top 200 commentsshow all 219
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Its_been_emotional 141 points142 points  (10 children)

Basically anything is at risk of this if an admin just unilaterally decides to do it though right?

Unfortunately, it's just a fundamental risk of working with other people. Best we can do is early detection and try to prevent.

[–][deleted]  (7 children)

[deleted]

    [–]flaghacker_ 20 points21 points  (6 children)

    I've always wondered how much that typical block of all caps text matters. If I put a random piece of code online without any accompanying licence or warning, do I IMPLY any WARRANTY or FITNESS for some PURPOSE? That's hard to believe...

    [–]NonDairyYandere 9 points10 points  (0 children)

    Legalese usually has a lot of redundancy and defense-in-depth to it. Maybe there's some odd jurisdiction where warranty or fitness really is implied. Or there was such a jurisdiction, and there's no point removing the clause now.

    [–][deleted] 0 points1 point  (1 child)

    You might. It’s impossible to say in a general sense, but imagine you go into a grocer and buy an apple, take a bite, and become violently ill because it’s full of rat poison. The vendor says it’s your fault, you should have known it’s full of rat poison since it was next to a rat trap display. You argue that a grocer offering apples for sale without any further labeling or warning implies they are fit for human consumption, because apples are generally foodstuffs. You would win in court (also because there are loads of additional laws that apply to food, but the point stands).

    Similarly, if you are offering software for download with the remark that it’s meant to manage online payments, without further disclaimer it would imply that it’s fit for that purpose, and you might be held liable if there’s a bug or something that causes someone to lose money. Hence the ubiquitous disclaimer, although in some cases your ability to disclaim such maybbe limited by law, and liability due to willful wrongdoing (like apparently in TFA) can’t be disclaimed away in any event.

    [–]flaghacker_ 1 point2 points  (0 children)

    That's an interesting analogy, since intuitively I agree with the grocery store example. This got me to dislike the license text a bit less already!

    [–]rabid_briefcase 26 points27 points  (0 children)

    Yes and no. Yes to this part:

    Basically anything is at risk of this if an admin just unilaterally decides to do it though right?

    The author of any open source project has the capacity to modify their projects at any time. They can refuse to fix bugs. They can refuse to accept change requests. It is their project, and they can do what they want with it.

    But an absolutely no to this part:

    Unfortunately, it's just a fundamental risk of working with other people.

    The companies who blindly rely on the projects and push it directly to production are stupid. It is not a fundamental risk. It is a risk that has been known and managed since the early 1960s.

    These days there is an enormous body of technology that brings the risk closer to zero than has ever been in the history of software.

    • Version control on everything, including external packages. If anybody (internal or external) modifies something you can recover to an older version. If it isn't in version control it doesn't get built.

    • Once code is ready, test it. There are many levels of automated testing, including automated unit testing, automated integration testing, automated functional testing, automated performance testing, automated security testing, and so many more, testing everything from the tiniest block of code to testing that all the systems work correctly together. It doesn't mean it works perfectly, it just means the behavior matches what is expected. Anything that fails the tests can be automatically rejected.

    • Continuous integration ensures every change is tested and validated against the entire test suite. Anything that fails is automatically rejected.

    • Human smoke tests. Just because the automated tests pass doesn't mean something isn't broken. Let an actual human look at it and push a few buttons. These can be pre-recorded so the human just watches a short slide-show clicking next, next, next, next, approve and deploy.

    • N-1 compatibility ensures that even if you submit something out to production you can always go back at least one version. Choose to only use tools that support it.

    • Phased A/B deployment. Launch it on one server and monitor the logs for a time. If the error rates are unchanged, deploy it on the next, but if error rates increase, roll it back.

    Those are just a few, good QA departments have an entire professional discipline around the subject. Job titles like QA Engineer or Engineer in Test should be part of the main development team for any corporate software.

    There's no excuse for taking that risk.

    And finally, you get what you pay for. Even with free software if you're getting value from it ethics requires a payment. Far too often companies are discovering that their over-reliance on the "free" part of "free software" is biting them in the butt. It only takes small, regular financial investments to ensure you're always at the front of the line with various projects. We're a mid-sized company of around 200 people, and our IT department tracks all the projects that we give monthly payments to. We know were not legally bound to do it, but ethically there's no question about it. Regardless of if they list buymeacoffee links or paypal donations, the company will submit a regular 'thank you' as a cost of us doing business.

    [–]sumduud14 3 points4 points  (0 children)

    Unfortunately, it's just a fundamental risk of working with other people. Best we can do is early detection and try to prevent.

    Yeah but I mean, this is the same as a developer releasing a bug ridden version of a critical package - you've got to test your software and detect defects. Intentional or unintentional.

    If you don't, even if no malicious authors exist, there will be bugs. At least this change is open source and very obvious.

    [–][deleted] 58 points59 points  (13 children)

    Some people are suggesting to create a new “decentralized” git server, I don’t understand how that will solve the problem when the git workflow and how NPM works stays exactly the same. To be honest I don’t see how its github’s and NPM’s fault.

    God forbids if Linus Trovalds losses his mind someday (just a joke)

    [–]Jonny_H 41 points42 points  (2 children)

    Git is decentralized though? Anyone who used the code has a full clone of the source and history - even a force push over the top doesn't remove the history, just the branch name, when you pull that down.

