[HN Gopher] On the Weaponisation of Open Source
___________________________________________________________________
On the Weaponisation of Open Source
Author : beny23
Score : 129 points
Date : 2022-03-18 18:57 UTC (4 hours ago)
(HTM) web link (beny23.github.io)
(TXT) w3m dump (beny23.github.io)
| smashah wrote:
| I understand that all of this may seem annoying to those that
| like to bury their head in the sand but where's this energy and
| label of "weaponisation" when OSS is LITERALLY used to build
| weapons, e.g. OpenCV being used for mass surveillance and
| ardupilot/OSS drone projects being used to make tear-gas
| deploying drones?
|
| Changing the license is weaponisation?? It's the bare minimum and
| least intrusive. And then you all complain when someone tries to
| implement a Hippocratic or Do Not Harm license. "WEAPONISATION"??
| Really?
|
| The lesson of all this is to keep an eye on your supply chain.
| Simple as. I think it's a sign of entitlement when you expect OSS
| devs to build you robust and reliable systems then leave the rest
| of themselves at the door.
| [deleted]
| quasarj wrote:
| As the article explained, this is no longer an OSS project, so
| that part of your point is invalid.
|
| As for the first one, that's just whataboutism. Sure, we need
| to stand up to that too. But that changes nothing here.
| blablabla123 wrote:
| Open Source was always political, ultimately this is where some
| moonshot projects like GNU got their momentum from. IMHO the red
| line is where it gets destructive or actually discriminates
| individuals. In the past PGP couldn't be exported to certain
| countries so sanctions apply also for OSS. Speaking of the
| immense popularity of web3 and decentralized of course not all
| measures will be realizations of government directives. That said
| I don't think OSI (opensource.org) represents the whole OSS
| movement.
|
| Also the title is a bit click-baity. The protestware example is
| clearly weaponization of OSS but the other examples are not.
| scotty79 wrote:
| > My problem is that this weaponisation is killing off trust.
|
| Trust that all programmers started to place in open source
| maintainers maybe a decade ago out of sheer laziness is
| absolutely insane.
|
| Pulling the freshest code out of a thousand libraries automatically
| into the medium-security project that you are building is
| absolutely crazy.
|
| It's inviting a thousand strangers to run code on your machine
| which contains your commercial creation and data. Without any
| protection whatsoever besides "trust", which is just another word
| for laziness and being hopeful.
|
| The faster we can ditch this trust, the faster we will develop
| actual protections, vetting processes, delaying updates, caching,
| forking, so we can isolate our work from the thousands of
| wonderful people, all of whom are one bad day from wiping all
| your files.
| musingsole wrote:
| > Pulling the freshest code out of a thousand libraries automatically
| into the medium-security project that you are building is
| absolutely crazy.
|
| But we have a test suite and a whole CI/CD pipeline to verify
| everything works! /s
|
| /Until you realize your tests only cover what they cover in the
| way they cover it.
|
| //Until you realize there is no test suite at all and it's all
| verified in production.
|
| ///It's not like you read the library's code until something
| was *really* broken or *super* slow anyhow.
| ahelwer wrote:
| Actually things are working quite well! These events remain
| remarkable news items. There are tremendous benefits to having
| an ecosystem built on trust and mutual assumption of good will.
| Transforming this into a scar tissue bureaucracy after some
| minor cuts is only one of several options. Another is to make
| choices like this so socially radioactive that only people with
| nothing to lose would ever make them. Trust is very valuable.
| scotty79 wrote:
| Systems are not working well. They are just working
| carelessly till the catastrophe.
|
| leftpad.js wasn't even a malicious action. Just one developer
| withdrawing his code from the community.
|
| Imagine what would happen if one dev of a popular package just
| had a nervous breakdown and did rm -fr / on his next update.
| Or deleted the contents of the repo it is a dependency of and
| did a force push.
|
| We have zero systems in place that could catch it before work
| of thousands of people is destroyed.
| hulitu wrote:
| You don't develop protections. You develop zero trust.
| Unfortunately the current OSs cannot distinguish zero trust
| programs.
| fartcannon wrote:
| Yeah. Competing interests. We can all slow down and work like
| real engineers do, with the same level of responsibility they
| take on, and check every line of code.
|
| OR we can just do whatever the fuck we want, solving our
| problems and/or making money. But if we do it without the rigor
| of real engineering, we can't exactly blame OSS or the devs
| that provide the OSS for this choice. It's entirely our fault
| if it goes south.
| [deleted]
| [deleted]
| Jon_Lowtek wrote:
| > _I don't really want to have to read through each of my
| dependencies and transitive dependencies licences to determine
| whether I am agreeing to <the things included>_
|
| I slightly edited the last part of that sentence to highlight a
| problem with this kind of thinking. I do understand that the
| author may prefer all their software dependencies using some well
| known license like "Apache 2.0" instead of dozens of variations
| of "Apache 2.0~modified".
| frozenlettuce wrote:
| The Pandora box has been opened. Prepare for the same kind of
| attacks addressing US IPs (cloud on us-west-2? bad luck)
| WesolyKubeczek wrote:
| I'd say that the code that is malware/not malware depending on IP
| address of the server is a bad kind of weaponization. Not because
| I pity poor Russians or some such. I'm a Ukrainian national
| myself. Putin is a dickhead that should be put down with extreme
| prejudice; much of both the state and ordinary folk in Russia
| should be accountable, too. Here, I said it.
|
| The problem with those NPM packages, or better said, the approach
| they are taking is that it is a double-edged sword. IP blocks can
| be sold and bought. Today they belong to someone in Russia you
| don't mind targeting, tomorrow it's someone else entirely. Today
| you put in a trigger to turn your code into malware, tomorrow
| someone finds a way to flip that trigger at will. Bad things
| ensue.
|
| Not providing services to Russians is another thing and that
| could work. Limiting downloads by the country is okay in my
| books. After all, you block IPs that try to DDoS you, so banning
| IPs of an aggressor country that is fond of murdering civilians
| is fair game too. Radio silence their contributions. Don't
| respond to their support requests. Close the issues they open as
| if they never existed. Of course they can find alternative ways
| to download stuff, fork, implement the necessary changes
| themselves, but it's jumping through the hoops. Let them jump
| extra and then some.
|
| Stop providing documentation in Russian, kick some people off the
| team/mailing list. Make the OSS you're responsible for be, for
| all intents and purposes, an unmaintained piece of software if the
| user is from an aggressor country.
|
| These are ways of sabotage I can stand behind. But putting in
| actual malware is rather where I draw the line.
| citizenpaul wrote:
| I was thinking about this in a different context a while back.
| Basically companies (amazon for sure) utilize open source then
| make some closed off fork of it while giving nothing or peanuts
| back to the original open source development foundations. For
| example Amazon has indisputably made Billions if not Trillions
| from monetizing Mozilla products. Yet has only donated a few
| paltry million back to the foundation. While at the same time
| using the FOSS products to create their own walled garden.
| mariusmg wrote:
| Their code, their rules ?
| the_af wrote:
| Yes, but said rules stop being FOSS compliant and so they lose
| the right to pretend they are FOSS.
| kube-system wrote:
| People absolutely have a right to disagree about what
| constitutes "FOSS". People have disagreed about it for 30+
| years and they continue to this day.
| LudwigNagasena wrote:
| It may be an odd idea to comprehend for someone whose culture
| stems from and still closely relates to mainline Protestantism,
| but you can actually believe that someone has a right to do
| something yet disagree with the action.
| dc-programmer wrote:
| Yes, because in vs. out group behavior started in the 1500s.
| lostmsu wrote:
| You are free to fork their project.
| pmontra wrote:
| My first thought yesterday was that I really cannot trust NPM
| anymore because if someone sneaks in an anti Russian piece of
| code somebody else could sneak in code against any other country,
| or look at the content of files to get an idea of the kind of
| person running the code and decide what to do. People voting for
| the other party, thinking something different, etc.
|
| And why not Python, or Java, Ruby, anything. Maybe we'll all end
| up running Tails.
|
| Edit: if something like that happens, how long before
| certifications require that no unvetted code is used in projects
| or no open source at all?
| [deleted]
| redsummer wrote:
| aritmo wrote:
| Knee-jerk reaction and discrimination against the Russian people.
| sharken wrote:
| The author obviously thinks that open source that discriminates
| cannot be open source.
|
| In principle this is true given the current Open Source
| license.
|
| But i would argue that the clause about discrimination is out
| of touch with reality.
|
| Usage rights to Open Source should not by default be granted to
| oppressive regimes and the author should absolutely be allowed
| to state that within the license.
|
| If the west wants to send a clear signal to Putin, then matters
| such as the wording of the Open Source license needs to be
| adjusted accordingly.
| [deleted]
| HideousKojima wrote:
| https://www.gnu.org/philosophy/programs-must-not-limit-freed...
|
| "I've stated above some parts of my views about certain
| political issues unrelated to the issue of free software--
| about which of those activities are or aren't unjust. Your
| views about them might differ, and that's precisely the
| point. If we accepted programs with usage restrictions as
| part of a free operating system such as GNU, people would
| come up with lots of different usage restrictions. There
| would be programs banned for use in meat processing, programs
| banned only for pigs, programs banned only for cows, and
| programs limited to kosher foods. Someone who hates spinach
| might license a program to allow use for processing any
| vegetable except spinach, while a Popeye fan's program might
| allow only use for spinach. There would be music programs
| allowed only for rap music, and others allowed only for
| classical music."
|
| "The result would be a system that you could not count on for
| any purpose. For each task you wish to do, you'd have to
| check lots of licenses to see which parts of your system are
| off limits for that task. Not only for the components you
| explicitly use, but also for the hundreds of components that
| they link with, invoke, or communicate with."
|
| "How would users respond to that? I think most of them would
| use proprietary systems. Allowing usage restrictions in free
| software would mainly push users towards nonfree software.
| Trying to stop users from doing something through usage
| restrictions in free software is as ineffective as pushing on
| an object through a long, straight, soft piece of cooked
| spaghetti."
|
| "It is worse than ineffective; it is wrong too, because
| software developers should not exercise such power over what
| users do. Imagine selling pens with conditions about what you
| can write with them; that would be noisome, and we should not
| stand for it. Likewise for general software. If you make
| something that is generally useful, like a pen, people will
| use it to write all sorts of things, even horrible things
| such as orders to torture a dissident; but you must not have
| the power to control people's activities through their pens.
| It is the same for a text editor, compiler or kernel."
| sharken wrote:
| Richard Stallman talks about free software which is a
| different concept than Open Source.
|
| https://www.gnu.org/philosophy/open-source-misses-the-point....
|
| Open Source is right now defined as open for everyone by
| the license, i.e. the paragraph about not discriminating.
|
| Perhaps the only sane way for Open Source to exist is to
| not discriminate.
| beny23 wrote:
| Hello, author here. I do think the open source licence is
| framed to be non-discriminatory and I think that's not a bad
| thing. Discrimination lends itself to politicisation and in
| turn division. And I think an ecosystem where we have lots of
| division is not good. What would happen if two interdependent
| projects suddenly had conflicting political requirements?
| beaconstudios wrote:
| I think that holding onto the idea that software is
| apolitical is untenable. Social media companies and large
| corporations try to toe this line and have been widely
| rebuked for it (Google trying to get ICE contracts, for
| example). I think the idea that "everything is political"
| is taking it too far, but so is the idea that providing
| material support to any comers is apolitical.
|
| Bear in mind that I'm talking descriptively rather than
| prescriptively here. I have my own opinions but I can also
| observe that political neutrality as a concept is waning.
| quinnjh wrote:
| Ok, so it's political. What if this political take, where we
| encourage openness and interconnectivity, is superior to
| the political take where we are reactionary? What if it
| literally is a winning strategy?
|
| I'm not saying it is necessarily, but I think to get past
| the division you have highlighted (apolitical
| universality vs political conservatism) there is perhaps
| a way to look at the various approaches and determine
| what approach would be technologically, logistically, and
| politically advantageous.
|
| Let us let go of the idea it is apolitical, what now?
| beaconstudios wrote:
| I do think that we should look at these choices through a
| utilitarian lens and consider both the immediate and long
| term impact of such decisions. I do think that innocent
| Russian civilians will inevitably get caught in the
| crossfire with sanctions, which is unfortunate. I still
| believe that it is a moral good to penalise colonialism
| and other unethical activity through withdrawal of
| material support because this increases the cost of such
| actions. I'm not sure what justification there could be
| that continuing material support for an expansionist
| government during an invasion has positive utility, it
| smells like an argument for consistency to me but I'd be
| happy to be corrected.
| quinnjh wrote:
| Something that comes to mind is the argument against aid
| NGOs in places with dire poverty and hunger. When an NGO
| comes to your town, where you are trying to build a farm
| business, and delivers months worth of free rice, can you
| afford to run your business? Similarly, can any Russians
| make successful software as a service that analogues FOSS
| offerings? No they can't, because the alternative is
| available and free.
|
| Remove the free rice and you satisfy your ego's necessity
| for first order moral resolution via punishment (bad
| people don't get rice), but as for second order effects?
| Perhaps now it becomes feasible to build a sustainable
| farm (or Apache competitor).
| beaconstudios wrote:
| The aid NGO question comes down to whether locals can
| build a self supporting economy and whether the aid is
| hampering economic development - but it isn't a binary
| question because you can subsidise farmers or reduce aid
| commensurate with local supply.
|
| I'm familiar with second order effects, and nth order
| effects and nonlinear causality. If we restrict Russia's
| access to Apache Web server, sure, they will eventually
| develop a local equivalent. So, over time they transition
| from being disadvantaged to simply leveling the playing
| field. That's a pretty good outcome, especially if many
| more open source projects could withdraw from Russia.
| shadowgovt wrote:
| Then we end up with a [citation needed] on providing
| material support to a badly-acting nation being a winning
| strategy.
|
| IBM is still notorious for their willingness to work with
| the Nazi regime.
| sharken wrote:
| Hi, must say that it's a thoughtful article that has valid
| points.
|
| Maybe as a European I feel more strongly about this, but
| every means possible must be employed to send a clear
| signal to Russia about the unacceptable state of affairs.
|
| Except destructive changes as in the second example, that
| behavior should not be allowed by the Open Source license.
|
| I'm still hopeful that a better wording can be found going
| forward.
| Delk wrote:
| Almost everyone's sympathies are with Ukraine now, and
| Russia under its current regime is rightly being
| sanctioned by measures that are _intended_ to hurt.
| Sanctions that aren't felt are meaningless.
|
| When it comes to open source licensing, though, the
| problem with these kinds of exceptions tends to be that
| there are a lot of causes that would, at one time or
| another or from one perspective or another, seem to
| warrant similar exceptions.
|
| There are other wars going on, with more or less clear
| aggressors. Should we build a list, somewhat akin to the
| U.S. export restrictions, that forbade using the software
| by the aggressive states? How would we make sure that the
| lists aren't influenced by political leanings or cultural
| preconceptions? (Hint: you can't.)
|
| It would be objectively easy to argue that people who eat
| meat should be sanctioned to give them a "clear signal"
| that they shouldn't. It would be emotionally easy to
| argue that perhaps we should exclude people who violate
| human rights from using our software -- although what
| exactly constitutes such a violation would be pretty hard
| to delineate. In a different culture, objectively or not,
| entirely different acts might be considered morally
| contemptible or even unforgivable.
|
| Allowing exceptions to open source terms based on
| individual reasons would lead to a jungle of rules that
| would end up ruining open source, even if each exception
| by itself can be easy to argue for. You could no longer
| build a Linux distribution or any kind of a large
| collection of software, or even an open source
| application that relied on lots of open source libraries
| for its functionality.
|
| That is, unless you decided not to include any software
| that had licenses with any such exceptions. That's
| exactly what drawing the line for the meaning of "open
| source" is. If you only take one of those exceptions and
| not the others, that's no longer an objective choice, and
| others are going to have different exceptions; if you
| take them all, you create an untenable mess, or at least
| a walled garden with really tight walls.
|
| At any given time it may feel like _this_ is the one
| exception we should make, and it feels right at that
| moment. It just can't be done with any consistency
| without massive collateral damage in the big picture.
|
| By all means, let's cause trouble to Russia (under its
| current regime) as long as it restricts their ability to
| wage war. Let's do that even if it costs us. But let's
| not do it in such a way that it creates a massive moral
| or legal conundrum in the long run. Even if it feels
| right at the moment.
|
| - Another European, living less than 200 km from Russia
| mistrial9 wrote:
| long-term OSS author here - strong agree "the open source
| license is framed to be non-discriminatory" is the "right
| thing" for Intelligent Humans of every color, creed and
| mother-language
| shadowgovt wrote:
| > What would happen if two interdependent projects suddenly
| had conflicting political requirements?
|
| The same thing that happens when two countries have
| irreconcilable differences.
|
| Software is a human artifact and subject to the same
| principles as all such artifacts.
| rectang wrote:
| You're welcome to license your software under terms that
| discriminate against oppressive regimes. Just don't call it
| "open source".
|
| The argument that software licenses should exclude certain
| people or fields of endeavor has been around for decades.
| Such licenses are outside the scope of Open Source.
| Specifically, such licenses do not conform to the Open Source
| Definition clauses 5 and 6:
|
| https://opensource.org/osd
|
| > _5. No Discrimination Against Persons or Groups_
|
| > _The license must not discriminate against any person or
| group of persons._
|
| > _6. No Discrimination Against Fields of Endeavor_
|
| > _The license must not restrict anyone from making use of
| the program in a specific field of endeavor. For example, it
| may not restrict the program from being used in a business,
| or from being used for genetic research._
| FooBarWidget wrote:
| Such discrimination is a form of sanction. It has been shown
| over and over again that sanctions do nothing to change
| governments -- all they succeed in is to harm the lives of
| ordinary people. This makes license discrimination on such
| grounds nothing more than virtue signalling at best, and a
| punishment to ordinary people at worst.
|
| Furthermore, the label "oppressive regime" is sometimes more
| propaganda than fact. Many western countries weaponize human
| rights by labeling enemy states as oppressive regimes, while
| either ignoring/muffling their own human rights abuses, or
| (more likely) having systems that allow one to protest
| against domestic human rights abuses while failing to change
| a single thing about them no matter how much people protest;
| and at the same time, turning a blind eye on actual
| oppressive regimes that happen to be allied states (until
| they fall out of grace, after which they will once again be
| labeled "oppressive regimes").
|
| This makes license discrimination on the grounds of the
| "oppressive regime" label highly problematic and prone to
| geopolitical propaganda games. At worst, you can even say
| that such license discriminations become willing tools of
| geopolitical propaganda.
| tomjen3 wrote:
| The current sanctions are doing a great job of hurting the
| Russian economy and, by extension, its ability to rip apart
| the flesh of 6 year old girls hiding in hospitals in
| Mariupol.
| HideousKojima wrote:
| Actually they've done a great job driving up oil and gas
| prices, which actually helps the Russian economy because
| European countries are too dependent (and spineless) to
| cut off Russian gas pipelines.
| sharken wrote:
| Sad but true, I'm still hopeful that Europe will drop
| Russian oil and gas soon, regardless of the consequences.
| nix23 wrote:
| And sanctions that target the "normal" citizen give Putin
| a really sharp knife to prove that the "west" really
| wants to harm Russians.... What else than sanctions can be
| done? I honestly don't know.
| jahewson wrote:
| Firstly what even is an "oppressive regime" can we agree on a
| definition? I don't think so. Certainly not in the boundary
| cases.
|
| Secondly, why would any such oppressive regime care about
| your license? What are you going to do, sue them?
| pie_flavor wrote:
| A principle being out of touch with reality doesn't mean you
| get to redefine what the principle means; if you view its
| out-of-touchness as a mark against the principle, reject the
| principle. What you're really saying is that you want the
| social benefit of claiming to adhere to the principle, while
| not actually adhering to the principle. 'The west' does not own
| open-source any more than Putin does, and if you
| intentionally make your software non-open-source to send a
| message to Putin, that's your right, but you can't keep
| pretending to be open-source if you do.
| [deleted]
| pageandrew wrote:
| I agree it's a knee-jerk reaction.
|
| But to be fair, it's not discrimination against the Russian
| people, it's discrimination against a particular ideology that
| is predominantly held by the Russian people.
| nyolfen wrote:
| did any of these actions select their targets by ideology?
| BaseballPhysics wrote:
| > But to be fair, its not discrimination against the Russian
| people, its discrimination against a particular ideology that
| is predominantly held by the Russian people.
|
| To be even more fair, it's both.
|
| There are plenty of Russians that absolutely do not agree
| with what the Russian leadership is doing, but have no choice
| in the matter.
|
| Speaking as a Canadian, there was a time when we were
| similarly fighting an adversary and chose to indiscriminately
| treat all people from that nation as enemies. The result was
| the internment of Japanese Canadians, one of the most
| shameful periods in our nation's history.
|
| I cannot help but be very concerned that we're heading down a
| very familiar and dangerous path, here...
| beebmam wrote:
| Speaking as someone who was vehemently against the Iraq war
| and lived in the US, I welcomed discrimination against my
| own people. The United States was responsible for war
| crimes in that war, and for sure we deserved sanctions,
| boycotts, divestment, and bad international relations due
| to it.
|
| I was treated extremely rudely for being American when I
| went to France in late 2003, and I totally understood why.
| I hated my own country and my countrymen for it as well. I
| still do, in a sense. We owe the Iraqi people an enormous
| debt of reparations
| joe_the_user wrote:
| _I was treated extremely rudely for being American when I
| went to France in late 2003, and I totally understood
| why._
|
| It seems too easy to say "uh discrimination is fine" when
| the only thing you have to fear is people being rude to
| you on vacation. If you face the loss of your livelihood,
| like the owner of a small Russian restaurant somewhat, I
| don't think you'd be as sanguine.
| beebmam wrote:
| I was spit on, had two of my hotel reservations
| cancelled, and was robbed
| rossvor wrote:
| And you applaud this? How is this a good thing?
| cartesius13 wrote:
| One would think that after going through this you would
| become more empathetic and understanding of the ordinary
| citizens side. But no, somehow the takeaway was that
| discrimination against innocent people based where
| they're from is OK
| HideousKojima wrote:
| >I was treated extremely rudely for being American when I
| went to France in late 2003
|
| That's just the French being the French, would have been
| the same in the 90's lol. And if you think that's bad,
| try going there as a French Canadian like my grandfather
| did. He got treated way waaaay better when he spoke
| English instead of his "dirty" (what the Frenchies
| called it) Quebecois French.
| FpUser wrote:
| >"We owe the Iraqi people an enormous debt of
| reparations"
|
| Which will never happen. For very obvious reasons.
| Hypocrisy is our first and last name. And the examples of
| it are countless.
| pie_flavor wrote:
| No, it's discrimination against anyone with a Russian IP
| address, as clearly described in the article.
| croes wrote:
| Which ideology?
| toss1 wrote:
| >>political discourse has turned to be very divisive and tribal.
| You are either with us, or against us.
|
| This is because much of politics is currently driven by a global
| set of fascist/authoritarian govts and sponsored 'movements'
| pushing to destroy democracy. This is, IMO, back to the pre-cold
| war days, but stripped of all the "--isms" and ideologies.
|
| It is now either self-determination for the people via democracy,
| or live under rulers like Putin, stripped of any cloaking
| ideology. This is being strongly pushed/sponsored globally by
| Putin's govt; the Chinese are going about it differently with the
| 'Belt & Road' initiative and other exploitative agreements.
|
| The grand experiment has been tried. It was thought that free
| trade exchanges and greater information flow from free nations
| would cause freedom, self-determination, & democracy to the
| former Communist nations. It did not. In trying to prove the
| thesis, the test proved the opposite, and enriched the
| authoritarian states.
|
| Russia's ongoing assault on Ukraine since 24-Feb-2022, and the
| ongoing blatant war crimes including specific instructions to
| ignore civilian care[0], cluster munitions on civilian
| targets[1], or bombing a theater/shelter with "Children" written
| on the pavement outside [2], and its support by ~70% of the
| deluded RUS population, show what can be expected from yielding
| to or appeasing authoritarianism.
|
| It now really _IS_ you are with us, or against us.
|
| You are either in favor of democratic self-rule for all people,
| or you are against it.
|
| This is war, and we are fighting against those who are happy to
| be war criminals.
|
| It is important to take every measure, and "weaponizing" open
| source is among the least of the things that can be done to help.
|
| [0]
| https://twitter.com/cnsnews/status/1504494016137555968?cxt=H...
|
| [1] https://www.bellingcat.com/news/rest-of-world/2022/03/11/the...
|
| [2] https://www.npr.org/2022/03/17/1087164709/ukraine-mariupol-t...
| walrusfromspace wrote:
| >You are either in favor of democratic self-rule for all
| people, or you are against it.
|
| So can I assume that you were protesting against Spain's
| suppression of the Catalan independence referendum in 2017?
|
| https://en.wikipedia.org/wiki/Catalan_independence_movement#...
| emodendroket wrote:
| We've pretty quickly decided to throw out decades of norms in
| favor of anti-Russia moves all the time. Not ideal.
| pie_flavor wrote:
| This is the culmination of about a decade of reinforcing the
| idea that political actions don't count as violating norms if
| the actions are against someone who violates other norms of
| yours.
| whatshisface wrote:
| Or maybe just the culmination of internet libertarians who
| stick to principles being out-populated by more average
| people who stick to each other (that is a nice way of
| phrasing the practice of putting popularity before ideals but
| it's also true to its real nature).
| SamoyedFurFluff wrote:
| Internet libertarians definitely also stick it to each
| other in dumb ways whenever they think their cause is
| right. Let's not kid ourselves; an average person wouldn't
| know how to wield open source for their personal political
| nonsense. It would precisely be a technocrat who thinks
| they're enlightened.
| whatshisface wrote:
| > _an average person wouldn't know how to wield open
| source for their personal political nonsense_
|
| I am close to an average person in this regard because I
| am a free-rider on other people's enlightened steering:
| all I do is install stuff and in exchange I get privacy
| and security.
| jollybean wrote:
| This is disturbing to read.
|
| This notion that somehow 'FOSS' is a moral ideal that
| stands above others is rubbish.
|
| If you're helping Russians drop bombs on Mariupol, that's a
| choice.
|
| You can also choose not to do that.
|
| That concerns an 'ideal'.
|
| There are issues at hand of _much greater_ consequence and
| idealism than 'internet libertarians' pretending that they
| are consequential in this context.
|
| 'More Average People', like accountants and teachers, are
| literally right now upholding their 'ideals' by learning
| how to use a weapon and defending their homes with their
| lives against literally the Russian Empire. That is an
| 'ideal' thankfully none of us will ever have to contemplate
| upholding.
| [deleted]
| emodendroket wrote:
| I think it is a little bit more complicated than that
| when you're taking sweeping actions like banning Russians
| from sport (something we managed to avoid in the Cold War
| but apparently not this time). I also wonder if you'd
| take the same line about someone seizing your bank
| account, because every American, by the standard we are
| now using, is culpable for the Iraq War.
| malka wrote:
| It's not that they are guilty. It is impossible to harm a
| state without harming its citizens in the process.
| emodendroket wrote:
| How is the state being harmed by stuff like people
| vandalizing shops for having Cyrillic letters on the
| storefront, I wonder.
| LudwigNagasena wrote:
| The culture of those "average people" stems from the
| beliefs of Calvinist fanatics that fled England because it
| wasn't radical enough.
| whatshisface wrote:
| What's Calvinism got to do with Russia?
| LudwigNagasena wrote:
| It has nothing to do with Russia. It has to do with stuff
| like inherent sinfulness, the promotion of social
| righteousness, the exhibition of the Kingdom of Heaven to
| the world, double predestination and whatever else
| Puritans and other Calvinists who became the American
| elite believed in and promoted. The views of those people
| who were considered fanatics back in Europe became the
| norm in the US.
| emodendroket wrote:
| I think people get a little carried away with this. I'd
| bet money that the average American cannot even describe
| the difference between Protestantism and Catholicism
| besides something facile like "they have a pope." There
| aren't even any Protestants sitting on the Supreme Court.
|
| In a historical sense, it's very geographically
| dependent. Before states got rid of established churches,
| Virginia, for instance, established the Episcopal church,
| while Massachusetts established the Congregational
| church.
| LudwigNagasena wrote:
| > I'd bet money that the average American cannot even
| describe the difference between Protestantism and
| Catholicism besides something facile like "they have a
| pope." There aren't even any Protestants sitting on the
| Supreme Court.
|
| The modern American culture simply _descends_ from
| Calvinist culture, by no means is it the same. Just like
| you wouldn't expect a fish to explain its ancestry to
| you, you wouldn't expect an American to do the same.
|
| Some people seem to believe that if you remove a belief
| in God, a sudden discontinuous cultural gap appears. But
| there is no reason to assert such a thing. An absence of
| belief in God doesn't make Americans culturally more
| similar to Buddhists than to their ancestors, they still
| inherit similar values and social practices. The American
| culture experienced an abrupt shift from the British
| culture due to the founder effect, but from that point it
| pretty much developed continuously. (Well, of course like
| all cultures, it experienced outside influence but it
| wasn't as impactful.)
|
| > In a historical sense, it's very geographically
| dependent. Before states got rid of established churches,
| Virginia, for instance, established the Episcopal church,
| while Massachusetts established the Congregational
| church.
|
| There is a book called The Faiths of the Founding Fathers
| by David L. Holmes; it explains the sheer influence
| Calvinism had in the US.
|
| By the way, is it surprising that (1) Harvard originally
| had a Calvinist church. (2) Harvard is located in New
| England, the land of radical Protestants aka Puritans.
| (3) Harvard is the most prestigious university.
|
| My point is simply that American "average people" are in
| no way simply average people, if such a thing even exists.
| mordero wrote:
| I don't think his point was directly related to people's
| religious views today, but the type of people who
| originally came to the US and how their views and norms
| have impacted the culture up to today.
| emodendroket wrote:
| Well I'd go a little further and say that it's getting
| too clever to act like the most important thing to
| understand how Americans think is the details of a
| dispute that happened before most of their ancestors came
| and that they can't even describe in broad strokes.
| [deleted]
| ninth_ant wrote:
| Almost like "the norms" don't apply when the situation is not
| normal?
|
| Authoritarians pursuing military conquest and territorial
| expansion hasn't been "the norm" for the past few decades. The
| world is changing with Ukraine and Hong Kong, and soon Taiwan.
|
| Not saying these examples in the article are all models of how
| we should design things in the future. But the world is
| changing and norms will change alongside it.
| dkjaudyeqooe wrote:
| > We've pretty quickly decided to throw out decades of norms
|
| So did Putin. Dying isn't ideal.
| a-dub wrote:
| it's pretty gross if you ask me. i don't think that throwing
| stones at the people in a nation where the government is
| misbehaving helps much anything at all. on the contrary, all it
| can do, is harm.
| obert wrote:
| That will keep happening if we build solutions on top of
| obviously unsafe platforms, ignoring incident after incident.
| It's not like this is the first time and it's not like people
| will now suddenly learn from this. Blind software updates like
| yarn upgrade, brew upgrade etc, happen every single day.
| jeroenhd wrote:
| I don't see what's wrong with Mongo cutting ties with Russia.
| There are practical problems receiving payment from Russian
| territories, and companies are allowed to choose which countries
| they do and don't do business with.
|
| In a similar fashion, developers may choose who can and cannot
| use their code. In fact, depending on how your government's
| sanctions are structured, you may even be obligated to not
| license code to developers in some countries.
|
| Using malware to overwrite random files against random Russian
| IPs is obviously stupid. I'm sure the dev will get to explain his
| case to a judge at some point. The Terraform thing, though, is
| different; it's not malicious, merely political.
|
| However, I think the assertion that software "should not be
| political" is silly. All software is political. Open source
| licenses stem from American ideals of freedom, for example, and
| are designed to work in the American legal system above all else.
| Then there are the implied cultural contexts; the list of
| software that only works in left-to-right configuration or even
| fails to just accept standard unicode input is laughably huge. The
| number of times I've had to adjust software to work with
| alternative decimal separators...
|
| Independent developers can (and probably should) decide to mostly
| focus on the problem they themselves are trying to solve. If that
| doesn't work for someone else, they can either ask (and possibly
| be denied) alterations to extend the solution to their problem
| space, or suggest additions by extending the software themselves,
| but in essence, cultural and political assertions are everywhere
| throughout "open source".
|
| Protestware has been around for quite a while, but I think this
| is one of the first times we're seeing high profile developers
| take a stance. Whatever risk this is exposing was always there;
| we can try to hide the risks of open source, but in the end,
| that's just covering them up.
|
| I agree that protestware should not be considered open source,
| but any open source project can turn into protestware at any
| time, and it always could have. This is why groups like Debian
| and companies like Canonical are important: they use their
| organization to produce a unified view that you can rely on.
| Debian applies patches to align software with their views in
| several ways. The result is that software is often re-packaged
| and is deployed slower than upstream, but stuff like this doesn't
| get into your systems. The Python/Pip/Cargo/Go way of
| distributing dependencies directly, rather than using some kind
| of unified repository, exposes you to the risk of open source
| software becoming protestware, but it doesn't have to be that
| way.
|
| Developers scrutinize Debian and Ubuntu for packaging old
| software, but you can safely develop against their dependencies.
| This is the open source that can be trusted, to a usual extent.
| In my opinion, the trust developers place in random usernames on
| NPM is misplaced, and the extensive dependency graphs modern
| frameworks require make that problem so much worse.
|
| To those saying that it's bad that innocent Russians are getting
| hit by this: that's the point. It's also why sanctions are only
| applied in extreme circumstances. Foreigners can't tell other
| governments what to do, the best the rest of the world can do is
| hope or incentivize a country's citizens to make their government
| change their minds.
| quantum_state wrote:
| This is a sad thing for FOSS ... why should developers from
| Russia be penalized for no reason of their own?
| scotty79 wrote:
| So they can get off their chairs and dethrone the dictator. It's
| kind of more important right now than writing software.
| brandonmenc wrote:
| I don't want to hear anyone in this country [the US] complain
| about the Electoral College or gerrymandering the next time
| we decide to pull another Iraq War but they're opposed to it.
|
| Just like, overthrow the government - it's so easy!
|
| And if you don't have the guts - well, don't be mad when
| someone deletes all your files, you collaborator!
| scotty79 wrote:
| Yes. Exactly. US citizens are responsible for those corrupt
| systems that are in place there. And all the war
| profiteering those systems allowed.
|
| Many average Americans directly benefited from US wars as
| military employees and contractors.
| cartesius13 wrote:
| Average Americans most definitely benefited from US
| military shenanigans but that's kinda beside the point
| here I think. The main point is that "just overthrow your
| government, bro" is not a thing people can go out and
| just do and these comments make it seem that they're
| negligent if they don't start doing it right now. "Just
| do it, bro. It's so easy"
| brandonmenc wrote:
| > Many average Americans directly benefited from US wars
| as military employees and contractors.
|
| True, but the Iraq War was a net negative for the vast
| majority of Americans, even just financially.
| ridiculous_leke wrote:
| Not sure if that will motivate them to dethrone the dictator.
| But this will most likely impact their work and may as well
| make them more nationalist in the process. And at the same
| time open source's reputation suffers in the process.
| croes wrote:
| Dethroning nowadays needs software. No Arab Spring without
| messengers.
|
| People like Putin don't need software but people who oppose
| him do.
| vkou wrote:
| Same reason that you shoot at enemy conscripts in a war, drop
| bombs on enemy cities. Same reason why Russia is now being
| subjected to sanctions. To undermine the Russian economy in a
| non-violent manner.
|
| Whether or not it results in political change is irrelevant - a
| crippled Russia is a sufficient end all in itself, just like
| dead soldiers are a sufficient end all in itself during a war.
| Wars rarely end with a government being overthrown, but they do
| often end when a government decides that peace is the better
| option. Bombed cities, dead soldiers, and starving children are
| the calculus that pushes governments towards making that
| decision.
| HideousKojima wrote:
| >drop bombs on enemy cities
|
| Unless you're targeting military forces or infrastructure in
| those cities, bombing civilians is a war crime. Of course,
| who gets tried as a war criminal or not mostly depends on who
| wins
| jollybean wrote:
| Why do you think we are sanctioning Russia? To degrade their
| ability to project war in Ukraine.
|
| 'Russian Developers' are material to the development of the
| Russian economy, which is the basis for which the war is
| projected.
|
| Sanctions could very well spread into software in which FOSS
| would likely be a part of it, and the terms of the licensing
| may not really matter.
|
| It's for the same reason that Intel, Nvidia and a host of
| others have dropped shipments, at least for the time being.
| exizt88 wrote:
| By that logic, any harm to any Russians, even those living
| outside of Russia but e.g. sending money back home, would
| also negatively affect the development of the Russian
| economy.
|
| How far would you follow that logic? Which Russians should be
| harmed, in your opinion, and how much?
| defen wrote:
| Who is going to enforce terms like "Russians aren't allowed
| to use this"? Russian courts?
| dgan wrote:
| Such precedents simply indicate immaturity of the developer
| behind it.
|
| I hate XXX (insert any English speaking politician from Western
| World), yet I am speaking in English. Shock! Tools are
| a-political. Could you believe that?
| cartesius13 wrote:
| I'm currently studying and trying to learn the Russian language
| and I think this argument is a bit of a straw man. I don't
| think people in general would suggest you're evil for learning
| a language. Obviously you would find such people on Twitter or
| Reddit but not in the real world I don't believe
| dgan wrote:
| just like sometimes we prefer to reason on limits rather than
| on concrete values, I believe some straw men are "useful
| limits" to reason about some concepts
| bjt2n3904 wrote:
| Certain things should be a-political. Like the international
| space station, football, and open source software.
|
| But a software development has yielded to demands that it adhere
| to causes. Redis isn't just a key value store, it's engaging in
| anti-racism by removing terms of whiteness, like "master" and
| "slave".
|
| And here we are. Uninstall nginx, unless you're a fascist that
| supports Putin! Did you hear? Russia is using leftpad.js! Quick,
| unpublish the repository in solidarity with... We have to reduce
| harm! No one is neutral! You're for us, or against us!
|
| Lending software to "social progress" leads to the insane place
| we are today. (And not to mention, it hasn't achieved much.)
|
| No, my software isn't a tool for your social goals, noble as they
| may be. And that doesn't make me a bad person.
| frozenlettuce wrote:
| States will never allow a-political things to last for long,
| there's just too much money and power involved. Even the
| Olympics has been co-opted - the event was created on the
| premise of reuniting warring nations around sport.
| SamoyedFurFluff wrote:
| I think this is a straw man. It takes the relatively lukewarm
| "master/slave terminology should be moved away from" and
| somehow uses it as an example for "if you use nginx you support
| Putin". Please consider actually looking at reality how it is,
| instead of how it might be if it was convenient to bash.
| [deleted]
| fhaltmayer wrote:
| The terraform changes just seem so unprofessional and a prime
| example of virtue-signaling.
| pavlov wrote:
| I agree about it being unprofessional. But does "virtue
| signalling" now mean simply any form of protest?
|
| Were the Canadian truckers protesting in Ottawa virtue
| signalling? Are people posting "Let's Go Brandon" online also
| virtue signalling? If not, what's the difference between their
| form of protest and this Terraform stunt?
| BuyMyBitcoins wrote:
| My personal sense of the word is that "virtue signaling" is
| when people intentionally seek recognition from a group by
| visibly supporting something that group _already_ endorses or
| considers normal. Going a step further, the support is often
| exaggerated, not totally sincere, or not congruent with that
| person's previous behavior.
|
| There is also a sense that whatever thing someone is "virtue
| signaling" about is acceptable enough that there is no real
| downside for taking the stance.
|
| It would be like an American proudly declaring how much he
| loves the United States on Independence Day. He would go out
| of his way to emphasize just how much of a patriot he is,
| hoping to be rewarded for doing so.
| teddyh wrote:
| I believe "virtue signalling" means any form of protest which
| will not, and does not really try to, have any actual effect
| on that which it protests against. Any small actor protesting
| and boycotting something which they are unlikely to affect
| and even come into contact with, therefore qualifies. The
| protest is not done to affect any real change, only to signal
| virtue.
| asoneth wrote:
| My understanding is that "virtue signaling" implies that the
| primary goal is performative with minimal personal risk and
| minimal commitment to productive action. The example that
| comes to mind is a company that spends far more money
| informing the public of their charitable works than they do
| on the works themselves.
|
| So an in-person march, trucker protest, sit-ins, having a
| private conversation, calling your representative, making
| personal sacrifices, attempting to bring attention to lesser-
| known issues, donating money, engaging in dialog to convince
| someone of your position, etc would not be virtue signaling.
|
| But things like posting "Let's Go Brandon" online, or
| changing your profile picture with no further action, or
| unironically using terms like "virtue signaling" for internet
| points might qualify as virtue signaling.
| stonemetal12 wrote:
| Just about all of your examples of not virtue signaling
| could or could not be depending on the context. Going in
| person to march, posting selfies on facebook, marching two
| blocks and leaving would be an in-person march and virtue
| signaling for example. Virtue signaling is more about
| intent and advertising of the act.
|
| To paraphrase the bible "Jesus said The pious pray in their
| closet. Those who make big shows of praying in public are
| nothing but douchebags."
| hguant wrote:
| You just successfully moved the goalposts by redefining
| what "going to a march" means...and even then didn't
| address how "all the examples" don't count. Even then,
| showing up for a mere two blocks still involves more risk
| than staying at home.
|
| To me, it's the element of risk that differentiates
| virtue signaling from meaningful action. Posting "Let's
| go Brandon" on Parler or "Black Lives Matter" or Tumblr
| aren't risky actions. Saying "I think gay marriage is ok"
| in a conservative church is. Just because you can imagine
| a situation where the context lessens the impact of the
| action, doesn't mean the example is weak or wrong.
| [deleted]
| [deleted]
| BaseballPhysics wrote:
| > My understanding is that "virtue signaling" implies that
| the primary goal is performative with minimal personal risk
| and minimal commitment to productive action.
|
| And it's based on the flawed assumption that stating public
| support for something without doing anything else is
| useless.
|
| But people moderate their behaviour based on perceived
| social norms.
|
| When people publicly state their support for a given issue,
| they are communicating what they understand social norms to
| be.
|
| When a lot of people do that, that _becomes_ the norm.
|
| So "virtue signalling" could just as easily be labelled
| "showing support", which is the way that we share and align
| on those norms.
|
| But, of course, folks who _don't like_ people voicing
| their support for those values, for fear that they will
| become normalized, needed to find a label to apply to
| insult those people and, hopefully, stop people from
| voicing their support for these social movements.
|
| And thus the term "virtue signalling" was born. Suddenly
| saying out loud what you believe becomes itself a social
| moray.
|
| Now flying a pride flag, or calling for increased diversity
| in the workplace, has become "virtue signalling" and
| something to be embarrassed about.
|
| It's quite clever as a means of controlling the narrative.
| And it appears a shocking number of people have bought into
| the BS.
| jacobr1 wrote:
| There are a few more dimensions to this.
|
| 1) Does "showing support," actually do anything? Are we
| really aligning on norms or just scoring points with
| people who already agree with the same position? I suspect the
| details matter and that there is a continuum, where for
| uncommon positions maybe it does something, but for
| widely held views, it really is just "virtue signalling."
|
| 2) When does "showing support," become a substitute for
| more substantive action. Maybe I post a pride flag on my
| social media avatar, but don't bother to vote in a local
| election with discriminatory ballot initiative. Or
| consider any number of incidents of corporate
| "greenwashing."
|
| But sure, plenty of virtue signalling, isn't _just_
| signalling. And we shouldn't dismiss it on those terms,
| but rather ask about impact.
| monkeybutton wrote:
| What would you classify wearing poppies around remembrance
| day as?
| grubsong wrote:
| AlexAndScripts wrote:
| "Western imperialism"? How exactly was fighting against
| Germany in WW2 "Western imperialism"?
| tedunangst wrote:
| Remembering?
| [deleted]
| Turing_Machine wrote:
| At least here in the United States, those are usually
| sold by charities that benefit various veteran's
| organizations, so there's some actual skin in the game
| there.
| Apocryphon wrote:
| That's not virtue signaling. That's slacktivism.
| DonHopkins wrote:
| I thought Slacktivism was when Slack bans Russia, and
| BigMactivism was when McDonalds pulls out of Russia.
| sharkjacobs wrote:
| If you support a cause, "virtue signal" describes an action
| which doesn't do a lot to materially support the cause, to
| encourage people to take more concrete action.
|
| If you oppose a cause, "virtue signal" is a term of
| denigration for any public action on behalf of the cause to
| discourage people showing support for it.
| kodah wrote:
| I think people virtue signal when they dominate conversation
| with pet political topics. This is especially evident if they
| continually find non-sequitur ways to include moral and pet
| topics in regular conversation. I don't think that either of
| the examples you've brought up are virtue signaling, but
| introducing the topic of Starbucks cups to redirect a
| conversation into how "the country has lost its way" is a
| good example. An example of this on the left is how certain
| folks will redirect any conversation into one about
| oppression.
|
| The impact of virtue signalling is pretty evident. Ever seen
| how in order to make a statement on something you have to
| first identify yourself _as part of that something that
| you're criticising?_ That's a direct byproduct of virtue
| signaling.
|
| More or less, it's a form of manipulation.
| JulianChastain wrote:
| The goals/motivations of the action are what matter here.
| Changing a few lines of code to state your stance on an issue
| won't cause any level of change whatsoever. It was clearly
| done to show which side of the war the author supported, more
| about the author than the conflict. A Canadian protestor that
| spent most of the time publishing their involvement on social
| media is virtue signaling, but one that merely occupied the
| capital is not. Saying "Let's go Brandon" is virtue
| signaling, unless the signal is meant only for your group,
| then it is dog whistling
| _jal wrote:
| > If not, what's the difference
|
| Political valence. It is a term a certain flavor of culture
| warrior likes to employ in attempts to devalue public
| statements by their opponents.
| ghostpepper wrote:
| Like all politically-charged terms, the original meaning
| has been long lost as the context in which it was coined is
| forgotten.
|
| I think the term 'virtue signalling' was originally
| intended to point out a perceived hypocrisy - that it's
| much easier to gain public support for an
| idea/cause/campaign if that campaign is perceived to be
| helping some disenfranchised group - even if the campaign
| also benefits the organizer, and even if the campaign is
| not necessarily wanted by some or even all of the
| allegedly-aggrieved group.
| beaconstudios wrote:
| It did start out that way (an attack by conservatives
| against progressives) but has since become ubiquitous. It
| just refers to immaterial forms of protest that don't
| accomplish anything except signaling support for a cause.
| tomjen3 wrote:
| When you protest something not because you care, but in order
| to signal that you care it is virtue signalling (literally, you
| are trying to signal your virtue).
|
| When you protest for gay rights in 2020 it is a virtue
| signal. When you protest for gay rights in 1987, it is
| because you believe in it and are willing to take the cost of
| it.
|
| Since public trade companies only care about money, when
| those companies support some cause it has become safe enough
| that it is now virtue signalling.
| SamoyedFurFluff wrote:
| > When you protest for gay rights in 2020 it is a virtue
| signal.
|
| I don't think this is the case; it's still legal to
| discriminate on the basis of sexuality in many states and
| contexts such as housing in the United States. You may not
| be able to fire someone for being gay but in many places
| you can evict them for it.
|
| Additionally I don't think it's virtue signaling to protest
| for gay rights beyond the small number of countries that
| recognize marriage. There are still countries where gay
| behavior is illegal, marriage isn't recognized, and gay
| panic is a legal defense.
| aaron695 wrote:
| LudwigNagasena wrote:
| I think it means something like grandstanding and
| slacktivism.
| [deleted]
| ksjnq wrote:
| fxtentacle wrote:
| In my opinion, these changes are effectively supply-chain attacks
| in their execution. That would make them bad regardless of how
| correct their expressed positions are about the Ukraine war.
|
| The fact that there has not been a strong push back confirms my
| suspicion that by now, everyone has gotten used to Node and NPM
| being insecure and silently accepted it as a way of life.
| Similarly, those Terraform scripts are apparently esoteric enough
| to only be used by a tiny minority of software developers, or
| else we would have heard about it in a different way.
|
| Thank god nobody did similar shenanigans to open source projects
| that are actually in wide use :)
| ajross wrote:
| > In my opinion, these changes are effectively supply-chain
| attacks in their execution. That would make them bad regardless
| of how correct their expressed positions are about the Ukraine
| war.
|
| Well, yeah. War is bad. On the spectrum of war badness,
| obviously, these pranks are pretty mild. But they're bad. It's
| a bad situation. When at war, people are forced to do bad
| things to prevent worse things. That's why _starting wars is
| very bad_.
|
| Now, sure, you can argue about the semantics about "who" is at
| war, or whether these npm authors are "really" at war, or why
| they "think" they're at war, or whether they "should" be at
| war. You could also get into a discussion about whether or not
| this tactic is effective (and I'd agree it's hurting more than
| helping, btw). Go nuts.
|
| But that doesn't change the fact that this is an action in
| support of a war effort. In wars, principled stands don't win.
| If you want a particular outcome, you have to pick a side.
| hulitu wrote:
| > But that doesn't change the fact that this is an action in
| support of a war effort. In wars, principled stands don't
| win. If you want a particular outcome, you have to pick a
| side.
|
| I picked a side. I will take care that npm is not installed
| on my computers. Take your political sh*t out of my computer.
| jollybean wrote:
| "principled stands don't win."
|
| Fighting against bad actors is definitely a 'principled
| decision'.
|
| Ignoring the situation and not taking action is an
| 'unprincipled decision'. Though it might be disguised as
| principled action, on the basis of supporting some other
| principle, such as 'open source', but ignoring one at the
| expense of another implies serious lack of self awareness.
|
| This war, plus COVID, and the recently released documents
| indicating a planned invasion of Taiwan (though we don't know
| for sure) - represent major geopolitical shift of the order
| of WW1/WW2/End of Cold War, the stakes and consequences are
| enormous.
| ajross wrote:
| That's sort of a semantic argument. To be clear: I was
| contrasting "choosing a side" (in this case by senselessly
| pranking your npm customers) as being a "practical" choice,
| vs. the "principled" stand taken to avoid the conflict out
| of a general sense of open source decorum. Obviously in
| some sense all decisions are based on "principle".
|
| And the point is that it's a war. We've crossed the "bad
| things are going to happen" Rubicon already. You can't make
| principled arguments like that against people who have
| chosen to engage in a war out of the hope or desire for one
| side to win. They already did that moral calculus. It's
| like telling someone they shouldn't defend their home
| because pacifism is more important. You might be right, but
| you won't change anyone's mind.
| [deleted]
| AeroNotix wrote:
| What rights are you inalienably afforded from open source?
| armchairhacker wrote:
| iirc npm has support for pinning dependencies, you just have to
| remove the "^" at the start of the dependency version. Is there
| a global option in npm or yarn or pnpm? Why don't they make
| this the default?
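An added check, not code from the thread or from npm itself, that answers the pinning question mechanically: it audits a package.json manifest (a constructed sample is embedded) and reports every dependency whose specifier is a range rather than one exact version, so a later publish cannot be pulled in silently. The specifier classes follow npm's manifest syntax; the sample package names and versions are made up for the demonstration.

```javascript
// Added example (not from the HN thread): find dependency specifiers in a
// package.json that are not pinned to one exact version. A range such as
// "^9.2.1" lets any later release of the package be installed on the next
// `npm install`, which is exactly how a protestware release reaches users.

// Constructed sample manifest; names and versions are illustrative only.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "left-pad": "1.3.0",
    "node-ipc": "^9.2.1",
    "express": "~4.17.0",
    "lodash": "*",
    "chalk": ">=4.0.0 <5",
    "colors": "latest",
    "my-lib": "git+https://example.invalid/my-lib.git#v1.0.0",
    "local-pkg": "file:../local-pkg",
    "debug": "npm:debug@4.3.4",
  },
  devDependencies: {
    "jest": "27.5.1",
    "typescript": "4.x",
  },
});

// An exact specifier is a bare semver version (MAJOR.MINOR.PATCH, optional
// pre-release/build suffix) with no range operator in front of it.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classify one specifier string. Returns null when it is pinned, otherwise a
// short reason describing why a newer version could be installed.
function classifySpecifier(spec) {
  // npm accepts "=1.2.3" and "v1.2.3" as exact versions; normalise them.
  const s = spec.trim().replace(/^[=v]/, "");
  if (EXACT_VERSION.test(s)) return null;
  // Alias form "npm:name@version" is pinned only if the version part is exact.
  const alias = s.match(/^npm:(.+)@([^@]+)$/);
  if (alias) return classifySpecifier(alias[2]);
  // Local paths are not fetched from the registry at all.
  if (/^(file:|link:)/.test(s)) return null;
  // Git / URL / "user/repo" dependencies are pinned only by a full commit hash;
  // a tag or branch name can be moved after the fact.
  if (/^(git\+|git:|github:|https?:)/.test(s) || /^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) {
    return /#[0-9a-f]{40}$/.test(s) ? null : "git/URL dependency not pinned to a commit hash";
  }
  if (s === "" || s === "*" || s === "latest") return "floating (any version)";
  if (/^[\^~]/.test(s)) return `range (${s[0]} allows newer releases)`;
  if (/[<>=|\s]/.test(s)) return "range (comparator set)";
  if (/[xX*]/.test(s)) return "range (wildcard)";
  if (/^\d+(\.\d+)?$/.test(s)) return "range (partial version)";
  return "unrecognised specifier";
}

// Audit a package.json text. Returns one finding per unpinned entry across the
// dependency sections so the result can be printed or used to fail CI.
function auditPackageJson(text) {
  const manifest = JSON.parse(text);
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const reason = classifySpecifier(String(spec));
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample.
for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.section}: ${f.name}@${f.spec} -> ${f.reason}`);
}
```

npm's own `save-exact` setting (`save-exact=true` in `.npmrc`) makes `npm install` write exact versions, which is the global option the comment asks about. Pinning direct dependencies still leaves transitive ones to the lockfile, so the check is only meaningful together with a committed lockfile and `npm ci`.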
| roenxi wrote:
| There is so much wrong with this situation. Are developers who
| do something like delete-based-on-IP liable for some sort of
| civil or criminal penalty? Attempting to do active harm to a
| computer surely can't be legal.
| feross wrote:
| We're building Socket to stop this exact type of attack. See
| https://socket.dev
|
| Socket turns the whole npm security problem on its head and
| asks: what if we assume all open source may be malicious? Can
| we proactively detect indicators of compromised packages?
| What's the simplest way to mitigate this risk without hurting
| usability?
| jollybean wrote:
| " That would make them bad regardless of how correct their
| expressed positions are about the Ukraine war."
|
| ? 'Supply chain attacks' are exactly the kind of thing we would
| want to wage on a nation possibly in this current situation.
|
| We would definitely wage supply chain attacks against a
| theoretical Hitler, and this situation approaches that.
|
| 'Open Source Contracts' ideals are a bit moot during a war, which
| we have been dragged into given the fact the world is
| interconnected. FOSS is an ideal of economic civility which
| doesn't exist during a war.
|
| The 'consideration' that we might use right now is not one of
| legality or civility but pragmatism - an attack directly on
| Russia might be contemplated as an act of war. 'Not Doing
| Business' with them is something else.
| fxtentacle wrote:
| Apparently I didn't make that part clear enough: This is a
| supply-chain attack against EVERYONE using their project.
| Those users will be 99% innocent civilians.
|
| I might one day have an IP that is accidentally mis-
| classified as Russia. I mean those Geo-IP services are only
| like 95% accurate and they go out of date pretty quickly and
| updates are expensive. Plus .RU VPN services used to rent
| subnets in the US all the time. But then all of my files get
| deleted because someone wanted to make a point. So then I'm
| collateral damage in someone's remote fight in a war that
| neither of us were actually involved in.
|
| Your argument is a bit like saying "It's OK to use chemical
| weapons because we're the good guys." They are not banned to
| protect soldiers, they are banned to protect civilians. And
| most likely, node-ipc's patch will hurt many more innocent
| civilians than it'll hurt Russian soldiers. It's the software
| equivalent of indiscriminate bombing.
| toss1 wrote:
| >>'Open Source Contracts' ideals a bit moot during a war
|
| THIS!!
|
| Russia's govt is happy to commit multiple war crimes in its
| unprovoked assault on Ukraine, and Putin just signed a bill
| expropriating $10 billion in leased airplanes that are
| stranded in Russia.
|
| This is war. With a country that clearly hasn't gone past the
| amorality of the Axis powers in WWII, yet now has 21st
| century weapons.
|
| And some dolts here think the sanctity of Open Source
| contracts is more important?
|
| There is a lot of brilliance here on HN, but this is also a
| display of some of the insane levels of myopia here. The fact
| that this is even considered anything more than trivia and
| you are downvoted to a very light gray is evidence of that.
|
| Wow.
| samwillis wrote:
| This is exactly the problem with "uncurated" package managers
| like NPM and PyPI and where a curated package system like APT and
| RPM offer such a strong advantage. Far fewer people for you to
| have to put your trust into, but still a trust based system. They
| have gone so completely out of favour though.
|
| It's understandable why people moved to the uncurated systems;
| it's so much easier to publish and so the variety of what's
| available is brilliant. But I don't think the tooling is there
| yet with all the languages that use them. Really we should have
| the ability to control permissions at the library level, choosing
| specifically what they can do.
|
| Deno is doing some interesting things at the app level but has
| any language done anything with library level permissions?
|
| Maybe we will see a movement back to the curated package
| managers, there may even be an opportunity to provide a curated
| service layer over the uncurated package managers like PyPI and
| NPM, possibly a paid service?
| zokier wrote:
| > there may even be an opportunity to provide a curated service
| layer over the uncurated package managers like PyPI and NPM,
| possibly a paid service?
|
| Anaconda comes to mind, and I've heard that for Haskell there
| is Stackage.
| asiachick wrote:
| I don't really think it has anything to do with curated. It has
| to do with popularity/accessibility. There are more JS
| programmers than just about anything (my belief) and they have
| an easy to use and contribute package manager. (unlike say
| C/C++). Curation, IMO, would crumble under the pressure.
|
| Also AFAICT, Rust's package manager is uncurated? So is Swift's
| but AFAIK Swift doesn't really have an "official" manager and
| so doesn't have the conditions for the same level of
| popularity/accessibility.
|
| Maybe that suggests no package manager is better? The C/C++
| way? Because spreading malware is harder? Of course conversely,
| accepting exploit fixes is harder.
| malka wrote:
| I think a better solution would be to never execute anything
| unsandboxed.
| zokier wrote:
| > has any language done anything with library level
| permissions?
|
| Java Security Manager?
| Dove wrote:
| We have parallel problems in science and in software.
|
| My faith in science was never in the moral character of
| scientists and their organizations - individuals and
| organizations are always vulnerable to corruption. My faith was
| in the principle of replication. If anyone can repeat an
| experiment, we can all see for ourselves what is true, and a
| community dedicated to that (and individuals with a healthy fear
| of the process) is reliable.
|
| Only, we don't replicate experiments. We got so busy and excited
| building on what had gone before that we've built some huge
| houses of cards on questionable foundations, because who wants to
| spend time and money doing replication? Distracted by the free
| riches, we neglected what had always been the source of our
| strength, and here we are - arguing over who funded studies and
| fuming over the replication crisis.
|
| Where are the critics who say, "I can't trust that paper - it's
| impossible to replicate!" Where are our Poppers who insist on
| falsifiability? An entire community that frowned on complexity
| and opaqueness and walled gardens of data, a community that
| trusted things insofar as they had been replicated and
| re-examined from many angles and proven sound, would force us
| towards a level of simplicity, honesty, and reliability that
| science should have. Instead, a general agreement to pursue
| individual and institutional glory at the expense of upholding
| foundational principles has rotted the foundation of the
| endeavor.
|
| Put simply, I trust science because you can replicate it. But for
| whatever reason, (and I can't propose a specific solution, but),
| to the degree our community is not devoted to replication, it
| loses its trustworthiness.
|
| Software has a parallel problem.
|
| I don't trust open source software because I trust the character
| of developers or institutions. I trust it because it can be
| examined and fixed. Because of reproducible builds. Because
| anyone can examine it, anyone can build it, no trust of
| individuals or organizations is needed. A community that insists
| on such features and abhors offerings that offend these
| principles will steer us towards a level of simplicity,
| comprehensibility, reproducibility that open source software
| should have.
|
| But we are all so excited to build things on top of other things
| that we spend much more time multiplying dependencies and
| layering on complexity than worrying about foundational
| principles. We are now seeing the rotting foundations.
|
| There are people who complain about whether code can be examined,
| or factors that make it difficult. It is becoming increasingly
| important to listen to them! A community that celebrated open
| source software, not only for what it can functionally do, but
| for how _open_ it is, is what is needed to maintain those
| foundations. A community that has trust issues with unexaminable
| long dependency chains, that is sensitive to the difference
| between software that has been around the block and examined for
| a long time, and software that some guy just put out last night.
|
| Put simply, I trust open source because you can examine it. But
| for whatever reason, (and I can't propose a specific solution,
| but), to the degree our community is not devoted to examination,
| it loses trustworthiness.
|
| Reserve your trust for communities that take seriously the
| principles that trust is built on.
___________________________________________________________________
(page generated 2022-03-18 23:00 UTC)