LWN: Comments on "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)"

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

Darkstar — Mon, 31 Jan 2022 09:51:04 +0000

Developer gives something away for free, then gets angry that people use it without paying him.

I wonder if that developer actually understands anything about this Open-Soure thing that he seems to like so much

a general strike ...

pebolle — Sat, 15 Jan 2022 18:34:07 +0000

> It's an old story, and I have a lot of empathy for folk that gave, and gave, until there was nothing left to give.

In https://lwn.net/Articles/880954/ I wrote, just a few days ago: " I think we should be very careful about what happens when we expect more than just software freedom."

Apparently what can happen is what you describe. Which reinforces my belief we should seriously reconsider expecting more from everyone involved than simply providing and using Free Software.

a general strike ...

mtaht — Sat, 15 Jan 2022 17:31:28 +0000

I have sometimes thought about going "on strike" for the things I've been stuck maintaining for too many years, basically removing the repository *temporarily*,
with a brief note as to why, but absolutely *not*, corrupting it. A "general strike", for a day, like that, might be a potent force for change in how maintainers are treated (but could backfire badly). I remember when we turned the web dark for a day, in protest, once upon a time.

Instead I've tried really hard to "pass on" the things I no longer want to care for, pointing users at the new maintainers location, as being the civilized solution. I'm pretty sure at this point, if I deleted my github account entirely, few would notice,
and I'm glad of that.

Others face burnout if their stuff becomes overpopular, and have no exit strategy,
and handle desperation badly. It's an old story, and I have a lot of empathy for folk that gave, and gave, until there was nothing left to give.

http://the-edge.blogspot.com/2003/06/wireless-connection.html?m=1

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

kreijack — Sat, 15 Jan 2022 09:59:27 +0000

I think the key point is that it was an *intentionally* sabotage action.

However I agree with you that the GITHUB action requires some reflection: what happened if the developer changed the API in a not compatible way; what I means is that what happened if the intention was not explicit.

Let me to be more operative: which is the owner of the tag/branch of a repository ? And if the author of the project is the owner, where start the responsibility about possible damage.

Anyway, if a site crashes because an uncontrolled fetch is performed, the site has a bigger responsibility in the fault. It is like if a grocery store sells milk without checking the expiration date .

BR
G.Baroncelli

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

jebba — Fri, 14 Jan 2022 05:36:34 +0000

Could be. It's probably safest to assume that and the that multi-billionaire VC is playing nice.

I saw those news articles, the name matched, and it said he was a software developer. Though I'm a bit hesitant to say that's 100% him because I've seen that go awry on the Internet often enough (cf. history of reddit). I assume it is though... I tried to find follow up stories about the fire and search for a court case, but I didn't see anything else about that. I didn't see anywhere else mention Retool. Their site appears to have a lot more than just some faker.js API.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

jschrod — Fri, 14 Jan 2022 00:14:23 +0000

Concerning the credibility of the developer, a comment above you is the information that he burned his own home while building a bomb.

In other fora, I have also seen credible links concerning this affair.

Maybe this guy is simply a lunatic?

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

jschrod — Fri, 14 Jan 2022 00:10:23 +0000

The developer in question burned his own home while building a bomb.

Talk about stress... ;-)

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

gmgod — Thu, 13 Jan 2022 12:24:11 +0000

That doesn't work if the project is not heavily relied on yet... And even then, it's quite a bet... If no one shows up for a while, your libbwill just become obsolete and the day you say "ah dang it, people are flocking away, let's implement the rest", you've lost.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

gmgod — Thu, 13 Jan 2022 12:19:53 +0000

Yes, key word is "nice". It's not an obligation... People do stupid things and to be fair to them, when people read "this is free lunch, you can do whatever you want with it" they rarely think "what they do is admirable, I rely on that free lunch fairly often, let's pay for it".