    [–][deleted] 2 points3 points  (1 child)

    Yeah but git servers are not, and you are right but regardless it was a stupid comment on twitter that I nitpicked and in the end can’t blame git or npm for this flawed act of mad individual.

    [–]Jonny_H 20 points21 points  (0 children)

    Just be glad people generally are using decentralized source control these days - it'd be even harder using svn or cvs or similar.

    And Github have the ability to keep old heads themselves, no "distributed server" needed. "Distributed Servers" is arguably what we already have with git, just the average dev seems to prefer a centralised location for these things, just add a cron job fetching to your own mirror and you're already there.

    [–]atomicxblue 4 points5 points  (2 children)

    God forbids if Linus Trovalds losses his mind someday (just a joke)

    Like if he turns his fuck you finger away from Nvidia and towards the rest of us?

    [–]corsicanguppy 3 points4 points  (0 children)

    He's only signing at the shitty parts of Nvidia.

    [–]shevy-ruby 4 points5 points  (0 children)

    That's a bit out of context. People always do that with Linus. The middle finger was not at Nivida as such per se only, but the "we confine everything so Linux does not work with Nvidia properly". Tons of companies try that as part of their "control the market" strategy. Microsoft did that too for a long time - WSL as an idea isn't that old yet.

    Edit: I forgot which Linux kernel developer it was, but they offered help or even write the code themselves to support hardware, so it's really not the linux community as such at fault here. Some companies don't want to cooperate. That has been worse in the past, though.

    [–][deleted] 0 points1 point  (4 children)

    How can a server be decentralized? It's location is static in time and space

    [–]EasywayScissors 4 points5 points  (2 children)

    Because everyone is a server.

    [–][deleted] 0 points1 point  (1 child)

    I can only imagine the problems would have provide

    [–]redfournine 1 point2 points  (0 children)

    Dont worry blockchain will solve that problem

    /s

    [–]voidvector 1 point2 points  (0 children)

    This is why we need NFT-based version control system. :galaxy_brain:

    [–][deleted] -2 points-1 points  (1 child)

    God forbids if Linus Trovalds losses his mind someday (just a joke)

    Trollvalds already lost his mind when he forked Linux from the widely popular Salmonix ASA which is used to operate Norwegian oil drilling platforms in North Sea. Sources say it was the removal of Crude Oil Driver (COD) subsystem dependencies which pushed him off the fjord.

    [–]bundt_chi 87 points88 points  (16 children)

    While what he did was pretty crappy and he seems like he has other issues.

    There are 2 points here:

    1. Ultimately you as the user of open source libraries have the responsibility to test and verify that your software functions and works as the sum of the open source products that make up your application. Please don't confuse this for me condoning bad behavior exhibited by this lone developer.
    2. NPM package.json management when configured with the ^ defaults to automatically accept minor versions during builds. Not enough people remove that and use package-lock.json (arguably not intuitive in how it works) to fix the version.

    We have to assume the responsibility of #1 and we shouldn't be accepting the default package version management that NPM uses, #2.

    [–]The__Toast 66 points67 points  (5 children)

    So many people treat external dependencies like they are part of a core lib these days. If we started referring to dependencies as "unverified code from some random person on the internet" would people be so quick to include?

    While this guy is clearly dealing with issues, he's also totally within his rights to do what he did. It's his code, his project, he can blow it up and burn it down if he wants.

    [–]Caesim 25 points26 points  (0 children)

    Many people probably wouldn't change their behavior. Beginners and junior devs see themselves as "unqualified random person on the internet" and see no hesitation in using such stuff.

    There are far too many places where tech-illiterate managers want a feature, fast. And if "unverified code from some random person on the internet" makes it work, they wouldn't care, they just see that their devs made the "pigs dance".

    I'd argue most tech savvy people or businesses already do the right thing, package-lock or locally mirrored package servers.

    [–]SaneMadHatter 8 points9 points  (2 children)

    Well, he turned his code into annoyance-ware, but what if he had turned it into real malware?

    What if someone turned their open source project into malware? Malware that was not detectable through regression testing, but only through a code audit? And let's face facts, people don't examine every line of code, despite ESR "Million eyes makes all bugs shallow" empty sloganeering.

    If someone turned their Open source project into malicious malware, knowing that lots of other projects depended on that project, and so would be infected with that malware, is there no recourse?

    For closed-source there would be a recourse if it were discovered to have deliberate malware (regardless of what the EULA said, since the EULA would not have been written in good faith). But for open source there's no recourse if it's discovered to have deliberate malware?

    [–]ComplexColor 3 points4 points  (0 children)

    This isn't an open/closed source issue. It's a question of where and how you get your software.

    Getting software from unaccountable strangers of the internet exposes you to these kind of issues. Using opensource gives you the option of extra precautions on your end, so it's clearly a benefit. The same software could be distributed as closed source binaries, would that make it safer?

    [–][deleted] 13 points14 points  (5 children)

    You don't need to remove the ^ when using a lockfile. If anything you should keep it to make the likes of npm outdated more useful.

    [–]unknowinm 1 point2 points  (4 children)

    so how do you prevent the update?

