A cautionary tale about software dependencies during major geopolitical events

28 points, by construct0, over 1 year ago

13 comments

bradyd, over 1 year ago
I don't really see how this has anything to do with major geopolitical events, other than the fact that the developer of the library is Russian. The author's complaints could have happened with any open source library and don't seem to relate to the war in Ukraine in any way.
dporter, over 1 year ago
Is the author's implication that the developer took the project in a different direction because of the war? I don't understand what the connection is between "major geopolitical events" and the library. It's just a graph that shows that a year after the war started, the developer removed a feature the author liked.
adontz, over 1 year ago
>> The founder & lead developer is Russian and does not accept donations, perhaps noble, perhaps to avoid a financial trail.

In modern Russia, if one receives a money transfer from any other country, they may receive "Foreign Agent" (иностранный агент) status

https://en.wikipedia.org/wiki/Foreign_agent

"prohibited from receiving state funding, teaching at state universities, or working with children"
construct0, over 1 year ago
I see the post got flagged, sad to see but if that's the verdict this'll be the last comment on this post.

The title is not "I caught a Russian developer doing bad things during war!!", the title mentions "a cautionary tale", which from my point of view is a PSA through the means of sharing observations and my interpretation, with some speculation to inform the reader of possible avenues which may affect them, if not through this repository, through another.

To close my writing I'll include the content of a comment in response to a different user, which should define my intent:

"My point would mainly be to spread awareness and share an experience and my interpretation of it, not "slander" and paint a target on my back by namecalling and divulging more information which doesn't serve a purpose beyond wanting clout under the assumption that the war does not affect myself and others around me."

Thanks. Have a good weekend.
kgeist, over 1 year ago
From my experience as a developer from Russia, it's usually the other way around from what's found in the article. Since 2022, there have been a lot of instances of malware being found in dependencies which target Russian developers (deleting data in prod, denial of service). Many sites which host tutorials, programming blogs etc. have become unavailable to Russian devs ("access from your country is blocked"). Some repos removed Russian localizations altogether. GitHub deleted repos and banned accounts of developers with links to Russian banks and other large companies (even if they don't work there anymore). In the last year, our corporate site was defaced and DDoSed several times from foreign IPs.

I don't know about others, but I haven't witnessed some kind of similar refusal by Russian devs to cooperate with Western devs, nor have there been any protests in the form of altering repos.

What really changed in Russian IT after the war started is that 1) it strengthened Russia's infosec - for example, our company finally started reviewing random dependencies developers found on the Internet before going to production 2) some companies went into "hiding" and changed their legal names, "moved" their offices abroad, changed country info in GitHub profiles etc., to avoid being associated with Russia because it's now problematic if you want to deal with Western companies/devs (refusal to work with). As for not receiving donations etc. - it's not easy to set up because of sanctions.
dontupvoteme, over 1 year ago
Have there already been cases where a project switched part of their codebase to protest something (whatever it may be) and it resulted in lower quality/security issues, or is that something we'll see in the future?

Seems like an interesting attack vector. LibFoo was made by BadGroup, use LibBar instead, it's GoodGroup approved!

Meanwhile LibBar has security flaws, known or unknown, intentional or unintentional, which quickly get absorbed into other projects in a political frenzy to expel LibFoo at all costs (and said actions also are incentivized given that they drive publicity, engagement, etc).

I would have thought this completely nuts, prior to the whole node-ipc malware debacle. I would expect state actors to make the most of this expanded Overton window.
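kgeist's remark about teams that now review dependencies before they reach production, and dontupvoteme's point that a hastily adopted replacement library (or an unexpected patch release, as with node-ipc) can carry flaws into many projects at once, both come down to the same defensive control: diff what a lockfile resolves today against what was last reviewed. The script below is an added example, not code from the thread or from any project it mentions. It audits an npm package-lock.json (lockfileVersion 3 layout) for version ranges in the root manifest, tarballs resolved from hosts outside an allow-list, missing or non-sha512 integrity hashes, and any package whose version differs from a previously reviewed set. The lockfile, the package names (lib-foo, lib-bar, lib-baz), the host example.invalid and the REVIEWED table are all constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample lockfile in npm's lockfileVersion 3 layout (not from any real project).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"lib-foo": "^1.2.0", "lib-bar": "2.0.0", "lib-baz": "0.9.1"}},
        "node_modules/lib-foo": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/lib-foo/-/lib-foo-1.2.3.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/lib-bar": {
            "version": "2.0.0",
            # served from a mirror the team never approved
            "resolved": "https://example.invalid/mirror/lib-bar-2.0.0.tgz",
            "integrity": "sha512-" + "B" * 86 + "==",
        },
        "node_modules/lib-baz": {
            "version": "0.9.1",
            "resolved": "https://registry.npmjs.org/lib-baz/-/lib-baz-0.9.1.tgz",
            # no integrity field at all
        },
    },
})

# Versions a human last reviewed and approved (constructed).
REVIEWED = {"lib-foo": "1.2.2", "lib-bar": "2.0.0"}

ALLOWED_HOSTS = {"registry.npmjs.org"}
# Subresource-integrity form npm writes: "sha512-" + 86 base64 chars + "=="
SHA512_SRI = re.compile(r"^sha512-[A-Za-z0-9+/]{86}==$")
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+")


def audit_lockfile(lock_text, reviewed, allowed_hosts=ALLOWED_HOSTS):
    """Return {package: [finding, ...]} for everything a reviewer should look at
    before this lockfile is promoted to production."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    root_deps = packages.get("", {}).get("dependencies", {})
    findings = {}

    def flag(name, msg):
        findings.setdefault(name, []).append(msg)

    # 1. Ranges in the root manifest let a later install drift to a newer release.
    for spec_name, spec in root_deps.items():
        if not EXACT_VERSION.fullmatch(spec):
            flag(spec_name, f"root manifest uses range {spec!r}; pin an exact version")

    for path, entry in packages.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version")

        # 2. Tarball must come from an approved registry host.
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in allowed_hosts:
            flag(name, f"resolved from unexpected host {host!r}")

        # 3. Without a strong integrity hash the installed bytes are unverified.
        integrity = entry.get("integrity")
        if integrity is None:
            flag(name, "no integrity hash; tarball cannot be verified at install")
        elif not SHA512_SRI.match(integrity):
            flag(name, "integrity hash is not sha512 SRI")

        # 4. Anything new or changed since the last review needs eyes on it.
        if name not in reviewed:
            flag(name, f"new dependency {version} never reviewed")
        elif reviewed[name] != version:
            flag(name, f"version changed since review: {reviewed[name]} -> {version}")

    return findings


if __name__ == "__main__":
    for pkg, msgs in audit_lockfile(SAMPLE_LOCK, REVIEWED).items():
        for m in msgs:
            print(f"{pkg}: {m}")
```

Run against the sample, the audit reports lib-foo for both its caret range and the 1.2.2 to 1.2.3 bump, lib-bar for the unapproved host, and lib-baz for the missing hash and for never having been reviewed; a CI gate that fails on a non-empty result is what turns "we review dependencies now" into something enforced rather than remembered.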
goga-piven, over 1 year ago
Many underestimate how many resources Russia puts into cyber warfare, and how simple dependencies or Docker images can be infected with malicious intent. Authors often have no choice but to do what they are told if they are physically located in Russia. Western folks, having never lived in such an environment, simply have no idea how things are different.

Are there not enough examples already proving the state of things in the industry right now? All the points the author mentioned are valid, in my opinion. Even if in this particular case it may not be true, there is a large background suggesting why it could be true.
bruce511, over 1 year ago
I'm not sure the article really makes the point, but in my experience the war has complicated remote work.

I'm tangentially aware of at least one US company that was outsourcing work to Russian and Ukrainian coders. Apart from the obvious "team" dynamics collapsing, it's not even possible (legal) to pay Russians at this point if you are a US company.

I'm also aware that the narrative inside Russia as to the cause of the war is very different to the narrative I hear. Naturally I believe the narrative I hear, as do they.

In this global work-space, who you hire and where they live can become material quickly.
lcedp, over 1 year ago
I have trouble discerning the author's point exactly.

- Yes, you can't rely on an open-source project going in the same direction as you want.

- Yes, any process involving people has a psychological and interpersonal component.

> To this day we read about the war and it feels distant[...]

> [..]don't get blindsided, especially in times of war[...]

I'm glad the author is not affected by the war, but I suppose it's fair to say that it is not hard for the author to stay unbiased (or it might be just indifferent).
bee_rider, over 1 year ago
Yeah, of course, there are many much worse effects from this invasion. But one, while less harmful than the many deaths and displaced people, that hits close to home is that it is not really possible to collaborate with folks in Russia anymore. Hopefully their country will relent and allow them to rejoin the international community.
williamdclt, over 1 year ago
I've had to reread, I was certain I missed something. But no, this is entirely conspiratorial speculation without any basis _or_ even any point?

If at least they explicitly put forward a theory like "it's Russian influence to slow down Western digital development" it would have some internal consistency, but no. They suppose it's Russian influence (again, without basis) without any theory of _why_ Russia would care about an inconsequential CSS-related lib. Shrug.
betaby, over 1 year ago
Related: https://news.ycombinator.com/item?id=35182705
text0404, over 1 year ago
The developer of a library removed a feature around the time the war started and this is enough to accuse them of what, being a Russian state operative? Without evidence, this is borderline xenophobic, man.

People's minds change, APIs change: look at the mess that was Python 2 -> 3, Angular 1 -> 2, react-router 4 -> 5, etc.