NPM implodes... again

Marak Squires is the author of two well-known and widely used libraries on NPM, colors and faker. colors gets 20 million downloads a week with 19,000 projects relying on it, while faker has 2.8 million weekly downloads and 2,500 dependents.

Suddenly users were startled, because programs using these libraries were printing out garbage, LIBERTY or the American flag. So they thought that NPM might be compromised - again.

This is not the case - the changes were made by the author himself. He already warned last year about not "going to support" big corporations with his free work any longer, and that these corporations should either fork his projects or compensate him with a six-digit yearly job.

Since this didn't happen, Squires modified his libraries. VessOnSecurity called this action irresponsible, stating: "If you have problems with business using your free code for free, don't publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, 'coz stuff might break."

 
He already warned last year about not "going to support" big corporations with his free work any longer
Is there an open source license that has provisions for this? Something like, may only be used for non-commercial purposes, or something to that extent? But where do you draw the line? A small company with 10 people is allowed to use it but not if you have 100 or more? Or should it be based on the profits that the company makes (a company with 10 people could make more profit than one with 100)?

I mean, if you slap a GPL or BSD license on it then you are allowing big corporations to use it, whether you like it or not. That is the nature of those licenses.
 
Nope, there's no such thing. Which is probably why the business model of some open source projects is having an open core and offering premium add-ons on top of it which then are closed source.

On the other hand, up to some degree I can understand him: his work gets used a lot by many companies, but he doesn't profit from it and they don't give back. In former times people with influential projects/stuff were often hired by companies like IBM, RedHat, Oracle, SuSE and such (which is in itself often a good and a bad thing at the same time, given the contract and leeway your employer gives you).

Anyway, it's entirely his own fault for not coming up with a business model which supports his life. When giving stuff away for free people will use it for free, it's that simple.
 
The thing I stumbled on: It's called "sabotage".

If I modify my own code in a way I want - how can that be sabotage? Others have to check if my code fits their usage (and this of course for every new version!), and there is also no claim for future versions of my code. It's up to the users to take care; if I'm taking care of others it's just nice for them, but nothing the users can insist on. There is no contract that says "you've given us usable software once, so you have to do this till you die". At least I'm writing open source software for myself - others can use it, too, but: That's it. I can do whatever I want with it.

But hey, you have no clue if you program your code by yourself starting from a green field - use third party instead; why reinvent the wheel, etc. So, that's why: control.
 
is there an open source license that has provisions for this? Something like, may only be used for non-commercial purposes, or something to that extent?
Not sure about an open source license, but isn't this the basic model that Qt used for a while? Over the years I've seen a lot of projects stating this (please don't ask for examples, I'm going by memory), but never gave thought as to how enforceable it would be.
I've seen lots of things released under things like the BSD/MIT license and then at some point get closed (roughly what Oracle did with Java, Solaris, etc.), resulting in a hard break: "before this point in time, open, after, closed", so the community keeps the open part alive if it's worthwhile.
Owners of the copyright (code) can change the licensing terms at any point in time, but it only affects "from now on", not the past.

My limited knowledge of NPM-type stuff leads me to believe users probably need to range-check the version instead of relying on a minimum version number.

As for the code owner's actions, I'm bemused, and as jmos says, he owns it, he can do whatever he wants with it.
 
Nobody forces you to use some "well-known" license, you can come up with your own licensing terms. I've seen projects in the past that just strictly forbid any commercial usage. Whether that's a good idea is a different discussion.

I think what we see here are symptoms of a "new generation" of open source devs and users. A lot already went down the drain (software quality), and just throwing libs and frameworks on your own project is done mindlessly. In fact, "teaching people not to upgrade"? This already happened. You see more and more projects that just "bundle" tons of dependencies, because not doing so would make everything fragile as hell. Nobody can overlook a dependency tree with thousands of packages and really have an idea whether all these packages follow good practices like e.g. semantic versioning. Oh, and many don't.

Just recently, I had to fix something at work. It turned out an open source package introduced a really hefty breaking change in a patch-level release(!), without prior warning. To add insult to injury, there was NO documentation about it, and the commit introducing it was one huge mess with millions of code lines changed. I had to work through this behemoth to understand what's going on. This wasn't possible in GitHub's web interface; the commit was large enough to stall my browser.

I think any sense for quality is slowly getting lost 😔
 
Users need to learn how to write their own software. Too many people rely on npm and other software that they could write on their own.
I don't disagree with this at all. But here I am relying on FreeBSD that someone else wrote :) I'm kidding, that was just a joke, sarcasm, making fun of all of us. Over-reliance on third party software simply because "it's easier" is the bane of writing software. There is a balance between the "Not Invented Here" mindset and the "use whatever you find" mindset that may be different for every project. And some folks may not actually be able to write what they need, but they at least need to understand how to vet what they use from others.

I think any sense for quality is slowly getting lost
I'm not so sure "slowly" is accurate anymore. I think in general "quality" has been redefined downwards and "as quick as you can" is the operative phrase.
 
While I have mixed feelings about what the person did, it is the part later on in the article that is worrying. The part I am referring to is where it is said GitHub and NPM effectively took over the dev's work while also locking the dev's account.
 
While I have mixed feelings about what the person did, it is the part later on in the article that is worrying. The part I am referring to is where it is said GitHub and NPM effectively took over the dev's work while also locking the dev's account.
I mean it's Microsoft, what else to expect?
 