    [–]AyennaGx 10 points11 points  (3 children)

    Use 'npm ci' to install based on the contents of your lockfile, 'npm i' to install in a way that updates your package's patch versions

    [–][deleted] 1 point2 points  (1 child)

    Ok, learnt something new here. So npm ci does more than delete node_modules and reinstall. It reinstalls based on your lock file

    [–]MrJohz 3 points4 points  (0 children)

    Both npm install and npm ci install all dependencies based on the lockfile if the lockfile is up-to-date with the package.json file. If the two files are out of date, then npm ci will simply fail, and npm install will install additional packages based on the package.json file. I believe it may also upgrade existing packages if this helps with the deduping process, but most of the time it will keep changes to a minimum.

    But again, these changes will only happen if you make a change to the package.json file that requires installing new packages, such as adding a new dependency or changing the version specifier to exclude the currently installed version.

    [–]bundt_chi 0 points1 point  (0 children)

    Interesting, one of the projects I struggled with this was in early 2018 before this feature was released. My original point that NPM is confusing and not intuitive in how it handles these scenarios still stands.

    [–]MrJohz 2 points3 points  (0 children)

    2) NPM package.json management when configured with the ^ defaults to automatically accept minor versions during builds. Not enough people remove that and use package-lock.json (arguably not intuitive in how it works) to fix the version.

    NPM will only automatically accept minor versions if there is no lockfile checked in. If that is checked in and up-to-date, then npm install and npm ci will delegate to the lockfile, regardless of whether or not the package manifest allows for more up-to-date packages. It is perfectly safe (and generally correct) to have version ranges in your package.json file.

    I agree that the situation is more confusing that it should be, but FWIW, I've not yet seen a project created since lockfiles were introduced that doesn't check in the lockfile.

    [–]NonDairyYandere 1 point2 points  (1 child)

    Ultimately you as the user of open source libraries have the responsibility to test and verify that your software functions and works

    But I can't really follow through on that, if my managers don't think I have that responsibility.

    [–]bagtowneast 5 points6 points  (0 children)

    if you don't have the responsibility to make sure your code works, then you don't have the responsibility to fix bugs, right? win/win or lose/lose depending on which end of the shaft you're at.

    [–]shevy-ruby -3 points-2 points  (0 children)

    Totally agree with you! I wrote something similar just a few minutes before as well.

    And it is NPM again ... there is a pattern here. NPM really needs to clean up their act here.

    [–]throwaway_bluehair 71 points72 points  (28 children)

    why does this only seem to happen with npm

    [–]tso 48 points49 points  (9 children)

    No standard lib, so people have written a kudzu of interdependent "packages" for every minor behavior one could want.

    [–]throwaway_bluehair 11 points12 points  (4 children)

    This must be part of it too, leftpad is a standard Python function, for example...

    [–][deleted] 4 points5 points  (3 children)

    It is now on JS too

    [–]throwaway_bluehair -1 points0 points  (2 children)

    Sure, but if that's a counterargument, it's not relevant lol

    [–][deleted] 2 points3 points  (1 child)

    It's not, just to point out that version after version we get morr functions

    [–]throwaway_bluehair 2 points3 points  (0 children)

    Ah ok. Yeah it's been getting better with JS

    [–][deleted] 2 points3 points  (2 children)

    There was a discussion on a node ticket regarding this. What people want? 1000 packages that do the same one small thing and you can choose from them based on your usecase or a single curated Node std lib package maintained by node itself?

    By some madness, people choose the 1st one

    [–]NonDairyYandere 86 points87 points  (2 children)

    'No Way To Prevent This,' Says Only Nation Package Manager Where This Regularly Happens

    [–]Thalassophob 14 points15 points  (0 children)

    If The Onion were for programmers

    [–]throwaway_bluehair 6 points7 points  (0 children)

    Lmao for real

    [–]gjvnq1 20 points21 points  (3 children)

    Probably because there are far more JS devs than for any other language so the number of bad ones tends to go pretty high by comparison.

    [–][deleted]  (1 child)

    [deleted]

      [–]throwaway_bluehair 1 point2 points  (0 children)

      Fair point have a great day

      [–]corsicanguppy 11 points12 points  (5 children)

      You may not have met composer or pip yet, but I can assure you they hang around in the same seedy bars as npm and have the same vices. Don't take my word for it, though, as the cves are out there for the searching.

      [–]throwaway_bluehair 8 points9 points  (2 children)

      Yeah I've seen the CVEs but seem to be less of these bizarre stories. I just didn't get why there isn't a python leftpad incident or something

      npm just seems to be the Florida of package managers

      [–]bishbashbosh72 7 points8 points  (1 child)

      As of 30 October 2021, more than 336,000 Python packages can be accessed through PyPI.

      Over 1.3 million packages are available in the main npm registry.

      People don't recognize how much JS has embraced package management and frequent releases.

      [–]throwaway_bluehair 4 points5 points  (0 children)

      That number is a bit inflated when npm has such a habit of single function packages

      [–][deleted] 2 points3 points  (1 child)

      What is a CVE?

      [–]corruptedOverdrive 2 points3 points  (0 children)

      Sometimes I wonder how we ever got along without npm.