I am aware the metaphore is not correct (a lunch cannot be copied, it does not get better in quality for all if you pay for yours specifically...), but in people's mind this is how they see things.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

gmgod — Thu, 13 Jan 2022 12:08:45 +0000

Ah this... While I do feel sympathy for the dev, his point is vastely undermined by having chosen a MIT licence. You can't say "you can do whatever you want with my library" and then "hey why are you doing what you want and not contributing back?"...

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

anton — Wed, 12 Jan 2022 18:20:23 +0000

No, the idea in free software is not that all software should be distributed under a free license, but that all distributed software should be free. There are statements by RMS that say that there is no obligation to distribute modifications.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

developer122 — Wed, 12 Jan 2022 01:34:49 +0000

There are other ways to fund development.

Bountysource is a successful example. Interested parties contribute towards implementing a feature or resolving an issue and the total rises until someone is compelled to close out the issue and collect it. With the various changes in coreboot (relocatable ramstage, transition to the new resource allocater, etc) being mostly discrete events this is a feasible avenue. It's analogous to the conversion of GCC's AVR support to a different backend which was successfully accomplished this way.

BIOSs *aren't* the kind of thing that normally require a lot of continual development effort. It's how Libreboot has hung around so long on older forks.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

developer122 — Wed, 12 Jan 2022 01:28:06 +0000

The problem is that isn't all that coreboot is. It's most *famous* as an aftermarket BIOS for thinkpads and other consumer motherboards and still accepts ports to new consumer boards that are long out of production.

There isn't a corporate backer for the support of these boards, so dev time is considerably more constrained. It didn't help that AMD dumped a bunch of code and then stopped supporting it when they fell on hard times, but here we are. That code now underpins a bunch of community-used platforms.

There's a lot of tension, with the corporate side and it's funded development waiting for the community-supported side to catch up on all new developments, but obviously not being unable to spend resources on them.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

jengelh — Wed, 12 Jan 2022 00:53:23 +0000

>"I'm fed up with 'freeloaders' so I'm making my software inoperable for *everyone*"

I would contest this. If you were on a deserted island and had an existing copy of colors.js code, it would keep running. AFAICS, colors.js does not depend on an external blackbox (e.g. a networked service).

If a new colors.js version deletes files, who's to say it's malice? Zawinski's law need not be specific to e-mail, for all it's worth, colors.js could have grown to the point where it can delete files (of course, with colors). It could be running as specified, and would preclude you no more from running colors than /bin/rm would.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

jebba — Tue, 11 Jan 2022 19:39:27 +0000

This appears to be the best account of what happened, from the developer's perspective:

https://web.archive.org/web/20210628030444/https://marak....

Note: I have no idea about his credibility or how true this is, but it is at least his side of what is going on, which may be relevant.

In sum, he says he created a SaaS version of faker.js, and the company Retool copied it all, including deep linking to his images. Retool had received $76 million in VC at that point ($96 million now), and included heavy hitters such as Sequoia Capital and Nat Friedman (former Github CEO).

https://www.crunchbase.com/organization/retool/company_fi...

So it appears there was a lot of money, according to the developer, he just got screwed out of it.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

fman — Tue, 11 Jan 2022 16:01:15 +0000

Yeah. He promotes go's behaviour over npm's, even if what he praises is exactly what package-lock.json[1] does (if deployed that is)
[1]: https://docs.npmjs.com/cli/v8/configuring-npm/package-loc...

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

Kluge — Tue, 11 Jan 2022 14:43:22 +0000

No. The obligations *required* by Free Software licenses are black-and-white. That's because licenses are legal documents.

Outside of the licenses themselves, there are disagreements about what the ethical and social obligations are. Hence this discussion. For instance, some people think the "ASP loophole" and "tivoization" are ethical issues, some don't.

Stallman himself has suggested that Free Software development should be funded by taxes, which would make "giving back" a legal obligation.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

Kluge — Tue, 11 Jan 2022 13:40:44 +0000

You've switched from talking about the ethics and obligations of Free software/OSS to civil liability and website terms of service. Those are different things.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

mfuzzey — Tue, 11 Jan 2022 13:38:15 +0000

It seems like a bit of a grey area.