I mean it's Microsoft, what else to expect?
I think that somewhere, at at least one of these corporations, the risk assessment department is now thinking as I did before, putting a price tag on the malware dropper case, guesstimating the probability of that case and passing the result to the bean counters as "cost of using all the free stuff without giving anything back". If it can happen, it will happen.
 
Hypocrisy and possibly criminal ...

I don't think this meets the threshold, but it's dangerously close.

Here's the original license straight off GH:

 
Is there an open source license that has provisions for this?
Closest I can think of is the Server Side Public License. Elasticsearch went to it recently, and Opensearch was born:

I think this analysis is spot on:
Pure OSS vendors are under constant pressure since their business model needs to subsidize their development and their margins are tight. Indeed, many OSS vendors are forced to an open core approach while they hold back functionality from the community (Cloudera), provide some of the closed-source functionality as a service (Databricks) or even make a complete U-turn, back to closed-source software (DataStax).

I have no idea how this is going to fall out, but will be following developments with interest.
 
I get this guy's frustration, but there is no technical solution for a social problem. You don't "own" your NPM or GitHub accounts and the license plus their control over the platforms allows them to do what they did.

For people saying fraud: what fraud? It's in very big capital letters in the MIT License that you can't claim anything of the sort. "npm update" doesn't guarantee any rights.

If he had chosen a different license, as people are ruminating about in here, the packages would never have been as popular as they are now. Qt tried and eventually converted over. They leveraged success in business in order to get where they are now.

Finally, did they determine if this was or was not the same guy who got arrested for bomb stuff in his house? That would explain a lot.
 
Marak Squires is the author of two well-known and widely used libraries on NPM, colors and faker. colors gets 20 million downloads a week with 19,000 projects relying on it, while faker has 2.8 million weekly downloads and 2,500 dependents.

Suddenly users were startled, because programs using these libraries were printing out garbage, LIBERTY or the American flag. So they thought that NPM might be compromised - again.

This is not the case - the changes were made by the author himself. He already warned last year about not "going to support" big corporations with his free work any longer, and that these corporations should either fork his projects or compensate him with a six-digit yearly job.

Since this didn't happen, Squires modified his libraries. VessOnSecurity called this action irresponsible, stating: "If you have problems with business using your free code for free, don't publish free code. By sabotaging your own widely used stuff, you hurt not only big business but anyone using it. This trains people not to update, 'coz stuff might break."

... and mostly - not to rely on this library anymore, because its author is unpredictable.
 
roccobaroccoSC A lot of things with NPM are unpredictable, or can be. Unfortunately, too many things, like online payments, rely on them. Stripe and Braintree payments require their usage, though with their own API. But the whole of their usage is through NPM.
 
Finally, did they determine if this was or was not the same guy who got arrested for bomb stuff in his house? That would explain a lot.
Yes, judging by what the press says this is the same person as the QAnon follower and amateur bombmaker. To be honest, assuming that what was written about his bomb-making stuff is true, I'm amazed he's not in jail.

While I have mixed feelings about what the person did, it is the part later on in the article that is worrying. The part I am referring to is where it is said GitHub and NPM effectively took over the dev's work while also locking the dev's account.
On the contrary, I find that completely reasonable. In a nutshell, his software is open sourced. All GitHub and/or NPM did was to create a new forked version of his software (which he explicitly allowed to happen when he released it under an OSS license, in this case the MIT license), and then substitute the forked version for the version he is maintaining.

Each part of this is reasonable and ethical. I can fork any software I want ... the BSD license for example allows me to create a new OS, and call it DSBeerF (just spelling things backwards). All I need to do is to retain the original copyright notice. Nothing prevents me from uploading the new DSBeerF product to GitHub (other than the fact that I don't actually have a GitHub account). Nothing prevents Microsoft=GitHub from renaming the original copy of FreeBSD that is stored on GitHub to old_ugly_FreeBSD_do_not_use and store my new DSBeerF in a directory named FreeBSD. And nothing prevents a packaging/upgrade tool such as NPM to install/deploy my new DSBeerF when people request FreeBSD. Now, if I did that, would Kirk ever talk to me again? Probably not. But I don't think he could stop me (or Microsoft or Github). By the way, I'm obviously not planning to do anything like that.

The important part is this. Lots of people rely on a huge ecosystem of open source software. We can argue that people rely on it too much, that people who use open source need to do a better job of performing quality control on the things they use, but those arguments don't change that today we need this stuff. Given the health of the whole computer software ecosystem, Microsoft/Github and NPM did the right thing, by rejecting certain changes (made by a person of at best questionable mental state and ethics) and publishing a different version.
 
Yep, that is pure evil, but it seems to be the trend in hosting companies.
I can't agree. This guy should be perfectly okay with it. If he feels it's within his right to basically fuck everyone using his free code, code that he's free to do whatever he likes with, then he should be happy that Github is doing whatever they like with the account they graciously allowed him to use for free. And what they're choosing to do with their own platform is remove him from it. If he wants to keep distributing his broken code, he can do it from his own server.
 
Nothing prevents Microsoft=GitHub from renaming the original copy of FreeBSD that is stored on GitHub to old_ugly_FreeBSD_do_not_use and store my new DSBeerF in a directory named FreeBSD.
Registered trademarks should prevent them :-/

But apart from that, fully agreed. Nothing "evil" here, just making sure there's no deliberate harm done on their platforms.
 