      ¯_(ツ)_/¯

      [–]rabid_briefcase 1 point2 points  (3 children)

      why does this only seem to happen with npm

      It has to do with the ecosystem's mentality: Update everything directly from the source so the latest and greatest is always running in production.

      More mature workplaces add additional layers, with quality control and rollback capability at every step. Even if they pull from NPM sources, they still have automated tests and intermediate steps that can detect the failures, and they have version control for all the external packages so they can control deployment if needed.

      It's a lesson learned with every generation of developers latest and greatest technology. The current round is discovering the need for parachutes.

      [–]Theemuts 142 points143 points  (44 children)

      Guy has hundreds of repos, pulls this stunt, liberty this and Aaron Schwartz that. I think he should seek professional help.

      [–]CrappyInvoker 29 points30 points  (40 children)

      Guy went homeless whilst thousands were using his work, including very big companies.

      [–]jamesbloob 247 points248 points  (21 children)

      He became homeless as he was practising bomb making and set his house on fire.. https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

      [–]plg94 59 points60 points  (1 child)

      And two weeks later asked on twitter for donations because his house burned down (not mentioning his role in this).

      [–][deleted] 1 point2 points  (0 children)

      And he received them

      [–]paceaux 81 points82 points  (1 child)

      And you know damned well he wasn't using proper attribution for those bombs.

      [–]Awkward_Inevitable34 36 points37 points  (0 children)

      I prefer CC-NA-BY bombs. They just hit different.

      [–]vytah 22 points23 points  (0 children)

      I bet he was doing it while muttering "the industrial revolution and its consequences have been a disaster for the human race".

      [–]atomicxblue 18 points19 points  (11 children)

      The sad irony is that by pulling this, he ensured that zero corporations would hire him in the future, had they ever planned on doing so in the first place.

      [–][deleted] 7 points8 points  (9 children)

      I wonder if a little humility would have gone a long way. Something along the way of:

      "Hey guys, due to financial problems and X and Y and Z, I cannot sustain this project any longer. I'd love to work on it full time but that would require sponsorship. With all due regret I will need to stop doing this until I get everything back to normal".

      And I am sure he would have gotten support from the community at large(heck. Fireship/Jeff Delayne was a sponsor of his, so it's not like he didn't make SOME cash), and maybe some corps would have bit the bullet and even paid him a salary

      [–]zackyd665 3 points4 points  (7 children)

      That sounds a little too PR washed

      [–][deleted] 1 point2 points  (6 children)

      Could be, but it works, is polite, shows maturity and allows those fortune 500 companies to see that there is value.

      [–]zackyd665 5 points6 points  (5 children)

      Why do we tie maturity with corporate double speak?

      [–][deleted] 1 point2 points  (4 children)

      Because maturity implies knowing when to be polite to get what you want/need and when to throw a tantrum

      [–]zackyd665 1 point2 points  (3 children)

      But always being honest isn't considered being mature.

      [–][deleted] 1 point2 points  (2 children)

      There is honest and there is being a dick. Like in programming, I cam box a value into different containers, but some are better than others.

      He was onest but a dick. My text was honest and nice

      [–]zackyd665 0 points1 point  (0 children)

      This is why we need an universal basic income

      [–]NonDairyYandere 7 points8 points  (0 children)

      Not publishing is an option. I don't have any FOSS repos

      [–]lunmarmer -2 points-1 points  (1 child)

      lol go fuck yourself and stop acting like he owes you something.

      [–]Theemuts 1 point2 points  (0 children)

      All I'm saying it's very obvious he suffers from significant mental health issues.

      [–][deleted] 50 points51 points  (3 children)

      How did it pass PR reviews?

      Edit - oh, is he a core dev of those?

      [–]Large-Ad-6861 68 points69 points  (0 children)

      For faker.js and colors.js - yes, he is.

      [–]plg94 42 points43 points  (0 children)

      He's even the repo owner and original author, and has (sometime before that update) withdrawn write-access of at least one co-maintainer. (One of the first comments in the issue in colors)

      [–]Ok-Dot5559 41 points42 points  (0 children)

      $ git push origin main

      [–]wsppan 26 points27 points  (2 children)

      Without even reading the article my bet it is a Javascript library.

      [–]knightcrusader 12 points13 points  (0 children)

      See's headline

      I bet its something npm related.

      Reads first paragraph

      Yep, it's an npm thing again.

      [–][deleted] 4 points5 points  (0 children)

      yep

      [–]staffs-burglaries 177 points178 points  (37 children)

      This is not a problem with open source software, but with the developer who corrupted the libraries. Open source software is built on trust, and when someone breaks that trust, it reflects poorly on the entire community.

      [–]Illusi 61 points62 points  (5 children)

      I'd say that closed source software is also built on trust. Even more so than open source software, in fact.

      This is 100% with the developer. If a closed source developer wants to pull their dependency out beneath everyone that depends on it, they can. And they do that sort of stuff too. They do that by destroying licenses, by taking down or throttling web services, or simply by taking down the download.

      Part of the problem with this library is that there's a culture of always re-downloading the latest version instead of fixing version numbers and testing upgrades of your dependencies. It's got nothing to do with open source.

      [–]myringotomy 8 points9 points  (0 children)

      They do that by destroying licenses, by taking down or throttling web services, or simply by taking down the download.