>malicious change in the code after the user has authorized it,

If the user authorized v1.1 and then the developer pushes a new malicious v1.2 can this be considered a change after authorization?
Of course if he rewrote history to replace existing tags with malicious code then this could apply (not sure quite what happened here the original article mentions "forced push" so maybe he did)

The "extorsion" part is pretty unclear too.
That seems more about stuff like ransomware where there is a defined victim and the purpertrator says "pay me and I'll restore your data" .
This case is more like the dev saying "I'm fed up with 'freeloaders' so I'm making my software inoperable for *everyone*"

So like you I'm doubtful any legal action will be taken on this, even if there may be grounds to do so.

But even if nothing happens legally it's a really stupid move for the developer in question.

In open souce individual reputations matter, globally; if you do something stupid in a company even if you end up getting fired it probably won't be *too* prejudicible to your future employment elsewhere, sure you may not get a great reference but other employers will probably take that with a pinch of salt as they don't know what really happened, your reputation is pretty much internal to the company.

But if you publicly attack your users as a OSS dev you've burnt all your trust with the entire community. And as it's all public that's also likely to greatly reduce your chance of getting hired even for non OSS related roles.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

farnz — Tue, 11 Jan 2022 13:07:10 +0000

Noting that NPM provides npm shrinkwrap to avoid precisely this case - if you use it as documented, then no automatic version changes take place.

Which means this is an interesting case to consider, and would probably make new case law - how much of an implicit guarantee do you actually have if you authorise your tools to take updates unsupervised?

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

farnz — Tue, 11 Jan 2022 13:04:38 +0000

The interesting question in your analysis is whether the user authorized the change by telling NPM (or equivalent) to take the latest version from the author. This would make a fascinating test case to get to the bottom of, since NPM recommends using an npm-shrinkwrap.json file for CLIs which locks dependencies to precisely the tested version.

So, did the publisher of the code the users tried to install via npm install intend to authorise any code from the original author of their dependency (and thus there's no criminal computer misuse, there's just a breach of trust to be handled via the contracts you have, or don't, with that author)? The lack of an npm-shrinkwrap.json implies, after all, that you're happy to trust the author's publication of versions you've not tested.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

jlicht — Tue, 11 Jan 2022 12:54:06 +0000

I don’t think most of moral philosophy can be filed under ‘hot air’, but I understand with the bigger point you are making.

I also think that you are under no moral obligation to be good steward for any project if you’ve not entered into a contract that states otherwise, so breaking compatibility in your example seems fine to me, even if you additionally have a “Pay me money and I’ll support your legacy stuff going forward”-esque protection racket going on.

A fundamental difference between this example and the physical world is that there is zero reason for them to ever upgrade, and they could have always chosen to fork+freeze the version of the software they were clearly happy with. In that sense, this entire situation (and your example) is a gaggle of folks misunderstanding that just because there is now a new, yet objectively shoddy deal on the table, does not mean you could/should not simply keep using the older (working) stuff. Pretending this is some sort of Open Source apocalypse and praying to Powers That Be to save and regulate us all is misguided at best. The ‘guilty party’ for the damages should be the folks who authorised the automatic upgrades without any oversight in the first place; I hope they learn that the social contract known as SemVer is simply that; a shared understanding, but not something that can easily be enforced. Act accordingly, and mitigate any risks that you deem unacceptable.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

eduperez — Tue, 11 Jan 2022 11:56:58 +0000

Or you can open a funding channel, set a price for your time, and work on the project accordingly to the funds received.

No money? No maintenance!

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

jd — Tue, 11 Jan 2022 11:27:58 +0000

IANAL and so the below is purely an uninformed lay interpretation of the law as it would seem to be written.

If the code is intentionally booby-trapped through a malicious change in the code after the user has authorized it, then at least in the UK, there'd probably be a sound case under the Computer Misuse Act sections 3 and 3A whether or not my interpretation of it is correct.

