Indeed, it's common nowadays to label things (ideas, people, etc.) in order to frame them in a way that's convenient to the labeler and helps him advance his agenda. I think given the global situation, some people become more sensitive to this kind of tactic (which is often used), while others have shown just how susceptible they are to it.
The author of the software didn't attack anything. He just pushed some code into a place he had legitimate control of.
Some irresponsible (see what I did?) developers downloaded and executed this code without checking, and as a result their stuff broke.
Windows contains the rm -rf code, but you, as a user, would have to knowingly trigger it and confirm. It's not like Windows tricks you into formatting your drive.
Directing the argument into Windows is just whataboutism.
Intent doesn't matter. The only person who cares about intent is the agent who acts.
The repository contains the console.log code, but you, as a user, would have to knowingly download it and run it. It's not like pushing code into a repository tricks you into running the code.
Trying to "win" by labeling something as "whataboutism" is just idiotism.
Knowingly?! Clearly every developer of an app breaking because of these packages had no idea their app was going to break, and clearly it was exactly the intention. They _were_ tricked.
Can you not see a difference between this and between releasing a new package with a README saying "this module will print 'liberty liberty liberty' to your console in an infinite loop!"?
So you're saying he also had to document his code? Maybe make a pull request.
Every developer is responsible for what goes into his project, including dependencies. When a developer wants to update a dependency, he is responsible for the appropriateness of the update. In order to get an idea, he should audit the changes. For personal code, such an audit may consist of a quick skim to determine that nothing breaks. For production code, it may also include a security audit.
When a dependency that used to do X now does Y and therefore breaks your stuff, you are the one responsible for dealing with it. The author disclaimed any warranty and any fitness of purpose for his project, and whether his intentions make sense or not is of no consequence.
My point was that there is no such thing as "malicious code". Code is code, and it's your responsibility to determine whether it fits the context. That someone put it out there with an MIT license means the responsibility is yours.
P.S. You seem like a cool guy, why did you sell the bus? OK, I see that you live in Sverige now (Scandinavia is my dream), so I understand.
You are saying "scary", but I think "alarming" is more appropriate.
It's an alarm that should be buzzing through sleepy programmer skulls. It should alert them to the fact that it's no longer the small company that respected programmers, where you felt your account was yours, and your repositories were yours.
The rules have changed with that acquisition, and Microsoft exploited the good reputation of that small company and the inertia of its users. Step by step, the site became more "social", and started suffering from the usual issues. Step by step, we see the same bigco policies that treat users as worker ants. When an ant starts making up a mind of its own, the queen ant sends some soldier ants to cannibalize it.
Now, I realize here on HN the tired old rants of Moxie are considered gold. But if you want to skip being treated like an ant, run your own server, maybe support upcoming federation protocols to kill this centralization and bring down the nest, or at least migrate to some place that respects its users in the meantime.
GitHub has always been about "social coding". This is a quote from their homepage in May 2008 (three months after GitHub was founded):
> What’s amazing about Github is how it really brings the social aspect into play. Chris and Tom are showing us all visually how git development is supposed to work. I know I personally had some bing moments once I started pulling in commits from external git repos.
Yeah, I was a GitHub user in 2008. Though it obviously had a social aspect, it wasn't considered a "social network" type of site. Its ongoing transformation into one is a result of the acquisition by Microsoft.
I have always considered it a social network, 'the social network for young programmers' as I called it, which turned free software into social networking (portfolio for first employment(s), etc.), and that's why I always refused to create an account over there as I don't want to push those things even further, and got gradually more appalled as I watched projects following the trend and moving there one after the other, making themselves more and more dependent on the tools conveniently provided by that silo, and cutting other ways to interact with them. Long before Microsoft entered the picture.
Yeah, you're right: they weren't "one of the good guys" even before the acquisition. Microsoft were only the biggest and most well-known proponent, but never a monopolist of EEE.
There should probably be a way to merge project lists on various forges into a potentially huge index that can be browsed and searched, independently of each particular forge. Maybe it already exists?
Federating software projects so they can be interacted with from any forge frontend is the main focus. But federating the search engines internal to each forge is another important aspect. When federated search becomes a reality, looking for a project B on forge A will give an answer even when it is hosted on forge B.
Nowadays, with over 90% of the search run by Google, it does not matter much. Discoverability is whatever Google decides it is. But this is not desirable and, more importantly, it should not be considered a solution to the discoverability problem. On the contrary, the dominance of Google is the main problem of discoverability and the only way to solve it is to provide sound alternatives.
IMHO the fediverse will have to come to be much more than social media type exchange of messages via ActivityPub. Federated search is a major additional pillar that is currently largely absent (and is technically very different).
Well, there's sepia search for Peertube, possibly something like that could be built into a forge server software one day. I don't believe it is in the ForgeFed spec though and IMO it doesn't belong there.
At some point ISLANNDs (Internet Small Local Authority for Name and Number Designations) could override it. That way, you could link to http://google.lol/posts/39-put-google-in-the-can and your cohort will enjoy this and the rest of those posts making fun of google, while the rest of the world is disappointed over dead links.
It doesn't mean everyone is making a request to a website every minute. I use http://gwene.org/ for example. To me RSS or Atom are a major success, as the blogs I want to read almost always seem to have them. Those that don't, well, I used to scrape, but after a while I stopped and forgot about them.
If gwene goes under, it'll suck but I'll have something gwene-like on my own server. If RSS goes under, it'll go under here and there, and not wholesale. Good technology is resilient like that.
Solutions involving companies paying directly to the people whose code they use miss the point.
The reason is that software shared with the world is often shared out of passion and idealism. If only code that's useful to some companies is paid for, the world of free (as in beer or otherwise) software as we know and love is still unsustainable, and not just because fledgling projects tend to be inferior in many ways to everything that came before.
Some software is written simply for the fun of it. Future Crew were kids writing demos and putting them out (by the way, an executable for a program that's written in assembly is not so far removed from its source code; so whether they put out the source code or not is immaterial, here the point is "free as in beer"). These demos were unlikely to be directly useful to companies, but we were still amazed by them and some of us got into programming because of them. Do you want to live in a world where only people who produce software that's useful to some company can sustain themselves?
Their parents provided them with food and shelter, so they didn't have to think too hard about writing and releasing it. People in this thread claim that they don't feel exploited, probably for similar reasons. They probably have an income or enough money to make them feel comfortable giving something away. What happens when circumstances don't go your way, though? Then, while you live off your savings, see them shrink day by day, you realize that society doesn't give you the basic stuff that's needed for living, so why the hell should you give anything away? If you already gave stuff away while you were fat and healthy, and this stuff is being used profitably by others, the resentment can only grow.
No one accepts liability for software problems. Not free software developers, not Microsoft, not Google, not Oracle.
Mostly only OEMs of non-computer equipment, such as Boeing, warranty physical products that include software. For code that doesn't run in planes or cars or other machines -- there is no warranty.
Anyway, since such requests are apparently ignored here, my password is "bluewave".
Have fun.