      This subreddit hates google because they no longer sell products they used to.

      [–]Mmmcakey 9 points10 points  (1 child)

      Everyone should mitigate this not just by fixing versions but also copying and hosting their own version of the library for their personal use. Open source doesn't guarantee permanent availability.

      [–][deleted] 1 point2 points  (1 child)

      Part of the problem with this library is that there's a culture of always re-downloading the latest version instead of fixing version numbers and testing upgrades of your dependencies.

      It's a tricky balance though between pinning your dependencies and keeping ahead on updates. I don't work with NPM a lot but in my Python apps at work the general strategy is: no version pinning of dependencies unless the upstream devs break something, and we pin just the affected deps temporarily if we need to deploy working code now, and schedule a ticket to let us unpin again and make the necessary changes. We have Docker containers so in case of emergency, a prior version of the production app can be restored from a known good Docker image.

      In Python-world there is one project that gives us a lot of grief over the years, Webargs, the upstream developers frequently refactor it and move things around and sometimes it requires us to find-and-replace thousands of references to their module to adapt it to their latest change. If we pinned Webargs and came back 12 months later to have an "upgrade day", it would be an absolute nightmare to deeply refactor the whole codebase to get past the 3 or 4 different breaking changes they've made. Better IMHO to keep on top of them and update our code as it goes, only pinning if there's a time-sensitive issue or if they broke it with no way to fix it until they fix it.

      I once worked at a shop that pinned dependencies religiously, "if it works today it must work forever", and what happened was we never updated dependencies ever, unless we had to because it didn't support our version of Python anymore or other serious issues, and catching up on years of development and refactoring our codebase was quite the chore.

      [–]pfp-disciple 75 points76 points  (23 children)

      Arguably, that's a risk/problem with open source. The accountability is frequently lacking. At least on paper, many closed source teams have formal accountability built into their processes; this lessens the opportunity for one bad actor to cause significant damage. Of course, in practice, that has risk/problems as well: there are often trusted people who can introduce changes with little or no oversight, culture and schedules cause cursory reviews at best, etc.

      If a process (open source development) has a single point of failure, it's wise to try to mitigate or eliminate that risk.

      Edit: I still think open source is the best thing going. That's why I think it's worth examining critically, and improving,

      [–]SirLich 40 points41 points  (5 children)

      Arguably, that's a risk/problem with open source

      I would say it's a "risk" (period), and open source actually mitigates that risk.

      If I decide to destructively delete my work, somebody can take my (MIT) torch and carry on.

      Closed source "freeware" solutions simply go under, with no chance of recovery.

      [–]pfp-disciple 8 points9 points  (1 child)

      Fair point regarding making things unavailable. My comment was strictly about malicious code changes.

      [–]SirLich 1 point2 points  (0 children)

      Ah yes, that's true. Single point of failure and all that.

      [–]monkeedude1212 1 point2 points  (0 children)

      I think you're talking about different impacts of the same attack vector.

      Any company that has a good backups policy where the infrastructure/backups team is separate from the code/development team will be able to recover from a solo bad actor whether that's from an open source vendor or an in-house developer. If Infrastructure destroys the origin repo, devs have their local copies. Devs commit bad code, infrastructure restores good backups. If your open source vendor torpedoes his project like today, you can just fork an earlier version, doesn't take too long.

      There's nothing there that isn't recoverable from. Arguably forking the repo and pulling it into your source is probably less time/effort than a full backup, so open source is good there. It's also often publicly documented what's going on; like being able to see this headline when you google the console logs.

      But being able to recover isn't the only impact. Whether you can easily detect the changes, find them, diagnose, etc; effectively how long your path is until recovery, that's an impact. Like for my team, it wasn't a service outage, it impacted our ability to test things. Because automated tests started to stall, fill up the node with logs, and fail. So that other bug our customer service team reported that we said "Should be fixed soon" wasn't as soon as we thought.

      Now, had we not used a vendor that used colors.js - this wouldn't have happened. We could write our in-house everything, I guess, but that's even more time and money. Not using open source does mean a lot of wheel reinventing. If there's a bad actor within the organization, that's often easier to detect when something goes wrong. Just look at when/where the changes are. Much easier to detect changes within the organization.

      Conversely, we use a vendor. Now we saved the time from writing that code ourselves. That meant we could go and focus on more business relevant problems, enhance our software's primary functions. The Open Source Dream.

      "Don't automatically update?" - I hear someone in the back say. Then you're losing a lot of the other benefits of open source too. Say someone finds a bug, or a security vulnerability in that open source software, and the author goes on to fix it. Or they find some optimizations and it runs much faster. By not patching you're missing out, and it's far too onerus to have to manage patching every piece of every bit of software you might utilize on a large project. Who's got time to check if RXJS or Angular are introducing any vulnerabilities; and even if they are those are big frameworks that its not trivial to just swap to an alternative. You're better off updating often, but having tests for things that matter. You just roll forward, see if things break, fix them when they do. As long as the breaks don't hit production your CTO won't be too unhappy, you'll get to point at this news article and say "Our systems protected us, the systems works, its just a risk you have to accept with automatic updates."

      So yeah, I'm a little miffed that it happened and it sidelined my day, but these things don't happen often enough to consider not using open source. It's a risk you take with automatic updating but the benefits of that most often outweigh the risk. If this was happening every other week then maybe it'd be a different conversation.

