https://opensource.org/open-source-protestware-harms-open-source

Open source 'protestware' harms Open Source

Submitted by smaffulli on Thu, 2022-03-24 05:31

This week marks one month since the start of Putin's war against Ukraine. We stated the OSI position at that time--the OSI condemns the attack on Ukraine by the Russian army at the direction of Vladimir Putin--but there is a new development that directly impacts the open source community, and it warrants a new commentary.

The new development is that angry maintainers have started adding code to a small number of open source repositories to protest against the war. When deployed, this 'protestware' expresses the maintainer's opposition to the Russian government's invasion of Ukraine. Most protestware simply displays anti-war or pro-Ukrainian messages when run.
This is a non-violent, creative form of protest that can be effective. But, in at least one case--the peacenotwar module in the node-ipc package--an update sabotages npm developers with code intended to wipe data stored in Russia and Belarus. In a March 16 blog post on the malicious code, Liran Tal at Snyk said, "This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms."

The "weaponization of open source," as Gerald Benischke calls it in his March 16 blog post, is indiscriminate, and the collateral damage it causes harms the work of developers and operators solely because they have a Russia-assigned IP address. It harms peacemakers as much as the warmongers--even ethical hackers using a VPN to work against the invasion might become collateral damage.

Understandably, this has caused outrage. We share that outrage.

Protest is an important element of free speech that should be protected. Openness and inclusivity are cornerstones of the culture of open source, and the tools of open source communities are designed for global access and participation. Collectively, the very culture and tooling of open source--issue tracking, messaging systems, repositories--offer a unique signaling channel that may route around censorship imposed by tyrants to hold their power.

Instead of malware, a better approach to free expression would be to use commit log messages to send anti-propaganda messages and to use issue trackers to share accurate news inside Russia of what is really happening in Ukraine at the hands of the Russian military, to cite two obvious possibilities. There are so many outlets for open source communities to be creative without harming everyone who happens to load the update.
We encourage community members to use both the freedoms and tools of open source innovatively and wisely to inform Russian citizens about the reality of the harm imposed on Ukrainian citizens and to support humanitarian and relief efforts in and supportive of Ukraine.

Longer term, it's likely these weaponizations are like spitting into the wind: the downsides of vandalizing open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible. By extension, all of open source is harmed. Use your power, yes--but use it wisely.
The content on this website, of which Opensource.org is the author, is licensed under a Creative Commons Attribution 4.0 International License.