科技回声 (TE): a tech news platform built on Next.js, providing global tech news and discussion. Resource links: HackerNews API, original Hacker News, Next.js. © 2025 科技回声. All rights reserved.

On the Weaponisation of Open Source

319 points | by beny23 | about 3 years ago

57 comments

fxtentacle, about 3 years ago
In my opinion, these changes are effectively supply-chain attacks in their execution. That would make them bad regardless of how correct their expressed positions are about the Ukraine war.

The fact that there has not been a strong push back confirms my suspicion that by now, everyone has gotten used to Node and NPM being insecure and silently accepted it as a way of life. Similarly, those Terraform scripts are apparently esoteric enough to only be used by a tiny minority of software developers, or else we would have heard about it in a different way.

Thank god nobody did similar shenanigans to open source projects that are actually in wide use :)
aasasd, about 3 years ago
Also: when ‘colors’ and ‘faker’ packages printed stuff in the output in an endless loop, NPM and Github banned the author and took over the packages.

When ‘node-ipc’ overwrote all files on disk, NPM just waited while the author himself published an amendment and posted that the package ‘only created a text file, no biggie’.
emodendroket, about 3 years ago
We've pretty quickly decided to throw out decades of norms in favor of anti-Russia moves all the time. Not ideal.
samwillis, about 3 years ago
This is exactly the problem with “uncurated” package managers like NPM and PyPI and where a curated package system like APT and RPM offer such a strong advantage. Far fewer people for you to have to put your trust into, but still a trust based system. They have gone so completely out of favour though.

It’s understandable why people moved to the uncurated systems, it’s so much easier to publish and so the variety of what’s available is brilliant. But I don’t think the tooling is there yet with all the languages that use them. Really we should have the ability to control permissions at the library level, choosing specifically what they can do.

Deno is doing some interesting things at the app level but has any language done anything with library level permissions?

Maybe we will see a movement back to the curated package managers, there may even be an opportunity to provide a curated service layer over the uncurated package managers like PyPI and NPM, possibly a paid service?
0xbadcafebee, about 3 years ago
Software is not more important than human life. I would rather have proprietary than Open Source if it's a choice between respecting human life or not.

When America goes to war with a backwater country that can't defend itself, nobody can do anything. We have the nukes, we have the money, we have the aid, we have all the cards. Even when we literally make up shit to have an excuse to go to war (for Russia it's "Nazis", for the US it was "Aluminium tubes"), nobody can stop it. Well, I want the right to say: "No, USA, you cannot use my software if you wage an unjust and unprovoked war."

Is it _unfair_ to block a whole bunch of innocent people from using that software? Yes, I'm sure the families of the people your government are killing are quite upset that you can't use some software. However, if you want to use the software again, force your government to stop its war. Or use different software. It's not like anyone's holding a gun to your head.
fhaltmayer, about 3 years ago
The terraform changes just seem so unprofessional and a prime example of virtue-signaling.
kgilpin, about 3 years ago
This seems like another example of people taking open source for granted. Software takes time and effort to create, and in return for that effort the author receives ownership and copyright. The author of an open source project can do whatever they want with it - limited only by other legal limitations (such as, it’s illegal to intentionally destroy other people’s property).

In a legal contract, some value (consideration) must be contributed by both sides. What do most people contribute to the open source projects that they use? When the answer is “nothing”, then why do they expect the right to judge the decisions of the author?

Sure this is rant-ish. But I’m saying that people sure feel privileged to raise a hue and cry when open source authors make decisions that they don’t agree with. Don’t like it? Fork it - or buy a license that has the terms you want.
teawrecks, about 3 years ago
These attacks, regardless of how ethical, are shortsighted. Imagine a situation in the future where Russians revolt and take their govt for the people, a Democratic govt is successfully established, peace is realized, etc. This future Russia is still fucked because they can't trust any code. The internet will be littered with virus landmines that target them based on their ancestors' affiliations. You've literally created the toxic racist/nationalist internet you thought you were protesting.
quantum_state, about 3 years ago
This is a sad thing for FOSS … why should developers from Russia be penalized for no reason of their own?
tux2bsd, about 3 years ago
This comment does not relate to the matters in Europe that the article is about; this comment points out something missed by other comments.

Open Source software was weaponised via the virtue signalling "Code of Conduct", in particular when language categorises people into groups ("everyone" would suffice). Exclusion was always the goal of the "Code of Conduct" trojan horse.
pastacacioepepe, about 3 years ago
Do we think Russians manage no open source?

How many fundamental open source libraries have Russian maintainers?

How long before they decide to commit a disk wiping malware and release it without a breaking change?

What if they decide to do it on a larger, coordinated scale?

I would be very careful before attacking an entire population with cruel malware. They don't deserve it, and punishing so many innocent people at once can have serious consequences.

Personally I hope that the creator of peacenotwar, RIAEvangelist, (same creator of node-ipc) will lose his position in open source and hopefully any current and future gig in the industry.

His action was so reckless, vile and stupid that I don't ever want to run a single code statement written by him on my hardware. What a coward.

I also hope he is made to pay all the damage he caused, in the future. Hopefully very soon.
dgan, about 3 years ago
Such precedents simply indicate immaturity of the developer behind it.

I hate XXX (insert any English speaking politician from the Western World), yet I am speaking in English. Shock! Tools are a-political. Could you believe that?
phendrenad2, about 3 years ago
Yeah, no. This is the weaponization of the cloud. Open-source and closed-source are irrelevant here. I get that it's trendy to think of open-source as the community, the hosting platform, and then, as a distant third, almost an afterthought, the code itself, but that's wrong. Open-source is the code, and the code transcends any given hosting platform or community blacklist.
pmontra, about 3 years ago
My first thought yesterday was that I really cannot trust NPM anymore because if someone sneaks in an anti-Russian piece of code somebody else could sneak in code against any other country, or look at the content of files to get an idea of the kind of person running the code and decide what to do. People voting for the other party, thinking something different, etc.

And why not Python, or Java, Ruby, anything. Maybe we'll all end up running Tails.

Edit: if something like that happens, how long before certifications require that no unvetted code is used in projects or no open source at all?
scotty79, about 3 years ago
> My problem is that this weaponisation is killing off trust.

Trust that all programmers started to place in open source maintainers maybe a decade ago out of sheer laziness is absolutely insane.

Pulling freshest code out of a thousand libraries automatically into the medium security project that you are building is absolutely crazy.

It's inviting a thousand strangers to run code on your machine which contains your commercial creation and data. Without any protection whatsoever besides "trust" which is just another word for laziness and being hopeful.

The faster we can ditch this trust, the faster we will develop actual protections, vetting processes, delaying updates, caching, forking, so we can isolate our work from the thousands of wonderful people all of which are one bad day from wiping all your files.
epolanski, about 3 years ago
I am strongly against all this hysteria. The last thing we need is the world and society to be more divisive.

We are at insane levels of hysteria, people calling McDonalds to stop selling in Russia because they have Ukrainian kids' blood on them. Does it also have 200k Iraqi blood killed by us?
synergy20, about 3 years ago
Nothing is perfect, and the world is not black and white, it's not ideal, but it is what it is.

A criminal will lose part of his/her rights, some of his freedom, and even his life in a perfect democratic liberal human rights first country. This is how the system works.

If the war is deemed by most as a criminal act, losing some open source is just a very tiny part of what the offender deserves. Why is this even a surprise? Software is no exception here.
ineedasername, about 3 years ago
Putting aside the issue of "is it still open source?", deleting files is problematic from another perspective as well: private citizens launching a cyberwar attack against a foreign power.

It seems to me that the only legal way to do this is with the approval of your government.

I have seen at least a few argue that devs should be/are allowed to act in accordance with their own values. I agree, with the same caveat I would apply in any circumstance: _so long as those actions are in accordance with the law_.

To do otherwise in a geopolitical conflict like this is foolhardy in the extreme. The Western world is struggling very hard right now to find the right balance of actions that supports the Ukraine while punishing Russia, at the same time balancing that against the risks of escalating the conflict far beyond its current confines.

I would be very confident in a guess that even large corporations making perfectly legal business decisions to shut operations in Russia are doing so with some coordination & communication with their governments. It is certainly not at all up to private citizens to take extralegal actions that may escalate this conflict in any way.
cat_plus_plus, about 3 years ago
Wars cause people to do really drastic things that would be out of the question in peacetime. Programmers are people and some of them have relatives who have been blown to smithereens by Russian strikes. These are the peanuts, saboteurs have been known to destroy physical things with high collateral damage. While crimes like deleting files should be prosecuted, the best way to end such things is to end the war.
smsm42, about 3 years ago
Mongo SaaS is a commercial service, as such having little to do with open source. And of course it's not the first and even not the second time commercial vendors refuse to provide service, including for political reasons. People get banned all the time on social networks for political reasons, and AWS famously killed the Parler service for the same. So it's not something new, it's just a continuation of the same trend. And undoubtedly we will see more of it - if the government can close your bank account for disagreeing with it, they'd certainly be able to close your Google or AWS account. For private companies, it's even easier.

And the node library... well, malicious code in node libraries is also not new, though in this particular case the question whether it's a malicious or righteous action may be subjective. That's a supply chain attack, and the nodejs community certainly will have to figure out whether they want to stop it and if so, how. Until this happens, node developers should be super careful with their dependencies I guess.
WesolyKubeczek, about 3 years ago
I'd say that the code that is malware/not malware depending on the IP address of the server is a bad kind of weaponization. Not because I pity poor Russians or some such. I'm a Ukrainian national myself. Putin is a dickhead that should be put down with extreme prejudice; much of both the state and ordinary folk in Russia should be accountable, too. Here, I said it.

The problem with those NPM packages, or better said, the approach they are taking is that it is a double-edged sword. IP blocks can be sold and bought. Today they belong to someone in Russia you don't mind targeting, tomorrow it's someone else entirely. Today you put in a trigger to turn your code into malware, tomorrow someone finds a way to flip that trigger at will. Bad things ensue.

Not providing services to Russians is another thing and that could work. Limiting downloads by country is okay in my books. After all, you block IPs that try to DDoS you, so banning IPs of an aggressor country that is fond of murdering civilians is fair game too. Radio silence their contributions. Don't respond to their support requests. Close the issues they open as if they never existed. Of course they can find alternative ways to download stuff, fork, implement the necessary changes themselves, but it's jumping through the hoops. Let them jump extra and then some.

Stop providing documentation in Russian, kick some people off the team/mailing list. Make the OSS you're responsible for be, for all intents and purposes, an unmaintained piece of software if the user is from an aggressor country.

These are ways of sabotage I can stand behind. But putting in actual malware is rather where I draw the line.
cambadafonchan, about 3 years ago
I think incidents such as this will wake organizations up to the reality that open source is not inherently more secure or cost effective than proprietary software.

For the past 10 years the prevailing wisdom has been that one should not "re-invent the wheel", but we're starting to see the dangers of not owning the full stack.

As a professional software developer working for a major company, I'm much more inclined to implement something myself rather than pull in a bunch of transitive dependencies that introduce unknown and hard to manage risks. 10 years ago I would have laughed at someone who suggested such a thing.

The argument has always been that closed source can't be inspected and as such is more risky, but I think in the current landscape as open source developers get more ideological, commercial incentives are a better way to protect against supply chain risks than open source code.
pabs3, about 3 years ago
There is a great essay related to this by Software Freedom Conservancy:

https://sfconservancy.org/blog/2022/mar/17/copyleft-ethical-source-putin-ukraine/
tsujp, about 3 years ago
This is what happens when -- above everything else -- not following EXACTLY the mainstream political view gets you cancelled.

I think the Russian war in Ukraine is bad. However, I don't extend the Russian _government's_ actions to Russian citizens. All nuance is lost and unless you spout "Russia bad" or are flagrantly anti-Russia you are someone worthy of being cancelled by the Twitter mob et al.

Acts against Russian citizens who are trapped by their government are immoral and unethical. Acts that introduce malware into open source software and discriminate against people are immoral and unethical. Right now, however, doing exactly these things is the "woke" and "politically correct" thing to do.
vbezhenar, about 3 years ago
Build systems should adapt. Run all dependency install scripts at least in docker. Run the build in docker. Run the executable in docker and connect to it via debug sockets. Run the language server in docker and so on.

Preferably not even docker, but a separate VM.
bjt2n3904, about 3 years ago
Certain things should be a-political. Like the international space station, football, and open source software.

But software development has yielded to demands that it adhere to causes. Redis isn't just a key value store, it's engaging in anti-racism by removing terms of whiteness, like "master" and "slave".

And here we are. Uninstall nginx, unless you're a fascist that supports Putin! Did you hear? Russia is using leftpad.js! Quick, unpublish the repository in solidarity with... We have to reduce harm! No one is neutral! You're for us, or against us!

Lending software to "social progress" leads to the insane place we are today. (And not to mention, it hasn't achieved much.)

No, my software isn't a tool for your social goals, noble as they may be. And that doesn't make me a bad person.
rakeman, about 3 years ago
Even if you agree with what he did, I don't think you can justify how it was done. I think it's fair to infect someone you dislike with malware if you're capable, if that's the upfront intention. But the history of the particular piece of software in question was not malicious. It's like going to the doctor for your 6th booster shot, the first 5 were fine but this time he decides he doesn't like your accent and gives you the arsenic shot instead. Really his intention was clear with this, hiding malware behind a piece of legitimate software he was maintaining and had built a good reputation on. Ransomware is the new big thing so comparing it to that I feel that the motorcyclist's actions were actually worse. At least with actual malicious actors you know upfront what their intentions are. Putting aside the politics this is an overall negative for OSS.
ZeroGravitas, about 3 years ago
With respect to open source code used for 'evil' this has been covered in reasonable depth previously since it's fairly easy to imagine open source being used for things the original author(s) do not approve of, and the issues that would cause if they could revoke the licence after the fact.

As far as I'm aware the final conclusion after decades of discussion was that open source licences were not the place to do this for various pragmatic reasons, though including messages, manifestos and other such communication seems fairly common.

Potentially we need a mechanism that says explicitly "all code in this ecosystem is open source unless you give informed consent to opt-in to other licence types" and flags as early as possible when that's not the case (e.g. updating the dependency of your dependency ... etc.) and allow people to explicitly override the exceptions they care about, and otherwise halt the update.
einpoklum, about 3 years ago
> Note, I do not think that this means that we should all rush to building our own data centres, writing our own databases and running all our own services.

The author is conflating three very different things:

* Running software on your own machines

* Setting up a full-scale data center

* Writing your own "infrastructural" software

... helping him make an argument in favor of "the simplification and optimisation of using Software as a Service". That's disingenuous.

----------------------------

> My problem is that this weaponisation is killing off trust.

Certainly there is little trust left after such weaponization. Sometimes, though, there's enough of a reason to mistrust _before_ this happens. After all, it's the same people/organizations which would later engage in such weaponization. There are sometimes/often preliminary signs that something like that could one day happen.
Nextgrid, about 3 years ago
This incident makes me feel good in my decision to start using Qubes OS (https://www.qubes-os.org) as a day-to-day development OS. Had I been hit by this, it would've considerably limited the blast radius.
rep_movsd, about 3 years ago
This is the equivalent of beating up the neighbours' kids because the neighbours are doing bad shit
keewee7, about 3 years ago
> an American NGO lost 30,000 files documenting Russian war crimes

This is a bullshit claim made by a one hour old GitHub account with a random username. Probably a pro-Russian troll that wants to dissuade other open source maintainers from pushing anti-Russian protestware.
blablabla123, about 3 years ago
Open Source was always political, ultimately this is where some moonshot projects like GNU got their momentum from. IMHO the red line is where it gets destructive or actually discriminates against individuals. In the past PGP couldn't be exported to certain countries so sanctions apply also for OSS. Speaking of the immense popularity of web3 and decentralized of course not all measures will be realizations of government directives. That said I don't think OSI (opensource.org) represents the whole OSS movement.

Also the title is a bit click-baity. The protestware example is clearly weaponization of OSS but the other examples are not.
lbotos, about 3 years ago
Does anyone know the game that is being shown in the image? @beny23, I checked your code (OSS FTW!) but the image name doesn't reveal anything:

https://github.com/beny23/beny23.github.io/blob/master/posts/on_weaponisation_of_open_source/index.html#L33

https://beny23.github.io/images/on_weaponisation_of_open_source_title.jpg
_ache_, about 3 years ago
Weaponisation?

I guess you are victimizing yourself. It is fair for free software developers to express themselves in the software they build.

If you don't want them to, or if you want a specific idea to be promoted, just pay for that.
Dove, about 3 years ago
We have parallel problems in science and in software.

My faith in science was never in the moral character of scientists and their organizations - individuals and organizations are always vulnerable to corruption. My faith was in the principle of replication. If anyone can repeat an experiment, we can all see for ourselves what is true, and a community dedicated to that (and individuals with a healthy fear of the process) is reliable.

Only, we don't replicate experiments. We got so busy and excited building on what had gone before that we've built some huge houses of cards on questionable foundations, because who wants to spend time and money doing replication? Distracted by the free riches, we neglected what had always been the source of our strength, and here we are - arguing over who funded studies and fuming over the replication crisis.

Where are the critics who say, "I can't trust that paper - it's impossible to replicate!" Where are our Poppers who insist on falsifiability? An entire community that frowned on complexity and opaqueness and walled gardens of data, a community that trusted things insofar as they had been replicated and re-examined from many angles and proven sound, would force us towards a level of simplicity, honesty, and reliability that science should have. Instead, a general agreement to pursue individual and institutional glory at the expense of upholding foundational principles has rotted the foundation of the endeavor.

Put simply, I trust science because you can replicate it. But for whatever reason, (and I can't propose a specific solution, but), to the degree our community is not devoted to replication, it loses its trustworthiness.

Software has a parallel problem.

I don't trust open source software because I trust the character of developers or institutions. I trust it because it can be examined and fixed. Because of reproducible builds. Because anyone can examine it, anyone can build it, no trust of individuals or organizations is needed. A community that insists on such features and abhors offerings that offend these principles will steer us towards a level of simplicity, comprehensibility, reproducibility that open source software should have.

But we are all so excited to build things on top of other things that we spend much more time multiplying dependencies and layering on complexity than worrying about foundational principles. We are now seeing the rotting foundations.

There are people who complain about whether code can be examined, or factors that make it difficult. It is becoming increasingly important to listen to them! A community that celebrated open source software, not only for what it can functionally do, but for how _open_ it is, is what is needed to maintain those foundations. A community that has trust issues with unexaminable long dependency chains, that is sensitive to the difference between software that has been around the block and examined for a long time, and software that some guy just put out last night.

Put simply, I trust open source because you can examine it. But for whatever reason, (and I can't propose a specific solution, but), to the degree our community is not devoted to examination, it loses trustworthiness.

Reserve your trust for communities that take seriously the principles that trust is built on.
citizenpaul, about 3 years ago
I was thinking about this in a different context a while back. Basically companies (Amazon for sure) utilize open source then make some closed off fork of it while giving nothing or peanuts back to the original open source development foundations. For example Amazon has indisputably made Billions if not Trillions from monetizing Mozilla products. Yet has only donated a few paltry million back to the foundation. While at the same time using the FOSS products to create their own walled garden.
krnlpnc, about 3 years ago
Afaik mongodb licensed to be free as in beer, and is not actually FLOSS.<p>Doesn’t seem like the argument holds for open source as a whole, especially looking at gpl and apache2 licensed projects.
Jon_Lowtek, about 3 years ago
> _I don’t really want to have to read through each of my dependencies and transitive dependencies licences to determine whether I am agreeing to <the things included>_

I slightly edited the last part of that sentence to highlight a problem with this kind of thinking. I do understand that the author may prefer all their software dependencies using some well known license like "Apache 2.0" instead of dozens of variations of "Apache 2.0~modified"
0dayz, about 3 years ago
I think the mongodb example is the most "right" in that it's only the service of mongodb that gets cut off.

With that said it's a similar "issue" I remember a few years back when there were "anti-fascist"/ ""social activists"" advocates for excluding certain groups where the same issue came up, the idea may be noble but in practice causes unintended consequences.
frozenlettuce, about 3 years ago
The Pandora box has been opened. Prepare for the same kind of attacks addressing US IPs (cloud on us-west-2? bad luck)
Viliam1234, about 3 years ago
This is a completely immature behavior. If you did something like this, please remind me to never use your software again, because today you protest Russia, and tomorrow maybe you decide that you actually hate capitalism, who knows. Probably not, but I'd rather not take the risk.

If you want to send a political message, there are less harmful ways to do so. Like, print a message at program start, or write it into logs. You could even provide all kinds of forbidden information, such as numbers of Russian soldiers who died in the war. Better than "Putin sucks", right? If you want an equivalent of sanctions, just make your software stop working, and explain why.

But if you insist on playing soldiers and doing damage, how about you contact your local secret service and tell them "you know, I have this program that is also used in Russia, if you have any ideas how to weaponize it, I am open to suggestions". Maybe they would give you some code that targets a specific IP address, and extracts a Russian state secret, or whatever. That could potentially accomplish much more, with much less collateral damage. You had one shot; you wasted it.

Also, consider the long-term consequences of such things becoming the new normal. Do you want to live in a world where an internet-connected washing machine will destroy your laundry because you voted / didn't vote for Trump? Because this is the world you are helping to build.
ZeroGravitas, about 3 years ago
Possibly while looking into running multi-cloud etc. to mitigate these risks you could also ask "is my country likely to face global sanctions? Why?" and combined with other business owners in the location you can do something to avoid that eventuality.
ungamedplayer, about 3 years ago
The author can't read the license, which is odd considering it is quoted directly

The license must not discriminate against any person or group of persons.

The license itself does not discriminate, even if the licensed content does. This is an important freedom.
winternett, about 3 years ago
The step of scanning code for dependencies is instrumental in preventing issues like this. Simplifying use of things like external libraries is also a good move, vigilance has always been vital to security.

Implementing zero trust and taking proper steps in build, test, and deployment to secure vital data (like government agencies do) helps to better ensure and protect data. That's one of the main reasons why PHP and Python are so prevalent, code is usually/basically in text files that can be vetted, tested, and edited a lot more easily than in compiled source... Not saying any open source lang is better than any other in stating that though mind you.
knorker, about 3 years ago
Literally the first freedom from gnu.org, too.

> The freedom to run the program as you wish, for any purpose (freedom 0).

This is like believing in freedom of speech, but only for speech you agree with.
regpertom, about 3 years ago
Ottomh, George Takei and Neil DGT have both lectured me on what a stain on American history the internment of Japanese Americans during WW2 is. Part of that included harassment of Japanese appearing businesses and people. The stain still remains to this day so I don’t say was. I think they were using it for anti-Trump stuff but I took it as a general lesson.

And then bam the whole world is in total war with Russia and you're either with us or against us. Freedom fries were a deranged pro Iraq war conservative thing, no enlightened person would allow themselves to fall to such petty hate ho ho ho. People would laugh as a relic of the past at stories about how my grandmother didn’t listen to German composers or buy Japanese goods and as she got older, buried anything precious to her in the backyard.

The James Webb telescope say for example had/has lots of international assistance, who would want to throw those decades away to spit on Russia?

Regardless of justification, if you‘re pouring shots too big too often the bar will have to install automatic shot pourers and everyone suffers. Maybe it’s a relic of the past also but isn’t there an idealised heart at the core of open source? Hope for a better world built on trust and responsibility? We know there’s no one to sue but trust us and use libreoffice it’ll be fine.

Another anecdote: mercenaries in South Africa and Sudan on different sides drank at the same bars at night. I heard a story of a pilot on one side and a ship's AA gunner on another sharing their stories with each other for many nights before they realised they’d spent days trying to kill each other. They didn’t go home afterwards either it just was what it was. Australia tells as legend how the Anzacs and Turks could play cricket over a ceasefire. After all there’s no reason we can’t be civil _bites pretentious fruit_

My Ukrainian, Russian-language teacher has changed his online names to basically John Smith. Seems he feels a danger in being mistaken for Russian.

These are things I’m contemplating and are not meant to overrule whatever you might be contemplating or advocating dear reader. I want to say obiter dictum. I follow the sentiment of the article.
leke about 3 years ago
Interesting how the internet has given people more power to act, and the freedom people have has also made it possible.
nirui about 3 years ago
From the article:

> I don't think this can be classed as open source anymore:

> The definition of an Open Source License is quite clear:

> 5. No Discrimination Against Persons or Groups. The license must not discriminate against any person or group of persons.

> I don't really want to have to read through each of my dependencies and transitive dependencies' licences to determine whether I am agreeing to discriminatory terms by using a library.

I think the author of the article has misunderstood the definition, and thus reached the wrong conclusion.

The non-discrimination rule applies only to accessibility and nothing else. Simply put, you provide the same code/product to everybody, including Santa Claus and Mr Putin, under the same set of conditions and permissions. Adding/removing malicious code does not change the fact that the code is by definition open sourced.

All in all, this is not a license problem.

Now, talk about node-ipc, which just got attacked by mobs (see https://github.com/RIAEvangelist/node-ipc/issues?q=is%3Aissue+is%3Aclosed).

If an open source project is a scam, then it's scamware. If an open source project is malicious, then it's malware.

Personally, as a normal human being, it is hard to keep peace of mind after watching how the Russians fired multiple heavy rounds to kill the elderly couple who were just traveling peacefully in a car down the road near a hospital. It is even harder to keep peace of mind after watching a video recorded by a son showing how the Russians shot and killed his father, who sat in the driver's seat right beside him. I fully understand and respect the anger.

However, I do agree that people need to be more mature on this even during this difficult time. Turning your project into malware only hurts your own reputation and the people who trusted you. Once the trust is gone, it might never recover. There are many ways to actually hurt those who contributed to the invasion. Be constructive and accurate, or at the very least don't be destructive.
pabs3 about 3 years ago
I wonder how the license changes are going to get enforced in Russia; it seems unlikely to happen there.
mariusmg about 3 years ago
Their code, their rules?
tracker1 about 3 years ago
1. Pin your dependency versions.

2. Develop inside a containerized environment... it's pretty easy with things like VS Code's remote extensions.

3. Consider looking at Deno as an option over Node for new projects.
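The first item above, pinning dependency versions, as an added example (this is not code from the thread or from any project mentioned in it): a small check that reads a package.json and lists every dependency whose version specifier is not an exact version, so that a caret or tilde range cannot silently pull in a later release. The manifest and the dependency names in it are constructed for the demonstration.

```javascript
// Added example: report dependencies in a package.json that are not pinned
// to an exact version. Constructed sample data, not a real project's manifest.

// An exact semver version, optionally with pre-release and build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// True when the specifier can only ever resolve to one published version.
// Ranges (^, ~, >=, ||), dist-tags (latest), git and http URLs all return false.
function isPinned(spec) {
  if (typeof spec !== 'string') return false;
  // Alias form "npm:name@version": pinned only if the aliased version is exact.
  if (spec.startsWith('npm:')) {
    const at = spec.lastIndexOf('@');
    return at > 4 && EXACT_VERSION.test(spec.slice(at + 1));
  }
  // npm accepts "=1.2.3" and "v1.2.3" as exact versions; strip the prefix.
  return EXACT_VERSION.test(spec.replace(/^[=v]/, ''));
}

// Parse package.json text and collect every dependency that is not pinned.
// Returns [{ field, name, spec }, ...] in manifest order.
function findUnpinnedDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const unpinned = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (!isPinned(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Constructed sample manifest (the package names are made up for this example).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  dependencies: {
    'lib-caret': '^1.2.0',            // caret range: any later 1.x satisfies it
    'lib-exact': '1.3.0',             // exact: only this version satisfies it
    'lib-tag': 'latest',              // dist-tag: resolves to whatever is newest
    'lib-alias': 'npm:other-lib@2.0.0' // alias to an exact version
  },
  devDependencies: {
    'tool-tilde': '~8.10.0',          // tilde range: any later 8.10.x
    'tool-eq': '=4.6.2'               // "=x.y.z" is an exact version
  }
});

for (const d of findUnpinnedDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${d.field}: ${d.name}@${d.spec} is not pinned`);
}
```

Pinning only closes the window in which a range pulls in a newer release. Installing with `npm ci` from a committed package-lock.json is what ties a build to the exact tarballs (by integrity hash) that were reviewed, and `save-exact=true` in `.npmrc` makes `npm install` write exact versions by default.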
jeroenhd about 3 years ago
I don't see what's wrong with Mongo cutting ties with Russia. There are practical problems receiving payment from Russian territories, and companies are allowed to choose which countries they do and don't do business with.

In a similar fashion, developers may choose who can and cannot use their code. In fact, depending on how your government's sanctions are structured, you may even be obligated to not license code to developers in some countries.

Using malware to overwrite random files against random Russian IPs is obviously stupid. I'm sure the dev will get to explain his case to a judge at some point. The Terraform thing, though, is different; it's not malicious, merely political.

However, I think the assertion that software "should not be political" is silly. All software is political. Open source licenses stem from American ideals of freedom, for example, and are designed to work in the American legal system above all else. Then there are the implied cultural contexts; the list of software that only works in left-to-right configuration or even fails to just accept standard Unicode input is laughably huge. The number of times I've had to adjust software to work with alternative decimal separators...

Independent developers can (and probably should) decide to mostly focus on the problem they themselves are trying to solve. If that doesn't work for someone else, they can either ask (and possibly be denied) alterations to extend the solution to their problem space, or suggest additions by extending the software themselves, but in essence, cultural and political assertions are everywhere throughout "open source".

Protestware has been around for quite a while, but I think this is one of the first times we're seeing high profile developers take a stance. Whatever risk this is exposing was always there; we can try to hide the risks of open source, but in the end, that's just covering them up.

I agree that protestware should not be considered open source, but any open source project can turn into protestware at any time, and it always could have. This is why groups like Debian and companies like Canonical are important: they use their organization to produce a unified view that you can rely on. Debian applies patches to align software with their views in several ways. The result is that software is often re-packaged and is deployed slower than upstream, but stuff like this doesn't get into your systems. The Python/pip/Cargo/Go way of distributing dependencies directly, rather than using some kind of unified repository, exposes you to the risk of open source software becoming protestware, but it doesn't have to be that way.

Developers scrutinize Debian and Ubuntu for packaging old software, but you can safely develop against their dependencies. This is the open source that can be trusted, to a usual extent. In my opinion, the trust developers place in random usernames on NPM is misplaced, and the extensive dependency graphs modern frameworks require make that problem so much worse.

To those saying that it's bad that innocent Russians are getting hit by this: that's the point. It's also why sanctions are only applied in extreme circumstances. Foreigners can't tell other governments what to do; the best the rest of the world can do is hope for, or incentivize, a country's citizens to make their government change its mind.
smashah about 3 years ago
I understand that all of this may seem annoying to those that like to bury their head in the sand, but where's this energy and label of "weaponisation" when OSS is LITERALLY used to build weapons, e.g. OpenCV being used for mass surveillance and ArduPilot/OSS drone projects being used to make tear-gas-deploying drones?

Changing the license is weaponisation?? It's the bare minimum and least intrusive. And then you all complain when someone tries to implement a Hippocratic or Do No Harm license. "WEAPONISATION"?? Really?

The lesson of all this is to keep an eye on your supply chain. Simple as. I think it's a sign of entitlement when you expect OSS devs to build you robust and reliable systems and then leave the rest of themselves at the door.
aritmo about 3 years ago
Knee-jerk reaction and discrimination against the Russian people.
toss1 about 3 years ago
>> political discourse has turned to be very divisive and tribal. You are either with us, or against us.

This is because much of politics is currently driven by a global set of fascist/authoritarian govts and sponsored 'movements' pushing to destroy democracy. This is, IMO, back to the pre-cold war days, but stripped of all the "-isms" and ideologies.

It is now either self-determination for the people via democracy, or live under rulers like Putin, stripped of any cloaking ideology. This is being strongly pushed/sponsored globally by Putin's govt; the Chinese are going about it differently with the 'Belt & Road' initiative and other exploitative agreements.

The grand experiment has been tried. It was thought that free trade exchanges and greater information flow from free nations would bring freedom, self-determination, and democracy to the former Communist nations. It did not. In trying to prove the thesis, the test proved the opposite, and enriched the authoritarian states.

Russia's ongoing assault on Ukraine since 24-Feb-2022, and the ongoing blatant war crimes including specific instructions to ignore civilian care [0], cluster munitions on civilian targets [1], or bombing a theater/shelter with "Children" written on the pavement outside [2], and its support by ~70% of the deluded RUS population, show what can be expected from yielding to or appeasing authoritarianism.

It now really *IS* you are with us, or against us.

You are either in favor of democratic self-rule for all people, or you are against it.

This is war, and we are fighting against those who are happy to be war criminals.

It is important to take every measure, and "weaponizing" open source is among the least of the things that can be done to help.

[0] https://twitter.com/cnsnews/status/1504494016137555968?cxt=HHwWgMCj6cTVhOEpAAAA

[1] https://www.bellingcat.com/news/rest-of-world/2022/03/11/these-are-the-cluster-munitions-documented-by-ukrainian-civilians/

[2] https://www.npr.org/2022/03/17/1087164709/ukraine-mariupol-theater-bombing
oytis about 3 years ago
It would be much more honest for the democratic world to dare an open military conflict with Russia now. But people also understandably fear nuclear war. So people are weaponising whatever they can, and there is nothing wrong with it. The situation is pretty extraordinary, and the sooner we can get back to a system where dictators waging wars against democracies end up in The Hague, the sooner we can start sticking to our peacetime norms again.