12 March 2022

Companies be careful: Your open source salad may go kaput if you don't perform basic checks

When providing my expertise to a company as a consultant many months ago, I reviewed their code and architecture. One of the suggestions, which I put to them as a question, was whether they maintained backups of the various versions of the open source code they used. That question seems ever more relevant now.

Today, I came across a shocking article by Niclas Gustaffson, which outlines how an open source developer introduced malicious code into his own open source project as a mark of protest. This went on to cause problems even in a large company that used the code.


What did he do?

According to the article, the developer, Marak Squires, introduced an infinite loop...

for (let i = 666; i < Infinity; i++;) {

...which caused a Zalgo text issue: gibberish appeared on the screens of anyone running projects that used some of his code.

The gibberish that appeared on one user's screen

The changes were made to colors.js (2,67,01,901 weekly downloads and allegedly, 19K projects dependent on it) and faker.js (apparently used to have 2.8 million weekly downloads and 2.5K dependent projects).


Why he did it

Marak had apparently announced in Nov 2020 that he'd no longer be supporting large companies who used his software for free.


Why this isn't right

When anyone is accepted into the open source community as a creator or a contributor, it's done with a great amount of trust and respect. It should be an honour for a person that so many people use their open source project. If Marak didn't want to support large companies unless they paid him, he could have announced that he was no longer working on the project and stopped updating the repository. By introducing malicious code, he broke everyone's trust and even maligned the good reputation of the open source community. This is a stark contrast to all the responsible developers who have built reliable systems like Linux, Git, Firefox and so many other open source projects.


What can be done by companies?

  • Well, first of all, set up a CI/CD system right from day one. There are companies involved in projects of high importance (I'm not going into details) which do not have such basic infrastructure set up. The CI/CD infrastructure will ensure that you always have multiple working, shippable versions of your software even if the latest build broke.
  • Keep backup versions of all the open source code you use. Remember that the code comes with no guarantees.
  • Build a test-run framework where you can test the latest version of a project before you actually deploy it to a customer-facing server.
  • Have a security team perform an audit of all your code, including the open source libraries you use. Learn about zero-day exploits.
  • Consider donating to open source developers, Wikipedia, StackOverflow or any other such source where you get knowledge and resources for free. There are many ways to contribute.
  • Consider involving your developers in open source projects. Not on their time. Do it on company time. I know ThoughtWorks allows this.
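As an added example (not part of the original post, and not code from colors.js or faker.js), here is a small Node.js script that performs the kind of basic dependency check the list above calls for, before a new version of an open source library reaches a customer-facing server. It reads a project's package.json and package-lock.json and flags three things: dependencies declared with floating version ranges (which let a newly published release flow in automatically), lock entries with no integrity hash (so the downloaded tarball cannot be verified against what was reviewed), and locked versions that differ from the versions the team previously audited and backed up. The package.json, lock file, approved-version list and version numbers below are constructed sample data; the lock file layout assumed is npm's lockfileVersion 2/3 `packages` map.

```javascript
// Added example: basic pre-deploy checks on npm dependencies.
// All sample data below is constructed; it is not a real project's files.

// An exact pin is MAJOR.MINOR.PATCH with an optional prerelease tag and nothing
// else. Anything with ^, ~, *, >=, "latest", etc. is a floating range.
function isExactVersion(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(range);
}

// Check 1: every declared dependency must be pinned to one reviewed version.
function findFloatingRanges(pkg) {
  const offenders = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(range)) offenders.push({ name, range, field });
    }
  }
  return offenders;
}

// Check 2: every locked package must carry an integrity hash, so `npm ci`
// refuses a tarball that does not match what was reviewed.
function findMissingIntegrity(lock) {
  const missing = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry has no integrity field
    if (typeof entry.integrity !== 'string' || !entry.integrity.startsWith('sha512-')) {
      missing.push(path);
    }
  }
  return missing;
}

// Check 3: the locked version of each package must equal the version the team
// audited and keeps a backup of (the approved list is maintained by the team).
function findUnapprovedVersions(lock, approved) {
  const drift = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.replace(/^.*node_modules\//, '');
    const expected = Object.prototype.hasOwnProperty.call(approved, name) ? approved[name] : null;
    if (expected !== entry.version) {
      drift.push({ name, locked: entry.version, approved: expected });
    }
  }
  return drift;
}

// Run all three checks and summarise; `ok` is true only when nothing is flagged.
function auditProject(pkg, lock, approved) {
  const report = {
    floatingRanges: findFloatingRanges(pkg),
    missingIntegrity: findMissingIntegrity(lock),
    unapproved: findUnapprovedVersions(lock, approved),
  };
  report.ok = report.floatingRanges.length === 0
    && report.missingIntegrity.length === 0
    && report.unapproved.length === 0;
  return report;
}

// Constructed sample inputs (package names are the ones discussed in the post;
// the version numbers and hashes are made up for the example).
const samplePackageJson = {
  name: 'example-app',
  dependencies: { colors: '^1.4.0', faker: '5.5.3', 'left-pad': '1.3.0' },
};

const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/colors': { version: '1.5.0', integrity: 'sha512-CONSTRUCTEDHASH' },
    'node_modules/faker': { version: '5.5.3', integrity: 'sha512-CONSTRUCTEDHASH' },
    'node_modules/left-pad': { version: '1.3.0' }, // no integrity hash recorded
  },
};

const approvedVersions = { colors: '1.4.0', faker: '5.5.3', 'left-pad': '1.3.0' };

function runSampleAudit() {
  const report = auditProject(samplePackageJson, sampleLock, approvedVersions);
  console.log(JSON.stringify(report, null, 2));
  return report;
}

runSampleAudit();
```

In the constructed sample, the script flags `colors` twice (a `^` range in package.json and a locked 1.5.0 that was never approved) and `left-pad` once (no integrity hash). Wiring a script like this into the CI/CD pipeline as a gate means a maintainer pushing a surprise release cannot change what gets deployed until someone has reviewed the new version and updated the approved list.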


I condemn what Marak did. However, it also reminded me of the various ways in which deserving people like scientists are exploited (they make discoveries and publish them but don't get royalties or anything in return, even when companies use those ideas and massively profit from them), while undeserving and deceitful people like fake god-men and other corrupt people and certain corporations are given respect and are allowed a pompous lifestyle by a gullible society.

Anyway, open source developers, please maintain your integrity.

2 comments:

Anonymous said...

Contrarian take:

I disagree with the last paragraph - no one is being willingly exploited. You use words like "deserve" and "undeserving" - who decides this? As a follower of free market economics, nobody deserves anything - value is dictated by supply and demand of market forces.

A scientist who works in a lab has already made the transaction - he has traded risk for stability (paycheck, insurance, etc.) so that he can do his work in peace. Nobody owes him more than that - whether or not his idea works out commercially, he is still assured of getting a salary.
If he feels his work can be commercially viable, he should take the risk and strike it out on his own. If he wins, he wins big and if he is wrong, it would be his loss.

Similarly, open source developers who spend time and effort should also look at the best way to monetize it - he has all the liberty of software licenses to do so. So this is just pure frustration, nothing else on his part.

Nav said...

Who decides this? Well, in this case, I decided it :-) The free market concept cannot be used to justify exploitation. Please search the internet for "why are researchers not able to earn from research papers".