FLOSS developer intentionally corrupts his libraries and has multiple dependent applications print out garbage, stating that "I am no longer going to support Fortune 500s [...] with my free work."

bleepingcomputer.com/news/secu

#FLOSS #labor

@fcr If you don't want to support fortune 500s with your free work, don't publish your work under the MIT license

I can't fathom people in this thread are siding with him. This is a breach of trust in the open source world. The updates were purposefully malicious.

He was allegedly also making a bomb and set his house on fire:

abc7ny.com/suspicious-package-

@Gargron @fcr yeah, I am not siding with the developer. His actions were shitty.

I am underlining the fact that:
1. Microsoft GitHub will block your account if it doesn't like the changes you make to your own code;
2. AGPL is a way better choice of license if one doesn't want to support Big Tech.

@rysiek @fcr Regardless of whether it's your code or not, if you upload malware into a widely used software package you deserve to have your account blocked.

@Gargron @fcr I do not see them as *malicious*. These were not cryptominers, no data-stealing code, it just rendered the libraries unusable.

"Mischievous" is the word used in the original story, and I think that's a way more accurate description.

@rysiek @fcr It didn't just make the library output the wrong value, it introduced an infinite loop, which in my view constitutes a denial of service attack.

@Gargron @fcr I can see why you feel that way. Personally, to me it does not cross the "malicious" line -- partly because this is something that should be trivially caught in any pre-deployment testing.

We can agree that this is not acceptable behavior for a FLOSS developer, and it is in fact irresponsible.

That said, I do think focusing on the developer's (shitty) action is less useful than focusing on the bigger problem of open-source software developers doing free work for Big Tech.


@rysiek it is malicious because the intent of the action was to harm whoever uses the project by effectively causing a DoS. There is no question about that. The motivation is what makes it malicious; it could have been a bug if it was unintentional, but it wasn't.

Sheogorath's Microblog