There was a vocal minority who denounced npm for looking after the greater good, maintaining continuity and transferring the project to someone else.

In this case, since the author also deleted the project, the proper way to maintain continuity for the sponsors seems to transfer it to the new community of folks who are interested in maintaining the project. Sponsoring the old deleted project does nobody any good.

Personally, I don't see anything wrong with what OC did.


You have to let the supporters make that decision.

You can make that decision easy, you can automate a lot of it, you can inform, but you can’t change which project the funding is going to without explicit consent.

And yes, for these purposes, the new fork should be considered a new project. It is a completely different situation than if the project itself decided to change maintainers, etc.

This is really a crazy situation where the original maintainer blows up the project. The best scenario would be for the original authors to hand over the project in some capacity. But that seems pretty unlikely.

To put it in different terms… this was not a SQL UPDATE. This was a DELETE. You don’t just change foreign keys to a different project_id when you delete a record.

I would also argue that the author was completely irresponsible, and made life difficult for everyone that used and supported the project. But that’s a separate issue and doesn’t make what the open collective decided right.


I don't see how it's immoral. If someone wants to sponsor Marak personally, they can do so easily. If people are donating to the project under the false belief that the money is exclusively going to Marak, then that's their problem for misreading the details of what they were donating to.


I don’t think most people think it’s immoral. I think most people think it’s ‘questionable, but probably practically the best choice’.


> the project, not for a specific person.

The project no longer exists. It was deleted. These people forking it does not give them the ownership of the project. The problem in the supply chain was solved by NPM rolling back the version. Github temporarily suspending his account could be attributed to suspicious behavior. These guys commandeering someone else's open collective and general community identity (hn handle, twitter handle, library name) does not solve any actual problem, and is clearly just an opportunistic way to boost their own standing in the community and financially gain off someone else possibly having a breakdown. Shameless and very unethical.


Saying "the funding is attached to the project" doesn't really answer anything.

This new fakerjs isn't the old project, technically or practically speaking (technically being the important part here).

So funding attached to the old project should still be attached to that now-abandoned fakerjs, or straight up canceled if Open Collective considers it violates their terms, instead of transferring.

The fact they can't do it themselves and asked Open Collective's exclusive director to do it "manually" basically self-confirmed it shouldn't be done.


> This new fakerjs isn't the old project, technically or practically speaking (technically being the important part here).

No, it's definitely a continuation of the old project.

Marak deleted the old project. It's now just a non-functional GitHub repo with a Readme that says "What really happened with Aaron Swartz?". Nobody would consider that to be more like the original fakerjs than this active fork that, literally, retains the original fakerjs.

> So funding attached to the old project should be still attached to that now-abandoned fakerjs

Not just abandoned. It's deleted. Or at least rendered useless, devoid of history, and non-functional.

Why would they continue funneling money to that? Why would they not give money to the actual project as it continues?


That's the sponsors' decision to make. As I said, I have no issue if Open Collective just cancels these sponsorships.

What I don't agree with is transferring its sponsors to an account that has zero relationship with the original account.


> That's the sponsors' decision to make.

Marak's GitHub sponsors aren't changed. If people wanted to specifically sponsor Marak, they would have chosen to do it there. The Open Collective is very specifically about the project, not a specific person.

> What I don't agree is to transfer its sponsors to an account that has zero relationship with original account.

The current fakerjs has more of a relationship with the original code than what's in Marak's repo.

I don't see the issue. The Open Collective is specifically about sponsoring the project, which Marak clearly and publicly washed his hands of.

Again, they weren't sponsoring Marak. They were sponsoring the project. The project is still going.


Do you also have no issue if GitHub just transfers Marak's repo to the new team? Or all the stars? Since obviously most of people are starring the "project" not him.


Kinda pointless to argue about this because it didn't happen.


I'm trying to use analogy to show the ridiculousness of transferring followers (sponsors) around without agreement of two parties. Hell, I think it makes even less sense in OC's case since there is real money involved.


This is a bullshit excuse. People don't decide to sponsor a project in a vacuum. They look at the project, its history, and the circumstances of its creation. The project is free to begin with, so what is there to sponsor in the first place?

If I make a donation to a charity which I trust, and some third party simply takes the money and hands it over to some other charity instead, claiming that it doesn't matter because the goal is the same, I'd be rightfully outraged. How is this different?


I assume nobody in their right mind would sponsor the original author who, instead of maintaining the project, distributes malware and builds bombs.


It is up to them to cancel their sponsorship. At most I'd go along with cancelling all sponsorships, but even that would be a huge asshole-move. This is outright theft.


The bomb building arrest is not getting enough attention in all this. He is clearly mentally unwell.


I mean... don't torpedo your own project that other people use and you won't lose funding.


Serious question: why? What would you say those sponsors were sponsoring?


[flagged]


Then how do you know they don't support automatic hassle-free transfer of the sponsorship?


This isn't either or.

If one single sponsor does not agree with their sponsorship being transferred, then that is THEFT. There's just no way of excusing that.

On the other hand, even if an overwhelming majority were okay with sponsoring the fork instead, cancelling their sponsorship and emailing them about the reason and how they can sponsor the new project (or continue sponsoring the old one, if for whatever reason they'd want that), then that's a minor inconvenience.

Is it really such a hot take that erring on the side of minor inconvenience is better than accepting outright theft based solely on the perception that most™ users will be okay with it?


Okay, so how are they supposed to do it then?


Who's they and why they, whoever they are.


Faker.js is why software should move a lot slower. There's no other industry this unprofessional. "But....vetting every single dependency (supply chain) is tough and we can't really know which one to trust (which is why we have certificates)!!". It will never happen though, because software is too ephemeral for anyone to give a shit about; "leaking millions of personal info" doesn't feel as bad as the thought of myself "falling off a faulty chair".


Huge thanks for taking this over and handling a delicate situation as cleanly as possible.

Also, kudos for emphasizing the real originator of the package:

> Faker was first implemented in Perl in 2004 by Jason Kohles


I don't understand how you can "commandeer" the fakerjs identity. I realize you can fork and maintain said fork, but to take a) the name (which should be protected as a copyright, no?), b) the sponsors (this feels very unethical if not illegal). You can't assign yourselves as the successor to a project. You can be a "spiritual successor", but unless Marak officially hands the mantle over to you, your thing is just a fork. Surely if all 8 of you are engineers as in the intro, you had to learn some sort of curriculum on professional ethics.


I should’ve put this at the top of the update itself, but the Twitter account is the main form of comms from the team.

https://twitter.com/faker_js

Thanks everyone.


Why is this project so popular? I’ve built mini APIs to do this in several previous jobs - either for the purpose of fuzzing, anonymizing real user data for test environments, or readable testing. Each time it’s taken maybe two days of effort in total starting simple and growing for internal needs. How has this been funded so much, for something that’s as simple as dictionary.getRandom()? And why does it need eight contributors, social media accounts, etc?


> I’ve built mini APIs to do this in several previous jobs [...] Each time it’s taken maybe two days of effort

So...just you, in your career, have spent between 1 and 2 total weeks of developer time building the exact same functionality, and you're curious why an open source project that cuts that time down to like an hour is popular?

I'm also a little suspicious of the claim that it's the exact same, because Faker has a lot of functionality under the hood, but you've more or less demonstrated why it's useful in this comment.


Yes but for the sake of a few hours you now have 22 dependencies and a new security vector to consider :)

And of course the reason this new version exists is because the previous version was deliberately broken.

Why add significant dependencies for the sake of a few hours (maybe a day or two in the long run if you need to add functionality)?


So, a few answers.

A) most of the dependencies that Faker has are common with lots of JS projects that I work/have worked on in the last few years. Looking at that dep list[0], I'm familiar with most of them. They're mostly common packages. To some degree, I'm relying on the thousand eyes here.

B) In terms of security risk, Faker runs in test suites to generate data and locally on dev machines, sometimes, to populate sample DBs. It lives and runs in managed environments and doesn't get packaged into prod anywhere. The risk profile isn't nonexistent, but it's also not a massive risk.

C) I really think we're underrating the amount of work that would be required to recreate this project (not uncommon here). Faker can spit out 205 different types of random data in 46 different languages/dialects. Building that is not a two day project (evidenced in the fact that people have been working on this for years now); making sure you can generate all that data correctly in all those different languages is a non-trivial task; building and maintaining it internally will take dev time and energy and will continue to require that time and energy on an ongoing basis.

You're talking about this choice here and in other comments with an air of "silly JS devs, just build this easy thing!". I don't know if it's your intention, but you're coming off dismissive and ignorant. People think about these tradeoffs all the time, and sometimes decide to use packages like this. I think it might behoove you, if you find someone's decision confusing, to start from the position that they are also reasonably competent professionals and see if you can understand why a competent professional might make a different decision than the one that seems obvious to you, rather than assuming that if someone makes a different decision they're stupid and/or incompetent.

[0]: https://github.com/faker-js/faker/blob/main/package.json


I think you misread "days" as "weeks".


No, "several previous jobs" and "each time, two days of effort" does come out to a week or two.


Because for some people, they don't want to spend the extra time to build and maintain a solution that they are now responsible for.

`npm install --save faker` and boom you have access to a huge variety of random test data, across different locales. Doesn't stretch my imagination to see the appeal.


Sure, but realistically most people only use a few of faker's features, right? It’s not that time consuming to make in-house. And after those few hours of work you don’t have a dependency/new security vector to consider. I guess the JS ecosystem likes to import everything (isOdd).


Building something in-house comes with its own sets of pros and cons, which can be compared against the pros and cons of taking a new dependency. The balance and the "correct" decision will vary by team/project/org.


Of course! That's good engineering. However I argue that the default is far too often to use something 'off-the-shelf' and trusting it A) works, B) is secure, C) is supported, and D) will remain so for the lifetime of your project.

I wonder if those who say "2 days?! Just npm install!" answered those questions, or if they googled "nodejs fake data generator" and installed it onto their business's main product in the next 5 minutes.


A lot of webdev is just pre-built stuff. When webdevs say "don't reinvent the wheel" it means "I'm too scared of doing it wrong to program it myself."


No, they value their time more than re-writing a known algorithm/pattern.


More like "I don't want to waste time building something low impact when I could pull in a dependency and be working on something high impact".


It's a combination of both. You're weighing up the time to build the right thing for yourself vs picking something up from the shelf. Specifically you have to factor in:

1) Is the project built correctly

2) Is it the correct project for your issue

3) Is the project maintained

4) Is the project going to be maintained for the lifetime of your project

5) Is the project secure, and how risky is including it to your project?

And if these are all good then sure, it makes sense to include it in your project. And this is good engineering. But what people seem to do is go "Oh hey, I need to get a random name from a dictionary of names. Let's google that. Oooh faker!" without even thinking these questions through.


Note that for this new community version it's:

`npm install @faker-js/faker --save-dev`


This just helps my point, I believe. Someone is going to google how to import fake data, find the npm repo with loads of downloads, import it, read a stackoverflow issue on how to use it, and not understand why it's broken for a while (because it's now a dead project). All so they can get a dictionary of first names and strings that look like addresses in a unit test somewhere, probably.


It's really nice to have a project that someone's thought through about how to build sample data a lot more than I have time to think through.

Could I/anyone else build this? Of course. Could I do it so thoroughly, provide support for it, and still do my day job? Not easily, not as easily as I could install this project and use it.

Also keep in mind it's not like those 8 contributors are throwing a full 40 at this project every week.


This is the modern JS philosophy - don't reinvent the wheel taken to an extreme e.g. left-pad (https://www.npmjs.com/package/left-pad) which had its own very public fiasco around the developer deleting the npm package.

I don't think it's a bad philosophy, just different perhaps from yours (and mine).


Hmm, but as I understand it, the original developer was rather pissed off by the situation where devs are working on projects in their own time, and those projects sometimes become important tools to lower the costs of creating software for big companies, and the authors are not getting a dime and are forced to use some kind of sponsorship and so on.... In such a case making one of the tools "community" owned smells like some kind of dick move, even if the original author wasn't doing too many commits.

Working for companies we are taking big bucks for writing some glorified invoicing systems (let's be honest, 90% or 99% of business logic is "move from screen to DB, move from DB to screen"), but code which is often an important part of the whole process is created for free by some folks. Strange.


I've already posted this before, but what Marak has done is anything but reasonable. If anyone was being a "dick", it was him.

If he just wanted corporations to pay, there are plenty of other alternatives like changing the license for future versions like SugarCRM did. It's been years since they've done that and they have plenty of customers.

https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/sug...

Since the developer in question has been acquired in the past (https://en.wikipedia.org/wiki/Nodejitsu), he could also make it into a SAAS play. He has the connections, skill and experience.

Otherwise, he can just walk away like everyone else. Maliciously changing code to break people's stuff is uncalled for. If he wanted to charge people from the start, then maybe he shouldn't have used the free-for-all MIT license for his code? If you want more restrictions on usage, choose a more restrictive license. Here's one of many restrictive licenses that changes depending on who's using the software.

https://writing.kemitchell.com/2021/06/15/Big-Time-1.0.0.htm...

Fakerjs is also not completely original work. It's a port of a Ruby library which is also named Faker. That Ruby library is also likely a port of a Perl library that is also named Faker. I haven't read anything about Marak even mentioning to support those projects financially.

On a related note, Marak is not well mentally, which helps rationalize what he did.

https://www.qgazette.com/articles/more-charges-possible-for-...

"A team of NYPD investigators and FBI agents found potassium nitrate, which is used in fertilizer, metal containers, fuses and other bomb-making materials in the crate, along with printed bomb-making and survivalist materials and a book on how to make a bomb scattered throughout the home, the source said."

'The chemicals separately are what they are, but taken together they can assemble an explosive device,' NYPD Dep. Commissioner of Intelligence and Counterterrorism, John Miller, said. 'There were books about military explosives, booby traps and other things.'"

I could be wrong, but Marak purposely trying to sabotage other people's projects was a precursor to him attempting to hurt people in real life. This was not reasonable behavior from a sane person. He should not be getting this much support from so many people on HN.


Morally the author is in the wrong according to many. He did publish malicious versions against the short term interest of the community.

However, he also distributed the software under the MIT license - that is "as-is" and "without warranty of any kind". So I'm having some trouble understanding why you would point out his personal life, psychological state, or his past projects as justification for anything related to Faker?

I haven't checked earlier versions of Faker but 5.5.3 does credit both the Ruby and the Perl libraries.


No court in the world will accept the MIT liability waiver as a defense, when the vendor intentionally distributed malicious code.


In the spirit of the law, that license is meant to protect authors from honest mistakes. I highly doubt that purposely made malicious changes will fully protect authors.


To be honest I'm commenting only on the part with "f.. it, I'm no longer working on it". I have ambivalent feelings about "let's change the code in such a way that builds will go into an infinite loop or fail", ambivalent because it is not nice, but somebody who was a victim of such a situation should learn not to add dependencies on the newest version, because here it was only some small "joke", but it might be something much worse, like poisoning the whole code with something malicious.

The problem is that the default behavior is "we are not paying for tools": people are looking for free tools to avoid fighting with procurement and everyone seems happy. Only really big companies are giving something back; most are simply leeching from the open source community. You are mentioning several ways this guy was able to collect money, yep, but again changing the license would mean that somebody else will fork the previous version and that's all.

I'm not saying that this action was super, but for me it is the result of a problem deep in the whole idea of "free libraries" and "free tools"; often this is all based on some poor guy or gal spending weekends on some project, which at the start was cool and fun, but later becomes a burden.
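Added example, not from the thread: a small Node.js script that reads a package.json and flags dependency ranges that would let npm resolve a newer release than the one you reviewed, which is the exposure the comment above describes. The manifest and package names in it are constructed for illustration.

```javascript
// Added example (not from the thread): flag dependency ranges in a package.json
// that let npm resolve a newer release than the one you actually reviewed.
// A caret or tilde range accepts future publishes that look like "non-breaking"
// updates; an exact version plus a committed lockfile (installed with `npm ci`)
// does not.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build suffix.
const EXACT_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns null for a pinned version, otherwise a short reason it is not pinned.
function classifyRange(rawRange) {
  // "=1.2.3" and "v1.2.3" are accepted by npm as exact versions.
  const r = String(rawRange).trim().replace(/^[=v]/, '');
  if (EXACT_RE.test(r)) return null;
  if (r === '' || r === '*' || r === 'latest' || r.startsWith('>')) {
    return 'accepts any newer release';
  }
  if (r.startsWith('^')) {
    return 'accepts new minor and patch releases (patch only below 1.0.0)';
  }
  if (r.startsWith('~')) return 'accepts new patch releases';
  if (/^(git\+|https?:|file:|github:)/.test(r)) {
    return 'resolves from a URL or repository, not an immutable registry version';
  }
  return 'range is not an exact version';
}

// Walks the dependency sections and collects every range that is not pinned.
function unpinnedDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const reason = classifyRange(range);
      if (reason !== null) findings.push({ field, name, range, reason });
    }
  }
  return findings;
}

// Constructed sample manifest; the package names and versions are illustrative only.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: { 'terminal-colors-lib': '^1.4.0', 'pinned-lib': '1.2.3' },
  devDependencies: { 'fake-data-lib': '~5.5.0', 'any-lib': '*' },
});

for (const f of unpinnedDependencies(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${f.field}: ${f.name}@${f.range} -> ${f.reason}`);
}
```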


> The problem is that the default behavior is "we are not paying for tools"

The problem is, if the person wants to get paid, then they need to use licensing that is more restrictive and sets the expectations for eventual payment. The MIT license is a "do whatever you want with my code as long as you don't sue for inadvertent mistakes" license. No one else is at fault for that license except for Marak. The expectation of doing what you want based on the license is in line with behavior. If he wanted to change behavior, he just has to change the license or not go open source. You can't have your cake and eat it too, i.e. you can't have open source's viralness and expect everyone to pay. If you want a near guarantee that people will pay for your work when they use it, don't go open source. Open source is not about getting paid.

> You are mentioning several ways this guy was able to collect money, yep, but again changing the license would mean that somebody else will fork the previous version and that's all.

Since we're on this subject, I'm going to remind you that Marak didn't come up with faker on his own. He ported it, and maybe even the data, from a Ruby project that was also called faker. To my knowledge, he hasn't shared any of the monetary contributions to his project with the people maintaining the Ruby version of faker.

If his software is so simple that someone can just fork it and gain an audience, then maybe it's too simple to replicate and too much of a commodity; but as I've already pointed out, SugarCRM successfully transitioned to closed source and I believe redis has successfully transitioned to a more restrictive license. Neither of them messed with other people's projects. There's no excuse for the bullshit that Marak pulled. Zero. Changing the license is simpler than adding an infinite loop to waste CPU cycles.

> which at the start was cool and fun, but later becomes a burden.

I've already written this, but most people just walk away instead of doing something malicious.


> he must do this, he must do that.

How about you do it for him? Like forking and maintaining your own copy of faker.js and all the nodejs packages you are actively using in the first place?

Ad hominem does not help your argument.


The word "must" never appears in the comment you quoted.

Please read the comment before accusing its author of ad hominem attacks.


You either didn’t read my comment, or you meant to respond to a different one. He didn’t have to do anything. He could have just walked away.

I only wrote the other stuff to show that there are other better alternatives to getting paid as a response to people who supported the terrible thing that Marak did to open source.


You aren’t in control on a platform that isn’t yours. You don’t have rights. If you want to behave like a child, Microsoft may very well just take the keys away from you.


> You aren’t in control on a platform that isn’t yours

I wish everyone to read the above about 5 times and try to let it sink in.


I don't think I've seen a single person struggle with this concept. This isn't a "lesson" anyone needs learning, including Marak.


It absolutely is if you’ve read all the comments about this saga. So many people completely shocked that MS will unilaterally take access away for something they claim to be the right of the author.

“He can do whatever he wants. Users should just not download it.” Well, Microsoft can do whatever they want. And they did.


They were investigating a potentially compromised account.


And that's why we should all get a cheap-ass server somewhere and install gitea on it. If any project ever makes it big, migrate there and treat github as a read-only mirror. Also never accept money over github. Just use paypal or some cryptocurrency if you have trust in those.


Kudos to the new faker.js 'team'

On the other hand, this further proves exactly how replaceable one can be... especially those who want to `sacrifice` themselves for opensource work.

Get a job to sustain yourself and your family; then contribute to open source when you are bored or for fun...


This is the project from the guy that set his house on fire and was caught with bomb-making materials, right?


I'm not understanding this situation from the perspective of intellectual property. This new project probably doesn't have the copyright of the author??


I doubt the original author had a trademark on the name "Faker" [0] and the MIT license the project was published under allows anyone to re-upload the source code to the internet and subsequently modify it.

The copyright to the original code still belongs to the original author, of course, but the author has chosen to license his code in such a way that this is a perfectly fine thing to do. This is the power (and, for some, the weakness) of open source.

[0]: I can only find one live registration by the name "Faker" here, and it's not in the same segment as computer software https://tmsearch.uspto.gov/bin/showfield?f=toc&state=4801%3A...


From the linked article:

> Faker was first implemented in Perl in 2004 by Jason Kohles



For what it's worth, there were a lot of conversations this week around package security and compensation for open source projects among tech decision makers. Ultimately it wouldn't have happened if he had a generous sponsor, and in that way I consider the act somewhat selfish. That said, it both reaffirms that there is a vibrant community of individuals who are willing to volunteer their time for the benefit of the software ecosystem regardless of compensation, as well as a growing number of corporations who are understanding that open source projects deserve their patronage. Despite breaking some builds, it didn't break the internet but made for some good controversy. If nothing else, I think that makes this good art.


Isn’t calling this “malicious” a bit of a stretch?

It’s not like he is mining crypto on your machine. It’s a (however misguided) act of protest and demand for attention.

Fine, GitHub put the brakes on in case it was an account takeover, but they should allow him to do whatever he wants with his repos once it confirms it's really him.

Also npm just removes his access…? If I was the author of a popular npm package and decided I wanted to remove it I’d hope npm and the “community” wouldn’t appropriate it and decide I don’t have an opinion about it.

Wanna clone it and upload your own? Fine. As the original author I should have the final say?

edit: undoing autocorrect


He intended to cause harm, and that is enough to make it a malicious act.


I'd argue this is a denial of service attack, inconveniencing the target and possibly costing them money but without stealing or destroying anything.


"It's just a prank, bro"


> We're referring to it as the official library in the immediate term in order to disambiguate between the many rewrites and forks that are not community-maintained.

Ouch. Has it diverted too far from common sense?


I was out of the loop on this and I stumbled across this -> Neighbor on Queens man with bomb-making equipment: 'Obviously the man is sick'[0]. This is just weird. It isn't like what the OS community could have done for him, it is what he should have done for his mental health.

0: https://abc7ny.com/suspicious-package-queens-astoria-fire/64...


Here's a hot take: By sabotaging the project, the author has quite clearly expressed that they do not want people to be using their software anymore, even though, legally speaking, the license allows them to do so.

Anybody who continues using this new fork should therefore never again complain about evil corporations making money from FOSS and not giving back just because they're legally allowed to. This is the exact same thing.


Am I the only one whose browser really struggles to scroll this page? Firefox Mobile.


The amount of unnecessary drama and politics surrounding NodeJS has ensured I will never use it.


Poor Marak. Ground up on the way in and ground up on the way out.


I'm surprised the blockchain gang isn't coming up with a solution for trustless npm packages or is it that a blockchain can't solve the problem of a trusted developer suddenly becoming untrustworthy?


Blockchain is a solution to a problem that doesn't exist in the real world in any appreciable sense.


Oh it definitely exists, and this might be one place where it could help, but it's not sexy, and it won't make you rich, so nobody is bothering.

A lot easier to pretend NFTs are more important than collecting stamps.


I think this is the right answer


> solve the problem of a trusted developer suddenly becoming untrustworthy?

This would be an exceptionally hard problem to solve, with-or-without blockchain.

Could you develop a system where any new releases are required to be reviewed and "signed off" by a random assortment of users before becoming "active"? Sure.

Is "blockchain" necessary for that? No.


I find this line of thinking frustrating and dismissive of new(er) technology. Is "blockchain" necessary for anything? Probably not. Is it potentially the best solution when compared to the alternatives and weighed on its pros and cons? Maybe - but one has to be willing to investigate before dismissing it.


Don't get me wrong, there are definitely areas where blockchain tech is (or may be) a good solution. Those are for problems where distributed trust and consensus between (potentially) adversarial agents is necessary; where a central authority either doesn't exist, or can't be trusted.

In this situation, you are downloading code from a central authority, and have placed your trust there already. What benefit does a distributed solution give here?


This exists, it's called crev: https://github.com/crev-dev/crev

As you note, this doesn't require a blockchain. crev uses a web-of-trust model which is pretty well suited to the task.


Oh wow, this is cool. I refuse to use npm because these issues keep cropping up and no solution gets implemented, but this looks good. I was just looking at an interesting static site generator today until I saw it used nodejs and noped out of there.

In contrast, Powershell on Windows won't even let you use scripts you've written yourself on your local hard drive unless you call them in a way that lets PS know you approve them. Scripts off the net have to be signed.

Methods of signing scripts https://docs.microsoft.com/en-us/powershell/module/microsoft...


crev is so neat, I have really been expecting npm/pypa/... to pick it up any day, for years. It solves those problems without taking power away from the package repository, and with minimal changes needed to the repository itself. With a spec already complete, I would expect an organization with the resources of npm could implement it in a few days, and I am really confused (and disappointed) that it is still not taking off.

Signatures from the author don't solve much, unfortunately. You would still need a mechanism to build trust (or review the script manually), and once you put that trust in the author, all that a cryptographic signature gets you is automatic trust in the next version... so the Faker attack slips through.


Packages are written by people not algorithms. People you have to explicitly trust to install the package.


Ethereum scripts are written by people too


... and trusting them is in no way "trustless". You have to audit every version of them, just like you can do with npm.

Ethereum provides trust in the results given trust in the code, nothing more.