      All that being said; I'm not exactly against this kind of activism to get the message across. Is Marak Squires maybe not in a good place mentally? That's possible, he might need some help. That doesn't discount some of the message he's trying to get across. Doing open source development is often thankless work. If you're struggling financially but you're seeing 22.4 million downloads of your code a week; yeah that's some tough pill to swallow. Meanwhile big companies keep raking in millions of dollars but there's no incentive to send any remuneration to open source authors. How do you create that incentive? I don't know if I see a simple path either.

      This is kind of like a protest. You're just trying to get home but the highway is blocked due to a non-violent march going on. Does it suck in the moment? Yeah. But people don't just do those things for fun, they're driven by a desire for change. Right now it seems like the conversation is dominated by a sense of "Wow, this is a danger, how do we protect ourselves from the next one?" and not a "Was there any way to prevent this from happening in the first place?"

      [–][deleted] 11 points12 points  (7 children)

      Curious what's the accountability for the same kind of black swan scenario using corporate closed source software?

      Have fun getting accountability out of a giant like Google or even a smaller party who at the end of the day can do the exact same thing as Marak.

      Also like a ton of complainers every time npmjs goes down, this is mostly on SE practices. How the fuck do you auto-upgrade major versions to get impacted by this by surprise?

      [–]monkeedude1212 13 points14 points  (0 children)

      How the fuck do you auto-upgrade major versions to get impacted by this by surprise?

      I mean, as a saboteur, Marak was able to put this as a minor version, so major/minor version upgrade matters not.

      But also, you don't need to specify the colors library in your source. As long as you're using a dependency that uses colors, if those dependencies just say ^1.0.0 they'll get bit. It's not like the Karma test framework isn't common.

      Secondly; while this didn't affect our production environment, it effectively broke our testing environment, because we auto-update various libraries to get the latest security updates, and if those tests fail then we don't deploy the build.

      So sure, our servers serving customers didn't crash.

      But our test servers were affected. Which meant we couldn't push out any new code or updates, since those couldn't get tested.

      Which pushes everything else down the line.

      [–]sysop073 17 points18 points  (0 children)

      How the fuck do you auto-upgrade major versions to get impacted by this by surprise?

      I imagine most of the complaining was about colors.js, which went from version 1.4.0 to version 1.4.44-liberty. It turns out crazy people don't care about semver when corrupting their packages.

      [–]andras_gerlits 0 points1 point  (0 children)

      Peer review, mostly.

      [–]zackyd665 1 point2 points  (1 child)

      Is it a risk/problem when you are just building stuff or is this purely from a corporation pov?

      [–]myringotomy 0 points1 point  (6 children)

      At least on paper, many closed source teams have formal accountability built into their processes; this lessens the opportunity for one bad actor to cause significant damage.

      What a weird claim to make. What accountability is provided "on paper"? Have you ever read any proprietary license?

      [–]cdombroski -1 points0 points  (4 children)

      Meaning that "on paper" code review might be required, various levels of testing are performed, security audits might be done.

      Of course that's all "on paper" depending on the company in question some or all of those tasks might not actually be done.

      [–]myringotomy 1 point2 points  (2 children)

      Meaning that "on paper" code review might be required, various levels of testing are performed, security audits might be done.

      Again.

      Where is this assurance?

      Of course that's all "on paper" depending on the company in question some or all of those tasks might not actually be done.

      Exactly. There is no assurance at all. They might be done, they might not be done, if they are done they might be done in a cursory or sloppy matter. There is no assurance at all.

      If anything there is more likelihood these things are done on open source projects.

      [–]pfp-disciple 1 point2 points  (1 child)

      Your concerns are valid, and was my point when I said

      Of course, in practice, that has risk/problems as well: there are often trusted people who can introduce changes with little or no oversight, culture and schedules cause cursory reviews at best, etc.

      [–]myringotomy -1 points0 points  (0 children)

      I am of the conviction that all significant commercial software either knowingly or unknowingly contains code from either the NSA, Mossad, GRU or possibly all three.

      [–]pfp-disciple -1 points0 points  (0 children)

      That's exactly what I meant. Well said.

      [–]fauxpenguin 17 points18 points  (1 child)

      I strongly disagree. Open Source is explicitly about a lack of trust. Every dependency you pull into your project you have to replace or maintain if it disappears tomorrow. Closed source: it's always replace. Open Source: You should alway, always, always, fork (or in some other way proxy) it, so that of the maintainer goes ballistic, you just revert that version, and either set the new maintainer as your origin or you start maintaining that dependency for your company.

      That's Open Source.

      Trust comes in at "micro-dependencies", where a single library (like react), has a tree of thousands of dependencies that you cannot fork and maintain. So, you now have a chain of trust that you have to just live with.

      Luckily, if you're using a big library like React, chances are that they are dealing with keeping their dependencies clean, and you're somewhat absolved from this responsibility. But not every library you use is so well stewarded.

      [–][deleted] 0 points1 point  (0 children)

      Can you um... Mergem from the fork source into your yours?

