[HN Gopher] Open source 'protestware' harms Open Source
___________________________________________________________________
Open source 'protestware' harms Open Source
Author : TangerineDream
Score : 303 points
Date : 2022-03-24 13:13 UTC (9 hours ago)
(HTM) web link (opensource.org)
(TXT) w3m dump (opensource.org)
| Mikeb85 wrote:
| Isn't NPM all malware anyway? /s
|
| Seriously though, adding malware to OSS code harms trust. I'm
| down with messages or comments in support of X cause though.
| cosmiccatnap wrote:
| cestith wrote:
| Bram Moolenaar famously uses Vim to raise awareness. A VPN
| package, dead drop website, steganography package, onion router,
| multi-point P2P routing mesh drivers, or other software and
| education on how to use them could really make a difference for
| dissidents. There are certainly productive ways to use software
| to support protests, organizing, workers' strikes, or even
| support targeted sabotage or insurrections without
| indiscriminately destroying people's data.
| alexb_ wrote:
| He uses it to help starving children by including a message on
| startup. That's a little more agreeable and less political than
| all of the things you listed. To try and compare it is fucking
| absurd.
| dspillett wrote:
| _> That's a little more agreeable and less political_
|
| I don't think the difference is the message and how political
| it might be, but the way the message is delivered.
|
| A message, or even refusing to run[1], is completely different
| to deleting or corrupting data.
|
| [1] though unless that is very precisely targeted I'd still
| think it a step too far.
| shkkmo wrote:
| Huh? It isn't really clear what you are arguing against. The
| commenter you are responding to is agreeing with the article
| that using your project to spread a message is ok and
| possibly even helpful.
|
| It is betraying that trust to make indiscriminate attacks
| that harm. If people want to do more than just add a
| message, the author points out a number of types of software
| that people can contribute to that would have a more direct
| positive impact.
| twofornone wrote:
| I miss the golden age when people more or less adhered to a "no
| politics at work" rule. Yes it's not possible to be 100%
| apolitical in most decisions but that's not an excuse to inject
| unrelated political signaling into everything.
| young_unixer wrote:
| On one hand, I don't want to be anywhere near protestware when it
| comes to my work or the tools I use.
|
| On the other hand, Javascript developers have a whole different
| culture than the developer circles I like to frequent. In npm-
| land, the societal expectations of quality and solemnity (for
| lack of a better word) are lower, and this kind of behaviour is
| even celebrated if it favors the "right cause".
|
| The last two cases we've seen (faker/colors, node-ipc) just took
| it one step further, but we've seen a lack of seriousness from
| both the npm organization and the community during the last...
| what? 6 years? At this point, if you stay in the whole npm
| ecosystem, it's understood that you do so at your own risk.
| duxup wrote:
| >Javascript developers have a whole different culture than the
| developer circles I like to frequent.
|
| Most Javascript developers I know are just writing code and
| that's what they're concerned with.
|
| Vocal voices on twitter or etc != most Javascript developers.
|
| I'd argue most vocal folks on forums or etc don't represent
| most developers of any given language.
| nimih wrote:
| > I'd argue most vocal folks on forums or etc don't represent
| most developers of any given language.
|
| Sure, but for some reason, this stuff seems to only happen in
| the JS community (at least to my knowledge and recollection,
| which admittedly may be faulty). Maybe it's the fault of the
| tooling or the language, but python is another popular
| language which has historically had quite a messy answer to
| dependency management, and I don't remember ever hearing
| about an open source python developer throwing a hissy fit
| and trying to wipe the hard drives of everyone who uses their
| software.
| duxup wrote:
| >this stuff seems to only happen in the JS community
|
| What stuff? Drama? That happens everywhere.
|
| Malware? That stuff happens a lot of places, maybe npm
| makes it more accessible but that's just a technical hurdle
| ... doesn't mean it wouldn't happen elsewhere if folks
| could do it easily.
| nimih wrote:
| I'm talking about the particular sort of incident
| mentioned in the grandparent post, where a dev gets a bee
| in their bonnet about something or other and decides to
| purposefully screw over their users. Other ecosystems
| have had supply chain attacks of course, but something
| about JS seems to really encourage turning run-of-the-
| mill internet drama into CVEs and broken software.
|
| Maybe, as you say, it's a technological problem. However,
| if that's the case, it's an eminently solvable one, as
| evidenced by the fact that I've never in my life had to
| avoid bumping my Java dependencies because I'm worried my
| CI pipeline will be overrun with heart emojis, and the
| fact that the JS community has _not_ solved it just
| points to a different kind of un-seriousness.
| HideousKojima wrote:
| Sure, just like most men aren't violent criminals but men are
| still statistically more likely to be violent criminals. The
| point is that JS devs seem (perhaps a proper statistical
| study will show otherwise) more likely per capita to shit up
| their ecosystem. There are several reasons contributing to
| this (the limited JS standard lib being a big one) but a
| major part of it really seems to be that JS devs are a
| different breed.
|
| I've never seen controversies like this in the .NET/Nuget
| ecosystem, the only controversies I've ever seen there are
| over libraries changing licenses to make the authors more
| money, and controversies over Microsoft exercising too much
| control over the ecosystem.
| devmunchies wrote:
| > men are still statistically more likely to be violent
| criminals
|
| I think you meant criminals are more likely to be men.
| HideousKojima wrote:
| No, I meant exactly what I said, more men are violent
| criminals per capita than women. What you said is also
| true, but it's not what I meant.
| devmunchies wrote:
| Oh you meant in relation to women. I misinterpreted that
| you were saying if you pick 10 men, then over 5 of them
| are violent criminals.
| NhanH wrote:
| Moreover, unless we are talking about a very unusual
| subset of the population, the ratio of men:women is
| always almost 1:1, which renders the two statements
| functionally equivalent.
| lobocinza wrote:
| They're equivalent, in this case.
| gruez wrote:
| They're both talking about the same phenomena and are
| technically correct, but the framing is different.
| Specifically, the latter wording tries to defuse blame on
| males.
| krsrhe wrote:
| Tade0 wrote:
| > but a major part of it really seems to be that JS devs
| are a different breed.
|
| Can you really make such generalizations considering there
| are millions of JS devs, some of them not working
| exclusively in this language?
| pbourke wrote:
| > I've never seen controversies like this in the .NET/Nuget
| ecosystem
|
| Some .NET ecosystem projects have put political messages on
| their documentation over the past couple of years.
| gs17 wrote:
| I think they meant "controversies" more in the "adding
| malware to a common dependency" sense.
| edgyquant wrote:
| I don't think it is understood. Most people who write
| JavaScript aren't keeping up with the latest drama. I hadn't
| seen any of these political complaints before this thread and
| I'm a lead engineer on a full stack typescript stack. Not that
| I have an opinion either way I just don't think you can
| reasonably expect devs to keep up with stuff like this.
| ep103 wrote:
| I think keeping up on things like this is the bare minimum
| expectation I would have of any lead developer worth his or
| her salt, because keeping up on things like this is a
| fundamental aspect of knowing the technological ecosystem in
| which you claim to have the skills and knowledge in which to
| make decisions about things like which technical ecosystem
| your entire team should be using.
|
| Whether or not most engineers _do_ keep up on things like
| this, is a different question. But that's why there's a large
| range in salaries for similar positions across our industry.
| duxup wrote:
| >I think keeping up on things like this
|
| Keeping up on actual code related concerns yeah. Internet
| drama, no.
| ocdtrekkie wrote:
| I think if you pull in code from all sorts of random people
| across the Internet, you probably absolutely should have some
| idea what risks that entails, and stay aware of the "latest
| drama", so you know when running "npm update" is likely to
| ruin the rest of your day.
|
| Of course, the ideal solution is just to not use an ecosystem
| where pulling in code from all sorts of random people is
| common.
| edgyquant wrote:
| Hard disagree. Needing to follow the politics of every
| piece of your tech stack is a ridiculous way of doing
| things. We should have a system to verify if a module is
| malicious or not, that's an engineering problem,
| politicking about in open source communities is not.
| Engineers should be engineering things.
| ocdtrekkie wrote:
| You can not engineer away human problems. I agree that's
| a ridiculous way of doing things, but it's the only
| reasonable way to use Node! Which is to say, I think Node
| is not a great tech stack if you do not want to follow
| drama.
|
| Adding an antivirus scanner to your Node project is not
| going to fix this. It certainly hasn't solved the malware
| issue in the last few decades for PCs.
| edgyquant wrote:
| At the very least don't task your principal engineer with
| solving human problems then. I stand by my initial
| comment that that is a waste of a good engineer's time and
| mental health.
| ekianjo wrote:
| > Instead of malware, a better approach to free expression would
| be to use messages in commit logs to send anti-propaganda
| messages and to issue trackers to share accurate news inside
| Russia of what is really happening in Ukraine at the hands of the
| Russian military, to cite two obvious possibilities
|
| How about not taking sides instead of acting like a kid believing
| one side is black and the other white with absolutely no gradient
| in the middle? Also, propaganda goes both sides, just like in
| absolutely every conflict in History. Stop being a tool of your
| own government.
| pvaldes wrote:
| Cut the BS. One part has been reported mass butchering newborns
| and pregnant women in hospitals. I could hardly think of
| anything more wrong than this.
|
| There is no 'I can explain it' or 'this is not what it seems'
| or 'they must have a reason' or 'just kidding' here. This is
| not normal behavior in humans.
|
| There is not any gray area about the war crimes of the Russian
| army. It has been videotaped, narrated, proven and reported
| extensively. Each building is a proof. And now they are talking
| about using chemical weapons to speed up this genocide.
| Seriously, what were Russians expecting? A clap?
|
| Not taking sides? We are animals brain-wired to develop a
| strong reaction of seek and destroy in these cases. In less
| civilized times the murderers would be hunted and mashed to
| ground meat.
|
| No more excuses. Don't call us kids, silly, ignorant,
| inconvenient or Russophobes. We are furious. We want this to
| stop. Right now.
| _Nat_ wrote:
| A lot of folks are just anti-war and are protesting the
| invasion for being an act of military-aggression.
| dmos62 wrote:
| > How about not taking sides instead of acting like a kid
|
| If you have the power to do something and you don't, that's
| taking a side. You either oppose something or you enable it. At
| least own that. If you're saying you're neutral, you either
| agree with the unpopular side and are scared to admit it, or
| you can't form an opinion because you're uninformed and thus
| uncivil, or you feel unaffected by what's happening and thus
| discompassionate. Either way, that's pretty much the definition
| of "acting like a kid".
|
| By the way, everything is not propaganda: anti-propaganda can
| just be the truth.
| ekianjo wrote:
| > If you have the power to do something and you don't, that's
| taking a side.
|
| Pushing political commit messages is not "power". If you like
| like everyone around you you are not a rebel, just a
| conformist.
|
| And using indiscriminate IP-location malware to annoy people
| is the textbook definition of evil child behavior. I'm not
| sure what exactly you are trying to defend here.
|
| > By the way, everything is not propaganda: anti-propaganda
| can just be the truth.
|
| How do you know what the truth is when you have no foot on
| the ground?
| dmos62 wrote:
| > Pushing political commit messages is not "power".
|
| I'm not debating whether it works or whether it's the right
| form of activism. I'm responding to your comment. Namely
| you saying that taking a side is childish.
|
| > If you like like everyone around you you are not a rebel,
| just a conformist.
|
| If your goal is to follow the herd, that's bad. If it's to
| go in the opposite direction, that's the same thing. I'd
| encourage a person like that to think about more than
| himself.
|
| > How do you know what the truth is when you have no foot
| on the ground?
|
| Are you disputing Russia's recent invasion of Ukraine?
| mwcampbell wrote:
| > Are you disputing Russia's recent invasion of
| Ukraine?
|
| Not the GP. I don't specifically dispute that. But in a
| time when many fictional stories can be told through
| video, I think it's reasonable to be unsure and neutral
| on things that we don't have direct knowledge about. Put
| another way, I think being neutral and silent by default
| is a necessary defense against manipulation.
| krapp wrote:
| >Put another way, I think being neutral and silent by
| default is a necessary defense against manipulation.
|
| But what if the purpose of the manipulation is to
| suppress dissent, or at least encourage passive
| acceptance of the status quo, by convincing people to
| remain neutral and silent?
| mwcampbell wrote:
| The people who have certain knowledge of something wrong
| in the world, through firsthand experience or domain
| expertise, should certainly speak out. For example, I'm
| vocal about accessibility for blind people, perhaps to a
| fault. But I think we should be silent about things that
| we don't have direct knowledge about. Otherwise, we're no
| better than computers in a botnet sending out spam.
| That's why, lately, I've unsubscribed from multiple
| political mailing lists that keep pestering me to sign
| this petition or talk to my legislator about that
| important issue. I realize that I don't know enough to
| have an informed opinion on these things, and I don't
| want to be manipulated. (Yes, the fact that I
| unsubscribed implies that I went through a period where I
| was more involved in things I don't have expertise about;
| I was wrong in that.)
| [deleted]
| krapp wrote:
| >The people who have certain knowledge of something wrong
| in the world, through firsthand experience or domain
| expertise, should certainly speak out.
|
| To whom? If everyone followed the rule you're proposing,
| the only people they could speak out to are people who
| share their firsthand experience or domain expertise.
| Communicating further would necessitate secondhand
| information or some form of media which can't be trusted,
| as it could possibly contain some manipulating element.
| Who could Ukrainians ask for help from? The Russians?
| Would everyone else be required to fly to Ukraine to try
| to verify the existence of the war firsthand before
| having an opinion?
|
| There are more important things than being made a fool of
| sometimes. The risk of being manipulated exists no matter
| what you do, or don't do, and you can never have perfect
| knowledge of any situation, even if you're an eyewitness,
| because human perception itself is fallible, limited to a
| single perspective and prone to self-deception.
| BaronVonSteuben wrote:
| > _If you have the power to do something and you don't,
| that's taking a side. You either oppose something or you
| enable it. At least own that. If you're saying you're
| neutral, you either agree with the unpopular side and are
| scared to admit it, or you can't form an opinion because
| you're uninformed and thus uncivil, or you feel unaffected by
| what's happening and thus discompassionate. Either way,
| that's pretty much the definition of "acting like a kid"._
|
| I think this is an interesting argument, and I think it
| translates to a real world example quite well. For example,
| if my older kid hits younger kid I have to either:
|
| 1. Punish the older kid, taking the "side" of the younger kid
|
| 2. Not punish the older kid, thus taking the "side" of the
| older kid
|
| however I think there's more nuance here than just that,
| because either of the kids could be lying. I wasn't there, I
| have no video footage or proof, so I can only investigate and
| interrogate, and at some point I have to make a decision.
| Often times it comes down to the question of which is worse?
| Punishing an innocent kid, or letting a crime go unpunished?
|
| The answer to that is far from clear to me. As an authority
| and neutral arbiter, I have a duty to administer justice, and
| I don't think taking a view that punishing an innocent can
| be worse than not punishing a guilty one (obviously individual
| circumstances really matter here).
|
| I also have a full time job, and I can't arbitrate between my
| kids all day long. I have limited time/attention. Given that
| there are dozens of issues every day that come up, and I
| don't have enough bandwidth to handle them, some packets will
| by necessity have to drop.
|
| How do you know which position on which issue is the "right"
| one to default to when you don't have enough information?
| Given your argument, you must default to one of them. What
| criteria do you use when you have limited info?
| matsemann wrote:
| Not taking a side is agreeing with the oppressor.
| swat535 wrote:
| Estonia, Ireland, Latvia, Lithuania, Portugal, Spain, Sweden,
| and Switzerland... remained neutral during World War II.
|
| Are you saying they were agreeing with the oppressor? It must
| take some serious mental gymnastics on your part to write
| such a statement.
| raxxorrax wrote:
| Then you better be a well informed person or otherwise you
| will quickly become the latter.
| ekianjo wrote:
| No, not taking sides is just not taking sides. There's no
| need to turn such a position into a shortcut to something
| else. It's as stupid as the kids saying "if you are not with
| us you are against us". Typical populist bullshit.
| slackfan wrote:
| matsemann wrote:
| How hard is it to just say "I think Russia is wrong for
| invading Ukraine and killing people"? That's all you have
| to do. Just write it.
|
| If you can't do that, but still want to engage in the
| discussion on the topic, your standpoint is clear. You're
| not some holier person not taking a stand. You have taken
| one, you just don't dare to spell it out.
| baud147258 wrote:
| I can still say that Russia is wrong for invading Ukraine
| and say that the protestware we're talking about in the
| thread is wrong too (a different, lesser wrong, though)
| matsemann wrote:
| Of course. What I take issue with is the "don't choose
| sides"-people often say both are wrong, as if they are
| _equally_ wrong. In these issues, it's one part killing
| or denying others their way of living, and others
| protesting the oppressors.
| avgcorrection wrote:
| People with a contrarian streak are never going to
| performatively denounce something on command if they want
| to make a point which is unrelated to that denunciation.
| Turing_Machine wrote:
| Because if I spend my time writing down everything I
| think is wrong with the world, I literally will not have
| time to do anything else.
|
| Your cause is not more important than thousands of other
| causes, and my refusal to spend my time amplifying your
| viewpoint does not in any sense imply I agree with the
| opposing view.
| matsemann wrote:
| That's a fair point, but not when one intentionally
| enters a discussion about a conflict. Can't both claim no
| side and simultaneously pretend the aggressor is just as
| bad as the protester.
| mwcampbell wrote:
| If I'm not mistaken, though, the discussion here isn't
| about the Russia versus Ukraine conflict itself, but
| about appropriate ways to show support for a political
| cause in general, and whether it's even appropriate to do
| so in particular contexts. On that meta-issue, I think
| it's possible to state an opinion, without implying any
| position on the conflict of the moment. And if I'm not
| mistaken, some people _are_ saying that it's obligatory
| to state an opinion on the conflict of the moment; that's
| what some of us are disagreeing with.
| ekianjo wrote:
| > If you can't do that, but still want to engage in the
| discussion on the topic, your standpoint is clear.
|
| That's not the topic at hand. The topic is, you don't
| need to pollute every thing you work on out there with
| your preachy opinions on every single topic, especially
| when you are wholly ignorant about what's actually
| happening, the ins and outs of the conflict, because you
| are in a state of constant propaganda, whether you are in
| Russia or in the West.
|
| And this is not just about the conflict at hand, it's
| about this disgusting habit these days of bringing
| politics in all walks of life where it was not before.
| matsemann wrote:
| You can't blame people for doing whatever they can when
| they are literally being bombed. Same with BLM mentioned
| in another subthread, it's easy not to care when the
| issues don't affect you, but for others it's their daily
| life. Of course it colors what people do.
|
| People who claim there were no politics before, were just
| oblivious to others' struggle. Which is ok, but it still
| happened, you were just sheltered or privileged.
| baud147258 wrote:
| > You can't blame people for doing whatever they can when
| they are literally being bombed.
|
| Are the authors of the change in question actually in
| Ukraine? And I'm pretty sure that technical minded people
| there could find better uses for their talents, rather
| than petty vandalism
| ekianjo wrote:
| > You can't blame people for doing whatever they can when
| they are literally being bombed.
|
| I can't remember when people cared about the bombs
| falling everyday in Yemen. How absurd is it for people to
| suddenly care and cry publicly about one country's
| conflict while another much bloodier one, not too far
| away, is being completely ignored. Is their blood less
| red? Are their children worth less? Systemic racism
| maybe, since these are not white people?
|
| Mass media (including social media nowadays) is what
| shapes what people care and feel concerned about. It's
| not about people's values, this goes on to say a lot more
| about how easy people can be manipulated to project
| violence onto anything they had no clue about 5 minutes
| ago, as long as you repeat it all day long.
| gruez wrote:
| So by this logic, if your blog/commit logs don't
| contain:
|
| * russia invaded ukraine
|
| * vaccines work
|
| * wear a mask
|
| * black lives matter
|
| * trans women are women
|
| * abortion is a right
|
| then you're a pro-russian, vaccine-denying, anti-mask,
| white supremacist, transphobic, misogynist?
| matsemann wrote:
| No one said that. I'm saying that if you cannot answer
| which "side" you're on, but still engage in the
| discussion (and thus have knowledge / interest in the
| subject), it's obvious for everyone to see.
| gruez wrote:
| That's not what we were talking about though? In the
| context of this thread, we were talking about the behavior
| of open source projects, not people engaging in political
| debates.
| Cederfjard wrote:
| Are there limits to this, or do you think "not taking
| sides" is a morally defensible position to have regarding
| everything? Is it ethical to be neutral when it comes to
| the holocaust?
| mwcampbell wrote:
| I think it's OK to refrain from taking sides about
| anything that we don't have firsthand knowledge about.
| There's no shortage of political and moral busybodies in
| the world, especially now that we have the Internet. I'm
| sure I've been one at times. So I think it's not so bad
| if we start going in the other direction, just minding
| our own business and sticking to things we can actually
| do something about. I should get back to that.
| Turing_Machine wrote:
| It's perfectly ethical to not be loudly and publicly
| performing an anti-holocaust view 24/7/365, and failing
| to do that does not make one "pro-holocaust".
|
| The list of Bad Things is endless, and failing to address
| any one of them does not make you in favor of that Bad
| Thing. It just doesn't.
|
| You're just trying to bully people into spending their
| time amplifying your particular protest, and bullying in
| itself is a Bad Thing.
| slackfan wrote:
| cryptoegorophy wrote:
| Not silent when it is Ukraine, but other non white part of
| the world - it is ok to be silent, right? BLM "peaceful"
| protest also ok to be silent? Since when did we switch
| from Covid experts to Ukraine experts? Can you even find
| Ukraine on the map? The only non silent thing that should be
| engraved in anyone's head is - war is bad.
| bitcharmer wrote:
| Russia's aggression is pretty one sided. Not taking sides is
| like turning your eyes away.
| slackfan wrote:
| Errancer wrote:
| How about taking sides instead of acting like a kid believing
| the existence of gray negates the existence of white and black.
| Perspectivism is the beginning of inquiry, not the end of it.
| Stop being a tool of your own social superstitions.
| boffinism wrote:
| Using the existence of shades of grey to deny the existence of
| black and white is equally childish in my opinion...
| GranularRecipe wrote:
| Open source is driven by many opinionated and idealistic people
| who also worry about the current geopolitical development. They
| might make their opinions known in a non-destructive manner.
|
| You might not like it, fair enough, but expressing one's
| opinion in commit messages is neither childish nor an
| instrumentalisation by any government.
| ekianjo wrote:
| > expressing one's opinion in commit messages is neither
| childish nor an instrumentalisation by any government.
|
| It's childish because it's incredibly naive to think that
| commit messages are going to change anyone's mind. Instead
| they will look like someone preaching for no reason. Next,
| how about doing an online petition as well? /s
| [deleted]
| cuteboy19 wrote:
| There are no "two sides" to imperialism.
| WesolyKubeczek wrote:
| Was this also your stance during BLM protests? Asking for a
| friend.
| foolzcrow wrote:
| CodeWriter23 wrote:
| This is why I file node_modules into the project's repo, so as to
| avoid the ever-expanding perils of npm install.
| makecheck wrote:
| One of the things I think protestware doesn't understand is that
| the "users" of something are not clear-cut, and that should be
| especially obvious for things like chains of dependencies in
| modules/libraries. In other words, some (if not many or even
| _most_ ) people have _no idea_ that something _else_ they use (or
| even need) is depending on your stupid module.
|
| For example, how would I know if my mouse driver software happens
| to use a certain Node module, and one of its auto-updates just
| starts breaking things? Yes, it would be a stupid technical
| decision on the part of the mouse driver company (and that
| company would ultimately be responsible for the fallout) but how
| does that help the person _actually_ affected, in the meantime?
| And did the protestware developer really not think that someone
| "downstream" like this could be affected by such decisions? Not
| everyone is sitting at a terminal seeing a message printed out.
|
| Of course there are other reasons too, e.g. you completely
| destroy your credibility as a project (or even potential employee
| in the industry) by pulling stunts like this, and how could that
| be worth it in the long run?
| merrywhether wrote:
| So company is making mice in bad place X, mice break after
| update, tech sleuths inevitably link mouse problem to
| protestware, people start asking questions about company? Isn't
| that potentially causing change? Doesn't that specifically rely
| on affecting downstream users? So you weigh the likelihood of
| positive vs negative outcomes against your risk tolerance and
| act accordingly.
|
| I'd personally think that working on Truth Social would
| permanently affect your credibility in the industry, yet they
| have some devs who probably feel proud to work there. So people
| have different priorities in their lives.
| _fat_santa wrote:
| > and how could that be worth it in the long run?
|
| fake internet points.
| akagusu wrote:
| The problem is not protestware, sabotage, or whatever. The
| problem is who does it.
|
| Suppose US government did this to sabotage Russia, since it
| cannot directly act against Russia because it would trigger
| WWIII. Nobody would care about.
|
| But this guy doing it, or you, or me? No. We are not allowed.
| shkkmo wrote:
| > Suppose US government did this to sabotage Russia, since it
| cannot directly act against Russia because it would trigger
| WWIII. Nobody would care about.
|
| I would care even more about it. I absolutely don't want our
| government destroying trust in open source in such a fashion.
| minerva23 wrote:
| Unpopular opinion: telling people they need to keep their
| protests non-disruptive is akin to telling them they can't
| protest. "Protest in a way where I can ignore you."
|
| Do I think "protestware" is a bad idea? Sure. Am I going to tell
| them to take their fight for human rights elsewhere? Not a
| chance.
| Traster wrote:
| >The "weaponization of open source" as Gerald Benischke calls it
| in his March 16 blog post is indiscriminate, and the collateral
| damage it causes damages the work of developers and operators
| solely because they have a Russia-assigned IP address. It harms
| peacemakers as much as the warmongers--even ethical hackers using
| a VPN to work against the invasion might become collateral
| damage.
|
| I think this is a weirdly bad argument. All the sanctions against
| Russia harm pretty much all Russians because they're in Russia
| even if they're peacemakers. That's just the price of using
| sanctions. You can absolutely apply that to open source - block
| all Russian IPs and say "Sorry, but we endorse the sanctions that
| our government has put on Russia, and we're going to boycott your
| country for that reason" - just the same way that hundreds of
| western countries have pulled their businesses out of China.
|
| Now they also make the argument that it's ineffective - that
| you're ruining your own codebase to try and make Russia suffer,
| but at the end of the day that's a judgement for the developer of
| the repo.
|
| It's also naive to think posting "anti-propaganda" in commit logs
| is in any way an effective way of circumventing censorship, at
| best you're just hoping that your obscurity prevents you being
| censored, but that's basically just playing by the censors rules.
| Aperocky wrote:
| > same way that hundreds of western countries have pulled their
| businesses out of China.
|
| First of all, there aren't 100s of western countries...
| Traster wrote:
| Sorry, meant companies not countries.
| duxup wrote:
| "proestware" is just malware.
| seanw444 wrote:
| I just don't understand what the node-ipc dev was expecting when
| he did that.
|
| "Hm, maybe if I put malware into a community-trusted module that
| destroys files of people in a certain geopolitical region, the
| countless innocent citizens that are affected will realize what
| they did wrong! Wait, who am I actually targeting again?"
| DoctorOW wrote:
| Surprised I didn't see this elsewhere in the thread but what
| they were thinking was totally different. From what I've heard
| the code wasn't meant to destroy files, it was buggy.
|
| Sure it was negligence with a bad outcome, but the intentions
| were good.
| Larrikin wrote:
| Probably hoped the effects would negatively affect people there
| so they could put pressure to stop the murder of other innocent
| civilians.
|
| Arguments like this are similar to the BLM protest that try to
| equate property with human lives.
| HideousKojima wrote:
| I have a legal (and moral) right to defend my property, often
| with deadly force. My property came into my possession by my
| own labors and time, i.e. by sacrificing part of my life to
| obtain it. Even if the property was gifted to me, that means
| that _someone else_ sacrificed part of their life to give it
| to me. When someone violates my rights in the process of
| "protesting" something, I am legally and morally justified in
| using force to protect my rights. This includes the right to
| the property that I own.
| Larrikin wrote:
| Where is this true? In the US you have the right to murder
| if the person is in your home and in some states you have
| the right to murder if you feel your life is being
| threatened, in this case because you're being robbed.
|
| If you left your car running while you ran into the store
| you don't have the right to shoot the guy in the back as he
| drives off. You file a police report and potentially sue
| for damages.
|
| You definitely don't have the right to shoot someone for
| burning down your local Target.
| HideousKojima wrote:
| If someone is trying to burn down my house with me in it,
| I have a right to shoot them in pretty much every
| jurisdiction in the US. If someone is burning down my
| store with me in it, I also have the right to use deadly
| force to defend it.
| SamoyedFurFluff wrote:
| Let's step back a little, please. This original context
| was about some BLM protests doing property damage, which
| included smashing storefronts and trash fires on the
| street.
| HideousKojima wrote:
| They also included burning down buildings, not just trash
| in the street.
| baud147258 wrote:
| > they could put pressure to stop
|
| In case you haven't checked, both targeted countries are
| authoritarian regimes where any kind of civil protest is
| ignored at best or actively suppressed at worst. And violent
| regime changes (aka revolutions) coming from the people don't
| work, at least not without the support of part of the
| governing elites (which aren't impacted by that kind of
| action).
| wrycoder wrote:
| Revolutions have succeeded time and again. The problem is
| that in most cases, the kind of people who lead successful
| revolutions are not the kind who can form a non-autocratic
| government. It can take generations to correct the
| resulting chaos and totalitarian excesses.
| potta_coffee wrote:
| Arguments like this are superficial and justify bad behavior.
| Destruction of property isn't murder, but it's still not ok
| and it still causes harm to living people who have no
| influence over the issue.
| shadowgovt wrote:
| > who have no influence
|
| I believe the crux of the political theory is that in a
| representative democracy, nobody has _no_ influence over
| the issue.
| Miraste wrote:
| That is obviously not true, and even if it were, the
| country in question is Russia, an autocracy. What is our
| poor hypothetical node developer expected to do, march
| down to the Kremlin and beat Putin with his MacBook?
| mrguyorama wrote:
| This is Russia we are talking about right? A country that
| has had countless uprisings of literal serfs with farming
| implements replacing their government.
| shadowgovt wrote:
| Parent comment originally referred to Black Lives Matter;
| I had been responding to that part of the comment (and
| its relation to US politics).
| yyyk wrote:
| I can't agree with these arguments.
|
| A) IP geolocation is far from perfect, quite a few completely
| unrelated people could have been affected.
|
| B) There was a chance of massive collateral damage to stuff
| like hospitals, water company, etc. and therefore affecting
| civilians, including children. If you think Putin wouldn't
| use that to rally Russia and launch a massive war, you
| haven't observed Putin for long.
|
| We got very lucky this software equivalent of a warcrime was
| stopped early. Yet the punishment was absurdly light. I will be
| staying away from NPM after that.
| FDSGSG wrote:
| > If you think Putin wouldn't use that to rally Russia and
| launch a massive war, you haven't observed Putin for long.
|
| Do you believe that node-ipc would do this but the current
| vastly more impactful sanctions regime won't?
|
| Also, everybody capable of thinking understands that Russia
| isn't capable of launching another "massive war" when it
| already has almost all of its conventional combat power
| committed to Ukraine.
|
| If you think Putin would launch a nuclear war over wiper
| malware, you're an idiot. There's no other kind of "massive
| war" he could launch at this point.
|
| > this software equivalent of a warcrime
|
| Why not call it software holocaust if we're gonna go there?
| What's wrong with you?
| yyyk wrote:
| >Do you believe that node-ipc would do this but the
| current vastly more impactful sanctions regime won't?
|
| >There's no other kind of "massive war" he could launch
| at this point.
|
| Russian society isn't anywhere near enthusiastic. That's
| why Putin has been searching for ever dumber excuses.
| Give him an actual indefensible incident to rally society
| around, and he'll get a lot more manpower. That could
| expand the war to Odessa and Moldova, and also
| 'retaliatory' cyberwar in the West.
|
| Now, there's a level of escalation I'm fine with risking
| - say, over stationing peacekeepers in parts of Ukraine.
| Stuff that actually helps Ukrainians. But over a self-
| appointed idiot's personal action which doesn't help
| anyone and nobody asked for? $#@! no.
|
| >Why not call it software holocaust if we're gonna go
| there? What's wrong with you?
|
| It's attacking civilians so as to influence their government
| (except Russia is a dictatorship and the government
| doesn't even care). I have more pointed comparisons in
| mind, but I'll spare the thread.
| def_true_false wrote:
| What next? Is refusing doing business with Russia a war
| crime, too? After all, some civilians might lose their
| livelihoods and starve to death, right?
| yyyk wrote:
| There's an obvious difference between trying to hurt
| people and not trading with them yourself. If the
| distinction is difficult, there are laws to define this
| 'war crime' thing, you may wish to consult them.
|
| Also, Russia is relatively self-sufficient foodwise.
| There'll be shortages but no starvation. I'm sure though
| that if starvation were a serious possibility the West would
| exclude food imports.
| vkou wrote:
| I thought that food imports were already excluded from
| sanctions for this exact reason.
| vorpalhex wrote:
| It's not acceptable to burn down someone's house because you
| disagree with them. Even if you disagree with them a lot.
| Please don't burn people's houses down.
|
| If you burn down people's houses, you will be arrested and go
| to jail.
| bnt wrote:
| Or, you know, I'll never touch Vue.js again?
| JumpCrisscross wrote:
| Charitably, it creates a new friction for Russian business
| in deploying open-source software. That drag further
| diminishes Russia's economy, and thus, its warmaking
| ability.
| rrsmtz wrote:
| This is the line that every extremist group uses to
| justify their horrible acts.
|
| Weaponizing open source is such an awful precedent. There
| are extremist groups of every shade who harbor ill intent
| towards some other group or institution. For a rather
| mundane example: "My malicious npm module detects you are
| running the Brave browser? The evil Brendan Eich runs
| that, say goodbye to your filesystem!" Never mind if you
| are part of a group that is mired in controversy, chief
| among them at this time being Russian.
| vkou wrote:
| > This is the line that every extremist group uses to
| justify their horrible acts.
|
| And in this case the 'horrible act' is not wanting your
| free labour to be used in another country.
| [deleted]
| FerociousTimes wrote:
| At best, this operation could be construed as an act of
| vandalism or at worst an act of CYBER terrorism. This
| indiscriminate and malicious act of hostility was carried
| out by what amounted to a cyber weapon (think IED) housed
| in a very ordinary and non-suspicious package to cause
| the greatest damage to the users' data.
| JumpCrisscross wrote:
| > _this operation could be construed as an act of
| vandalism or at worst an act of CYBER terrorism_
|
| Could be. But by whom? To what effect?
|
| One of the downsides of losing credibility as a nation
| state is the concepts of deference, retaliation and
| proportionality lose weight. There is no indication that
| the facts on the ground would affect whether Putin deems
| something a cyber attack. Worse, one's own policing
| actions are likely to cause more damage as propaganda
| pieces than ignoring the issue.
|
| Yes, in an international law framework this would be
| prosecuted in the U.S. But in that framework Russia
| wouldn't be in Ukraine. Add to that its tacit approval
| of its own hackers, and it's difficult--in a realpolitik
| frame--to find support for doing anything about this
| other than minor finger wagging.
| FerociousTimes wrote:
| > Could be. But by whom? To what effect?
|
| The general public. I speculate that publicity was one of
| the main objectives behind this operation to draw
| attention to his political grievances and maybe demands.
|
| Perhaps we should focus more on the issue of bragging
| rights. The perpetrator probably thinks he's some kind of
| a hero having conducted this operation and it was some
| kind of a heroic feat sticking up to Putin when he in
| fact is more of a lousy vandal destroying some poor guy's
| store window than an epic warrior conquering foreign
| lands and subduing evil emperors.
|
| The more people realize this and esp. people who are
| prone to commit these acts, the more innocent people
| would be spared the damage incurred by those reckless
| attacks.
| gruez wrote:
| >Arguments like this are similar to the BLM protest that try
| to equate property with human lives.
|
| Yeah, but the problem with this is that, taken to its logical
| conclusion, you end up with a nihilistic view that's
| basically "do you support The Cause? if yes then any protest
| action is acceptable, if no then any minor transgression
| should be cracked down by law enforcement". This works
| especially well when The Cause is something that could
| plausibly affect tens of millions of people, so you can
| excuse quite a lot of damage.
| FDSGSG wrote:
| I just don't understand what Western governments were thinking
| when they sanctioned Russian businesses.
|
| "Hm, maybe if I put laws into the books that destroy the
| economy of a country and drives people in a certain
| geopolitical region into poverty, the countless innocent
| citizens that are affected will realize what they did wrong! Wait,
| who am I actually targeting again?"
|
| Oh wait.
| kbelder wrote:
| Poverty and economic distress, deliberately exacerbated by
| the West, was what took down the USSR... and the fall of the
| USSR was one of the great achievements of the 2nd half of the
| 20th century.
| AllegedAlec wrote:
| It's like they never looked at the effects of the Treaty of
| Versailles
| raxxorrax wrote:
| Worse, he also provides ammunition for Kremlin propaganda.
| Which already is easier because people don't trust the press.
| Which is also understandable because some write a lot of
| bullshit.
| joshstrange wrote:
| I don't buy this argument. It's the same argument used for
| "Well the Democrats can't talk about/attempt doing X because
| the Republicans will misrepresent it and twist their words"
| when at the end of the day the Republicans will manufacture
| whatever they want regardless of what the Democrats say.
| Better to be called a "socialist" while actively trying to do
| something that will help people versus still being called a
| "socialist" while doing nothing.
|
| Kremlin is going to Kremlin, aka lie and spread propaganda.
| Let's not pretend that protestware is making their job so
| much easier, it's a tiny drop in a tsunami of lies and
| disinformation that the Kremlin puts out daily.
| lioeters wrote:
| My guess is that they got caught up in the socially accepted
| "hate fest" against citizens of a certain country, particularly
| by private companies.
| pkulak wrote:
| If a company does business in Russia right now, they are
| giving money to the Russian government which will be used to
| kill Ukrainians. Let's not conflate wartime trade policy with
| Twitter wokeness marketing.
| AdrianB1 wrote:
| There are US companies still selling health products to
| Russian citizens. What is the expectation, to let them die?
| I fully understand that cars, fast food, liqueur or
| perfumes are things to stop selling, but essential products
| not. The average Ivan and Natasha should not receive a
| collective punishment (to death in some cases) for what
| some guy they may not have even voted for is doing.
| _whiteCaps_ wrote:
| Everyone selling pharmaceuticals should follow Pfizer's
| example and donate profits from sales in Russia:
|
| https://www.fastcompany.com/90731145/pfizer-is-donating-
| its-...
| blub wrote:
| They'll most likely use it to pay their employees, since
| employment costs are the biggest chunk of expenses for many
| companies. From the money that goes to the government, some
| will go to fund the war, but some will go towards social
| support, maintenance, etc just like any other country.
|
| Where does this black and white caricature of an idea come
| from if not twitter? Acting like all the money in Russia is
| used to make bullets which are sent directly to the front.
|
| Not to mention that there's quite a few countries killing
| people today and nearly nobody's boycotting them.
| whimsicalism wrote:
| I know this will get labeled as whataboutism, so to pre-
| empt that I am suggesting sanctions and Hague charges for
| all perpetrators, but what is uniquely bad about killing
| Ukrainians over Syrians, Libyans, or Iraqis?
| reaperducer wrote:
| I haven't seen anyone in this thread, or anywhere else,
| state that killing Ukrainians is uniquely bad. Do you
| have a source for this assertion?
| dunkelheit wrote:
| Actions speak louder than words and the reaction to the
| current conflict is certainly unique. I haven't heard of
| people pressuring companies to stop doing business with
| the US due to the Iraq war.
| whatshisface wrote:
| The simplest explanation is that US companies + media +
| government is the only group with enough clout to do
| this, and they will not sanction themselves.
|
| It's not like there's a Netherlands invasion of Germany
| for us to all use as a neutral reference.
| whimsicalism wrote:
| I think you are conflating things here. Sure, US govt is
| not going to sanction itself. But I don't perceive the
| general populace as being as outraged by lives lost when
| the US bombs a hospital in Afghanistan as opposed to when
| Russia bombs a theater in Ukraine.
| whatshisface wrote:
| I would posit that the ratio of the number of people who
| know about it to the number of people outraged about it
| is similar in both examples. It's really about which got
| the 24/7 coverage.
| whatshisface wrote:
| They are obliquely complaining that the US gets a free
| pass to blow up civilians in other countries in the
| course of pursuing its own geopolitical goals, and by
| extension the US armed forces are exempt from
| international prosecution.
|
| As for domestic prosecution, the record is mixed, but
| there was that high-profile case that got a presidential
| pardon.
| ensan wrote:
| Then, if you live in a western country, stop paying taxes
| because it supports killing innocent people, and to a
| much larger extent than what is going on in Ukraine.
|
| Leave your job because tech companies have contracts with
| the government/"defense industry" and also pay taxes.
|
| Don't buy anything from the grocery stores.
|
| Cancel your flight if it's on an Airbus/Boeing.
|
| Otherwise, it's all empty talk. To be clear, it
| absolutely is in my opinion.
| mrtranscendence wrote:
| What specifically is empty talk? Someone can support
| Ukraine for a number of reasons that don't require
| withdrawing from all life in a western nation. They might
| trust that their rulers have evaluated most alternatives
| before deploying military options and do not kill
| indiscriminately. You might scoff, but I suspect most
| people are at least somewhat in that boat; even if they
| think that the US shouldn't have invaded Iraq, for
| example, they probably think it wasn't _that_ bad and
| that murders of civilians were minimal. That doesn't
| mean that they don't or shouldn't protest the invasion of
| Ukraine, though it probably does mean that they should
| reflect further.
|
| They might also believe that invading Ukraine is uniquely
| bad because it is a developed western nation within
| mainland Europe, setting a terrible precedent. Or they
| might simply not have thought very much about the
| contradiction. And I note that you're lumping every
| western nation under the same category when some are much
| less objectionable than others; in how many developing
| nations has Finland engaged in extralegal murder?
|
| That said, yes, the costs are lower to protesting the
| invasion of Ukraine than protesting everything the US
| government does overseas. So what? The costs are lower
| for me to buy Kroger brand soft drinks, too, that doesn't
| mean my opinions about the flavor are just empty talk.
| whimsicalism wrote:
| > murders of civilians were minimal.
|
| But nobody (AFAIK) is contesting that the US killed more
| civilians in Iraq or in Syria (or second-order in Libya)
| than Russia has killed in Ukraine.
|
| Your argument is that people perceive it as okay because
| the _intentions_ were good? Our government could not
| foresee that these people would die, it was unexpected?
|
| Or were they unintended consequences that were foreseen?
| I don't believe such a distinction is defensible, if you
| foresee the consequence and do it anyways, you intended
| such a consequence.
| pessimizer wrote:
| > Your argument is that people perceive it as okay
| because the intentions were good?
|
| Even worse, I think the argument is that the intentions
| were good because it was _our rulers_ who did it, not
| _theirs._ Our rulers are careful and thoughtful, while
| theirs are evil and cruel.
| dunkelheit wrote:
| It is kind of crazy when one remembers all the human
| rights abuses that companies providing popular products
| and services tolerate and benefit from, and where the tax
| money goes. It is almost as if the goal is to be
| consistent and avoid hypocrisy, the only two options are
| abandoning modern lifestyle... or not protesting at all.
| def_true_false wrote:
| From the point of view of American isolationists, there
| is no difference. There is a difference for Europeans, in
| that Ukraine being engulfed by a full scale war will
| result in around 40M refugees in the EU, almost 10% of EU
| population. That's an order of magnitude bigger than the
| previous migration wave. It's also an order of magnitude
| faster. Over 10M people have been displaced already.
|
| Some numbers: https://en.wikipedia.org/wiki/2022_Ukrainian_refugee_crisis , note the dates.
| whimsicalism wrote:
| I think you are reversing causality here. No doubt the EU
| could have seen similar numbers of refugees from Syria
| and Iraq and Afghanistan, had they allowed them in.
| tomjen3 wrote:
| After ISIS rose I gave up the idea that countries like
| Syria, Iraq etc can ever become anything more than
| "hellholes", at least in my lifetime. Certain areas like
| Kurdistan excepted (and I hope and support their
| recognition as a state), but in general there will
| always be one strongman or another.
|
| But Ukraine was different (and I hope it still will be),
| turning from the world of the strongman and toward Europe
| and modern freedoms. It was on the same trajectory that
| Poland went on 18 years ago: a massively better life for
| the average, ordinary person. Ukraine had troubles, but
| those were solvable because that is what they wanted.
|
| All of that is now ground up along with so many children
| under the rubble in the streets because Putin had to
| establish a slightly larger state.
|
| So when Ukraine was killed, not only were the civilians
| there massacred, so was the future of the entire country
| or at least pushed another generation into the future.
|
| I hope neither of the perpetrators ever makes it to the
| Hague, a few years in prison is nowhere near enough
| punishment.
| whimsicalism wrote:
| All this comment shows to me is you knew very little
| about Syria & Iraq. The cultural & population centers of
| Syria were never taken by ISIS and Damascus prior to 2011
| would not have felt as "hellhole"-esque as I think you
| are imagining.
|
| > turning from the world of the strongman and toward
| Europe and modern freedoms
|
| Towards Europe, certainly, but also towards nationalism -
| undoubtedly. It is not a "modern freedom" to ban minority
| languages from schools and government, restrict regional
| autonomy, etc.
| geoka9 wrote:
| > to ban minority languages from schools
|
| Please, it's not a ban. The relevant law only applies to
| state-funded schools and makes sure that students who
| don't speak Ukrainian gradually learn it over the years
| and start using it in school:
|
| _https://ukrainian-studies.ca/2020/08/01/ukraines-
| russian-lan...
|
| If Ukraine hadn't been the target of Russian territorial
| expansionism, we could argue that this law is
| overreaching. However Russia had claimed the right to
| "defend Russian-speaking people" outside of Russia before
| invading Ukraine in 2014 (the law was passed in 2017).
| Under these conditions, passing such a law was
| practically a question of self-preservation.
| whimsicalism wrote:
| Your link is broken.
| geoka9 wrote:
| Thanks, updated.
| deltarholamda wrote:
| If a company shows support for the Ukraine, then they are
| giving aid and comfort to the Ukrainian military who was
| shelling civilians in the Donbass region for the past
| decade.
| zucker42 wrote:
| Your comment has the implication (intended or unintended)
| that Ukraine was the instigator as far as ceasefire
| violations go. As far as I can tell, that's not true.
| However, the real way to find out for sure would be to go
| through the OSCE SMM reports[1] about ceasefire
| violations and determine what percentage of them were
| likely from Ukrainian-controlled territory versus
| separatist-controlled territory.
|
| [1] https://www.osce.org/ukraine-smm/reports
| deltarholamda wrote:
| Your comment has the implication (intended or unintended)
| that there are situations where civilian casualties are
| perfectly acceptable.
|
| My only real point was that who the Good Guys and who the
| Bad Guys are in Ukraine are predetermined by the set of
| assumptions you start with. Everybody who was paying
| attention isn't that surprised by the invasion. It's not
| even a puzzle as to why Russia would do it. They spelled
| it out quite clearly, and have been saying it for years.
|
| Which is why I find the media narrative annoying. It's an
| almost perfect example of gaslighting. The only response
| to Russia's complaints about NATO meddling in Ukraine
| being provocative is to make some kind of counter-offer
| to offset the provocation. To suggest that there wasn't
| any meddling, or that Russia just invaded out of the blue
| for no good reason other than sheer evilness, is either
| staggeringly wrong, or a deliberate lie.
| dwaltrip wrote:
| Are you saying Russia is not a bad actor here? I'm not
| very convinced by your arguments.
| [deleted]
| slig wrote:
| What about countries buying oil and gas from them?
| 542458 wrote:
| Yes, that is bad too. However, in some cases it is
| necessary to prevent people from freezing, so there is a
| balancing act. Note that fossil fuel dependency just
| became a much more common political discussion item in
| Europe.
| gruez wrote:
| While it's unreasonable to expect Europeans to freeze to
| death to protect Ukrainians, I think there's a middle
| ground between "business as usual" and "protect Ukraine
| at all costs" that's not being considered here.
| Specifically, turning the temperature down to 5-10°C
| and wearing a coat. I doubt you'll be freezing to death
| in those circumstances. Is there widespread effort by
| Europeans to do this? If not, then the parent is still
| mostly correct: Europeans are not willing to endure
| slight discomfort to prevent "giving money to the Russian
| government which will be used to kill Ukrainians".
| def_true_false wrote:
| People in the EU are not going to freeze to death even if
| Russian gas and oil is banned. Germany would lose a few
| percent of GDP, equivalent to couple hundred bucks per
| capita. I would be surprised if they pull off the ban
| before this winter is over, though.
|
| FWIW people in Ukraine are already freezing to death,
| thanks to Russia's deliberate attacks on infrastructure.
| leaflets2 wrote:
| I'm in Europe and I'd happily wear a jacket and a winter
| cap indoors.
|
| And people could go by bus, subway, ride share, so less
| oil and gas needed for transportation.
|
| And energy intensive industries could close for a while.
| Is it really more important to continue producing more
| cars, for example, than to try to stop the war?
| def_true_false wrote:
| _> Is it really more important to continue producing more
| cars, for example, than to try to stop the war? _
|
| German policy of the last decade in a nutshell. Green
| feel-good crap for the masses while building more
| pipelines to Russia, literally planned to enable gas
| delivery even in case of conflict in Eastern Europe.
| leaflets2 wrote:
| It's annoying that the politicians don't seem to think
| about this. Are they worried that they'd get fewer votes?
|
| What if everyone wrote to their politicians (in one's
| respective country) and said that they'd happily wear extra
| clothes indoors.
| gruez wrote:
| > It's annoying that the politicians don't seem to think
| about this. Are they worried that they'd get fewer votes?
|
| They're probably worried about stated preference vs
| revealed preference. People _say_ that they stand with
| Ukraine and they're willing to make tremendous
| sacrifices to help Ukraine/hurt Russia. That might be
| true, but they might not be willing to actually pay the
| cost (eg. higher gas prices).
| leaflets2 wrote:
| Good point.
|
| Maybe in some cases, people won't know until afterwards,
| if they actually want more sanctions or not -- until
| after they've gotten to try it and discover how it was.
| Especially problems with transportation could cause
| anger, I suspect. Whilst extra clothes is maybe simpler.
|
| Now I start thinking that more buses and bike lanes in a
| way can be seen as part of a military defense strategy,
| hmm. (If the population does mostly ok without oil)
| reaperducer wrote:
| _What about countries buying oil and gas from them?_
|
| They're almost all (except India) moving away from that.
| It's not something that can be done overnight. It's been
| in the news for almost a month now.
| ziml77 wrote:
| None of this is hate against the citizens. No one wants to
| hurt the innocent people in Russia. But pulling out of Russia
| is about the only thing that anyone can do to slow the flow
| of money that will be used to fund the invasion of Ukraine.
|
| The optimal thing would be to push the Russians out of
| Ukraine with military force, though that is also going to
| leave many dead. Just because they're soldiers doesn't mean
| they deserve death. But that's not an option anyway, because
| a NATO country joining the fight directly will cause World
| War 3. At best we end up with multiple countries from both
| sides joining the fight. At worst the nukes start flying.
| pessimizer wrote:
| > The optimal thing would be to push the Russians out of
| Ukraine with military force, though that is also going to
| leave many dead.
|
| And the primary victims will be Ukrainian. Even considering
| that Europe has its arms open to this particular class of
| refugee, the country that they left will be a smoking
| crater. I wish we'd stop pretending that we're arming the
| Ukrainians for the Ukrainians' sake; we're trying to extend
| the war as long as possible in order to economically
| destroy Russia. The end stage of that is Western and
| central Ukraine being reduced to dust.
|
| Russia has committed something like 15% of its military so
| far IIRC. This is just a matter of time. Ukrainians are
| being pushed through jingoistic nationalist propaganda
| (which is enforced at the borders if men who are old enough
| to carry a weapon try to leave) to destroy their country,
| and letting extreme-right minorities of the population (who
| are basically Banderaite lost-cause Nazis) lead. Those
| groups are happy to burn their country so the disgusting
| muslim commies won't rule it, and to die in glorious battle
| against them.
|
| The disgusting thing is Americans are parroting the Azov
| rhetoric, too. Fat slobs sitting on a couch watching
| MSNBC/FOX/CNN all day and yelling at the television are
| calling Ukrainians traitors for leaving, and demanding that
| they be armed and sent back in.
|
| The optimal thing is not to push the Russians out of
| Ukraine with military force, it's for Ukraine to give up.
| The world has shown it's willing to take white refugees, so
| those that fear Russian persecution can escape. Plenty
| would have happily emigrated without the Russian invasion,
| but the doors to Europe and the US were shut to them
| before. NATO re-promises not to put their alliance whose
| animating premise is anti-Russian on the borders of Russia.
| Ukraine rebuilds and normalizes.
|
| What have they lost anyway? They were dominated by the
| Russians (and hopelessly corrupt), then a Western-incited
| and funded coup used the extreme-right element to install a
| (hopelessly corrupt) puppet who left office with a 5%
| approval rating, so the public elected an _actor who played
| a president on television_ (also fully owned by an
| oligarch), which is an act so desperate, it would seem
| insane if the US hadn't elected a guy who played a boss on
| television to be president, or Italy hadn't handed its
| politics to a comedian playing the wise fool, or Boris
| Johnson hadn't been. Russia and the US trashed Ukraine, and
| we're cheering them on while they finish the job.
|
| Even better, maybe we can push Russia into using some tiny
| nuke that we can't justify destroying the entire world
| over. Because the fact is, if they nuke Ukraine, we're not
| going to do shit. They know it. Let's make them feel so
| victimized to the man that they do it to reclaim some face,
| and piss the average Russian civilian off so much that they
| feel like there's nothing left to lose but their pride.
| zucker42 wrote:
| > No one wants to hurt the innocent people in Russia.
|
| The actions of the node-ipc maintainer seem to provide
| evidence against this assertion.
| ailef wrote:
| And it's also well known that innocent people are those
| who eventually end up paying the highest price for the
| sanctions.
| [deleted]
| gruez wrote:
| >"Hm, maybe if I put malware into a community-trusted module
| that destroys files of people in a certain geopolitical region,
| the countless innocent citizens that are affected will realize
| what they did wrong! Wait, who am I actually targeting again?"
|
| "yeah but countless ukranian women and children are getting
| murdered by russians! surely a few wiped hard drives is worth
| it to raise awareness?"
|
| /s of course, but people who hold this view sincerely aren't
| hard to find.
| [deleted]
| rauli_ wrote:
| And he used a third-party service to do the geolocation, so that
| whoever maintains that could have caused significant damage by
| changing it to return fake responses.
| ryanmarsh wrote:
| I'm ok with it as long as the maintainer is consistent and does
| it for "the current thing" every time. That means Sudan,
| Darfur, Iraq war, ISIS, Assad's regime, etc... Heck why not
| even Florida after the "say gay" thing?
| KevinEldon wrote:
| Sounds like an opportunity to create a Protest Current Thing
| as a Service.
| abraae wrote:
| That's a great idea. The only problem would be determining
| the correct set of things to be protested at any given
| time. So I'd suggest grouping them into flavors - say US
| liberal or US conservative flavors. You just choose the one
| you subscribe to and then let the service decide whether to
| insert say BLM or anti-CRT messages at any given time.
| gadders wrote:
| NPC as a service.
| octopoc wrote:
| This is a cool idea. You would probably want to run the
| PCCaaS as a non-profit and donate some of the money (5%
| seems generous?) to appropriate causes. The main API would
| be for displaying an appropriate banner of course.
|
| Another API would be to determine if a specific domain
| subscribes to the service and how much they care about the
| appropriate topic (in terms of "points" which are partly
| correlated with how much they spend on the PCCaaS, but also
| with some human input). This would be useful to people
| looking to vote with their wallet. I bet there are plenty
| of artists who would love to make custom banners, kind of
| like Google's doodle of the day.
|
| A third API would be to get notified when a customer
| downgrades or terminates their plan with the Protest
| Current Thing as a Service. Journalists could subscribe to
| this last API to get ideas for news stories. /s
| a9h74j wrote:
| Pivoting now from Ad-Blocker development to
| CurrentThingBannerBlocker development.
| reaperducer wrote:
| Isn't that the whole point of "open source" software? The author
| gets to put out code that matches their will, and if you don't
| like it, you either don't use it, or you fork it and make your
| own.
|
| It's funny how every time there is an "open" project on the
| internet, from code to Wikipedia to whatever, there is always a
| group of people that forms to quantify, collate, tabulate, and
| regulate it into some imagined corporate structure.
|
| Don't like the protest? Fork away!
| baryphonic wrote:
| To be honest, I'm annoyed by the benign protestware messages when
| they start to get in the way of using the software, particularly
| on mobile. I was looking at the isomorphic git documentation the
| other day, and noticed that their "#BlackLivesMatter
| #DefundThePolice" banner scrolls under the rest of the content,
| leaving this annoying gap that takes up screen real estate,
| especially in landscape mode on a phone.[0] What's the point? Is
| a single person going to be persuaded to support either cause by
| seeing this banner on a relatively niche JS library that reduces
| readability of its documentation? Will anyone find the library
| any more useful because they support the cause? (I support
| neither cause, but find the library useful nevertheless.)
|
| Recently, I saw a similar pattern with the Svelte REPL adding a
| pro-Ukraine message.[1] The banner along the bottom is so large
| that landscape mode becomes unusable, and non-trivial examples
| are hard to see even in portrait mode. Again, who does this help?
| (I support Ukraine, so feel like, "yeah, I get it; can I close
| the banner now?")
|
| The worst part about these patterns is that they can't be
| disabled and seem to be deployed haphazardly without regard for
| the overall design.
|
| While these aren't malware, they are still hostile for the
| majority of users who aren't so gung ho in their support for the
| current thing.
|
| [0] https://isomorphic-git.org/docs/en/deleteBranch
|
| [1] https://svelte.dev/repl/hello-world?version=3.46.4
| amelius wrote:
| It's still better than ads, though.
| rnd0 wrote:
| It's indistinguishable from an ad.
| relativeadv wrote:
| I agree. I really do feel for these refugees and victims of
| social injustice. But when it mildly irritates me by having to
| scroll an extra inch or two to get to what I want to see I feel
| like their efforts are being misdirected. It makes more sense
| for these issues to simply solve themselves without
| inconveniencing me.
| cimi_ wrote:
| Do you genuinely think these banners help with anything?
| relativeadv wrote:
| You and I are here discussing it, right now.
| nonameiguess wrote:
| That doesn't have much to do with open source, though.
| Corporations selling proprietary stuff are more than happy to
| slap slogans and hashtags all over it to promote their devotion
| to some political cause of the day. Unlike open source "as-is
| no warranty clauses," their licenses tend to come with a
| guarantee saying they can't just stop working or break the rest
| of your system on purpose, though, and if they do, you get a
| support engineer helping you until it's fixed.
|
| Really, even that doesn't have much to do with open source,
| since companies exist that develop entirely open source
| products but offer paid support and enterprise contracts with
| warranties and guarantees. What this really damages is the
| reputation of ecosystems that rely upon foundational libraries
| made by hobbyists and one-man operations as weekend side
| projects.
| [deleted]
| celeritascelery wrote:
| There was a package (that I won't name) which completely
| removed their online documentation and replaced it with a BLM
| message for a period of time. I was floored at that
| unprofessional behavior. Now when I link to their docs, I
| always use archive.org to make sure other users don't run into
| a similar issue in the future.
| mpweiher wrote:
| > I was floored at that unprofessional behavior.
|
| Profession - "A professional is a member of a profession or
| any person who earns a living from a specified professional
| activity."
|
| If you want professional behavior, _pay_ the person.
|
| If you want free, you get whatever the person wants to give
| you for free.
| rdiddly wrote:
| How 'bout if I go one commit back, and get what they wanted
| to give me for free one commit ago?
|
| Anyway, if we ignore for now the circularity of that
| definition of "professional" and take it at face value,
| then swapping out your open-source docs for a political
| message would fail the definition of professional, not just
| based on the "earn a living" part, but also on the
| "specified professional activity" part. Assuming we're
| using their repo because it's, like, for _programming
| computers and shit_, we might be surprised to find out
| they had changed their profession from computer-programmer
| and computer-program-explainer, to worked-up self-important
| opinion-haver. Which even fewer people would pay money for,
| by the way.
| morpheuskafka wrote:
| The term professional is clearly applicable to software
| engineers working on open source projects, just as it is
| for lawyers doing pro bono work, and just like a plumber
| fixing his neighbors' sink for free is still performing his
| trade and expected to do work that upholds its standards.
|
| No one is required to do any work for an open source
| project, but they are expected to behave in a professional
| manner and plenty of people have been rightly criticized
| here when they acted inappropriately as part of an open
| source team.
|
| It's debatable whether OP is right, but there's at least a
| case to be made that taking down documentation that was not
| costing any money to host for the sole purpose of making an
| unrelated statement (not one targeted at their customers,
| just society in general) does damage the professional
| reputation of the team and its product.
| frumper wrote:
| I would agree that doing stunts is likely to damage a
| team's reputation, but I think you cast way too large a
| net to say that software engineers working on open source
| projects are professional, or even acting as
| professionals. The OSS ecosystem is filled with
| everything from large well run organizations to kids
| posting simple tools that are filled with bugs and
| vulnerabilities. There are no good expectations beyond
| use at your own risk. Even large professional
| organizations kill projects and leave people hanging.
| oauea wrote:
| If you want people to use your stuff, which you probably do
| because you put it out there, be professional.
|
| If you don't care, then do whatever the hell you want of
| course.
| cuteboy19 wrote:
| To be clear if you are not paying them, there should be no
| expectation of service. Open source is something they offer
| out of passion or goodwill, both of which can change at any
| time
| dunkelheit wrote:
| Open source (and by extension a large chunk of software
| industry) runs on the expectation that people won't do
| random disruptive things even if it is plainly stated in
| the license that there is no such guarantee. Perhaps we
| should move away from this expectation (and events such as
| these will certainly accelerate the transition), but this
| is the current state of affairs.
| shadowgovt wrote:
| > Open source (and by extension a large chunk of software
| industry) runs on the expectation that people won't do
| random disruptive things even if it is plainly stated in
| the license that there is no such guarantee.
|
| Counterpoint: much of our industry is often described as
| being in the business of disruptive technology.
|
| It's been educational for me to watch how developers are
| reacting when they're on the receiving end of the
| disruption.
| prepend wrote:
| It's not the expectation, it's the reputation of the
| project. If a project does dumb stuff like taking down
| existing documentation, that reflects poorly on the
| project. It shows poor judgement and unreliability.
|
| I don't require them to be smart and professional, but they
| should be or will lose users. Thanks to OSS, I can just
| fork. But being OSS doesn't mean you can suck and be random
| and still stay useful to people.
|
| Of course if it's your project, you're free to do whatever
| you would like.
| shadowgovt wrote:
| What's the point of the thin black bar we put at the top of HN
| periodically?
|
| It sounds like the underlying issue is insufficient testing of
| the UI layout with the new content, not the fact that there is
| new content.
| AQuantized wrote:
| There's a difference between providing information ("Someone
| significant to many members of this community has died
| recently") and providing a (arguably very superficial) signal
| of support for a cause dear to some of the developers.
| shadowgovt wrote:
| I'm afraid I don't see the difference. Can you clarify?
| lliamander wrote:
| What HN does is less obtrusive, less likely to stoke
| heated division amongst its users, and more relevant to
| the content of the site.
| shadowgovt wrote:
| > What HN does is less obtrusive
|
| Agree. I often have to click around to figure out why the
| black bar has shown up.
|
| > less likely to stoke heated division amongst its users
|
| This is interesting. Why does #BlackLivesMatter stoke
| heated division among HN users? And what does that say
| about the community that has been built here?
|
| > and more relevant to the content of the site
|
| I'm sure I don't agree. As the world moves further into
| automation, machine learning, machine analysis, and
| sousveillance, the interaction between technology and
| minorities in our communities is of vital importance to
| what we do. Questions of interaction between minority
| developers, customers, users, and community members and
| the majorities in those spaces impact on questions like
| hiring policy, behavior analysis and prediction (and the
| benefits and drawbacks of those tools), unequal treatment
| laid bare when the cameras are in the hands of the many
| and not the few (and the consequences of that knowledge),
| software that only works for a subset of users optimally
| because it was designed with only those users in mind,
| and other topics.
|
| Software is growing to touch every part of human
| existence, and it's probably actually dangerous for
| hackers to traipse through life ignorant of that fact. We
| build things that impact people in a huge way, and if
| some groups are structurally invisible to the builders of
| those things, we really risk baking inequalities into the
| very engines of our society.
| Double_a_92 wrote:
| > Why does #BlackLivesMatter stoke heated division among
| HN users?
|
| Simply because it is a _political_ issue, on which people
| might have different opinions. And since that specific
| issue is not related to tech at all, it just causes
| conflict without any benefit.
|
| While honoring the death of some generally respected
| figure in our field is hopefully less controversial and
| more informative.
| shadowgovt wrote:
| > And since that specific issue is not related to tech at
| all
|
| Black Lives Matter is heavily interwoven with the
| sousveillance effect... As cameras have moved from a
| luxury to a ubiquity, control of the narrative of how
| policing works has fallen out of the hands of the people
| who do it. It doesn't matter why multiple black men and
| women were shot to death... People have _seen_ it happen,
| and they feel in their guts it was wrong. It's hard to
| get to that gut-level effect without visual stimulus;
| people have been writing for decades about the negative
| effects of violent-response-authorized policing.
|
| Now that we know this, how will things change? Will
| people try to make the cameras go away, will procedures
| change to account for everyone having a camera, will we
| all adapt to being seen more often in public? And at
| present people generally know when they're being
| filmed... What of the near future, where the tech to film
| something could be attached to a drone flying too high or
| too quietly to see?
|
| It's very, very hard to slice a clean cut between
| technology and its effect on societies.
|
| https://www.wtkr.com/news/technologys-role-in-the-black-
| live...
| HWR_14 wrote:
| I feel that's because too many people still aren't seeing what
| their sites look like on mobile devices. I'm sure the perma-
| banner looked fine on desktop.
| BaronVonSteuben wrote:
| The Svelte banner looks ok on desktop, but yeah seriously
| problematic on mobile.
|
| I think this is an outgrowth of the "use whatever power you
| have to push for change" culture. It has been highly effective
| in the past, particularly with gay marriage, and I think those
| victories gave it enough gas to run for many years even without
| success. There's also the social points that one gets from it
| as well. I know of at least one project that added a BLM banner
| to their site because of social pressure, even though they felt
| that much of the protesting had gone too far (burning
| businesses, looting, blocking traffic, etc). The whole "not to
| take a side is to take a side" is a powerful social pressure to
| conform. I know of one other project that added a BLM banner so
| they could get on an "awesome list of BLM supporting software"
| or something like that which drove them a lot of traffic.
| Anyway my point is that there are lots of motivations for such,
| and I suspect many if not most aren't because the person has a
| deep and abiding passion for the cause (though without a doubt,
| some do).
| iosono88 wrote:
| goodpoint wrote:
| > noticed that their "#BlackLivesMatter #DefundThePolice"
| banner scrolls under the rest of the content, leaving this
| annoying gap
|
| People get killed and a HNer is annoyed by a gap around a
| banner.
| joshcryer wrote:
| The OSI article even encourages banners and other such thing
| in ones work. If code is speech, then speech shouldn't be
| frowned upon when the coder uses it in their project.
|
| The OSI is specially calling out an incident where someone
| actually put malware in their code which targeted Belarus and
| Russia. Totally unacceptable and not a form of protected
| protest at all, and arguably not speech.
| jaldhar wrote:
| The banner wavers have moved on to the next trendy thing and
| people are still getting killed. What was achieved by
| annoying HNers?
| qsdf38100 wrote:
| You're at war. Maybe you don't realize it because you can
| still go on with your life as if nothing was happening.
|
| It's not a trendy thing, it won't go away because of some
| random trendy thing.
|
| HNers annoyance couldn't be more irrelevant. And people are
| still getting killed because the world has decided that
| this war, as bad as it is, shouldn't interfere with
| business too much.
|
| People are still getting killed because we don't want our
| precious little irrelevant easy lives to be disturbed too
| much.
|
| The world still hasn't woken up. We should be alarmed and
| fully supporting freedom. But the world is just annoyed. I
| thought moral values were important to open source.
| zzzeek wrote:
| I took a look at the first site in responsive design mode and
| it looks like the "Branches" menu, which aims to be in a fixed
| spot, is getting pushed down by the extra content. The actual
| protest message scrolls up with the rest of it and does not get
| in the way of anything. Seems like a simple UX bug that could
| be fixed if you send the developers a bug report.
| heavyset_go wrote:
| > _Seems like a simple UX bug that could be fixed if you send
| the developers a bug report._
|
| Something tells me that they don't want to actually fix
| anything and are just virtue signalling on HN.
| auxfil wrote:
| These actions can be classed as slacktivism and as impotent
| virtue-signaling, sure, but I believe that the actors of these
| methods of protest are trying to do what the left calls
| "creating safe spaces" and genuinely feel that they are
| "showing their support" and therefore somehow...helping. The
| thing is, they may be achieving that first part - creating a
| safe space, perhaps unwittingly marginalising, demonising, and
| isolating the very people who can effect the most change (i.e.
| politicians, policemen, Russian people, going by the examples
| of causes in OP's post alone), at a further cost of
| inconveniencing absolutely everyone - testing the resolve of
| existing allies, and likely creating new opponents out of those
| who were on the fence or apathetic.
| BigJ1211 wrote:
| It's basically taking the "Thoughts and prayers" under a
| Facebook post to the next level.
|
| It would be fine if the banner was close-able or displayed
| once a day or something along the lines of that. The problem
| isn't that they're showing support. It's doing it a
| completely obnoxious way that's the issue.
|
| If you are one of the people doing this, look around you.
| Literally everyone slapped a BLM banner on their website,
| when everyone has done that yours literally adds nothing.
| Sure, put that message up there, but make it close-able. Not
| something that takes up valuable screen real-estate
| permanently.
| cameronfraser wrote:
| they're virtue signaling, not trying to create change
| NoGravitas wrote:
| Would you rather they signal vice?
| stjohnswarts wrote:
| Rather they signal nothing, to be honest. I mean it is
| their prerogative but makes one think twice about the future
| of the software. So it's another data point. Not all or
| nothing. I hate all or nothing types from all sides. 99% of
| things are on a spectrum and I think that life should be
| the same. Sure some things are 0 or 1 but they are
| relatively rare.
| Inityx wrote:
| Wow, why is that the only alternative?
| prepend wrote:
| I'd rather they do. Focus that energy into productive
| action rather than just signaling.
|
| It's like those people who do 50 commits instead of one to
| look busy. Just put that mental energy into real stuff.
| gadders wrote:
| >>Is a single person going to be persuaded to support either
| cause by seeing this banner on a relatively niche JS library
| that reduces readability of its documentation?
|
| The purpose of the banner is not to convert anyone, the purpose
| is to demonstrate that the author of the package subscribes to
| the correct opinions.
| LunaSea wrote:
| So basically virtue signalling
| kennywinker wrote:
| The term "virtue signaling" is a pet peeve of mine. Like
| the word "problematic" it's too vague and broad to be
| useful. The implication seems to usually be that it's all
| talk and no action. But if we're talking, as we are now,
| that's completely separate from my actions. Like, if I say
| "pollution is bad" and don't do anything in my life to
| reduce pollution that's virtue signaling, but it's not if
| I've dedicated my life to reducing global pollution? How
| are you supposed to know what I have or have not done in
| real life during this convo.
|
| So either virtue signaling applies anytime someone
| expresses an opinion about something moral, in which case
| it's a useless truism. Or it's meant to express doubt or
| challenge someone to prove that they take action, in which
| case who owes you proof?
|
| Putting a statement of support for a cause in your open
| source repo may or may not have any direct impact, but it
| is personal expression - and in general I am for personal
| expression.
| michaelt wrote:
| _> The implication seems to usually be that it's all talk
| and no action._
|
| That's the implication. But I'm pretty sure the critics
| would be _even angrier_ if the open source project had
| taken action.
| kennywinker wrote:
| hah, yup - that's literally why this is news right now,
| somebody went past talk and acted - and people are upset
| gunfighthacksaw wrote:
| Using the term 'virtue signalling' is itself virtue
| signalling.
|
| The virtue in this case being an implied rejection of
| groupthink.
| prepend wrote:
| > general I am for personal expression.
|
| I'm for signal, not noise. I don't want stupid personal
| expressions, I want meaningful or beautiful or somehow
| useful.
|
| I used to work with a person who would raise their hand
| in every presentation and say "security is important how
| is this software secure" even when it wasn't anywhere
| remotely relevant. It was counterproductive and
| distracting and wasted valuable time that we could use to
| do something better.
| stragies wrote:
| While I agree with you on broad strokes, I'm sure,
| somewhere, someday, somebody's concerns over the security
| implications of a logging framework (e.g. Log4J) were
| brushed under the table by a statement like that.
| prepend wrote:
| I think security is extremely important (as is BLM), my
| issue in this example is that the person brought up
| security as questions where it was not relevant. I think
| that actually hurts security as it made people tune out
| because it wasn't relevant. So it was like the boy who
| cried wolf in that when security was important it wasn't
| paid attention to.
|
| I'm not saying that security reviews shouldn't be
| performed. They should. Security should be part of design
| and code review. But it's not a relevant question in
| every single situation.
| scarecrowbob wrote:
| I don't think signaling my beliefs ever will change
| anyone's mind.
|
| However, I've gotten a lot of feedback from friends of
| mine that signalling my support for their cause or
| identity has made them feel more comfortable in the
| world.
|
| That's both useful and beautiful.
| kennywinker wrote:
| > I don't want stupid personal expressions, I want
| meaningful or beautiful or somehow useful.
|
| I guess I feel that improving our world, ending war,
| making our society more just and fair, these are
| meaningful, useful, and beautiful things to do. They
| might be some of the most meaningful things actually.
|
| > It was counterproductive and distracting and wasted
| valuable time that we could use to do something better.
|
| This is an argument about context. Security IS important,
| I imagine we'd both agree, but maybe not in that specific
| situation. Like if I bring up climate change while we're
| rushing to the hospital after a car accident. Climate
| change is a real and important issue, but right now it's
| a distraction. So is an open source website an
| inappropriate context to indicate support for movements
| or disapproval of others? I don't think so, but if you do
| calling it "virtue signaling" isn't what you mean, and is
| actually a counterproductive distraction.
| blueflow wrote:
| None of the signalling achieves anything. It's annoying,
| the signalling people really stand out. Seeing them doing
| the "Notice me, I'm standing for the right thing, I'm a
| good person!"-move makes me cringe. I wish they would
| stop.
| kennywinker wrote:
| > None of the signalling achieves anything
|
| This is just false. Some signaling achieves nothing, but
| there's plenty of signaling that has caused individuals
| to change their behavior, politicians to pass laws, and
| corporations to change their products. The thing is it's
| basically impossible to tell which is the useful
| signaling and which is shouting into the void, even as
| the person signaling the signals. Which drop filled the
| bucket?
|
| You seem to find it annoying because you think it's being
| done just to SEEM good, rather than to BE good... but
| when it comes to issues we don't have direct control of,
| there's not much difference. I can ACT on my belief that
| texting and driving is a terrible thing to do all I want,
| but it doesn't stop anyone else from doing it. The only
| small piece of influence I have over others is to signal
| that I believe it's wrong whenever it's appropriate. That
| and lobby for tougher fines (by signaling to politicians)
| and technological solutions (again, by signaling to
| corporations).
|
| None of this is to say you can't criticize specific
| gestures as being empty - but to say signaling is always
| empty is just false.
| [deleted]
| [deleted]
| dwaltrip wrote:
| How do you know that it achieves nothing? Genuinely
| curious.
| blueflow wrote:
| Can you solve any problem just by expressing your will to
| solve it? I mean like, that's 0% of the required work. It's
| like demanding a fictional other to solve it for you, but
| not putting pressure on anyone to fulfill that role if
| everyone is just joining you in shouting what you want.
| rnd0 wrote:
| >I guess I feel that improving our world, ending war,
| making our society more just and fair, these are
| meaningful, useful, and beautiful things to do.
|
| They would be, if they actually made meaningful strides
| to accomplish those objectives beyond stroking the dev's
| ego.
| prepend wrote:
| > I guess I feel that improving our world, ending war,
| making our society more just and fair, these are
| meaningful, useful, and beautiful things to do. They
| might be some of the most meaningful things actually.
|
| I feel that way too. I want all those things. Adding
| "FreeUkraine" or "BLM" doesn't do that. I don't think
| virtue signaling is that big of a problem, but adding
| these phrases does nothing more than signal.
|
| I don't think it's productive to call out virtue
| signaling in that I would never submit a PR to complain
| or remove. But I definitely notice it and it seems
| stupid. I don't spend a lot of time thinking about it but
| a second or two while reading docs doesn't make me think
| more highly of someone.
|
| I think cynically it just seems like people say this
| instead of doing meaningful things.
| qsdf38100 wrote:
| You can say this whenever someone speaks out about
| something.
|
| You can always dismiss what they say by saying they don't
| actually care, it's just to look good.
|
| It tells more about _your_ beliefs and what _you_ stand for
| than anything.
|
| It seems a lot of HNers don't stand for freedom too much.
| They stand for not being annoyed by the fallouts of this
| war.
| BaronVonSteuben wrote:
| Yes but pointing out that the emperor has no clothes is
| mean, so we need to pretend not to notice. Despite our
| modern day knowledge that most human behavior is almost
| entirely incentive-based (the hard part is identifying the
| incentive), we're still supposed to pretend that it's
| altruism.
| mrtranscendence wrote:
| I've experienced too much altruistic, generous, kind
| behavior to support this cynical view, unless you're
| defining "incentive" so widely as to be meaningless
| (sure, some people are incentivized to help others
| partially because they get good feelings by doing so -- I
| suppose Ayn Rand was right all along).
| BaronVonSteuben wrote:
| I don't think it's cynical at all, I think it's just
| accepting reality. Our advanced consciousness is just a
| very thin layer of abstraction on top of the same
| brain/mind that powers many other animals. Some of the
| best minds who study this, question if there's even any
| such thing as "free will" at all.
|
| I don't think recognizing that is conflicting at all with
| a positive outlook, or the choice to be optimistic, or a
| humanist, etc. You can choose to believe it or choose not
| to believe it, and still value human life and try to
| progress humanity forward.
|
| Also don't underestimate the value/incentive of following
| your conscience, acting out your beliefs etc. Cognitive
| dissonance (which results from not doing so) is deeply
| uncomfortable and a good motivator for being
| "altruistic."
| blueflow wrote:
| The good news, these people are easy to identify because
| their signalling is always in a very visible way. They
| want to be seen. And when you can identify them, you can
| avoid them.
| Brotkrumen wrote:
| Is your public signaling that you're cancelling virtue
| signalers virtue signaling?
|
| "This is virtue signaling" is more of a dog whistle
| ingratiating yourself with a certain crowd instead of an
| argument. Don't know what you're trying to achieve besides
| that.
| blueflow wrote:
| > is more of a dog whistle ingratiating yourself with a
| certain crowd
|
| Genius move. Any concept that can be used to criticize
| you is implicitly outing me as part of your out-group.
| Now you can judge me not on my own merits, but on the
| merits of people you associate me with. And my posts can
| be well-formulated and thought-out, you disregard them for
| factors I cannot possibly control.
|
| This is the partisan thinking that I don't want to have
| business with. This is what I ghost people for. Call it
| cancelling if you want to, fact is, if you are walking
| through the world looking for friends, my place is the
| wrong address.
| leaflets2 wrote:
| Seems you're doing the same thing, when you claim that
| others who try to do sth about something are just virtue
| signaling.
| [deleted]
| kdmccormick wrote:
| As a less cynical take: When it comes to Ukraine support, the
| banner could theoretically have an anti-propaganda effect.
| Russian and Chinese citizens are cut off or pushed away from
| world political discourse in a lot of ways, so using open
| source libraries as a vector for anti-Russia messaging could
| have a real effect on devs in those countries.
| dunkelheit wrote:
| Two counterpoints: 1) the kind of people that use open-
| source libraries are one of the most plugged into the world
| political discourse parts of the population (BTW I am not
| sure that this is unequivocally a good thing, this
| "discourse" is just another brand of propaganda at this
| point) and 2) If some random open-source maintainer from
| across the ocean starts lecturing me that I am guilty of
| not overthrowing Putin or, worse, wipes my hard drive, I'm
| not going to be moved by this, I'm just going to think that
| this person is out of touch and be really annoyed.
| kdmccormick wrote:
| [deleted]
| mrtranscendence wrote:
| This is a bad take. The purpose is, at least partially, that
| the author of the package subscribes to _these_ opinions
| rather than others, sure. But this doesn't necessarily have
| anything to do with them being "right" or not. I don't get a
| lot of capital at Hacker News by saying that I support Black
| Lives Matter, but if I do so (and I'm doing so) does that
| mean I only want to display that I subscribe to the "correct"
| opinions?
|
| Plus, demonstrating what opinions are held is not the whole
| point. Part of it is telling others who support those causes
| that they're not alone. And it's also partially a "fuck you"
| to those who are triggered by mentions of causes like Black
| Lives Matter.
| gadders wrote:
| I think the person concerned is taking zero personal risk
| by displaying a view that is backed up by 99% of all media
| (even if not 99% of all people).
|
| If they had a banner saying "Trump 2024" or "The AZOV
| Battalion are Nazis" I might not agree with them, but at
| least they are taking some personal risk of cancellation.
| Brotkrumen wrote:
| Criticising the silent majority when they try not to be
| silent anymore with "you're not taking any risks, so stay
| silent" is a bad take.
| gadders wrote:
| I'm highlighting the emptiness of the moral
| grandstanding.
| shadowgovt wrote:
| We appear to have burned 393... Wait, 394... User
| comments on the subject.
|
| So if it's empty, so is commenting on HN, I'd
| extrapolate. Otherwise, it's gotten the attention of the
| sort of people who comment on HN, and that's something.
| Karrot_Kream wrote:
| I think HN folks are commenting because:
|
| 1. These political threads always bring out the most
| ideologically strident folk
|
| 2. Developer time/experience is impacted by these
| changes.
|
| While I personally think these banners are fine and good
| to raise awareness, I do agree that there's a moral
| grandstanding element as well. I'm often puzzled why it's
| so controversial a belief to have. I don't see why folks
| are so annoyed at these banners though because I've been
| annoyed for years and years at crappy ASCII/figlet
| drawings that libraries/apps output that are garbled in
| my terminal's width/encoding and yet people still add
| those.
| noelsusman wrote:
| Fox News is part of the media, conservatives cancel
| people too, and calling the Azov Battalion Nazis is not
| exactly controversial. They're pretty open about that.
|
| But mostly I'm wondering why it matters if they're taking
| a personal risk or not. How is that relevant to anything?
| commandlinefan wrote:
| I'm in Texas. A LOT of Californians disagree with some of the
| laws that Texas has passed. How long will it be until my hard
| drive gets reformatted by some protestor in San Francisco who
| localizes my IP address?
| matsemann wrote:
| Are those laws such that you should airstrike California? If
| not, why are you downplaying the significance of what's
| happening in Ukraine? Context matters in how proportional a
| response can be.
| bastardoperator wrote:
| LOL, Texans scared of activist hippy hackers in SF, pure gold.
| Most people know Texas is a joke when it comes to meaningful
| legislation and politicians which is why reasonable folks
| disagree. Most of your tech comes from CA, including this site
| you're on today so be careful out there.
| naoqj wrote:
| trentnix wrote:
| "I'm not a biologist."
|
| It's an answer good enough for the Supreme Court of the
| United States, but I'll bet it won't be good enough for
| Wokeware.
| KyeRussell wrote:
| [deleted]
| slackfan wrote:
| In a perfect world, everybody's hard drive gets reformatted.
| A4ET8a8uTh0 wrote:
| I have long argued that there are things that should remain
| agnostic of politics (as hard as it may sometimes be). This
| trend is genuinely destructive to opensource and I can't help
| but wonder if it is not done to undermine it by design.
| KyeRussell wrote:
| "Politics" is often what people call serious issues that don't
| affect them. So, maybe you'd just like open-source to be the
| domain of privileged people.
| A4ET8a8uTh0 wrote:
| I dislike this characterization ("privilege") as it is part
| of the new double-speak that is intended to stop the
| conversation, because, after all, how do you argue against
| that.
|
| Yeah, I can do some things some people can't, but I can't
| do some things some people can. You can make a reasonable
| argument that everything is politics, but it is a slippery
| slope, because tomorrow I might find myself with files
| deleted, because I did not read the fine print with the
| vegan inclinations of the developer and his stance on this
| subject.
|
| It can get bad really fast. It is already bad. Previously dumb
| pipes are being coerced to be 'smarter' and it is breaking
| the basic foundations of society. It is a privilege to live
| in a society. I think it would help if some naive activist
| did not undermine its foundations.
| XorNot wrote:
| ksec wrote:
| You pretty much summarise what is wrong with the title.
|
| It is not "Protestware" that harms open source. It is politics
| and ideology that harm open source.
|
| And at the rate things are going, maybe Open Source will not
| only be split between permissive and copyleft, but progressive
| and libreRight.
|
| Edit: Now I remember Douglas Crockford's "The Software shall be
| used for Good, not Evil." license. I wonder if there are still
| any open source that uses it.
| zucker42 wrote:
| > It is politics and ideology that harm open source.
|
| The movement towards free and open source software was
| created in no small part due to activists with a very strong
| ideology. Open source would not exist to the same extent
| without the ideology espoused by the FSF. The problem is that
| abandoning a key tenet of the free software movement,
| neutrality towards different uses (part of freedom 0 of the
| free software definition), does far more harm than good and
| contravenes FLOSS ideology.
| beaconstudios wrote:
| yeah it's kind of ironic to call for "no politics" in a
| movement that is essentially based in digital anarchism.
| pelasaco wrote:
| That's exactly what I would write here. FLOSS is basically
| a political movement against the software industry since
| 1960...
| seneca wrote:
| > The movement towards free and open source software was
| created in no small part due to activists with a very strong
| ideology.
|
| This is true, and an argument that keeps getting repeated,
| but isn't the same issue. The politics of open source
| software are about software. How it's made and how it's
| used.
|
| The modern push is about injecting outside ideology into
| software (and everywhere else). Bringing geo, gender, and
| racial politics into software is a whole lot different than
| software politics in software.
| BaronVonSteuben wrote:
| Either you or I misread GP, because I don't see any
| disagreement. GP points out that FLOSS movement was and
| is inclusive by design, while this modern development is
| exclusive by design against people who disagree with the
| person's opinions.
| seneca wrote:
| Yep, not disagreeing with them at all on their overall
| point. I just see this "FLOSS is inherently political"
| line floated a lot, and wanted to point out that it's a
| false equivalence. I probably could have made that
| clearer.
| mohanmcgeek wrote:
| > The movement towards free and open source software was
| created in no small part due to activists with a very strong
| ideology
|
| They did have a strong ideology and they worked towards
| building the world they wished to see. Not by breaking
| existing things to virtue signal their support for "the
| current thing"
| zucker42 wrote:
| Yeah, but that means the problem is in fact protestware
| and not "ideology" in some vague sense.
| iaml wrote:
| And then all of the effort spent on "building the world
| they wished to see" gets used to also build a world that
| goes against everything they wished, against their
| ideology. Due to openness of their efforts they also
| don't have an option on influencing that, unlike
| commercial products who can simply stop doing business
| with precise companies/people/territories. What if the
| very idea of open source gets used against itself? What
| would you advise those people to do? Shut up about "the
| current thing"?
| XorNot wrote:
| "protestware" is just malware. The punchline is: do you
| understand your supply chain? Can you audit your software? Do
| you have security controls for potentially hostile packages?
|
| This is nothing new: this is a problem which has always
| existed.
| unethical_ban wrote:
| It isn't ideology, it's malware for political purposes.
|
| https://xkcd.com/605/
|
| No, at the rate things are going, OSS will not be as you
| describe.
| BaronVonSteuben wrote:
| Thanks for the perspective and the laugh. It's very easy to
| see a trend that isn't there in an aberration.
| beaconstudios wrote:
| you can't really escape politics and ideology. What you can
| do, is to not be petty with your public contributions. As the
| parent example states, while somebody /could/ embed malware
| into their software that targets Texans, this falls under the
| pre-existing social doctrine of a "dick move". These things
| exist on a scale from "exclude government/corporate entities
| from your software license" to "try to fuck up random
| people's hard drives" and vary widely in terms of validity.
| BaronVonSteuben wrote:
| I think the main problem is that we are increasingly
| operating with different definitions of "dick move."
|
| To many people, the idea that a small business owner would
| have their store burned to the ground because someone else
| in their town (or on the other side of their country) did
| something bad, is a massive dick move. Yet, this happened
| numerous times during the summer of BLM in 2020 and it was
| widely defended with things like, "everything is political"
| and "not to take a side is to take a side" and "you're
| either with us or you're against us" and "mostly peaceful
| protests." There was even a famous "looting is reparations"
| in articles and at least one book called "In Defense of
| Looting."
| nsxwolf wrote:
| alexb_ wrote:
| It's your fault for not giving me the money. If you had done
| that sooner you'd still have your brain intact.
| gruez wrote:
| I think this recent comment is relevant here:
|
| >I don't want to hear anyone in this country [the US]
| complain about the Electoral College or gerrymandering the
| next time we decide to pull another Iraq War but they're
| opposed to it.
|
| >Just like, overthrow the government - it's so easy!
|
| >And if you don't have the guts - well, don't be mad when
| someone deletes all your files, you collaborator!
|
| https://news.ycombinator.com/item?id=30727720
| zamadatix wrote:
| The problem is the logic goes both ways so there is no "just
| do <x>" because <x> differs per group.
| bjt2n3904 wrote:
| I have legitimately argued against using NodeJS as the
| foundation of our next product for this very reason.
|
| NodeJS' culture is very much "move fast and break things", and
| "all software is political". Look at the TSC drama. Leftpad.js.
|
| This isn't an ecosystem that you want to build and maintain a
| product on.
| dewey wrote:
| Isn't this mostly a problem of auto-updating and non-pinned
| dependencies? If you vendor and audit your dependencies this
| isn't really a problem.
| mushyhammer wrote:
| Yes true but have you audited your thousands of modules? If
| you have a build tool that wasn't born in 2020 chances are
| it pulls a hundred dependencies from 20 separate vendors.
|
| I saw this as a JS developer who scarily runs npm installs
| multiple times a day.
| ComradePhil wrote:
| That reminded me of the whole Ayo.js thing:
| https://github.com/ayojs/ayo
|
| The NodeJS community somehow tends to attract the worst kind
| of people.
| pelasaco wrote:
| again, nothing blocks you from having a better supply chain
| for your software:
|
| Download all dependencies and freeze them, fork the
| dependencies and groom your fork or have Dependabot or
| depfu managing your dependencies for you and keep a delay
| between merging the PRs, have manual review, etc..
|
| You shouldn't be pulling stuff from internet and pushing to
| production without taking a look at that anyway...
| devmunchies wrote:
| I'll be using Deno for new projects from now on.
| staticelf wrote:
| Basically all big js front ends have the same issue. Most of
| them had banners or whole pages for the BLM movement which
| made no sense to anyone outside of the US like myself.
|
| I mean a framework or library with a global audience
| shouldn't push american politics. Vue, React, Preact, Nodejs,
| Ember (had a whole page and made documentation unavailable
| for some time), Go lang, ExpressJS (still has the banner up),
| Typescript, a lot of python projects etc etc. The list can be
| made very long.
|
| I try to avoid any framework and library that pushes
| political agendas onto their sites because that signals what
| type of people are in charge of them. They must think that
| their political views are so important it must infiltrate
| every aspect of life even if the thing has nothing to do with
| it. Unfortunately, there is such a large amount of them doing
| this it's practically impossible to avoid it.
|
| The funny thing is, now that Russia has invaded Ukraine there
| are no banners on the same websites so it's obvious some
| lives matter more than others in their views..
| dragonwriter wrote:
| > Most of them had banners or whole pages for the BLM
| movement which made no sense to anyone outside of the US
|
| pretty sure they made sense to quite a few people outside
| the US:
|
| https://blacklivesmatter.uk/
|
| https://tribunemag.co.uk/2020/06/frances-black-lives-
| matter-...
|
| https://www.americamagazine.org/politics-
| society/2020/06/22/...
| staticelf wrote:
| Comparing Europe with the US when it comes to police
| killings is ridiculous. Sure there were attempts to bring
| it to Europe but that is beside the point. There are a
| lot of countries in the world, many without any of the
| issues which BLM protested against. Why should we get pushed
| American politics for? What is the point?
|
| The UK as an example had something like 6 people killed
| that year when protests arrived. Most of whom weren't
| black if I remember correctly. Do you really think it's
| comparable to the issues that exist in the US?
|
| My critique is still valid though, don't Ukrainian lives
| matter? Why are there no banners for them?
| bjt2n3904 wrote:
| It's not even that a software project can't (or shouldn't)
| have political causes that it supports.
|
| It's the arrogant attitude that "if you aren't for me, then
| you're against me". That their views are so righteous, that
| the only people who could possibly object are bad actors.
| lucasmullens wrote:
| > The funny thing is, now that Russia has invaded Ukraine
| there are no banners on the same websites so it's obvious
| some lives matter more than others in their views..
|
| Supporting one issue publicly does not mean you think it's
| more important than every issue you don't support publicly.
| staticelf wrote:
| > Supporting one issue publicly does not mean you think
| it's more important than every issue you don't support
| publicly.
|
| There is a big difference with war and people being
| systematically killed and a potential unjust legal
| system. War is obviously many times worse in every aspect
| and I think it's hilarious on what these people publicly
| support and what they don't.
|
| It's hypocritical, unfair which makes it a big irony
| since that was what the BLM movement was all about
| (unfair treatment).
| vorpalhex wrote:
| It would seem to.
|
| That was literally the whole thing of "inclusive
| language" right? It wasn't about what the words actually
| mean, just how people felt about them. If they felt the
| word was discriminatory, then it should be fixed.
|
| If you're going to throw up banners on every JS site for
| one cause and not another, you're saying very loudly you
| don't care as much about the other. You would, under the
| logic of "discriminatory language", even be engaging in
| discrimination.
| KyeRussell wrote:
| Again, you're calling this "political" because it doesn't
| matter to you, and it certainly sounds like it doesn't
| personally affect you. To other people, BLM is a serious
| existential threat. You'd lose your mind if someone chalked
| the question of your existence up to "politics". You're
| really showing your hand. And no, I'm not American either,
| but that doesn't somehow make me blind to the fact that BLM
| is a big deal.
| staticelf wrote:
| So why don't the same sites have banners for Ukrainian
| lives? Russia's invasion is for sure a bigger existential
| threat to them since they got invaded by a foreign state.
|
| I think you're showing your hand, I am arguing for
| treating everyone the same and that the people in charge
| of these sites appear to care more about American lives
| than Ukrainian ones.
|
| If you're gonna have banners, then having them for
| Ukraine is an obvious choice for me. OR.. maybe you could
| decide not to involve politics in tech with a global
| audience at all and skip all this bullshit.
| unmole wrote:
| > Most of them had banners or whole pages for the BLM
| movement which made no sense to anyone outside of the US
| like myself.
|
| It isn't limited to JS frameworks. I remember seeing
| banners on Kubernetes docs too.
| extheat wrote:
| So you're basically saying, don't use X tool chain because
| the 3rd party software doesn't move on your pace? Or they
| have different "views" than yours? I don't see how that makes
| any sense. Why do you have to be beholden to 3rd party
| developers and the pace they work at?
| trentnix wrote:
| I'm not sure if you're being purposely obtuse, but the idea
| that you'd build your software on top of a technology or
| platform that might introduce instability due to the whims
| or politics of its stewards is absolutely and obviously a
| risk worth considering.
| bmj wrote:
| Did you read the parent article?
|
| _But, in at least one case--the peacenotwar module in the
| node-ipc package--an update sabotages npm developers with
| code intended to wipe data stored in Russia and Belarus. In
| a March 16 blog post on the malicious code, Liran Tal at
| Snyk said, "This security incident involves destructive
| acts of corrupting files on disk by one maintainer and
| their attempts to hide and restate that deliberate sabotage
| in different forms."_
|
| This has nothing to do with pace of development, or even
| the political views of the developers. It has to do with
| inserting what is essentially malware into open source
| packages that affect users based on geo-location.
| extheat wrote:
| OK, and how is this something unique to the Node.js
| package ecosystem? What's stopping someone on PyPI/some
| other PM from doing the same thing? I personally view
| these more as malicious copycat acts than anything
| inherent with the ecosystem. Should NPM start manually
| reviewing all of the packages that go through them,
| because of the handful of abusers? I'm not so sure. The
| situation on languages without a widely used package
| manager/ecosystem like C++ I don't think is any better.
| marcosdumay wrote:
| Well, do you think doing what you said is a bad policy? It
| looks pretty sane and effective to me.
|
| > Why do you have to be beholden to 3rd party developers and
| the pace they work at?
|
| You don't "have to", you only are beholden to them if you
| use their software.
| slackfan wrote:
| I use software to build stuff, not to subscribe to a set of
| political ideologies.
| trentnix wrote:
| A small, extremely loud, and extremely sanctimonious part
| of the population will not accept that. They will
| consider your lack of political motivation for your work
| distasteful and eventually immoral. You'll be asked to
| support movements, participate in ritual, and publicly
| proclaim your allegiance. Eventually, they'll demand it.
|
| _"Of all tyrannies, a tyranny sincerely exercised for
| the good of its victims may be the most oppressive. It
| would be better to live under robber barons than under
| omnipotent moral busybodies. The robber baron's cruelty
| may sometimes sleep, his cupidity may at some point be
| satiated; but those who torment us for our own good will
| torment us without end for they do so with the approval
| of their own conscience. They may be more likely to go to
| Heaven yet at the same time likelier to make a Hell of
| earth. This very kindness stings with intolerable insult.
| To be "cured" against one's will and cured of states
| which we may not regard as disease is to be put on a
| level of those who have not yet reached the age of reason
| or those who never will; to be classed with infants,
| imbeciles, and domestic animals." - C.S. Lewis_
| beaconstudios wrote:
| not every politics-adjacent thread needs to devolve into
| "the wokes are coming for us all". You can disagree with
| the actions of progressives without making it this all-
| encompassing threat. Hell, I'm pretty left-wing and I'm
| fairly critical of some of the factions.
|
| Either way, I can't see anybody putting "must add a BLM
| banner to their website" to the licensing conditions of
| their FOSS code.
| slackfan wrote:
| That would be a wonderful thing to be able to do, if the
| woke brigade wasn't screaming "YOU'RE WITH US OR YOU'RE
| AGAINST US" a parent over. ;) Ignoring that isn't an
| option, unfortunately, believe me, that's been tried.
| beaconstudios wrote:
| Yeah but so what? Disagreements are going to happen in
| politics. Other people disliking your politics and vice-
| versa is not an existential threat.
|
| Anybody who legitimately makes a "liberals only" stand in
| their license will get forked and their usage will drop
| off.
| slackfan wrote:
| >yeah but so what
|
| Being silent about shitty behavior is the same as
| condoning it, don't you know? Just because you don't like
| the playbook doesn't mean it doesn't work.
|
| >Anybody who legitimately makes a "liberals only" stand
| in their license will get forked and their usage will
| drop off.
|
| Considering that the developer just pulled a "no
| russians" stand with their software...
| beaconstudios wrote:
| > Being silent about shitty behavior is the same as
| condoning it, don't you know? Just because you don't like
| the playbook doesn't mean it doesn't work.
|
| my point is that it doesn't matter. Condemn or not,
| regardless you can still fork earlier versions.
| Materially, it's not a threat to you.
|
| > Considering that the developer just pulled a "no
| russians" stand with their software...
|
| Yeah and look at how much shit they're catching for it.
| People are forking and freezing earlier versions, he's
| getting raked through the coals, etc. Is this really the
| outcome conservatives are afraid of?
| [deleted]
| slackfan wrote:
| >materially it is not a threat to you
|
| Kind of crappy whataboutism there don't you think? What
| if I'm a VPN user and my hard drive was wiped?
|
| >Conservatives
|
| What does this have to do with conservatives?
| beaconstudios wrote:
| > Kind of crappy whataboutism there don't you think? What
| if I'm a VPN user and my hard drive was wiped?
|
| Yeah it obviously sucks to be a victim of this behaviour,
| but the developer is being roundly condemned by
| everybody. I thought you were worried about this type of
| behaviour being encouraged by progressives?
|
| > What does this have to do with conservatives?
|
| Just a guess, it's usually conservatives that hand-wring
| this much about "woke" people.
| slackfan wrote:
| Oh there's no eventually. They've been demanding it for
| years. There's a very good reason why some software on my
| machines is already pinned to specific versions, and will
| not under any circumstances be upgraded.
|
| Thankfully the field of software development has
| stagnated to the point that there really hasn't been any
| significant improvements to actual non-web software in
| about 15 years, so I'm looking forward to the brand new
| world with a stack of ancient machines, a bunch of boxes
| of capacitors, and a few hard drives' worth of
| abandonware, because frankly, fuck that noise _THE AMISH
| WERE RIGHT_.
| shuntress wrote:
| All things are inherently "political" just not always
| significant enough to be worth considering.
|
| The trite ways to say it (i.e. _"we live in a society"_ or
| _"actions have consequences"_) don't really capture the full
| complexity of human interaction but do somewhat describe the
| notion that everything you do as an individual affects and is
| affected by everything everyone else does. Being "political"
| really means just believing that those effects are too
| significant to ignore.
| raxxorrax wrote:
| What makes everything political? Of course something I do
| or say can influence others, but it is still not political
| in the vast majority of instances. Not even non-
| significantly.
|
| Political action is shaping my environment to my desire.
| Via compromise or war perhaps. What is your definition of
| it that it applies to everything?
| BlueTemplar wrote:
| That's just action. What makes it political is if it happens
| to have an effect outside of your home. (And technically
| even those restricted to the inside will usually end up
| having some sort of effect outside of your home.)
| EnKopVand wrote:
| It's a problem in any ecosystem. It's not like there haven't
| been attacks in nuget packages or the recently famous Log4j
| vulnerability. I'm not going to pretend there aren't some
| pretty deep flaws with nested dependencies in Node modules,
| but it's really more an issue with unprofessionalism in my
| eyes.
|
| I've never worked a place that would auto-magically roll out
| things like windows or chrome updates without having them
| vetted first. If you can't trust those, then you certainly
| can't trust some random NPM package, and if your organisation
| doesn't have a strategy for how you handle something that
| unsafe then you really need to step up your professionalism.
|
| I personally consider NPM packages to be sort of nice, in the
| very cynical way, that the community tends to beta test
| updates for you much faster than with any other dependency
| system.
| nonameiguess wrote:
| Not all ecosystems are the same in the extent to which
| auditing and maintaining dependency chains is a burden. All
| of Linux from Scratch consists of something like less than
| 90 distinct dependencies, for instance. When I went to add
| a token-replacement library to mdbook so I can interpolate
| variables in a book, Cargo pulled in 287 dependencies. For
| better or worse, the newer, hotter languages of the day
| seem to be predicated on extremely small, sometimes single-
| function, libraries, and thus enormous and arguably
| intractable dependency trees.
| rsstack wrote:
| The only good news I have for you is that _perhaps_ in that
| case the FBI and CISA will investigate, because there will be a
| US resident victim.
|
| IP-based geolocation is garbage but there aren't many
| Russian/Belarusian-attributed IPs in the US so the intersection
| of those with people using node-ipc was empty, and the US
| Government couldn't be pressured to investigate/enforce.
| slackfan wrote:
| Putting such trust in state actors in the year 2022 seems
| optimistic to the point of naivety.
| seanw444 wrote:
| gruez wrote:
| This administration might be D, but the next one might not
| be. What's the statute of limitations on CFAA?
| rectang wrote:
| Or that someone in Texas would come after Californians.
| lostmsu wrote:
| What about Californians throwing Molotov at your house?
|
| My point is that analogy is not a valid tool of criticism
| when talking about policies, because their inputs and
| outcomes are not simple bool -> bool functions.
|
| Would you be satisfied with 1000000 years on average as the
| answer?
| jddil wrote:
| FredPret wrote:
| You are part of the problem
| HideousKojima wrote:
| Congratulations, you're part of the problem. Enjoy creating a
| world in which open source cannot be relied upon for any
| purpose: https://www.gnu.org/philosophy/programs-must-not-
| limit-freed...
| grnmamba wrote:
| I'm sure your state/country has not a single unjust law on
| the books.
| grnmamba wrote:
| Another fun scenario: your project has two dependencies, made
| by two different developers: `left-pad` and `right-pad`. `left-
| pad` will format your hard drive if it geolocates you being in
| a state that allows X. `right-pad` will format your hard drive
| if it geolocates you being in a state that criminalizes X.
| Aperocky wrote:
| Dependency hell but with more politics!
| throwaway889900 wrote:
| Write a wrapper project that changes your location before any
| left-pad or right-pad function calls. Or just fork both and
| fix them how you see fit if they're open source.
| [deleted]
| temp-dude-87844 wrote:
| I get why the OSI published this post. They have a vested
| interest in the conversation and I agree with their points.
|
| But the battle for the narrative has already been lost when
| people consider this to be a problem with 'open source'. Rather,
| it's a problem with software that's being given away for
| reputation brownie points. Here, the author showed exceedingly
| poor judgment towards users of their software, and this should
| result in the loss of goodwill and respect towards the author and
| the forking of their works if the license allows.
|
| Open Source didn't enable this behavior. The author's poor
| judgement and the author's lack of need to care for the users of
| one's software is what didn't dissuade this behavior. In this
| case, it was giveaway software causing harm. In other cases, it's
| commercial software pushing hamfisted changes users don't want,
| because the users aren't empowered enough to fight it. The reason
| commercial software would avoid _this particular_ type of stunt
| is because it 's poor business sense to harm one's direct
| customers.
|
| So what of Open Source? Open Source allows anyone to review or
| modify the software that engages in this behavior. So the
| community can salvage the author's good contributions and better
| custodians can carry the software forward.
|
| Open Source also allows anyone to discover these cases
| proactively. Of course, almost nobody does this, because we as an
| "industry" have gotten used to four troubling trends, and
| ridicule those who aren't on this "bleeding edge":
|
| * thinking that software that costs $0 to obtain incurs no
| additional costs
|
| * not auditing our dependencies
|
| * being unconcerned about the sheer quantity of dependencies
|
| * blindly updating dependencies
|
| It's a sad but predictable development that the field of Open
| Source software has basically merged with the community of
| authors actively looking to give away software for $0 (for fame
| or to upsell advanced features). Basically, the Open Source
| movement was too successful (in its advocacy and in raising the
| demands of the customers of software), and it has largely
| subsumed and supplanted the formerly-separate fields of shareware
| and trialware software.
|
| This development is what truly hurts Open Source: so much
| software but too little emphasis on (or even demand for)
| curation, massive imbalance of contributors to users, the
| decreasing influence of programming-language-specific spaces, and
| increasing dominance of the "move-fast-and-break-things" culture.
|
| The way forward is to achieve stronger curation, more focused
| maker spaces, tighter (as opposed to larger) communities, and an
| outreach effort to re-establish the philosophical distinctions
| between Open Source and freeware.
| throw7 wrote:
| I don't think "protestware" is fully correct. Destructive
| behavior is more than just protest (my understanding is the dev
| deleted and changed user files to "heart emojis") and is
| something that shouldn't be tolerated. It's malware.
| JasonFruit wrote:
| I think a lot of efforts to support one or the other side in a
| war overlook that governments often do things that are supported
| by only a small portion of their people, and that support is
| often achieved only through dishonest propaganda. And while the
| governments have the resources to weather economic and social
| pressure, their people frequently do not, the more so the more
| repressive the government. If we can't very directly target the
| government, not the people, we should keep out of wars that are
| not an attack on us.
| anoncow419 wrote:
| Feels like we always come back to this xkcd comic.
|
| https://xkcd.com/2347/
| noirchen wrote:
| In the past the big multinational corporations did not give a
| shit about ethics. IBM happily sold Hitler machines to categorize
| Jews, Gypsies, Slavs and gay people. Now programmers 'protest', or
| more accurately, attack what they conceive as evil, and it
| suddenly becomes a thing. Which one is better? Of course neither
| is good enough, but I certainly think programmers can express
| their views and values. Sometimes you have to admit that
| fairytale concepts, such as open source, or the internet that
| every person can get access to, or globalization, or the end of
| history, are hitting a hard wall. Maybe none of these things from
| the last few decades are everlasting in the time scale of human
| history. If I have to choose between freedom of speech which
| proves true for like several hundreds of years and decades old
| open source, I would not hesitate.
| cpitman wrote:
| 100%. I've already seen articles in non-tech media that explain
| what happened to a non-technical audience, and the explanation
| sounded a lot like open source is the problem and that
| proprietary software would never have these problems.
|
| It wasn't that long ago that using open source software required
| a lot of politicking inside my clients, and we could easily go
| back there with enough spooked executives.
| shadowgovt wrote:
| It strikes me as kind of an odd position that given political
| advocacy in open source software, closed source would be safer.
|
| Proprietary software provided by a single vendor is much easier
| for a government to lock down via actual sanctions.
| Hypothetically, they can outlaw your company doing business
| with that vendor.
| Palomides wrote:
| a disagreeable take: why should open source projects make any
| effort to be accessible to corporations that will never donate
| or support them?
| Cthulhu_ wrote:
| Because open source is idealistic and altruistic to a fault;
| it is the antithesis to "got mine, fuck you", or that of the
| capitalist "fuck you, pay me". If you limit access to anyone
| it is, by definition, no longer open source. I mean there's
| probably plenty of licenses that restrict commercial usage of
| open source software.
|
| That said, I'm all for open source software monetization;
| include messages in the README, code, or logging that
| basically says something to the tune of "If you are using
| this for commercial purposes, please consider donating /
| sponsoring / hiring". I think Github and co can do a lot more
| as well to encourage big corporations to pay open source
| contributors.
| harry8 wrote:
| Counter point: if bigcos are so damn stupid they avoid open
| source & Free software for idiotic reasons that creates
| space for less stupid startups who will do and be better.
| Why do we need to save the rich ignorant and prejudiced
| from themselves? They're not worthy object of charity.
| JumpCrisscross wrote:
| > _not worthy object of charity_
|
| Most people, certainly productive people, are employed by
| companies. Take an extremist position on who your product
| works for and you limit the developer pool. An agnostic
| competitor would be expected to replace you.
| harry8 wrote:
| It's not an extremist position to say you don't have to
| do much about big companies' feelings about using Free
| software. You don't have to expend your scarce resources
| to make them feel comfortable. Note well here I am
| talking about nothing whatever of substance, this is all
| pure marketing. If big cos turn from Free software due to
| prejudice and ignorance about what it is, what it does
| and how to manage it, rather than riding it like Google,
| Facebook, Apple etc to untold riches (that were not
| obtainable to those companies without Free software),
| that's not any Free software developers' problem.
|
| The GPL, LGPL, BSD, Apache licenses have not changed. A
| rogue action by any supplier comes directly under
| bargaining powers of suppliers in your corporate strategy
| risk analysis. If it happens you deal with it and you've
| already thought about it or you have no business in
| making decisions in a large company. If any big company
| runs away scared from Free software, bye.
|
| Google literally shot to glory when they went extra hard
| at using Free software when established big companies
| were scared. It's not a sufficient condition for their
| success but it was absolutely a necessary one. They don't
| get going if they have to pay for operating systems
| alone.
| JumpCrisscross wrote:
| > _I am talking about nothing whatever of substance, this
| is all pure marketing_
|
| This is fair. Would note that one advantage to teams that
| do the outreach and accommodation can be support,
| financial and contributions. But that's speculative and
| not the right move for every team.
| harry8 wrote:
| >It wasn't that long ago that using open source software
| required a lot of politicking inside my clients, and we
| could easily go back there with enough spooked
| executives.
|
| That's what this discussion is about. You want to
| monetize your Free software project? That's a very
| different discussion to this one, about which nobody
| writing Free software need care. Note also the
| "protestware" or whatever nonsense this is didn't hit
| anyone with a support contract from the developer, or am
| I wrong with that guess? So big co.s are using a metric
| ship load of code that they didn't pay a cent for and
| don't bother even reading once. Just hit the auto-update
| while paying and contributing nothing, then claim this
| is the fault of Free software somehow? Yeah. Ok. Bye. The
| value proposition sucks for them, apparently so they'll
| pay someone a lot of money to solve that. Nobody else
| need care - unless you're sliding into that space to
| solve that problem for them.
| PartiallyTyped wrote:
| Part of being idealistic is standing up for what is right
| but without causing more harm than necessary.
|
| > If you limit access to anyone it is, by definition, no
| longer open source
|
| Licensing disagrees. Not everything open source is
| permissive.
| dspillett wrote:
| _> Part of being idealistic is standing up for what is
| right but without causing more harm than necessary._
|
| Exactly. Setting off a logic bomb targeted at whole
| countries is not "without causing more harm than
| necessary". Add wilful destruction to a protest,
| especially if that destruction is such that it affects
| innocent bystanders, and you no longer have a protest,
| you have a riot.
| rectang wrote:
| I'm pretty sure the reference is just to the "no
| discrimination against people/groups/fields-of-endeavor"
| ethos. See OSI's Open Source Definition clauses 5 and 6.
| https://opensource.org/osd
| _fat_santa wrote:
| The problem I see is that there is no way to discern a
| "corporate customer" versus a guy in his bedroom building an
| app. The whole fakerJS fiasco really pissed me off because
| the developer seemed to assume that the only folks using his
| software were greedy F500 companies.
|
| And that's the problem I see with many of these political
| statements. There seems to be this politically driven
| assumption that the only users of OSS are greedy companies
| that won't pay to support it. So they make a political
| statement, take down their package or make it malicious. All
| this does is create a minor headache for the big corps that
| have resources and fucks over the little guy.
| dspillett wrote:
| While the prior post was talking about reticence to trust OSS
| code in commercial environments, the problem is not limited
| to that arena. This change hit national news here, albeit
| very temporarily, not just tech and business news.
|
| If an OSS developer can drop a logic bomb on Russian
| interests, one could do it to anyone else they disagree with,
| and that might understandably make people uncomfortable.
|
| Furthermore, the "attack" was indiscriminate, hitting out at
| a geographical area potentially damaging the data of many
| innocent bystanders not just those responsible for, taking
| part in, or supporting, the invasion. Or is it OK for a code
| bomb to affect civilian targets? I know physical protests
| often inconvenience bystanders, intentionally so, a lot of
| the point is to do so in order to draw attention to the
| matter being protested, but wilful destruction of property is
| usually considered bad form for such protests (arguably at
| that point you have a riot, not a protest) and that is
| essentially what the node-ipc change did.
|
| Putting commercial interests off OSS is a symptom of a deeper
| wrong here.
| MrStonedOne wrote:
| ahtihn wrote:
| > one could do it to anyone else they disagree with, and
| that might understandably make people uncomfortable
|
| That's why you audit your dependencies and have tests
| right? Right?
| dspillett wrote:
| It is one of the reasons why you _should_. But...
|
| * Many don't.
|
| * Even for those that do something might slip through the
| cracks, particularly given how deep and wide some
| dependency trees go in the current JS ecosystem.
|
| * Such attacks would still cause you problems once your
| audit spots one: you now have to hold back a version,
| perhaps back-porting security fixes, at least until you
| can migrate to another package or create your own (or,
| rather than creating fresh, decide to continue
| maintaining a fork of the affected one). And you may need
| a deeper audit, checking to see if anything else slipped
| by earlier that has left dangerous traces.
|
| And the existence of dependency audits doesn't make
| damaging protest updates like this right any more than
| the existence of secure zips makes pick-pocketing those
| without them fine.
| ZeroGravitas wrote:
| Poorly chosen headline.
|
| As the text makes clear, 'protestware' as a concept is fine,
| destroying random people's data is not.
|
| > When deployed, this 'protestware' expresses the maintainer's
| opposition to the Russian government's invasion of Ukraine. Most
| protestware simply displays anti-war or pro-Ukrainian messages
| when run. This is a non-violent, creative form of protest that
| can be effective.
| laurent123456 wrote:
| I wonder if protestware as a concept is fine. It's a form of
| ads, just people pushing their opinion in front of everybody
| just because they can.
|
| Sure, everybody's against the war, but what if the message was
| a more controversial anti-this or pro-that topic - do we really
| want to have these messages pop up during installation and even
| after?
| alexb_ wrote:
| If a large project had "unpopular" opinions in the commit
| messages, it would be top of HN instantly and companies
| everywhere would be pressured into not using the project in
| the future. Software should do what you want, only what you
| want, and do that thing well. Political messages are horrible
| additions that accomplish nothing but isolate people and make
| free software look bad.
| manofmanysmiles wrote:
| I'm probably going to start sounding like a broken record here,
| but what I have realized is I am living here as a man. I am not a
| citizen, or another entity, and my morality is between myself
| and my "creator". This creator could be God, could be
| nature/natural selection, just whatever process brought the "I
| am" here.
|
| I am also aware that with this knowledge I chose to not harm any
| other living entities. The "problem" is that people calling
| themselves "agents of governments" go around asking other people
| to initiate violence on other people, using words such as "laws" and
| "orders", and these other people, believing that "the government"
| is a real entity, and that these "laws" somehow overwrite our
| natural sense of morality and free will decided to act and
| initiate violence.
|
| In this current conflict, people who call themselves the
| government on both "sides" are instructing people to go initiate
| violence, and people thinking the authority is real do so, and go
| murder other people.
|
| We, as people who are mostly "uninvolved", acting in the role of
| "citizens", are seeing this evil occur, and want it to stop.
| However, we are still supporting this idea that government is
| real, that "Russia" is doing something to "Ukraine", when there
| is no "Ukraine", or "Russia" or "United States", but simply
| people who act as if these entities exist. We give power to these
| egregores, or intersubjective entities, and by doing so believe
| we are somehow absolved from making our own moral decisions.
|
| All of this stops when each and every one of us (or at least a
| big enough percentage) takes individual moral responsibility for
| our actions, and learns to be moral for its own sake.
|
| A big part of this that a lot of people I've talked to seem to be
| missing is the role of "money", and how people with free will
| thinking that pieces of paper, or numbers on a computer have
| power or value. The only value that exists is us as conscious
| entities. Every aspect of reality, from this computer I am typing
| this response on, to buildings, art, and technology is the output
| of consciousness acting on matter on its own free will.
|
| When we believe that having money in our possession gives us
| power and freedom, it gives us a false sense of security. If I
| have some sum of money, I believe I can use this money to
| influence reality by giving it to other conscious entities. For
| now this is somewhat true, because you, and other entities agree
| to do things in exchange for these imaginary numbers. However,
| what is true is that each and every one of us acts on our own
| free will, and we use money because we are too afraid to admit we
| are dependent on each other. As we continue believing this, we
| allow other people who know how to manipulate the numbers in
| clever ways, such as those people controlling central banks, and
| printing money to exert large influence on the direction of the
| world. During the last two years, a very large amount of money
| was printed, and used to reshape reality. The value of every
| dollar decreased, as suddenly the equation was out of balance,
| but again, those in control of the money supply use this new
| money, and we, believing it represents value change our behavior
| trying to capture the value, forgetting it is us who are the real
| value the whole time.
|
| So my message to other people who want to hear it is: you are the
| value. There are no governments, companies or money. There is
| only us, and we are the value.
| darepublic wrote:
| Keep dependencies low and use only the really crucial and well
| vetted ones, e.g. on a recent web application I'm using next.js,
| react and styled components, express and knex.js. You don't need
| anything else.
| eternityforest wrote:
| It harms all of technology and by extension anyone who
| participates in the modern world. Just like any malware or other
| antisocial behaviour.
|
| It's a bit too indiscriminate to be a good protest, unless the
| thing you want to tear down IS the whole modern development
| process, which is based on the idea that most people are somewhat
| trustworthy and you can get the risk down to an acceptable level
| through the usual means.
|
| It doesn't quite work if malware is not only a threat, but a
| semi-mainstream thing sometimes made by people you would think
| you could trust. The normal social process of trust breaks down
| if malware is included in the scope of normal things people
| sometimes do, as opposed to purely being something by the more
| criminal types.
|
| I almost wonder if these people don't actively want to tear down
| tech itself, or not care, given how many coders dislike the fact
| that society is tech dependent.
| spicybright wrote:
| It sucks because it only targets individuals, not companies that
| have actual power to change things.
|
| A big site has production, testing, dev servers spun up by docker
| or whatever. So to fix this you just need to roll back the node
| package version and redeploy.
|
| A person learning code/developing locally now just lost
| everything.
| PeePeePooPooMan wrote:
| whatever1 wrote:
| Whatever it takes to bring that dictator down.
| marginalia_nu wrote:
| This may actually be counterproductive to that end, as it
| disrupts the ability of the Russian grass roots to develop
| their own software. That capacity is fairly important to
| provide the technical ability to avoid state surveillance and
| to communicate without ending up in the cell next to Navalny.
| jcadam wrote:
| Or it results in a balkanization of the FOSS community. Also
| bad.
| scohesc wrote:
| It's eye-opening to see the amount of unexpected changes we're
| going to go through as a result of the west deciding to
| completely remove an entire country from their economic systems
| and encouraging/allowing their citizens to harass the (mostly
| innocent) populace trying to just survive.
|
| I don't like how open source is being co-opted by people
| supporting _ANY_ political ideology or belief to cause harm to
| other people around the world. It's not _your_ code, so why are
| people openly advocating to modify it to cause harm to others?
|
| It's a net negative all around, in my mind.
| rd07 wrote:
| I have never been disappointed by open source projects until these
| recent weeks. The acts of some OSS maintainers that blatantly use
| the tools they maintained as a platform to show their support for
| one side have disappointed me. Especially because they have never
| taken sides nor noticed other bloody conflicts before this. I won't
| be as disappointed if they always use their tools to promote
| peace and stand with whichever nation is being invaded and
| oppressed. But no, they only care when a western/western-aligned
| country is being invaded. This just shows their hypocrisy and
| racism.
| fattless wrote:
| Was talking with a friend about the peacenotwar thing. I think
| it's pretty interesting to view so many of the decisions like this
| through the "we have to do something" mindset so many people
| have, especially on social media.
|
| All of these companies shutting down in Russia, people pressuring
| others to take a stand or shut down their services, upset the
| population. On HN I remember the namecheap thing and the service
| that allows westerners to call random Russians and inform them.
| On paper these seem like solid moves, but I can't help but feel
| like it's only harming the citizens, and potentially irresponsible
| in a place where someone faces consequences for speaking out. I
| don't think anyone is going to risk their lives and take notable
| action because they need to find another service for their
| website, or some random foreigner telling them their government
| is lying. Of course these issues are more complicated, and taking
| these actions isn't a bad thing necessarily, namecheap has offices
| in Ukraine so they are going to take it personally, but there
| have been many cases where the company does it out of nowhere.
| These actions are inconveniencing the population, and when taken
| to the extreme like with peacenotwar, potentially very harmful.
| And I don't know if it's doing much else. Yet too many people are
| acting like inaction is unacceptable.
|
| I understand, you feel powerless in situations like these, but
| that shouldn't stand in the way of making smart decisions. The
| need to do something has been pressuring people to take actions
| without considering the actual consequences vs the intent.
| fattless wrote:
| Somewhat related, but I have talked about this twitter thread a
| few times recently
|
| Essentially, someone was working at a homeless community
| shelter, and often found the bathroom completely destroyed.
| Paper everywhere, missing the toilet, intentional destruction
| and trying to make it as messy as possible. Every time they
| would clean it it would just get trashed once again
|
| They had a theory that being trapped in that kind of situation
| gives them so little control that their brain wanted to take
| control over something however it can, which led to the
| bathroom situations. They related this to "cancel culture",
| needing to call out people for the littlest things, or the loss
| of direction in social justice, but I find it applies to a lot
| more than that.
|
| My device is freaking out right now, can't pull up a link, but if you
| search for "the trashed bathroom thread" you should be able to
| find it.
|
| Maybe got it?:
| https://twitter.com/tercicatrix/status/1376210092492791809?l...
| [deleted]
| eckesicle wrote:
| Sanctions and boycotts are unfortunately blunt. Yet, every
| citizen in Russia pays Russian taxes. Tax rubles fund the war.
| Taxes are paid equally by those who support the war, and by
| those who oppose it. The end result is the same - bombs on
| Ukrainian maternity wards.
|
| It is a shame that the innocent have to suffer, but I'd rather
| impose sanctions and boycotts and see a smaller number of bombs
| rain down over Ukraine.
|
| For this reason, I support every move to cut off anyone in
| Russia from any and all foreign products and services (perhaps
| with the exception of medical supplies and children's toys, but
| the principle stands).
|
| In aggregate all these small actions are having a very real
| impact on Russia's ability to conduct the war.
| KyeRussell wrote:
| I would say that I can't believe that this thread turned into
| people complaining about BLM banners, but I guess that this is
| HN.
|
| We don't need more whinging by men opining about the way things
| used to be when software was dominated by a few guys on the west
| coast of the US. Also, there's certainly a subset of people with
| genuinely shitty views that don't like that tech circles are
| becoming less of a safe haven. You can even see it in these
| replies. Software being more reflective of the rest of the world
| is a good thing. The fact that there's such uproar about this is
| only indicative of how skewed Hacker News is.
|
| Open source / free software philosophy's demand for apolitical
| stoicism is dripping with privilege and the way people treat the
| ramblings of RMS et al as inherently infallible just because it
| helped push this industry through its infancy shows how immature
| this industry is.
| lliamander wrote:
| > We don't need more whinging by men...
|
| What if the "whinging" is done by women? Or non-white men? Do
| Ukrainian men get a pass for now, considering it's their country
| that is being invaded?
|
| Seriously, this is a sexist qualifier. It speaks volumes about
| your ideology that it is important what _kind of people_
| believe something, rather than just evaluating the idea on its
| merits.
|
| > Also, there's certainly a subset of people with genuinely
| shitty views that don't like that tech circles are becoming
| less of a safe haven.
|
| Is it so wrong to want to feel a sense of belonging somewhere?
| Especially if many of those people with "shitty views" actually
| helped make tech such a desirable industry to work in?
|
| In general a person's ideology is not the best filter of their
| quality or whether they should be included in a community. A
| lot of toxic people hold the "correct" beliefs.
|
| > Open source / free software philosophy's demand for
| apolitical stoicism is dripping with privilege and the way
| people treat the ramblings of RMS et al as inherently
| infallible just because it helped push this industry through
| its infancy shows how immature this industry is.
|
| FOSS is far from apolitical. What it is, is relentlessly
| focused on its mission. Many of these virtue signaling acts do
| nothing for their claimed political goals and at the same time
| undermine the great good FOSS has brought to the world. That
| you don't understand this is a sign of your own immaturity.
| kekebo wrote:
| Could (/should) this be mitigated on the repository host side by
| scanning for and flagging malicious commits?
|
| A paper from last year evaluating this on Github achieves a ~50%
| success rate[0].
|
| Given Github is already training ML models across all repositories
| for Copilot I would guess higher rates would be possible.
|
| [0] https://arxiv.org/abs/2103.03846
|
| Edit: add link
| tjpnz wrote:
| IIRC the recent examples of genuine "protestware" included a
| modification to the license. There are already tools on the SCM
| side which will detect that (Whitesource being one).
| mannykannot wrote:
| The broader issue here is the security problem that this article
| highlights, which was present before the invasion. If the thesis
| of this article is correct now, it was correct then, and will
| continue to be correct. Even if you could put the cat back in the
| bag, we would still have the cat.
| ComradePhil wrote:
| I think there needs to be a counter effort against these people.
| Some entity like the EFF should maintain a database of people who
| have engaged in protestware so that there can exist APIs which
| will check for whether any of your dependencies come from these
| blacklisted people... or if you are about to hire them.
| raxxorrax wrote:
| Not really a fan of exorcism, but it would pose a security
| risk. The probability it will hit the wrong people is immense
| to almost certain. Maybe even someone organizing protest within
| Russia. But random acts against Russian developers is an
| infantile form of protest in my opinion.
| spamizbad wrote:
| While I am personally disgusted with what transpired with node-
| ipc and am also completely gutted and outraged at Russia's violent
| invasion of Ukraine - I don't like the idea of us trying to "tone
| police" open source projects. If some idiot maintainer wants to
| pull a stupid stunt like that they should have the right to do
| so. In my view it's the software equivalent of "hate speech"
| which, while vile, should be protected.
|
| This could quickly devolve into a nasty slippery slope where
| people who simply disagree with a direction of an open source
| project try to strip it of its licenses or eject it from various
| package managers.
| gruez wrote:
| >I don't like the idea of us trying to "tone police" open
| source projects. If some idiot maintainer wants to pull a
| stupid stunt like that they should have the right to do so. In
| my view it's the software equivalent of "hate speech" which,
| while vile, should be protected.
|
| I don't understand your characterization of this issue as
| "trying to "tone police" open source projects". In this case
| it's quite likely breaking the law (i.e. CFAA), and for good
| reason. It's one thing to start a website with racist content.
| It's another to actually damage people's property. Not even US,
| home of the most liberal free speech laws (at least when it
| comes to "hate speech") allows this.
| TeeMassive wrote:
| This is a false comparison. Speech is not software in the sense
| it can't harm critical infrastructure as malicious software
| can. And by the way, malicious code violates most OSS licenses
| because they are not made "in the hope that it will be useful".
| slackfan wrote:
| The modern OSS scene where people file DMCA notices and other
| legal actions against forks because, well, because, does not
| jive with that view.
| slackfan wrote:
| 1. I agree, as much as I think the maintainer of node-ipc is a
| flipping idiot and should be given an atomic wedgie, it's their
| project to do with as they wish.
|
| 2. That being said, forking a project due to maintainer
| disagreements is a time-honored open source thing to do.
|
| 3. The last point you made is already happening on both sides
| of the political aisle.
|
| Conclusion: Maybe software being political isn't a great thing,
| but that's what everybody chose, and that's what everybody gets
| to live with. I am looking forward to the +NOPOLITICS licensing
| clauses.
|
| E: Bring on the downvote brigade, I'm just happy knowing that
| in the end this too will inevitably burn itself out.
| alexb_ wrote:
| He has the legal right to, of course. And that right won't be
| stripped from free software ever. He also has the freedom to be
| called a dumbass who is harming open source on a massive scale.
| vimacs2 wrote:
| "Hate speech" (which I don't really agree should be protected
| in the first place) does not have the capability to cripple
| infrastructure and destroy personal data. This is an act of
| property damage and should be prosecuted as such.
|
| Trying to paint this as "tone policing" is completely
| ridiculous.
| slackfan wrote:
| Arguments about protesting aside, isn't this not the first time
| npm has been hit with what is basically an injection attack that
| screwed up the day for a lot of people?
|
| And people ask me why I refuse to use *.js.
| shadowgovt wrote:
| Open source, at its core, depends on cooperation and a mutual
| expectation of benefit from that cooperation.
|
| When those expectations break down, the open source software
| process becomes but one of many casualties.
| renewiltord wrote:
| You can say what you want but this is a risk in remote unpinned
| dependencies.
|
| As platforms it is important to protect against this making
| artifacts immutable. As people we can only protect against it by
| auditing upgrades depending on risk.
|
| I much preferred the old world, where I could pick pretty much
| any software package and it would be safe but that is not today's
| world. It's entirely possible that a colorizer scans my disk for
| ethereum keys.
|
| In practice I rely on social validation but it is not a safe
| thing in general. Unhappy about the outcome but this tends to
| happen in time.
|
| In the end, it's true. If you bomb my house, I will strike back
| in whatever way I can. If the only thing I can do is burn you and
| your children, I will. If the only thing I can do is destroy your
| hard disk, I will. I am limited in retaliation not by morality
| but by ability.
|
| And if I am like this, then I must assume that others are, too.
| And that I might get caught in the collateral blast zone.
| Ajedi32 wrote:
| I personally think this kind of thing is just a symptom of a
| larger problem; the modern open source software ecosystem is
| highly vulnerable to supply chain attacks.
|
| Frankly, given how normal it is to just blindly download
| unverified, unsandboxed code from random developers and execute
| it on our machines it's surprising this sort of incident isn't
| more common.
|
| What we need are better tools and processes to detect and block
| malicious code in dependencies _before_ it has a chance to
| execute. I wrote up a few suggestions for that several months ago
| and I think they're still applicable:
| https://news.ycombinator.com/item?id=29266992
| rectang wrote:
| Quorum publishing would help a lot, and is doable. It would
| guard against supply chain attacks where the identity of a
| publisher is taken over by an attacker, by multiplying the
| difficulty and requiring multiple takeovers. However, it would
| not fully guard against a conspiracy by people willing to burn
| their reputations, as in the "peacenotwar" attack.
|
| Per-dependency sandboxing and permissions might mitigate things
| to a degree, just as it has on iOS etc with apps. But it would
| require a different software module architecture than we have
| today for common languages.
| tomjen3 wrote:
| It could certainly have been done better: if it had instead run a
| torrent client that downloaded actual video from Ukraine, it might
| actually have done something.
|
| I get the author: it is impossible to see what is actually going
| on and not want to eviscerate Russia, but the way he did it was
| counterproductive.
| gurkendoktor wrote:
| A curious inverse of this headline from last year:
|
| > Code in huge ransomware attack written to avoid computers that
| use Russian, says new report
|
| Edit, a better reference than the NBC article:
| https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
| JumpCrisscross wrote:
| > _harms peacemakers as much as the warmongers--even ethical
| hackers using a VPN to work against the invasion might become
| collateral damage_
|
| This line of criticism could be blunted by targeting government
| IP blocks. Would that make it okay? (I don't think so. But it's
| less black and white.)
| DeathArrow wrote:
| Open source malware? That's a new one!
| BaronVonSteuben wrote:
| Perhaps I'm overthinking this, but open source malware is
| absolutely not new. It's been around basically as long as the
| internet has (and I mean pre-www). You could even argue that it
| pre-exists the internet since phone phreakers were sharing
| "code" earlier than that.
| waoush wrote:
| I work in the banking industry which has a bit of regulation, and
| is a bit risk-averse. People are expected to engage in risk
| management at all levels. If sabotaging became more common, OSS
| adoption would likely become unacceptable at these organizations.
| Mine already blocks Github and you need to request permission
| just to view it, and even then you can't pull code via command
| line.
|
| Putting in code that is destructive like that, for any reason, is
| a good and fast way to scare management away from using your
| code. If you are going to insist on doing that stuff, just engage
| in hacking on the side lol.
| pimterry wrote:
| > Instead of malware, a better approach to free expression would
| be to use messages in commit logs to send anti-propaganda
| messages and to issue trackers to share accurate news inside
| Russia of what is really happening in Ukraine at the hands of the
| Russian military, to cite two obvious possibilities. There are so
| many outlets for open source communities to be creative without
| harming everyone who happens to load the update.
|
| For anybody looking for an easy way to do this,
| https://infowarship.pages.dev/howto-en may be interesting.
|
| Add a single script tag to your project website, and all visitors
| from Russian IPs see a popup providing real information about the
| war in Russian, and links to accurate Russian-language reporting
| & Telegram groups, from outside the Russian state propaganda
| bubble.
|
| Not malicious or damaging, no problem for anybody in Russia
| visiting who doesn't support the war, but a quick & easy way to
| inform those who do, and to push back against Russia's internal
| propaganda & censorship.
| oauea wrote:
| Isn't it likely for Russian ISPs to start blocking
| infowarship.com, if they haven't already? Since the script is
| loaded from their domain this would be easy to censor.
| pimterry wrote:
| Eventually, sure, but I think this would have to become very
| widespread before that happened - they've only just blocked
| Google News today.
|
| The instructions above do encourage self-hosting the script
| though, for both avoiding-block & security reasons.
| shkkmo wrote:
| I certainly hope people don't just load this random website's
| script directly from their website frontend. That seems super
| insecure. If people want to use that popup, they should
| download the code, give it a quick review, then host it
| themselves. This also solves the issue with that domain
| getting blocked.
| aspenmayer wrote:
| > That seems super insecure. If people want to use that
| popup they should download the code, give it a quick
| review, then host it themselves.
|
| If the node devs did the same thing, this whole story would
| have been a nonstarter. I don't recall if you suggested for
| node devs to also do this.
|
| Ironically, if the dev who made the hard drive wiping
| changes had said that it was a protest against the bad
| practices of the node ecosystem which allowed for their
| hard drive wiping code to work as intended, I think that
| the dev would be getting just as much ire cast their way,
| if not more. This way, they get to perform two protest
| actions at once.
|
| I'm impressed. I don't approve of his methods, but I do
| find the causes justifiable.
| julienfr112 wrote:
| You are right, but economic sanctions also harm the countries
| that are making these sanctions. Shell leaving Russia also harms
| Shell. Banning Russian airlines harms aviation as a whole. And
| it's not a reason not to do them.
|
| I also think that it's better to focus on propaganda, like
| displaying ASCII art of the old woman threatening a Russian
| soldier or whatever.
|
| But at the end, maintainers have the right to do anything they
| see fit. And disruptive actions are in my view better than apathy
| and just ignoring the whole thing.
| x3c wrote:
| Withdrawing a service is very different from delivering a
| malignant service. McDonald's is withdrawing from Russia instead
| of serving contaminated burgers.
| cosmiccatnap wrote:
| ltbarcly3 wrote:
| I think almost anything that makes corporations realize they are
| exposed to the whims of people contributing most of the labor to
| build their businesses is a good thing. They should be careful
| about what open source code they use, and more open to paying for
| support contracts or other contracts that provide some warranty
| of functionality. Right now they are freeloading, and THAT
| actually does hurt open source.
| ISL wrote:
| There is an argument to be made in the opposite direction. One of
| the key benefits to open source software is the opportunity to
| inspect the code that you're running... before you run it.
|
| At issue here isn't open source as a concept, but rather an
| emergent ecosystem that blindly trusts package uploaders not
| to be malevolent. It points to a need for improved testing
| coverage. Indeed, since open source is open, it is also amenable
| to static analysis of uploaded package revisions, something one
| cannot readily do with closed-source software.
| shkkmo wrote:
| There were deliberate attempts to hide the file deletion
| payload in obfuscated code. Running your tests would have
| resulted in your files being deleted or the test passing, and
| would have done nothing to protect you from this particular
| instance.
| io23joi wrote:
| TeeMassive wrote:
| I never understood why any maintainer worth his salt would admit
| logic bombs into his own turf. This is literally putting a wolf
| in the sheepfold in the hope he only eats the black sheep.
|
| OSS is built on hard earned collective trust. Once this is gone,
| the golden age we are surfing on right now will be gone.
| meken wrote:
| This is crazy.
|
| The monetary system is fracturing, now the open source system
| could be fracturing.
|
| If I was Russia, I might start seeing the need to develop in-
| country versions of open source packages, as a matter of national
| security.
| ScoobleDoodle wrote:
| It's open source: If the governments are willing to pay people
| to fork the original and vet and merge all the future deltas,
| then they just need to host their own package manager. But
| would developers trust a government-managed set of packages? In
| the US that is doubtful (I'd assume at some point the FBI, CIA,
| NSA or DOD do something dishonest with it.)
| FredPret wrote:
| At least they'd have an incentive to make it work reliably
| and not nuke your files. Sounds like an improvement already
| quantified wrote:
| In any country, really.
| Latty wrote:
| Do people think the people protesting like this don't know that
| this is damaging? They presumably feel that the issue at hand is
| more important than that damage.
|
| Every protest ever has been met with "but this protest is being
| done the wrong way, don't inconvenience me", but that's the
| point: protest has to disrupt things to make people take notice
| and make changes.
|
| Would I do this? No. I don't think it's effective or right (it
| really isn't going to harm Putin, even indirectly, in any
| meaningful way), but I think it's silly to pretend people don't
| know what they are doing. The _intent_ is to disrupt.
| mohanmcgeek wrote:
| Digital arsonists who do it for the attention
| abnry wrote:
| But what is the limiting principle? Once you allow yourself to
| cause disruption and hurt people, when is it too far?
| Latty wrote:
| A good question I don't think there is an easy answer to, and
| one that depends on how you perceive the action being
| protested and the protest action.
|
| A recent case in the UK involved people vandalising (throwing
| into a river) a statue. It was charged as a crime but they
| were found not guilty by a jury (in what most believe was an
| act of jury nullification).
|
| There are a lot of loud people who felt this was
| disproportionate, but when it came down to it, a randomly
| selected jury from the UK clearly felt it was justifiable.
|
| If my government was doing something morally abhorrent, that
| justifies greater disruption in the name of trying to stop
| it. Given there is no obvious way to judge the objective
| moral value of things, let alone one consistent across
| people, there will never be a hard rule about what is
| correct.
|
| If we say there can be _no_ justification for disruptive
| protest, then we lose the ability of the people to fight back
| against a tyrannical government doing things against the will
| of the population.
| slackfan wrote:
| If the intent is to disrupt, why be surprised at people being
| pissed off about it? Seems like a natural progression of the
| conversation.
| Latty wrote:
| Was anyone surprised people were pissed off?
| 46Bit wrote:
| Indeed, judging by the response it seems like a very
| successful protest (aside from the reports of lost NGO
| files.)
|
| Not something I'd have done, but I understand the idea.
| krsrhe wrote:
| slackfan wrote:
| About half of the comments here appear to be.
| Latty wrote:
| Are they? I don't see surprise: I see people defending
| the action (to some degree), but I can't find a single
| case of anyone who is surprised at people reacting
| negatively to it.
| slackfan wrote:
| I suppose condescending smugness can read like surprise
| in certain cases.
| duxup wrote:
| I don't know what the next step is after "I've deleted your
| files... now listen to what I have to say."
|
| That makes no sense. It sounds more like an excuse for acting
| out.
| BaronVonSteuben wrote:
| Once your hard drive is wiped, you're supposed to
| automatically realize it must be a legitimate open source
| developer protesting the war, rather than some other type of
| malware. Then, rather than the natural human instinct to
| blame the person who did it, you're supposed to realize that
| your government must be lying to you and must actually be
| evil, and you're supposed to start a revolution to overthrow
| Putin.
|
| I guess that's the thinking?
| grishka wrote:
| As a Russian, you already notice this and you already have many
| things in your everyday life disrupted. Someone deleting your
| files as an act of shoving politics where it doesn't belong
| helps absolutely nothing. If anything, it's not an act of
| protest, it's an act of vandalism. Causes don't matter here --
| vandalism is simply never okay.
| Latty wrote:
| Vandalism can be a form of protest. Again, every protest ever
| has had people saying that the disruption to them is over the
| line.
|
| It draws attention and coverage to the issue. It forces
| people to listen. Protest has to be disruptive to the norm to
| achieve that, and there will always be people who don't like
| that. That's the point.
|
| As I say, I don't think this one is effective or proportional
| given the lack of control someone in Russia has over the
| situation, but just saying "nothing should ever be damaged in
| protest" is, I think, naive at best.
|
| If Russia were a state with a reasonable guarantee of a fair
| legal process, I would argue a moral _obligation_ to
| disruptive protest to end the war. If the UK (where I am)
| were to invade another country like this, I would hope for a
| general strike, and civil disobedience of all kinds,
| including vandalism. The fact that Russia has such a hard
| line against dissidence makes this obviously more morally
| difficult; although I greatly respect those that still choose
| to protest, I can't _expect_ it of anyone.
|
| People will disagree about how effective a thing is, and how
| justified it is. What the Russian state is doing is
| monstrous, and that increases the level of justified
| disruption to me. That doesn't mean this was justified--I
| feel it wasn't--but pretending that all "vandalism" is
| inherently never reasonable as protest is, in my view, wrong.
| FredPret wrote:
| "Crime X can be a form of protest"
|
| "Every protest ever has had people saying that the
| disruption to them is over the line"
|
| So which crimes would not be acceptable in a protest? And
| if people will always complain about the line being
| crossed, does this mean there can be no line at all?
| BaronVonSteuben wrote:
| Indeed, by this logic, the Unabomber was a pretty
| effective "protester."
| vkou wrote:
| Why not pick, say, the Boston Tea Party (And the war that
| followed) as a better example of an effective protest?
|
| Highly illegal and immoral, destructive and violent,
| killed some five-digit number of press-ganged soldiers
| and civilians, met all of its political goals...
| BaronVonSteuben wrote:
| Oh absolutely. The reason the Boston Tea Party is
| celebrated is because their side won the war. Had the
| British won, it would have been one of the many
| wicked/evil "rebellions" against the King that got
| crushed.
|
| But I'm not really seeing the connection here or why it
| invalidates the Unabomber example.
| vkou wrote:
| Unabomber is a worse example because while the ideas of
| his manifesto have taken root, _he can't solely be
| credited for them_, and his acolytes (both people pushing
| back on tech, and pundits screeching about woke politics
| ruining society) tend to condemn him.
|
| The long and short of it is - just about any destructive,
| devious, and murderous form of protest is considered
| acceptable, as long as you can convince a large enough
| segment of society that its end justifies the means.
|
| It's circular logic, of course, but that's all there is
| to it. There are no inviolable, unbreakable taboos when
| it comes to seeking political ends - you just have a
| harder time convincing some people that your cause is
| worthwhile when you are using more extreme ones.
| krapp wrote:
| Given how influential Ted Kaczynski's manifesto has been
| within the tech community, and how many people agree with
| his views (particularly regarding leftism,) if not his
| methods, I think that's objectively true.
| Latty wrote:
| I don't think there is a clear-cut line, no. Context
| matters, and people will disagree about what is
| proportional or justified.
|
| Clearly that doesn't mean all protest methods are
| _always_ justified, and I even said I think that this is
| over the line given this particular set of circumstances,
| but I reject the premise that it would _always_ be over
| the line.
| ahtihn wrote:
| > vandalism is simply never okay
|
| Neither is invading another country.
|
| Someone didn't delete the files. You deleted them yourself by
| blindly trusting 3rd party software that you got for free
| with no guarantees of anything.
| grishka wrote:
| > Neither is invading another country.
|
| Indeed. Except, did I elect this president? No I did not
| (and elections in Russia are more of an illusion anyway).
| Can I do something to stop him? No I can't. What's the
| point of this act then? Putin and his allies don't use npm.
| This can't affect them by any stretch of imagination.
|
| > Someone didn't delete the files. You deleted them
| yourself by blindly trusting 3rd party software that you
| got for free with no guarantees of anything.
|
| Yes, of course, npm _is_ at fault here for downloading
| untrusted code and running it with no sandboxing whatsoever
| on behalf of your OS user. This kind of stuff used to be
| called an RCE vulnerability and used to cause people to
| issue urgent security patches, but somehow, now it's
| considered a perfectly normal way of doing things. At the
| very least, there should be a permission request if this
| untrusted code tries to access anything outside of the
| project directory.
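Added example (not code from the thread, from npm, or from node-ipc): an audit of the install-time lifecycle hooks in a dependency tree, the `preinstall`/`install`/`postinstall`/`prepare` scripts that npm runs automatically as the installing OS user, which is what Ajedi32's wish to detect malicious code before it executes and grishka's point about running with no sandboxing both come down to. The package names, manifests and heuristic patterns are constructed for this example; `npm install --ignore-scripts` is the real npm option that stops such hooks from running at all.

```javascript
// Lifecycle scripts that npm runs automatically during `npm install`,
// on the installing user's machine, with that user's privileges.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics for a hook that does more than build the package itself:
// spawning arbitrary code, fetching from the network, or touching paths
// outside the package directory. Constructed list for this example; a
// real audit would extend it and still read every hook by hand.
const SUSPICIOUS_PATTERNS = [
  { name: "inline-node-eval", re: /\bnode\s+-e\b/i },
  { name: "child-process", re: /\b(child_process|eval)\b/i },
  { name: "network-fetch", re: /\b(curl|wget)\b/i },
  { name: "recursive-delete", re: /\b(rm\s+-rf|rimraf)\b/i },
  { name: "home-directory", re: /\$HOME\b|process\.env\.HOME|~\//i },
];

// Walk a map of "name@version" -> package.json contents and return one
// finding per declared install hook, tagged with the heuristics it matches.
function auditInstallHooks(packages) {
  const findings = [];
  for (const [id, manifest] of Object.entries(packages)) {
    const scripts = (manifest && manifest.scripts) || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] !== "string") continue;
      const command = scripts[hook];
      const reasons = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
      findings.push({ package: id, hook, command, suspicious: reasons.length > 0, reasons });
    }
  }
  return findings;
}

// Gate an install: proceed only if every suspicious hook belongs to a package
// that someone has explicitly reviewed and allow-listed.
function shouldInstall(packages, allowList = []) {
  return auditInstallHooks(packages)
    .filter((f) => f.suspicious)
    .every((f) => allowList.includes(f.package));
}

// Constructed sample tree (none of these are real packages): a native addon
// with a legitimate build step, a library with no hooks at all, and a package
// whose postinstall wipes the user's home directory, the behaviour the
// thread discusses.
const SAMPLE_TREE = {
  "native-addon@1.0.0": { scripts: { install: "node-gyp rebuild" } },
  "harmless-lib@2.3.1": { scripts: { test: "mocha" } },
  "evil-colors@9.9.9": {
    scripts: {
      postinstall:
        "node -e \"require('child_process').execSync('rm -rf ' + process.env.HOME)\"",
    },
  },
};

for (const f of auditInstallHooks(SAMPLE_TREE)) {
  console.log(`${f.suspicious ? "SUSPICIOUS" : "review"} ${f.package} ${f.hook}: ${f.command}`);
}
console.log("install allowed:", shouldInstall(SAMPLE_TREE));
```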
| Aunche wrote:
| This isn't so much a protest as a nonviolent
| indiscriminate vigilante terrorist attack.
|
| > The intent is to disrupt.
|
| Presumably the intent is to help Ukraine. People need to stop
| and think about how their disruptive "protest" is actually
| going to help their cause rather than blindly chase awareness.
| merrywhether wrote:
| A lot of protest is more about emotion than logic. Most
| individual actions of protest are not logical, like each of
| the individual protesting Russians who know they are likely
| to go to jail. But when enough "illogical" people do enough
| "illogical" things visibly enough, the Overton window (as it
| were) can start to shift as they prompt others to ask why
| they see more and more "illogical" acts in favor of a
| position. Some will go too far, some not enough, but it's hard
| to predict what acts will move the needle.
| shkkmo wrote:
| The problem is that the node.js filesystem deletion
| "protest" was an indiscriminate digital attack that harmed
| people who are doing a much better job of actively opposing the
| invasion.
|
| I believe that the developer who implemented that attack should
| face criminal charges. Our ability to trust our open source is
| a critical part of our economy. People who abuse that trust to
| directly harm others should know they will face criminal
| charges for their actions.
| Latty wrote:
| I agree, to some extent. I think it was largely ineffective
| and poorly targeted protest. The media coverage is not really
| necessary as it's already highly reported on, and the people
| harmed have no control over it.
|
| With that said, disruptive protest can be (and often is)
| illegal. I may think it's justified in some cases, but also
| if I do something illegal I expect to face legal punishment
| for it. Some people lay down their lives to protest: to some
| people committing a crime is a cost worth paying.
|
| Again, my point isn't that I agree with the action, just that
| the idea that protest should disrupt no one is counter to the
| whole point of protest.
| shkkmo wrote:
| I think that blocking your software from running on some
| computers would be very disruptive but should be legal.
| (Edit: not endorsing this, just trying to clarify where the
| line lies)
|
| Actively trying to harm those computers is simply not OK
| and goes beyond "disruptive" protest into harmful.
|
| To analogize, if your protest blocks traffic, it is
| disruptive. If your protest goes looking for property owned
| by Russian speakers to burn down...you have moved beyond
| disruptive protest and into being a harmful attack.
|
| I do not think the latter is anywhere even close to
| justifiable.
| Latty wrote:
| I don't think the line is so simple.
|
| I agree that the "any Russian person" aspect of this
| makes it unjustified, in my eyes, but harming property
| more generally?
|
| Well, denying someone their property is certainly harm of
| a sort, and if I were asked if it was justified to seize
| or destroy an oligarch supporting Putin's property or
| yacht or whatever, then I'd say absolutely.
|
| In a similar way, there was a case in the UK recently
| where a statue of a man who was both a philanthropist and
| a slave trader was thrown into a river. This was charged
| as a crime, but the accused were found not guilty
| (commonly believed to be jury nullification).
|
| Was this right? Well, the guy had actively limited his
| philanthropy where anyone was anti-slavery, people had
| tried getting a plaque added to the statue to explain
| context, but this had been blocked. I think this was a
| reasonable act of protest, and clearly a jury of their
| peers agreed.
|
| More directly, what if they found their software was
| being used in a Russian weapons factory that was being
| used to produce munitions killing Ukrainian people? In my
| mind, that would significantly raise the justification to
| cause damage to that property.
|
| Harm, especially when it comes to property rather than
| people, is tricky. I don't think it can always be ruled
| out when it comes to justifiable protest.
| shkkmo wrote:
| > if I were asked if it was justified to seize or destroy
| an oligarch supporting Putin's property or yacht or
| whatever, then I'd say absolutely.
|
| Those are targeted actions taken against specific
| individuals, not an indiscriminate attack.
|
| Causing indiscriminate harm to random people as an
| attempt to protest is not acceptable. Targeted harm has
| to be assessed on a case by case basis.
| Latty wrote:
| I mean, as I said, I think that's a core factor in this
| instance, and culpability increases the justification.
|
| I don't think that means that targeting random people in
| protest is wrong universally. A common example might be
| blocking roads, which can harm random people disrupted
| from being able to go to work, for example. I think there
| are cases that can be justified.
|
| I mean, right now the sanctions put in place to try and
| cripple Russia's ability to wage war are hurting random
| Russian people. That's essentially state-level protest.
| It sucks for the Russian people who don't support their
| government, but I think it's the lesser of two evils
| rather than funding and enabling a regime that is
| invading Ukraine.
|
| It's a combination of factors, I think trying to draw
| hard lines universally is just the wrong way to think
| about it: protest should be proportional and justified,
| and each case has to be judged on its own merits as to
| whether it is, something people won't ever agree on
| universally.
| ahtihn wrote:
| > an indiscriminate digital attack
|
| I disagree. Users are responsible for the open source
| software they use. If they want to blindly execute software
| from the internet without auditing it first, that's their
| problem.
| ndiddy wrote:
| An excerpt from node-ipc's license:
|
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
| KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
| WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
| PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
| COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
| OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
| SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
| mannerheim wrote:
| How many Russian cyberattacks on Americans go unpunished by
| Russia? I don't see any reason for America to bother
| prosecuting American attacks on Russia as long as Russia
| isn't prosecuting Russian attacks on Americans.
| shkkmo wrote:
| This wasn't just an attack on Russia and other people's bad
| behavior doesn't excuse your own.
| mannerheim wrote:
| Whether or not they're excused is orthogonal to whether
| or not America should prosecute. If Russia doesn't
| prosecute cyberattacks on Americans, then the logical
| leverage to get them to do so is to not prosecute
| American cyberattacks on Russians.
| shkkmo wrote:
| Again, this wasn't just an attack on Russians.
| sirius87 wrote:
| This is exactly it.
|
| For some people, a world that they relate to is coming to an
| end, and anything they could do, however insignificant, no
| matter what the side-effects or personal reputation cost, is
| worth doing. This isn't some brainy impact-analysis based
| action. "Something must be done".
|
| The disruptions caused by these rogue packages will make it to
| newspapers and the media, and maybe, just maybe, parrying the
| news of war and destruction.
|
| I don't support having this. But I can see how a single-
| contributor package author would feel emotionally compelled to
| "Do something, anything".
| shkkmo wrote:
| Not everything people feel compelled to do is OK.
|
| It is not OK to go out and find Russian Americans and go
| vandalize their property to make a point. If you do so, you
| should face criminal charges.
|
| I similarly think that the node module maintainers who
| deliberately abused their trust to make an indiscriminate
| attack on people's digital property should face criminal
| charges and civil liability.
| sirius87 wrote:
| Yes, people affected should absolutely go to court. Let the
| courts decide if activity of this nature is in violation
| of the law. I absolutely support that.
|
| Package authors who did this are also going to be
| ostracised by the community. So they will most likely pay a
| price.
| jraph wrote:
| In that case, targeting only Russians is sub-optimal. They
| could as well have targeted everybody; it would have had more
| impact. There's no reason to target Russia's inhabitants in
| particular, who, I would guess, are mostly against the war.
| hippich wrote:
| From polling results (both Russian and western), the majority of
| Russians support the war.
| jddil wrote:
| Oh good we're discussing this again.
|
| The rancor this protest has caused in certain tech circles has
| really shown that we believe we're somehow different or better
| than the rest of the world.
|
| In the real world 1 specific region has violated the norms the
| rest of us have agreed to ... you don't get to indiscriminately
| kill innocents while taking their land, and the rest has acted
| appropriately by cutting them off.
|
| In the tech world we are screaming about how the people in that
| region are getting inconvenienced by the free tools we provide
| because we are supposed to be above "politics"
| shkkmo wrote:
| > In the tech world we are screaming about how the people in
| that region are getting inconvenienced by the free tools we
| provide because we are supposed to be above "politics"
|
| It isn't about being above politics. It is about abusing and
| destroying trust.
|
| If you want to add messaging to your project, that is not
| harmful to the ecosystem and will just cause some people to
| view you as unprofessional. If you try to actively destroy
| people's files, you have stepped over that line and are
| attacking and harming people, not just "inconveniencing" them.
| mothsonasloth wrote:
| Thankfully none of my Java deps have turned my files into digital
| Swiss cheese.... yet!
|
| What is it with some people wanting to "make the world a better
| place", but end up starting fires and making it worse. Is it just
| middle class western liberal arrogance manifesting through a
| software developer's actions?
|
| I don't want to make the world a better place, I just want to
| keep it from burning.
| FredPret wrote:
| I just want to use Javascript to display the odd modal!
| meken wrote:
| It's crazy how much trust plays a factor in the success of open
| source.
|
| And if that trust is eroded, the whole system comes crumbling
| down.
| vladvasiliu wrote:
| I'd say this is the case in the broader society, too.
|
| Companies paying after the service is rendered, delivery
| services not having to be escorted by armed guards, being sure
| that a random worker won't poison the food on the production
| chain, etc
| acomjean wrote:
| When I worked on Radar software (over a decade ago) they were
| very hesitant to use open source packages and such. Like
| everything there, there was a process that had to be followed.
| We'd have to vet the source and such and then bring it over to
| the development network. I don't think anyone did.
|
| When I was leaving they were looking to run new projects on
| Linux (from the proprietary unixes we were running) so I'm not
| sure how that would work. I'm guessing that's where the linux
| vendors fees come in.
| avereveard wrote:
| What they're doing literally matches the definition of
| terrorism: "use of violence and intimidation, especially against
| civilians, in the pursuit of political aims." So let's not dilute
| that into "protestware".
| moonchrome wrote:
| And this is why I hate the JS ecosystem. Everything is monkey
| patched by a bunch of randoms who published a package that
| scratched their itch and you have 0 assurances of their intent or
| stewardship. If you want to vet dependencies - good luck - the
| standard library is so shit that pulling one dependency might
| bring in 100+ packages with it. Even the "big corporate
| sponsored" libraries depend on random crapware - like the leftpad
| incident clearly demonstrated.
|
| Returning to .NET Core recently I'm very fond of the ecosystem in
| this regard - everything is open source - but so many things are
| provided by Microsoft you rarely have to venture out, even stuff
| that's not under their repo/umbrella has people paid by Microsoft
| working on it (eg. npgsql).
| lostmsu wrote:
| Why do you think .NET's NuGet is immune?
|
| Are you aware that Microsoft bought NPM (or at least tried
| to)?
| moonchrome wrote:
| Because most nuget packages I get are from Microsoft, and if
| I use something that's not, there is usually a Microsoft
| employee on the team or it's a trusted community package
| without random third party dependencies. Meanwhile half of
| npm was broken because of left pad.
|
| It's got nothing to do with npm as a repository - I don't
| trust the community.
| jraph wrote:
| npm install is such a scary command these days (or yarn install,
| same thing). I never liked it because of the shitload of
| dependencies it usually pulls but now I would hesitate running it
| outside a well isolated container.
|
| This event added to the strong distrust I have come to have in NPM
| these last months. The NPM ecosystem seems incredibly immature
| and unreliable, and any Javascript project depending on NPM is now
| a potential future malware.
|
| By the way, does anyone know an easy way to use Svelte without
| depending on NPM? Because if not I might reconsider my choice of
| using it in a side project despite me liking it.
|
| In theory the same things could happen for PIP, Maven, Gradle,
| their Rust and Go counterparts and any such package manager. Any
| data on this?
| q3k wrote:
| Go at least will never run arbitrary package code as part of a
| go get / go build / go install.
|
| Only the resulting binary might contain malicious code, but the
| build and package management part is guaranteed safe.
|
| In addition, go installs the oldest viable version that matches
| constraints - dependencies are thus not only locked, but also
| don't automatically update to the newest available version
| during relocking unless explicitly requested by the user or
| another dependency.
| grishka wrote:
| > Maven, Gradle
|
| It's very uncommon to specify the "latest" version in Java
| package managers. The capability is there, but everyone always
| specifies something exact. And there aren't nearly as many
| transitive dependencies. Many popular Java libraries don't have
| any dependencies at all. And, at least on Maven Central, you
| can't overwrite an already released version of a package, you
| can only add a new one.
| cyberpunk wrote:
| > In theory the same things could happen for PIP, Maven,
| Gradle, their Rust and Go counterpart and any such package
| manager. Any data on this?
|
| Supply chain attacks such as these can definitely happen to
| any language. NPM seems to be a nice target simply because of
| the volume of deps your avg 'simple' node project has (I mean,
| 'npm generate'ing a simple strapi-backed static site for us
| and there's ~300mb of node_modules...).
|
| There's not really a cure. You can peg your deps to a version,
| but with that much code in there, you're never going to really
| know if that version is compromised.
|
| If you can come up with a solution, there's money to be made..
|
| Edit: The best we really have atm is just scanning for known
| vulns with stuff like xray/lifecycle/dependabot. Better than
| nothing, but for sure there are malicious packages out there
| yet to be discovered.
| [deleted]
| potta_coffee wrote:
| It can be a problem in any language or package manager but in
| my Golang project, I have a single dependency outside of the
| standard library, in my Javascript project I conservatively
| have 200+ (if I consider all the packages installed by my
| primary dependencies). The surface area is just that much
| bigger and the packages change so frequently.
| cyberpunk wrote:
| So you reckon a better (bigger?) node stdlib would solve a
| lot of this?
| ocdtrekkie wrote:
| Probably, yes. I'd say most mature tech stacks provide
| most of what you are likely to need first party. .NET is
| an incredible ecosystem for this: Nearly everything the
| standard developer needs is available from Microsoft,
| most common third party packages you might want to pull
| in were authored by an enterprise company with support
| available, and if you're pulling in something by an
| individual, it's probably pretty niche.
| merrywhether wrote:
| That Golang project also likely isn't trying to be a
| highly interactive UI running on thousands of different
| runtime configurations.
| smoldesu wrote:
| > In theory the same things could happen for PIP, Maven,
| Gradle, their Rust and Go counterpart and any such package
| manager. Any data on this?
|
| Rust employs version locking for its builds, so you'll only be
| able to propagate malware with it if:
|
| 0. The developer's cargo definition auto-grabs the latest
| dependencies (trust me, very few do this)
|
| 1. The developer has deliberately updated the version of their
| dependency
|
| 2. The developer doesn't notice any significant changes when
| debugging/staging the new release
|
| 3. The package passed through testing without identifying any
| malware or malicious changes
|
| In theory, it's possible to distribute malware with Rust's
| dependency system, but doing so would be pretty difficult. I'd
| say there's some pretty good roadblocks in place to prevent it
| from happening.
| stonemetal12 wrote:
| The only real change from the NPM case is speed of
| distribution of the end results, users don't need to
| consciously update. NPM has package and package-lock just
| like there is cargo and cargo-lock, so devs are just as in
| control of the dependency versions they are shipping.
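An added example, not code from any commenter or project in this thread: a Python audit over a constructed package.json / package-lock.json pair that flags the three things this subthread discusses, namely dependency specs that are not pinned to an exact version, lock entries without an integrity hash, and packages that run scripts at install time. The package names and URLs are made up; the `hasInstallScript` field is what npm's lockfile v2/v3 format records for packages with lifecycle scripts.

```python
"""Audit an npm manifest and lockfile for unpinned deps, missing integrity, and install scripts."""
import json
import re

# Constructed sample manifests (not from any real project).
PACKAGE_JSON = json.loads("""{
  "name": "demo-app",
  "dependencies": {
    "left-pad": "1.3.0",
    "colorful": "^1.0.0",
    "buildtool": "latest"
  }
}""")

PACKAGE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.example/left-pad-1.3.0.tgz", "integrity": "sha512-AAAA"},
    "node_modules/colorful": {"version": "1.0.2",
      "resolved": "https://registry.example/colorful-1.0.2.tgz"},
    "node_modules/buildtool": {"version": "4.1.0",
      "resolved": "https://registry.example/buildtool-4.1.0.tgz", "integrity": "sha512-BBBB",
      "hasInstallScript": true}
  }
}""")

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")  # anything else (^, ~, latest, >=) can drift


def audit(package_json, package_lock):
    """Return findings: specs that float, lock entries npm cannot verify, packages that run install hooks."""
    findings = {"unpinned": [], "no_integrity": [], "install_scripts": []}
    for name, spec in package_json.get("dependencies", {}).items():
        if not EXACT_VERSION.match(spec):
            findings["unpinned"].append(name)  # a new (possibly malicious) release can be picked up on relock
    for path, entry in package_lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # skip the root project entry
        name = path.rpartition("node_modules/")[2]  # handles nested node_modules paths
        if "integrity" not in entry:
            findings["no_integrity"].append(name)  # tarball is not hash-checked at install
        if entry.get("hasInstallScript"):
            findings["install_scripts"].append(name)  # code runs during `npm install`, before anything is imported
    return findings
```

Packages listed under `install_scripts` are the ones whose code executes at install time; `npm ci --ignore-scripts` installs without running those hooks, which is one way to keep the install step itself from running arbitrary package code.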
| aulin wrote:
| > In theory the same things could happen for PIP, Maven,
| Gradle, their Rust and Go counterpart and any such package
| manager. Any data on this?
|
| In theory, but why is it always node.js/npm? I work on
| completely different things... is it a different community
| culture? is it the thousands of tiny low quality packages
| people include to do the most basic things?
| robocat wrote:
| A perfect example is webpack. Indirectly depends on many
| thousands of different packages, is run during development,
| and has 225k packages that depend upon it.
| https://github.com/webpack/webpack/network/dependencies i.e.
| even if you are careful about dependencies, your build tools
| are not.
|
| I also checked esbuild which is written in go, but it still
| has a dependency on babel and webpack (via
| scripts/package.json fuse.js at least).
| https://github.com/evanw/esbuild/network/dependencies
| azornathogron wrote:
| esbuild doesn't depend on babel or webpack if you're just
| using esbuild (maybe it does if you want to build esbuild
| from source?) My pet project uses esbuild and the relevant
| part of the dependency tree only shows 'esbuild@0.14.27'
| which depends on 'esbuild-linux-64@0.14.27' (which is the
| binary package) - it doesn't extend any further than that.
| extheat wrote:
| I think in large part it's that there's a higher focus on
| modularization in Node.JS which leads to lots more
| dependencies. That increases the attack vector and makes a
| supply chain attack easy because all it takes is a single
| malicious author to break trust in a chain of hundreds of
| packages. For example a code base I work on currently has
| over 250+ 3P dependencies, not because we import that many
| deps but because the dep tree expands that far. Combine that
| with copycat attacks, where one person does one thing and
| others feel motivated to push their button, and it exacerbates
| the problem.
| jcadam wrote:
| Major projects are going to need to add a clause to their CLA
| and/or vet their contributors. Sad we've come to this place, but
| everything is politics now.
|
| Time to start paying for closed source and/or curated/vetted OS
| libraries now?
| seqizz wrote:
| But on the other hand, these people are not promising anything,
| are they? Check the MIT/BSD/GPL etc, all of them explicitly state
| that the software does _not_ come with any kind of guarantee.
|
| Harsh reality is: it's the user's responsibility to test for those.
| No one is forcing you to use this piece of code which is given
| as-is without any guarantees. No one is forcing you to update. It
| might be a dependency, but still it's not the problem of the code
| owner.
|
| Or am I missing something?
| phreezie wrote:
| I think what you're missing is that this discussion is not
| about the legal consequences of these individuals, but about
| ethical decisions that will have a negative impact on the
| ecosystem as a whole.
| UltraViolence wrote:
| I absolutely agree with this premise. Software (open source or
| not) should be usable and perform a useful function, not swarm
| users with spam to protest this or that.
|
| The developer of the software that made the protestware was
| rightfully banned by Github. I haven't heard if he ever regained
| access to his account.
___________________________________________________________________
(page generated 2022-03-24 23:02 UTC)