"THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
People keep placing obligations on maintainers in the FOSS ecosystem.
Maintainers don't have to do jank in this situation, except not fraudulently distribute their software.
If they want to publish their upstream as malware, okay.
It's the end user's fault for continuing to pull that source code and integrate it into their system.
That's like saying "it's your fault for giving them your password" when someone opens a phishing link. Yeah, all the scammers did was host a website and send emails, you chose to provide them your information. It doesn't make them not liable.
I think you'll find that argument will not be very persuasive to a judge if the case is that the author of the software knowingly adds code in after people have integrated it into their systems that on purpose damages those systems.
Intention will often carry weight, and no claiming of rights and purity and "see, I wrote here you can't do anything to me!" is going to persuade a judge that you can just go around destroying property because you want to.
NPM's terms explicitly disallow malware. They're free to put the raw source on say GitHub, but the author isn't permitted to package and distribute it on NPM.
Like, okay, you can't expect a doctor to save the life of every person who comes into the ER, but you can hopefully expect them not to start stabbing patients to death, and something should probably happen if they do, right?
Your argument makes sense for inaction (and is important and not brought up enough, honestly; there is a lot of entitlement in the open source world and people treat library developers in some pretty nasty ways), but not for action, as is the case here. The only obligation anyone expected here was the obligation to hold yourself back from making your project that gets millions of downloads per week point to malware.
I reject that interpretation entirely. Sure, maybe the author isn't legally liable for any harm here (though I'm not entirely convinced that's the case), but we are all well within our rights to tell him he's an asshole for doing this.
I don't think this comes down to an "obligation" of open source maintainers. I think it's pretty evil of ANYONE to market software pretending it's one thing, when in reality it's malware. Open Source or not doesn't change that.
> It's the end user's fault for continuing to pull that source code and integrate it into their system.
More than one party can be at fault.
But now that the maintainer became a malicious actor, I hope they are booted from the FOSS world and their github gets shutdown for illegal behaviour. This behaviour cannot go on unpunished.
"Some people in my country were victimized by organized crime in another country, and that country's government didn't try to stop the criminal activity, so it's turnabout, and hence fair play, for me to victimize other people in that country"?
Wasn't that about the Cyrillic keyboard layout? Russia doesn't own either Cyrillic or the Russian language.
On one hand, this is a seemingly non-violent and subtle way to protest. On the other, the potential collateral damage is huge and just burns all trust with this developer, and is a net harm to the ecosystem as a whole.
FOSS is great, because we were actually able to track the changes here. But it also points out how many packages go un-checked and just installed into a container running with root permissions.
> On one hand, this is a seemingly non-violent and subtle way to protest.
You can't be serious. Being non-violent and subtle is no excuse for deliberately making software have real side effects on a computer that it's not advertised to do, especially a node library. Node modules for some reason tend to be very small and have trivial tasks like checking if something is a number. Imagine if everything shipped with its own political malware.
No matter how you want to spin it this is completely unacceptable and nobody should ever trust this developer again.
> But it also points out how many packages go un-checked and just installed into a container running with root permissions.
The fact that "packages go unchecked" doesn't make this okay either.
Then people could write their own code to check if something is a number.
Any assumptions or claims beyond that are your own delusions.
Doesn’t necessarily make it OK, but this will only affect the sloppy.
I would imagine web developers over there, being more educated, technical, and exposed to the West, would be the ones less likely to support the war.
There's nothing subtle about wiping files, why not provide news and information that's being blocked? This could have been an information bridge that would be hard to censor. Hell, run a crypto miner on their machine and donate to Ukraine if you're trying to help, that'll have more of an impact than wiping some poor dev's files.
I don't know how to feel about this because it's not much different than sanctions in theory (very different in execution). Cause pain for people so they "force internal change."
It's not something to root for gleefully.
It's not really an issue to bypass blocks (how do you think Russians access rutracker). Especially not for a person who is capable of doing something with NPM packages.
> why not provide news and information that's being blocked?
Radio free europe style. I like it
If this move broke some key software used on the battlefield, would we all be so quick with our positions?
What Ukraine needs is advanced weaponry, financial and political support. Not this batshit insane vigilantism that will not end well and do absolutely nothing to hurt the Russian state. I can't even imagine if this happened to a more visible minority, say if China invaded Taiwan? It's just scary.
I'm not saying this is on the same level at all, but I'm starting to understand how it got to the point where the internment of Japanese Americans was supported by a majority of Americans back in WW2. As a minority it just gives me this weird unsettling feeling that is a bit hard to explain, even if I'm not Russian.
When your government uses hospital locations as a target list and drops bombs on shelters, I don't care if your files get deleted.
You have participated in too many instances of two minutes hate and were gaslighted by propaganda.
I laugh hysterically (in a very sad way), as I scroll through /r/Ukraine and see yet another video headlined as "Another Russian war-crime in Ukraine", that I had already seen a few years ago headlined as "Ukrainian war-crime in Donetsk".
There is no truth anymore, literally every man for himself.
I imagine that they are scientists, engineers, and colleagues, and will treat each other with support, as people of goodwill.
There are other people who are active combatants right now, whether or not they want to be, and it is tragic beyond words.
I believe that one of the ways that we non-combatants can help is to set an example -- or to leave a door open -- to how we can treat each other when the current conflict is ended.
That doesn't include lashing out angrily and hurting our fellow open source community members, most of whom presumably want no part of the tragedy, and instead want the same things we do (e.g., to develop good software, collaborate and share with others, pursue careers and businesses, support families, etc.).
When the US invaded Iraq in 2003, I was very much against it, but felt powerless to change the course of my government. (And the US government kept on doing what it felt like, no matter how unjust its actions.) While I was ashamed of my country's actions, I didn't think it would be fair for people in other countries to punish me personally for them.
And this is in the US, a supposed liberal democracy! What chance does your average Russian citizen have of getting a dictator like Putin to change his mind here?
Theoretically though in representative democracy you choose the government to represent you and be an agent for making your decisions. You are responsible for what your government does in part that equals 1/Population
>It is documented what it does and only writes a file if it does not exist. You are free to lock your dependency to a version that does not include this until something happens with the war, like it turns into WWIII and more of us wish that we had done something about it, or ends and this gets removed.
from https://github.com/RIAEvangelist/node-ipc/issues/233#issueco...
Could someone verify which statement is true?
The old version erased files, the new one leaves a file on the desktop.
- @vue/cli-ui
  - node-ipc@^9.2.1
- @vue/cli-shared-utils
  - node-ipc@^9.1.1
Due to the nature of the ecosystem I feel like:
- pinning the dependencies
- running something like renovate
- merging the resulting MRs with quite a delay from when they were opened
are some basic steps in mitigating this sort of silly, but potentially expensive, stuff.
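One way to turn those three steps into a check, as an added example that is not code from the thread or from any project named in it. It audits a package-lock.json-style "packages" map for floating ranges (the `^9.2.1` form quoted above is the kind that lets a transitive dependency silently move to a newer release), reports whether the locked copy has already drifted above the declared minimum, and applies a minimum-age rule to new releases so that an update sits in the open for a while before it is merged. The lockfile, versions and dates are constructed for the example; the root package version and the drifted node-ipc version are hypothetical.

```javascript
// Added example, not code from the thread or from any project named in it:
// a small lockfile audit implementing the "pin, then update slowly" steps
// above.  Inputs are constructed inline; versions and dates are hypothetical.

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build tags are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A specifier is "floating" when npm may resolve it to something other than
// the version literally written (caret, tilde, ranges, tags, wildcards).
function isFloating(spec) {
  return !/^\d+\.\d+\.\d+$/.test(spec);
}

// Does `version` satisfy `spec`?  Handles exact, ^ and ~ (the forms that
// appear in the @vue/cli dependency declarations quoted above).
function satisfies(spec, version) {
  const v = parseVersion(version);
  if (!isFloating(spec)) return cmpVersion(parseVersion(spec), v) === 0;
  const op = spec[0];
  const base = parseVersion(spec.slice(1));
  if (cmpVersion(v, base) < 0) return false;
  if (op === '^') {
    // npm semantics: ^1.2.3 = <2.0.0, ^0.2.3 = <0.3.0, ^0.0.3 = exactly 0.0.3
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return cmpVersion(v, base) === 0;
  }
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  throw new Error(`unsupported specifier: ${spec}`);
}

// Walk a package-lock.json "packages" map (lockfileVersion 2/3 shape, keys
// "node_modules/<name>") and report every edge whose declared range floats,
// noting whether the locked copy has already drifted above the range's
// minimum.  Nested node_modules/ hoisting is ignored for brevity.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const from = path === '' ? '<root>' : path.replace(/^.*node_modules\//, '');
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      const locked = lock.packages[`node_modules/${dep}`];
      if (!locked) continue;
      if (!satisfies(spec, locked.version)) {
        findings.push({ from, dep, spec, locked: locked.version, status: 'out-of-range' });
      } else if (isFloating(spec)) {
        const drifted = cmpVersion(parseVersion(locked.version), parseVersion(spec.slice(1))) > 0;
        findings.push({ from, dep, spec, locked: locked.version, status: drifted ? 'floating-drifted' : 'floating' });
      }
    }
  }
  return findings;
}

// The "merge with a delay" step: a new release is only eligible once it has
// been public for `minAgeDays`, so a pulled or patched release has had time
// to be noticed before it lands.  `publishedAt` stands in for the registry's
// per-version `time` entry.
function eligibleForMerge(publishedAt, now, minAgeDays) {
  return Date.parse(now) - Date.parse(publishedAt) >= minAgeDays * 86400000;
}

// Constructed lockfile: the root pins @vue/cli-ui exactly (hypothetical
// version), but cli-ui's own declaration of node-ipc (quoted in the thread)
// floats, and the locked copy has drifted above the declared minimum.
const SAMPLE_LOCK = {
  packages: {
    '': { dependencies: { '@vue/cli-ui': '4.0.0' } },
    'node_modules/@vue/cli-ui': { version: '4.0.0', dependencies: { 'node-ipc': '^9.2.1' } },
    'node_modules/node-ipc': { version: '9.2.5' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.from} -> ${f.dep}@${f.spec} (locked ${f.locked}): ${f.status}`);
}
console.log('release eligible after a 14-day hold?',
  eligibleForMerge('2022-03-15T00:00:00Z', '2022-03-20T00:00:00Z', 14));
```

Pinning at the root does not help with the edge that matters here: `@vue/cli-ui -> node-ipc@^9.2.1` is declared by the dependency, not by you, so the audit has to walk every edge in the lockfile rather than just the top-level package.json. The age check is deliberately dumb; its value is that the delay between a bad release and its withdrawal is usually shorter than a two-week hold.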
The mistake was fixed within 6 minutes: https://github.com/vuejs/vue-cli/commit/b0d931668e7e8450a285...
It looks like the malware version of @vue/cli has been downloaded a total of 170 times.[1] That's 0.13% of all downloads of that package this week. It's also important to note that @vue/cli has been deprecated for months. If you're making a new Vue project today[2] you'll use create-vue[3] which doesn't depend on node-ipc at all.
1. https://www.npmjs.com/package/@vue/cli?activeTab=versions
The solution is to audit all code you rely on, the unviability of that solution is the fault of the npm micro package ecosystem.
I've tried to get rid of micro packages in the dependency tree of popular libraries, but because it's a turf war, PRs get closed, and the problem continues.
The npm ecosystem distributing yet another malicious module is more serious though.
What would you call an operation that has nearly 0 effect on enemy combatants and only deals damage to civilians?
I've got some bash scripts on GitHub that would delete files on the local machine if run. Today I don't care if anyone else runs them. If, however, the winds are blowing towards people doing themselves harm with my code being my problem, I guess I should delete the code I've published.
Bad precedent to see here.
If the former counts as distributing malware, my bash script that clobbers local directories to put the machine back into a sane default state might be too. It does rm -rf ~/$DIR and similar. It's just not as successfully deployed.
Or software that wastes resources, maybe it goes into an infinite loop and DoS the local CPU. I've got one of those called 'heater' or similar that I used to warm up a macbook in a cold office. If someone ran that on cluster it would be unhelpful.
Maybe the change in functionality to malware from a widely shipped useful product is the key distinction, coupled with limited disclosure of the behaviour change.
Western politicians and public media have been bashing and portraying Russia as "a haven for hackers" for some time now, but it's not like the US is any better from Russian perspective.
Russian law enforcement has huge stacks of unsolved cybercrime cases, that are essentially blocked by lack of cooperation from a foreign counterpart.
The blast radius is monstrously giant. We seem to be still very naive in the way we approach, use, and implement this type of system, with an assumption that maintainers are working in good faith and are reliable.
I don’t know how things should be, and I don’t like to think of contributors and maintainers as a threat, but we have enough examples now to know that ignoring that risk is a fundamental issue.
It's insane how much legal liability a company is exposed to by agreeing to so many unread licenses. And how much attack surface they're exposing themselves to with their sprawling dependency chains.
Why stop at countries? How hard would it be to use ML to detect if the user has the wrong politics? Why stop at just deleting files? How about downloading as much illegal content as possible, sending embarrassing emails, etc? There's so many possibilities here.
If the Western FOSS ecosystem demands KYC from me I'm dumping them for the Non-Aligned Movement.
As a developer who wants to sandbox your own (recursive) dependencies, this is wrapped and made accessible today in Lavamoat[2]. Basically a package or app can provide a policy manifest specifying which capabilities (e.g. network or filesystem access) should be granted for each sandboxed dependency. Also comes with a tool that will auto-generate a starting point from your existing dependency tree.
IMO this is the future. Currently Lavamoat does come with a performance penalty but hopefully this idea will catch on and make it into language runtime implementations.
Lavamoat is still marked as "preprod" on npm but talking to the original author, the API is practically stable and it will shortly have its first stable release.
[0]: https://github.com/tc39/proposal-ses
[1]: https://github.com/endojs/endo/tree/master/packages/ses
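What a per-dependency capability policy buys you in the node-ipc situation, as an added example that is not LavaMoat's code and not from the thread: the baseline policy below records which builtins, globals and packages each dependency was granted when the tree was last reviewed, and a later scan of the updated tree is diffed against it. The policy shape (resources, then per package `globals`, `builtin` and `packages` maps) follows LavaMoat's policy.json as I understand it; the prefix-matching and diffing logic is my own illustration, and every package name is hypothetical.

```javascript
// Added example, not LavaMoat's code: shows how a per-dependency capability
// policy surfaces a dependency that starts touching the filesystem.  The
// policy shape mirrors LavaMoat's policy.json as I understand it
// (resources -> package -> globals / builtin / packages); the checking and
// diffing logic is my own illustration, and every package name is hypothetical.

// Policy generated when the tree was last reviewed (constructed inline).
const BASELINE_POLICY = {
  resources: {
    'some-ipc-lib': {
      builtin: { net: true, events: true },
      globals: { 'console.log': true },
      packages: { 'some-queue': true },
    },
    'some-queue': {
      globals: { setTimeout: true },
    },
  },
};

// A dotted request such as "fs.writeFileSync" or "process.env" is allowed if
// the policy grants that exact path or any prefix of it ("fs", "process").
function grantedByPrefix(table, request) {
  if (!table) return false;
  const parts = request.split('.');
  for (let i = 1; i <= parts.length; i++) {
    if (table[parts.slice(0, i).join('.')] === true) return true;
  }
  return false;
}

function builtinAllowed(policy, pkg, request) {
  const res = policy.resources[pkg];
  return !!res && grantedByPrefix(res.builtin, request);
}

function globalAllowed(policy, pkg, name) {
  const res = policy.resources[pkg];
  return !!res && grantedByPrefix(res.globals, name);
}

function packageAllowed(policy, pkg, dep) {
  const res = policy.resources[pkg];
  return !!res && !!res.packages && res.packages[dep] === true;
}

// Compare what a fresh scan of the updated tree observed each package using
// against the baseline policy.  Anything not already granted is an
// escalation: the build should fail and a human should read the diff, rather
// than the new capability being regenerated into the policy silently.
function findEscalations(baseline, observed) {
  const escalations = [];
  for (const [pkg, caps] of Object.entries(observed)) {
    for (const b of caps.builtin || []) {
      if (!builtinAllowed(baseline, pkg, b)) escalations.push({ pkg, kind: 'builtin', cap: b });
    }
    for (const g of caps.globals || []) {
      if (!globalAllowed(baseline, pkg, g)) escalations.push({ pkg, kind: 'global', cap: g });
    }
    for (const p of caps.packages || []) {
      if (!packageAllowed(baseline, pkg, p)) escalations.push({ pkg, kind: 'package', cap: p });
    }
  }
  return escalations;
}

// Constructed scan of the next release: the IPC library now wants fs and
// path, and pulls in a new transitive package it never used before.
const OBSERVED_AFTER_UPDATE = {
  'some-ipc-lib': {
    builtin: ['net', 'events', 'fs.writeFileSync', 'path.join'],
    globals: ['console.log'],
    packages: ['some-queue', 'new-transitive-dep'],
  },
  'some-queue': { globals: ['setTimeout'] },
};

for (const e of findEscalations(BASELINE_POLICY, OBSERVED_AFTER_UPDATE)) {
  console.log(`ESCALATION ${e.pkg}: ${e.kind} ${e.cap} not granted by policy`);
}
```

The point of keeping the generated policy under version control is the diff: an IPC library that suddenly needs `fs.writeFileSync` shows up as a one-line change in review, whether the new code is a feature, a bug or a political statement. Treat the auto-generated starting point as a baseline to be read, not as an allowlist to be regenerated on every update.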
peacenotwar is explicitly GPLv3 but was added to node-ipc which still claims to be MIT licensed. Suddenly, any user shipping code dependent on node-ipc or Vue could be in violation of that license.
IANAL and don’t know if unknowing breach of the GPL would be enforceable… but zooming out, it’s worth noting that deep software supply chains can carry risk beyond just the risk of an explicit coded attack.
If you want to sabotage all Russians for some weird reason, just introduce a race condition that's masqueraded as a compatibility fix for the Russian locale.
If you want to send out a message, take a more peaceful approach. Create file or print out a translated message like "<Citizen name>, age <age>, was killed in the illegal Russian invasion of Ukraine on <date>" in Russian. Add a link to a picture or a news article if you want. Still a pretty annoying move, probably universally considered in bad taste by most people, but not illegal or destructive. Add something like "the economic recession is because the Western world opposes the Russian government" to make that clear as well, because the immense inflation will probably hit random citizens hardest. Best case scenario you're informing some ignorant Russians stuck behind state propaganda, worst case scenario you piss off some Russian nationalists who will stop using your library.
In the end, this is just another demonstration of how dangerous modern dependency management is. NPM has been through leftpad, colors, now node-ipc, and there's still no way to prevent it from happening again.
I don't know of any language ecosystem with a package manager that doesn't have this problem as well. Perhaps the more boring/slow software dev requiring OS package managers, because Debian maintainers tend to be a little more level-headed than random Github users? Take your pips, cargos, gems, gradles, composers, and you'll find exactly this vulnerability.
The general consensus seems to be "it's impractical to validate all the code we're pulling in, so there's nothing we can do", which is kind of crazy in my opinion. Yes, modern dev does pull in a billion dependencies for every framework, but doing nothing just isn't a problem.
We're one NPM hack away from global catastrophe as long as we don't find a solution for problems like these.
It's 'funny' and hypocritical (as many folks here work for Google and other companies related to the aforementioned issues) that we're condemning a dude for getting emotional and causing limited damage in cyberspace while a crazy dude is wreaking destruction in meatspace, killing thousands and threatening the World with nuclear war.
I understand the fears that this can undermine this nice thing we have that is opensource. Though the nice thing is that individuals voluntarily share code for whatever intrinsic reasons they have. MIT provides no warranty of any kind and there's no moral obligation to serve and make it corp-friendly. As developers our code is generally the only 'real' power we have and we can't deny that guy his agency.
RIAEvangelist was sloppy and probably will suffer consequences for his activism. Being banned from GitHub and the NPM registry are expected and fair due to probable ToS violations and the interest of the organizations in preserving trust. But I fail to see how what he did is more or less ethical than financial sanctions like those recently applied to Russia. If he were to make it look like a mistake it would save him the trouble because ignorance/incompetence are socially accepted.