GitHub suspended access to their account for a commit to their own software, because it caused a problem for all these companies. For one, it shouldn't have; ideally, pinning dependencies and auditing all changes should be done. These libraries are always licensed in a way that excludes warranty of any kind.
But I honestly don't care if companies "exploit" open-source software by making money using them and not donating to the developer. That may be unhealthy for the ecosystem, but neither side is entitled to anything. I would donate, but not expect a donation, and poisoning the well the way these developers did is not going to help any of us.
That seems like a bit of a shaky ground to stand on for GH.
If someone publishes code for themselves, and at no time asks anyone to take it as a dependency, then at a later date they change that code in a way that breaks other people's use of it, do GH then take over the account?
Sure, trying to find exactly where the malicious line gets crossed is pretty hard and subjective, and maybe that will bite GH one day. But this specific case is not anywhere near that line, the sole intent of those commits was to break others, and he admitted so himself.
This is like arguing about whether the james webb telescope really is in space since we don't have a precise consensus about what altitude is considered the frontier with space.
I'm sure this case is clear; my point was around the wider principle that by going down this line GH set themselves up as arbiter of "malice".
To take a trickier example, say a GH user has a lib, then decides to re-architect it, breaks the API and for their own purposes pushes it to an existing version, breaking all other use of it. Now that's a nasty thing to do, but is it malice?
Another, real-world, example is I know of a user who publishes "honey PoCs" for security issues, where the repo appears to be exploit code but actually isn't. He's been accused of malice in doing this, but his intent is research for a talk on how people use code blindly without testing.
Is that malice, should GH take his account down?
By stepping into this area GH are going to have to find answers to this and also the problem of who maintains the repos of accounts they nuke?
> By stepping into this area GH are going to have to find answers to this a
I think they already have, those 2 examples you mentioned already happened and were dealt with.
I think intent is important to take into consideration, since after all that is the definition of malicious: intent to cause harm.
Your first example clearly has no intent to cause harm. That case has probably happened thousands of times already, since not everyone is willing/able to follow semver cleanly and strictly. I have never heard of GH taking any measure against that. And I would definitely not expect them to as a user/maintainer.
For the second case, I think GH policy is that you can host that kind of PoC, but the repo has to be clearly documented as doing such (e.g. you can't just add some vuln into some unrelated code "for research"), and the vulnerability cannot be an active one: "We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, GitHub disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited." - GitHub [1]
Back to Marak's case, my opinion is that GH did the right thing: If he just had his code in a repo, with no semver, no other contributors/maintainers, and such, and decides to nuke it, then I hope GH would not have done anything.
But when you are using all the tools and trust of open source: other people contributing to your repo, other people being active maintainers/admins and spending time out of their days to fix bugs on it, when you leverage NPM to make it easier for you to distribute your package to others widely etc., you give up the privilege of being able to act unilaterally like an asshole without consequences.
The thing is, intent isn't always clear and oftentimes Github are unlikely to have all the context needed. It's easy to determine with simple examples, the real world is often messier.
For example, in that first case, say all they had was a wave of people saying "x broke my application"; it would look a lot like the case in the article, and they'd have to dig in to find out it was just a bad API change without semver being followed.
It also requires Github to have a staffed department to deal with this, now that they've established themselves as the arbiters.
For me, there's a split between a repository (NPM) and a hosting company (Github). For this case I'd have forked the repo, rolled back the malicious change in the fork, and hooked the fork up to NPM, and left the original GH account alone. That solves the problem of the breakage, without getting into banning whole GH accounts.
I happened to create an infinite loop in some of my programs, but not intentionally like the author did. Furthermore, he intentionally pushed the infinite loop with the result of DoSing everybody knowingly or unknowingly using his software. This is malicious behavior IMHO.
Why would the developer of any software that comes explicitly without warranty be held responsible for downstream breakages? It's not as if one could force people to upgrade to newer versions, and they can always keep depending on the old releases.
In this case, the developer's behavior was malicious: they intentionally caused damage. This is very different than some good faith change that breaks stuff downstream. Sure, the license says "no warranty". But github can decide that they won't tolerate vandals on their platform. It would be within their right to revert the bad change from the git database they hold, go back to the last good change and lock the developer out.
Broke CLI tools (firebase for me); my computer crashed because of some weird infinite loop out-of-memory error that I wasn't able to recover from. Anyway, good wake-up call to not rely on millions of deps for npm work, hopefully.
No, you broke your CLI tools. By unthinkingly pulling in stuff from someone else's repository without vetting it. Or using other tools which did, which amounts to the same thing.
Hey, you're the one stating they caused damage. They printed some zalgo strings. Hard to see how that damages anything other than making a few CI jobs fail.
Thanks for stating the obvious. It isn't silly at all to publish malware and vaporize your reputation, right? Maybe it was good after all; people will become careful.
Maybe he wanted libraries that printed blather in an infinite loop. Then it can't be "malware" to put that in his own repositories.
If other people don't want that, then they shouldn't pull from his repositories. If they do that anyway, then that's their own fault. Nobody forced them to.
> the author themselves said in this case, that the reason to submit the malware was to give a "fuck you" to the big corps.
Yeah, so obviously he did want libraries that give a "fuck you" to the big corps (by printing blather in an infinite loop). Then it still can't be "malware" to put that in his own repositories.
And my point still stands: If other people -- you, big corps, whoever -- don't want that, then they shouldn't pull from his repositories. If they do that anyway, then that's still just as much their own fault. Because, still, nobody forced them to.
Was the author aware that "hoobs and its security camera plugins" were going to break from this push? Or any prod servers, for that matter?
I see no code in there that checks if it is running in production. In fact, it is a reasonable expectation that people don't throw code into production blindly, but rather test any changes out first.
malware is malware. You don't have a right to change ur software to malware. "wElL yOu ShOuLd HaVe Tested" no you shouldn't push software in bad faith designed to crash apps that use it.
> You don't have a right to change ur software to malware.
Yes, I do. I may not have a right to push malware onto unwilling victims, but I absolutely have a right to change _my_ software however I want.
> "wElL yOu ShOuLd HaVe Tested"
Please, no need to be childish here. I have not taken that tone, nor will I respond to it in kind here.
> no you shouldn't push software ... designed to crash apps that use it.
Show me where a `git push` == "push[ing] software ... to ... apps that use it". When the `git push` is to my own repository, mind you, not someone else's app.
> ... in bad faith ...
Finally, I agree with you on something.
Of course this was in bad faith! That was clearly the point. When I write software and put it out there, and somebody comes and uses it, and I break my software to spite them, I am obviously acting in bad faith towards my users.
But that does not make it malice, or my software malware. I did not reach down into other people's computers/apps and change what they run.
"Kind of" is doing some pretty heavy lifting there. No, you don't "have to"; you're perfectly free to write your own software instead. Or even just use a prior version of his code that does what you want it to, instead of blindly updating to one that doesn't. He didn't force you (or the writers of whatever software you're using) to update, now did he?
He didn't force anyone to update to the new version, right? So how is it his problem? Some other entity had to go and update the version they depend on.
And if you now say "well, that happens automatically", I say: serves them right. They should have tested the stuff.
The warranty issue is a red herring. A warranty is an affirmative guarantee of quality: you are (in essential concept, if not in precise detail) agreeing to be held to a "strict liability" standard. If I buy real estate and I am granted a warranty deed, and the title to the property comes into question, the seller can be brought to account to make me whole or indemnify me, regardless of who is at fault for the title defect.
Without a warranty, you're not held to strict liability, but you can probably be held liable under the default legal regime. If I buy real estate and get a quit-claim deed, there is no promise that the seller has unencumbered rights to the property. However, if I can show the seller intentionally defrauded me, they can still be held civilly and criminally liable for the fraud.
I don't think he pushed malware, did he? He just broke his own project and published the broken version. That's not pushing malware.
I don't get why people don't just pin versions, honestly.
I'm not saying he did a good thing. But neither did he push malware nor has he any obligation to publish unbroken packages. If you're using FOSS projects without a service contract, don't whine if something breaks.
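The two comments above (and the first comment's point about pinning dependencies and auditing changes) both come down to the same defensive habit: do not let a routine install pull in a release you have never looked at. The script below is an added example, not code from the thread or from any project discussed in it; it scans a `package.json` manifest for version specifiers that can resolve to something other than one fixed release (caret and tilde ranges, dist-tags such as `latest`, git or URL sources) and reports them. The package names and versions in the sample manifest are constructed for the example.

```javascript
// Added example (not from the thread): report dependencies in a package.json that are
// not pinned to one exact version, so a newly published release cannot be picked up
// by a routine `npm install`. All package names and versions below are constructed.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build suffix, nothing else.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

const DEPENDENCY_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Classify one version specifier. Anything that can resolve to more than one
// published version (ranges, tags, wildcards) or to a mutable source (git branch,
// tarball URL) is treated as unpinned.
function isPinned(spec) {
  if (typeof spec !== "string") return false;
  // npm alias form "npm:real-name@1.2.3": judge the part after the last "@"
  if (spec.startsWith("npm:")) {
    const at = spec.lastIndexOf("@");
    return at > 4 && EXACT_VERSION.test(spec.slice(at + 1));
  }
  return EXACT_VERSION.test(spec);
}

// Return [{field, name, spec}] for every dependency that is not pinned,
// in manifest order.
function findUnpinnedDependencies(pkg) {
  const findings = [];
  for (const field of DEPENDENCY_FIELDS) {
    const deps = pkg[field];
    if (!deps) continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (!isPinned(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names)
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "some-lib": "^1.4.0",            // caret range: any new 1.x release is accepted
    "other-lib": "5.5.3",            // exact version: stays put until someone edits it
    "third-lib": "latest",           // dist-tag: whatever is newest at install time
    "alias-lib": "npm:other-lib@5.5.3" // alias pinned to an exact version
  },
  devDependencies: {
    "test-tool": "~2.0.0"            // tilde range: any new 2.0.x release is accepted
  }
});

// Parse a manifest's JSON text and return the unpinned entries.
function auditManifest(jsonText) {
  return findUnpinnedDependencies(JSON.parse(jsonText));
}

// Print a short report when the file is run on its own.
for (const f of auditManifest(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}: ${f.name} is not pinned (${f.spec})`);
}
```

Pinning in `package.json` only fixes the packages you list directly; what your dependencies themselves depend on is still resolved at install time unless a lockfile (`package-lock.json`) is committed and installs use `npm ci`, which refuses to proceed when the lockfile and manifest disagree. Running a check like this in CI, together with a lockfile, is what turns "just pin versions" into something that actually holds.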
Let's say I set up a lemonade stand in my neighborhood every weekend, where I pour a bunch of cups for people to take, put up a sign that says it's free, and I set out a tip jar.
After a few weeks, I get upset that people have been taking the lemonade without leaving tips, so the next time I set up the stand I add a toxin that I know will cause immediate damage to anyone who ingests it. To protect myself, I have of course been posting a sign every weekend that says the lemonade is provided as-is.
So – did I do something wrong, or not? Will a court look at this situation and say, "gee, he just poisoned his _own_ lemonade and set it out for public use, it's not like he forced anybody to drink it"?
This feels like 100% black-and-white criminal conduct, and I would hope anyone who pulls a malicious stunt like this would be held liable for it.
I'm really struggling to see how either of those two sentences fits into this conversation. "Code is speech" seems to be pointing in the direction of a spurious First Amendment argument, "stop listening" seems counterproductive, and the example of someone defacing their own Facebook page is at the very least incomplete without you saying whether or not you think Facebook would be obliged to continue hosting the defaced page.