Open source ‘protestware’ harms Open Source (opensource.org)
336 points by TangerineDream on March 24, 2022 | 534 comments



To be honest, I'm annoyed by the benign protestware messages when they start to get in the way of using the software, particularly on mobile. I was looking at the isomorphic git documentation the other day, and noticed that their "#BlackLivesMatter #DefundThePolice" banner scrolls under the rest of the content, leaving this annoying gap that takes up screen real estate, especially in landscape mode on a phone.[0] What's the point? Is a single person going to be persuaded to support either cause by seeing this banner on a relatively niche JS library that reduces readability of its documentation? Will anyone find the library any more useful because they support the cause? (I support neither cause, but find the library useful nevertheless.)

Recently, I saw a similar pattern with the Svelte REPL adding a pro-Ukraine message.[1] The banner along the bottom is so large that landscape mode becomes unusable, and non-trivial examples are hard to see even in portrait mode. Again, who does this help? (I support Ukraine, so feel like, "yeah, I get it; can I close the banner now?")

The worst part about these patterns is that they can't be disabled and seem to be deployed haphazardly without regard for the overall design.

While these aren't malware, they are still hostile for the majority of users who aren't so gung ho in their support for the current thing.

[0] https://isomorphic-git.org/docs/en/deleteBranch

[1] https://svelte.dev/repl/hello-world?version=3.46.4


The Svelte banner looks ok on desktop, but yeah seriously problematic on mobile.

I think this is an outgrowth of the "use whatever power you have to push for change" culture. It has been highly effective in the past, particularly with gay marriage, and I think those victories gave it enough gas to run for many years even without success. There's also the social points that one gets from it as well. I know of at least one project that added a BLM banner to their site because of social pressure, even though they felt that much of the protesting had gone too far (burning businesses, looting, blocking traffic, etc). The whole "not to take a side is to take a side" is a powerful social pressure to conform. I know of one other project that added a BLM banner so they could get on an "awesome list of BLM supporting software" or something like that which drove them a lot of traffic. Anyway my point is that there are lots of motivations for such, and I suspect many if not most aren't because the person has a deep and abiding passion for the cause (though without a doubt, some do).


There was a package (that I won’t name) which completely removed their online documentation and replaced it with a BLM message for a period of time. I was floored at that unprofessional behavior. Now when I link to their docs, I always use archive.org to make sure other users don’t run into a similar issue in the future.


To be clear, if you are not paying them, there should be no expectation of service. Open source is something they offer out of passion or goodwill, both of which can change at any time.


It’s not the expectation, it’s the reputation of the project. If a project does dumb stuff like taking down existing documentation, that reflects poorly on the project. It shows poor judgement and unreliability.

I don’t require them to be smart and professional, but they should be or will lose users. Thanks to OSS, I can just fork. But being OSS doesn’t mean you can suck and be random and still stay useful to people.

Of course if it’s your project, you’re free to do whatever you would like.


Open source (and by extension a large chunk of software industry) runs on the expectation that people won't do random disruptive things even if it is plainly stated in the license that there is no such guarantee. Perhaps we should move away from this expectation (and events such as these will certainly accelerate the transition), but this is the current state of affairs.


> Open source (and by extension a large chunk of software industry) runs on the expectation that people won't do random disruptive things even if it is plainly stated in the license that there is no such guarantee.

Counterpoint: much of our industry is often described as being in the business of disruptive technology.

It's been educational for me to watch how developers are reacting when they're on the receiving end of the disruption.


There's industry disruption and there's bs like this. If I threw in a random CTD and called it "DISRUPTION" , I'd be rightly laughed out of the room.


> I was floored at that unprofessional behavior.

Profession - "A professional is a member of a profession or any person who earns a living from a specified professional activity. "

If you want professional behavior, pay the person.

If you want free, you get whatever the person wants to give you for free.


The term professional is clearly applicable to software engineers working on open source projects, just as it is for lawyers doing pro bono work, and just like a plumber fixing his neighbors' sink for free is still performing his trade and expected to do work that upholds its standards.

No one is required to do any work for an open source project, but they are expected to behave in a professional manner and plenty of people have been rightly criticized here when they acted inappropriately as part of an open source team.

It's debatable whether OP is right, but there's at least a case to be made that taking down documentation that was not costing any money to host for the sole purpose of making an unrelated statement (not one targeted at their customers, just society in general) does damage the professional reputation of the team and its product.


I would agree that doing stunts is likely to damage a team's reputation, but I think you cast way too large a net to say that software engineers working on open source projects are professional, or even acting as professionals. The OSS ecosystem is filled with everything from large well run organizations to kids posting simple tools that are filled with bugs and vulnerabilities. There are no good expectations beyond use at your own risk. Even large professional organizations kill projects and leave people hanging.


How 'bout if I go one commit back, and get what they wanted to give me for free one commit ago?

Anyway, if we ignore for now the circularity of that definition of "professional" and take it at face value, then swapping out your open-source docs for a political message would fail the definition of professional, not just based on the "earn a living" part, but also on the "specified professional activity" part. Assuming we're using their repo because it's, like, for programming computers and shit, we might be surprised to find out they had changed their profession from computer-programmer and computer-program-explainer, to worked-up self-important opinion-haver. Which even fewer people would pay money for, by the way.


If you want people to use your stuff, which you probably do because you put it out there, be professional.

If you don't care, then do whatever the hell you want of course.


These actions can be classed as slacktivism and as impotent virtue-signaling, sure, but I believe that the actors of these methods of protest are trying to do what the left calls "creating safe spaces" and genuinely feel that they are "showing their support" and therefore somehow...helping. The thing is, they may be achieving that first part - creating a safe space, perhaps unwittingly marginalising, demonising, and isolating the very people who can effect the most change (i.e. politicians, policemen, Russian people, going by the examples of causes in OP's post alone), at a further cost of inconveniencing absolutely everyone - testing the resolve of existing allies, and likely creating new opponents out of those who were on the fence or apathetic.


It's basically taking the "Thoughts and prayers" under a Facebook post to the next level.

It would be fine if the banner was close-able or displayed once a day or something along the lines of that. The problem isn't that they're showing support. It's doing it a completely obnoxious way that's the issue.

If you are one of the people doing this, look around you. Literally everyone slapped a BLM banner on their website, when everyone has done that yours literally adds nothing. Sure, put that message up there, but make it close-able. Not something that takes up valuable screen real-estate permanently.


That doesn't have much to do with open source, though. Corporations selling proprietary stuff are more than happy to slap slogans and hashtags all over it to promote their devotion to some political cause of the day. Unlike open source "as-is no warranty clauses," their licenses tend to come with a guarantee saying they can't just stop working or break the rest of your system on purpose, though, and if they do, you get a support engineer helping you until it's fixed.

Really, even that doesn't have much to do with open source, since companies exist that develop entirely open source products but offer paid support and enterprise contracts with warranties and guarantees. What this really damages is the reputation of ecosystems that rely upon foundational libraries made by hobbyists and one-man operations as weekend side projects.


>>Is a single person going to be persuaded to support either cause by seeing this banner on a relatively niche JS library that reduces readability of its documentation?

The purpose of the banner is not to convert anyone, the purpose is to demonstrate that the author of the package subscribes to the correct opinions.


This is a bad take. The purpose is, at least partially, that the author of the package subscribes to these opinions rather than others, sure. But this doesn't necessarily have anything to do with them being "right" or not. I don't get a lot of capital at Hacker News by saying that I support Black Lives Matter, but if I do so (and I'm doing so) does that mean I only want to display that I subscribe to the "correct" opinions?

Plus, demonstrating what opinions are held is not the whole point. Part of it is telling others who support those causes that they're not alone. And it's also partially a "fuck you" to those who are triggered by mentions of causes like Black Lives Matter.


I think the person concerned is taking zero personal risk by displaying a view that is backed up by 99% of all media (even if not 99% of all people).

If they had a banner saying "Trump 2024" or "The AZOV Battalion are Nazis" I might not agree with them, but at least they are taking some personal risk of cancellation.


Criticising the silent majority when they try not to be silent anymore with "you're not taking any risks, so stay silent" is a bad take.


I'm highlighting the emptiness of the moral grandstanding.


We appear to have burned 393... Wait, 394... user comments on the subject.

So if it's empty, so is commenting on HN, I'd extrapolate. Otherwise, it's gotten the attention of the sort of people who comment on HN, and that's something.


I think HN folks are commenting because:

1. These political threads always bring out the most ideologically strident folk

2. Developer time/experience is impacted by these changes.

While I personally think these banners are fine and good to raise awareness, I do agree that there's a moral grandstanding element as well. I'm often puzzled why it's so controversial a belief to have. I don't see why folks are so annoyed at these banners though because I've been annoyed for years and years at crappy ASCII/figlet drawings that libraries/apps output that are garbled in my terminal's width/encoding and yet people still add those.


Fox News is part of the media, conservatives cancel people too, and calling the Azov Battalion Nazis is not exactly controversial. They're pretty open about that.

But mostly I'm wondering why it matters if they're taking a personal risk or not. How is that relevant to anything?


As a less cynical take: When it comes to Ukraine support, the banner could theoretically have an anti-propaganda effect. Russian and Chinese citizens are cut off or pushed away from world political discourse in a lot of ways, so using open source libraries as a vector for anti-Russia messaging could have a real effect on devs in those countries.


Two counterpoints: 1) the kind of people that use open-source libraries are one of the most plugged into the world political discourse parts of the population (BTW I am not sure that this is unequivocally a good thing, this "discourse" is just another brand of propaganda at this point) and 2) If some random open-source maintainer from across the ocean starts lecturing me that I am guilty of not overthrowing Putin or, worse, wipes my hard drive, I'm not going to be moved by this, I'm just going to think that this person is out of touch and be really annoyed.


So basically virtue signalling


The term “virtue signaling” is a pet peeve of mine. Like the word “problematic” it’s too vague and broad to be useful. The implication seems to usually be that it’s all talk and no action. But if we’re talking, as we are now, that’s completely separate from my actions. Like, if I say “pollution is bad” and don’t do anything in my life to reduce pollution that’s virtue signaling, but it’s not if I’ve dedicated my life to reducing global pollution? How are you supposed to know what I have or have not done in real life during this convo.

So either virtue signaling applies anytime someone expresses an opinion about something moral, in which case it’s a useless truism. Or it’s meant to express doubt or challenge someone to prove that they take action, in which case who owes you proof?

Putting a statement of support for a cause in your open source repo may or may not have any direct impact, but it is personal expression - and in general I am for personal expression.


> general I am for personal expression.

I’m for signal, not noise. I don’t want stupid personal expressions, I want meaningful or beautiful or somehow useful.

I used to work with a person who would raise their hand in every presentation and say “security is important how is this software secure” even when it wasn’t anywhere remotely relevant. It was counterproductive and distracting and wasted valuable time that we could use to do something better.


> I don’t want stupid personal expressions, I want meaningful or beautiful or somehow useful.

I guess I feel that improving our world, ending war, making our society more just and fair, these are meaningful, useful, and beautiful things to do. They might be some of the most meaningful things actually.

> It was counterproductive and distracting and wasted valuable time that we could use to do something better.

This is an argument about context. Security IS important, I imagine we'd both agree, but maybe not in that specific situation. Like if I bring up climate change while we're rushing to the hospital after a car accident. Climate change is a real and important issue, but right now it's a distraction. So is an open source website an inappropriate context to indicate support for movements or disapproval of others? I don't think so, but if you do calling it "virtue signaling" isn't what you mean, and is actually a counterproductive distraction.


None of the signalling achieves anything. It's annoying, and the signalling people really stand out. Seeing them doing the "Notice me, I'm standing for the right thing, I'm a good person!" move makes me cringe. I wish they would stop.


> None of the signalling achieves anything

This is just false. Some signaling achieves nothing, but there's plenty of signaling that has caused individuals to change their behavior, politicians to pass laws, and corporations to change their products. The thing is it's basically impossible to tell which is the useful signaling and which is shouting into the void, even as the person signaling the signals. Which drop filled the bucket?

You seem to find it annoying because you think it's being done just to SEEM good, rather than to BE good... but when it comes to issues we don't have direct control of, there's not much difference. I can ACT on my belief that texting and driving is a terrible thing to do all I want, but it doesn't stop anyone else from doing it. The only small piece of influence I have over others is to signal that I believe it's wrong whenever it's appropriate. That and lobby for tougher fines (by signaling to politicians) and technological solutions (again, by signaling to corporations).

None of this is to say you can't criticize specific gestures as being empty - but to say signaling is always empty is just false.


How do you know that it achieves nothing? Genuinely curious.


> I guess I feel that improving our world, ending war, making our society more just and fair, these are meaningful, useful, and beautiful things to do. They might be some of the most meaningful things actually.

I feel that way too. I want all those things. Adding “FreeUkraine” or “BLM” doesn’t do that. I don’t think virtue signaling is that big of a problem, but adding these phrases does nothing more than signal.

I don’t think it’s productive to call out virtue signaling in that I would never submit a PR to complain or remove. But I definitely notice it and it seems stupid. I don’t spend a lot of time thinking about it but a second or two while reading docs doesn’t make me think more highly of someone.

I think cynically it just seems like people say this instead of doing meaningful things.


One thing that might be coloring your perception is the lack of visibility into other actions. Just because a person posts #blm and it’s largely a symbolic gesture and doesn’t have a big impact, doesn’t mean they didn’t take other more tangible steps - donations, calling their representatives, boycotts, etc. - but you wouldn’t know about those. So every time you see the gesture you see inaction, when sometimes the gesture is just the tip of an iceberg of dedicated action.


>I guess I feel that improving our world, ending war, making our society more just and fair, these are meaningful, useful, and beautiful things to do.

They would be, if they actually made meaningful strides to accomplish those objectives beyond stroking the dev's ego.


I don't think signaling my beliefs ever will change anyone's mind.

However, I've gotten a lot of feedback from friends of mine that signalling my support for their cause or identity has made them feel more comfortable in the world.

That's both useful and beautiful.


While I agree with you on broad strokes, I'm sure, somewhere, someday, somebodies concerns over the security implications of a logging framework (e.g. Log4J) were brushed under the table by a statement like that.


I think security is extremely important (as is BLM), my issue in this example is that the person brought up security as questions where it was not relevant. I think that actually hurts security as it made people tune out because it wasn’t relevant. So it was like the boy who cried wolf in that when security was important it wasn’t paid attention to.

I’m not saying that security reviews shouldn’t be performed. They should. Security should be part of design and code review. But it’s not a relevant question in every single situation.


> The implication seems to usually be that it’s all talk and no action.

That's the implication. But I'm pretty sure the critics would be even angrier if the open source project had taken action.


hah, yup - that's literally why this is news right now, somebody went past talk and acted - and people are upset


Using the term ‘virtue signalling’ is itself virtue signalling.

The virtue in this case being an implied rejection of groupthink.


You can say this whenever someone speaks out about something.

You can always dismiss what they say by saying they don’t actually care, it’s just to look good.

It tells more about _your_ beliefs and what _you_ stand for than anything.

It seems a lot of HNers don’t stand for freedom too much. They stand for not being annoyed by the fallouts of this war.


Yes, but pointing out that the emperor has no clothes is mean, so we need to pretend not to notice. Despite our modern day knowledge that most human behavior is almost entirely incentive-based (the hard part is identifying the incentive), we're still supposed to pretend that it's altruism.


The good news, these people are easy to identify because their signalling is always in a very visible way. They want to be seen. And when you can identify them, you can avoid them.


Is your public signaling that you're cancelling virtue signalers virtue signaling?

"This is virtue signaling" is more of a dog whistle ingratiating yourself with a certain crowd instead of an argument. Don't know what you're trying to achieve besides that.


> is more of a dog whistle ingratiating yourself with a certain crowd

Genius move. Any concept that can be used to criticize you is implicitly outing me as part of your out-group. Now you can judge me not on my own merits, but on the merits of people you associate me with. And my posts can be well-formulated and thought-out; you disregard them for factors I cannot possibly control.

This is the partisan thinking that I don't want to have business with. This is what I ghost people for. Call it cancelling if you want to; fact is, if you are walking through the world looking for friends, my place is the wrong address.


Seems you're doing the same thing, when you claim that others who try to do something about something are just virtue signaling.


You just said "I'm cancelling virtue signalers", you didn't make any arguments I could judge based on their merit. Ergo, you're just whistling for your crowd to cheer you on. Pure virtue signaling.


What the fuck are you talking about? Who is my "crowd" you are talking of?

Judge me by my own merits, not by some other random people you picked.

Edit: After showing this to her, my wife straight out told me that you are psychotic ("einen an der Dattel haben") and that I should not argue with random internet people. Thinking about it, she is right.


So you need validation for your virtue signaling? Besides, it's "einen an der Waffel haben". Not the most brainy crowd you virtue signal towards.


I've experienced too much altruistic, generous, kind behavior to support this cynical view, unless you're defining "incentive" so widely as to be meaningless (sure, some people are incentivized to help others partially because they get good feelings by doing so -- I suppose Ayn Rand was right all along).


I don't think it's cynical at all, I think it's just accepting reality. Our advanced consciousness is just a very thin layer of abstraction on top of the same brain/mind that powers many other animals. Some of the best minds who study this, question if there's even any such thing as "free will" at all.

I don't think recognizing that is conflicting at all with a positive outlook, or the choice to be optimistic, or a humanist, etc. You can choose to believe it or choose not to believe it, and still value human life and try to progress humanity forward.

Also don't underestimate the value/incentive of following your conscience, acting out your beliefs etc. Cognitive dissonance (which results from not doing so) is deeply uncomfortable and a good motivator for being "altruistic."


I agree. I really do feel for these refugees and victims of social injustice. But when it mildly irritates me by having to scroll an extra inch or two to get to what I want to see, I feel like their efforts are being misdirected. It makes more sense for these issues to simply solve themselves without inconveniencing me.


Do you genuinely think these banners help with anything?


You and I are here discussing it, right now.


I took a look at the first site in responsive design mode and it looks like the "Branches" menu, which aims to be in a fixed spot, is getting pushed down by the extra content. The actual protest message scrolls up with the rest of it and does not get in the way of anything. Seems like a simple UX bug that could be fixed if you send the developers a bug report.


> Seems like a simple UX bug that could be fixed if you send the developers a bug report.

Something tells me that they don't want to actually fix anything and are just virtue signalling on HN.



Thanks for the suggestion! I feel stupid in retrospect, but I've never thought to submit a bug report about docs being hard to use.

Also, SQLAlchemy is badass, rockstar tech, but in a good way. Only DB abstraction layer I've used that doesn't feel like a leaky, kludgy mess.


they're virtue signaling, not trying to create change


Would you rather they signal vice?


Rather they signal nothing, to be honest. I mean it is their prerogative but it makes one think twice about the future of the software. So it's another data point. Not all or nothing. I hate all or nothing types from all sides. 99% of things are on a spectrum and I think that life should be the same. Sure some things are 0 or 1 but they are relatively rare.


I’d rather they do. Focus that energy into productive action rather than just signaling.

It’s like those people who do 50 commits instead of one to look busy. Just put that mental energy into real stuff.


Wow, why is that the only alternative?


> noticed that their "#BlackLivesMatter #DefundThePolice" banner scrolls under the rest of the content, leaving this annoying gap

People get killed and a HNer is annoyed by a gap around a banner.


The banner wavers have moved on to the next trendy thing and people are still getting killed. What was achieved by annoying HNers?


You’re at war. Maybe you don’t realize it because you can still go on with your life as if nothing was happening.

It’s not a trendy thing, it won’t go away because of some random trendy thing.

HNers annoyance couldn’t be more irrelevant. And people are still getting killed because the world has decided that this war , as bad as it is, shouldn’t interfere with business too much.

People are still getting killed because we don’t want our precious little irrelevant easy lives to be disturbed too much.

The world still hasn’t woken up. We should be alarmed and fully supporting freedom. But the world is just annoyed. I thought moral values were important to open source.


Are we still talking about BLM? Because I regret to inform you it has already gone away. The city where I lived published their provisional crimes stats for 2021 and it looks like murder rates have gone up. Most of that is gang related and black on black. Not only has the city not “defunded” the police department they’re looking to purchase what can only be described as a tank from a Homeland Security grant. There are good people working at the grassroots in the African-American community but they were there before the “awareness” and they will keep toiling after it.

It’s legitimate to ask what did all the Internet angst add to the solution? The answer it would seem is very little. I do hope it is different for Ukraine but I’m not holding my breath.


Maybe it didn't help much, and so what? Are you saying we shouldn't even try?


Precisely. We should not try things which, blatantly obviously, do not work, because it distracts and takes precious resources from things that actually do work. That applies to BLM in the same way as it applied to covid, as well as climate change and million other things. Virtue-signalling theater is distracting at best and harmful at worst.


I think virtue signalling should actually be happening more, not in the sense "I pretend to care", but in the sense "Those are the values I stand for".

I see a lot of ambiguous statements these days, from too many people. People not wanting to "take sides", but in reality not yet willing to say they only stand for their personal interests, if not for a return to the law of the fittest.

What do you stand for?


Well, it burned down a few cities, that's got to count for something.


So will plastering banners all over the internet end the war? How is it raising awareness exactly? And why aren't we raising awareness about thousands of other political, social and economic issues around the world that actually need awareness, rather than pretending to do so about the most popular issue of the day?

Politics doesn't belong in software. Some software can be political, sure, but the only purpose of these banners is good PR and virtue signalling.


> why aren't we raising awareness about thousands of other political, social and economic issues around the world that actually need awareness

Our lives are going to change. Depending on how concerned and committed western people will be, we'll have to face a major energy crisis, or give up our democracies for cheap oil & gas. If Trump is re-elected, I see nothing good coming for the west. We are living in crucial times, fascism is back in full force, our media and politicians are being bought one by one with dirty Russian money. And fascists don't feel the need to hide anymore.

But people fail to see why this war isn't yet another political, social or economic "issue". It looks like we're in for a very dark age...


The OSI article even encourages banners and other such things in one's work. If code is speech, then speech shouldn't be frowned upon when the coder uses it in their project.

The OSI is specifically calling out an incident where someone actually put malware in their code which targeted Belarus and Russia. Totally unacceptable and not a form of protected protest at all, and arguably not speech.


I honestly don't care that much if people want to put political messages in and amongst their code. The maintainer of SQLite is a devout Christian and had "the Rule of St Benedict" from the 4th century.[0] Or the person known as "Ciro Santilli," who has a bunch of anti-CCP content in various repos.[1] (I've actually considered putting some of his content into my repos as a sort of "kill switch" targeting CCP theft and misappropriation of copyright.) I fully endorse both, even though they earn me no brownie points, nor are they likely to convert the world to the one true faith nor overthrow a murderous, totalitarian regime. The only differences are that my opinions are a minority among the community, and that I simply wouldn't let the hashtag activism detract from the product. I'd certainly let people opt out of the banner, and would probably set a cookie to remember the preference for a while.

[0] https://www.sqlite.org/codeofethics.html

[1] https://github.com/cirosantilli


I feel that's because too many people still aren't seeing what their sites look like on mobile devices. I'm sure the perma-banner looked fine on desktop.


Not sure why this is downvoted. It was one of my personal hypotheses. It's a bit unusual to look at docs on mobile, or even the Svelte REPL (though using on mobile has helped me spot various UI/UX bugs with my own code).


The world is full of people who need to virtue signal even if they don't care or do anything else about the cause.


It's still better than ads, though.


It's indistinguishable from an ad.


What's the point of the thin black bar we put at the top of HN periodically?

It sounds like the underlying issue is insufficient testing of the UI layout with the new content, not the fact that there is new content.


There's a difference between providing information ("Someone significant to many members of this community has died recently") and providing a (arguably very superficial) signal of support for a cause dear to some of the developers.


I'm afraid I don't see the difference. Can you clarify?


What HN does is less obtrusive, less likely to stoke heated division amongst its users, and more relevant to the content of the site.


> What HN does is less obtrusive

Agree. I often have to click around to figure out why the black bar has shown up.

> less likely to stoke heated division amongst its users

This is interesting. Why does #BlackLivesMatter stoke heated division among HN users? And what does that say about the community that has been built here?

> and more relevant to the content of the site

I'm sure I don't agree. As the world moves further into automation, machine learning, machine analysis, and sousveillance, the interaction between technology and minorities in our communities is of vital importance to what we do. Questions of interaction between minority developers, customers, users, and community members and the majorities in those spaces impact on questions like hiring policy, behavior analysis and prediction (and the benefits and drawbacks of those tools), unequal treatment laid bare when the cameras are in the hands of the many and not the few (and the consequences of that knowledge), software that only works for a subset of users optimally because it was designed with only those users in mind, and other topics.

Software is growing to touch every part of human existence, and it's probably actually dangerous for hackers to traipse through life ignorant of that fact. We build things that impact people in a huge way, and if some groups are structurally invisible to the builders of those things, we really risk baking inequalities into the very engines of our society.


> Why does #BlackLivesMatter stoke heated division among HN users?

Simply because it is a political issue, on which people might have different opinions. And since that specific issue is not related to tech at all, it just causes conflict without any benefit.

While honoring the death of some generally respected figure in our field is hopefully less controversial and more informative.


> And since that specific issue is not related to tech at all

Black Lives Matter is heavily interwoven with the sousveillance effect... As cameras have moved from a luxury to a ubiquity, control of the narrative of how policing works has fallen out of the hands of the people who do it. It doesn't matter why multiple black men and women were shot to death... People have seen it happen, and they feel in their guts it was wrong. It's hard to get to that gut-level effect without visual stimulus; people have been writing for decades about the negative effects of violent-response-authorized policing.

Now that we know this, how will things change? Will people try to make the cameras go away, will procedures change to account for everyone having a camera, will we all adapt to being seen more often in public? And at present people generally know when they're being filmed... What of the near future, where the tech to film something could be attached to a drone flying too high or too quietly to see?

It's very, very hard to slice a clean cut between technology and its effect on societies.

https://www.wtkr.com/news/technologys-role-in-the-black-live...


> This is interesting. Why does #BlackLivesMatter stoke heated division among HN users? And what does that say about the community that has been built here?

It would stoke heated division because different users see that slogan as having different connotations. What it says about the community is that it's actually a fairly diverse community, at least in terms of their beliefs (and very likely in other respects).

> ...Software is growing to touch every part of human existence, and it's probably actually dangerous for hackers to traipse through life ignorant of that fact...

HN does not need to hang up a #BLM banner in a cheap act of virtue signaling for us as hackers to grapple with the impact we have on society. Indeed, such an act would impede productive conversations.


Given I've never in my many years using HN noticed it, I'd say it's significantly less obtrusive.


I just don't understand what the node-ipc dev was expecting when he did that.

"Hm, maybe if I put malware into a community-trusted module that destroys files of people in a certain geopolitical region, the countless innocent citizens that are affected will realize what they did wrong! Wait, who am I actually targeting again?"


My guess is that they got caught up in the socially accepted "hate fest" against citizens of a certain country, particularly by private companies.


If a company does business in Russia right now, they are giving money to the Russian government which will be used to kill Ukrainians. Let's not conflate wartime trade policy with Twitter wokeness marketing.


What about countries buying oil and gas from them?


Yes, that is bad too. However, in some cases it is necessary to prevent people from freezing, so there is a balancing act. Note that fossil fuel dependency just became a much more common political discussion item in Europe.


While it's unreasonable to expect Europeans to freeze to death to protect Ukrainians, I think there's a middle ground between "business as usual" and "protect Ukraine at all costs" that's not being considered here. Specifically, turning the temperature down to 5-10°C and wearing a coat. I doubt you'll be freezing to death in those circumstances. Is there a widespread effort by Europeans to do this? If not, then the parent is still mostly correct: Europeans are not willing to endure slight discomfort to prevent "giving money to the Russian government which will be used to kill Ukrainians".


I'm in Europe and I'd happily wear a jacket and a winter cap indoors.

And people could go by bus, subway, ride share, so less oil and gas needed for transportation.

And energy intensive industries could close for a while. Is it really more important to continue producing more cars, for example, than to try to stop the war?


> Is it really more important to continue producing more cars, for example, than to try to stop the war?

German policy of the last decade in a nutshell. Green feel-good crap for the masses while building more pipelines to Russia, literally planned to enable gas delivery even in case of conflict in Eastern Europe.


It's annoying that the politicians don't seem to think about this. Are they worried that they'd get fewer votes?

What if everyone wrote to their politicians (in one's respective country) and said that they'd happily wear extra clothes indoors?


> It's annoying that the politicians don't seem to think about this. Are they worried that they'd get fewer votes?

They're probably worried about stated preference vs revealed preference. People say that they stand with Ukraine and they're willing to make tremendous sacrifices to help Ukraine/hurt Russia. That might be true, but they might not be willing to actually pay the cost (eg. higher gas prices).


Good point.

Maybe in some cases, people won't know until afterwards, if they actually want more sanctions or not -- until after they've gotten to try it and discover how it was. Especially problems with transportation could cause anger, I suspect. Whilst extra clothes is maybe simpler.

Now I start thinking that more buses and bike lanes in a way can be seen as part of a military defense strategy, hmm. (If the population does mostly ok without oil)


> I'm in Europe and I'd happily wear a jacket and a winter cap indoors.

That's the theory. Here is probably what would happen in practice: all the people that have disposable income will swallow the cost. All the people who can't swallow the cost will pour in their last savings for a few more hours of warmth. Those who can't will start rioting, especially when their children start coughing. It's hard to tell your child "put on a jacket, dad can't pay to keep you warm" when little Jimmy next door goes on a safari next Easter. There is only so much inequality you can accept before resorting to violence. I think it's better to ensure everyone can - at least - eat, sleep, keep warm and get some access to some entertainment.

> And people could go by bus, subway, ride share, so less oil and gas needed for transportation.

In practice, many people just can't do that. Either because those transport options don't work or aren't ready yet. Think of Mr. Electrician who goes around the city in his van fixing people's homes. If he is forced to take the bus, he needs to reduce his client base to what's accessible by bus, so he can serve fewer clients per day. Or he can pay for the gas and keep his activity. Or he can just let it go and ask for welfare, increasing the burden on social security for someone who is perfectly willing, able and qualified to work if not for high gas prices. Many low earning workers will have to make a choice between going to work, and going to unemployment. We have already started to see people making that choice with the current gas prices.

Of course, highly qualified profiles who are already well paid will negotiate with their employers so that the companies swallow those added costs. Most companies will have no choice but to agree. So the people on the roads will be in the "already rich" category.

All in all, this would just increase the disparity between the upper and lower class. The upper class will swallow those costs by just saving a bit less, but generally keeping their lifestyle. The lower class will be hit the hardest, by having their spending power reduced and/or being moved to unemployment. One of these groups will benefit more from the economic recovery if/when prices go down - you can guess which one.


Thanks for the reply -- seems there's some misunderstandings. Details below.

> people who can't swallow the cost will pour in their last savings for a few more hours of warmth

Where I live, people aren't that short sighted. They bought all the toilet paper, planning months ahead.

> Those who can't will start rioting,

Eh, no. Not when they know the higher prices are for saving people in Ukraine.

But if they didn't know why, then, yes maybe.

> It's hard to tell your child "put on a jacket, dad can't pay to keep you warm" when little Jimmy next door goes to a Safari

It's easy. The parents tell the kids: "we're doing this, to save the lives of people in Ukraine, who are hiding in basements without food and water. This is how we build a society -- taking care of each other and others, as best we can."

If the politicians make it clear that it's for stopping the war, then, there'd be some social pressure for saving energy.

> > could go by bus, subway, ride share, so less oil and gas needed for transportation.

> In practice, many people just can't do that.

Seems I wasn't detailed enough.

There would be subsidies for people in the countryside, who needed their cars (no buses or subways nearby). And for farmers and public transport, and other things important for society, like, as you mentioned, electricians. And ambulances, plumbers, some others.

But most people aren't farmers or electricians.

> Many low earning workers will have to make a choice between going to work, and going to unemployment.

I wonder where you live. If it's in the US? In Europe, there are more buses and subways, and fewer people have cars.

> would just increase the disparity between the upper and lower class

Yes a bit. You could say that about the covid restrictions as well -- hit poor restaurant workers.

Seems insignificant, a luxury problem, __compared to__ tens of thousands dying in the war.


>Where I live, people aren't that short sighted. They bought all the toilet paper, planning months ahead.

1. While I acknowledge that the people you talk about exist, I suspect that they're predominantly middle class, not the poor (ie. "people who can't swallow the cost"). If you don't have a baseline amount of wealth, then it's hard to have a car to go to Costco to buy those 48 packs of toilet paper, and if your home is a shoebox 1bd apartment, you'll have a hard time finding a place to store all the stuff you bought in advance.

2. There's only so much you can do "planning months ahead". You can hoard toilet paper but not gas.

>Eh, no. Not when they know the higher prices are for saving people in Ukraine.

>But if they didn't know why, then, yes maybe.

see my other comment on revealed preferences vs stated preferences https://news.ycombinator.com/item?id=30794396

>If the politicians make it clear that it's for stopping the war, then, there'd be some social pressure for saving energy.

Why's that not happening right now?

>I wonder where you live. If it's in the US? In Europe, there are more buses and subways, and fewer people have cars.

Doesn't that argument work in the opposite direction? ie. "there are more buses and subways, and fewer people have cars", so people are already taking public transit. From there, it's pretty hard to reduce fuel consumption even further as the people who are driving probably really need it?


Sorry for the late reply. Maybe you'll never read this?

>> They bought all the toilet paper

> 1. While I acknowledge that [...]

> 2. You can hoard toilet paper but not gas.

Yes that's true. Actually my comparison here wasn't totally serious. But you're right that the state and energy companies, and the citizens, would need to co-operate a bit for this to work. Or the state could raise the gas and oil prices, for a household that has used too much. And the state could calculate the prices, so heating would work out okay I believe. Combined with jeans and sometimes a jacket and winter cap, indoors.

>> [People wouldn't get angry when] they know the higher prices are for saving people in Ukraine

> see my other comment on revealed preferences vs stated preferences

Hmm. Two things: 1) revealed preferences, for example by saying one would care about the environment, but continuing to buy environmentally destructive things. This is "passive aggressive", in that they aren't actively trying to sabotage anything -- they're just continuing life as usual, in the old more comfortable ways, not doing what they said they would.

Or 2) revealed preference, by actively protesting against the new policies -- demonstrations, even riots and smashing windows etc. But this is lots of effort. Personally, I'd be surprised if people were willing to spend time demonstrating, instead of just accepting the fact: gas and oil now cost more, so I'll put on another jumper. -- If they go outdoors to protest, they'll need to put on even more clothes! And travel somewhere. That's more work.

Meaning, raising the gas prices, and explaining why, could work pretty well I'm thinking. -- Even if people are dissatisfied, although they said they were ok with it, they are unlikely to protest or riot -- because that's more work, than just accepting the new situation?

>> If the politicians make it clear that it's for stopping the war, then, there'd be some social pressure for saving energy.

> Why's that not happening right now?

I don't think people see a relationship between their cars and indoor temperature, and how many bombs Putin has. Most humans are already poor at abstract thinking and seeing anything else than what's in front of their nose -- and this, with cars and bombs, is a slightly complex relationship? Plus, humans being a bit lazy and selfish, they wouldn't want to think in this direction at all?

I think the government and newspapers would need to explain to and motivate the people.

>> In Europe, there are more buses and subways, and fewer people have cars.

> Doesn't that argument work in the opposite direction? ie. "there are more buses and subways, and fewer people have cars", so people are already taking public transit. From there, it's pretty hard to reduce fuel consumption even further as the people who are driving probably really need it?

I'd think it's simpler to reduce fuel consumption -- there're subway lines built already, and possible to increase the subway train frequency, without having to spend 20 years building new subway lines.

Most, or everyone, I know with a car, use it for convenience, to save time. Probably I'd have done this too, if I had kids to drive from and to school. And I would have been happy if the city where I live introduced school buses, or built a ride sharing website, so I could let others go with me in my car and save fuel.

(I also replied to a sibling comment of yours, maybe you're interested: https://news.ycombinator.com/item?id=30803577 -- did you know that there are just 1.1 - 1.2 people on average in a car on the way to work? But if people shared their cars, 50% or more fuel could be saved.)


> Where I live, people aren't that short sighted. They bought all the toilet paper, planning months ahead.

Where you live, people chose to ensure that their comfort would be safeguarded, above all else, even if that led to shortages for other people. "I don't care if I have too much and other people don't have enough, as long as I am comfortable" was their motto. That has to tell you something.

> Not when they know the higher prices are for saving people in Ukraine.

Some might care, and some will accept that. Many won't. It's easy to accept some sort of disturbance when overall you don't need to worry about putting food on the table, or when a few less degrees means putting your thermostat on 21 instead of 23. When it means not being able to sleep because of cold, your views change quickly. And you start wondering why Ukraine just doesn't accept Putin's offer, which after all does not sound that bad. Are people in Crimea that much worse? And do you care so much?

> It's easy.

No, it's not. Some will manage. Many won't.

> There would be subsidies for people on the countryside

So the solution is to subsidise people in the countryside, subsidise people needing vans or trucks, subsidise people working night shifts, subsidise people living far away from a public transportation hub, subsidise people working far away from a transportation hub, subsidise people who adapt to other people's schedules, ... the list goes on. Creating a society where people depend on state subsidies just to maintain their activity is not exactly sustainable.

> In Europe, there are more buses and subways, and fewer people have cars.

I live in Benelux. I can tell you that people are stopping working because it does not financially make sense any more with the current gas price. Today! And Benelux is the poster child for a society built for bicycles; in practice it only works for 5~10% of the population. That number is increasing, but very slowly, and we are going to hit a ceiling sooner rather than later. Anecdotal evidence, but in my social circle, almost everyone moved from "bicycle and public transport" to "cars only" in the past 5 years. Trigger points are: getting a child, changing jobs to something further away from their homes, a promotion that gave access to a company car: when you are taxed > 50%, taking the cash makes little sense. None are remotely considering letting go of their car; the value is simply too big to ignore. We are very far away from a carless world despite what politicians want you to believe. And this is in a country that is usually considered to be a cyclist's dream.

> Yes a bit. You could say that about the covid restrictions as well

You are acknowledging that what you are proposing puts the biggest amount of the weight on the poor. I don't find that acceptable: if we need to have measures, the more fragile part of the population should not be the one paying for it. The upper/lower class gap is a ticking time bomb. COVID has increased it. We need to find ways to close it, not extend it even more.


> That has to tell you something

I wasn't completely serious with that comparison (that they bought all the toilet paper). But saving energy, turning down the heating, isn't that mentally advanced? And people do plan a bit ahead, otherwise people couldn't have survived in the cold parts of Europe (if they didn't plan for the winter).

> When it means not being able to sleep because of cold

Seems to me that the state and municipalities should be able to save some gas and oil, for the coldest days.

But I'd say it's not that cold. Where I live (in northern Europe), I frequently wear extra jumpers, instead of using the heaters at all -- works also with snow outdoors and the lake frozen to ice (did you try? Put on a jacket and a winter cap, if it doesn't seem to work, and double trousers and 3 x socks).

> So the solution is to subsidise people on the countryside, subsidise people needing vans or trucks [...] subsidise [...] subsidise [...] subsidise ... the list goes on [...]

Sounds like too many subsidies.

Instead, look at society's covid response: Public transport drivers, and health care workers, and teachers -- all of them got to continue working, in spite of the virus. Such job roles could be prioritized, now as well.

> Benelux is the poster child for a society built for bicycles, in practice it only works for 5~10% of the population

That's interesting. What about buses and subways? Where I live, few people go by bike. Instead, buses and subways.

Couldn't the state hire more bus drivers, in Benelux, so fewer people needed cars. And people could do ride sharing, so there wasn't just 1 person per car. There could be ride sharing websites, and the state could ask everyone to use them.

Look at this:

Occupancy rate (passengers per vehicle), Commuting to/from work: 1.1 - 1.2

https://www.eea.europa.eu/publications/ENVISSUENo12/page029....

But one can fit 5 people in a car. This indicates that by coordinating traveling to / from work, the gas needed for commuting, could be reduced (theoretically almost 80% but I suppose 50% would be more realistic).

> Trigger points are : getting a child, changing jobs to something further away [...]

Interesting.

> We are very far away from a carless world

Hmm, what you describe sounds like a careless world to me? I mean, people prioritizing their cars and gas, and being okay with others then more likely getting bombed, elsewhere. (Don't know if you meant to write something else)

> puts the biggest amount of the weight on the poor. I don't find that acceptable

Do you find it acceptable, though, to give money to Putin so he can continue bombing? That sounds like a greater evil to me.

It's about choosing the least bad thing, I think.

There's also rationing -- controlled distribution of gas and oil, so everyone got the same amount. Or, prices could be low, until one's household had consumed X amount of gas -- then, the prices would rise, sharply, for that household. A bit like progressive taxes, but for gas and oil.


People in the EU are not going to freeze to death even if Russian gas and oil are banned. Germany would lose a few percent of GDP, equivalent to a couple hundred bucks per capita. I would be surprised if they pull off the ban before this winter is over, though.

FWIW people in Ukraine are already freezing to death, thanks to Russia's deliberate attacks on infrastructure.


What about countries buying oil and gas from them?

They're almost all (except India) moving away from that. It's not something that can be done overnight. It's been in the news for almost a month now.


There are US companies still selling health products to Russian citizens. What is the expectation, to let them die? I fully understand that cars, fast food, liqueur or perfumes are things to stop selling, but essential products not. The average Ivan and Natasha should not receive a collective punishment (to death in some cases) for what some guy they may not have even voted for is doing.


Everyone selling pharmaceuticals should follow Pfizer's example and donate profits from sales in Russia:

https://www.fastcompany.com/90731145/pfizer-is-donating-its-...


Why should other companies do that?


If a company shows support for the Ukraine, then they are giving aid and comfort to the Ukrainian military who was shelling civilians in the Donbass region for the past decade.


Your comment has the implication (intended or unintended) that Ukraine was the instigator as far as ceasefire violations go. As far as I can tell, that's not true. However, the real way to find out for sure would be to go through the OSCE SMM reports[1] about ceasefire violations and determine what percentage of them were likely from Ukrainian-controlled territory versus separatist-controlled territory.

[1] https://www.osce.org/ukraine-smm/reports


Your comment has the implication (intended or unintended) that there are situations where civilian casualties are perfectly acceptable.

My only real point was that who the Good Guys and who the Bad Guys are in Ukraine are predetermined by the set of assumptions you start with. Everybody who was paying attention isn't that surprised by the invasion. It's not even a puzzle as to why Russia would do it. They spelled it out quite clearly, and have been saying it for years.

Which is why I find the media narrative annoying. It's an almost perfect example of gaslighting. The only response to Russia's complaints about NATO meddling in Ukraine being provocative is to make some kind of counter-offer to offset the provocation. To suggest that there wasn't any meddling, or that Russia just invaded out of the blue for no good reason other than sheer evilness, is either staggeringly wrong, or a deliberate lie.


Are you saying Russia is not a bad actor here? I'm not very convinced by your arguments.


Does “bad” have some technical definition here? Or are you just expressing dislike for the Russian regime and its actions?


All I'm saying is that they have legitimate national concerns here. There are distinct parallels to the Soviets trying to put missiles in Cuba. I don't have to be a big fan of Putin to recognize this.

Interestingly, at least I am making arguments. The media narrative of Putin simply being crazy is deeply unserious.

But if Russia is the bad actor here for invading a neighboring country that was attacking ethnic Russians in their territory and was flirting with joining a specific international coalition that was anti-Russian, what does that make the United States with all of our foreign adventurism?


They’ll most likely use it to pay their employees, since employment costs are the biggest chunk of expenses for many companies. From the money that goes to the government, some will go to fund the war, but some will go towards social support, maintenance, etc just like any other country.

Where does this black and white caricature of an idea come from if not twitter? Acting like all the money in Russia is used to make bullets which are sent directly to the front.

Not to mention that there’s quite a few countries killing people today and nearly nobody’s boycotting them.


I know this will get labeled as whataboutism, so to pre-empt that I am suggesting sanctions and Hague charges for all perpetrators, but what is uniquely bad about killing Ukrainians over Syrians, Libyans, or Iraqis?


From the point of view of American isolationists, there is no difference. There is a difference for Europeans, in that Ukraine being engulfed by a full scale war will result in around 40M refugees in the EU, almost 10% of EU population. That's an order of magnitude bigger than the previous migration wave. It's also an order of magnitude faster. Over 10M people have been displaced already.

Some numbers: https://en.wikipedia.org/wiki/2022_Ukrainian_refugee_crisis , note the dates.


I think you are reversing causality here. No doubt the EU could have seen similar numbers of refugees from Syria and Iraq and Afghanistan, had they allowed them in.


Before the current crisis, there were >1M Ukrainian workers in Poland, hundreds of thousands in Slovakia, Czechia, etc. The world where Polish, Slovak or Baltic people watch dying Ukrainians through their border fences was never going to exist. The possibility only ever existed in the minds of some confused Americans and maybe western Europeans. German policy in the previous refugee crisis (especially with regard to non-Syrian migrants) literally made the present course the only possible one -- something along the lines of "If we are letting random Africans in, how can we not let the Ukrainians in." is hard to argue with.

On the other hand, accepting even fewer refugees in the previous crisis is something that was definitely (politically) possible at the time.


After ISIS rose I gave up the idea that countries like Syria, Iraq etc. can ever become anything more than "hellholes", at least in my lifetime. Certain areas like Kurdistan excepted (and I hope for and support their recognition as a state), but in general there will always be one strongman or another.

But Ukraine was different (and I hope it still will be), turning from the world of the strongman and toward Europe and modern freedoms. It was on the same trajectory that Poland went on 18 years ago: a massively better life for the average, ordinary person. Ukraine had troubles, but those were solvable because that is what they wanted.

All of that is now ground up along with so many children under the rubble in the streets because Putin had to establish a slightly larger state.

So when Ukraine was killed, not only were the civilians there massacred, so was the future of the entire country, or at least it was pushed another generation into the future.

I hope neither of the perpetrators ever makes it to the Hague; a few years in prison is nowhere near enough punishment.


All this comment shows to me is you knew very little about Syria & Iraq. The cultural & population centers of Syria were never taken by ISIS and Damascus prior to 2011 would not have felt as "hellhole"-esque as I think you are imagining.

> turning from the world of the strongman and toward Europe and modern freedoms

Towards Europe, certainly, but also towards nationalism - undoubtedly. It is not a "modern freedom" to ban minority languages from schools and government, restrict regional autonomy, etc.


> to ban minority languages from schools

Please, it's not a ban. The relevant law only applies to state-funded schools and makes sure that students who don't speak Ukrainian gradually learn it over the years and start using it in school:

_https://ukrainian-studies.ca/2020/08/01/ukraines-russian-lan...

If Ukraine hadn't been the target of Russian territorial expansionism, we could argue that this law is overreaching. However, Russia had claimed the right to "defend Russian-speaking people" outside of Russia before invading Ukraine in 2014 (the law was passed in 2017). Under these conditions, passing such a law was practically a question of self-preservation.


> Please, it's not a ban. The relevant law only applies to state-funded schools and makes sure that students who don't speak Ukrainian gradually learn it over the years and start using it in school:

Really? Reading your source it seems that it explicitly states "Ukrainian as the only means of instruction in schools after the primary division." Saying that this only applies to "state-funded schools" may be true, but you're papering over the fact that your own source indicates that fewer than 1% of students attend non-public schools.

From your own source:

> The Law determines three patterns for Ukrainian-language instruction in secondary schools of Ukraine. The first concerns indigenous peoples such as the Crimean Tatars, who have the right to be educated in their own language, with Ukrainian taught as a separate subject, at any school stage. The second pattern addresses Ukraine’s national minorities whose languages are official languages of the EU. The primary school division is available for them in their minority language (with Ukrainian as a separate subject), while higher divisions see a graduated expansion of Ukrainian-language instruction—from twenty percent in fifth year to forty percent in ninth year of middle (junior high) school and to sixty percent of all subjects during the three years of high school. The third pattern applies to “other minorities,” i.e., Russians and Russian-speaking Ukrainians who attend Russian-language secondary schools. For them, Ukrainian-language instruction should be at a minimum of eighty percent in both middle and high schools, with the opportunity to have Russian taught as a subject or elective. The Law also clearly states that these provisions apply to state-funded schools only and entitles all private schools to a free choice of their language of instruction; nevertheless, private schools must teach the Ukrainian language and ensure that their students acquire the fluency standard defined by the state.

Seems from reading this that Russian is specifically targeted and proscribed from being taught in schools. Keep in mind there are entire regions of Ukraine where Russian is the predominant language. And we wonder why people in Crimea wanted to leave after Euromaidan...

> Under these conditions, passing such a law was practically a question of self-preservation.

By eliminating Russian speaking people in Ukraine? Not a great justification.


> Seems from reading this that Russian is specifically targeted and proscribed from being taught in schools

Seems to me you cited the part where it is explicitly allowed to be taught in schools, both private and public, contradicting your claim that it is “proscribed from being taught in schools”.


Again, the Euromaidan happened in 2014.

This law was passed in 2017, 3 years after the Euromaidan, because Russia invaded Ukraine giving the mere existence of the Russian language in Ukraine as the reason for the invasion.

> And we wonder why people in Crimea wanted to leave after Euromaidan...

> By eliminating Russian speaking people in Ukraine? Not a great justification.

I see. I made the mistake of assuming you were arguing in good faith. Won't happen again; have a nice day!


> This law was passed in 2017, 3 years after the Euromaidan, because Russia invaded Ukraine giving the mere existence of the Russian language in Ukraine as the reason for the invasion.

Russia also invaded Ukraine in 2014. The parliament voted to ban Russian language in schools immediately after 2014, it was only vetoed by the president at the time.

> I see. I made the mistake of assuming you were arguing in good faith. Won't happen again; have a nice day!

I am arguing in good faith - you claimed that the reason they stopped teaching Russian in schools was due to the Russian invasion, but there is ample evidence of attempts to do this prior to the Russian invasion.


Your link is broken.


Thanks, updated.


I haven't seen anyone in this thread, or anywhere else, state that killing Ukrainians is uniquely bad. Do you have a source for this assertion?


Then, if you live in a western country, stop paying taxes because it supports killing innocent people, and to a much larger extent than what is going on in Ukraine.

Leave your job because tech companies have contracts with the government/"defense industry" and also pay taxes.

Don't buy anything from the grocery stores.

Cancel your flight if it's on an Airbus/Boeing.

Otherwise, it's all empty talk. To be clear, it absolutely is in my opinion.


What specifically is empty talk? Someone can support Ukraine for a number of reasons that don't require withdrawing from all life in a western nation. They might trust that their rulers have evaluated most alternatives before deploying military options and do not kill indiscriminately. You might scoff, but I suspect most people are at least somewhat in that boat; even if they think that the US shouldn't have invaded Iraq, for example, they probably think it wasn't that bad and that murders of civilians were minimal. That doesn't mean that they don't or shouldn't protest the invasion of Ukraine, though it probably does mean that they should reflect further.

They might also believe that invading Ukraine is uniquely bad because it is a developed western nation within mainland Europe, setting a terrible precedent. Or they might simply not have thought very much about the contradiction. And I note that you're lumping every western nation under the same category when some are much less objectionable than others; in how many developing nations has Finland engaged in extralegal murder?

That said, yes, the costs of protesting the invasion of Ukraine are lower than those of protesting everything the US government does overseas. So what? The costs are lower for me to buy Kroger brand soft drinks, too; that doesn't mean my opinions about the flavor are just empty talk.


> murders of civilians were minimal.

But nobody (AFAIK) is contesting that the US killed more civilians in Iraq or in Syria (or second-order in Libya) than Russia has killed in Ukraine.

Your argument is that people perceive it as okay because the intentions were good? Our government could not foresee that these people would die, it was unexpected?

Or were they unintended consequences that were foreseen? I don't believe such a distinction is defensible, if you foresee the consequence and do it anyways, you intended such a consequence.


> Your argument is that people perceive it as okay because the intentions were good?

Even worse, I think the argument is that the intentions were good because it was our rulers who did it, not theirs. Our rulers are careful and thoughtful, while theirs are evil and cruel.


> But nobody (AFAIK) is contesting that the US killed more civilians in Iraq or in Syria (or second-order in Libya) than Russia has killed in Ukraine.

That's missing the point. Nobody with knowledge of the matter is contesting that, but plenty of people lack that knowledge. This means that they're not willfully ignoring the kind of contradiction that would make their opinions about Ukraine "empty talk".

> Your argument is that people perceive it as okay because the intentions were good?

No, my opinion is that many people don't realize how objectionably the US has behaved in the past (and currently), so it's not apropos to call them out on a contradiction that invalidates their outlook on Russia's invasion. Call them out on ignorance all you like, though.


It is kind of crazy when one remembers all the human rights abuses that companies providing popular products and services tolerate and benefit from, and where the tax money goes. It is almost as if, if the goal is to be consistent and avoid hypocrisy, the only two options are abandoning the modern lifestyle... or not protesting at all.


Actions speak louder than words and the reaction to the current conflict is certainly unique. I haven't heard of people pressuring companies to stop doing business with the US due to the Iraq war.


The simplest explanation is that US companies + media + government is the only group with enough clout to do this, and they will not sanction themselves.

It's not like there's a Netherlands invasion of Germany for us to all use as a neutral reference.


I think you are conflating things here. Sure, US govt is not going to sanction itself. But I don't perceive the general populace as being as outraged by lives lost when the US bombs a hospital in Afghanistan as opposed to when Russia bombs a theater in Ukraine.


I would posit that the ratio of the number of people who know about it to the number of people outraged about it is similar in both examples. It's really about which got the 24/7 coverage.


They are obliquely complaining that the US gets a free pass to blow up civilians in other countries in the course of pursuing its own geopolitical goals, and by extension the US armed forces are exempt from international prosecution.

As for domestic prosecution, the record is mixed, but there was that high-profile case that got a presidential pardon.


None of this is hate against the citizens. No one wants to hurt the innocent people in Russia. But pulling out of Russia is about the only thing that anyone can do to slow the flow of money that will be used to fund the invasion of Ukraine.

The optimal thing would be to push the Russians out of Ukraine with military force, though that is also going to leave many dead. Just because they're soldiers doesn't mean they deserve death. But that's not an option anyway, because a NATO country joining the fight directly will cause World War 3. At best we end up with multiple countries from both sides joining the fight. At worst the nukes start flying.


> No one wants to hurt the innocent people in Russia.

The actions of the node-ipc maintainer seem to provide evidence against this assertion.


And it's also well known that innocent people are those who eventually end up paying the highest price for the sanctions.


> The optimal thing would be to push the Russians out of Ukraine with military force, though that is also going to leave many dead.

And the primary victims will be Ukrainian. Even considering that Europe has its arms open to this particular class of refugee, the country that they left will be a smoking crater. I wish we'd stop pretending that we're arming the Ukrainians for the Ukrainians' sake; we're trying to extend the war as long as possible in order to economically destroy Russia. The end stage of that is Western and central Ukraine being reduced to dust.

Russia has committed something like 15% of its military so far IIRC. This is just a matter of time. Ukrainians are being pushed through jingoistic nationalist propaganda (which is enforced at the borders if men who are old enough to carry a weapon try to leave) to destroy their country, and letting extreme-right minorities of the population (who are basically Banderaite lost-cause Nazis) lead. Those groups are happy to burn their country so the disgusting muslim commies won't rule it, and to die in glorious battle against them.

The disgusting thing is Americans are parroting the Azov rhetoric, too. Fat slobs sitting on a couch watching MSNBC/FOX/CNN all day and yelling at the television are calling Ukrainians traitors for leaving, and demanding that they be armed and sent back in.

The optimal thing is not to push the Russians out of Ukraine with military force, it's for Ukraine to give up. The world has shown it's willing to take white refugees, so those that fear Russian persecution can escape. Plenty would have happily emigrated without the Russian invasion, but the doors to Europe and the US were shut to them before. NATO re-promises not to put their alliance whose animating premise is anti-Russian on the borders of Russia. Ukraine rebuilds and normalizes.

What have they lost anyway? They were dominated by the Russians (and hopelessly corrupt), then a Western-incited and funded coup used the extreme-right element to install a (hopelessly corrupt) puppet who left office with a 5% approval rating, so the public elected an actor who played a president on television (also fully owned by an oligarch), which is an act so desperate, it would seem insane if the US hadn't elected a guy who played a boss on television to be president, or Italy hadn't handed its politics to a comedian playing the wise fool, or Boris Johnson hadn't been. Russia and the US trashed Ukraine, and we're cheering them on while they finish the job.

Even better, maybe we can push Russia into using some tiny nuke that we can't justify destroying the entire world over. Because the fact is, if they nuke Ukraine, we're not going to do shit. They know it. Let's make them feel so victimized to the man that they do it to reclaim some face, and piss the average Russian civilian off so much that they feel like there's nothing left to lose but their pride.


>"Hm, maybe if I put malware into a community-trusted module that destroys files of people in a certain geopolitical region, the countless innocent citizens that are affected will realize what they did wrong! Wait, who am I actually targeting again?"

"yeah but countless Ukrainian women and children are getting murdered by Russians! surely a few wiped hard drives is worth it to raise awareness?"

/s of course, but people who hold this view sincerely aren't hard to find.


Worse, he also provides ammunition for Kremlin propaganda. Which already is easier because people don't trust the press. Which is also understandable because some write a lot of bullshit.


I don't buy this argument. It's the same argument used for "Well the Democrats can't talk about/attempt doing X because the Republicans will misrepresent it and twist their words" when at the end of the day the Republicans will manufacture whatever they want regardless of what the Democrats say. Better to be called a "socialist" while actively trying to do something that will help people versus still being called a "socialist" while doing nothing.

Kremlin is going to Kremlin, aka lie and spread propaganda. Let's not pretend that protestware is making their job so much easier, it's a tiny drop in a tsunami of lies and disinformation that the Kremlin puts out daily.


And he used a third-party service to do the geolocation, so whoever maintains that could have caused significant damage by changing it to return fake responses.


I just don't understand what Western governments were thinking when they sanctioned Russian businesses.

"Hm, maybe if I put laws into the books that destroy the economy of a country and drive people in a certain geopolitical region into poverty, the countless innocent citizens that are affected will realize what they did wrong! Wait, who am I actually targeting again?"

Oh wait.


It's like they never looked at the effects of the Treaty of Versailles.


Poverty and economic distress, deliberately exacerbated by the West, was what took down the USSR... and the fall of the USSR was one of the great achievements of the 2nd half of the 20th century.


Exactly, demonstrating how laughable the comments here are. Malware is somehow supposed to be worse than the far more painful sanctions, it's fascinating to see how detached from reality many commenters here are.

Both the sanctions and wiper malware targeting Russia are good things.


Surprised I didn't see this elsewhere in the thread but what they were thinking was totally different. From what I've heard the code wasn't meant to destroy files, it was buggy.

Sure it was negligence with a bad outcome, but the intentions were good.


How about:

“Actors in this geopolitical region are killing people and destroying infrastructure, and I am going to do everything in my power to disrupt them”

“If more people stood up like this, then either bad actors would have to abandon open-source and pay a dramatic penalty in cost and speed of IT, or they would have to pay open-source maintainers to ensure the . Either way is a win”

“People who don’t like this don’t share my values - they can prioritize the lives of Ukrainians and get on board, or they can maintain a project and provide an alternative, or they can get out of my way while I do something I think is very important”


I’m ok with it as long as the maintainer is consistent and does it for “the current thing” every time. That means Sudan, Darfur, Iraq war, ISIS, Assad’s regime, etc… Heck why not even Florida after the “say gay” thing?


Sounds like an opportunity to create a Protest Current Thing as a Service.


This is a cool idea. You would probably want to run the PCCaaS as a non-profit and donate some of the money (5% seems generous?) to appropriate causes. The main API would be for displaying an appropriate banner of course.

Another API would be to determine if a specific domain subscribes to the service and how much they care about the appropriate topic (in terms of "points" which are partly correlated with how much they spend on the PCCaaS, but also with some human input). This would be useful to people looking to vote with their wallet. I bet there are plenty of artists who would love to make custom banners, kind of like Google's doodle of the day.

A third API would be to get notified when a customer downgrades or terminates their plan with the Protest Current Thing as a Service. Journalists could subscribe to this last API to get ideas for news stories. /s


Pivoting now from Ad-Blocker development to CurrentThingBannerBlocker development.


That's a great idea. The only problem would be determining the correct set of things to be protested at any given time. So I'd suggest grouping them into flavors - say US liberal or US conservative flavors. You just choose the one you subscribe to and then let the service decide whether to insert say BLM or anti-CRT messages at any given time.


NPC as a service.


Probably hoped the effects would negatively affect people there so they could put pressure on to stop the murder of other innocent civilians.

Arguments like this are similar to the BLM protests that try to equate property with human lives.


>Arguments like this are similar to the BLM protest that try to equate property with human lives.

Yeah, but the problem with this is that, taken to its logical conclusion, you end up with a nihilistic view that's basically "do you support The Cause? if yes then any protest action is acceptable, if no then any minor transgression should be cracked down on by law enforcement". This works especially well when The Cause is something that could plausibly affect tens of millions of people, so you can excuse quite a lot of damage.


I have a legal (and moral) right to defend my property, often with deadly force. My property came into my possession by my own labors and time, i.e. by sacrificing part of my life to obtain it. Even if the property was gifted to me, that means that someone else sacrificed part of their life to give it to me. When someone violates my rights in the process of "protesting" something, I am legally and morally justified in using force to protect my rights. This includes the right to the property that I own.


Where is this true? In the US you have the right to murder if the person is in your home and in some states you have the right to murder if you feel your life is being threatened, in this case because you're being robbed.

If you left your car running while you ran into the store you don't have the right to shoot the guy in the back as he drives off. You file a police report and potentially sue for damages.

You definitely don't have the right to shoot someone for burning down your local Target.


If someone is trying to burn down my house with me in it, I have a right to shoot them in pretty much every jurisdiction in the US. If someone is burning down my store with me in it, I also have the right to use deadly force to defend it.


Let’s step back a little, please. This original context was about some BLM protests doing property damage, which included smashing storefronts and trash fires on the street.


They also included burning down buildings, not just trash in the street.


Arguments like this are superficial and justify bad behavior. Destruction of property isn't murder, but it's still not ok and it still causes harm to living people who have no influence over the issue.


> who have no influence

I believe the crux of the political theory is that in a representative democracy, nobody has no influence over the issue.


That is obviously not true, and even if it were, the country in question is Russia, an autocracy. What is our poor hypothetical node developer expected to do, march down to the Kremlin and beat Putin with his MacBook?


This is Russia we are talking about right? A country that has had countless uprisings of literal serfs with farming implements replacing their government.


Parent comment originally referred to Black Lives Matter; I had been responding to that part of the comment (and its relation to US politics).


It's not acceptable to burn down someone's house because you disagree with them. Even if you disagree with them a lot. Please don't burn people's houses down.

If you burn down people's houses, you will be arrested and go to jail.


Or, you know, I’ll never touch Vue.js again?


Charitably, it creates a new friction for Russian business in deploying open-source software. That drag further diminishes Russia’s economy, and thus, its warmaking ability.


This is the line that every extremist group uses to justify their horrible acts.

Weaponizing open source is such an awful precedent. There are extremist groups of every shade who harbor ill intent towards some other group or institution. For a rather mundane example: "My malicious npm module detects you are running the Brave browser? The evil Brendan Eich runs that, say goodbye to your filesystem!" Never mind if you are part of a group that is mired in controversy, chief among them at this time being Russian.


> This is the line that every extremist group uses to justify their horrible acts.

And in this case the 'horrible act' is not wanting your free labour to be used in another country.


At best, this operation could be construed as an act of vandalism, or at worst an act of CYBER terrorism. This indiscriminate and malicious act of hostility was carried out by what amounted to a cyber weapon (think IED) housed in a very ordinary and non-suspicious package to cause the greatest damage to the users' data.


> this operation could be construed as an act of vandalism or at worst an act of CYBER terrorism

Could be. But by whom? To what effect?

One of the downsides of losing credibility as a nation state is the concepts of deference, retaliation and proportionality lose weight. There is no indication that the facts on the ground would affect whether Putin deems something a cyber attack. Worse, one's own policing actions are likely to cause more damage as propaganda pieces than ignoring the issue.

Yes, in an international law framework this would be prosecuted in the U.S. But in that framework Russia wouldn't be in Ukraine. Add to that its tacit approval of its own hackers, and it's difficult--in a realpolitik frame--to find support for doing anything about this other than minor finger wagging.


> Could be. But by whom? To what effect?

The general public. I speculate that publicity was one of the main objectives behind this operation to draw attention to his political grievances and maybe demands.

Perhaps we should focus more on the issue of bragging rights. The perpetrator probably thinks he's some kind of a hero having conducted this operation and it was some kind of a heroic feat sticking up to Putin when he in fact is more of a lousy vandal destroying some poor guy's store window than an epic warrior conquering foreign lands and subduing evil emperors.

The more people realize this and esp. people who are prone to commit these acts, the more innocent people would be spared the damage incurred by those reckless attacks.


This isn't a charitable take; you have reinvented total war from first principles. If all of the countries currently at war start engaging in total war, the world wouldn't be worth living in.


I can't agree with these arguments.

A) IP geolocation is far from perfect, quite a few completely unrelated people could have been affected.

B) There was a chance of massive collateral damage to stuff like hospitals, water company, etc. and therefore affecting civilians, including children. If you think Putin wouldn't use that to rally Russia and launch a massive war, you haven't observed Putin for long.

We got very lucky this software equivalent of a war crime was stopped early. Yet the punishment was absurdly light. I will be staying away from NPM after that.


> If you think Putin wouldn't use that to rally Russia and launch a massive war, you haven't observed Putin for long.

Do you believe that node-ipc would do this but the current vastly more impactful sanctions regime won't?

Also, everybody capable of thinking understands that Russia isn't capable of launching another "massive war" when it already has almost all of its conventional combat power committed to Ukraine.

If you think Putin would launch a nuclear war over wiper malware, you're an idiot. There's no other kind of "massive war" he could launch at this point.

> this software equivalent of a warcrime

Why not call it software holocaust if we're gonna go there? What's wrong with you?


>Do you believe that node-ipc would do this but the current vastly more impactful sanctions regime won't?

>There's no other kind of "massive war" he could launch at this point.

Russian society isn't anywhere near enthusiastic. That's why Putin has been searching for ever dumber excuses. Give him an actual indefensible incident to rally society around, and he'll get a lot more manpower. That could expand the war to Odessa and Moldova, and also 'retaliatory' cyberwar in the West.

Now, there's a level of escalation I'm fine with risking - say, over stationing peacekeepers in parts of Ukraine. Stuff that actually helps Ukrainians. But over a self-appointed idiot's personal action which doesn't help anyone and nobody asked for? $#@! no.

>Why not call it software holocaust if we're gonna go there? What's wrong with you?

It's attacking civilians so as to influence their government (except Russia is a dictatorship and the government doesn't even care). I have more pointed comparisons in mind, but I'll spare the thread.


What next? Is refusing to do business with Russia a war crime, too? After all, some civilians might lose their livelihoods and starve to death, right?


There's an obvious difference between trying to hurt people and not trading with them yourself. If the distinction is difficult, there are laws to define this 'war crime' thing, you may wish to consult them.

Also, Russia is relatively self-sufficient foodwise. There'll be shortages but no starvation. I'm sure though that if starvation was a serious possibility the West would exclude food imports.


> There's an obvious difference between trying to hurt people and not trading with them yourself

Ah yes, because seizing Russian assets overseas is the same as "not trading with them".


>Ah yes, because seizing Russian assets overseas is the same as "not trading with them".

Your bank account is held under terms. There are cases where freezing withdrawals is allowed.

If you wish to avoid that, you are entitled to store your money under your mattress (or use the latest crypto fad and be subject to absurd exchange rate variations).


Using another country's financial systems exposes you to significantly more counterparty risk than using your own.

Nobody was forcing Russia's ruling class to have all their money in overseas bank accounts.


Same goes for using software from other countries, no?


You might wish to consult those laws yourself before you call random shit a war crime...


I thought that food imports were already excluded from sanctions for this exact reason.


>Russian society isn't anywhere near enthusiastic. That's why Putin has been searching for ever dumber excuses. Give him an actual indefensible incident to rally society around, and he'll get a lot more manpower. That could expand the war to Odessa and Moldova, and also 'retaliatory' cyberwar in the West.

That's just absurd fanfic. Sending in untrained "manpower" with no equipment would not help advance Russian goals.

"Cyberwar"? Russia has never before needed any excuses to unleash wiper worms like NotPetya onto the whole world.

>It's attacking civilians so as to influence their government

Exactly like sanctions. Are you against sanctions too? If not, how do you explain that inconsistency?


>That's just absurd fanfic. Sending in untrained "manpower" with no equipment would not help advance Russian goals.

Some of them probably have military training, and quantity has a quality of its own. Regardless, Russia will not be able to subdue Ukraine, but there's nothing good coming from a more enthusiastic Russian society.

>"Cyberwar"? Russia has never before needed any excuses to unleash wiper worms like NotPetya onto the whole world.

Our tolerance for that was absurd. As is our tolerance for this action.

>Exactly like sanctions. Are you against sanctions too? If not, how do you explain that inconsistency?

I'm for sanctions. It's not inconsistent. There's a law for these things. That law allows sanctions but not attacking random civilians. It also prefers actions by legitimate authorities and not random vigilantes. It also states that any possible harm to civilians must be incidental to the method, and that any harm be proportional to the possibility of achieving a legitimate goal (kicking Russia out).

This action was by a random person (not even a Ukrainian), unauthorized by anyone (definitely not any Ukrainian authority), and was at best counterproductive (nobody has given me any way in which this advances kicking Russia out), so any possibility of civilian harm is criminal.


> Regardless, Russia will not be able to subdue Ukraine, but there's nothing good coming from a more enthusiastic Russian society.

You are mistaken if you believe that Russian society isn't already enthusiastic. But this isn't a country with the warrior culture the US has; dying for your country isn't cool in Russia, it just means that you were too poor and/or stupid to dodge the draft.

> There's a law for these things. That law allows sanctions but not attacking random civilians.

Which law is that?

> It also states that any possible harm to civilians must be incidental to the method

Many of the sanctions are specifically targeting civilians, civilian businesses.

> and that any harm be proportional to the possibility of achieving a legitimate goal (kicking Russia out).

Oh no, you're deeply mistaken. The sanctions will not go away even if Russia gets kicked out of Ukraine, they're very much intended to be punitive.


>You are mistaken if you believe that Russian society isn't already enthusiastic.

It's a society where showing up for what the authorities do is common.

>Which law is that?

A long codicil of war conventions (Geneva, Hague) and anti-terrorism conventions. What I wrote is a common exegesis.

>Many of the sanctions... The sanctions will not go away.

As I wrote, there's a difference between 'we won't trade with you' and actively harming someone. Also, if Russia withdraws completely and lets Ukraine join NATO, I'm pretty sure the West will drop sanctions. There'll be no point in maintaining them - if you want to change Russia, you'll need a finer instrument.


>It's a society where showing up for what the authorities do is common.

For a variety of reasons much of my circle of friends consists of Russians living abroad; you're mistaken if you believe that they support Russian leadership out of fear of what might happen if they didn't.

>A long codicil of war conventions (Geneva, Hague) and anti-terrorism conventions. What I wrote is a common exegesis.

But sanctions do exactly that. Attack random civilians.

> As I wrote, there's a difference between 'we won't trade with you' and actively harming someone.

It's not "we won't trade with you", that's a dishonest way of putting it. It's "we won't allow others to trade with you", which is very much actively harming someone.


> they could put pressure to stop

In case you haven't checked, both targeted countries are authoritarian regimes where any kind of civil protest is ignored at best or actively suppressed at worst. And violent regime changes (aka revolutions) coming from the people don't work, at least not without the support of part of the governing elites (which aren't impacted by that kind of action).


Revolutions have succeeded time and again. The problem is that in most cases, the kind of people who lead successful revolutions are not the kind who can form a non-autocratic government. It can take generations to correct the resulting chaos and totalitarian excesses.


Yeah well most software developers, just like most people, would rather engage in warfare with their fellow working-class man than with the man, which is unfortunate because that should be everyone's target - not one another. We should be asking ourselves how we can write software that frees us from the tyranny of government, and instead helps us to foster self-reliant communities of support and mutual aid, which serve the best interests of those who participate in them.

These are the tenets of anarcho-communism and FOSS - not sticking it to Russia and cheering on the dumping of weapons into a war zone...


It harms all of technology and by extension anyone who participates in the modern world. Just like any malware or other antisocial behaviour.

It's a bit too indiscriminate to be a good protest, unless the thing you want to tear down IS the whole modern development process, which is based on the idea that most people are somewhat trustworthy and you can get the risk down to an acceptable level through the usual means.

It doesn't quite work if malware is not only a threat, but a semi-mainstream thing sometimes made by people you would think you could trust. The normal social process of trust breaks down if malware is included in the scope of normal things people sometimes do, as opposed to purely being something by the more criminal types.

I almost wonder if these people don't actively want to tear down tech itself, or don't care, given how many coders dislike the fact that society is tech dependent.


> It harms all of technology and by extension anyone who participates in the modern world. Just like any malware or other antisocial behaviour.

Sure, but the problems, in order of significance, are:

Putin invading Ukraine

Trusting things from NPM

This author adding malware to his package

I'm disappointed by the chorus of "keep politics out of tech" that seems so prevalent on HN, though not surprised. In general I'm in the "don't be a dick or cause problems" camp but when things are this completely broken I think anything goes. Countries are made up of people, people en masse can effect change, but oftentimes the vibe of that one poem holds true: doesn't affect me so I don't care. It's wrong to stay silent. Every bit counts; it's only death by a thousand cuts if you actually make all of the thousand cuts. If everyone whose social responsibility it is to make a cut thinks "this doesn't matter anyway and I don't wanna be a dick" well... look around you at everyone who's got theirs and doesn't care.


I believe pretty strongly in some of Taleb's theories. That some people are antifragile, they gain from chaos, and that the people in the strongest positions are the ones who do so.

What I don't agree with is the idea of structuring society to benefit antifragile people and encourage more to become such.

Indiscriminate sabotage is a type of chaos. I expect it to always benefit those who are already in the strongest positions, and harm those in the weakest positions.

If one is going to do hacktivism, I'm sure they can think of something better than just randomly attacking computers supposedly in one country but probably all over the world because of IP weirdness.

An attack on tech in general is somewhat of a political statement that you would like to side with the less tech dependent people, at the expense of the more technical side.

This could destroy records at a Children's hospital. It could affect peace protesters.

I'm not sure that anything that preferentially targets technical people while leaving those with analog-first lives unaffected is useful.

It's stirring up chaos, giving power to those who benefit from chaos.

Does that not include those who benefit from war?

Maybe I'm wrong and this is actually going to bring about world peace.

But to me, it seems pretty random and poorly thought out.


> But to me, it seems pretty random and poorly thought out.

I agree with this, it's not a move I personally would do, but yet I can't condemn it either. Lashing out like this when faced with the horrors of war makes sense to me.

> What I don't agree with is the idea of structuring society to benefit antifragile people and encourage more to become such.

I agree with the sentiment here, but on some level I feel that an increase in antifragility is necessary to combat the centralization of power. It strikes me as the only way to prevent bad actors in positions of power from ruining it for everyone else.


> but when things are this completely broken I think anything goes

Why? If something doesn't help in any way, it shouldn't "go".

Putin's invasion of Ukraine doesn't justify doing other bad things, just because those bad things aren't quite as evil.

Something can be wrong without it being literally invading another country. Putting malware in software is an example of that.

> but oftentimes the vibe of that one poem holds true, doesn't affect me so I don't care.

The issue is not "not caring". The issue is weighing advantages and disadvantages and being responsible in one's actions.

Politics in tech should be rejected at least in all cases in which it doesn't lead to any advantage. The existence of worse things is irrelevant.


> Putin's invasion of Ukraine doesn't justify doing other bad things

Yes it absolutely does. Killing is bad, killing invaders in defense of your country is justified. Collapsing Russia's economy is bad, but in light of Putin's actions it's justified. Putting malware in your packages is an extension of that concept.

It's unclear to me whether putting malware in your packages is effective, but it's certainly worth trying, and I absolutely can't condemn someone for that. If you wield power you are responsible for its effects, and to some lesser extent you are responsible for the effects of your inaction.


100%. I've already seen articles in non-tech media that explain what happened to a non-technical audience, and the explanation sounded a lot like open source is the problem and that proprietary software would never have these problems.

It wasn't that long ago that using open source software required a lot of politicking inside my clients, and we could easily go back there with enough spooked executives.


A disagreeable take: why should open source projects make any effort to be accessible to corporations that will never donate or support them?


While the prior post was talking about reticence to trust OSS code in commercial environments, the problem is not limited to that arena. This change hit national news here, albeit very temporarily, not just tech and business news.

If an OSS developer can drop a logic bomb on Russian interests, one could do it to anyone else they disagree with, and that might understandably make people uncomfortable.

Furthermore, the “attack” was indiscriminate, hitting out at a geographical area, potentially damaging the data of many innocent bystanders, not just those responsible for, taking part in, or supporting the invasion. Or is it OK for a code bomb to affect civilian targets? I know physical protests often inconvenience bystanders, intentionally so; a lot of the point is to do so in order to draw attention to the matter being protested. But wilful destruction of property is usually considered bad form for such protests (arguably at that point you have a riot, not a protest), and that is essentially what the node-ipc change did.

Putting commercial interests off OSS is a symptom of a deeper wrong here.


> one could do it to anyone else they disagree with, and that might understandably make people uncomfortable

That's why you audit your dependencies and have tests right? Right?


It is one of the reasons why you should. But...

* Many don't.

* Even for those that do something might slip through the cracks, particularly given how deep and wide some dependency trees go in the current JS ecosystem.

* Such attacks would still cause you problems once your audit spots one: you now have to hold back a version, perhaps back-porting security fixes, at least until you can migrate to another package or create your own (or, rather than creating fresh, decide to continue maintaining a fork of the affected one). And you may need a deeper audit, checking to see if anything else slipped by earlier that has left dangerous traces.

And the existence of dependency audits doesn't make damaging protest updates like this right any more than the existence of secure zips makes pick-pocketing those without them fine.


> Such attacks would still cause you problems once your audit spots one: you now have to hold back a version

That's not a problem caused by this "attack". You should assume that any open source project you use is unmaintained unless you have a support contract and that it will never get any updates again. A lot of these packages have a bus factor of 1 with no backup plan.


The problem I see is that there is no way to discern a "corporate customer" versus a guy in his bedroom building an app. The whole fakerJS fiasco really pissed me off because the developer seemed to assume that the only folks using his software were greedy F500 companies.

And that's the problem I see with many of these political statements. There seems to be this politically driven assumption that the only users of OSS are greedy companies that won't pay to support it. So they make a political statement, take down their package or make it malicious. All this does is create a minor headache for the big corps that have resources and fuck over the little guy.


Because open source is idealistic and altruistic to a fault; it is the antithesis to "got mine, fuck you", or that of the capitalist "fuck you, pay me". If you limit access to anyone it is, by definition, no longer open source. I mean there's probably plenty of licenses that restrict commercial usage of open source software.

That said, I'm all for open source software monetization; include messages in the README, code, or logging that basically says something to the tune of "If you are using this for commercial purposes, please consider donating / sponsoring / hiring". I think Github and co can do a lot more as well to encourage big corporations to pay open source contributors.


Counterpoint: if bigcos are so damn stupid that they avoid open source & Free software for idiotic reasons, that creates space for less stupid startups who will do and be better. Why do we need to save the rich, ignorant and prejudiced from themselves? They're not worthy objects of charity.


> not worthy object of charity

Most people, certainly productive people, are employed by companies. Take an extremist position on who your product works for and you limit the developer pool. An agnostic competitor would be expected to replace you.


It's not an extremist position to say you don't have to do much about big companies feelings about using Free software. You don't have to expend your scarce resources to make them feel comfortable. Note well here I am talking about nothing whatever of substance, this is all pure marketing. If big cos turn from Free software due to prejudice and ignorance about what it is, what it does and how to manage it, rather than riding it like Google, Facebook, Apple etc to untold riches (that were not obtainable to those companies without Free software), that's not any Free software developers' problem.

The GPL, LGPL, BSD, Apache licenses have not changed. Rogue actions by any supplier come directly under bargaining power of suppliers in your corporate strategy risk analysis. If it happens you deal with it, and you've already thought about it or you have no business making decisions in a large company. If any big company runs away scared from Free software, bye.

Google literally shot to glory when they went extra hard at using Free software when established big companies were scared. It's not a sufficient condition for their success but it was absolutely a necessary one. They don't get going if they have to pay for operating systems alone.


> I am talking about nothing whatever of substance, this is all pure marketing

This is fair. Would note that one advantage to teams that do the outreach and accommodation can be support, financial and contributions. But that's speculative and not the right move for every team.


>It wasn't that long ago that using open source software required a lot of politicking inside my clients, and we could easily go back there with enough spooked executives.

That's what this discussion is about. You want to monetize your Free software project? That's a very different discussion to this one, about which nobody writing Free software need care. Note also the "protestware" or whatever nonsense this is didn't hit anyone with a support contract from the developer, or am I wrong with that guess? So big cos are using a metric ship load of code that they didn't pay a cent for and don't bother even reading once. Just hit the auto-update while paying and contributing nothing, then claim this is the fault of Free software somehow? Yeah. Ok. Bye. The value proposition sucks for them, apparently, so they'll pay someone a lot of money to solve that. Nobody else need care - unless you're sliding into that space to solve that problem for them.


Part of being idealistic is standing up for what is right but without causing more harm than necessary.

> If you limit access to anyone it is, by definition, no longer open source

Licensing disagrees. Not everything open source is permissive.


I'm pretty sure the reference is just to the "no discrimination against people/groups/fields-of-endeavor" ethos. See OSI's Open Source Definition clauses 5 and 6. https://opensource.org/osd


> Part of being idealistic is standing up for what is right but without causing more harm than necessary.

Exactly. Setting off a logic bomb targeted at whole countries is not “without causing more harm than necessary”. Add wilful destruction to a protest, especially if that destruction is such that it affects innocent bystanders, and you no longer have a protest, you have a riot.


I work for a company, Red Hat, whose entire business model is getting companies to provide ongoing monetary support for our engineers to work on open source software. We spend a lot of our time advocating for open source, we started well before open source was broadly accepted, and this kind of action could be a setback.


It strikes me as kind of an odd position that given political advocacy in open source software, closed source would be safer.

Proprietary software provided by a single vendor is much easier for a government to lock down via actual sanctions. Hypothetically, they can outlaw your company doing business with that vendor.


On one hand, I don't want to be anywhere near protestware when it comes to my work or the tools I use.

On the other hand, Javascript developers have a whole different culture than the developer circles I like to frequent. In npm-land, the societal expectations of quality and solemnity (for lack of a better word) are lower, and this kind of behaviour is even celebrated if it favors the "right cause".

The last two cases we've seen (faker/colors, node-ipc) just took it one step further, but we've seen a lack of seriousness from both the npm organization and the community during the last... what? 6 years? At this point, if you stay in the whole npm ecosystem, it's understood that you do so at your own risk.


>Javascript developers have a whole different culture than the developer circles I like to frequent.

Most Javascript developers I know are just writing code and that's what they're concerned with.

Vocal voices on twitter or etc != most Javascript developers.

I'd argue most vocal folks on forums or etc don't represent most developers of any given language.


Sure, just like most men aren't violent criminals but men are still statistically more likely to be violent criminals. The point is that JS devs seem (perhaps a proper statistical study will show otherwise) more likely per capita to shit up their ecosystem. There are several reasons contributing to this (the limited JS standard lib being a big one) but a major part of it really seems to be that JS devs are a different breed.

I've never seen controversies like this in the .NET/Nuget ecosystem, the only controversies I've ever seen there are over libraries changing licenses to make the authors more money, and controversies over Microsoft exercising too much control over the ecosystem.


> but a major part of it really seems to be that JS devs are a different breed.

Can you really make such generalizations considering there are millions of JS devs, some of them not working exclusively in this language?


Here are some package counts (http://www.modulecounts.com/) for different platforms:

* npm - (1,916,619)

* Maven - (465,713)

* NuGet - (299,957)

npm has about 2.5 times the number of packages as Maven and NuGet combined; it's not surprising that it has more drama than other ecosystems.


> I've never seen controversies like this in the .NET/Nuget ecosystem

Some .NET ecosystem projects have put political messages on their documentation over the past couple of years.


I think they meant "controversies" more in the "adding malware to a common dependency" sense.


> men are still statistically more likely to be violent criminals

I think you meant criminals are more likely to be men.


No, I meant exactly what I said, more men are violent criminals per capita than women. What you said is also true, but it's not what I meant.


Moreover, unless we are talking about a very unusual subset of the population, the ratio of men:women is always almost 1:1, which renders the two statements functionally equivalent.


Oh you meant in relation to women. I misinterpreted that you were saying if you pick 10 men, then over 5 of them are violent criminals.


They're equivalent, in this case.


They're both talking about the same phenomenon and are technically correct, but the framing is different. Specifically, the latter wording tries to defuse blame on males.


> I'd argue most vocal folks on forums or etc don't represent most developers of any given language.

Sure, but for some reason, this stuff seems to only happen in the JS community (at least to my knowledge and recollection, which admittedly may be faulty). Maybe it's the fault of the tooling or the language, but python is another popular language which has historically had quite a messy answer to dependency management, and I don't remember ever hearing about an open source python developer throwing a hissy fit and trying to wipe the hard drives of everyone who uses their software.


>this stuff seems to only happen in the JS community

What stuff? Drama? That happens everywhere.

Malware? That stuff happens a lot of places, maybe npm makes it more accessible but that's just a technical hurdle ... doesn't mean it wouldn't happen elsewhere if folks could do it easily.


I'm talking about the particular sort of incident mentioned in the grandparent post, where a dev gets a bee in their bonnet about something or other and decides to purposefully screw over their users. Other ecosystems have had supply chain attacks of course, but something about JS seems to really encourage turning run-of-the-mill internet drama into CVEs and broken software.

Maybe, as you say, it's a technological problem. However, if that's the case, it's an eminently solvable one, as evidenced by the fact that I've never in my life had to avoid bumping my Java dependencies because I'm worried my CI pipeline will be overrun with heart emojis, and the fact that the JS community has not solved it just points to a different kind of un-seriousness.


I don’t think it is understood. Most people who write JavaScript aren’t keeping up with the latest drama. I hadn’t seen any of these political complaints before this thread and I’m a lead engineer on a full stack typescript stack. Not that I have an opinion either way I just don’t think you can reasonably expect devs to keep up with stuff like this.


I think if you pull in code from all sorts of random people across the Internet, you probably absolutely should have some idea what risks that entails, and stay aware of the "latest drama", so you know when running "npm update" is likely to ruin the rest of your day.

Of course, the ideal solution is just to not use an ecosystem where pulling in code from all sorts of random people is common.


Hard disagree. Needing to follow the politics of every piece of your tech stack is a ridiculous way of doing things. We should have a system to verify if a module is malicious or not, that’s an engineering problem, politicking about in open source communities is not. Engineers should be engineering things.


You can not engineer away human problems. I agree that's a ridiculous way of doing things, but it's the only reasonable way to use Node! Which is to say, I think Node is not a great tech stack if you do not want to follow drama.

Adding an antivirus scanner to your Node project is not going to fix this. It certainly hasn't solved the malware issue in the last few decades for PCs.


At the very least don’t task your principal engineer with solving human problems then. I stand by my initial comment that that is a waste of a good engineer's time and mental health.


I think keeping up on things like this is the bare minimum expectation I would have of any lead developer worth his or her salt, because keeping up on things like this is a fundamental aspect of knowing the technological ecosystem in which you claim to have the skills and knowledge in which to make decisions about things like which technical ecosystem your entire team should be using.

Whether or not most engineers _do_ keep up on things like this, is a different question. But that's why there's a large range in salaries for similar positions across our industry.


>I think keeping up on things like this

Keeping up on actual code related concerns yeah. Internet drama, no.


There is a very very very big difference between low quality and straight up malware, though.

I would never get angry because of a package which doesn't work properly. I didn't pay for it and I treat it as essentially a social media post. It should be assumed broken until proven functional.

But there is no "right cause" for spreading actual malware.


Do people think the people protesting like this don't know that this is damaging? They presumably feel that the issue at hand is more important than that damage.

Every protest ever has been met with "but this protest is being done the wrong way, don't inconvenience me", but that's the point: protest has to disrupt things to make people take notice and make changes.

Would I do this? No. I don't think it's effective or right (it really isn't going to harm Putin, even indirectly, in any meaningful way), but I think it's silly to pretend people don't know what they are doing. The intent is to disrupt.


As a Russian, you already notice this and you already have many things in your everyday life disrupted. Someone deleting your files as an act of shoving politics where it doesn't belong helps absolutely nothing. If anything, it's not an act of protest, it's an act of vandalism. Causes don't matter here — vandalism is simply never okay.


Vandalism can be a form of protest. Again, every protest ever has had people saying that the disruption to them is over the line.

It draws attention and coverage to the issue. It forces people to listen. Protest has to be disruptive to the norm to achieve that, and there will always be people who don't like that. That's the point.

As I say, I don't think this one is effective or proportional given the lack of control someone in Russia has over the situation, but just saying "nothing should ever be damaged in protest" is, I think, naïve at best.

If Russia were a state with a reasonable guarantee of a fair legal process, I would argue a moral obligation to disruptive protest to end the war. If the UK (where I am) were to invade another country like this, I would hope for a general strike, and civil disobedience of all kinds, including vandalism. The fact that Russia has such a hard line against dissidence makes this obviously more morally difficult, although I greatly respect those that still choose to protest, I can't expect it of anyone.

People will disagree about how effective a thing is, and how justified it is. What the Russian state is doing is monstrous, and that increases the level of justified disruption to me. That doesn't mean this was justified—I feel it wasn't—but pretending that all "vandalism" is inherently never reasonable as protest is, in my view, wrong.


“Crime X can be a form of protest”

“Every protest ever has had people saying that the disruption to them is over the line”

So which crimes would not be acceptable in a protest? And if people will always complain about the line being crossed, does this mean there can be no line at all?


I don't think there is a clear-cut line, no. Context matters, and people will disagree about what is proportional or justified.

Clearly that doesn't mean all protest methods are always justified, and I even said I think that this is over the line given this particular set of circumstances, but I reject the premise that it would always be over the line.


Indeed, by this logic, the Unabomber was a pretty effective "protester."


Why not pick, say, the Boston Tea Party (And the war that followed) as a better example of an effective protest?

Highly illegal and immoral, destructive and violent, killed some five-digit number of press-ganged soldiers and civilians, met all of its political goals...


Oh absolutely. The reason the Boston Tea Party is celebrated is because their side won the war. Had the British won, it would have been one of the many wicked/evil "rebellions" against the King that got crushed.

But I'm not really seeing the connection here or why it invalidates the Unabomber example.


Unabomber is a worse example because while the ideas of his manifesto have taken root, he can't solely be credited for them, and his acolytes (both people pushing back on tech, and pundits screeching about woke politics ruining society) tend to condemn him (Again, because he wasn't the only person raising these ideas.)

The long and short of it is - just about any destructive, devious, and murderous form of protest is considered acceptable, as long as you can convince a large enough segment of society that its end justifies the means.

It's circular logic, of course, but that's all there is to it. There are no inviolable, unbreakable taboos when it comes to seeking political ends - you just have a harder time convincing some people that your cause is worthwhile when you are using more extreme ones. And even if you win, you might still be condemned by history for your methods.

On the scale of extremes of methods, this thread's subject is notable, novel, interesting, but is more on the 'misdemeanour hooliganism' side of that spectrum.


Given how influential Ted Kaczynski's manifesto has been within the tech community, and how many people agree with his views (particularly regarding leftism,) if not his methods, I think that's objectively true.


> vandalism is simply never okay

Neither is invading another country.

Someone didn't delete the files. You deleted them yourself by blindly trusting 3rd party software that you got for free with no guarantees of anything.


> Neither is invading another country.

Indeed. Except, did I elect this president? No I did not (and elections in Russia are more of an illusion anyway). Can I do something to stop him? No I can't. What's the point of this act then? Putin and his allies don't use npm. This can't affect them by any stretch of imagination.

> Someone didn't delete the files. You deleted them yourself by blindly trusting 3rd party software that you got for free with no guarantees of anything.

Yes, of course, npm is at fault here for downloading untrusted code and running it with no sandboxing whatsoever on behalf of your OS user. This kind of stuff used to be called an RCE vulnerability and used to cause people to issue urgent security patches, but somehow, now it's considered a perfectly normal way of doing things. At the very least, there should be a permission request if this untrusted code tries to access anything outside of the project directory.


This is exactly it.

For some people, a world that they relate to is coming to an end, and anything they could do, however insignificant, no matter what the side-effects or personal reputation cost, is worth doing. This isn't some brainy impact-analysis based action. "Something must be done".

The disruptions caused by these rogue packages will make it to newspapers and the media, and maybe, just maybe, parry the news of war and destruction.

I don't support having this. But I can see how a single-contributor package author would feel emotionally compelled to "Do something, anything".


In that case, targeting only Russians is sub-optimal. They could as well have targeted everybody; it would have had more impact. There's no reason to target Russia's inhabitants in particular, who, I would guess, are mostly against the war.


From polling results (both Russian and western), the majority of Russians are supporting the war.


Not everything people feel compelled to do is OK.

It is not OK to go out and find Russian Americans and go vandalize their property to make a point. If you do so, you should face criminal charges.

I similarly think that the node module maintainers who deliberately abused their trust to make an indiscriminate attack on people's digital property should face criminal charges and civil liability.


Yes, people affected should absolutely go to court. Let the courts decide if activity of this nature is in violation of the law. I absolutely support that.

Package authors who did this are also going to be ostracised by the community. So they will most likely pay a price.


This isn't so much a protest as a nonviolent indiscriminate vigilante terrorist attack.

> The intent is to disrupt.

Presumably the intent is to help Ukraine. People need to stop and think about how their disruptive "protest" is actually going to help their cause rather than blindly chase awareness.


A lot of protest is more about emotion than logic. Most individual actions of protest are not logical, like each of the individual protesting Russians who know they are likely to go to jail. But when enough “illogical” people do enough “illogical” things visibly enough, the Overton window (as it were) can start to shift as they prompt others to ask why they see more and more “illogical” acts in favor of a position. Some will go too far, some not enough, but it’s hard to predict what acts will move the needle.


I don't know what the next step is after "I've deleted your files... now listen to what I have to say."

That makes no sense. It sounds more like an excuse for acting out.


Once your hard drive is wiped, you're supposed to automatically realize it must be a legitimate open source developer protesting the war, rather than some other type of malware. Then, rather than the natural human instinct to blame the person who did it, you're supposed to realize that your government must be lying to you and must actually be evil, and you're supposed to start a revolution to overthrow Putin.

I guess that's the thinking?


If the intent is to disrupt, why be surprised at people being pissed off about it? Seems like a natural progression of the conversation.


Was anyone surprised people were pissed off?


Indeed, judging by the response it seems like a very successful protest (aside from the reports of lost NGO files.)

Not something I’d have done, but I understand the idea.


About half of the comments here appear to be.


Are they? I don't see surprise: I see people defending the action (to some degree), but I can't find a single case of anyone who is surprised at people reacting negatively to it.


I suppose condescending smugness can read like surprise in certain cases.


But what is the limiting principle? Once you allow yourself to cause disruption and hurt people, when is it too far?


A good question I don't think there is an easy answer to, and one that depends on how you perceive the action being protested and the protest action.

A recent case in the UK involved people vandalising (throwing into a river) a statue. It was charged as a crime but they were found not guilty by a jury (in what most believe was an act of jury nullification).

There are a lot of loud people who felt this was disproportionate, but when it came down to it, a randomly selected jury from the UK clearly felt it was justifiable.

If my government was doing something morally abhorrent, that justifies greater disruption in the name of trying to stop it. Given there is no obvious way to judge the objective moral value of things, let alone one consistent across people, there will never be a hard rule about what is correct.

If we say there can be no justification for disruptive protest, then we lose the ability of the people to fight back against a tyrannical government doing things against the will of the population.


The problem is that the node.js filesystem deletion "protest" was an indiscriminate digital attack that harmed people who are doing a much better job of actively opposing the invasion.

I believe that the developer who implemented that attack should face criminal charges. Our ability to trust our open source is a critical part of our economy. People who abuse that trust to directly harm others should know they will face criminal charges for their actions.


> an indiscriminate digital attack

I disagree. Users are responsible for the open source software they use. If they want to blindly execute software from the internet without auditing it first, that's their problem.


I agree, to some extent. I think it was a largely ineffective and poorly targeted protest. The media coverage is not really necessary as it's already highly reported on, and the people harmed have no control over it.

With that said, disruptive protest can be (and often is) illegal. I may think it's justified in some cases, but also if I do something illegal I expect to face legal punishment for it. Some people lay down their lives to protest: to some people committing a crime is a cost worth paying.

Again, my point isn't that I agree with the action, just that the idea that protest should disrupt no one is counter to the whole point of protest.


I think that blocking your software from running on some computers would be very disruptive but should be legal. (Edit: not endorsing this, just trying to clarify where the line lies)

Actively trying to harm those computers is simply not OK and goes beyond "disruptive" protest into harmful.

To analogize, if your protest blocks traffic, it is disruptive. If your protest goes looking for property owned by Russian speakers to burn down...you have moved beyond disruptive protest and into being a harmful attack.

I do not think the latter is anywhere even close to justifiable.


I don't think the line is so simple.

I agree that the "any Russian person" aspect of this makes it unjustified, in my eyes, but harming property more generally?

Well, denying someone their property is certainly harm of a sort, and if I were asked if it was justified to seize or destroy an oligarch supporting Putin's property or yacht or whatever, then I'd say absolutely.

In a similar way, there was a case in the UK recently where a statue of a man who was both a philanthropist and a slave trader was thrown into a river. This was charged as a crime, but the accused were found not guilty (commonly believed to be jury nullification).

Was this right? Well, the guy had actively limited his philanthropy where anyone was anti-slavery, people had tried getting a plaque added to the statue to explain context, but this had been blocked. I think this was a reasonable act of protest, and clearly a jury of their peers agreed.

More directly, what if they found their software was being used in a Russian weapons factory that was being used to produce munitions killing Ukrainian people? In my mind, that would significantly raise the justification to cause damage to that property.

Harm, especially when it comes to property rather than people, is tricky. I don't think it can always be ruled out when it comes to justifiable protest.


> if I were asked if it was justified to seize or destroy an oligarch supporting Putin's property or yacht or whatever, then I'd say absolutely.

Those are targeted actions taken against specific individuals, not an indiscriminate attack.

Causing indiscriminate harm to random people as an attempt to protest is not acceptable. Targeted harm has to be assessed on a case by case basis.


I mean, as I said, I think that's a core factor in this instance, and culpability increases the justification.

I don't think that means that targeting random people in protest is wrong universally. A common example might be blocking roads, which can harm random people disrupted from being able to go to work, for example. I think there are cases that can be justified.

I mean, right now the sanctions put in place to try and cripple Russia's ability to wage war are hurting random Russian people. That's essentially state-level protest. It sucks for the Russian people who don't support their government, but I think it's the lesser of two evils rather than funding and enabling a regime that is invading Ukraine.

It's a combination of factors, I think trying to draw hard lines universally is just the wrong way to think about it: protest should be proportional and justified, and each case has to be judged on its own merits as to whether it is, something people won't ever agree on universally.


How many Russian cyberattacks on Americans go unpunished by Russia? I don't see any reason for America to bother prosecuting American attacks on Russia as long as Russia isn't prosecuting Russian attacks on Americans.


This wasn't just an attack on Russia and other people's bad behavior doesn't excuse your own.


Whether or not they're excused is orthogonal to whether or not America should prosecute. If Russia doesn't prosecute cyberattacks on Americans, then the logical leverage to get them to do so is to not prosecute American cyberattacks on Russians.


Again, this wasn't just an attack on Russians.


An excerpt from node-ipc's license:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Digital arsonists who do it for the attention


npm install is such a scary command these days (or yarn install, same thing). I never liked it because of the shitload of dependencies it usually pulls but now I would hesitate running it outside a well isolated container.

This event added to the strong distrust I came to have in NPM these last months. The NPM ecosystem seems incredibly immature and unreliable and any Javascript project depending on NPM is now a potential future malware.

By the way, does anyone know an easy way to use Svelte without depending on NPM? Because if not I might reconsider my choice of using it in a side project despite me liking it.

In theory the same things could happen for PIP, Maven, Gradle, their Rust and Go counterpart and any such package manager. Any data on this?


> In theory the same things could happen for PIP, Maven, Gradle, their Rust and Go counterpart and any such package manager. Any data on this?

Supply chain attacks, such as these, can definitely happen to any language. NPM seems to be a nice target simply because of the volume of deps your avg 'simple' node project has (I mean, 'npm generate'ing a simple strapi-backed static site for us and there's ~300mb of node_modules...).

There's not really a cure. You can peg your deps to a version, but with that much code in there, you're never going to really know if that version is compromised.

If you can come up with a solution, there's money to be made..

Edit: The best we really have atm is just scanning for known vulns with stuff like xray/lifecycle/dependabot. Better than nothing, but for sure there are malicious packages out there yet to be discovered.


It can be a problem in any language or package manager but in my Golang project, I have a single dependency outside of the standard library, in my Javascript project I conservatively have 200+ (if I consider all the packages installed by my primary dependencies). The surface area is just that much bigger and the packages change so frequently.


So you reckon a better (bigger?) node stdlib would solve a lot of this?


Probably, yes. I'd say most mature tech stacks provide most of what you are likely to need first party. .NET is an incredible ecosystem for this: Nearly everything the standard developer needs is available from Microsoft, most common third party packages you might want to pull in were authored by an enterprise company with support available, and if you're pulling in something by an individual, it's probably pretty niche.


That Golang project also likely isn’t trying to be a highly interactive UI running on thousands of different runtime configurations.


> In theory the same things could happen for PIP, Maven, Gradle, their Rust and Go counterpart and any such package manager. Any data on this?

in theory, but why is it always node.js/npm? I work on completely different things... is it a different community culture? is it the thousands of tiny low quality packages people include to do the most basic things?


I think in large part it's that there's a higher focus on modularization in Node.JS which leads to lots more dependencies. That increases the attack vector and makes a supply chain attack easy because all it takes is a single malicious author to break trust in a chain of hundreds of packages. For example a code base I work on currently has over 250+ 3P dependencies, not because we import that many deps but because the dep tree expands that far. Combine that with copycat attacks, where one person does one thing and others feel motivated to push their button, and it exacerbates the problem.


A perfect example is webpack. Indirectly depends on many thousands of different packages, is run during development, and has 225k packages that depend upon it. https://github.com/webpack/webpack/network/dependencies i.e. even if you are careful about dependencies, your build tools are not.

I also checked esbuild which is written in go, but it still has a dependency on babel and webpack (via scripts/package.json fuse.js at least). https://github.com/evanw/esbuild/network/dependencies


esbuild doesn't depend on babel or webpack if you're just using esbuild (maybe it does if you want to build esbuild from source?) My pet project uses esbuild and the relevant part of the dependency tree only shows 'esbuild@0.14.27' which depends on 'esbuild-linux-64@0.14.27' (which is the binary package) - it doesn't extend any further than that.


Go at least will never run arbitrary package code as part of a go get / go build / go install.

Only the resulting binary might contain malicious code, but the build and package management part is guaranteed safe.

In addition, go installs the oldest viable version that matches constraints - dependencies are thus not only locked, but also don’t automatically update to the newest available version during relocking unless explicitly requested by the user or another dependency.
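The "oldest viable version" behaviour described in the comment above, modelled as an added example (not from the thread and not Go's actual implementation): a toy minimal version selection next to the "newest matching version" rule a floating semver range gives npm. The module names, versions and requirement graph are constructed for the demo.

```javascript
// Added example: toy minimal version selection (MVS) vs newest-matching
// resolution. Registry, module names and requirements are constructed.

// Published versions per module, as [major, minor] pairs.
const registry = {
  B: [[1, 0], [1, 2], [1, 4]],
  C: [[1, 1], [1, 3]],
  D: [[1, 1], [1, 3], [1, 5]], // D@1.5 is newest; imagine it was just published
};

// Minimum-version requirements declared by each module version.
const requirements = {
  "B@1.0": {},
  "B@1.2": { D: [1, 3] },
  "B@1.4": { D: [1, 5] },
  "C@1.1": { D: [1, 1] },
  "C@1.3": { D: [1, 5] },
  "D@1.1": {}, "D@1.3": {}, "D@1.5": {},
};

const key = (name, v) => `${name}@${v[0]}.${v[1]}`;
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1];

// Walk the requirement graph from the root. pick(name, minVersion) decides
// which version of a module to visit; the highest visited version per module
// is the build list.
function resolve(rootRequires, pick) {
  const chosen = {};
  const work = Object.entries(rootRequires);
  while (work.length) {
    const [name, minV] = work.pop();
    const v = pick(name, minV);
    if (chosen[name] && cmp(chosen[name], v) >= 0) continue;
    chosen[name] = v;
    for (const dep of Object.entries(requirements[key(name, v)])) work.push(dep);
  }
  return Object.fromEntries(
    Object.entries(chosen).map(([n, v]) => [n, `${v[0]}.${v[1]}`]));
}

// MVS: visit exactly the version that was asked for, never anything newer.
// The build list is the per-module maximum of all stated minimums.
const minimalVersionSelection = (root) => resolve(root, (_, minV) => minV);

// Floating-range behaviour: visit the newest published version that satisfies
// the minimum, so a release published after the last resolution is pulled in.
const newestMatching = (root) =>
  resolve(root, (name, minV) =>
    registry[name]
      .filter((v) => cmp(v, minV) >= 0)
      .reduce((a, b) => (cmp(a, b) >= 0 ? a : b)));

// What the root module declares (think go.mod or package.json).
const root = { B: [1, 2], C: [1, 1] };
console.log("MVS    :", minimalVersionSelection(root)); // D stays at 1.3
console.log("newest :", newestMatching(root));          // D jumps to 1.5
```

With MVS, D only reaches 1.5 once the root (or a dependency the root explicitly bumps) states that minimum, which is the "unless explicitly requested" part of the comment.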


> In theory the same things could happen for PIP, Maven, Gradle, their Rust and Go counterpart and any such package manager. Any data on this?

Rust employs version locking for its builds, so you'll only be able to propagate malware with it if:

0. The developer's cargo definition auto-grabs the latest dependencies (trust me, very few do this)

1. The developer has deliberately updated the version of their dependency

2. The developer doesn't notice any significant changes when debugging/staging the new release

3. The package passed through testing without identifying any malware or malicious changes

In theory, it's possible to distribute malware with Rust's dependency system, but doing so would be pretty difficult. I'd say there are some pretty good roadblocks in place to prevent it from happening.


The only real change from the NPM case is speed of distribution of the end results, users don't need to consciously update. NPM has package and package-lock just like there is cargo and cargo-lock, so devs are just as in control of the dependency versions they are shipping.


> Maven, Gradle

It's very uncommon to specify the "latest" version in Java package managers. The capability is there, but everyone always specifies something exact. And there aren't nearly as many transitive dependencies. Many popular Java libraries don't have any dependencies at all. And, at least on Maven Central, you can't overwrite an already released version of a package, you can only add a new one.


And this is why I hate the JS ecosystem. Everything is monkey patched by a bunch of randoms who published a package that scratched their itch and you have 0 assurances of their intent or stewardship. If you want to vet dependencies- good luck - the standard library is so shit that pulling one dependency might bring in a 100+ packages with it. Even the "big corporate sponsored" libraries depend on random crapware - like the leftpad incident clearly demonstrated.

Returning to .NET Core recently I'm very fond of the ecosystem in this regard - everything is open source - but so many things are provided by Microsoft you rarely have to venture out, even stuff that's not under their repo/umbrella has people paid by Microsoft working on it (eg. npgsql).


Why do you think .NET's NuGet is immune?

Are you aware that Microsoft bought NPM (or at least tried to)?


Because most nuget packages I get are from Microsoft, and if I use something that's not, there is usually a Microsoft employee on the team or it's a trusted community package without random third party dependencies. Meanwhile half of npm was broken because of left pad.

It's got nothing to do with npm as a repository - I don't trust the community.


Bram Moolenaar famously uses Vim to raise awareness. A VPN package, dead drop website, steganography package, onion router, multi-point P2P routing mesh drivers, or other software and education on how to use them could really make a difference for dissidents. There are certainly productive ways to use software to support protests, organizing, workers' strikes, or even support targeted sabotage or insurrections without indiscriminately destroying people's data.


He uses it to help starving children by including a message on startup. That's a little more agreeable and less political than all of the things you listed. To try and compare it is fucking absurd.


> That's a little more agreeable and less political

I don't think the difference is the message and how political it might be, but the way the message is delivered.

A message, or even refusing to run¹, is completely different to deleting or corrupting data.

[1] though unless that is very precisely targeted I'd still think it a step too far.


Huh? It isn't really clear what you are arguing against. The commenter you are responding to is agreeing with the article that using your project to spread a message is ok and possibly even helpful.

It is betraying that trust to make indiscriminate attacks that harm. If people want to do more than just add a message, the author points out a number of types of software that people can contribute to that would have a more direct positive impact.


One of the things I listed is more agreeable than all of the things I listed? Please tell me more about how that works.


One of the things I think protestware doesn’t understand is that the “users” of something are not clear-cut, and that should be especially obvious for things like chains of dependencies in modules/libraries. In other words, some (if not many or even most) people have no idea that something else they use (or even need) is depending on your stupid module.

For example, how would I know if my mouse driver software happens to use a certain Node module, and one of its auto-updates just starts breaking things? Yes, it would be a stupid technical decision on the part of the mouse driver company (and that company would ultimately be responsible for the fallout) but how does that help the person actually affected, in the meantime? And did the protestware developer really not think that someone “downstream” like this could be affected by such decisions? Not everyone is sitting at a terminal seeing a message printed out.

Of course there are other reasons too, e.g. you completely destroy your credibility as a project (or even potential employee in the industry) by pulling stunts like this, and how could that be worth it in the long run?


So company is making mice in bad place X, mice break after update, tech sleuths inevitably link mouse problem to protestware, people start asking questions about company? Isn’t that potentially causing change? Doesn’t that specifically rely on affecting downstream users? So you weigh the likelihood of positive vs negative outcomes against your risk tolerance and act accordingly.

I’d personally think that working on Truth Social would permanently affect your credibility in the industry, yet they have some devs who probably feel proud to work there. So people have different priorities in their lives.


> and how could that be worth it in the long run?

fake internet points.


You are right, but economic sanctions also harm the countries that are making these sanctions. Shell leaving Russia also harms Shell. Banning Russian airlines harms aviation as a whole. And it's not a reason not to do them.

I think also that it's better to focus on propaganda, like displaying an ASCII art of the old woman threatening a Russian soldier or whatever.

But at the end, maintainers have the right to do anything they see fit. And disruptive actions are in my view better than apathy and just ignoring the whole thing.


Withdrawing a service is very different from delivering a malignant service. McDonalds is withdrawing from Russia instead of serving contaminated Burgers.


Was talking with a friend about the peacenotwar thing. I think its pretty interesting to view so many of the decisions like this through the “we have to do something” mindset so many people have, especially on social media.

All of these companies shutting down in Russia, people pressuring others to take a stand or shut down their services, upset the population. On HN I remember the namecheap thing and the service that allows westerners to call random Russians and inform them. On paper these seem like solid moves, but I can't help but feel like it's only harming the citizens, and potentially irresponsible in a place where someone faces consequences for speaking out. I don't think anyone is going to risk their lives and take notable action because they need to find another service for their website, or some random foreigner telling them their government is lying. Of course these issues are more complicated, and taking these actions isn't a bad thing necessarily, namecheap has offices in Ukraine so they are going to take it personally, but there have been many cases where the company does it out of nowhere. These actions are inconveniencing the population, and when taken to the extreme like with peacenotwar, potentially very harmful. And I don't know if it's doing much else. Yet too many people are acting like inaction is unacceptable.

I understand, you feel powerless in situations like these, but that shouldn’t stand in the way of making smart decisions. The need to do something has been pressuring people to take actions without considering the actual consequences vs the intent.


Sanctions and boycotts are unfortunately blunt. Yet, every citizen in Russia pays Russian taxes. Tax rubles fund the war. Taxes are paid equally by those who support the war, and by those who oppose it. The end result is the same - bombs on Ukrainian maternity wards.

It is a shame that the innocent have to suffer, but I'd rather impose sanctions and boycotts and see a smaller number of bombs rain down over Ukraine.

For this reason, I support every move to cut off anyone in Russia from any and all foreign products and services (perhaps with the exception of medical supplies and children's toys, but the principle stands).

In aggregate all these small actions are having a very real impact on Russia's ability to conduct the war.


Yeah, I probably should have clarified. I'm 100% for the sanctions and they are effective given the state of their economy rn. That directly affects the way they fight the war, with the civilian harm being an unfortunate side effect.

I was referring to the more meaningless actions that don't affect the Russian government or military to any significant degree, to attempt to upset the people and encourage them to speak out.


Somewhat related, but I have talked about this twitter thread a few times recently

Essentially, someone was working at a homeless community shelter, and often found the bathroom completely destroyed. Paper everywhere, missing the toilet, intentional destruction and trying to make it as messy as possible. Every time they would clean it it would just get trashed once again.

They had a theory that being trapped in that kind of situation gives them so little control that their brain wanted to take control over something however it can, which led to the bathroom situations. They related this to “cancel culture”, needing to call out people for the littlest things, or the loss of direction in social justice, but I find it applies to a lot more than that.

My device is freaking out rn, can't pull up a link, but if you search for “the trashed bathroom thread” you should be able to find it.

Maybe got it?: https://twitter.com/tercicatrix/status/1376210092492791809?l...


I'm in Texas. A LOT of Californians disagree with some of the laws that Texas has passed. How long will it be until my hard drive gets reformatted by some protestor in San Francisco who localizes my IP address?


Another fun scenario: your project has two dependencies, made by two different developers: `left-pad` and `right-pad`. `left-pad` will format your hard drive if it geolocates you being in a state that allows X. `right-pad` will format your hard drive if it geolocates you being in a state that criminalizes X.


Write a wrapper project that changes your location before any left-pad or right-pad function calls. Or just fork both and fix them how you see fit if they're open source.


Dependency hell but with more politics!


You pretty much summarise what is wrong with the title.

It is not "Protestware" that harms open source. It is politics and ideology that harm open source.

And at the rate things are going, maybe Open Source will not only be split between permissive and copyleft, but progressive and libreRight.

Edit: Now I remember Douglas Crockford's "The Software shall be used for Good, not Evil." license. I wonder if there are still any open source that uses it.


> It is politics and ideology that harm open source.

The movement towards free and open source software was created in no small part due to activists with a very strong ideology. Open source would not exist to the same extent without the ideology espoused by the FSF. The problem is that abandoning a key tenet of the free software movement, neutrality towards different uses (part of freedom 0 of the free software definition), does far more harm than good and contravenes FLOSS ideology.


> The movement towards free and open source software was created in no small part due to activists with a very strong ideology

They did have a strong ideology and they worked towards building the world they wished to see. Not by breaking existing things to virtue signal their support for "the current thing"


And then all of the effort spent on "building the world they wished to see" gets used to also build a world that goes against everything they wished, against their ideology. Due to openness of their efforts they also don't have an option on influencing that, unlike commercial products who can simply stop doing business with precise companies/people/territories. What if the very idea of open source gets used against itself? What would you advise those people to do? Shut up about "the current thing"?


Yeah, but that means the problem is in fact protestware and not "ideology" in some vague sense.


yeah it's kind of ironic to call for "no politics" in a movement that is essentially based in digital anarchism.


Thanks. Brilliant response I will save ( or Steal it ) it next time the conversation comes up.... which is increasingly common in Open Source.


> The movement towards free and open source software was created in no small part due to activists with a very strong ideology.

This is true, and an argument that keeps getting repeated, but isn't the same issue. The politics of open source software are about software. How it's made and how it's used.

The modern push is about injecting outside ideology into software (and everywhere else). Bringing geo, gender, and racial politics into software is a whole lot different than software politics in software.


Either you or I misread GP, because I don't see any disagreement. GP points out that FLOSS movement was and is inclusive by design, while this modern development is exclusive by design against people who disagree with the person's opinions.


Yep, not disagreeing with them at all on their overall point. I just see this "FLOSS is inherently political" line floated a lot, and wanted to point out that it's a false equivalence. I probably could have made that clearer.


That's exactly what I would write here. FLOSS is basically a political movement against the software industry since 1960...


"protestware" is just malware. The punchline is: do you understand your supply chain? Can you audit your software? Do you have security controls for potentially hostile packages?

This is nothing new: this is a problem which has always existed.


you can't really escape politics and ideology. What you can do, is to not be petty with your public contributions. As the parent example states, while somebody /could/ embed malware into their software that targets Texans, this falls under the pre-existing social doctrine of a "dick move". These things exist on a scale from "exclude government/corporate entities from your software license" to "try to fuck up random people's hard drives" and vary widely in terms of validity.


I think the main problem is that we are increasingly operating with different definitions of "dick move."

To many people, the idea that a small business owner would have their store burned to the ground because someone else in their town (or on the other side of their country) did something bad, is a massive dick move. Yet, this happened numerous times during the summer of BLM in 2020 and it was widely defended with things like, "everything is political" and "not to take a side is to take a side" and "you're either with us or you're against us" and "mostly peaceful protests." There was even a famous "looting is reparations" in articles and at least one book called "In Defense of Looting."


If anybody is defending burning down small businesses as part of BLM, I can promise you they're in the vast minority.


It isn't ideology, it's malware for political purposes.

https://xkcd.com/605/

No, at the rate things are going, OSS will not be as you describe.


Thanks for the perspective and the laugh. It's very easy to see a trend that isn't there in an aberration.


The only good news I have for you is that _perhaps_ in that case the FBI and CISA will investigate, because there will be a US resident victim.

IP-based geolocation is garbage but there aren't many Russian/Belarusian-attributed IPs in the US so the intersection of those with people using node-ipc was empty, and the US Government couldn't be pressured to investigate/enforce.


Putting such trust in state actors in the year 2022 seems optimistic to the point of naivety.


[flagged]


This administration might be D, but the next one might not be. What's the statute of limitations on CFAA?


I have legitimately argued against using NodeJS as the foundation of our next product for this very reason.

NodeJS' culture is very much "move fast and break things", and "all software is political". Look at the TSC drama. Leftpad.js.

This isn't an ecosystem that you want to build and maintain a product on.


Basically all big js front ends have the same issue. Most of them had banners or whole pages for the BLM movement which made no sense to anyone outside of the US like myself.

I mean a framework or library with a global audience shouldn't push American politics. Vue, React, Preact, Nodejs, Ember (had a whole page and made documentation unavailable for some time), Go lang, ExpressJS (still has the banner up), Typescript, a lot of python projects etc etc. The list can be made very long.

I try to avoid any framework and library that pushes political agendas onto their sites because that signals what type of people are in charge of them. They must think that their political views are so important it must infiltrate every aspect of life even if the thing has nothing to do with it. Unfortunately, there is such a large amount of them doing this it's practically impossible to avoid it.

The funny thing is, now that Russia has invaded Ukraine there are no banners on the same websites so it's obvious some lives matter more than others in their views..


> Most of them had banners or whole pages for the BLM movement which made no sense to anyone outside of the US

pretty sure they made sense to quite a few people outside the US:

https://blacklivesmatter.uk/

https://tribunemag.co.uk/2020/06/frances-black-lives-matter-...

https://www.americamagazine.org/politics-society/2020/06/22/...


Comparing Europe with the US when it comes to the police killings is ridiculous. Sure there were attempts to bring it to Europe but that is besides the point. There are a lot of countries in the world, many without any issues in which the BLM protested against. Why should we get pushed American politics for? What is the point?

The UK as an example had something like 6 people killed that year when protests arrived. Most of which weren't black if I remember correctly. Do you really think it's comparable to the issues that exist in the US?

My critique is still valid tho, don't Ukrainian lives matter? Why are there no banners for them?


> The funny thing is, now that Russia has invaded Ukraine there are no banners on the same websites so it's obvious some lives matter more than others in their views..

Supporting one issue publicly does not mean you think it's more important than every issue you don't support publicly.


It would seem to.

That was literally the whole thing of "inclusive language" right? It wasn't about what the words actually mean, just how people felt about them. If they felt the word was discriminatory, then it should be fixed.

If you're going to throw up banners on every JS site for one cause and not another, you're saying very loudly you don't care as much about the other. You, under the logic of "discriminatory language" even be engaging in discrimination.


> Supporting one issue publicly does not mean you think it's more important than every issue you don't support publicly.

There is a big difference with war and people being systematically killed and a potential unjust legal system. War is obviously many times worse in every aspect and I think it's hilarious on what these people publicly support and what they don't.

It's hypocritical, unfair which makes it a big irony since that was what the BLM movement was all about (unfair treatment).


> Most of them had banners or whole pages for the BLM movement which made no sense to anyone outside of the US like myself.

It isn't limited to JS frameworks. I remember seeing banners on Kubernetes docs too.


It's not even that a software project can't (or shouldn't) have political causes that it supports.

It's the arrogant attitude that "if you aren't for me, then you're against me". That their views are so righteous, that the only people who could possibly object are bad actors.


Again, you’re calling this “political” because it doesn’t matter to you, and it certainly sounds like it doesn’t personally affect you. To other people, BLM is a serious existential threat. You’d lose your mind if someone chalked the question of your existence up to “politics”. You’re really showing your hand. And no, I’m not American either, but that doesn’t somehow make me blind to the fact that BLM is a big deal.


So why don't the same sites have banners for Ukrainian lives? Russia's invasion is for sure a bigger existential threat to them since they got invaded by a foreign state.

I think you're showing your hand. I am arguing for treating everyone the same, and that the people in charge of these sites appear to care more about American lives than Ukrainian ones.

If you're gonna have banners, then having them for Ukraine is an obvious choice for me. OR.. maybe you could decide not to bring politics into tech with a global audience at all and skip all this bullshit.


It’s a problem in any ecosystem. It’s not like there haven’t been attacks in NuGet packages or the recently famous Log4j vulnerability. I’m not going to pretend there aren’t some pretty deep flaws with nested dependencies in Node modules, but it’s really more an issue with unprofessionalism in my eyes.

I’ve never worked at a place that would auto-magically roll out things like Windows or Chrome updates without having them vetted first. If you can’t trust those, then you certainly can’t trust some random NPM package, and if your organisation doesn’t have a strategy for how you handle something that unsafe then you really need to step up your professionalism.

I personally consider NPM packages to be sort of nice, in the very cynical way, that the community tends to beta test updates for you much faster than with any other dependency system.


Not all ecosystems are the same in the extent to which auditing and maintaining dependency chains is a burden. All of Linux From Scratch consists of something like less than 90 distinct dependencies, for instance. When I went to add a token-replacement library to mdbook so I could interpolate variables in a book, Cargo pulled in 287 dependencies. For better or worse, the newer, hotter languages of the day seem to be predicated on extremely small, sometimes single-function, libraries, and thus enormous and arguably intractable dependency trees.


All things are inherently "political" just not always significant enough to be worth considering.

The trite ways to say it (ie: "we live in a society" or "actions have consequences") don't really capture the full complexity of human interaction but do somewhat describe the notion that everything you do as an individual affects and is affected by everything everyone else does. Being "political" really means just believing that those effects are too significant to ignore.


What makes everything political? Of course something I do or say can influence others, but it is still not political in the vast majority of instances. Not even non-significantly.

Political action is shaping my environment to my desire. Via compromise or war perhaps. What is your definition of it that it applies to everything?


That's just action. What makes it political is if it happens to have an effect outside of your home. (And technically even those restricted to the inside will usually end up having some sort of effect outside of your home.)


Hm, I disagree that any effect has to be political. If so the word seems to have little intrinsic meaning.


Isn't this mostly a problem of auto-updating and non-pinned dependencies? If you vendor and audit your dependencies this isn't really a problem.


Yes true but have you audited your thousands of modules? If you have a build tool that wasn’t born in 2020 chances are it pulls a hundred dependencies from 20 separate vendors.

I saw this as a JS developer who scarily runs npm installs multiple times a day.


I’ll be using Deno for new projects from now on.


That reminded me of the whole Ayo.js thing: https://github.com/ayojs/ayo

The NodeJS community somehow tends to attract the worst kind of people.


Again, nothing stops you from having a better supply chain for your software:

Download all dependencies and freeze them, fork the dependencies and groom your fork, or have Dependabot or depfu manage your dependencies for you and keep a delay before merging the PRs, have manual review, etc.

You shouldn't be pulling stuff from the internet and pushing to production without taking a look at it anyway...
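The two comments above (pin and audit your dependencies; freeze them and keep a delay before merging updates) describe a policy that is easy to automate. The following is an added example written for this thread, not code from any of the projects discussed: a pre-merge check over a frozen lockfile that flags entries without an integrity hash and versions published less than a configurable number of days ago, so a freshly sabotaged release has to survive public scrutiny before it can land in your tree. The package names, hashes and dates are constructed sample data; the object shapes follow npm's package-lock "packages" map and the registry's per-package "time" map, which is an assumption about the inputs you would feed it.

```javascript
"use strict";

// Added example, not from the thread: a pre-merge policy check over a frozen
// lockfile. It rejects (a) entries without an integrity hash and (b) versions
// published less than `minAgeDays` before the check ("cooldown"), so a fresh
// release has time to be noticed by the community before it reaches you.
// All package names, hashes and dates below are constructed sample data.

// Constructed: mirrors the shape of npm's package-lock "packages" map.
const lockfile = {
  "node_modules/sample-utils": { version: "1.3.0", integrity: "sha512-AAAA...constructed" },
  "node_modules/sample-rpc":   { version: "10.1.1", integrity: "sha512-BBBB...constructed" },
  "node_modules/unpinned-lib": { version: "2.0.0" }, // integrity field missing
};

// Constructed: mirrors the shape of the registry's per-package "time" map.
const registryTime = {
  "sample-utils": { "1.3.0": "2021-11-02T10:00:00.000Z" },
  "sample-rpc":   { "10.1.0": "2021-12-01T00:00:00.000Z", "10.1.1": "2022-03-07T18:30:00.000Z" },
  "unpinned-lib": { "2.0.0": "2020-05-05T00:00:00.000Z" },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockKey) {
  const marker = "node_modules/";
  return lockKey.slice(lockKey.lastIndexOf(marker) + marker.length);
}

// Returns the list of policy violations; an empty list means the lockfile passes.
function checkLockfile(lock, times, nowMs, minAgeDays) {
  const violations = [];
  for (const [key, entry] of Object.entries(lock)) {
    const name = packageName(key);
    if (!entry.integrity) {
      violations.push({ name, version: entry.version, reason: "missing integrity hash" });
    }
    const published = times[name] && times[name][entry.version];
    if (!published) {
      violations.push({ name, version: entry.version, reason: "version not found in registry metadata" });
      continue;
    }
    const ageDays = (nowMs - Date.parse(published)) / DAY_MS;
    if (ageDays < minAgeDays) {
      violations.push({
        name,
        version: entry.version,
        reason: `published ${ageDays.toFixed(1)} days ago, below the ${minAgeDays}-day cooldown`,
      });
    }
  }
  return violations;
}

// Demo run with a constructed "today" of 2022-03-10 and a 14-day cooldown.
const demoNow = Date.parse("2022-03-10T00:00:00.000Z");
for (const v of checkLockfile(lockfile, registryTime, demoNow, 14)) {
  console.log(`${v.name}@${v.version}: ${v.reason}`);
}
```

In CI you would run this against the real lockfile and the metadata fetched from your registry mirror, and fail the job when the returned list is non-empty; the cooldown only delays the update, it does not replace reading the diff of a dependency bump.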


So you’re basically saying, don’t use X tool chain because the 3rd party software doesn’t move at your pace? Or they have different “views” than yours? I don’t see how that makes any sense. Why do you have to be beholden to 3rd party developers and the pace they work at?


I'm not sure if you are being purposely obtuse, but the idea that you'd build your software on top of a technology or platform that might introduce instability due to the whims or politics of its stewards is absolutely and obviously a risk worth considering.


Did you read the parent article?

But, in at least one case—the peacenotwar module in the node-ipc package—an update sabotages npm developers with code intended to wipe data stored in Russia and Belarus. In a March 16 blog post on the malicious code, Liran Tal at Snyk said, “This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms.”

This has nothing to do with pace of development, or even the political views of the developers. It has to do with inserting what is essentially malware into open source packages that affect users based on geo-location.


OK, and how is this something unique to the Node.js package ecosystem? What's stopping someone on PyPI/some other PM from doing the same thing? I personally view these more as malicious copycat acts than anything inherent with the ecosystem. Should NPM start manually reviewing all of the packages that go through them, because of a handful of abusers? I'm not so sure. The situation in languages without a widely used package manager/ecosystem like C++ I don't think is any better.


I use software to build stuff, not to subscribe to a set of political ideologies.


A small, extremely loud, and extremely sanctimonious part of the population will not accept that. They will consider your lack of political motivation for your work distasteful and eventually immoral. You'll be asked to support movements, participate in ritual, and publicly proclaim your allegiance. Eventually, they'll demand it.

“Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. They may be more likely to go to Heaven yet at the same time likelier to make a Hell of earth. This very kindness stings with intolerable insult. To be "cured" against one's will and cured of states which we may not regard as disease is to be put on a level of those who have not yet reached the age of reason or those who never will; to be classed with infants, imbeciles, and domestic animals.” - C.S. Lewis


Oh there's no eventually. They've been demanding it for years. There's a very good reason why some software on my machines is already pinned to specific versions, and will not under any circumstances be upgraded.

Thankfully the field of software development has stagnated to the point that there really hasn't been any significant improvements to actual non-web software in about 15 years, so I'm looking forward to the brand new world with a stack of ancient machines, a bunch of boxes of capacitors, and a few hard drives' worth of abandonware, because frankly, fuck that noise THE AMISH WERE RIGHT.


not every politics-adjacent thread needs to devolve into "the wokes are coming for us all". You can disagree with the actions of progressives without making it this all-encompassing threat. Hell, I'm pretty left-wing and I'm fairly critical of some of the factions.

Either way, I can't see anybody putting "must add a BLM banner to their website" to the licensing conditions of their FOSS code.


That would be a wonderful thing to be able to do, if the woke brigade wasn't screaming "YOU'RE WITH US OR YOU'RE AGAINST US" a parent over. ;) Ignoring that isn't an option, unfortunately, believe me, that's been tried.


Yeah but so what? Disagreements are going to happen in politics. Other people disliking your politics and vice-versa is not an existential threat.

Anybody who legitimately makes a "liberals only" stand in their license will get forked and their usage will drop off.


>yeah but so what

Being silent about shitty behavior is the same as condoning it, don't you know? Just because you don't like the playbook doesn't mean it doesn't work.

>Anybody who legitimately makes a "liberals only" stand in their license will get forked and their usage will drop off.

Considering that the developer just pulled a "no russians" stand with their software...


> Being silent about shitty behavior is the same as condoning it, don't you know? Just because you don't like the playbook doesn't mean it doesn't work.

my point is that it doesn't matter. Condemn or not, regardless you can still fork earlier versions. Materially, it's not a threat to you.

> Considering that the developer just pulled a "no russians" stand with their software...

Yeah and look at how much shit they're catching for it. People are forking and freezing earlier versions, he's getting raked through the coals, etc. Is this really the outcome conservatives are afraid of?


>materially it is not a threat to you

Kind of crappy whataboutism there don't you think? What if I'm a VPN user and my hard drive was wiped?

>Conservatives

What does this have to do with conservatives?


> Kind of crappy whataboutism there don't you think? What if I'm a VPN user and my hard drive was wiped?

Yeah it obviously sucks to be a victim of this behaviour, but the developer is being roundly condemned by everybody. I thought you were worried about this type of behaviour being encouraged by progressives?

> What does this have to do with conservatives?

Just a guess, it's usually conservatives that hand-wring this much about "woke" people.


Well, do you think doing what you said is a bad policy? It looks pretty sane and effective to me.

> Why do you have to be beholden 3rd party developers and the pace they work at?

You don't "have to", you only are beholden to them if you use their software.


Do those laws mean that you should airstrike California? If not, why are you downplaying the significance of what's happening in Ukraine? Context matters in how proportional a response can be.


What about Californians throwing Molotovs at your house?

My point is that analogy is not a valid tool of criticism when talking about policies, because their inputs and outcomes are not simple bool -> bool functions.

Would you be satisfied with 1000000 years on average as the answer?


I have long argued that there are things that should remain agnostic of politics (as hard as it may sometimes be). This trend is genuinely destructive to open source and I can't help but wonder if it is not done to undermine it by design.


“Politics” is often what people call serious issues that don’t affect them. So, maybe you’d just like open-source to be the domain of privileged people.


I dislike this characterization ("privilege") as it is part of the new double-speak that is intended to stop the conversation, because, after all, how do you argue against that.

Yeah, I can do some things some people can't, but I can't do some things some people can. You can make a reasonable argument that everything is politics, but it is a slippery slope, because tomorrow I might find myself with files deleted, because I did not read the fine print with the vegan inclinations of the developer and his stance on this subject.

It can get bad really fast. It is already bad. Previously dumb pipes are being coerced to be 'smarter' and it is breaking the basic foundations of society. It is a privilege to live in a society. I think it would help if some naive activists did not undermine its foundations.


Or that someone in Texas would come after Californians.




"I'm not a biologist."

It's an answer good enough for the Supreme Court of the United States, but I'll bet it won't be good enough for Wokeware.


In a perfect world, everybody's hard drive gets reformatted.




I think this recent comment is relevant here:

>I don't want to hear anyone in this country [the US] complain about the Electoral College or gerrymandering the next time we decide to pull another Iraq War but they're opposed to it.

>Just like, overthrow the government - it's so easy!

>And if you don't have the guts - well, don't be mad when someone deletes all your files, you collaborator!

https://news.ycombinator.com/item?id=30727720


The problem is the logic goes both ways so there is no "just do <x>" because <x> differs per group.


It's your fault for not giving me the money. If you had done that sooner you'd still have your brain intact.




Congratulations, you're part of the problem. Enjoy creating a world in which open source cannot be relied upon for any purpose: https://www.gnu.org/philosophy/programs-must-not-limit-freed...


I'm sure your state/country has not a single unjust law on the books.


You are part of the problem


Thankfully none of my Java deps have turned my files into digital Swiss cheese.... yet!

What is it with some people wanting to "make the world a better place", but ending up starting fires and making it worse? Is it just middle class western liberal arrogance manifesting through a software developer's actions?

I don't want to make the world a better place, I just want to keep it from burning.


I just want to use Javascript to display the odd modal!


I have never been disappointed by open source projects until these recent weeks. The acts of some OSS maintainers that blatantly use the tools they maintain as a platform to show their support for one side have disappointed me. Especially because they have never taken sides nor noticed any other bloody conflict before this. I wouldn't be as disappointed if they had always used their tools to promote peace and stand with whichever nation is being invaded and oppressed. But no, they only care when a western/western-aligned country is being invaded. This just shows their hypocrisy and racism.


I think a lot of efforts to support one or the other side in a war overlook that governments often do things that are supported by only a small portion of their people, and that support is often achieved only through dishonest propaganda. And while the governments have the resources to weather economic and social pressure, their people frequently do not, the more so the more repressive the government. If we can't very directly target the government, not the people, we should keep out of wars that are not an attack on us.


It sucks because it only targets individuals, not companies that have actual power to change things.

A big site has production, testing, dev servers spun up by docker or whatever. So to fix this you just need to roll back the node package version and redeploy.

A person learning code/developing locally now just lost everything.


It’s crazy how much trust plays a factor in the success of open source.

And if that trust is eroded, the whole system comes crumbling down.


I'd say this is the case in the broader society, too.

Companies paying after the service is rendered, delivery services not having to be escorted by armed guards, being sure that a random worker won't poison the food on the production chain, etc


When I worked on Radar software (over a decade ago) they were very hesitant to use open source packages and such. Like everything there, there was a process that had to be followed. We'd have to vet the source and such and then bring it over to the development network. I don't think anyone did.

When I was leaving they were looking to run new projects on Linux (from the proprietary Unixes we were running) so I'm not sure how that would work. I'm guessing that's where the Linux vendors' fees come in.


I personally think this kind of thing is just a symptom of a larger problem; the modern open source software ecosystem is highly vulnerable to supply chain attacks.

Frankly, given how normal it is to just blindly download unverified, unsandboxed code from random developers and execute it on our machines it's surprising this sort of incident isn't more common.

What we need are better tools and processes to detect and block malicious code in dependencies before it has a chance to execute. I wrote up a few suggestions for that several months ago and I think they're still applicable: https://news.ycombinator.com/item?id=29266992


Quorum publishing would help a lot, and is doable. It would guard against supply chain attacks where the identity of a publisher is taken over by an attacker, by multiplying the difficulty and requiring multiple takeovers. However, it would not fully guard against a conspiracy by people willing to burn their reputations, as in the "peacenotwar" attack.

Per-dependency sandboxing and permissions might mitigate things to a degree, just as it has on iOS etc with apps. But it would require a different software module architecture than we have today for common languages.


Poorly chosen headline.

As the text makes clear, 'protestware' as a concept is fine, destroying random people's data is not.

> When deployed, this ‘protestware’ expresses the maintainer’s opposition to the Russian government’s invasion of Ukraine. Most protestware simply displays anti-war or pro-Ukrainian messages when run. This is a non-violent, creative form of protest that can be effective.


I wonder if protestware as a concept is fine. It's a form of ads, just people pushing their opinion in front of everybody just because they can.

Sure, everybody's against the war, but what if the message was a more controversial anti-this or pro-that topic - do we really want to have these messages pop up during installation and even after?


If a large project had "unpopular" opinions in the commit messages, it would be top of HN instantly and companies everywhere would be pressured into not using the project in the future. Software should do what you want, only what you want, and do that thing well. Political messages are horrible additions that accomplish nothing but isolate people and make free software look bad.


There is an argument to be made in the opposite direction. One of the key benefits to open source software is the opportunity to inspect the code that you're running... before you run it.

At issue here isn't open source as a concept, but rather an emergent ecosystem that blindly trusts package uploaders not to be malevolent. It points to a need for improved testing coverage. Indeed, since open source is open, it is also amenable to static analysis of uploaded package revisions, something one cannot readily do with closed-source software.


There were deliberate attempts to hide the file deletion payload in obfuscated code. Running your tests would have resulted in your files being deleted or the test passing, and would have done nothing to protect you from this particular instance.


>The “weaponization of open source” as Gerald Benischke calls it in his March 16 blog post is indiscriminate, and the collateral damage it causes damages the work of developers and operators solely because they have a Russia-assigned IP address. It harms peacemakers as much as the warmongers—even ethical hackers using a VPN to work against the invasion might become collateral damage.

I think this is a weirdly bad argument. All the sanctions against Russia harm pretty much all Russians because they're in Russia even if they're peacemakers. That's just the price of using sanctions. You can absolutely apply that to open source - block all Russian IPs and say "Sorry, but we endorse the sanctions that our government has put on Russia, and we're going to boycott your country for that reason" - just the same way that hundreds of western countries have pulled their businesses out of China.

Now they also make the argument that it's ineffective - that you're ruining your own codebase to try and make Russia suffer, but at the end of the day that's a judgement for the developer of the repo.

It's also naive to think posting "anti-propaganda" in commit logs is in any way an effective way of circumventing censorship, at best you're just hoping that your obscurity prevents you being censored, but that's basically just playing by the censors rules.


> same way that hundreds of western countries have pulled their businesses out of China.

First of all, there aren't 100s of western countries...


Sorry, meant companies not countries.


> harms peacemakers as much as the warmongers—even ethical hackers using a VPN to work against the invasion might become collateral damage

This line of criticism could be blunted by targeting government IP blocks. Would that make it okay? (I don’t think so. But it’s less black and white.)


> Instead of malware, a better approach to free expression would be to use messages in commit logs to send anti-propaganda messages and to issue trackers to share accurate news inside Russia of what is really happening in Ukraine at the hands of the Russian military, to cite two obvious possibilities. There are so many outlets for open source communities to be creative without harming everyone who happens to load the update.

For anybody looking for an easy way to do this, https://infowarship.pages.dev/howto-en may be interesting.

Add a single script tag to your project website, and all visitors from Russian IPs see a popup providing real information about the war in Russian, and links to accurate Russian-language reporting & Telegram groups, from outside the Russian state propaganda bubble.

Not malicious or damaging, no problem for anybody in Russia visiting who doesn't support the war, but a quick & easy way to inform those who do, and to push back against Russia's internal propaganda & censorship.


Isn't it likely for Russian ISPs to start blocking infowarship.com, if they haven't already? Since the script is loaded from their domain this would be easy to censor.


I certainly hope people don't just load this random website's script directly from their website frontend. That seems super insecure. If people want to use that popup they should download the code, give it a quick review, then host it themselves. This also solves the issue with that domain getting blocked.


> That seem super insecure. If people want to use that popup they should download the code, give it a quick review, then host it themselves.

If the node devs did the same thing, this whole story would have been a nonstarter. I don’t recall if you suggested for node devs to also do this.

Ironically, if the dev who made the hard drive wiping changes had said that it was a protest against the bad practices of the node ecosystem which allowed for their hard drive wiping code to work as intended, I think that the dev would be getting just as much ire cast their way, if not more. This way, they get to perform two protest actions at once.

I’m impressed. I don’t approve of his methods, but I do find the causes justifiable.


With backend code, malicious stuff has to get through testing and hopefully some level of review, which is why the hard drive wiping changes were deliberately obfuscated.

The problem with loading frontend libraries directly from third parties is that they can change that code at anytime and for arbitrary subsets of users.


> The problem with loading frontend libraries directly from third parties is that they can change that code at anytime and for arbitrary subsets of users.

I’m showing my ignorance here, but why does node do this? Is that just a consequence of how JavaScript works in the browser? Could node be designed or used differently so that it doesn’t have these failure modes?


Eventually, sure, but I think this would have to become very widespread before that happened - they've only just blocked Google News today.

The instructions above do encourage self-hosting the script though, for both avoiding-block & security reasons.


I never understood why any maintainer worth his salt would admit logic bombs into his own turf. This is literally putting a wolf in the sheepfold in the hope he only eats the black sheep.

OSS is built on hard earned collective trust. Once this is gone, the golden age we are surfing on right now will be gone.


Unpopular opinion: telling people they need to keep their protests non-disruptive is akin to telling them they can’t protest. “Protest in a way where I can ignore you.”

Do I think “protestware” is a bad idea? Sure. Am I going to tell them to take their fight for human rights elsewhere? Not a chance.


> Not a chance.

Why not? Is every action legitimate as long as it uses "human rights" as an excuse?

Something doesn't become more ethical just because it's described as an act of protest.


> Something doesn't become more ethical just because it's described as an act of protest.

Agreed, but fighting back is often seen as ethical when unwarranted aggression is not.

In the case of this “protestware”, they’re both fighting back against unwarranted unjustifiable war AND doing no direct harm. They’re free to restrict who or where their software may run. They’re also free to include a boobytrap for anyone who doesn’t respect the license/restriction.


What?

That malware was directed to anyone with a Russian IP. The license was an open source license.


The license change was implied by the boobytrap. Are you saying they didn’t have the right to change the license?


I'm saying malware isn't the same as a license change.

If we consider malware to be simply a form of licensing, then all malware is allowed, in every place. If malware hits you, it means you shouldn't have been using the software.


I work in the banking industry which has a bit of regulation, and is a bit risk-averse. People are expected to engage in risk management at all levels. If sabotaging became more common, OSS adoption would likely become unacceptable at these organizations. Mine already blocks GitHub and you need to request permission just to view it, and even then you can't pull code via command line.

Putting in code that is destructive like that, for any reason, is a good and fast way to scare management away from using your code. If you are going to insist on doing that stuff, just engage in hacking on the side lol.


> Instead of malware, a better approach to free expression would be to use messages in commit logs to send anti-propaganda messages and to issue trackers to share accurate news inside Russia of what is really happening in Ukraine at the hands of the Russian military, to cite two obvious possibilities

How about not taking sides instead of acting like a kid believing one side is black and the other white with absolutely no gradient in the middle? Also, propaganda goes both sides, just like in absolutely every conflict in History. Stop being a tool of your own government.


> How about not taking sides instead of acting like a kid

If you have the power to do something and you don't, that's taking a side. You either oppose something or you enable it. At least own that. If you're saying you're neutral, you either agree with the unpopular side and are scared to admit it, or you can't form an opinion because you're uninformed and thus uncivil, or you feel unaffected by what's happening and thus discompassionate. Either way, that's pretty much the definition of "acting like a kid".

By the way, everything is not propaganda: anti-propaganda can just be the truth.


> If you have the power to do something and you don't, that's taking a side. You either oppose something or you enable it. At least own that. If you're saying you're neutral, you either agree with the unpopular side and are scared to admit it, or you can't form an opinion because you're uninformed and thus uncivil, or you feel unaffected by what's happening and thus discompassionate. Either way, that's pretty much the definition of "acting like a kid".

I think this is an interesting argument, and I think it translates to a real world example quite well. For example, if my older kid hits younger kid I have to either:

1. Punish the older kid, taking the "side" of the younger kid

2. Not punish the older kid, thus taking the "side" of the older kid

however I think there's more nuance here than just that, because either of the kids could be lying. I wasn't there, I have no video footage or proof, so I can only investigate and interrogate, and at some point I have to make a decision. Oftentimes it comes down to the question of which is worse? Punishing an innocent kid, or letting a crime go unpunished?

The answer to that is far from clear to me. As an authority and neutral arbiter, I have a duty to administer justice, and I don't think it is wrong to take the view that punishing an innocent can be worse than not punishing a guilty one (obviously individual circumstances really matter here).

I also have a full time job, and I can't arbitrate between my kids all day long. I have limited time/attention. Given that there are dozens of issues every day that come up, and I don't have enough bandwidth to handle them, some packets will by necessity have to drop.

How do you know which position on which issue is the "right" one to default to when you don't have enough information? Given your argument, you must default to one of them. What criteria do you use when you have limited info?


You described a challenging situation to arbitrate. What if your kids were adults and one of them broke into the other one's house with the intent to murder him and his family?

I say that Ukraine has the right to sovereignty and I condemn Russia's assault on that right and on its people. It goes against what I want from the society I live in. There is no nuance there.

We could talk about war crimes that are seemingly being committed in droves by the Russian side. We might find nuances there. But, there's no nuance about the crime of starting the invasion in the first place.


> If you have the power to do something and you don't, that's taking a side.

Pushing political commit messages is not "power". If you're like everyone around you, you are not a rebel, just a conformist.

And using indiscriminate IP-location malware to annoy people is the textbook definition of evil child behavior. I'm not sure what exactly you are trying to defend here.

> By the way, everything is not propaganda: anti-propaganda can just be the truth.

How do you know what the truth is when you have no foot on the ground?


> Pushing political commit messages is not "power".

I'm not debating whether it works or whether it's the right form of activism. I'm responding to your comment. Namely you saying that taking a side is childish.

> If you're like everyone around you, you are not a rebel, just a conformist.

If your goal is to follow the herd, that's bad. If it's to go in the opposite direction, that's the same thing. I'd encourage a person like that to think about more than himself.

> How do you know what the truth is when you have no foot on the ground?

Are you disputing Russia's recent invasion of Ukraine?


> Are you disputing Russia's recent invasion of Ukraine?

Not the GP. I don't specifically dispute that. But in a time when many fictional stories can be told through video, I think it's reasonable to be unsure and neutral on things that we don't have direct knowledge about. Put another way, I think being neutral and silent by default is a necessary defense against manipulation.


> Put another way, I think being neutral and silent by default is a necessary defense against manipulation.

I can sympathize with the sense of confusion, but this is one of the principal purposes of information warfare. When successful it does one of the following things:

1. disengages people who would otherwise be opposed;

2. sows doubt and division;

3. makes people believe the propaganda is true.

We often fixate on #3, but #1 and #2 are the principal goals of today's information warfare, because they're much easier to achieve. When the other side's population doesn't know what to think, you're in a great position. It's effectively demobilizing the enemy.


>Put another way, I think being neutral and silent by default is a necessary defense against manipulation.

But what if the purpose of the manipulation is to suppress dissent, or at least encourage passive acceptance of the status quo, by convincing people to remain neutral and silent?


The people who have certain knowledge of something wrong in the world, through firsthand experience or domain expertise, should certainly speak out. For example, I'm vocal about accessibility for blind people, perhaps to a fault. But I think we should be silent about things that we don't have direct knowledge about. Otherwise, we're no better than computers in a botnet sending out spam. That's why, lately, I've unsubscribed from multiple political mailing lists that keep pestering me to sign this petition or talk to my legislator about that important issue. I realize that I don't know enough to have an informed opinion on these things, and I don't want to be manipulated. (Yes, the fact that I unsubscribed implies that I went through a period where I was more involved in things I don't have expertise about; I was wrong in that.)


>The people who have certain knowledge of something wrong in the world, through firsthand experience or domain expertise, should certainly speak out.

To whom? If everyone followed the rule you're proposing, the only people they could speak out to are people who share their firsthand experience or domain expertise. Communicating further would necessitate secondhand information or some form of media which can't be trusted, as it could possibly contain some manipulating element. Who could Ukrainians ask for help from? The Russians? Would everyone else be required to fly to Ukraine to try to verify the existence of the war firsthand before having an opinion?

There are more important things than being made a fool of sometimes. The risk of being manipulated exists no matter what you do, or don't do, and you can never have perfect knowledge of any situation, even if you're an eyewitness, because human perception itself is fallible, limited to a single perspective and prone to self-deception.


Using the existence of shades of grey to deny the existence of black and white is equally childish in my opinion...


Open source is driven by many opinionated and idealistic people who also worry about the current geopolitical developments. They might make their opinions known in a non-destructive manner.

You might not like it, fair enough, but expressing one's opinion in commit messages is neither childish nor an instrumentalisation by any government.


> expressing one's opinion in commit messages is neither childish nor an instrumentalisation by any government.

It's childish because it's incredibly naive to think that commit messages are going to change anyone's mind. Instead they will look like someone preaching for no reason. Next, how about doing an online petition as well? /s


A lot of folks are just anti-war and are protesting the invasion for being an act of military-aggression.


Was this also your stance during BLM protests? Asking for a friend.


Not taking a side is agreeing with the oppressor.


No, not taking sides is just not taking sides. There's no need to turn such a position into a shortcut to something else. It's as stupid as the kids saying "if you are not with us you are against us". Typical populist bullshit.


How hard is it to just say "I think Russia is wrong for invading Ukraine and killing people"? That's all you have to do. Just write it.

If you can't do that, but still want to engage in the discussion on the topic, your standpoint is clear. You're not some holier person not taking a stand. You have taken one, you just don't dare to spell it out.


> If you can't do that, but still want to engage in the discussion on the topic, your standpoint is clear.

That's not the topic at hand. The topic is, you don't need to pollute everything you work on out there with your preachy opinions on every single topic, especially when you are wholly ignorant about what's actually happening, the ins and outs of the conflict, because you are in a state of constant propaganda, whether you are in Russia or in the West.

And this is not just about the conflict at hand, it's about this disgusting habit these days of bringing politics in all walks of life where it was not before.


You can't blame people for doing whatever they can when they are literally being bombed. Same with BLM mentioned in another subthread, it's easy not to care when the issues don't affect you, but for others it's their daily life. Of course it colors what people do.

People who claim there were no politics before, were just oblivious to others' struggle. Which is ok, but it still happened, you were just sheltered or privileged.


> You can't blame people for doing whatever they can when they are literally being bombed.

Are the authors of the change in question actually in Ukraine? And I'm pretty sure that technical minded people there could find better uses for their talents, rather than petty vandalism


> You can't blame people for doing whatever they can when they are literally being bombed.

I can't remember when people cared about the bombs falling everyday in Yemen. How absurd is it for people to suddenly care and cry publicly about one country's conflict while another much bloodier one, not too far away, is being completely ignored. Is their blood less red? Are their children worth less? Systemic racism maybe, since these are not white people?

Mass media (including social media nowadays) is what shapes what people care and feel concerned about. It's not about people's values; this goes on to say a lot more about how easily people can be manipulated to project violence onto anything they had no clue about 5 minutes ago, as long as you repeat it all day long.


Because if I spend my time writing down everything I think is wrong with the world, I literally will not have time to do anything else.

Your cause is not more important than thousands of other causes, and my refusal to spend my time amplifying your viewpoint does not in any sense imply I agree with the opposing view.


That's a fair point, but not when one intentionally enters a discussion about a conflict. You can't both claim no side and simultaneously pretend the aggressor is just as bad as the protester.


If I'm not mistaken, though, the discussion here isn't about the Russia versus Ukraine conflict itself, but about appropriate ways to show support for a political cause in general, and whether it's even appropriate to do so in particular contexts. On that meta-issue, I think it's possible to state an opinion, without implying any position on the conflict of the moment. And if I'm not mistaken, some people are saying that it's obligatory to state an opinion on the conflict of the moment; that's what some of us are disagreeing with.


I can still say that Russia is wrong for invading Ukraine and say that the protestware we're talking about in the thread is wrong too (a different, lesser wrong, though)


Of course. What I take issue with is the "don't choose sides"-people often say both are wrong, as if they are equally wrong. In these issues, it's one part killing or denying others their way of living, and others protesting the oppressors.


People with a contrarian streak are never going to performatively denounce something on command if they want to make a point which is unrelated to that denunciation.


So by this logic, if your blog/commit logs doesn't contain:

* russia invaded ukraine

* vaccines work

* wear a mask

* black lives matter

* trans women are women

* abortion is a right

then you're a pro-russian, vaccine-denying, anti-mask, white supremacist, transphobic, misogynist?


No one said that. I'm saying that if you cannot answer which "side" you're on, but still engage in the discussion (and thus have knowledge / interest in the subject), it's obvious for everyone to see.


That's not what we were talking about though? In the context of this thread, we were talking about the behavior of open source projects, not people engaging in political debates.


Are there limits to this, or do you think ”not taking sides” is a morally defensible position to have regarding everything? Is it ethical to be neutral when it comes to the holocaust?


I think it's OK to refrain from taking sides about anything that we don't have firsthand knowledge about. There's no shortage of political and moral busybodies in the world, especially now that we have the Internet. I'm sure I've been one at times. So I think it's not so bad if we start going in the other direction, just minding our own business and sticking to things we can actually do something about. I should get back to that.


It's perfectly ethical to not be loudly and publicly performing an anti-holocaust view 24/7/365, and failing to do that does not make one "pro-holocaust".

The list of Bad Things is endless, and failing to address any one of them does not make you in favor of that Bad Thing. It just doesn't.

You're just trying to bully people into spending their time amplifying your particular protest, and bullying in itself is a Bad Thing.


Estonia, Ireland, Latvia, Lithuania, Portugal, Spain, Sweden, and Switzerland, ... remained neutral during World War II.

Are you saying they were agreeing with the oppressor? It must take some serious mental gymnastics on your part to write such a statement.


Then you better be a well informed person or otherwise you will quickly become the latter.


[flagged]


Not silent when it is Ukraine, but for other, non-white parts of the world it is ok to be silent, right? BLM "peaceful" protests, also ok to be silent? Since when did we switch from Covid experts to Ukraine experts? Can you even find Ukraine on the map? The only non-silent thing that should be engraved in anyone's head is: war is bad.


Russia's aggression is pretty one-sided. Not taking sides is like turning your eyes away.


Cut the BS. One side has reportedly been mass butchering newborns and pregnant women in hospitals. I could hardly think of anything more wrong than this.

There is no 'I can explain it' or 'this is not what it seems' or 'they must have a reason' or 'just kidding' here. This is not normal behavior in humans.

There is no gray area about the war crimes of the Russian army. They have been videotaped, narrated, proven and reported extensively. Each building is proof. And now they are talking about using chemical weapons to speed up this genocide. Seriously, what were the Russians expecting? A clap?

Not taking sides? We are animals brain-wired to develop a strong reaction of seek and destroy in these cases. In less civilized times the murderers would be hunted and mashed into ground meat.

No more excuses. Don't call us kids, silly, ignorant, inconvenient or Russophobes. We are furious. We want this to stop. Right now.


There are no "two sides" to imperialism.


How about taking sides instead of acting like a kid believing the existence of gray negates the existence of white and black. Perspectivism is the beginning of inquiry, not the end of it. Stop being a tool of your own social superstitions.


Open source malware? That's a new one!


Perhaps I'm overthinking this, but open source malware is absolutely not new. It's been around basically as long as the internet has (and I mean pre-www). You could even argue that it pre-exists the internet since phone phreakers were sharing "code" earlier than that.


It's true that malware source code was available in the open even before large scale Internet access. But no one made a fuss about licensing, "freedom", philosophy, and the authors were mostly unknown.


Technically it was obfuscated, so not open source by definition.


This is crazy.

The monetary system is fracturing, now the open source system could be fracturing.

If I was Russia, I might start seeing the need to develop in-country versions of open source packages, as a matter of national security.


It’s open source: if governments are willing to pay people to fork the original and vet and merge all the future deltas then they just need to host their own package manager. But would developers trust a government-managed set of packages? In the US that is doubtful (I’d assume at some point FBI, CIA, NSA, DOD do something dishonest with it.)


At least they’d have an incentive to make it work reliably and not nuke your files. Sounds like an improvement already


In any country, really.


Open source, at its core, depends on cooperation and a mutual expectation of benefit from that cooperation.

When those expectations break down, the open source software process becomes but one of many casualties.


But on the other hand, these people are not promising anything, are they? Check the MIT/BSD/GPL etc., all of them explicitly state that the software does _not_ come with any kind of guarantee.

Harsh reality is: it's the user's responsibility to test for those. No one is forcing you to use this piece of code which is given as-is without any guarantees. No one is forcing you to update. It might be a dependency, but still it's not the problem of the code owner.

Or am I missing something?


They are not. And there would be absolutely nothing wrong with them no longer maintaining the package, deleting it, or with the package not working.

The issue here is spreading actual malware. A developer doesn't owe anything to anyone.

But actually and actively harming others through actual malware is unethical even if someone didn't promise they wouldn't do so.

If I give someone a piece of food that I expressly don't guarantee anything about, the worst one would assume is that it might be spoiled and I didn't check, or that the ingredients may be of very low quality. Not that I actually purposefully poisoned it.


I don't know. Going from the same example, if you give me food with a note on it saying "I won't be liable for anything, I am not giving any guarantees. And if you'd like to give this food to someone else, you must give a copy of this note too.", the poison possibility is not off the table.

Anyway, I understand the frustration of people who got broken tests, but just noting the different angle.


I think what you're missing is that this discussion is not about the legal consequences of these individuals, but about ethical decisions that will have a negative impact on the ecosystem as a whole.


Tbh I don't see an ecosystem here, there are some dots which are connected but seems like people are thinking there is a liable vendor polishing npm packages..

Also I'm not sure which one is more unethical: Malware from a random developer or profiting over his/her "free code" * by not giving any care about open source or sustainability of it at all.

* (in the view of big corp)


I think almost anything that makes corporations realize they are exposed to the whims of people contributing most of the labor to build their businesses is a good thing. They should be careful about what open source code they use, and more open to paying for support contracts or other contracts that provide some warranty of functionality. Right now they are freeloading, and THAT actually does hurt open source.


Could (/should) this be mitigated on the repository host side by scanning for and flagging malicious commits?

A paper from last year evaluating this on Github achieves a ~50% success rate[0].

Given GitHub is already training ML models across all repositories for Copilot, I would guess higher rates would be possible.

[0] https://arxiv.org/abs/2103.03846

Edit: add link


IIRC the recent examples of genuine "protestware" included a modification to the license. There are already tools on the SCM side which will detect that (Whitesource being one).


A curious inverse of this headline from last year:

> Code in huge ransomware attack written to avoid computers that use Russian, says new report

Edit, a better reference than the NBC article: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...


You can say what you want but this is a risk in remote unpinned dependencies.

As platforms, it is important to protect against this by making artifacts immutable. As people, we can only protect against it by auditing upgrades depending on risk.

I much preferred the old world, where I could pick pretty much any software package and it would be safe but that is not today’s world. It’s entirely possible that a colorizer scans my disk for ethereum keys.

In practice I rely on social validation but it is not a safe thing in general. Unhappy about the outcome but this tends to happen in time.

In the end, it’s true. If you bomb my house, I will strike back in whatever way I can. If the only thing I can do is burn you and your children, I will. If the only thing I can do is destroy your hard disk, I will. I am limited in retaliation not by morality but by ability.

And if I am like this, then I must assume that others are, too. And that I might get caught in the collateral blast zone.


The problem is not protestware, sabotage, or whatever. The problem is who does it.

Suppose the US government did this to sabotage Russia, since it cannot directly act against Russia because it would trigger WWIII. Nobody would care.

But this guy doing it, or you, or me? No. We are not allowed.


> Suppose the US government did this to sabotage Russia, since it cannot directly act against Russia because it would trigger WWIII. Nobody would care.

I would care even more about it. I absolutely don't want our government destroying trust in open source in such a fashion.


Major projects are going to need to add a clause to their CLA and/or vet their contributors. Sad we've come to this place, but everything is politics now.

Time to start paying for closed source and/or curated/vetted OS libraries now?


Keep dependencies low and use only the really crucial and well vetted ones. i.e. on a recent web application I'm using next.js, react and styled-components, express and knex.js. You don't need anything else.


It's eye-opening to see the amount of unexpected changes we're going to go through as a result of the west deciding to completely remove an entire country from their economic systems and encouraging/allowing their citizens to harass the (mostly innocent) populace trying to just survive.

I don't like how open source is being co-opted by people supporting _ANY_ political ideology or belief to cause harm to other people around the world. It's not _your_ code, so why are people openly advocating to modify it to cause harm to others?

It's a net negative all around, in my mind.


Oh good we're discussing this again.

The rancor this protest has caused in certain tech circles has really shown that we believe we're somehow different or better than the rest of the world.

In the real world 1 specific region has violated the norms the rest of us have agreed to ... you don't get to indiscriminately kill innocents while taking their land ... and the rest of us have acted appropriately by cutting them off.

In the tech world we are screaming about how the people in that region are getting inconvenienced by the free tools we provide because we are supposed to be above "politics"


> In the tech world we are screaming about how the people in that region are getting inconvenienced by the free tools we provide because we are supposed to be above "politics"

It isn't about being above politics. It is about abusing and destroying trust.

If you want to add messaging to your project, that is not harmful to the ecosystem and will just cause some people to view you as unprofessional. If you try to actively destroy people's files, you have stepped over that line and are attacking and harming people, not just "inconveniencing" them.


Isn't that the whole point of "open source" software? The author gets to put out code that matches their will, and if you don't like it, you either don't use it, or you fork it and make your own.

It's funny how every time there is an "open" project on the internet, from code to Wikipedia to whatever, there is always a group of people that forms to quantify, collate, tabulate, and regulate it into some imagined corporate structure.

Don't like the protest? Fork away!


Isn't NPM all malware anyway? /s

Seriously though, adding malware to OSS code harms trust. I'm down with messages or comments in support of X cause though.


I absolutely agree with this premise. Software (open source or not) should be usable and perform a useful function, not swarm users with spam to protest this or that.

The developer of the software that made the protestware was rightfully banned by Github. I haven't heard if he ever regained access to his account.


It could certainly have been done better: if it had instead run a torrent client that downloaded actual video from Ukraine it might actually have done something.

I get the author, it is impossible to see what is actually going on and not want to eviscerate Russia but the way he did it was counter productive.


The broader issue here is the security problem that this article highlights, which was present before the invasion. If the thesis of this article is correct now, it was correct then, and will continue to be correct. Even if you could put the cat back in the bag, we would still have the cat.


I don't think "protestware" is fully correct. Destructive behavior is more than just protest (my understanding is the dev deleted and changed user files to "heart emojis") and is something that shouldn't be tolerated. It's malware.


What they are doing literally matches the definition of terrorism: "use of violence and intimidation, especially against civilians, in the pursuit of political aims." So let's not dilute that into "protestware".


Arguments about protesting aside, isn't this not the first time npm has been hit with what is basically an injection attack that screwed up the day for a lot of people?

And people ask me why I refuse to use *.js.


This is why I file node_modules into the project's repo, so as to avoid the ever-expanding perils of npm install.


"protestware" is just malware.


In the past the big multinational corporations did not give a shit about ethics. IBM happily sold Hitler machines to categorize Jews, gypsies, Slavs and gay people. Now programmers 'protest', or more accurately, attack what they conceive as evil, and it suddenly becomes a thing. Which one is better? Of course neither is good enough, but I certainly think programmers can express their views and values. Sometimes you have to admit that fairytale concepts, such as open source, or the internet that every person can get access to, or globalization, or the end of history, are hitting a hard wall. Maybe none of these things from the last few decades are everlasting in the time scale of human history. If I have to choose between freedom of speech, which has proven true for several hundred years, and decades-old open source, I would not hesitate.


Maybe reframe this to "War harms open source"?


I get why the OSI published this post. They have a vested interest in the conversation and I agree with their points.

But the battle for the narrative has already been lost when people consider this to be a problem with 'open source'. Rather, it's a problem with software that's being given away for reputation brownie points. Here, the author showed exceedingly poor judgment towards users of their software, and this should result in the loss of goodwill and respect towards the author and the forking of their works if the license allows.

Open Source didn't enable this behavior. The author's poor judgement and the author's lack of need to care for the users of one's software is what didn't dissuade this behavior. In this case, it was giveaway software causing harm. In other cases, it's commercial software pushing hamfisted changes users don't want, because the users aren't empowered enough to fight it. The reason commercial software would avoid this particular type of stunt is because it's poor business sense to harm one's direct customers.

So what of Open Source? Open Source allows anyone to review or modify the software that engages in this behavior. So the community can salvage the author's good contributions and better custodians can carry the software forward.

Open Source also allows anyone to discover these cases proactively. Of course, almost nobody does this, because we as an "industry" have gotten used to four troubling trends, and ridicule those who aren't on this "bleeding edge":

* thinking that software that costs $0 to obtain incurs no additional costs

* not auditing our dependencies

* being unconcerned about the sheer quantity of dependencies

* blindly updating dependencies

It's a sad but predictable development that the field of Open Source software has basically merged with the community of authors actively looking to give away software for $0 (for fame or to upsell advanced features). Basically, the Open Source movement was too successful (in its advocacy and in raising the demands of the customers of software), and it has largely subsumed and supplanted the formerly-separate fields of shareware and trialware software.

This development is what truly hurts Open Source: so much software but too little emphasis on (or even demand for) curation, massive imbalance of contributors to users, the decreasing influence of programming-language-specific spaces, and increasing dominance of the "move-fast-and-break-things" culture.

The way forward is to achieve stronger curation, more focused maker spaces, tighter (as opposed to larger) communities, and an outreach effort to re-establish the philosophical distinctions between Open Source and freeware.


Considering that HN skews Libertarian, I'm a bit surprised by the anger directed at people exercising control over projects they own.

I guess it's easier for folks here to empathize with why a level of restraint over ownership for "the common good" is warranted when it's an open source library they imagine using.


Libertarians oppose fraud. Software that deletes your files on purpose, in a context where people reasonably expect it not to delete your files on purpose, is fraud unless there's a notice on it prominent enough to make the expectation not reasonable.


Feels like we always come back to this xkcd comic.

https://xkcd.com/2347/


I'm probably going to start sounding like a broken record here, but what I have realized is I am living here as a man. I am not a citizen, or another entity, and my morality is between myself and my "creator". This creator could be God, could be nature/natural selection, just whatever process brought the "I am" here.

I am also aware that with this knowledge I chose to not harm any other living entities. The "problem" is that people calling themselves "agents of governments" go around asking other people to initiate violence on other people, using words such as "laws" and "orders", and these other people, believing that "the government" is a real entity, and that these "laws" somehow overwrite our natural sense of morality and free will, decide to act and initiate violence.

In this current conflict, people who call themselves the government on both "sides" are instructing people to go initiate violence, and people thinking the authority is real do so, and go murder other people.

We, as people who are mostly "uninvolved", acting in the role of "citizens", are seeing this evil occur, and want it to stop. However, we are still supporting this idea that government is real, that "Russia" is doing something to "Ukraine", when there is no "Ukraine", or "Russia" or "United States", but simply people who act as if these entities exist. We give power to these egregores, or intersubjective entities, and by doing so believe we are somehow absolved from making our own moral decisions.

All of this stops when each and every one of us (or at least a big enough percentage) takes individual moral responsibility for our actions, and learns to be moral for its own sake.

A big part of this that a lot of people I've talked to seem to be missing is the role of "money", and how people with free will thinking that pieces of paper, or numbers on a computer have power or value. The only value that exists is us as conscious entities. Every aspect of reality, from this computer I am typing this response on, to buildings, art, and technology is the output of consciousness acting on matter on its own free will.

When we believe that having money in our possession gives us power and freedom, it gives us a false sense of security. If I have some sum of money, I believe I can use this money to influence reality by giving it to other conscious entities. For now this is somewhat true, because you, and other entities, agree to do things in exchange for these imaginary numbers. However, what is true is that each and every one of us acts on our own free will, and we use money because we are too afraid to admit we are dependent on each other. As we continue believing this, we allow other people who know how to manipulate the numbers in clever ways, such as those people controlling central banks and printing money, to exert large influence on the direction of the world. During the last two years, a very large amount of money was printed, and used to reshape reality. The value of every dollar decreased, as suddenly the equation was out of balance, but again, those in control of the money supply use this new money, and we, believing it represents value, change our behavior trying to capture the value, forgetting it is us who are the real value the whole time.

So my message to other people who want to hear it is: you are the value. There are no governments, companies or money. There is only us, and we are the value.


I miss the golden age when people more or less adhered to a "no politics at work" rule. Yes it's not possible to be 100% apolitical in most decisions but that's not an excuse to inject unrelated political signaling into everything.


I think there needs to be a counter effort against these people. Some entity like the EFF should maintain a database of people who have engaged in protestware so that there can exist APIs which will check for whether any of your dependencies come from these blacklisted people... or if you are about to hire them.


Not really a fan of exorcism, but it would pose a security risk. The probability it will hit the wrong people is immense to almost certain. Maybe even someone organizing protest within Russia. But random acts against Russian developers is an infantile form of protest in my opinion.


[flagged]


> We don’t need more whinging by men...

What if the "whinging" is done by women? Or non-white men? Do Ukrainian men get a pass for now, considering it's their country that is being invaded?

Seriously, this is a sexist qualifier. It speaks volumes about your ideology that it is important what kind of people believe something, rather than just evaluating the idea on its merits.

> Also, there’s certainly a subset of people with genuinely shitty views that don’t like that tech circles are becoming less of a save haven.

Is it so wrong to want to feel a sense of belonging somewhere? Especially if many of those people with "shitty views" actually helped make tech such a desirable industry to work in?

In general a person's ideology is not the best filter of their quality or whether they should be included in a community. A lot of toxic people hold the "correct" beliefs.

> Open source / free software philosophy’s demand for apolitical stoicism is dripping with privilege and the way people treat the ramblings of RMS et al as inherently infallible just because it helped push this industry through its infancy shows how immature this industry is.

FOSS is far from apolitical. What it is, is relentlessly focused on its mission. Many of these virtue signaling acts do nothing for their claimed political goals and at the same time undermine the great good FOSS has brought to the world. That you don't understand this is a sign of your own immaturity.


Whatever it takes to bring that dictator down.


This may actually be counterproductive to that end, as it disrupts the ability of the Russian grass roots to develop their own software. That capacity is fairly important to provide the technical ability to avoid state surveillance and to communicate without ending up in the cell next to Navalny.


Or it results in a balkanization of the FOSS community. Also bad.


While I am personally disgusted with what transpired with node-ipc and am also completely gutted and outraged at Russia's violent invasion of Ukraine - I don't like the idea of us trying to "tone police" open source projects. If some idiot maintainer wants to pull a stupid stunt like that they should have the right to do so. In my view it's the software equivalent of "hate speech" which, while vile, should be protected.

This could quickly devolve into a nasty slippery slope where people who simply disagree with a direction of an open source project try to strip it of its licenses or eject it from various package managers.


>I don’t like the idea of us trying to “tone police” open source projects. If some idiot maintainer wants to pull a stupid stunt like that they should have the right to do so. In my view it’s the software equivalent of “hate speech” which, while vile, should be protected.

I don't understand your characterization of this issue as "trying to "tone police" open source projects". In this case it's quite likely breaking the law (i.e. the CFAA), and for good reason. It's one thing to start a website with racist content. It's another to actually damage people's property. Not even the US, home of the most liberal free speech laws (at least when it comes to "hate speech"), allows this.


He has the legal right to, of course. And that right won't be stripped from free software ever. He also has the freedom to be called a dumbass who is harming open source on a massive scale.


"Hate speech" (which I don't really agree should be protected in the first place) does not have the capability to cripple infrastructure and destroy personal data. This is an act of property damage and should be prosecuted as such.

Trying to paint this as "tone policing" is completely ridiculous.


This is a false comparison. Speech is not software in the sense it can't harm critical infrastructure as malicious software can. And by the way, malicious code violates most OSS licenses because they are not made "in the hope that it will be useful".


The modern OSS scene where people file DMCA notices and other legal actions against forks because, well, because, does not jive with that view.


1. I agree, as much as I think the maintainer of node-ipc is a flipping idiot and should be given an atomic wedgie, it's their project to do with as they wish.

2. That being said, forking a project due to maintainer disagreements is a time-honored open source thing to do.

3. The last point you made is already happening on both sides of the political aisle.

Conclusion: Maybe software being political isn't a great thing, but that's what everybody chose, and that's what everybody gets to live with. I am looking forward to the +NOPOLITICS licensing clauses.

E: Bring on the downvote brigade, I'm just happy knowing that in the end this too will inevitably burn itself out.