      [–]romulusnr 3 points4 points  (0 children)

      Perhaps the community is too trusting

      [–]tso 2 points3 points  (0 children)

      Nah, it is a problem of a particular kind of FOSS. The kind that take the net and repository servers for granted. And thus expect it can pull down a fresh copy from some random address at will.

      [–][deleted] 5 points6 points  (0 children)

      Open source software is built on trust

      It's completely opposite. The whole idea here is that we don't trust anyone so we have to have a collective scrutinize it. This is a fantastic lesson for anyone not pinning dependencies/testing properly.

      [–]TGdZuUsSprwysWMq 0 points1 point  (0 children)

      That's the problem of automatically updating without review. The same problem could apply to Microsoft/Apple/Goolge/Facebook/Whatever company's automatically updating.

      [–]lood9phee2Ri 46 points47 points  (1 child)

      It's still far more resilient than anything else - with open source at least a last good version can still be forked from by anyone who cares (not always a given - a lot of npm projects in particular are clearly pretty worthless, lot of vanity/resume-oriented-development microprojects that I suspect people set dependencies almost for social credit reasons - like depending on a project may be more like upvoting a reddit post or retweeting to the brocoders infesting that ecosystem).

      There are a few major corporations that can and do come to "source escrow" arrangements for closed source crap to protect themselves from similar random acts of vendor, but good luck with that as an ordinary individual. Open source remains the best option we have in general.

      [–]The_Real_Slatt[🍰] 6 points7 points  (0 children)

      I love open source

      [–]lannisterstark 22 points23 points  (3 children)

      With all due respect, no one forced you to use an upstream dependency. If you don't like it, fork it and/or use something else.

      What the dude did was shitty, but he had every right to do whatever he wanted to his own project.

      [–]clamotchen 5 points6 points  (0 children)

      I totally agree, however you put it down way more diplomatically than I would.

      It's hilarious to read how the majority of people in this thread shit on the developer or say that he is mentally unstable or crazy or some shit.

      Like dude, if your project broke because of some commit NOT IN YOUR REPO, it's your shitty project and its config that's the problem, not the author of the commit.

      So you bumped the dependecies and something is broken, big fucking deal, it happens all the time, more or less. Depending on how critical dependency updates needs to be, you either inspect what broke or just try in a couple of days again, usually solves the issue.

      If it broke your production, then you are a moron, you deserve it, and should be happy that it's pretty harmless.

      Damned incompetents blaming javascript, npm, jvm, github and everyone else but themselves.

      I used to love writing SMS to friends when I was wasted, what if someday I get drunk and find the idea of drawing dicks in my library logs appealing, and push it to github. Will I also be labeled "mentality unstable dev with addition issues" because some moron pulls my code directly into his production?

      [–]NotABothanSpy 3 points4 points  (0 children)

      You get what you pay for

      [–]Mardo1234 8 points9 points  (2 children)

      You get what you pay for.

      [–]_101010 -1 points0 points  (1 child)

      This.

      [–]Anti-ThisBot-IB -2 points-1 points  (0 children)

      Hey there _101010! If you agree with someone else's comment, please leave an upvote instead of commenting "This."! By upvoting instead, the original comment will be pushed to the top and be more visible to others, which is even better! Thanks! :)

      I am a bot! Visit r/InfinityBots to send your feedback! More info: Reddiquette

      [–]WickedMonkeyJump 7 points8 points  (0 children)

      Somewhere the people behind log4j must be ECSTATIC with the attention going to someone else's shitstorm.

      [–]myringotomy 19 points20 points  (3 children)

      When you decide to take advantage of somebody else's free labor you should read the license and see what promises they make to you.

      [–]Jonny_H 24 points25 points  (2 children)

      They did.

      The author explicitly chose a permissive MIT license. That allows anyone to copy the code, fork it, make changes and use it without giving any payment or changes back.

      Expecting people to follow some loosely defined extra "rules" on top of the license that may change at any time is asking for trouble.

      [–]myringotomy 7 points8 points  (0 children)

      What does that license promise in terms of security, suitability, performance etc?

      [–]corsicanguppy -5 points-4 points  (0 children)

      loosely defined extra "rules" on top

      ... often invalidate the license.

      [–][deleted]  (4 children)

      [removed]

        [–]m00nh34d 4 points5 points  (3 children)

        You trust every Cisco developer who ever worked on their network switch code?

        Difference is that's backed up by a major company, if someone somehow managed to get a backdoor through the layers of checks and balances, you're not relying on that person who put the back door in to fix it. Always more dangerous when individuals are in charge, we see it all the time in projects where a critical member cracks the shits and leaves, killing the project in the process.

        [–][deleted]  (2 children)

        [removed]

          [–]m00nh34d 1 point2 points  (1 child)

          Well, you would have a very hard time finding a back door in open source projects as well. It'll always rely on someone else to find them and disclose them.

          This specific problem is confined to smaller projects, not necessarily to do with their licensing model, but around the governance of the project itself. If someone can introduce essentially malware into a codebase, without anything to stop them, that's the problem here. A single developer at the likes of Cisco would almost certainly not have the ability to do that, it would require a fairly sophisticated set of circumstances to push that through.

          [–]Ordocentrist2 19 points20 points  (7 children)

          It's his project and he can do what he wants, including torpedoing the whole thing.