Now, obviously here, the code was uploaded in the US and GitHub is a US company, so US law probably applies (although if a UK company got burned, Internet jurisdiction issues get interesting).

In US law, I see this:

18 U.S. Code § 1030 - Fraud and related activity in connection with computers
(7)with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(C)demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;

Since the purpose was to demand contributions, and thus "other thing of value", where the damage was indeed caused to facilitate that demand, this might be arguable. There may be more clear-cut laws on this, and I suspect companies would be looking especially given the cost, not to mention the publicity and risk if any case was lost, but the action - because it was coupled with demands - would appear on the face of it to be in violation.

I'm not confident any action will be taken, especially if this remains low profile. There is relatively little obvious benefit and the potential for fallout across the Open Source community would be high, especially amongst the more libertarian in the community. But there would appear to be laws broken.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

jd — Tue, 11 Jan 2022 10:46:20 +0000

Well, ish.

There are laws that prohibit malicious interference in a computer's operations, so deliberately, stealthily planting malicious code inside valid code for the purpose of causing harm and then distributing it with that purpose in mind is something he has no legal right to do. It is indeed "his code", which gives him the right to do whatever he likes with the stuff he doesn't distribute. It may be plastered with "no warranty" and "no fitness for purpose" disclaimers, but these exemptions aren't going to cut the mustard when it comes to a deliberate attack on other people's machines from a change of purpose that constitutes running unauthorized code on the victims' machines.

There are two differences between this and a bug. Firstly, there is both a provable intent to cause harm. Secondly, there is a change in the purpose of the code such that the code that is executed cannot be considered the code that was authorized.

He's unlikely to face any kind of legal consequence, but that's not because it's his code, because it's Open Source or because the software carries disclaimers. Rather, it's because there's no obvious benefit.

Your second point, I absolutely agree with. New code, whether from Microsoft, Oracle, or more reputable sources like the Open Source community, should be isolated and tested before any deployment takes place, with all deployments being local. It delays fixes, but given that bugs in updates have been known to brick - or severely cripple - systems in the past, this should be de rigueur. This goes double for all "mission critical" systems (where the company cannot function without them or where the cost of an outage is significant). These should be updated with far greater care still, although I've never been convinced by the paranoia of some places where such code is never updated at all and you end up with systems that are unpatched for 20+ years.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

pebolle — Tue, 11 Jan 2022 10:26:25 +0000

> These days there is a cultural expectation in the FLOSS world to contribute back, with bug reports, patches and funding where appropriate.

But the other side of that expectation is that developers are then expected to handle bug reports, review patches, use the funds to enhance their projects. So these expectations come at a cost to both sides. I tend to think that those costs are pretty large and possibly larger that any benefits these expectations bring. Demands for funding (by developers) or demands for bug fixes (by users) seem to be extremes that follow from these expectations.

I think we should be very careful about what happens when we expect more than just software freedom.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

pebolle — Tue, 11 Jan 2022 09:50:14 +0000

If I parsed the legalese of QPL correctly, this provision to provide modifications to the original author is rather specific. It kicks in if you distribute modifications but do not make their source available to the general public. That's not an obligation to contribute back but more of an uncommon method to ensure access to source code.

(The FSF explicitly recommends to avoid using the QPL.)

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

mjg59 — Tue, 11 Jan 2022 09:43:37 +0000

The accusation is that Ghislaine Maxwell, who it is claimed may have been an influential moderator of multiple subreddits, was somehow involved in his death. This is, uh, not credible.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

nim-nim — Tue, 11 Jan 2022 09:23:33 +0000

The basic problem is that someone who publishes a bit of free software code does not owe anyone any further maintenance, but there are lots of crooks out there that integrate the result in products they are *paid* to maintain and support, but do not provision anything to actually perform this maintenance.

Instead they create support pyramids where the money they get for support is wasted on people opening tickets (recursively), support dashboards (where you see those tickets), renaming components to escape audits, blind vendoring, and nagging the original devs when everything else fails and their customer asks some contractual performance. Sometimes they are they are not even able to build the software they deliverer, they hope someone else will do it and they can just lift binaries from the internet.

