FLOSS developer intentionally corrupts his libraries and has multiple depending applications print out garbage, stating that "I am no longer going to support Fortune 500s [...] with my free work."

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

#FLOSS #labor
fascinating to watch a disobedience strategy to negotiate with big capital. However, the demand for a six-figure salary is individual and lacks solidarity and collective action. The debate over whether such an act is justified or not avoids the topic of copyleft, used as a collective, systemic solution to corporate exploitation.
I have a lot of respect for the BSD license/software, but BSD developers were badass enough and had institutional support to just let go of their work. The new wave of contributors in the NPM ecosystem swallowed the pill of the MIT/Apache default. No headache with a viral license, right? Also better for companies, right? And there you have it.
I wouldn't say the NPM ecosystem has a lot in common with a community or a concept like "software as a garden". It's an environment of harsh competition where old bundlers and frameworks are not taken care of but deprecated and replaced by new, better and faster ones every year. An ecosystem of much innovation, perhaps, but vulnerable to corporate cherry-picking of projects and to spitting out burnt-out developers.

@rysiek
also, a way better strategy is to release stuff under the AGPL. Big Tech is allergic to it.
If you don't want to support Fortune 500s with your free work, don't publish your work under the MIT license.

I can't fathom people in this thread are siding with him. This is a breach of trust in the open source world. The updates were purposefully malicious.

He was allegedly also making a bomb and set his house on fire:

https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/
yeah, I am not siding with the developer. His actions were shitty.

I am underlining the fact that:
1. Microsoft GitHub will block your account if it doesn't like the changes you make to your own code;
2. AGPL is a way better choice of license if one doesn't want to support Big Tech.
Regardless of if it's your code or not, if you upload malware into a widely used software package you deserve to have your account blocked.
I do not see them as *malicious*. These were not cryptominers, there was no data-stealing code, it just rendered the libraries unusable.

"Mischievous" is the word used in the original story, and I think that's a way more accurate description.
It didn't just make the library output the wrong value, it introduced an infinite loop, which in my view constitutes a denial of service attack.
I can see why you feel that way. Personally, to me it does not cross the "malicious" line -- partly because this is something that should be trivially caught in any pre-deployment testing.

We can agree that this is not an acceptable behavior for a FLOSS developer, and it is in fact irresponsible.

That said, I do think focusing on the developer's (shitty) action is less useful than focusing on the bigger problem of open-source software developers doing free work for Big Tech.
They brush over these issues as if they were a "misunderstanding" on the part of people reporting them.

I'm afraid that the Unix philosophy doesn't really work these days. You can't trust hundreds of developers and their code for the most basic JS project.
NPM has little to do with the Unix philosophy. Unix/Linux is maintained in distributions where the quality of the toolset is taken care of by the core teams. See projects like Gnome or KDE. Nothing like this in NPM, which more closely resembles a laissez-faire market.
this has nothing to do with distributions. In Debian or Fedora, or Arch, or any other Linux distro, the *packagers* are responsible for quality of the packages that are published in the distribution-specific repository.

In your example the Angular people just pull random crap from Teh Intertubes and hope for the best.

It's not even comparing apples to oranges, it's comparing apples to the number three. 🤷‍♀️
is changing things, but they went with "install from src" + bigger StdLib. So... no packagers yet.

@movonw @Gargron @fcr
yes, I really like deno.land approach to things!
i suspect many FOSS developers have been caught off guard when some Fortune 500 company starts using their code: “oh, so i didn’t actually want it to be free for everyone. i just wanted it to be free for hobbyists and small cutesy mom and pop shops. if you’re making millions, i want my fair cut, but i didn’t realise that until it happened to me.”
yup. Hence the sudden rise in weird "anti-capitalist" licenses that actually make the situation worse by fracturing the FLOSS ecosystem.
I can't say I'm surprised about no. 1. GitHub, like most of these big companies, has a "We can close your account and remove your content at any time for any reason" clause in its TOS. The code is still his, but GitHub is not obligated to host it.
oh I agree and have recognized that for years.

My feeling, however, is that a lot of people miss that fact. And then act surprised.
@Eugen 🎄 @fcr It was obviously a desperate move, but the developer was treated like a modern-day slave by github - something that would never happen if he had code in his private repo (gitlab, gitea, etc...). A strong argument to NOT keep your code on corporate servers.