> In my view, there’s a social contract around OSS and its sustainability. My wording of this social contract is essentially:
> You get to expect things of an OSS project to the extent that you contribute to that OSS project or are willing to help. Everything else should be gratitude or grace.
I do think there is another inherent part of this contract, which is that if you put something out there as "Hey, I made this cool thing, you can use it for free if you think it's useful" and that thing becomes a production dependency for folks via automatic package managers (npm, NuGet, etc.), you avoid changing the terms of that deal in a way that affects people automatically.
I think it's totally cool if a dev wants to make a new major version with different licensing terms, or a new major version that is a big breaking change, or step away from a project altogether and let it break with future platform updates. They have no obligation to keep supporting and updating the thing they put out there. But to update that thing in a minor automatic point release and change the terms of the deal seems not cool.
In this case, the change is also a security concern, adding a closed-source, obfuscated DLL that executes local commands and makes network connections, without obtaining any new consent from users to do these things.