100%. I've already seen articles in non-tech media that explain what happened to a non-technical audience, and the explanation sounded a lot like open source is the problem and that proprietary software would never have these problems.
It wasn't that long ago that using open source software required a lot of politicking inside my clients, and we could easily go back there with enough spooked executives.
While the prior post was talking about reticence to trust OSS code in commercial environments, the problem is not limited to that arena. This change hit national news here, albeit very temporarily, not just tech and business news.
If an OSS developer can drop a logic bomb on Russian interests, one could do it to anyone else they disagree with, and that might understandably make people uncomfortable.
Furthermore, the “attack” was indiscriminate, hitting out at a geographical area and potentially damaging the data of many innocent bystanders, not just those responsible for, taking part in, or supporting the invasion. Or is it OK for a code bomb to affect civilian targets? I know physical protests often inconvenience bystanders, intentionally so; a lot of the point is to do so in order to draw attention to the matter being protested, but wilful destruction of property is usually considered bad form for such protests (arguably at that point you have a riot, not a protest) and that is essentially what the node-ipc change did.
Putting commercial interests off OSS is a symptom of a deeper wrong here.
* Even for those that do, something might slip through the cracks, particularly given how deep and wide some dependency trees go in the current JS ecosystem.
* Such attacks would still cause you problems once your audit spots one: you now have to hold back a version, perhaps back-porting security fixes, at least until you can migrate to another package or create your own (or, rather than creating fresh, decide to continue maintaining a fork of the affected one). And you may need a deeper audit, checking to see if anything else slipped by earlier that has left dangerous traces.
And the existence of dependency audits doesn't make damaging protest updates like this right any more than the existence of secure zips makes pick-pocketing those without them fine.
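As an added example (not code from any commenter in this thread, and not node-ipc's own code), the script below walks an npm package-lock.json to show every dependency chain through which a flagged package enters a tree, and which resolved copies fall on the held-back side of a version threshold. This is the "deep and wide dependency tree" problem made concrete: the same package can be pulled in by several unrelated dependencies, at different versions, and a hoisted copy is easy to miss. The lockfile, the package names other than node-ipc, and every version number are constructed placeholders; the threshold is an example policy, not an advisory.

```javascript
// Added example, not code from the thread or from node-ipc: walk an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) and report every
// dependency chain through which a flagged package is pulled in, along with
// whether the resolved copy falls on the held-back side of a version threshold.
// The lockfile below is constructed for illustration; package names other than
// node-ipc and every version number are placeholders, not real releases.

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "some-cli-framework": "^1.0.0", "left-util": "^2.0.0" } },
    "node_modules/some-cli-framework": {
      version: "1.4.0",
      dependencies: { "node-ipc": "^10.0.0" },
    },
    // Hoisted copy, reachable from any package without its own nested copy.
    "node_modules/node-ipc": { version: "10.9.9" },
    "node_modules/left-util": { version: "2.3.1", dependencies: { "ipc-wrapper": "^3.0.0" } },
    "node_modules/ipc-wrapper": { version: "3.0.2", dependencies: { "node-ipc": "^9.0.0" } },
    // Nested copy, because ipc-wrapper's range is not satisfied by the hoisted one.
    "node_modules/ipc-wrapper/node_modules/node-ipc": { version: "9.2.1" },
  },
};

// Compare dotted numeric versions (prerelease tags are ignored for brevity).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Mimic Node's resolution: look for node_modules/<name> next to the requiring
// package, then in each enclosing node_modules directory up to the project root.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root, recording each chain that ends in flaggedName.
// The current stack of package paths is used for cycle detection, so distinct
// chains that reach the same package are all reported.
function findIngressPaths(lock, flaggedName) {
  const hits = [];
  function walk(pkgPath, chain, stack) {
    const entry = lock.packages[pkgPath];
    if (!entry) return;
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      const resolved = resolveDep(lock, pkgPath, dep);
      if (resolved === null || stack.includes(resolved)) continue;
      const version = lock.packages[resolved].version;
      if (dep === flaggedName) {
        hits.push({ chain: [...chain, dep], range, version, path: resolved });
      } else {
        walk(resolved, [...chain, dep], [...stack, resolved]);
      }
    }
  }
  walk("", ["(root)"], [""]);
  return hits;
}

// Annotate each ingress path with whether its resolved version is at or above
// the threshold from which we have chosen to hold back.
function auditLock(lock, flaggedName, heldBackFrom) {
  return findIngressPaths(lock, flaggedName).map((hit) => ({
    ...hit,
    heldBack: compareVersions(hit.version, heldBackFrom) >= 0,
  }));
}

// Example run; the threshold "10.0.0" is a placeholder policy, not an advisory.
if (typeof require !== "undefined" && require.main === module) {
  for (const hit of auditLock(SAMPLE_LOCK, "node-ipc", "10.0.0")) {
    const verdict = hit.heldBack ? "HELD BACK" : "ok";
    console.log(`${hit.chain.join(" > ")} (${hit.range}) -> ${hit.version} at ${hit.path}: ${verdict}`);
  }
}
```

On the constructed lockfile the script reports two chains: one reaches the hoisted copy through some-cli-framework and lands above the threshold, the other reaches a nested, older copy through left-util and ipc-wrapper. Holding back a version therefore means checking every chain, not just the one that triggered the audit; a real run would load package-lock.json from disk in place of SAMPLE_LOCK.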
> Such attacks would still cause you problems once your audit spots one: you now have to hold back a version
That's not a problem caused by this "attack". You should assume that any open source project you use is unmaintained unless you have a support contract and that it will never get any updates again. A lot of these packages have a bus factor of 1 with no backup plan.
The problem I see is that there is no way to discern a "corporate customer" versus a guy in his bedroom building an app. The whole fakerJS fiasco really pissed me off because the developer seemed to assume that the only folks using his software were greedy F500 companies.
And that's the problem I see with many of these political statements. There seems to be this politically driven assumption that the only users of OSS are greedy companies that won't pay to support it. So they make a political statement, take down their package or make it malicious. All this does is create a minor headache for the big corps that have resources and fucks over the little guy.
Because open source is idealistic and altruistic to a fault; it is the antithesis to "got mine, fuck you", or that of the capitalist "fuck you, pay me". If you limit access to anyone it is, by definition, no longer open source. I mean there's probably plenty of licenses that restrict commercial usage of open source software.
That said, I'm all for open source software monetization; include messages in the README, code, or logging that basically says something to the tune of "If you are using this for commercial purposes, please consider donating / sponsoring / hiring". I think Github and co can do a lot more as well to encourage big corporations to pay open source contributors.
Counterpoint: if bigcos are so damn stupid they avoid open source & Free software for idiotic reasons, that creates space for less stupid startups who will do and be better. Why do we need to save the rich, ignorant and prejudiced from themselves? They're not a worthy object of charity.
Most people, certainly productive people, are employed by companies. Take an extremist position on who your product works for and you limit the developer pool. An agnostic competitor would be expected to replace you.
It's not an extremist position to say you don't have to do much about big companies' feelings about using Free software. You don't have to expend your scarce resources to make them feel comfortable. Note well, here I am talking about nothing whatever of substance; this is all pure marketing. If big cos turn from Free software due to prejudice and ignorance about what it is, what it does and how to manage it, rather than riding it like Google, Facebook, Apple etc. to untold riches (that were not obtainable to those companies without Free software), that's not any Free software developer's problem.
The GPL, LGPL, BSD, Apache licenses have not changed. Rogue actions by any supplier come directly under bargaining power of suppliers in your corporate strategy risk analysis. If it happens you deal with it, and you've already thought about it or you have no business making decisions in a large company. If any big company runs away scared from Free software, bye.
Google literally shot to glory when they went extra hard at using Free software when established big companies were scared. It's not a sufficient condition for their success but it was absolutely a necessary one. They don't get going if they have to pay for operating systems alone.
> I am talking about nothing whatever of substance, this is all pure marketing
This is fair. Would note that one advantage to teams that do the outreach and accommodation can be support, financial and contributions. But that's speculative and not the right move for every team.
>It wasn't that long ago that using open source software required a lot of politicking inside my clients, and we could easily go back there with enough spooked executives.
That's what this discussion is about. You want to monetize your Free software project? That's a very different discussion to this one, about which nobody writing Free software need care. Note also the "protestware" or whatever nonsense this is didn't hit anyone with a support contract from the developer, or am I wrong with that guess? So big cos are using a metric shipload of code that they didn't pay a cent for and don't bother even reading once. Just hit the auto-update while paying and contributing nothing, then claim this is the fault of Free software somehow? Yeah. Ok. Bye. The value proposition sucks for them, apparently, so they'll pay someone a lot of money to solve that. Nobody else need care - unless you're sliding into that space to solve that problem for them.
I'm pretty sure the reference is just to the "no discrimination against people/groups/fields-of-endeavor" ethos. See OSI's Open Source Definition clauses 5 and 6. https://opensource.org/osd
> Part of being idealistic is standing up for what is right but without causing more harm than necessary.
Exactly. Setting off a logic bomb targeted at whole countries is not “without causing more harm than necessary”. Add wilful destruction to a protest, especially if that destruction is such that it affects innocent bystanders, and you no longer have a protest, you have a riot.
I work for a company, Red Hat, whose entire business model is getting companies to provide ongoing monetary support for our engineers to work on open source software. We spend a lot of our time advocating for open source, we started well before open source was broadly accepted, and this kind of action could be a setback.
It strikes me as kind of an odd position that given political advocacy in open source software, closed source would be safer.
Proprietary software provided by a single vendor is much easier for a government to lock down via actual sanctions. Hypothetically, they can outlaw your company doing business with that vendor.