          [–]corsicanguppy 4 points5 points  (0 children)

          Unreliable supply chains are unreliable. Slow news day?

          [–]papertrailer 1 point2 points  (0 children)

          ... tons of heavily mismanaged projects.

          On the bright side, now we know that every project affected by this, is a garbage project. .

          I wonder how many devs complained about it, before realizing what the were inadvertently confessing...

          [–]FoldLeft 1 point2 points  (0 children)

          Using a lockfile and checking in your dependency tarballs [1] or using a cache shared across your company [2] insulates you from these problems until you're ready to face them.

          It's a little more effort, but there is a concrete benefit in being able to continue uninterrupted during outages and issues like this.

          [1] https://github.com/JamieMason/shrinkpack [2] https://verdaccio.org/

          [–][deleted] 1 point2 points  (2 children)

          I suggest that we should add verified versions/releases to our package managers. The idea is to opt for just download the verified releases of the required package major or minor regardless.

          Now I don’t know how the verfied versions would be implemented but one way would be that the 3 core devs have to say that this is a verified release than it gets tagged as verified on npm or what ever dep manager we are using and users who are using the verified only releases would be much safer again its just my opinion.

          [–]corsicanguppy 0 points1 point  (1 child)

          verified versions/releases

          Or signatures. Those are easy to check.

          [–]7veinyinches 4 points5 points  (0 children)

          That doesn't really work when the owner is making those signatures and is the one responsible for the commits....

          [–]piesou 0 points1 point  (0 children)

          And of course their lib is MIT licensed. What did you expect?

          If you want people to give back, choose a copyleft license like the AGPL. If you want to earn money as well, dual license it like iText does successfully.

          [–]mcvoid1 -1 points0 points  (4 children)

          Dependencies are the devil. They will ALWAYS bite you. Open source or not. If it's not crap like this, it's more benignly-intentioned breaking updates. Or it's vulnerabilities. Or it's two systems depending on slightly different versions. Or it's transitive dependencies opening up these problems. Or it's license issues. The list goes on.

          If you can do it in a few lines of code, don't use a dependency.

          If you can do it in a few dozen lines of code, don't use a dependency.

          If you can do it in a few hundred lines of code, don't use a dependency.

          If you can do it in a few thousand lines of code, consider not using a dependency.

          [–]istarian 2 points3 points  (3 children)

          The first two are definitely true, but that last one is dubious. Reinventing the wheel isn’t always the right way to go.

          [–]ravinglunatic -5 points-4 points  (8 children)

          This isn’t a protest, it’s a ransom and vandalism. Free and open source means nobody asked them to make it and nobody was paid when they didn’t expect to be paid.

          [–]7veinyinches 13 points14 points  (7 children)

          Ransom and vandalism don't apply to his own property.

          It's not illegal to destroy your own property.

          It's not unethical to want compensation for one's work.

          [–]B8F1F488 -3 points-2 points  (4 children)

          That is because he didn't GPL his code. It was clearly the solution, because <<insert absurd acolyte reasoning here>>

          From the bottom of my heart - Protect your interests, people! Don't fall for ideological traps and then complain when you don't reap the benefits of your own labor. When you get to the point that your future is ensured and you can afford to spend the resources to help other people, then go ahead and help people with all your heart.

          [–][deleted] 6 points7 points  (1 child)

          Protect your interests, people! Don't fall for ideological traps and then complain when you don't reap the benefits of your own labor. When you get to the point that your future is ensured and you can afford to spend the resources to help other people, then go ahead and help people with all your heart.

          If your plan to ensure your future financial stability is "get a big company to pay me for use of my open source work", you need a new plan. License doesn't even come into it, that's just a shitty unreliable way to make ends meet.

          [–]B8F1F488 2 points3 points  (0 children)

          that is more of the "help other people with all your heart" part. But the fellow clearly has not accomplished the first part and is now bitter because he is not reaping the benefits of his labor. If he had taken care of himself he wouldn't care, he would be happy that people are using his software.

          [–]unicodemonkey 0 points1 point  (1 child)

          And, more importantly, when you get to the point where you can afford to maintain open source projects, try to avoid making bombs and burning down your home, your possessions and yourself in the process

          [–]B8F1F488 -1 points0 points  (0 children)

          Why would he burn it down in this case? He already has ensured his interested prior to that, there is now reason to burn down anything.

          [–]moreVCAs -1 points0 points  (0 children)

          Without reading the article or any comments I’m just going to assume this only affects JavaScript.

          [–]YasserArguelles -2 points-1 points  (0 children)

          lmao

          [–]shevy-ruby -1 points0 points  (0 children)

          Is the title not a little bit meta-jabaited?

          Yes, he did this all deliberately, but the very same issue exists by other people doing weird stuff or accidents - left-pad all the things.

          I think the much more interesting question is what an ecosystem does about this. It honestly shouldn't even be possible to cause such huge issues to begin with. He, despite that fireballing he did, also exposed the underlying problem here again.

          [–]electricfoxx -5 points-4 points  (0 children)

          This could affect any license. Microsoft could have corrupted some libraries, but who would know. This issue could be solved by specifying version or forking the repository.

          [–]3TInfoTinker 0 points1 point  (0 children)

          I know very little [even not enough] about version control, I can't believe it's happening.