And, some end users are complicit in this scam, they know perfectly well the company they hired to maintain things won’t perform, the contract exists to lie to their own customers. Otherwise they would require contractual delivery of software as deployable components, with integration deadlines (both in presence of security issues and natural obsolescence), instead of using “existence of ticket in the dashboard” as contractual KPI.

A lot of stuff does not build easily because no one is actually supporting it and therefore fixing the build chain is not worth anyone's time.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

flussence — Tue, 11 Jan 2022 08:28:55 +0000

That's dependent on the distro devs being a separate entity from upstream and behaving like responsible adults.

Sometimes they aren't one or either and we end up having to endure things like libav.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

niner — Tue, 11 Jan 2022 08:26:00 +0000

There is no obligation. It is simply polite to contribute back. A show of good manners.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

taladar — Tue, 11 Jan 2022 08:08:29 +0000

It is not as if language ecosystems with large libraries like Java or C++ do a lot better here.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

ms-tg — Tue, 11 Jan 2022 07:29:17 +0000

Following up, does anyone know the context of the text that he posted to the README of Faker.js [1]?

> What really happened with Aaron Swartz?

[1] https://github.com/Marak/faker.js

Is there a conspiracy theory at play here regarding the tragic suicide of the inventor of RSS? Or is this something else?

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

ms-tg — Tue, 11 Jan 2022 07:25:22 +0000

Is this the same Marak Squires who injured himself in 2020 in a home fire caused by his own bomb-making supplies including 40 pounds of potassium nitrate, for which he was charged?

https://www.nbcnewyork.com/news/local/possible-bomb-makin...

https://abc7ny.com/suspicious-package-queens-astoria-fire...

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

kunitz — Tue, 11 Jan 2022 07:23:01 +0000

This blog entry from Russ Cox appears to be relevant to the discussion: https://research.swtch.com/npm-colors.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

LtWorf — Tue, 11 Jan 2022 07:01:46 +0000

Nothing in free software gives you any right to complain if the new version is broken either though…

But yeah I would never use any other license than a FSF one. At least they are forced to publish any changes they might make.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

neilbrown — Tue, 11 Jan 2022 03:08:35 +0000

> I don’t recall Free Software leaders saying you get to stop thinking about ethics. Quite the opposite.

Ethics can be highly subjective. What you see as ethical, I might see as ... inconvenient.
Ethics can only be objective when it is encoded - a Code Of Ethics. Like the 4 freedoms or many other documents. Without the encoding, it is hot air.

If I choose to release a new version of some software that I maintain, with some behavioural change which is not backwards compatible, is that unethical? If you choose to use it without due-diligence and suffer a loss, is that in any way my responsibility?

This is all really not a "free software" issue. This is an "unregulated supply chain" issue. Maybe we need a code-of-ethics of open-supply-chains.

The Linux kernel as distributed by Linus does have a "no user-space regressions" policy so depending on that is defensible. Depending on a supply chain which does not make any similar promise is fool-hardy.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

pabs — Tue, 11 Jan 2022 02:02:49 +0000

These days there is a cultural expectation in the FLOSS world to contribute back, with bug reports, patches and funding where appropriate.

In addition to the expectation, keeping projects you rely on alive and healthy by contributing back should just be common sense for any self-interested corporation; if they go away it means a lot of work to switch to something else or fork them, which distracts from core business activities.

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

pabs — Tue, 11 Jan 2022 01:57:28 +0000

Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps(Bleeping Computer)

NYKevin — Tue, 11 Jan 2022 01:50:42 +0000

I'm not sure if this qualifies as malware under strict legal definitions. If it does, it may (or may not) be a crime under anti-hacking laws.

Remember: The warranty disclaimer is a contractual term. It is not empowered to excuse you from criminal law. Uploading intentionally booby-trapped code is a bad idea regardless of whether it's technically legal or not.