FLOSS developer intentionally corrupts his libraries and has multiple dependent applications print out garbage, stating that "I am no longer going to support Fortune 500s [...] with my free work."

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

#FLOSS #labor

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps

Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised if the NPM libraries had been compromised, but it turns out there's more to the story.

BleepingComputer

@fcr The most telling part is that GitHub suspended him.

No FLOSS developer should be on GitHub after this.

@fcr fascinating to watch a disobedience strategy to negotiate with big capital. However, the demand for a six-figure salary is individual and lacks solidarity & collective action. The debate whether such an act is justified or not avoids the topic of copyleft, used as a collective, systemic solution to corporate exploitation.

@fcr I have a lot of respect for BSD license/software, but BSD developers were badass enough and had institutional support to just let go of their work. The new wave of contributors of the NPM ecosystem swallowed the pill of the MIT/Apache default. No headache with a viral license, right? Also better for companies, right? And there you have it.

@fcr I wouldn't say the NPM ecosystem has a lot in common with community or a concept like "software as a garden". It's an environment of harsh competition where old bundlers and frameworks are not taken care of but deprecated and replaced by new, better and faster ones every year. An ecosystem of much innovation - perhaps - but vulnerable to corporate cherry-picking of projects and to spitting out burnt-out developers.

@rysiek

@fcr non commercial license is where it's at
@fcr good for him
@Gulfie @fcr It wasn't really, the platforms reverted the change and blocked his access :/
@errant @Gulfie @fcr well fuck
@errant @Gulfie @fcr so I mean they have basically just stolen his code

@fcr If you don't want to support Fortune 500s with your free work, don't publish your work under the MIT license.

I can't fathom people in this thread are siding with him. This is a breach of trust in the open source world. The updates were purposefully malicious.

He was allegedly also making a bomb and set his house on fire:

https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

Queens man charged after bomb-making materials found after fire in Astoria

The investigation continues into the discovery of bomb-making materials after a fire inside a home in Queens, and the neighbor who first noticed something strange is speaking out about what led authorities to the suspect.

WABC-TV
@Gargron The open source world could use more breaches of trust in that case, because it could just as well have been actively malicious, like the last three times, instead of just causing an infinite loop.
@ChlorideCull @Gargron getting angry at this guy is similar to getting mad at people who block traffic when protesting imo. His actions might not have been "right" but this is someone driven to what is arguably a mischievous act of protest by a system that is often exploitative. At some point it's going to break down more than it already has and this is probably just a symptom of that.
@Gargron @fcr It reads more to me like another victim of the pandemic-induced mental health crisis. Also Eugene, nice avatar, you look good!
@Gargron @fcr It was obviously a desperate move, but the developer was treated like a modern-day slave by GitHub - something that would never happen if he had his code in his private repo (GitLab, Gitea, etc.). A strong argument to NOT keep your code on corporate servers.
@Gargron @fcr It's always our responsibility to audit the code. Always. No excuses.

Open source does not mean safe, it means auditable.

Also, unless you audit the code AND compile from source, it's no different from closed source.