The Unclear Impact

This is amazing:
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

tl;dr:
1. a developer of a bunch of popular packages publishes new, intentionally broken versions of them as he doesn't want to support for-profit companies with his free work;
2. NPM *reverts* the packages to older versions against developer's wishes;
3. GitHub *blocks* the developer for acting "irresponsibly".

That story again: developer blocked by GitHub for making changes to his own code.

This is why and @forgefriends are so important!

Both npm projects were published under the MIT license. Publishing them under the AGPL would make Big Tech not touch it with a ten-foot pole, while allowing other free software projects to still use them.

When publishing a project, consider using AGPL. I use it for basically all my public code.

Just to be absolutely clear, as @Gargron noted in a separate thread, this is absolutely shitty of the developer to pull the rug from under everyone (including plenty of FLOSS projects, I'm sure) using his npm packages. A breach of trust indeed.

But for me it is also worth noting GitHub blocking a developer for changes made by him to his own projects.

@rysiek I don't understand why these news articles make a link between this action and a message from 2020 when the dev is currently only speaking about bizarre stuff (conspiracy) about Aaron Swartz's death. Am I missing something?

@Courgette the "faker" package now contains an Aaron Swartz related message:
https://www.npmjs.com/package/faker

@rysiek @forgefriends I recently learned that the forgefriends codebase itself is actually licensed :). Hope it stays that way. Gitea is MIT.

@gargron @rysiek If you don't want to support BigTech, then don't use "permissive" licenses. Use AGPL. The problem is: Most people don't understand Copyright and licences. So they find their way to choosealicense.com which is curated by Microsoft Github. It prominently advertises the MIT licence with "I want it simple and permissive". This phrase sounds fair and good to most people. But permissive actually means "I permit BigTech to run their profit-driven thing with my code".

@t0k @Gargron @rysiek I long changed my wording to "lax licenses" — or in German: Vogelfrei (free as in lawless — without rights).

@t0k I don't care if others make profit. I just care if they're destroying our living place, and that's why BigTech are a problem.

@Gargron @rysiek

@ffeth @gargron @rysiek Also the AGPL does allow making a profit. And that's fine. But it requires you to play a fair game. That's what the BigTech companies fundamentally don't like. Because many fundamentally can't play such a fair game.

@t0k @ffeth @Gargron that's all correct. In practice, though, Big Tech will do anything they can to keep away from AGPL'ed code, as exemplified by Google's internal policies banning their employees and contractors from even having AGPL'ed code on their work laptops:
https://opensource.google/docs/using/agpl-policy/

> Do not install AGPL-licensed programs on your workstation, Google-issued laptop, or Google-issued phone without explicit authorization from the Open Source Programs Office.

@rysiek @ffeth @gargron I wonder if that's not somehow part of a smear campaign against the AGPL. Because technically, I see no problem for Google if its employees use some AGPL program on their laptops. They don't run publicly accessible services from their laptops.

To me it feels like it's more about fighting the AGPL in general because it's bad for them. Imagine all FOSS would be AGPL: BigDisaster for BigTech.

@t0k @ffeth @Gargron oh absolutely, that's an important part of it I'm sure.

But the other, probably *more* important part is *legal risk*. The developer might not even notice that certain functionality is provided by an AGPL-licensed lib. Or, that certain products of AGPL'ed programs were checked into the work repository.

So they prefer to "play it safe" and ban developers from having any AGPL tools on their workstations.

@t0k @ffeth @Gargron and it's up to us to make that into a *feature* of AGPL.

We *can* make the fact that Google *outright bans it* from developer workstations into a selling point, so to speak, for the license.

@rysiek @ffeth @gargron AGPL - Anti-Google Public Licence

@rysiek @forgefriends what a hero. Great read. Fuck GitHub.
Npm I can understand their actions. Just trying to keep the tower of cards from collapsing.
But fuck GitHub, and fuck anyone calling him petty or irresponsible. If it's "responsible" to bend over for Fortune 500s then fuck responsibility.
Someone put this picture in the GitHub comments. Fucked if you do, fucked if you don't

@rysiek I wonder if he did it for some cash

@rysiek While GH obviously has the right to continue publishing an older version of the software, I wonder whether they retain the right to publish it *under the developer’s username*? That seems like something that should be covered by their TOS but perhaps they missed it?

@rysiek @forgefriends worth noting that the man was also previously arrested for trying to make bombs and assaulting his partner, so careful about cheering him on as some kind of righteous martyr

https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

someone also noted he tried to run a fundraiser with some kind of sob story about funding FOSS to fund his legal costs after that there incident where his house went on fire while he was building a bomb and his insurance refused to cover it

@rysiek @forgefriends like there's Aaron Swartz and then there's the Unabomber %)

@outie @forgefriends dragging Aaron into this is an absolutely crap move.

Nobody's cheering the developer. But him being a shitty jerk doesn't make everyone else here right. And the story should focus on the broader problem of how completely screwed dependency management is, and how Big Tech lives off of free work provided by FLOSS developers, rather than the personal history of that dude.

@rysiek I'm honestly unsure why this gets reported with "breaks thousands of apps", are they truly running an auto-upgrade to @latest in production or something?? lockfiles are there for a reason??
And it's not a hidden change either, any developer running their software after upgrade would immediately run into this and revert the version
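To make the lockfile point concrete, here is an added example (not from anyone in this thread) that models the two install paths: resolving a `^` range from `package.json` against whatever the registry currently offers, versus taking the version recorded in `package-lock.json`. The registry contents, version numbers and lockfile below are constructed for illustration; the caret semantics modelled are the simple major >= 1 case.

```javascript
// Added example: why a caret range picks up a freshly published release while a lockfile does not.
// REGISTRY is a constructed stand-in for the npm registry; "1.4.2" plays the role of the sabotaged release.
const REGISTRY = {
  colors: ["1.3.3", "1.4.0", "1.4.1", "1.4.2"],
};

// Split "1.4.2" into [1, 4, 2].
function parse(v) {
  return v.split(".").map(Number);
}

// Standard three-part version comparison (negative, zero or positive).
function compare(a, b) {
  const [a1, a2, a3] = parse(a), [b1, b2, b3] = parse(b);
  return a1 - b1 || a2 - b2 || a3 - b3;
}

// "^1.4.0" means: same major version and at least 1.4.0 (0.x ranges are narrower and not modelled here).
// A bare version string is an exact pin and matches only itself.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) return range === version;
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && compare(version, base) >= 0;
}

// No lockfile (plain `npm install` on a fresh checkout): the highest published version in range wins,
// so a new patch release is pulled in the moment it is published.
function resolveFromManifest(name, range) {
  const matching = REGISTRY[name].filter((v) => satisfiesCaret(range, v));
  return matching.sort(compare).pop();
}

// Lockfile present (`npm ci`): the recorded version is used as long as it still satisfies the range,
// so a newly published release changes nothing until someone updates the lock entry.
function resolveFromLockfile(name, range, lockfile) {
  const locked = lockfile.packages[`node_modules/${name}`].version;
  if (!satisfiesCaret(range, locked)) throw new Error(`lockfile out of sync for ${name}`);
  return locked;
}

// Constructed manifest and lockfile for a project depending on colors.
const manifest = { dependencies: { colors: "^1.4.0" } };
const lockfile = { packages: { "node_modules/colors": { version: "1.4.0" } } };

console.log(resolveFromManifest("colors", manifest.dependencies.colors)); // 1.4.2
console.log(resolveFromLockfile("colors", manifest.dependencies.colors, lockfile)); // 1.4.0
```

The same model explains the Dependabot point made later in the thread: an automated "update colors 1.4.0->1.4.2" PR is exactly a lockfile edit, so merging it without looking reintroduces the unpinned behaviour.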

@t0k @rysiek @ffeth @Gargron

> Imagine all FOSS would be AGPL: BigDisaster for BigTech

Wasn't there talk of putting this “you must distribute even if over a network” AGPL thing into what would become the GPLv3? Obv that was not included in v3, hence why AGPL was created. It's a shame they didn't do that (maybe GPLv4 🤔), and instead put something against “Tivo-ization” which in retrospect was almost pointless...

@ebel @t0k @ffeth @Gargron I'm just using AGPL instead of GPLv3 for my projects, even ones that are not providing network services.

I see no downsides, honestly.

@rysiek @ebel @ffeth @gargron Same. If there's no user interaction at a distance, then the AGPL is like the GPLv3 as I understand. So there's no reason not to use the AGPL. Except if you want to explicitly allow somebody to create a closed-source service.

@t0k @rysiek @ebel @ffeth @Gargron It might be a bit tricky to determine what counts as user interaction at a distance:

AGPLv3 requires a program to offer source code to “all users interacting with it remotely through a computer network.” It doesn’t matter if you call the program a “client” or a “server,” the question you need to ask is whether or not there is a reasonable expectation that a person will be interacting with the program remotely over a network.

(https://www.gnu.org/licenses/gpl-faq.html#AGPLv3ServerAsUser)

E.g., if I modified an AGPL browser and used it to chat with you via some website, would I need to offer the source code of my modifications to you? However, based on the previous opinions of the FSF (https://web.archive.org/web/20100630185154/https://www.gnu.org/licenses/gpl-faq.html#AGPLv3ServerAsUser), the intention is likely no.

This wouldn’t stop me from licensing client code as AGPL, especially since it’ll likely prevent any google employee from ever using it.

@f0x @rysiek
That's probably Microsoft's fault too. Since Dependabot was bought, it's pushed hard into repository settings, spamming you with petty "update foobar 3.17.1->3.17.3" PRs. People will just hit merge to get rid of that crap.

@jollyrogue @ebel @t0k @ffeth @Gargron I tend to think of AGPL as GPLv4, in fact.

@rysiek @gargron
I have not followed this closely, but if the developer objected to the use of their code, why did they not delete it instead of crippling it?

@wim_v12e @rysiek My understanding is that after the left-pad incident, you can't delete NPM packages once they have been posted for more than a short time. It is to prevent someone from basically deleting their code and breaking everything.

@dmoonfire @rysiek

"The Left-Pad Incident"

sounds almost like a spy thriller ^_^

@rysiek @forgefriends

Wait, is that Marak the gamer gator who got caught trying to build a bomb?

Jesus Christ

@celesteh @forgefriends yes. And now he is becoming the poster child for media claiming "open source is so insecure".

Everything about this is fscked.

@wim_v12e @dmoonfire @rysiek it was a drama actually

@reto @wim_v12e @dmoonfire dunno, seemed like dark comedy to me

@rysiek @jollyrogue @t0k @ffeth @Gargron well sure, but many projects are “GPL v2 or later” so if GPLv4 really did have this clause, then lots of free software would suddenly have this clause

@bob very much this.

Additionally, they further fracture the commons of libre code. And that plays right into the hands of Big Tech and the like.

@ebel @t0k @rysiek @ffeth @Gargron Yeah, GPLv4 or v5 really need to go full commie. There are too many capitalist loopholes. Like, it doesn’t specify the project should be buildable by the general public or any changes have to be public regardless.

The GPL is not as fearsome as it could be.

@jollyrogue @ebel @t0k @rysiek @ffeth @Gargron GPLv2 actually does specify that it has to be buildable and installable: https://sfconservancy.org/blog/2021/mar/25/install-gplv2/

@jollyrogue @t0k @rysiek @ffeth

🤔 The OSI (& term “open source”) was created to be “business friendly Free Software” so obv. they'd never adopt that approach.

The /“Free Software” have always tried to distance themselves from Open Source, so “going full commie” (your words) *could* be a way to do that. 🤔

(But, given how the FSF stuck with RMS, I doubt FSF would change at all that way, so alas I don't think this'd happen)

@ebel @t0k @rysiek @ffeth I don’t see the FSF fixing the GPL either. They’re too capitalist.

@jollyrogue I long for an anticapitalist / anarchist FLOSS org/group...

@ebel What would that even look like?

@ebel Or better what should it be named? Software Liberation Front?

@jollyrogue I'm not sure... Mentally I've been calling it “third wave FLOSS” (1st = RMS & FSF founding (mid 80s), 2nd = OSI & “open source” (late 90s on)).

Have you seen “Ethical Source”? https://ethicalsource.dev/

@ebel @jollyrogue I don't see those as particularly anarchist of anti-capitalist. They do the same thing as center-social-liberal policy does for regulating the details of capitalism.

@clacke @ebel @jollyrogue the most promising direction I've seen is Kleiner's proposal of copyfarleft (Peer Production License, for ex. https://wiki.p2pfoundation.net/Peer_Production_License) and venture communism, which differentiate along class lines. This means full FOSS rights for workers and licensing terms for organizations that exploit other people's labour (pay to use). Not foss, yes, argues for the need to go beyond foss. http://telekommunisten.net/the-telekommunist-manifesto/
@bob @rysiek

@rysiek @forgefriends While I do not stand on either side, I also fail to see how AGPL would solve this particular problem. Not that I do not recommend the license for its particular use case (preventing a probable big tech misuse), could you please detail how it would be useful in this particular case?

At the end of the day, the code has to be hosted somewhere, no matter the license. Maybe it was related to the fact he was not happy with the misuse part?

@peterbabic @forgefriends the grievance that the developer had was that "Fortune 500 companies" are using his code effectively for free.

Such companies tend to keep away from AGPL. In fact, they avoid it like the plague. Case in point:
https://opensource.google/docs/using/agpl-policy/

So, licensing his code under AGPL would make them not use it (especially if the code was AGPLed from the start), while at the same time allowing many FLOSS projects to still use the code.