
> Instead of malware, a better approach to free expression would be to use messages in commit logs to send anti-propaganda messages and to issue trackers to share accurate news inside Russia of what is really happening in Ukraine at the hands of the Russian military, to cite two obvious possibilities. There are so many outlets for open source communities to be creative without harming everyone who happens to load the update.

For anybody looking for an easy way to do this, https://infowarship.pages.dev/howto-en may be interesting.

Add a single script tag to your project website, and all visitors from Russian IPs see a popup providing real information about the war in Russian, and links to accurate Russian-language reporting & Telegram groups, from outside the Russian state propaganda bubble.

Not malicious or damaging, no problem for anybody in Russia visiting who doesn't support the war, but a quick & easy way to inform those who do, and to push back against Russia's internal propaganda & censorship.




Isn't it likely for Russian ISPs to start blocking infowarship.com, if they haven't already? Since the script is loaded from their domain this would be easy to censor.


I certainly hope people don't just load this random website's script directly from their website frontend. That seems super insecure. If people want to use that popup they should download the code, give it a quick review, then host it themselves. This also solves the issue with that domain getting blocked.


> That seems super insecure. If people want to use that popup they should download the code, give it a quick review, then host it themselves.

If the node devs did the same thing, this whole story would have been a nonstarter. I don’t recall if you suggested for node devs to also do this.

Ironically, if the dev who made the hard drive wiping changes had said that it was a protest against the bad practices of the node ecosystem which allowed for their hard drive wiping code to work as intended, I think that the dev would be getting just as much ire cast their way, if not more. This way, they get to perform two protest actions at once.

I’m impressed. I don’t approve of his methods, but I do find the causes justifiable.


With backend code, malicious stuff has to get through testing and hopefully some level of review, which is why the hard drive wiping changes were deliberately obfuscated.

The problem with loading frontend libraries directly from third parties is that they can change that code at any time and for arbitrary subsets of users.
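Added example, not part of the thread or of the linked project: one way to pin a script to the bytes that were actually reviewed is a Subresource Integrity hash, which makes the browser reject a copy that differs. The Node.js sketch below computes the pin and approximates the browser's accept/reject decision; the file path, the `showPopup` contents and all function names are constructed for illustration.

```javascript
// Added illustration (Node.js). File path and script contents are constructed.
const crypto = require('crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// SRI value for the exact bytes that were reviewed.
function sriHash(body, algo = 'sha384') {
  const digest = crypto.createHash(algo).update(body).digest('base64');
  return `${algo}-${digest}`;
}

// Approximates the browser's SRI decision for a fetched script body:
// unknown tokens are ignored, only the strongest algorithm listed counts,
// and an attribute with no usable hash means no check is made at all.
function matchesIntegrity(body, integrity) {
  const entries = [];
  for (const token of integrity.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(?:\?.*)?$/.exec(token);
    if (m) entries.push({ algo: m[1], value: `${m[1]}-${m[2]}` });
  }
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => STRENGTH[e.algo]));
  return entries
    .filter((e) => STRENGTH[e.algo] === best)
    .some((e) => sriHash(body, e.algo) === e.value);
}

// Script tag pinned to the reviewed bytes; crossorigin is required for the
// check to apply when the file is served from another origin.
function pinnedScriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

const REVIEWED = 'showPopup("reviewed build");\n';   // constructed sample
const CHANGED = 'showPopup("different build");\n';   // constructed sample

console.log(pinnedScriptTag('/vendor/popup.js', REVIEWED));
console.log('reviewed bytes accepted:', matchesIntegrity(REVIEWED, sriHash(REVIEWED)));
console.log('changed bytes accepted: ', matchesIntegrity(CHANGED, sriHash(REVIEWED)));
```

A mistyped or unsupported algorithm prefix in the `integrity` attribute silently disables the check, which is why `matchesIntegrity` returns `true` when no usable hash is present.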


> The problem with loading frontend libraries directly from third parties is that they can change that code at any time and for arbitrary subsets of users.

I’m showing my ignorance here, but why does node do this? Is that just a consequence of how JavaScript works in the browser? Could node be designed or used differently so that it doesn’t have these failure modes?


Eventually, sure, but I think this would have to become very widespread before that happened - they've only just blocked Google News today.

The instructions above do encourage self-hosting the script though, for both avoiding-block & security reasons.



