On the Weaponisation of Open Source (beny23.github.io)
319 points by beny23 on March 18, 2022 | 389 comments


In my opinion, these changes are effectively supply-chain attacks in their execution. That would make them bad regardless of how correct their expressed positions are about the Ukraine war.

The fact that there has not been a strong push back confirms my suspicion that by now, everyone has gotten used to Node and NPM being insecure and silently accepted it as a way of life. Similarly, those Terraform scripts are apparently esoteric enough to only be used by a tiny minority of software developers, or else we would have heard about it in a different way.

Thank god nobody did similar shenanigans to open source projects that are actually in wide use :)


We're building Socket to stop this exact type of attack. See https://socket.dev

Socket turns the whole npm security problem on its head and asks: what if we assume all open source may be malicious? Can we proactively detect indicators of compromised packages? What's the simplest way to mitigate this risk without hurting usability?


Socket seems interesting. I just installed it on some of my repos.

In your FAQ, it says "We're working to make Socket the best open source security tool.", this was confusing for me, as I got the impression that Socket's codebase is Open Source, and I went looking for it.

Maybe "We're working to make Socket the best security tool for open source packages" would be less confusing.


Great feedback. I initially understood socket was open source as well, which would have prevented me from using it to secure open source projects? circular argument :)


You are right. Thanks for the suggestion.


Why should we trust closed-source software to audit open-source code? In the words of an infamous bounty hunter: "Does that seem right to you?"


In U.S.

detects Chinese malware -> Threat Alert

detects NSA malware -> Silent pass-through

I mean I guess I'm a pessimist, but also, I think I'm really a realist.


"if you make any kind of ruckus, your body is forfeit"


How do you detect compromised packages? What indicators of compromise do you use? Is Socket itself open source? Can I run it locally on the command-line?


We look at the behavior of packages, what APIs they use, and how that changes over time. The list of issues we currently look for is here: https://socket.dev/npm/issue

Socket’s not open source at this time, but we’re releasing a CLI in the coming week if the GitHub App doesn’t suit your purposes.


I absolutely love that you added a telemetry issue! I'm linking your page about it from the Debian privacy issues page.

https://socket.dev/npm/issue/telemetry https://wiki.debian.org/PrivacyIssues



That's actually interesting, I will look into more details to see if we can integrate this into our systems. Do you have any available technical documents so we can get a glimpse of how Socket is working, or is your Blog the best place to start?


There is so much wrong with this situation. Are developers who do something like delete-based-on-IP liable for some sort of civil or criminal penalty? Attempting to do active harm to a computer surely can't be legal.


In many jurisdictions this is indeed a criminal offense.


They shouldn't be; they didn't install it on your machine.

Publishing malware is, and should remain, protected expression.


You're thinking about it from the wrong perspective. Yes, publishing software can be thought of as expression, and that's protected by the constitution. But publishing malware as benign software, without disclosing it is fraud/deception, and that shouldn't be allowed. The legal system protects freedom of expression, but still allows you to get punished for deceptive speech that's harmful (ie. fraud/libel).


This is when the "no warranty, expressed or implied" kicks in, no?


Those words are not some sort of magic spell. Licenses can't override law unless the law explicitly allows them to, and the law generally distinguishes or tries to distinguish between honest mistakes and malicious behaviour. IANAL and laws differ between countries so YMMV.


> no warranty, expressed or implied

This isn't enforceable in quite a few jurisdictions anyways. The best you can do is "No warranty to the extent permitted by law" at which point this specific use case is pretty much no longer relevant.


That protects against bugs, segfaults, incompatibilities, etc. Not intentional malware.


There's a big difference between publishing the source code of malware while clearly stating that it's malware, vs publishing trojan malware on NPM while knowing that it will be automatically installed by a bunch of package managers and cause damage. The former is fine; the latter is clearly malicious and is or should be a crime.


/s the real crime here is the way so few people seem to think it is important to pay attention to their dependency tree....

But in all seriousness, that was one of the most jarring things I found when switching from a Java/Maven stack to JS/NPM. Both Maven and NPM offer similar features for managing dependencies, but anecdotally I found the folks managing Java projects to be a lot more obsessive about carefully managing their dependencies while in the NPM world, it seems almost to be a "best practice" to just use open ranges for your dependencies and automatically update them...


So... Sony's rootkit was a-okay in your opinion? Or have you just not given any thought to your position at all? Because that seems to be pretty common among utilitarians who are somehow perpetually surprised by blowback and "unintended consequences". It really strains credulity, the whole "unintended" defense, when you've got people pointing to the predictable outcome. Analogies are rarely helpful in technical discussions, but who knows - maybe this time will be different: boobytraps. Boobytraps are a major no-no, and have been for a very long time, regardless of whatever mitigating circumstances you can dream up (deep in your property, posted warnings, etc). This node dependency was a boobytrap. You can try and justify it by pointing to licenses, concepts of developer IP ownership, etc - it is still a boobytrap. There is no talking your way out of it, in the same way that you wouldn't be able to talk your way out of injuring a trespasser who scaled your fence and triggered a mousetrap rigged 12ga-shell while breaking into your storage shed. This case is even worse - it's more like allowing the public to wander onto your property for years to access your free petting zoo, before one day deciding to bury landmines all over the place and post a sign informing people that you take no responsibility for the resulting carnage.


I agree, but I also believe communication should be consensual. That is, the recipient must give consent to install the malware. Otherwise the transmission is a commission of fraud against the recipient.

That said, such a law is difficult to enforce, in a justice system as moribund as ours, so instead we rely on (probably wrong) heuristics about what specific behavior makes us safe, and indeed, whether or not our resources have already been breached. Such behavior is what drives the overwhelming dominance of GMail, which is itself a remarkable tool with which to learn about any person, group, corporation, or government on the planet. So in terms of utility it's hard to argue that malware is a good to society. Write a malware that installs a patch to prevent a 0-day in known use by a state actor, then I will be a malware fanboy. Not until then.


"Publishing malware is, and should remain, protected expression."

If it is advertised as malware, yes. But if it is advertised as a working open source project - but in reality is malware, then this just destroys trust in open source in general.

I guess it is good, that these things come up, to think about why we trust the dependencies and repositories and their maintainers.

Because it seems, no we cannot just trust them. And now I am more conscious about it.

OSS should be about technology and not politics.


It was not advertised as a "working open source project". In fact, quite the opposite. From the license:

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

Its fitness for any particular purpose was expressly disclaimed, in all caps.

I'm not sure what people think they did wrong here. You're allowed (and should be allowed) to publish malware, it is up to consumers to not install software they don't want to run.

What more warning could they have possibly posted beyond this one?


Thank god the supply chain attacks are happening in software, not at a molecular biology level.


I hate to burst your bubble, but Anton Babenko's terraform modules are extremely popular. The difference here is that he added an input with a default value to a specific release version. Generally, if you're using terraform professionally you'd either fork or mirror the module and pin to a specific version. In such a case this change would not affect you. If you had e.g. something in development calling the 'latest' version of an impacted module you again would not see this. It's an optional argument that defaults to a value causing no outward change in behaviour.


I'd bet you that 95% of all programmers can't even explain from memory what exactly Terraform is.

Case in point, I have no idea. I know it's something related to the cloud but none of my clients are using it.

And their Wikipedia article is filled with buzzwords and no explanation of what it does, which doesn't exactly give me confidence that it'll be useful for regular companies. "Infrastructure as code"... so Ansible or docker compose? In any case, you don't need it if 2 HA bare metal servers do the job.


I’ll try: Terraform replaces all the actions you’d do in the AWS (or other cloud provider) console or API with declarative configuration code. This means you can parametrize it, version control it, compose it, etc. and generally treat it like code.

It would be overkill for many things that have a single, fairly static configuration, but for things like ensuring that a dev and prod cluster have the same configuration, it’s a lifesaver.


That is a great summary :) and it highlights the value proposition that I was missing:

Version Control for Cloud Configurations


It is also awesome, easy to use and very convenient. If you are configuring anything through AWS web GUI, you should give Terraform a go, you won't regret it.

(not affiliated in any way, just a happy user)


> 95% of all programmers can't

That's a lot of people who can.


about as much as ferrari owners.

i don't know any, but they sure do exist


Working with NPM every day, that’s kind of how I look at it. Maybe my computer will be randomly wiped one day, but it’s not something you can worry about if you want to retain your sanity.


> it's not something you can worry about if you want to retain your sanity.

I build my nodejs/npm stuff in containers. Actually I build almost everything that way.

There are a lot of advantages in addition to the security gains, such as that I don't need to rely on every javascript programmer in the world understanding semver (they don't, and I have wasted more of my "sanity" on tracking down API changes and sloppy type contracts than I ever have spent cleaning up after malice).


That's a nice idea, thank you! No more worrying about node versions either.


> In my opinion, these changes are effectively supply-chain attacks in their execution. That would make them bad regardless of how correct their expressed positions are about the Ukraine war.

What’s the logic here? Why are supply-chain attacks inherently bad?

So, are the sanctions which attack other kinds of supply chains in Russia also bad?

Or is software an exception? Why?


What rights are you inalienably afforded from open source?


Hmmmm… ok, what if somebody is handing out free food, but it’s poisoned. Is he still liable for harming you?


Did they inform you that the food was poisoned? Does it come with a bright red wrapper saying "warning poison"?

If they just hand you food without a word then (at least in quite a few jurisdictions, but maybe not all) they are liable.


Did the packages in question have a bright red warning that said “your files will be deleted if you’re in Russia?”


It did have this:

> as of v11 this module uses the peacenotwar module.

Over on its NPM site: https://www.npmjs.com/package/node-ipc

And as far as I can tell they bumped up the major version by a digit. Whether or not that counts as a "bright red warning" I don't know, but personally I believe that a warning notice + a major version bump should be enough. Those who don't care about that would most likely not care about a bright red warning on the repo page either.

It's clearly a questionable thing to do, but is it illegal?


Deleting random people's files sounds more like the warnotpeace module.

No normal person would see "peacenotwar" for the first time and assume it does something bad.

This counts as "no warning whatsoever", and no competent lawyer would say it's a warning message.


Definitely, with prison for life in many places.


[flagged]


Apparently I didn't make that part clear enough: This is a supply-chain attack against EVERYONE using their project. Those users will be 99% innocent civilians.

I might one day have an IP that is accidentally mis-classified as Russia. I mean those Geo-IP services are only like 95% accurate and they go out of date pretty quickly and updates are expensive. Plus .RU VPN services used to rent subnets in the US all the time. But then all of my files get deleted because someone wanted to make a point. So then I'm collateral damage in someone's remote fight in a war that neither of us were actually involved in.

Your argument is a bit like saying "It's OK to use chemical weapons because we're the good guys." They are not banned to protect soldiers, they are banned to protect civilians. And most likely, node-ipc's patch will hurt much more innocent civilians than it'll hurt Russian soldiers. It's the software equivalent of indiscriminate bombing.


Oh sure, obviously a kind sort of malware in the wild has all sorts of consequences.


[flagged]


And are you really going to cheer as corporations take upon themselves the right to prosecute a war, let alone one waged largely against civilians?


So much missing information.

Who's interests do corporations represent?

What are the costs of their actions?

What are the costs of their inactions?


iirc npm has support for pinning dependencies, you just have to remove the “^” at the start of the dependency version. Is there a global option in npm or yarn or pnpm? Why don’t they make this the default?


https://github.com/npm/rfcs/issues/509

it more or less just makes it difficult for updates to propagate, which is arguably a good thing.


> In my opinion, these changes are effectively supply-chain attacks in their execution. That would make them bad regardless of how correct their expressed positions are about the Ukraine war.

Well, yeah. War is bad. On the spectrum of war badness, obviously, these pranks are pretty mild. But they're bad. It's a bad situation. When at war, people are forced to do bad things to prevent worse things. That's why starting wars is very bad.

Now, sure, you can argue about the semantics about "who" is at war, or whether these npm authors are "really" at war, or why they "think" they're at war, or whether they "should" be at war. You could also get into a discussion about whether or not this tactic is effective (and I'd agree it's hurting more than helping, btw). Go nuts.

But that doesn't change the fact that this is an action in support of a war effort. In wars, principled stands don't win. If you want a particular outcome, you have to pick a side.


> But that doesn't change the fact that this is an action in support of a war effort. In wars, principled stands don't win. If you want a particular outcome, you have to pick a side.

I picked a side. I will take care that npm is not installed on my computers. Take your political sh*t out of my computer.


Perfect segue to that famous Clausewitz quote!

The premise behind your position is clearly that "politics" is some kind of meaningless distraction to the "real" business of shipping software. But... isn't that backwards? It's a war. People picked a side.

The idea that unilateral military invasion is merely "politics"[1] is... very strange to lots of people.

[1] In the sense of triviality you clearly intended, c.f. Clausewitz again.


> I will take care that npm is not installed on my computers

Easy to say if you are not a frontend engineer.


>Well, yeah. War is bad

You're implying that wars have no rules. This is very much not true, not legally and not morally. You should read the 4th Geneva Convention to disabuse yourself of this dangerous misconception: https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/INTRO/380

>In wars, principled stands don't win

And excessively unprincipled stands can get you sent to The Hague to be prosecuted for war crimes.

Now, I'm not saying that deleting some files is a war crime. What I'm saying is that your reasoning for why it is legitimate is flawed.

I even doubt that you would agree with your own reasoning given some other examples. E.g., would you not agree that while we can ask McDonalds to stop doing business in Russia, it would be a crime for them to start poisoning their Russian customers?


> And excessively unprincipled stands can get you sent to The Hague to be prosecuted for war crimes.

Unless you're from the US, in which case the US will invade the Netherlands to get you out of there. Apparently, there is a law (from 2002 IIRC) which allows the US to do this legally.

Same goes for Russia, China, Iran, Saudi Arabia, and a lot more countries that did not sign (or ratify) the Rome Statute.

> One of the principles of international law is that a treaty does not create either obligations or rights for third states without their consent, and this is also enshrined in the 1969 Vienna Convention on the Law of Treaties.[149] The co-operation of the non-party states with the ICC is envisioned by the Rome Statute of the International Criminal Court to be of voluntary nature.[150]

For Russia, China, and the US there's literally nothing that can be done: while the "members of UN Security Council" are "compelled to co-operate" with the ICC, these members can veto anything that comes up.

In other words, if you're from one of non-signatories, you can willfully kill, torture, subject to inhumane treatment, perform biological experiments, steal and destroy property, take hostages, unlawfully confine, transfer, and deport, and even willfully cause great suffering without fear of any kind of prosecution.

Does Geneva Convention make a difference? I only learned about ICC and Rome Statute, and it was disheartening enough for me to stop reading, so it's a genuine question.


>Does Geneva Convention make a difference?

Yes I think it does. Whatever the limits of enforcement, it means something that all the countries you mention are signatories to the Geneva Conventions I - IV.

Even if these countries refuse to extradite their citizens to The Hague, it doesn't necessarily protect war criminals from prosecution in their own countries. They are still breaking the law.


Right, and apparently all signatories to the Convention have an obligation to prosecute people who commit "grave breaches" of the conventions, no matter their nationality and the place the crime took place. So, if a commander from X commits the crime, and the X refuses to prosecute him, he can be legally captured and tried as soon as he visits another signatory country. This is better than just the ICC, definitely (if I understand it correctly).


Several countries have implemented some form of Universal jurisdiction for severe crimes like genocide, meaning their courts may prosecute regardless of nationality of the accused or country where the supposed crime happened.

Of course the practical problem is getting hold of the suspected war criminals.

https://en.wikipedia.org/wiki/Universal_jurisdiction

https://www.justiceinfo.net/en/39791-international-crimes-sp...


> E.g., would you not agree that while we can ask McDonalds to stop doing business in Russia, it would be a crime for them to start poisoning their Russian customers?

In the current climate I am not sure anymore that people would disagree with poisoning Russians. Here in Germany they started to purge everything Russian (except people) and also agitating against Russians in general. It feels like we learned nothing from WW2.

From what I've seen there seem to be worldwide movements in that regard, that are even overboard for cold war propaganda.

edit: added "except people"


I've seen a few people in the media specify that the war's about Putin's aggression, rather than Russian aggression. But I doubt that they're the majority. Russophobia sells better. We've got people vandalizing businesses [1] and sending threats in the US as well. That doesn't help anyone in Ukraine, if that's really their goal. It certainly doesn't affect Russia's economy if a restaurant in another country takes a dive. The point of the sanctions is to hurt Russia's government (and therefore their military). There's a cost to sanctions as well for Russian citizens who have nothing to do with the war, but I've yet to see an alternative solution beyond escalating the conflict.

[1] https://www.axios.com/russian-businesses-us-vandalism-threat...


I think you have it completely backwards. You should not involve yourself in any war that you don’t personally want to fight and maybe die in. You do NOT have to take a side. You can oppose the war, or one or both sides, even vocally, without entangling yourself in the war.

If you choose to become an actor in a war, then you also open yourself up to being attacked. There is only one kind of actor in a war: combatant.

Consider the maintainer who did the “delete all files on servers with Russian IP addresses.” This could be construed as an act of war against Russia. Would Russia be wrong to commit acts of war against this person? If the server performed some life critical task like operating hospital equipment or air traffic control or whatever, this change could have resulted in loss of life (so many mistakes in using JavaScript in such cases but set that aside for a moment). If lives were lost as a result, would Russia be wrong to use lethal force against the maintainer?

Disclaimer (sad that you have to add this these days; it should go without saying): I only use this as an example. I think Putin is a thug and I think that it goes against most westerners’ values, mine included, for nation states to preemptively invade other nation states. I’m not apologizing for or justifying any act by Russia. I have deep sympathy for people in Ukraine who just want to live their lives and not be killed or have their stuff destroyed.


>Would Russia be wrong to commit acts of war against this person?

>If lives were lost as a result, would Russia be wrong to use lethal force against the maintainer?

Yeah, unless they want to admit that they’ve been waging war against the entire western world by allowing their homegrown ransomware groups to operate with impunity.

If we go by your logic, Western countries should have turned Moscow into a giant glass parking lot after NotPetya, a destructive wiper worm released by the Russian government targeting the entire world.

Luckily you’re alone with your thinking.


Apparently not, guy got swatted. [1]

And there are levels of warfare between "nothing" and "nuclear", in case you hadn't noticed. And North Korea and China are doing state-sponsored attacks against US targets, commercial and government and military. It's not clear to me that NotPetya was state sponsored, it's ransomware. The RF is not a bastion of law enforcement and justice; I agree that they do a terrible job of controlling organized crime activities, both cyber and non-cyber.

[1] https://www.vice.com/en/article/dypeek/open-source-sabotage-...


RF kills people for any or no reason. Why do you worry about that? If you think that when you don't attack RF, then they don't attack you, you are wrong. You are a member of the rotten West, your country is a member of evil NATO, you speak a non-Russian language, and you are spreading anti-Russian propaganda. You are a danger to Russian Civilization. They will kill you, but their resources are limited, so stay in line.


But none of these people picked a side in any of the other currently ongoing unjust occupations, or any of those in the recent past. So clearly you don't need to pick a side.


"principled stands don't win."

Fighting against bad actors is definitely a 'principled decision'.

Ignoring the situation and not taking action is an 'unprincipled decision'. Though it might be disguised as principled action, on the basis of supporting some other principle, such as 'open source', but ignoring one at the expense of another implies a serious lack of self awareness.

This war, plus COVID, and the recently released documents indicating a planned invasion of Taiwan (though we don't know for sure) - represent major geopolitical shift of the order of WW1/WW2/End of Cold War, the stakes and consequences are enormous.


That's sort of a semantic argument. To be clear: I was contrasting "choosing a side" (in this case by senselessly pranking your npm customers) as being a "practical" choice, vs. the "principled" stand taken to avoid the conflict out of a general sense of open source decorum. Obviously in some sense all decisions are based on "principle".

And the point is that it's a war. We've crossed the "bad things are going to happen" Rubicon already. You can't make principled arguments like that against people who have chosen to engage in a war out of the hope or desire for one side to win. They already did that moral calculus. It's like telling someone they shouldn't defend their home because pacifism is more important. You might be right, but you won't change anyone's mind.


Your argument creates dangerous implications. If a programmer creates targeted malware as an act of war - wouldn't that make him a valid military target? Would Russia be legitimised to carpet bomb wherever that programmer is supposed to live in retaliation? If not, would they be legitimised to capture and execute him - because he certainly isn't a legitimate combatant?


I surely wouldn’t bet my life that the targeted country would consider it a mere prank.


Also: when ‘colors’ and ‘faker’ packages printed stuff in the output in an endless loop, NPM and Github banned the author and took over the packages.

When ‘node-ipc’ overwrote all files on disk, NPM just waited while the author himself published an amendment and posted that the package ‘only created a text file, no biggie’.


It's difficult to trust NPM after node-ipc. After all, it's pretty close to a software equivalent of warcrime. Imagine a hospital used node-ipc and got its files deleted.


I really hope no hospital did use node and npm to store important medical information or on critical systems.

But if they did, people might die for real, if suddenly important information about patients is gone or manipulated. Or an important operation had to be canceled because of it. How can one criticise bombings of hospitals and then potentially do the same on a software level?


Oh no, indeed, how could someone possibly object to killing civilians in cold blood with the full military force of an arguably-developed nation, while themselves committing such horrible crimes as - gasp! - deleting files? patterns of bits have human rights too!

Get over yourself.


> patterns of bits have human rights too!

I think the main concern of the OP was with _human_ collateral damage that can result from the deleted bits. Having worked for years in EMRs, I can definitely say that sustained IT outages in modern hospital systems can and often do lead to increased deaths.


Other things that lead to increased deaths: the Russian military intentionally bombing civilians.

I usually oppose “whataboutism” but I can’t bring myself to do it here. This is a war where the nation of Russia has decided to murder Ukrainians. Means to interfere with Russia’s blood-soaked campaign must be viewed not in isolation, but in the context of what they are attempting to stop.

To be clear, I am not making a general purpose “the end justifies the means” argument. I am making a narrow and specific “the circumstances justify extreme behavior with severe externalities” argument.


What ends were achieved? Has sabotaging node-ipc made any measurable progress towards stopping the war? The danger when you let the ends justify the means is that when you don't achieve your ends, then you haven't justified your means.


This fails the 'proportionality' test. Contrary to popular knowledge, it does not refer to number of civilians killed*, but to whether any legal goal could reasonably be achieved proportionate to the hurt.

Now, there's nothing this action could achieve aside from making people angry, becoming Russian propaganda-fodder, reducing trust in NPM, etc, in any remotely likely scenario. So any damage is a crime, and arguably even the possibility of damage is a crime.

* A strike on head of ISIS while being surrounded with a class of children might pass this test. Similarly even if one side (say ISIS supporters) has more civilians killed that does not imply a crime by itself.


"Other things that lead to increased deaths: the Russian military intentionally bombing civilians."

Yes, this is a warcrime. But the proposed solution is to react with a warcrime?

I do not agree.


This is a really important thing to bring up.


Because the first time was about money, and the second time was about ethics?


If you really think that in security of open-source people should tolerate a malware attack because the author says ‘oh, I'm fighting those Russians’, then I sure hope I'll never have to use any of your software.


I’m very sympathetic to the attacker here, but I can’t imagine an argument for why there’s an ethical obligation to delete random Russian users’ files, much less why that duty should outweigh the NPM project’s general duty of good stewardship.


I’m not suggesting it’s right. Just speculating on what makes it different.


Because there is an obligation to stop the war by any means available. Since Putin will not stop voluntarily, he must be rendered unable to continue. Every possible tool to drain the resources and undermine the tenuous stability of Russia is necessary and appropriate.

War sucks for civilians. It sucks less for the civilians who get some files deleted than for the civilians who get their houses shelled by Russian and Belarusian artillery.

Does the NPM project have a general duty of good stewardship? Of course. Does the NPM project have a duty to interfere with a developer who chooses to increase the misery and pressure applied to a nation that has been committed to a path of an unjust war of aggression, which is deliberately bombing civilians? Fuck no.


I don't agree with the premise that every tool is appropriate and I struggle to believe you do either. If your boss told you that you need to work unpaid until further notice because they're donating everyone's salary to Ukraine, you wouldn't object to that? You wouldn't have concerns if you came home one day to find your stuff on the curb because your landlord wanted to make room for refugees? A lot of tools are appropriate that wouldn't be appropriate for most international disputes, but when you're fortunate enough to not be in the warzone, you can't go crazy and start smashing random people's root directories.


"Since Putin will not stop voluntarily, he must be rendered unable to continue."

Regardless of one's positions on the Ukraine war, I don't see how manipulating node packages could, for example, stop a Russian hypersonic missile or fortify Ukrainian barracks.

By the way, if you look at the damage to Ukraine's infrastructure and human capital, it has already lost the war. Also evident by repeated calls from Zelensky to resume negotiations. He badly miscalculated from the start...


We've pretty quickly decided to throw out decades of norms in favor of anti-Russia moves all the time. Not ideal.


Almost like “the norms” don’t apply when the situation is not normal?

Authoritarians pursuing military conquest and territorial expansion hasn’t been “the norm” for the past few decades. The world is changing with Ukraine and Hong Kong, and soon Taiwan.

Not saying these examples in the article are all models of how we should design things in the future. But the world is changing and norms will change alongside it.


I guess this is the Mandela effect because I can remember a few instances in my lifetime of larger countries invading smaller ones in contravention of international law.


I’ve seen that happen a few times, but not in a war of territorial expansion.

Barring, you know, the current suspect.


I don't find it super convincing that our version is better because we merely aim to install a friendly government rather than annexing territory directly. We already did that. There isn't much more to annex.


>but not in a war of territorial expansion.

According to whom? According to Putin, they invaded Ukraine to "denazify it". On the other hand "US invades country for oil" is a pretty popular narrative on the internet.


The argument is just a bit harder to make if you invade a country on your border, starting from your border, and expanding into the country.


Yeah, I guess if someone gets away with something bad you shouldn't care about it ever again.

Guy murders your kids, anyone can murder anyone from now on, no big deal.


You missed his point. The original comment said that territorial expansion wasn't exactly the norm and that it's a pretty unique situation. The person you replied to then said that they can recall quite a few invasions, disproving that assertion. Nobody is justifying anything, there is no need to be so defensive about it.


So full-on cancel culture?

Even if you want to support Ukraine, some things have certainly gone too far, like discriminating against anybody and anything with Russian origins (a professor being told not to teach Dostojewski, for example, as posted on HN a couple of days ago).

And demonstrating that the international monetary system is not reliable at all: not sure that is a good thing.


RF propaganda claims the West is an enemy and most of the population is brainwashed. 70% of the RF population supports the "special operation". RF rectors support the war. The RF military can't even defeat Ukraine, it specifically bombs civilians causing terror, thousands dead, millions displaced already. It is threatening to nuke. Extraordinary cases require extraordinary solutions.


Are these actions solutions, though?


I find it hard to attribute the sad state of academic freedom in academia (as in, none at all) to anything to do with Russia. It was dead long before Putin decided to mess with Ukraine for the first time. Right now censorship is just being deployed for a newly fashionable cause, but before that it was dozens of other causes, and no doubt once Putin finds his ignoble end, it will find dozens of new causes to pursue.


So everything that's been happening in the Middle East is to be ignored? Do we only consider the norm disturbed when a non-brown country is invaded and destroyed?


The “norms” were rules which were developed after everybody saw what the alternative looked like. Humans have a lot of rules around conflict and fighting because it’s very costly for everyone to have an all-out war.


I hope Russian maintainers of open source publish disk wiping malware on a patch version for one of your dependencies.

That's the norm now, right?


Also we need to account for all Ukrainian software developers. Is it not their right to defend against Russian invasion by targeting Russian software development? Should they welcome Russian invaders with open arms and help them to write better software to occupy Ukraine?


Is it the Juba sniper's right to shoot American soldiers in the head while standing outside their vehicle in downtown Baghdad?

On the one hand, I cannot deny the right of Iraqis to defend their territory from a criminal war of aggression. But do I need to stand up for what he is doing? Should I put money in his paypal account? Do I have to agree that all soldiers are legitimate targets, even when there is no military objective other than "exacting a cost?" Can I ask who pays that cost? Is it the war criminal George Bush, or just some grieving American family somewhere? If twice as many families have sons, brothers, fathers taken from them, would a future George Bush think twice?

Back to the topic at hand. Of course we can understand the motivation but at the same time the question for us is whether we in the open source community want to preserve software as a humanitarian sphere which is not necessarily neutral in conflict but, at least, part of civil society and not involved in or drawn into cyber-warfare as far as possible.

The fact that hostilities have broken out does not mean that everyone has to camp at one ridiculous extreme (kill them all) or another (total capitulation), and it's perfectly reasonable to try to find a path between them which is consistent with our own moral and ethical code.


If it were a Ukrainian guy who did this I think it would be much less controversial. It’s good and proper for people being invaded to fight back with whatever means are available to them, but it’s a problem if we end up in a place where major conflicts have to escalate into global cyber war.

(I should mention that Russia already does tolerate destructive hacking against the West, and has been doing so for a while - that doesn’t change my opinion, but it would be unfair not to note.)


This is the culmination of about a decade of reinforcing the idea that political actions don't count as violating norms if the actions are against someone who violates other norms of yours.


Or maybe just the culmination of internet libertarians who stick to principles being out-populated by more average people who stick to each other (that is a nice way of phrasing the practice of putting popularity before ideals but it's also true to its real nature).


This is disturbing to read.

This notion that somehow 'FOSS' is a moral ideal that stands above others is rubbish.

If you're helping Russians drop bombs on Mariupol, that's a choice.

You can also choose not to do that.

That concerns an 'ideal'.

There are issues at hand of much greater consequence and idealism than 'internet libertarians' pretending that they are consequential in this context.

'More Average People', like accountants and teachers, are literally right now upholding their 'ideals' by learning how to use a weapon and defending their homes with their lives against literally the Russian Empire. That is an 'ideal' thankfully none of us will ever have to contemplate upholding.


I think it is a little bit more complicated than that when you're taking sweeping actions like banning Russians from sport (something we managed to avoid in the Cold War but apparently not this time). I also wonder if you'd take the same line about someone seizing your bank account, because every American, by the standard we are now using, is culpable for the Iraq War.


like banning Russians from sport (something we managed to avoid in the Cold War but apparently not this time)

That isn't as persuasive a point as you might want it to be. It may be the case that we are, now, simply being more comprehensive in defending against a descent back into those awful cold war times. Once we were already in the thick of it during the Cold War, even a little bit of cooperation was useful in not descending even further.

It's like a phase transition. When society is already functioning at a higher level of cooperation, appropriate consequences of deviating from that are highly exclusionary. But the game-theoretic risk/reward balance changes when society is functioning at a more adversarial level. At these different phase states, an action that may incentivise de-escalation in one phase state may have a different (even inverse) effect in another phase state.


I'm not sure I would have described the last twenty years or so as a high watermark of global stability and accord.


I didn't call it the high water mark, just a higher level of functioning & cooperation than the cold war. I think that's an accurate statement.

But now that you've raised the question, it's difficult for me to think of any stretch of decades that was definitively better, certainly not in the last 100 years. I might look far back to the Pax Romana, but that couldn't be considered global in nature. I'd argue that it's probably only at some point in the past 100 years that regional civilizations became interconnected enough for us to even consider things as a truly global system.

Please note that I'm not claiming the last 20 years have actually been good in terms of global peace, stability, accord, etc., just that it seems a bit better than the recent decades prior to that. By one narrow metric, per capita war-related deaths, we're doing quite a bit better. Of course these things are far from evenly distributed across the globe, and it seems like wider stability sometimes relies on allowing awful things to happen on a smaller scale. And I don't think it's much consolation to those dying in conflicts to tell them "no really, you should be overjoyed to live at a time when so few people have their lives torn apart the way yours is right now".

All of that strays from the topic of my original comment though, which again compared current times to cold war times.


I disagree unless we mean, in a very narrow sense, "peer" challenges. Clearly the US hegemonic status went largely unchallenged for a while, but I don't agree with your characterization of the period as more peaceful than previous times, and therefore warranting a radical break with the past to preserve.


I honestly want to explore this topic further. I am not so closed off to the possibility that I'm wrong that I am unreceptive to counter arguments, so I hope you'll engage the topic with me a bit more:

"Peaceful" is a vague term, but some of the language I have used is not much more precise. However, I did mention one somewhat narrow metric, per-capita wartime deaths, and the world has been much better in this area during the last 20-30 years than previously. What are your thoughts on that aspect of this discussion?

On the more ambiguous connotations of what I wrote, I will clarify the idea that was uppermost in my mind when I made my comments:

Essentially, a conflict that is catastrophic for the entire world is less likely (at least prior to recent events) during the last 20-30 years. The fall of the Soviet empire left no two adversaries so antagonistic to each other, each with world-destroying capabilities, that we have had to constantly worry about such a conflict breaking out. We have not had to walk so carefully on egg shells to avoid reaching that point. North Korea has only recently become the nation most likely to initiate a nuclear conflict, and I would still rate that as a lower probability than cold-war era direct US <-> Soviet conflict, and the capabilities of North Korea in this area are still too primitive for a conflict with them to inflict the same scale of damage as direct Soviet/US aggression.

Certainly horrific local and regional conflicts have still prevailed in some areas of the world, perhaps only slightly reduced (arguably not reduced at all, and worse in some regions) but their potential to spill over into a wider world-scale conflict remained exceedingly low compared to prior decades. They are less dangerous to the wider world because some of those cold-war era conflicts were proxy wars that risked escalation to direct conflict between military super powers.

Consider that the Vietnam War could easily have been won by either the US or Soviets if either of those powers had been willing to bring their full and complete military might to bear against their proxy opposition within that country. Indeed there was a constant tension that such a thing might happen and bring the puppet masters behind the North & South Vietnamese into direct conflict with each other.

This was perhaps even more true during the Korean War, with the added risk of more significant Chinese involvement & explicit threats by the US that nuclear options were on the table. The only thing that mitigated the potential for global nuclear war was that US nuclear capabilities were still relatively limited, Soviet nuclear capabilities even further behind, and Chinese nukes a decade or more away from completion. (by which point we'd progressed past the sino-soviet split so an alliance between those two powers was pretty much off the table) But during that conflict there was still significant possibility that a conflict on the scale of WWII, with slightly more advanced technology, could erupt & include a major nuclear component as well.

And of course there was the idiotic brinkmanship of the Cuban Missile Crisis.

Nothing of that scale has been anywhere near as probable after the end of the cold war. Having grown up in the twilight years of the cold war, I can directly attest to the global tension of those times, and the global sigh of relief as they ended. In the years since then we have never approached that level of tension until today, with the Ukrainian invasion, where small echoes of those times can now be felt.

This is the thrust behind my comments. That perhaps local & regional conflicts have seen little change, but world-wide existential threats from military conflict are-- comparatively-- a much reduced concern.


It's not that they are guilty. It is impossible to harm a state without harming its citizens in the process.


How is the state being harmed by stuff like people vandalizing shops for having Cyrillic letters on the storefront, I wonder.


Stupid people do stupid things all the time. Clearly not an educated tactic. No one with anything above the brain stem would do that, and that's not what's being argued for.

Racism isn't the point, crippling the Russian state is. Assuming anything else smells like bad faith.


> Racism isn't the point, crippling the Russian state is. Assuming anything else smells like bad faith.

One incident related in the story is someone slipping malware into a node library which appears, among other collateral damage, to have deleted the archives one NPO had collected of the war hoping to document Russian war crimes. So really I'm not sold on it being that different.


Do you have a link describing which NPO that was and what exactly happened?


https://github.com/RIAEvangelist/node-ipc/issues/308

Draw your own conclusions about authenticity but it doesn't sound implausible.


Anonymous post without any details... Yeah, I smell some substance that comes out of a bull.


Huge parts of the Russian state are "infrastructure necessary for civil life"; attacking those would be contrary to international humanitarian law.

But there is also the tactical issue of whether such attacks would have the desired effect. Imagine if Russia had attempted to "cripple the US state" to stop the war in Iraq... I think the average Joe in America would feel quite threatened by that notion. As a corollary, consider this: in response, would Joe be more likely to turn against his state, or to realise that he desperately needs to support it, in order to defend his way of life?


> It is impossible to harm a state without harming its citizens in the process.

Technically, there is a way to hurt a state while helping its citizens -- help them move away, to a better place.


Targeted missile strikes on the homes of the leadership and military executives would be a way to do so, while minimizing direct harm to the population.

Of course, actually targeting elites in power isn't something elites in power want to promote.


Oh come off it, the notion of collateral damage-free missile strikes is a fantasy, and there are obvious reasons not to pursue a hot war with a nuclear power.


I never suggested that it would be collateral free... I said specifically "minimizing" the impact. That said, I don't support the practice, only making the point that there are in fact better options, including those with military action.


You can observe the difference between a military largely focused on PGMs and a military focused on 152mm artillery and unguided MLRS right now in this very war.


More than 71 percent of Russians support this war so your conclusion doesn't seem apt: https://t.me/ukrainenowenglish/1935


> Source: data from two surveys, made by the group of independent Russian sociologists, obtained by Radio Svoboda

It would be nice if there was a link to those sources. This isn't worth much more than "trust me bro"


Good point. The true numbers appear to be closer to the mid-60s [1] but Washington Post [2] and CNN [3] both report numbers closer to 50.

Whichever of the polls you choose to believe, this is not a war largely unsupported by its citizens.

[1] https://meduza.io/en/feature/2022/03/07/russia-s-tricky-opin...

[2] https://www.washingtonpost.com/world/2022/03/08/russia-publi...

[3] https://www.cnn.com/interactive/2022/02/europe/russia-ukrain...


The looming Iraq analogy fits here too: https://www.brookings.edu/articles/rally-round-the-flag-opin...

> Iraq dominated the headlines throughout the fall of 2002 and into the winter of 2003. Public opinion on the wisdom of war, however, stabilized relatively early and slightly in favor of war. Gallup found that from August 2002 through early March 2003 the share of Americans favoring war hovered in a relatively narrow range between a low of 52 percent and a high of 59 percent. By contrast, the share of the public opposed to war fluctuated between 35 percent and 43 percent.

Earlier reporting had it in excess of 70% support: https://news.gallup.com/poll/8038/seventytwo-percent-america...


The culture of those “average people” stems from the beliefs of Calvinist fanatics that fled England because it wasn’t radical enough.


What's Calvinism got to do with Russia?


It has nothing to do with Russia. It has to do with stuff like inherent sinfulness, the promotion of social righteousness, the exhibition of the Kingdom of Heaven to the world, double predestination and whatever else Puritans and other Calvinists who became the American elite believed in and promoted. The views of those people who were considered fanatics back in Europe became the norm in the US.


I think people get a little carried away with this. I'd bet money that the average American cannot even describe the difference between Protestantism and Catholicism besides something facile like "they have a pope." There aren't even any Protestants sitting on the Supreme Court.

In a historical sense, it's very geographically dependent. Before states got rid of established churches, Virginia, for instance, established the Episcopal church, while Massachusetts established the Congregational church.


> I'd bet money that the average American cannot even describe the difference between Protestantism and Catholicism besides something facile like "they have a pope." There aren't even any Protestants sitting on the Supreme Court.

The modern American culture simply descends from Calvinist culture, but it is by no means the same. Just like you wouldn’t expect a fish to explain its ancestry to you, you wouldn’t expect an American to do the same.

Some people seem to believe that if you remove a belief in God, a sudden discontinuous cultural gap appears. But there is no reason to assert such thing. An absence of belief in God doesn’t make Americans culturally more similar to Buddhists than to their ancestors, they still inherit similar values and social practices. The American culture experienced an abrupt shift from the British culture due to the founder effect, but from that point it pretty much developed continuously. (Well, of course like all cultures, it experienced outside influence but it wasn’t as impactful.)

> In a historical sense, it's very geographically dependent. Before states got rid of established churches, Virginia, for instance, established the Episcopal church, while Massachusetts established the Congregational church.

There is a book called The Faiths of the Founding Fathers by David L. Holmes; it covers the sheer influence Calvinism had in the US.

By the way, is it surprising that (1) Harvard originally had a Calvinist church. (2) Harvard is located in New England, the land of radical Protestants aka Puritans. (3) Harvard is the most prestigious university.

My point is simply that American “average people” are in no way simply average people, if such a thing even exists.


I don't think his point was directly related to people's religious views today, but the type of people who originally came to the US and how their views and norms have impacted the culture up to today.


Well, I'd go a little further and say that it's getting too clever to act like the most important thing for understanding how Americans think is the details of a dispute that happened before most of their ancestors came and that they can't even describe in broad strokes.


One doesn't need to know history to be affected by it.


That's obvious. Who would argue the opposite?


Internet libertarians definitely also stick it to each other in dumb ways whenever they think their cause is right. Let’s not kid ourselves; an average person wouldn’t know how to wield open source for their personal political nonsense. It would precisely be a technocrat who thinks they’re enlightened.


>an average person wouldn’t know how to wield open source for their personal political nonsense

I am close to an average person in this regard because I am a free-rider on other people's enlightened steering: all I do is install stuff and in exchange I get privacy and security.


That will keep happening if we build solutions on top of obviously unsafe platforms, ignoring incident after incident. It’s not like this is the first time and it’s not like people will now suddenly learn from this. Blind software updates like yarn upgrade, brew upgrade etc, happen every single day.


it's pretty gross if you ask me. i don't think that throwing stones at the people in a nation where the government is misbehaving helps much anything at all. on the contrary, all it can do, is harm.


I think it's just generally a bad idea to make victims out of those whose minds you most need on your side.


I think it’s a bit counterproductive when you can probably safely assume that most of the people affected by this were probably already on your side.

But putting pressure on people to make them do what you want is a fairly accepted strategy. Hell, Russia is following the same strategy, except they’re dropping bombs and missiles on cities, which also (even mostly) impacts civilians that have nothing to do with the war.

As much as it sucks, it’s the only way to retaliate.


it is possible to put pressure on the russian government to stop the aggression while still discouraging xenophobic lunacy.


> We've pretty quickly decided to throw out decades of norms

So did Putin. Dying isn't ideal.


Your comment is proving his point. We decided at some point that not all is fair in war, even if there is a war of aggression. "The Japanese started the war" wasn't a good excuse for Japanese internment. "The USA started bombing the Middle East" wasn't an excuse for 9/11. "They are invading Iraq" wasn't an excuse for torturing captive American soldiers or hurting American civilians. "Afghan civilians had it coming for harboring the Taliban" wasn't a valid excuse for droning them either.

And so on.

Not that this kind of pretty bad take hasn't been pervasive in the past month. It's just funny in a horrifying way to see a century's worth of lessons just evaporating in 3 weeks. Just go on any social media and you will see the exact same argument used to justify and even promote literal war crimes against the Russians because they started the war. But no, even an invading soldier does not deserve to be tortured.


Right but some npm module deleting some files is not a war crime.

So it's fair game, as far as international law goes.


It is a cyber crime. I would assume that if the victims were e.g. in the EU there would be an attempt to prosecute.

Which leads me to my next point: an essential attribute of a state under the rule of law is that the law is applied impartially, irrespective of who the victim and the perpetrator are. Doesn’t always work out, but it’s certainly what most people find fair and what we strive for.


This is exactly the problem with “uncurated” package managers like NPM and PyPI, and where a curated package system like APT and RPM offers such a strong advantage. Far fewer people for you to have to put your trust into, but still a trust-based system. They have gone so completely out of favour though.

It’s understandable why people moved to the uncurated systems, it’s so much easier to publish and so the variety of what’s available is brilliant. But I don’t think the tooling is there yet with all the languages that use them. Really we should have the ability to control permissions at the library level, choosing specifically what they can do.

Deno is doing some interesting things at the app level but has any language done anything with library level permissions?

Maybe we will see a movement back to the curated package managers; there may even be an opportunity to provide a curated service layer over the uncurated package managers like PyPI and NPM, possibly a paid service?


Curated package managers are still vulnerable to supply-chain attacks. Solarwinds was the definition of a curated system and look how that turned out.

In almost every way the problem comes back to the same basic failure which ransomware represents: OS level data and access is boring, but user level data and access is wide-open and you grant it constantly to all sorts of things. It's hard-to-impossible to put comprehensible, maintainable barriers around stuff, and we lack the tools and programming constructs to enable this; i.e. you can't write software that will, without you doing a lot of work, upfront declare what files it's touching and how, in a deterministic way.


I don't really think it has anything to do with curated. It has to do with popularity/accessibility. There are more JS programmers than just about anything (my belief) and they have an easy to use and contribute package manager. (unlike say C/C++). Curation, IMO, would crumble under the pressure.

Also AFAICT, Rust's package manager is uncurated? So is Swift's but AFAIK Swift doesn't really have an "official" manager and so doesn't have the conditions for the same level of popularity/accessibility.

Maybe that suggests no package manager is better? The C/C++ way? Because spreading malware is harder? Of course, conversely, accepting exploit fixes is harder.


> there may even be an opportunity to provide a curated service layer over the uncurated package managers like PyPI and NPM, possibly a paid service?

Anaconda comes to mind, and I've heard that for Haskell there is Stackage


> has any language done anything with library level permissions?

Java Security Manager?


I think that's being deprecated.


I think a better solution would be to never execute anything unsandboxed.


My initial thoughts as well. I have been playing with development inside containers, and this just makes me sure I need to do it much more. Also, pushing for read-only containers in production for most things, along with running as a non-privileged user.


Unless your program is a black box that doesn't interact with the rest of the world in any way, sandboxing will not be enough. People still need to mitigate the effects of malicious supply chains.


This may protect your computer, but not the visitors of your site using a malicious npm module on the front end.


that is the job of the browser vendor to sandbox on the front-end side


Software is not more important than human life. I would rather have proprietary than Open Source if it's a choice between respecting human life or not.

When America goes to war with a backwater country that can't defend itself, nobody can do anything. We have the nukes, we have the money, we have the aid, we have all the cards. Even when we literally make up shit to have an excuse to go to war (for Russia it's "Nazis", for the US it was "Aluminium tubes"), nobody can stop it. Well, I want the right to say: "No, USA, you cannot use my software if you wage an unjust and unprovoked war."

Is it unfair to block a whole bunch of innocent people from using that software? Yes, I'm sure the families of the people your government is killing are quite upset that you can't use some software. However, if you want to use the software again, force your government to stop its war. Or use different software. It's not like anyone's holding a gun to your head.


While I agree with parts of your post, not providing software is a very different story than fucking up people's computers for a xenophobic and virtue-signalling reason (the developer of peacenotwar was not concerned by the ongoing war). What this developer did is in the vein of the computer attacks allegedly coming from China/Russia/North Korea that the US whines about all the time.


The terraform changes just seem so unprofessional and a prime example of virtue-signaling.


I agree about it being unprofessional. But does "virtue signalling" now mean simply any form of protest?

Were the Canadian truckers protesting in Ottawa virtue signalling? Are people posting "Let's Go Brandon" online also virtue signalling? If not, what's the difference between their form of protest and this Terraform stunt?


My understanding is that "virtue signaling" implies that the primary goal is performative with minimal personal risk and minimal commitment to productive action. The example that comes to mind is a company that spends far more money informing the public of their charitable works than they do on the works themselves.

So an in-person march, trucker protest, sit-ins, having a private conversation, calling your representative, making personal sacrifices, attempting to bring attention to lesser-known issues, donating money, engaging in dialog to convince someone of your position, etc would not be virtue signaling.

But things like posting "Let's Go Brandon" online, or changing your profile picture with no further action, or unironically using terms like "virtue signaling" for internet points might qualify as virtue signaling.


> My understanding is that "virtue signaling" implies that the primary goal is performative with minimal personal risk and minimal commitment to productive action.

And it's based on the flawed assumption that stating public support for something without doing anything else is useless.

But people moderate their behaviour based on perceived social norms.

When people publicly state their support for a given issue, they are communicating what they understand social norms to be.

When a lot of people do that, that becomes the norm.

So "virtue signalling" could just as easily be labelled "showing support", which is the way that we share and align on those norms.

But, of course, folks who don't like people voicing their support for those values, for fear that they will become normalized, needed to find a label to apply to insult those people and, hopefully, stop people from voicing their support for these social movements.

And thus the term "virtue signalling" was born. Suddenly saying out loud what you believe becomes itself a social more.

Now flying a pride flag, or calling for increased diversity in the workplace, has become "virtue signalling" and something to be embarrassed about.

It's quite clever as a means of controlling the narrative. And it appears a shocking number of people have bought into the BS.


There are a few more dimensions to this.

1) Does "showing support" actually do anything? Are we really aligning on norms or just scoring points with people who already agree with the same position? I suspect the details matter and that there is a continuum, where for uncommon positions maybe it does something, but for widely held views, it really is just "virtue signalling."

2) When does "showing support" become a substitute for more substantive action? Maybe I post a pride flag on my social media avatar, but don't bother to vote in a local election with a discriminatory ballot initiative. Or consider any number of incidents of corporate "greenwashing."

But sure, plenty of virtue signalling isn't _just_ signalling. And we shouldn't dismiss it on those terms, but rather ask about impact.


How much is a heap of sand? It's a Sorites problem. There exists a continuum between "changing your profile picture to be tinted like flag X" and "everyone is saying and doing the same thing and it's an entrenched social norm".

It's certainly less impactful than doing something substantive but it also costs nothing to signal boost. Same like boycotts, it only works en masse.


I think one of the important things about virtue signalling is that you're making a big deal about the prescribed norms that everyone is, in our unofficially official ideology, supposed to follow.

It'd be like flying a great big flag that says "I support the government and corporations." Whenever I see a pride flag, that is essentially what I see. It's like, (and it's useful to read the people who are against you as a mirror), when Patriarch Kirill of Russia says: "Today there is such a test for the loyalty of this government, a kind of pass to that “happy” world, the world of excess consumption, the world of visible “freedom”. Do you know what this test is? The test is very simple and at the same time terrible - this is a gay parade. The demands on many to hold a gay parade are a test of loyalty to that very powerful world; and we know that if people or countries reject these demands, then they do not enter into that world, they become strangers to it."[1]

That's not far off from the truth. Virtue signalling, as opposed to protest, is oriented towards moving closer to power, rather than further away from it. In Foucauldian terms, protest would be a transgression, a breaking of the taboo, and virtue signalling would be the opposite of that, an adherence to and reinforcement of the taboo, in which one mimetically serves the strengthening of the taboo, until the mimetic crisis breaks into bloodshed.

Virtue signalling is wearing the swastika in 1938, and bears no relation to wearing one in 1929, except to say that those who wore it in 1929 won.

[1]: https://www-patriarchia-ru.translate.goog/db/text/5906442.ht...


That's not virtue signaling. That's slacktivism.


I thought Slacktivism was when Slack bans Russia, and BigMactivism was when McDonalds pulls out of Russia.


What would you classify wearing poppies around remembrance day as?


At least here in the United States, those are usually sold by charities that benefit various veterans' organizations, so there's some actual skin in the game there.


Good question. I think it would depend on the motivation of the wearer.

If they are wearing it primarily as a method of socially fitting in and signaling to those around them then it might be "virtue signaling".

If they would continue to wear a poppy on remembrance day in contexts where the people around them did not know what it meant then there's clearly something more than signaling going on. Perhaps it is their tradition, or it helps them remember.

(I should caveat that I don't think there's anything particularly wrong with social signaling so I don't use the term "virtue signaling" as it seems to have a pejorative or sarcastic connotation.)


Remembering?


Just about all of your examples of not virtue signaling could or could not be depending on the context. Going in person to march, posting selfies on facebook, marching two blocks and leaving would be an in-person march and virtue signaling for example. Virtue signaling is more about intent and advertising of the act.

To paraphrase the bible "Jesus said The pious pray in their closet. Those who make big shows of praying in public are nothing but douchebags."


You just successfully moved the goalposts by redefining what "going to a march" means...and even then didn't address how "all the examples" don't count. Even then, showing up for a mere two blocks still involves more risk than staying at home.

To me, it's the element of risk that differentiates virtue signaling from meaningful action. Posting "Let's go Brandon" on Parler or "Black Lives Matter" on Tumblr aren't risky actions. Saying "I think gay marriage is ok" in a conservative church is. Just because you can imagine a situation where the context lessens the impact of the action, doesn't mean the example is weak or wrong.


Then you missed the point of my post entirely. "Virtue Signaling" isn't about what good deeds you do or don't do. It is about intent and what you do "around" those deeds. You can do real good and still be virtue signaling, because virtue signaling is the advertising aspect of it. Two people do the same deed, one won't shut up about it. One is virtue signaling, the other is just a good person.


The goals/motivations of the action are what matter here. Changing a few lines of code to state your stance on an issue won't cause any level of change whatsoever. It was clearly done to show which side of the war the author supported, more about the author than the conflict. A Canadian protestor that spent most of the time publishing their involvement on social media is virtue signaling, but one that merely occupied the capital is not. Saying "Let's go Brandon" is virtue signaling, unless the signal is meant only for your group, then it is dog whistling.


If you support a cause, "virtue signal" describes an action which doesn't do a lot to materially support the cause, to encourage people to take more concrete action.

If you oppose a cause, "virtue signal" is a term of denigration for any public action on behalf of the cause to discourage people showing support for it.


My personal sense of the word is that “virtue signaling” is when people intentionally seek recognition from a group by visibly supporting something that group already endorses or considers normal. Going a step further, the support is often exaggerated, not totally sincere, or not congruent with that person’s previous behavior.

There is also a sense that whatever thing someone is “virtue signaling” about is acceptable enough that there is no real downside for taking the stance.

It would be like an American proudly declaring how much he loves the United States on Independence Day. He would go out of his way to emphasize just how much of a patriot he is, hoping to be rewarded for doing so.


This is one of the best nutshell definitions I've ever read.


I believe “virtue signalling” means any form of protest which will not, and does not really try to, have any actual effect on that which it protests against. Any small actor protesting and boycotting something which they are unlikely to affect and even come into contact with, therefore qualifies. The protest is not done to affect any real change, only to signal virtue.


When you protest something not because you care, but in order to signal that you care, it is a virtue signal (literally, you are trying to signal your virtue).

When you protest for gay rights in 2020 it is a virtue signal. When you protest for gay rights in 1987, it is because you believe in it and are willing to take the cost of it.

Since publicly traded companies only care about money, when those companies support some cause it has become safe enough that it is now virtue signalling.


> When you protest for gay rights in 2020 it is a virtue signal.

I don’t think this is the case; it’s still legal to discriminate on the basis of sexuality in many states and contexts such as housing in the United States. You may not be able to fire someone for being gay but in many places you can evict them for it.

Additionally I don’t think it’s virtue signaling to protest for gay rights beyond the small number of countries that recognize marriage. There are still countries where gay behavior is illegal, marriage isn’t recognized, and gay panic is a legal defense.


> If not, what's the difference

Political valence. It is a term a certain flavor of culture warrior likes to employ in attempts to devalue public statements by their opponents.


Like all politically-charged terms, the original meaning has been long lost as the context in which it was coined is forgotten.

I think the term ‘virtue signalling’ was originally intended to point out a perceived hypocrisy - that it’s much easier to gain public support for an idea/cause/campaign if that campaign is perceived to be helping some disenfranchised group - even if the campaign also benefits the organizer, and even if the campaign is not necessarily wanted by some or even all of the allegedly-aggrieved group.


It did start out that way (an attack by conservatives against progressives) but has since become ubiquitous. It just refers to immaterial forms of protest that don't accomplish anything except signaling support for a cause.


I think people virtue signal when they dominate conversation with pet political topics. This is especially evident if they continually find non-sequitur ways to include moral and pet topics in regular conversation. I don't think that either of the examples you've brought up are virtue signaling, but introducing the topic of Starbucks cups to redirect a conversation into how "the country has lost its way" is a good example. An example of this on the left is how certain folks will redirect any conversation into one about oppression.

The impact of virtue signalling is pretty evident. Ever seen how in order to make a statement on something you have to first identify yourself as part of that something that you're criticising? That's a direct byproduct of virtue signaling.

More or less, it's a form of manipulation.


I think it means something like grandstanding and slacktivism.


Accusing people of virtue signalling is a prime example of virtue-signaling.

But really I don't know your motivations and you don't know the motivations of the Terraform folks. Let's be a bit more humble please. But yes, I also find it unprofessional.


This seems like another example of people taking open source for granted. Software takes time and effort to create, and in return for that effort the author receives ownership and copyright. The author of an open source project can do whatever they want with it - limited only by other legal limitations (such as, it’s illegal to intentionally destroy other people’s property).

In a legal contract, some value (consideration) must be contributed by both sides. What do most people contribute to the open source projects that they use? When the answer is “nothing”, then why do they expect the right to judge the decisions of the author?

Sure this is rant-ish. But I’m saying that people sure feel privileged to raise a hue and cry when open source authors make decisions that they don’t agree with. Don’t like it? Fork it - or buy a license that has the terms you want.


Like any human endeavor, open source contains an implicit expectation that everyone is going to behave reasonably. You can disagree with the author’s arguments that this behavior is unreasonable, but it kinda misses the point to say that open source authors can do whatever they want and nobody has a right to judge them. When I’m a guest in someone’s house, they have every right to do what they want, but if they decide one day to bellow a war cry and start smashing their plates I’m probably not gonna visit again.


That’s right except in this case, Russia is the house and the open source author is you. They are taking their ball and going home.


Well, again, the author is arguing (correctly in my view) that this is understandable but incompatible with the baseline expectations of the community. It’s a basic principle of open source that you won’t go out of your way to stop people from using your code, and a project which tries to prevent all Russian citizens from using it is straightforwardly not “open source” by the OSI definition.


It’s the copyright holder who gets to decide, not the OSI.


I feel like you're just skipping over the meat of my comments to get in quick zingers and I'm not interested in engaging with that style of conversation any longer. Sorry.


For many people out there open source is a way to legally pirate stuff.

They would be pirating those tools and libraries if they were commercial.

And on top of that they feel entitled to have their critical bugs fixed right away, again for free.


These attacks, regardless of how ethical, are shortsighted. Imagine a situation in the future where Russians revolt and take their govt for the people, a Democratic govt is successfully established, peace is realized, etc. This future Russia is still fucked because they can't trust any code. The internet will be littered with virus landmines that target them based on their ancestors affiliations. You've literally created the toxic racist/nationalist internet you thought you were protesting.


This point should be discussed more (and sadly isn't). Who is going to enforce the de-escalation in case of outraged mobs and individuals, and the automated artifacts of war they left behind? The likely answer is nobody, and it will just breed more violence. It's the reason behind banning certain munitions in warfare, by the way.

It's not just the individuals either. Broadly speaking, the whole war happened because there are very few de-escalation mechanisms in modern politics, leading to runaway processes of hatred and violence. And being able to back down requires willingness, understanding, and most importantly mutual guarantees. There are simply no such mechanisms in place; modern politics can typically only go "forward" (whatever the perceived forward direction is), which is self-destructive.

Things should be as reversible as possible.


This is a sad thing for FOSS … why should developers from Russia be penalized for no reason of their own?


Same reason that you shoot at enemy conscripts in a war, drop bombs on enemy cities. Same reason why Russia is now being subjected to sanctions. To undermine the Russian economy in a non-violent manner.

Whether or not it results in political change is irrelevant - a crippled Russia is a sufficient end all in itself, just like dead soldiers are a sufficient end all in itself during a war. Wars rarely end with a government being overthrown, but they do often end when a government decides that peace is the better option. Bombed cities, dead soldiers, and starving children are the calculus that pushes governments towards making that decision.


>drop bombs on enemy cities

Unless you're targeting military forces or infrastructure in those cities, bombing civilians is a war crime. Of course, who gets tried as a war criminal or not mostly depends on who wins.


In wars between industrialized nations, most civilian infrastructure is dual-use. A factory makes widgets for a factory that makes widgets for the army. A highway is used to ship military supplies. A port unloads military supplies. An oil refinery makes gasoline for civilian cars... and diesel for tanks.


Woah, a case for bombing civilians on Hacker News. How far we’ve come!


I'm not saying how I think wars should be fought. I'm describing how they are fought.

Given that our militaries don't balk at drone striking weddings and funerals, I can't see how they would take much issue with dropping a couple hundred bombs on a refinery, or a rail yard, or a line of tanker trucks. Which are all things that have been done since 1945, and as far as I'm aware, nobody has been dragged off to the ICC for it.


Everyone except for the very jingoistic few balks at drone striking weddings and funerals. Everyone hates that! So maybe that's not the modus operandi to which we should compare OSS strategies.


Maybe everyone in your and my social circles, but that speaks more about our bubbles. Half this country is completely fine with doing it... In a war that we had no reason to even fight!

I imagine the rate of support would be higher if it was a conflict where we weren't the aggressor.


> shoot at enemy conscripts

But most Russians affected by these aren't shooting back. They aren't conscripts and don't have anything to do with the war (doubly so now that sanctions are in effect).

Shooting at solders trying to hurt you is one thing, but that's not what's happening here.


No, but all of them contribute to Russia's economy. And that war effort can't happen without a functioning economy.


This line of thinking leads to bombing schools and hospitals. This is how we get war crimes. I'm glad most people don't think the way you do.


Then you should be happy that we're talking about refusing to cooperate in economic activity, instead of bombing schools and hospitals.

Me refusing to transact with you isn't a war crime.


> Me refusing to transact with you isn't a war crime.

You refusing to transact with me isn't a war crime, but your line of thinking where normal citizen activities are similar to conscripts shooting at you can certainly lead to one.

It's one thing to target citizens who work on applications for the military, and another to target open source devs because they happen to be Russian. If you can't acknowledge this distinction then I'm afraid we have to agree to disagree.

Also please don't put words in my mouth. Strawmen will get us nowhere.


Why do you think we are sanctioning Russia? To degrade their ability to project war in Ukraine.

'Russian Developers' are material to the development of the Russian economy, which is the basis for which the war is projected.

Sanctions could very well spread into software in which FOSS would likely be a part of it, and the terms of the licensing may not really matter.

It's for the same reason that Intel, Nvidia and a host of others have dropped shipments, at least for the time being.


By that logic, any harm to any Russians, even those living outside of Russia but e.g. sending money back home, would also negatively affect the development of the Russian economy.

How far would you follow that logic? Which Russians should be harmed, in your opinion, and how much?


Sending money to Russia as remittances, by anyone, should be banned, end of story.

No need to harm 'ethnic or cultural' Russians

Just Russian citizens with wealth or those inside the legal jurisdiction of Russia.


Why not ban Saudi Arabia for bombing Yemen? Or torture the Bush administration and anyone who voted for or supported them?


To answer your first question: Oil.


I think that's a different logic from what the comment that I was replying to was trying to convey.

BTW, you should know that sending money to Russia is almost an impossibility as it is. For example, living in Russia, I couldn't accept a consulting job from Kazakhstan because we couldn't figure out a way for them to pay me.


Impossible for ordinary workers, but it's absolutely possible to pay for gas, titanium, uranium and other stuff, millions of dollars every day.


We live in a world of grey so the 'everything is grey' logic doesn't help.

We have proportionality, we draw lines, we target individuals differently than government, than industry, than high tech, than commodities, than consumer services etc..

In my view, we should be doing much more, borderline embargo.

Russian military gains in Ukraine will never, ever be conceded by anything other than either force or 'near collapse' of economic conditions (or overthrow of the regime).

Russia can 'put bodies' in Crimea, NW of Kyiv basically to act as targets forever; Kyiv doesn't have the manpower to rout them even if they can defend themselves.

Strategically, this implies Russia can merely endure some local pain and make permanent territorial gains.

In 10 years, this war might be like Afghanistan or Iraq, something that '55-75 demographic' watches on the news but otherwise everyone else is busy on TikTok - which is what Putin wants.

He can definitely win the war of attrition because he has a much longer frame view of things, and is willing to pay the cost of 'No Volvos or Starbucks for 25 years'.

Other nations that play the long game (like China) are watching.


Who is going to enforce terms like "Russians aren't allowed to use this"? Russian courts?


We don't need courts, we just don't give them the stuff, and pressure those trying to 'sneak them stuff' to stop. Much like Airbus/Boeing is telling anyone that is thinking of providing parts and service to those 100 jets that they are cut off if they do that.


So they can get off their chairs and dethrone the dictator. It's kind of more important right now than writing software.


I don't want to hear anyone in this country [the US] complain about the Electoral College or gerrymandering the next time we decide to pull another Iraq War but they're opposed to it.

Just like, overthrow the government - it's so easy!

And if you don't have the guts - well, don't be mad when someone deletes all your files, you collaborator!


Yes. Exactly. US citizens are responsible for the corrupt systems that are in place there. And all the war profiteering those systems allowed.

Many average Americans directly benefited from US wars as military employees and contractors.


Average Americans most definitely benefited from US military shenanigans but that's kinda beside the point here I think. The main point is that "just overthrow your government, bro" is not a thing people can go out and just do, and these comments make it seem that they're negligent if they don't start doing it right now. "Just do it, bro. It's so easy"


The point of sanctions is to make doing nothing worse than doing something. If the USA had been economically isolated as a result of its invasion, I'd be willing to bet the Iraq War would've finished much sooner.


If Americans were singled out by the entire world, forbidden from traveling and targeted by even the software they install, it would have just led to much, much more patriotism and unity. There is no better way to unite a divided group than to target it as a single entity. Makes it a lot easier to set aside your differences and a lot harder to dissent within your group. That's what happened after 9/11; no one paused to think what actions led to that event or the geopolitical context. It just united every American overnight.

In a way that already has happened in Russia. The sanctions did not lead to less (or more) support for the war. The initial sanctions were justified as they targeted the Russian state, but the knee-jerk reaction of also imposing sanctions that explicitly were aimed at the population led to nothing but resentment against the West.

Whether you are on the morally right side or not, it does not matter in that context; you can't really debate your way into convincing someone that you are doing something for his own good when you are doing everything you can to also make him suffer.

If the intention is just to hurt them for the war, then sure that will work as intended... but I think it's dishonest to pretend we are doing it for anything more "noble" than that


Ok. So we should hug and support Russia in those difficult times and it will inevitably result in lowering Russian patriotism and becoming more westernized? Because we were trying to do that for the last 3 decades and nothing like that happened. Russians are very patriotic and strongly support their government when it confronts the western world by bombing civilians.

If nothing works I prefer to apply punishment in hopes that smart Russians emigrate and Russia will crumble. And yes, punishment should affect more civilised and smarter Russians too to either motivate them to clean up their country or leave it.


No, not at all. My only argument is that we can't pretend it's all just for their own good because it will make them finally see the light and get rid of their government. That's just not true, it won't happen and I think it's just something people say to themselves because they aren't comfortable with the reality that they are pushing for an entire civilian population to suffer.

It's war, so again no moral judgment on that, but sugar-coating it is even worse than admitting the truth.

A bit off topic but if you think the west was supporting and hugging russia or ukraine in the 1990s and 2000s, you might need to revisit how we got here.


It's for their own good because the result of that is them getting out of dictatorship rather sooner than later. And it's a greater good than enjoying the conveniences of life while living in a dictatorship.


Why would that result in changes in their political system? And sorry, but your last sentence is clearly coming from a very... western perspective. It's only true until it's you who actually faces hardship. I'm sure for most people security is more important than ideology or freedom; even in the West we saw in the past 2 years that a huge chunk of the population was willing to trade pretty much any right or freedom in exchange for safety.

There's just no need to pretend it's for their own good when it's trivially easy to prove that sanctions rarely lead to the end of a dictatorship. Just look at Cuba, Iran, NK or even Venezuela.


I'm from Poland. I stood in the breadlines for hours as a kid. I remember rationing of basic foodstuffs like sugar, sweets, meat, flour, eggs.

And trust me, the democracy that we got out of discontent stemming from economic devastation is worth every hardship we endured.


> Many average Americans directly benefited from US wars as military employees and contractors.

True, but the Iraq War was a net negative for the vast majority of Americans, even just financially.


no, not true at all in any meaningful sense. American taxpayers pay for the military budget; that some of that money comes back to some as wages does not on average mean that average Americans benefit.


Not quite. American corporations made a steal in Iraq. That country was robbed.

And pushing America's economic interests like prolonging the dollar as the main currency of resource trade was a huge benefit to every USA citizen because the main USA export is the dollar. That's why the USA can run a deficit for decades and be the richest country on Earth.


Not sure if that will motivate them to dethrone the dictator. But this will most likely impact their work and may as well make them more nationalist in the process. And at the same time open source's reputation suffers in the process.


Why should someone be obliged solely due to where they were born? I'm sure there are many incredibly competent de-throners in Europe, surely they should also get out of their chairs and help?


Because that's their state, their responsibility. And it has happened before in USSR/Russian Empire, hunger is a key.


Ukrainians already dethroned their corrupt system of power.

Every post-communist country did that on their own.

It can be done. So Russians can do it too. They just need proper motivation.

And that motivation for countries that did that was abject poverty that made the people realise that course change is needed.


>Ukrainians already dethroned their corrupt system of power.

No they haven't

https://ti-ukraine.org/en/news/no-progress-ukraine-s-result-...


What is that supposed to prove? They got rid of Russia-sponsored corrupt dictators, had a bit of political turmoil after that. They got their first good president in 2019. Then there was the pandemic that raised the level of corruption in nearly all countries. Especially those weaker in that department.

And you are going to judge what system of power Ukraine has based on a 2021 datapoint?

How quickly did your country get rid of the corruption that plagued it?

It's a process that just starts with replacing the corrupt system of power. You need to adjust the whole public sector after that. It can take decades.


Dethroning nowadays needs software. No Arab Spring without messengers.

People like Putin don't need software but people who oppose him do.


This comment does not relate to the matters in Europe that the article is about; this comment points out something missed by other comments.

Open Source software was weaponised via the virtue signalling "Code of Conduct", in particular when language categorises people into groups ("everyone" would suffice). Exclusion was always the goal of the "Code of Conduct" trojan horse.


Which people, in particular, do you feel are excluded by codes of conduct?

The goal of these things is indeed to exclude people, but what you are missing is that the people they seek to exclude are those whose behavior in the community excludes others - the goal is fewer people excluded overall.

How, exactly, is this a bad thing?

Surely you must have been exposed to "The Paradox of Tolerance" by now?


It’s a bad thing because the enforcement is arbitrary and not transparent.

It’s also bad because once a set of evil personas was established it became trivial to expand each of those personas to cover more and more benign attitudes and opinions to the point that labels like “racist” have lost all meaning.

Maybe if only people who caused objectively measurable harm were excluded this could be called a positive thing. As it is, it’s a power game of censoring and bullying those that don’t bow before whatever the fashionable media/activist/political opinion is on that particular day.


> It’s a bad thing because the enforcement is arbitrary and not transparent.

That's not an inherent issue. Sometimes enforcement must be opaque to protect victims, but otherwise it should absolutely be transparent.

> It’s also bad because once a set of evil personas was established it became trivial to expand each of those personas to cover more and more benign attitudes and opinions to the point that labels like “racist” have lost all meaning.

I'm honestly not even sure what you're saying here. Can you give some examples of "benign attitudes and opinions" for which people were found to be in violation of codes of conduct for espousing?

> Maybe if only people which caused objectively measurable harm were excluded this could be called a positive thing.

What, in your opinion, would constitute "objectively measurable harm"? Why do you feel that harm that can't be objectively measured doesn't matter?

> As it is, it’s a power game of censoring and bullying those that don’t bow before whatever the fashionable media/activist/political opinion is on that particular day.

As opposed to bullying those who have no power? I don't see how that's better.

I'm also not aware of codes of conduct being used to exclude people based on political opinions. Unless you consider "people who are different from me don't deserve rights" to be a political opinion, in which case... well, I will hold my metaphorical tongue.

Which sorts of opinions, exactly, are you referring to here?


A facetious example of the lunacy of the existing "Code of Conduct" brigade:

- Project members must be treated with impunity if they wear footwear inside or not but especially if the footwear is required to define the personality of the wearer.

- Project members must be treated with impunity if they smoke inside or not, especially if their preference is vape brand bubble gum heaven.

- Obey the law, obey the speed limit in your country.

- Obey the law, pay for your groceries.

- The contribution of code, ideas or documentation to the project is unnecessary.

A Sane "Code of Conduct", which would not be written down because it's implied by baseline civility and common sense:

- This project requires cordial behaviour from everyone involved.

- This project is to improve this particular software (and/or documentation, artwork etc)


> A facetious example of the lunacy of the existing "Code of Conduct" brigade

This seems like nothing more than a textbook strawman argument, except you haven't even bothered to make the argument.

> A Sane "Code of Conduct", which would not be written down because it's implied by baseline civility and common sense

You underestimate the conviction with which uncivil people will cling to "but what rule did I violate!?".

CoCs signal to potential members of a project/community that abusive behavior won't be tolerated - they are necessary because some types of communities historically have tended to tolerate such behavior.


That comment is awkwardly phrased. That comment is off-topic. That commentator is advised to get out more.


Well done on contributing nothing.

My comment relates to the weaponisation of open source software, oddly enough that's the topic.


Do we think Russians manage no open source?

How many fundamental open source libraries have Russian maintainers?

How long before they decide to commit disk-wiping malware and release it without a breaking change?

What if they decide to do it on a larger, coordinated scale?

I would be very careful before attacking an entire population with cruel malware. They don't deserve it, and punishing so many innocent people at once can have serious consequences.

Personally I hope that the creator of peacenotwar, RIAEvangelist, (same creator of node-ipc) will lose his position in open source and hopefully any current and future gig in the industry.

His action was so reckless, vile and stupid that I don't ever want to run a single code statement written by him on my hardware. What a coward.

I also hope he is made to pay all the damage he caused, in the future. Hopefully very soon.


Such precedents simply indicate immaturity of the developer behind it.

I hate XXX (insert any English speaking politician from Western World), yet I am speaking in English. Shock! Tools are a-political. Could you believe that?


I'm currently studying and trying to learn the Russian language and I think this argument is a bit of a straw man. I don't think people in general would suggest you're evil for learning a language. Obviously you would find such people on Twitter or Reddit, but not in the real world, I don't believe.


Just like sometimes we prefer to reason on limits rather than on concrete values, I believe some straw men are "useful limits" to reason about some concepts.


Yeah, no. This is the weaponization of the cloud. Open-source and closed-source are irrelevant here. I get that it's trendy to think of open-source as the community, the hosting platform, and then, as a distant third, almost an afterthought, the code itself, but that's wrong. Open-source is the code, and the code transcends any given hosting platform or community blacklist.


My first thought yesterday was that I really cannot trust NPM anymore, because if someone sneaks in an anti-Russian piece of code, somebody else could sneak in code against any other country, or look at the content of files to get an idea of the kind of person running the code and decide what to do. People voting for the other party, thinking something different, etc.

And why not Python, or Java, Ruby, anything. Maybe we'll all end up running Tails.

Edit: if something like that happens, how long before certifications require that no unvetted code is used in projects or no open source at all?


> My problem is that this weaponisation is killing off trust.

Trust that all programmers started to place in open source maintainers maybe a decade ago out of sheer laziness is absolutely insane.

Pulling the freshest code out of a thousand libraries automatically into the medium-security project that you are building is absolutely crazy.

It's inviting a thousand strangers to run code on your machine, which contains your commercial creation and data. Without any protection whatsoever besides "trust", which is just another word for laziness and being hopeful.

The faster we can ditch this trust, the faster we will develop actual protections, vetting processes, delaying updates, caching, forking, so we can isolate our work from the thousands of wonderful people all of whom are one bad day from wiping all your files.


Actually things are working quite well! These events remain remarkable news items. There are tremendous benefits to having an ecosystem built on trust and mutual assumption of good will. Transforming this into a scar tissue bureaucracy after some minor cuts is only one of several options. Another is to make choices like this so socially radioactive that only people with nothing to lose would ever make them. Trust is very valuable.


Systems are not working well. They are just working carelessly until the catastrophe.

leftpad.js wasn't even malicious action. Just one developer withdrawing his code from the community.

Imagine what would happen if one dev of a popular package just had a nervous breakdown and did rm -fr / on his next update. Or deleted the contents of the repo it is a dependency of and did a force push.

We have zero systems in place that could catch it before work of thousands of people is destroyed.


Or worse, deploys something far more insidious. A keylogger that quietly sucks up your credentials for example.


> Pulling freshest code out of thousand libraries automatically into the medium security project that you are building is absolutely crazy.

But we have a test suite and a whole CI/CD pipeline to verify everything works! /s

/Until you realize your tests only cover what they cover in the way they cover it.

//Until you realize there is no test suite at all and it's all verified in production.

///It's not like you read the library's code until something was *really* broken or *super* slow anyhow.


Yeah. Competing interests. We can all slow down and work like real engineers do, with the same level of responsibility they take on, and check every line of code.

OR we can just do whatever the fuck we want, solving our problems and/or making money. But if we do it without the rigor of real engineering, we can't exactly blame OSS or the devs that provide the OSS for this choice. It's entirely our fault if it goes south.


You don't develop protections. You develop zero trust. Unfortunately the current OSs cannot distinguish zero trust programs.


I am strongly against all this hysteria. The last thing we need is for the world and society to be more divisive.

We are at insane levels of hysteria, people calling on McDonalds to stop selling in Russia because they have Ukrainian kids' blood on them. Does it also have the blood of the 200k Iraqis killed by us?


RF can't defeat the Ukrainian military, so it bombs civilians specifically to cause terror, kills women and children. Meanwhile the RF population consumes propaganda that they are fighting "nazis"; those who know the real situation are oppressed, beaten, tortured.

Russians who understand what's going on generally support sanctions and the business exodus.


I don't think it's hysterical. The point is that by encouraging companies to pull out of Russia, firstly, ordinary Russians become aware that something is wrong and that the rest of the world strongly deprecates the invasion of Ukraine, and secondly, elite Russians become aware that the cost of invading Ukraine is serious damage to their economy. Actions have consequences.

You might reasonably disagree and argue that either or both of those things won't work. But it's not nuts.


I really think it is, I also find it racist. Why doesn't this hysteria involve Israel and the Palestinians? Myanmar killed 50k Rohingyas, throwing them into fire, a few years ago. Why is it okay for the US to avoid this hysteria when it invades and kills hundreds of thousands in the Middle East? This is hysteria.


You don't seem to have responded to my arguments!


Nothing is perfect, and the world is not black and white, it's not ideal, but it is what it is.

A criminal will lose part of his/her rights, some of his freedom, and even his life in a perfect democratic liberal human rights first country. This is how the system works.

If the war is deemed by most as a criminal act, losing some open source is just a very tiny part of what the offender deserves. Why is this even a surprise? Software is no exception here.


Putting aside the issue of "is it still open source?", deleting files is problematic from another perspective as well: private citizens launching a cyberwar attack against a foreign power.

It seems to me that the only legal way to do this is with the approval of your government.

I have seen at least a few argue that devs should be/are allowed to act in accordance with their own values. I agree, with the same caveat I would apply in any circumstance: so long as those actions are in accordance with the law.

To do otherwise in a geopolitical conflict like this is foolhardy in the extreme. The Western world is struggling very hard right now to find the right balance of actions that supports Ukraine while punishing Russia, at the same time balancing that against the risks of escalating the conflict far beyond its current confines.

I would be very confident in a guess that even large corporations making perfectly legal business decisions to shut operations in Russia are doing so with some coordination & communication with their governments. It is certainly not at all up to private citizens to take extralegal actions that may escalate this conflict in any way.


> justification to launch their own cyberwarfare initiatives in retaliation

Or Russia can decide that this attack is threatening its existence and launch nukes. People who do these things are completely irresponsible.


And the open source aspects of this are barely a footnote. The issue isn't weaponization of open source, it's weaponization of software, i.e., cyberwarfare. Debating whether or not software that engages in this still meets one specific definition of "open source" is a question that closely resembles the "Maserati Problem" in its immediate relevance when compared to the other implications of these actions. It seems very weird to observe a malware attack in this situation proceed to make the malware's status as open source software a primary issue in discussing the attack.

If someone feels the need to include it in the conversation then the appropriate ordering of the message should be more like: "unilateral escalation of the conflict by private individuals is a bad idea. Really you shouldn't be making decisions about how to handle a conflict that directly or indirectly involves half the world and multiple nuclear powers. Stick to activities that are legal when showing or giving support to the Ukrainians. And oh, yeah, I guess your code may not technically be open source anymore if you do this sort of thing."


Wars cause people to do really drastic things that would be out of the question in peacetime. Programmers are people and some of them have relatives who have been blown to smithereens by Russian strikes. These are the peanuts, saboteurs have been known to destroy physical things with high collateral damage. While crimes like deleting files should be prosecuted, the best way to end such things is to end the war.


Mongo SaaS is a commercial service, as such having little to do with open source. And of course it's not the first and not even the second time commercial vendors have refused to provide service, including for political reasons. People get banned all the time on social networks for political reasons, and AWS famously killed the Parler service for the same. So it's not something new, it's just a continuation of the same trend. And undoubtedly we will see more of it - if the government can close your bank account for disagreeing with it, they'd certainly be able to close your Google or AWS account. For private companies, it's even easier.

And node library... well, malicious code in node libraries is also not new, though in this particular case the question whether it's malicious or righteous action may be subjective. That's a supply chain attack, and nodejs community certainly will have to figure out whether they want to stop it and if so, how. Until this happens, the node developers should be super careful with their dependencies I guess.


I'd say that the code that is malware/not malware depending on IP address of the server is a bad kind of weaponization. Not because I pity poor Russians or some such. I'm a Ukrainian national myself. Putin is a dickhead that should be put down with extreme prejudice; much of both the state and ordinary folk in Russia should be accountable, too. Here, I said it.

The problem with those NPM packages, or better said, the approach they are taking is that it is a double-edged sword. IP blocks can be sold and bought. Today they belong to someone in Russia you don't mind targeting, tomorrow it's someone else entirely. Today you put in a trigger to turn your code into malware, tomorrow someone finds a way to flip that trigger at will. Bad things ensue.

Not providing services to Russians is another thing and that could work. Limiting downloads by the country is okay in my books. After all, you block IPs that try to DDoS you, so banning IPs of an aggressor country that is fond of murdering civilians is fair game too. Radio silence their contributions. Don't respond to their support requests. Close the issues they open as if they never existed. Of course they can find alternative ways to download stuff, fork, implement the necessary changes themselves, but it's jumping through the hoops. Let them jump extra and then some.

Stop providing documentation in Russian, kick some people off the team/mailing list. Make the OSS you're responsible for be, for all intents and purposes, an unmaintained piece of software if the user is from an aggressor country.

These are ways of sabotage I can stand behind. But putting in actual malware is rather where I draw the line.


I think incidents such as this will wake organizations up to the reality that open source is not inherently more secure or cost effective than proprietary software.

For the past 10 years the prevailing wisdom has been that one should not "re-invent the wheel", but we're starting to see the dangers of not owning the full stack.

As a professional software developer working for a major company, I'm much more inclined to implement something myself rather than pull in a bunch of transitive dependencies that introduce unknown and hard-to-manage risks. 10 years ago I would have laughed at someone who suggested such a thing.

The argument has always been that closed source can't be inspected and as such is more risky, but I think in the current landscape as open source developers get more ideological, commercial incentives are a better way to protect against supply chain risks than open source code.


There is a great essay related to this by Software Freedom Conservancy:

https://sfconservancy.org/blog/2022/mar/17/copyleft-ethical-...


This is what happens when -- above everything else -- not following EXACTLY the mainstream political view gets you cancelled.

I think the Russian war in Ukraine is bad. However, I don't extend the Russian _government's_ actions to Russian citizens. All nuance is lost and unless you spout "Russia bad" or are flagrantly anti-Russia you are someone worthy of being cancelled by the Twitter mob et al.

Acts against Russian citizens who are trapped by their government are immoral and unethical. Acts that introduce malware into open source software and discriminate against people are immoral and unethical. Right now, however, doing exactly these things is the "woke" and "politically correct" thing to do.


Build systems should adapt. Run all dependency install scripts at least in docker. Run build in docker. Run executable in docker and connect to it via debug sockets. Run language server in docker and so on.

Preferably not even docker, but separate VM.


Certain things should be a-political. Like the international space station, football, and open source software.

But software development has yielded to demands that it adhere to causes. Redis isn't just a key value store, it's engaging in anti-racism by removing terms of whiteness, like "master" and "slave".

And here we are. Uninstall nginx, unless you're a fascist that supports Putin! Did you hear? Russia is using leftpad.js! Quick, unpublish the repository in solidarity with... We have to reduce harm! No one is neutral! You're for us, or against us!

Lending software to "social progress" leads to the insane place we are today. (And not to mention, it hasn't achieved much.)

No, my software isn't a tool for your social goals, noble as they may be. And that doesn't make me a bad person.


States will never allow a-political things to last for long, there's just too much money and power involved. Even the Olympics has been coopted - the event was created on the premise of reuniting warring nations around sport.


I think this is a straw man. It takes the relatively lukewarm “master/slave terminology should be moved away from” and somehow uses it as an example for “if you use nginx you support Putin”. Please consider actually looking at reality how it is, instead of how it might be if it was convenient to bash.


> Certain things should be a-political. Like the international space station, football, and open source software.

Why?

> And here we are. Uninstall nginx, unless you're a fascist that supports Putin!

You know that nginx has been US owned for a while now, right?


Even if you agree with what he did, I don't think you can justify how it was done. I think it's fair to infect someone you dislike with malware if you're capable if that's the upfront intention. But the history of the particular piece of software in question was not malicious. It's like going to the doctor for your 6th booster shot, the first 5 were fine but this time he decides he doesn't like your accent and gives you the arsenic shot instead. Really his intention was clear with this, hiding malware behind a piece of legitimate software he was maintaining and had built a good reputation on. Ransomware is the new big thing so comparing it to that I feel that the motorcyclist's actions were actually worse. At least with actual malicious actors you know upfront what their intentions are. Putting aside the politics this is an overall negative for OSS.


With respect to open source code used for 'evil' this had been covered in reasonable depth previously since it's fairly easy to imagine open source being used for things the original author(s) do not approve of, and the issues that would cause if they could revoke the licence after the fact.

As far as I'm aware the final conclusion after decades of discussion was that open source licences were not the place to do this for various pragmatic reasons, though including messages, manifestos and other such communication seems fairly common.

Potentially we need a mechanism that says explicitly "all code in this ecosystem is open source unless you give informed consent to opt-in to other licence types" and flags as early as possible when that's not the case (e.g. updating the dependency of your dependency ... etc.) and allow people to explicitly override the exceptions they care about, and otherwise halt the update.


> Note, I do not think that this means that we should all rush to building our own data centres, writing our own databases and running all our own services.

The author is conflating three very different things:

* Running software on your own machines

* Setting up a full-scale data center

* Writing your own "infrastructural" software

... helping him make an argument in favor of "the simplification and optimisation of using Software as a Service". That's disingenuous.

----------------------------

> My problem is that this weaponisation is killing off trust.

Certainly there is little trust left after such weaponization. Sometimes, though, there's enough of a reason to mistrust _before_ this happens. After all, it's the same people/organizations which would later engage in such weaponization. There are sometimes/often preliminary signs that something like that could one day happen.


This incident makes me feel good in my decision to start using Qubes OS (https://www.qubes-os.org) as a day-to-day development OS. Had I been hit by this, it would've considerably limited the blast radius.


This is the equivalent of beating up the neighbours' kids because the neighbours are doing bad shit.


>an American NGO lost 30,000 files documenting Russian war crimes

This is a bullshit claim made by a one hour old GitHub account with a random username. Probably a pro-Russian troll that wants to dissuade other open source maintainers from pushing anti-Russian protestware.


> Probably a pro-Russian troll

I'm not sure a pro-Russian troll would claim that Russians committed 30,000 war crimes


Open Source was always political, ultimately this is where some moonshot projects like GNU got their momentum from. IMHO the red line is where it gets destructive or actually discriminates against individuals. In the past PGP couldn't be exported to certain countries, so sanctions apply also for OSS. Speaking of the immense popularity of web3 and decentralized of course not all measures will be realizations of government directives. That said I don't think OSI (opensource.org) represents the whole OSS movement.

Also the title is a bit click-baity. The protestware example is clearly weaponization of OSS but the other examples are not.


Does anyone know the game that is being shown in the image? @beny23, I checked your code (OSS FTW!) but the image name doesn't reveal anything:

https://github.com/beny23/beny23.github.io/blob/master/posts...

https://beny23.github.io/images/on_weaponisation_of_open_sou...


According to Google's reverse image search it's a game called Heroes of War and Money. https://www.lordswm.com/help.php?section=1#help_text


I’m afraid I don’t know either - it came up on a google image search for the terms “software war” and was marked Creative Commons…


Weaponisation ?

I guess you are victimizing yourself. It is fair for free software developers to express themselves in the software they build.

If you don't want them to, or if you want a specific idea to be promoted, just pay for that.


We have parallel problems in science and in software.

My faith in science was never in the moral character of scientists and their organizations - individuals and organizations are always vulnerable to corruption. My faith was in the principle of replication. If anyone can repeat an experiment, we can all see for ourselves what is true, and a community dedicated to that (and individuals with a healthy fear of the process) is reliable.

Only, we don't replicate experiments. We got so busy and excited building on what had gone before that we've built some huge houses of cards on questionable foundations, because who wants to spend time and money doing replication? Distracted by the free riches, we neglected what had always been the source of our strength, and here we are - arguing over who funded studies and fuming over the replication crisis.

Where are the critics who say, "I can't trust that paper - it's impossible to replicate!" Where are our Poppers who insist on falsifiability? An entire community that frowned on complexity and opaqueness and walled gardens of data, a community that trusted things insofar as they had been replicated and re-examined from many angles and proven sound, would force us towards a level of simplicity, honesty, and reliability that science should have. Instead, a general agreement to pursue individual and institutional glory at the expense of upholding foundational principles has rotted the foundation of the endeavor.

Put simply, I trust science because you can replicate it. But for whatever reason, (and I can't propose a specific solution, but), to the degree our community is not devoted to replication, it loses its trustworthiness.

Software has a parallel problem.

I don't trust open source software because I trust the character of developers or institutions. I trust it because it can be examined and fixed. Because of reproducible builds. Because anyone can examine it, anyone can build it, no trust of individuals or organizations is needed. A community that insists on such features and abhors offerings that offend these principles will steer us towards a level of simplicity, comprehensibility, reproducibility that open source software should have.

But we are all so excited to build things on top of other things that we spend much more time multiplying dependencies and layering on complexity than worrying about foundational principles. We are now seeing the rotting foundations.

There are people who complain about whether code can be examined, or factors that make it difficult. It is becoming increasingly important to listen to them! A community that celebrated open source software, not only for what it can functionally do, but for how open it is, is what is needed to maintain those foundations. A community that has trust issues with unexaminable long dependency chains, that is sensitive to the difference between software that has been around the block and examined for a long time, and software that some guy just put out last night.

Put simply, I trust open source because you can examine it. But for whatever reason, (and I can't propose a specific solution, but), to the degree our community is not devoted to examination, it loses trustworthiness.

Reserve your trust for communities that take seriously the principles that trust is built on.


I was thinking about this in a different context a while back. Basically companies (Amazon for sure) utilize open source then make some closed-off fork of it while giving nothing or peanuts back to the original open source development foundations. For example Amazon has indisputably made billions if not trillions from monetizing Mozilla products. Yet it has only donated a few paltry million back to the foundation. While at the same time using the FOSS products to create their own walled garden.


AFAIK MongoDB is licensed to be free as in beer, and is not actually FLOSS.

Doesn’t seem like the argument holds for open source as a whole, especially looking at gpl and apache2 licensed projects.


> I don’t really want to have to read through each of my dependencies and transitive dependencies licences to determine whether I am agreeing to <the things included>

I slightly edited the last part of that sentence to highlight a problem with this kind of thinking. I do understand that the author may prefer all their software dependencies using some well known license like "Apache 2.0" instead of dozens of variations of "Apache 2.0~modified".


I think the mongodb example is the most "right" in that it's only the service of mongodb that gets cut off.

With that said, it's a similar "issue" I remember from a few years back when there were "anti-fascist"/""social activists"" advocating for excluding certain groups, where the same issue came up: the idea may be noble but in practice causes unintended consequences.


The Pandora box has been opened. Prepare for the same kind of attacks addressing US IPs (cloud on us-west-2? bad luck)


This is a completely immature behavior. If you did something like this, please remind me to never use your software again, because today you protest Russia, and tomorrow maybe you decide that you actually hate capitalism, who knows. Probably not, but I'd rather not take the risk.

If you want to send a political message, there are less harmful ways to do so. Like, print a message at program start, or write it into logs. You could even provide all kinds of forbidden information, such as numbers of Russian soldiers who died in the war. Better than "Putin sucks", right? If you want an equivalent of sanctions, just make your software stop working, and explain why.

But if you insist on playing soldiers and doing damage, how about you contact your local secret service and tell them "you know, I have this program that is also used in Russia, if you have any ideas how to weaponize it, I am open to suggestions". Maybe they would give you some code that targets a specific IP address, and extracts a Russian state secret, or whatever. That could potentially accomplish much more, with much less collateral damage. You had one shot; you wasted it.

Also, consider the long-term consequences of such things becoming the new normal. Do you want to live in a world where an internet-connected washing machine will destroy your laundry because you voted / didn't vote for Trump? Because this is the world you are helping to build.


Possibly while looking into running multi-cloud etc. to mitigate these risks you could also ask "is my country likely to face global sanctions? Why?" and combined with other business owners in the location you can do something to avoid that eventuality.


The author can't read the license, which is odd considering it is quoted directly:

The license must not discriminate against any person or group of persons.

The license itself does not discriminate, even if the licensed content does. This is an important freedom.


The steps of scanning code for dependencies is instrumental in preventing issues like this. Simplifying use of things like external libraries is also a good move, vigilance has always been vital to security.

Implementing zero trust and taking proper steps in build, test, and deployment to secure vital data (like government agencies do) helps to better ensure and protect data. That's one of the main reasons why PHP and Python are so prevalent: code is usually/basically in text files that can be vetted, tested, and edited a lot more easily than in compiled source... Not saying any open source lang is better than any other in stating that though, mind you.


doubt that's why they're prevalent. no one is reading all the libs they're installing


Are you even aware of what tools like Fortify do?

Or a government ATO process?

:\


Literally the first freedom from gnu.org, too.

> The freedom to run the program as you wish, for any purpose (freedom 0).

This is like believing in freedom of speech, but only for speech you agree with.


Ottomh, George Takei and Neil DGT have both lectured me on what a stain on American history the internment of Japanese Americans during WW2 is. Part of that included harassment of Japanese-appearing businesses and people. The stain still remains to this day so I don’t say was. I think they were using it for anti-Trump stuff but I took it as a general lesson.

And then bam, the whole world is in total war with Russia and you're either with us or against us. Freedom fries were a deranged pro-Iraq-war conservative thing, no enlightened person would allow themselves to fall to such petty hate ho ho ho. People would laugh as a relic of the past at stories about how my grandmother didn’t listen to German composers or buy Japanese goods and, as she got older, buried anything precious to her in the backyard.

James Webb telescope say for example had/has lots of international assistance, who would want to throw those decades away to spit on Russia?

Regardless of justification, if you're pouring shots too big too often the bar will have to install automatic shot pourers and everyone suffers. Maybe it’s a relic of the past also but isn’t there an idealised heart at the core of open source? Hope for a better world built on trust and responsibility? We know there’s no one to sue but trust us and use LibreOffice, it’ll be fine.

Another anecdote: mercenaries in South Africa and Sudan on different sides drank at the same bars at night. I heard a story of a pilot on one side and a ship's AA gunner on another sharing their stories with each other for many nights before they realised they'd spent days trying to kill each other. They didn't go home afterwards either; it just was what it was. Australia tells as legend how the Anzacs and Turks could play cricket over a ceasefire. After all there's no reason we can't be civil *bites pretentious fruit*

My Ukrainian, Russian-language teacher has changed his online names to basically John Smith. Seems he feels a danger in being mistaken for Russian.

These are things I’m contemplating and are not meant to overrule whatever you might be contemplating or advocating dear reader. I want to say obiter dictum. I follow the sentiment of the article.


Interesting how the internet has given people more power to act, and the freedom people have has also made it possible.


From the article:

> I don’t think this can be classed as open source anymore:

> The definition of an Open Source License is quite clear:

> 5. No Discrimination Against Persons or Groups

> The license must not discriminate against any person or group of persons.

> I don’t really want to have to read through each of my dependencies and transitive dependencies licences to determine whether I am agreeing to discriminatory terms by using a library.

I think the author of the article has misunderstood the definition, thus reached the wrong conclusion.

The non-discrimination rule applies only to accessibility and nothing else. Simply put, you provide the same code/product to everybody, including Santa Claus and Mr Putin, under the same set of conditions and permissions. Adding/removing malicious code does not change the fact that the code is by definition open sourced.

All in all, this is not a license problem.

Now, talk about node-ipc, which just got attacked by mobs (see https://github.com/RIAEvangelist/node-ipc/issues?q=is%3Aissu...).

If an open source project is a scam, then it's a scamware. If an open source project is malicious, then it's a malware.

Personally, as a normal human being, it is hard to keep peace of mind after watching how the Russians fired multiple heavy rounds to kill the elderly couple who were just traveling peacefully in a car down the road near a hospital. It is even harder to keep peace of mind after watching a video recorded by a son showing how the Russians shot and killed his father, who was sitting in the driver's seat right beside him. I fully understand and respect the anger.

However, I do agree that people need to be more mature on this even during this difficult time. Turning your project into malware only hurts your own reputation and the people who trusted you. Once the trust is gone, it might never recover. There are many ways to actually hurt those who contributed to the invasion. Be constructive and accurate, or at the very least don't be destructive.


I wonder how the license changes are going to get enforced in Russia, it seems unlikely to happen there.


Their code, their rules ?


Yes, but said rules stop being FOSS compliant and so they lose the right to pretend they are FOSS.


People absolutely have a right to disagree about what constitutes "FOSS". People have disagreed about it for 30+ years and they continue to this day.


Well, yes. But this goes (or did, before the author fixed it) against the most widespread and accepted definitions of FOSS (nobody from the OSI or FSF would accept this as a free licence, and those are the two major camps), so it cannot be considered a FOSS licence that most people would accept.

It makes one wary, too. The weaponization of Open Source is very dangerous and sets a bad precedent. So Russia are the bad guys now, but who's next? Are you sure it's not going to be your country?

Think about this: forget Russia, a good chunk of the world thinks the US is a bad faith actor on many occasions. Would a license that forbade people from the US from using the software still be a free license?


There have been licenses that do this same kind of stuff before. There have been dozens of variations of FOSS licenses over the years that prohibit things like use for nuclear facilities, use in weapon systems, use in genocide, etc.

That's not to say I think any of this is a good idea. I think it's insanely naive to try to contractually block a dictator from using your software in the first place. Do these people think they're going to sue the dictator in the dictator's court? The Russian government is already considering legalizing piracy of proprietary software to evade sanctions; they DGAF about these licenses.

I mostly just think that the OSI and FSF's "all or nothing" stance on some topics is a bit extremist. A hypothetical license that said "You can do anything with this software except launching missiles at kittens" is pretty damn in line with the spirit of FOSS, even though the OSI or FSF would never approve it. I understand they take that ideological angle because they are thought leaders and need a clear message, not a slippery slope, but this is where I think it's reasonable to be reasonable.

I think it's better to criticize these types of "weaponized" FOSS licenses by pointing out that they're entirely ineffective wastes of time. There are plenty of real merits to undermine these licenses, which is why they haven't caught on previously. Saying "that's not open source" is just like a chocolate snob telling their friend that their Hershey's bar is "totally not real chocolate"

That being said, we're beyond the realm of software licenses in this conflict anyway. Sanctions have already started cutting people off from FOSS projects, regardless of license.


> Saying "that's not open source" is just like a chocolate snob telling their friend that their Hershey's bar is "totally not real chocolate"

I don't think this is a great comparison. Open source has a particular, commonly understood meaning, just like chocolate does. When I say "this is not an open source license", I am not saying that it doesn't meet some kind of quality standard, or that I just don't like it. I am saying that it is a deceptive label that contradicts the common understanding of the term.

If an author would like to relicense their open source project to exclude certain groups of users, why must they insist on using the open source label? They ought to be proud that they reject open source norms. Why would they want to associate themselves with projects that allow dictatorships to use them?

I have written software with a license that allows for noncommercial use only. I label it as freeware (which clearly communicates "you need to check the license"). I have no desire to label it as open source, because I do not wish to mislead people who have a coherent and widely accepted mental model of what that entails. I am generally suspicious of the motivations of people who would want to muddy the waters with unclear labeling.

There is a perfectly honest way to address this, as esr did: invent a different term. If you can come up with a short, snappy term for "source-available software that allows for open-source-like use for certain classes of people", then use that, and don't lie to your users.


> I don't think this is a great comparison. Open source has a particular, commonly understood meaning, just like chocolate does.

I'm using that example because there is disagreement about the definition of chocolate. Here in the US there are some things called chocolate which are not called chocolate in other parts of the world. How much cacao is required? How much milk solids are required? You will get different answers from different organizations, all of which claim to be an authority.

The FOSS landscape is no less opinionated.


> There have been dozens of variations of FOSS licenses over the years that prohibit things like use for nuclear facilities, use in weapon systems, use in genocide, etc.

I'm not aware of any FOSS license that states things like that. I think you're wrong.

> A hypothetical license that said "You can do anything with this software except launching missiles at kittens" is pretty damn in line with the spirit of FOSS

No, it's not in line with the spirit of FOSS, but rather against it.

I understand that you have this vision about a kind of license you would like for software. I cannot argue with that -- it's your vision and it's your right to have it. The problem is that it's not any kind of FOSS license that is recognized as such (i.e. as FOSS) by the wider community. You can call it FOSS but nobody else will.


> I think you're wrong.

Here are examples:

https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License.ht...

https://spdx.org/licenses/BSD-3-Clause-No-Military-License.h...

https://spdx.org/licenses/Hippocratic-2.1.html

> The problem is that it's not any kind of FOSS license that is recognized as such (i.e. as FOSS) by the wider community. You can call it FOSS but nobody else will.

There is evidence to the contrary. There are popular community supported projects that are often colloquially described as open source which use licenses that are not OSI/FSF.


> There is evidence to the contrary.

Your evidence is incorrect. None of those are FOSS licenses. If you google their names, you'll see each sparked controversy, and ultimately the SPDX doesn't exclusively list FOSS licenses.

Ultimately they infringe on the most basic right: to use the software for whatever you want.

> There are popular community supported projects that are often colloquially described as open source which use licenses that are not OSI/FSF.

Nobody cares about "colloquially". Colloquially, Microsoft in the past tried to pull a fast one and pass their Shared Source initiative as "open source", which it wasn't.

FOSS means something. None of the examples you gave are FOSS.


> Your evidence is incorrect. None of those are FOSS licenses.

I said “variations of FOSS licenses”, which is precisely what I provided examples of.

> Ultimately they infringe on the most basic right: to use the software for whatever you want.

Unless of course, “whatever you want” includes not publishing your changes. Copyleft does not permit people to do “whatever they want”. It places specific requirements on people who use that code and punishes them under penalty of copyright law if they do not.

You’re touching on the reason that some people prefer public domain waivers instead of copyleft licenses. If you want an example of disagreements in FOSS: case in point.

> FOSS means something. None of the examples you gave are FOSS.

There are factually multiple definitions of what falls under the umbrella of FOSS. FSF and OSI are certainly prominent. There are other individuals and organizations who disagree.

I think it’s kind of funny that people want to argue that the majority opinions on licensing are the only valid opinions on software licensing. That’s exactly how people dismissed RMS in the 80s and 90s.


> Unless of course, “whatever you want” includes not publishing your changes. Copyleft does not permit people to do “whatever they want”

You can absolutely not publish your changes, where did you get the idea FOSS forces you to publish? FOSS imposes restrictions upon distribution; you're free to use the software however you want if you keep it to yourself.

> I said “variations of FOSS licenses”, which is precisely what I provided examples of.

In that case, you introduced something irrelevant. A variation of FOSS which introduces changes that break the fundamental tenets stops being FOSS. Hence, you cannot get away with using the term "a variation of FOSS", because it's a variation that happens not to be FOSS.

Your other opinions of why people like or dislike this or that license or philosophy, comparisons to RMS's early days, etc, are all red herrings. They are worth debating, but completely irrelevant for deciding what is or isn't FOSS.

A license that restricts usage by Russians, or in nuclear reactors, or that requires you to first agree abortion is wrong (or right) is fundamentally not FOSS. Whether this is a good or a bad thing is on you, but also irrelevant in this context.


It may be an odd idea to comprehend for someone whose culture stems from and still closely relates to mainline Protestantism, but you can actually believe that someone has a right to do something yet disagree with the action.


You are free to fork their project.


Yes, because in- vs. out-group behavior started in the 1500s.


1. Pin your dependency versions.

2. Develop inside a containerized environment... it's pretty easy with things like VS Code's remote extensions.

3. Consider looking at Deno as an option over Node for new projects.
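The "pin your dependency versions" step above, as an added example that is not code from the thread or from any commenter: a small Node script that reads a package.json and a package-lock.json and reports dependencies that are still floating ranges, tags or git refs, plus lockfile entries that are missing or lack an integrity hash. It assumes the lockfileVersion 2/3 layout (a `packages` map keyed by `node_modules/<name>`); the package names, versions and hash values in the sample data are constructed placeholders.

```javascript
// Added example: audit an npm manifest and lockfile for unpinned dependencies.
// Not the thread's code; sample inputs are constructed, not real packages.

// Constructed sample manifest (package names/versions are made up).
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    "left-pad": "1.3.0",                           // exact pin
    "node-ipc": "^9.2.1",                          // caret: minor/patch float
    "colors": "~1.4.0",                            // tilde: patch floats
    "some-git-dep": "github:example/some-git-dep", // branch head, not a version
    "anything": "*",                               // any version at all
  },
  devDependencies: {
    "typescript": ">=4.0.0",
    "eslint": "8.11.0",
  },
};

// Constructed sample lockfile (lockfileVersion 3 shape), deliberately flawed:
// "colors" has no integrity hash, "anything" is absent, and "eslint" is locked
// to a version that contradicts the exact pin in the manifest.
const SAMPLE_PACKAGE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/node-ipc": { version: "9.2.1", integrity: "sha512-PLACEHOLDER" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/some-git-dep": { version: "0.1.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/typescript": { version: "4.6.2", integrity: "sha512-PLACEHOLDER" },
    "node_modules/eslint": { version: "8.10.0", integrity: "sha512-PLACEHOLDER" },
  },
};

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

function isPinned(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Every declared dependency whose spec is a range, dist-tag, URL or git ref.
function findUnpinned(pkg) {
  const out = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinned(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Declared dependencies the lockfile does not fully pin: no entry, no
// integrity hash, or a locked version that contradicts an exact manifest pin.
function findLockfileGaps(pkg, lock) {
  const packages = (lock && lock.packages) || {};
  const out = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const entry = packages[`node_modules/${name}`];
      if (!entry) {
        out.push({ name, problem: "not in lockfile" });
      } else if (!entry.integrity) {
        out.push({ name, problem: "no integrity hash" });
      } else if (isPinned(spec) && entry.version !== spec) {
        out.push({ name, problem: `locked ${entry.version}, manifest pins ${spec}` });
      }
    }
  }
  return out;
}

// Run both checks, print the findings, and return true only for a clean tree.
function auditManifest(pkg, lock) {
  const unpinned = findUnpinned(pkg);
  const gaps = findLockfileGaps(pkg, lock);
  for (const u of unpinned) console.log(`unpinned  ${u.section}/${u.name}: ${u.spec}`);
  for (const g of gaps) console.log(`lockfile  ${g.name}: ${g.problem}`);
  return unpinned.length === 0 && gaps.length === 0;
}

// Stand-alone run on the constructed data; for a real project pass the parsed
// contents of ./package.json and ./package-lock.json instead.
console.log("clean:", auditManifest(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK));
```

`npm ci` already refuses to install when package.json and the lockfile disagree, but it will happily install whatever a caret range resolved to last time; this script surfaces those floating ranges and missing integrity fields before that happens.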


I don't see what's wrong with Mongo cutting ties with Russia. There are practical problems receiving payment from Russian territories, and companies are allowed to choose which countries they do and don't do business with.

In a similar fashion, developers may choose who can and cannot use their code. In fact, depending on how your government's sanctions are structured, you may even be obligated to not license code to developers in some countries.

Using malware to overwrite random files against random Russian IPs is obviously stupid. I'm sure the dev will get to explain his case to a judge at some point. The Terraform thing, though, is different; it's not malicious, merely political.

However, I think the assertion that software "should not be political" is silly. All software is political. Open source licenses stem from American ideals of freedom, for example, and are designed to work in the American legal system above all else. Then there are the implied cultural contexts; the list of software that only works in left-to-right configuration or even fails to just accept standard Unicode input is laughably huge. The number of times I've had to adjust software to work with alternative decimal separators...

Independent developers can (and probably should) decide to mostly focus on the problem they themselves are trying to solve. If that doesn't work for someone else, they can either ask (and possibly be denied) alterations to extend the solution to their problem space, or suggest additions by extending the software themselves, but in essence, cultural and political assertions are everywhere throughout "open source".

Protestware has been around for quite a while, but I think this is one of the first times we're seeing high profile developers take a stance. Whatever risk this is exposing was always there; we can try to hide the risks of open source, but in the end, that's just covering them up.

I agree that protestware should not be considered open source, but any open source project can turn into protestware at any time, and it always could have. This is why groups like Debian and companies like Canonical are important: they use their organization to produce a unified view that you can rely on. Debian applies patches to align software with their views in several ways. The result is that software is often re-packaged and is deployed slower than upstream, but stuff like this doesn't get into your systems. The Python/Pip/Cargo/Go way of distributing dependencies directly, rather than using some kind of unified repository, exposes you to the risk of open source software becoming protestware, but it doesn't have to be that way.

Developers scrutinize Debian and Ubuntu for packaging old software, but you can safely develop against their dependencies. This is the open source that can be trusted, to a usual extent. In my opinion, the trust developers place in random usernames on NPM is misplaced, and the extensive dependency graphs modern frameworks require make that problem so much worse.

To those saying that it's bad that innocent Russians are getting hit by this: that's the point. It's also why sanctions are only applied in extreme circumstances. Foreigners can't tell other governments what to do, the best the rest of the world can do is hope or incentivize a country's citizens to make their government change their minds.


I understand that all of this may seem annoying to those that like to bury their head in the sand, but where's this energy and label of "weaponisation" when OSS is LITERALLY used to build weapons, e.g. OpenCV being used for mass surveillance and ArduPilot/OSS drone projects being used to make tear-gas-deploying drones?

Changing the license is weaponisation?? It's the bare minimum and least intrusive. And then you all complain when someone tries to implement a Hippocratic or Do Not Harm license. "WEAPONISATION"?? Really?

The lesson of all this is to keep an eye on your supply chain. Simple as. I think it's a sign of entitlement when you expect OSS devs to build you robust and reliable systems then leave the rest of themselves at the door.


As the article explained, this is no longer an OSS project, so that part of your point is invalid.

As for the first one, that's just whataboutism. Sure, we need to stand up to that too. But that changes nothing here.


Who cares about Eric Stallman's OSI? They don't get to decide what free software is.


Knee-jerk reaction and discrimination against the Russian people.


The author obviously thinks that open source that discriminates cannot be open source.

In principle this is true given the current Open Source license.

But I would argue that the clause about discrimination is out of touch with reality.

Usage rights to Open Source should not by default be granted to oppressive regimes and the author should absolutely be allowed to state that within the license.

If the west wants to send a clear signal to Putin, then matters such as the wording of the Open Source license need to be adjusted accordingly.


You're welcome to license your software under terms that discriminate against oppressive regimes. Just don't call it "open source".

The argument that software licenses should exclude certain people or fields of endeavor has been around for decades. Such licenses are outside the scope of Open Source. Specifically, such licenses do not conform to the Open Source Definition clauses 5 and 6:

https://opensource.org/osd

> 5. No Discrimination Against Persons or Groups

> The license must not discriminate against any person or group of persons.

> 6. No Discrimination Against Fields of Endeavor

> The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.


https://www.gnu.org/philosophy/programs-must-not-limit-freed...

"I've stated above some parts of my views about certain political issues unrelated to the issue of free software—about which of those activities are or aren't unjust. Your views about them might differ, and that's precisely the point. If we accepted programs with usage restrictions as part of a free operating system such as GNU, people would come up with lots of different usage restrictions. There would be programs banned for use in meat processing, programs banned only for pigs, programs banned only for cows, and programs limited to kosher foods. Someone who hates spinach might license a program to allow use for processing any vegetable except spinach, while a Popeye fan's program might allow only use for spinach. There would be music programs allowed only for rap music, and others allowed only for classical music."

"The result would be a system that you could not count on for any purpose. For each task you wish to do, you'd have to check lots of licenses to see which parts of your system are off limits for that task. Not only for the components you explicitly use, but also for the hundreds of components that they link with, invoke, or communicate with."

"How would users respond to that? I think most of them would use proprietary systems. Allowing usage restrictions in free software would mainly push users towards nonfree software. Trying to stop users from doing something through usage restrictions in free software is as ineffective as pushing on an object through a long, straight, soft piece of cooked spaghetti."

"It is worse than ineffective; it is wrong too, because software developers should not exercise such power over what users do. Imagine selling pens with conditions about what you can write with them; that would be noisome, and we should not stand for it. Likewise for general software. If you make something that is generally useful, like a pen, people will use it to write all sorts of things, even horrible things such as orders to torture a dissident; but you must not have the power to control people's activities through their pens. It is the same for a text editor, compiler or kernel."


Richard Stallman talks about free software which is a different concept than Open Source.

https://www.gnu.org/philosophy/open-source-misses-the-point....

Open Source is right now defined as open for everyone by the license, ie. the paragraph about not discriminating.

Perhaps the only sane way for Open Source to exist is to not discriminate.


Such discrimination is a form of sanction. It has been shown over and over again that sanctions do nothing to change governments — all they succeed in is to harm the lives of ordinary people. This makes license discrimination on such grounds nothing more than virtue signalling at best, and a punishment to ordinary people at worst.

Furthermore, the label "oppressive regime" is sometimes more propaganda than fact. Many western countries weaponize human rights by labeling enemy states as oppressive regimes, while either ignoring/muffling their own human rights abuses, or (more likely) having systems that allow one to protest against domestic human rights abuses while failing to change a single thing about them no matter how much people protest; and at the same time, turning a blind eye on actual oppressive regimes that happen to be allied states (until they fall out of grace, after which they will once again be labeled "oppressive regimes").

This makes license discrimination on the grounds of the "oppressive regime" label highly problematic and prone to geopolitical propaganda games. At worst, you can even say that such license discriminations become willing tools of geopolitical propaganda.


The current sanctions are doing a great job of hurting the Russian economy and, by extension, its ability to rip apart the flesh of 6 year old girls hiding in hospitals in Mariupol.


Actually they've done a great job driving up oil and gas prices, which actually helps the Russian economy because European countries are too dependent (and spineless) to cut off Russian gas pipelines.


Sad but true, I'm still hopeful that Europe will drop Russian oil and gas soon, regardless of the consequences.


And sanctions that target the "normal" citizen give Putin a really sharp knife to prove that the "west" really wants to harm Russians... what else than sanctions can be done? I honestly don't know.


Economic sanctions send a clear message to Putin that his invasion of Ukraine is unacceptable.

Direct confrontation is not an option and neither is doing nothing at all, so sanctions are the logical choice.

I agree that sanctions will not make Putin withdraw from Ukraine. But seeing Europe make a targeted effort to stop relying on Russian oil and gas, should make Putin think twice.


>relying on Russian oil and gas

China is happy to take it for a cheaper price.


Hello, author here. I do think the open source licence is framed to be non-discriminatory and I think that’s not a bad thing. Discrimination lends itself to politicisation and in turn division. And I think an ecosystem where we have lots of division is not good. What would happen if two interdependent projects suddenly had conflicting political requirements?


long-term OSS author here - strong agree "the open source license is framed to be non-discriminatory" is the "right thing" for Intelligent Humans of every color, creed and mother-language


I think that holding onto the idea that software is apolitical is untenable. Social media companies and large corporations try to toe this line and have been widely rebuked for it (Google trying to get ICE contracts, for example). I think the idea that "everything is political" is taking it too far, but so is the idea that providing material support to any comers is apolitical.

Bear in mind that I'm talking descriptively rather than prescriptively here. I have my own opinions but I can also observe that political neutrality as a concept is waning.


Ok so it's political; what if this political take where we encourage openness and interconnectivity is superior to the political take where we are reactionary? What if it literally is a winning strategy?

I'm not saying it is necessarily, but I think to get past the division you have highlighted (apolitical universality vs political conservatism) there is perhaps a way to look at the various approaches and determine what approach would be technologically, logistically, and politically advantageous.

Let us let go of the idea it is apolitical, what now?


I do think that we should look at these choices through a utilitarian lens and consider both the immediate and long term impact of such decisions. I do think that innocent Russian civilians will inevitably get caught in the crossfire with sanctions, which is unfortunate. I still believe that it is a moral good to penalise colonialism and other unethical activity through withdrawal of material support because this increases the cost of such actions. I'm not sure what justification there could be that continuing material support for an expansionist government during an invasion has positive utility, it smells like an argument for consistency to me but I'd be happy to be corrected.


Something that comes to mind is the argument against aid NGOs in places with dire poverty and hunger. When an NGO comes to your town, where you are trying to build a farm business, and delivers months' worth of free rice, can you afford to run your business? Similarly, can any Russians make successful software as a service that is analogous to FOSS offerings? No they can't, because the alternative is available and free.

Remove the free rice and you satisfy your ego's necessity for first-order moral resolution via punishment (bad people don't get rice), but as for second-order effects? Perhaps now it becomes feasible to build a sustainable farm (or Apache competitor).


The aid NGO question comes down to whether locals can build a self-supporting economy and whether the aid is hampering economic development - but it isn't a binary question because you can subsidise farmers or reduce aid commensurate with local supply.

I'm familiar with second order effects, and nth order effects and nonlinear causality. If we restrict Russia's access to Apache Web server, sure, they will eventually develop a local equivalent. So, over time they transition from being disadvantaged to simply leveling the playing field. That's a pretty good outcome, especially if many more open source projects could withdraw from Russia.


Then we end up with a [citation needed] on providing material support to a badly-acting nation being a winning strategy.

IBM is still notorious for their willingness to work with the Nazi regime.


> What would happen if two interdependent projects suddenly had conflicting political requirements?

The same thing that happens when two countries have irreconcilable differences.

Software is a human artifact and subject to the same principles as all such artifacts.


Hi, must say that it's a thoughtful article that has valid points.

Maybe as a European I feel more strongly about this, but every means possible must be employed to send a clear signal to Russia about the unacceptable state of affairs.

Except destructive changes as in the second example, that behavior should not be allowed by the Open Source license.

I'm still hopeful that a better wording can be found going forward.


Almost everyone's sympathies are with Ukraine now, and Russia under its current regime is rightly being sanctioned by measures that are intended to hurt. Sanctions that aren't felt are meaningless.

When it comes to open source licensing, though, the problem with these kinds of exceptions tends to be that there are a lot of causes that would, at one time or another or from one perspective or another, seem to warrant similar exceptions.

There are other wars going on, with more or less clear aggressors. Should we build a list, somewhat akin to the U.S. export restrictions, that forbade using the software by the aggressive states? How would we make sure that the lists aren't influenced by political leanings or cultural preconceptions? (Hint: you can't.)

It would be objectively easy to argue that people who eat meat should be sanctioned to give them a "clear signal" that they shouldn't. It would be emotionally easy to argue that perhaps we should exclude people who violate human rights from using our software -- although what exactly constitutes such a violation would be pretty hard to delineate. In a different culture, objectively or not, entirely different acts might be considered morally contemptible or even unforgivable.

Allowing exceptions to open source terms based on individual reasons would lead to a jungle of rules that would end up ruining open source, even if each exception by itself can be easy to argue for. You could no longer build a Linux distribution or any kind of a large collection of software, or even an open source application that relied on lots of open source libraries for its functionality.

That is, unless you decided not to include any software that had licenses with any such exceptions. That's exactly what drawing the line for the meaning of "open source" is. If you only take one of those exceptions and not the others, that's no longer an objective choice, and others are going to have different exceptions; if you take them all, you create an untenable mess, or at least a walled garden with really tight walls.

At any given time it may feel like this is the one exception we should make, and it feels right at that moment. It just can't be done with any consistency without massive collateral damage in the big picture.

By all means, let's cause trouble to Russia (under its current regime) as long as it restricts their ability to wage war. Let's do that even if it costs us. But let's not do it in such a way that it creates a massive moral or legal conundrum in the long run. Even if it feels right at the moment.

- Another European, living less than 200 km from Russia


Firstly what even is an “oppressive regime” can we agree on a definition? I don’t think so. Certainly not in the boundary cases.

Secondly, why would any such oppressive regime care about your license? What are you going to do, sue them?


A principle being out of touch with reality doesn't mean you get to redefine what the principle means; if you view its out-of-touchness as a mark against the principle, reject the principle. What you're really saying is that you want the social benefit of claiming to adhere to the principle, while not actually adhering the principle. 'The west' does not own open-source any more than Putin does, and if you intentionally make your software non-open-source to send a message to Putin, that's your right, but you can't keep pretending to be open-source if you do.


I agree it's a knee-jerk reaction.

But to be fair, it's not discrimination against the Russian people, it's discrimination against a particular ideology that is predominantly held by the Russian people.


> But to be fair, it's not discrimination against the Russian people, it's discrimination against a particular ideology that is predominantly held by the Russian people.

To be even more fair, it's both.

There are plenty of Russians that absolutely do not agree with what the Russian leadership is doing, but have no choice in the matter.

Speaking as a Canadian, there was a time when we were similarly fighting an adversary and chose to indiscriminately treat all people from that nation as enemies. The result was the internment of Japanese Canadians, one of the most shameful periods in our nation's history.

I cannot help but be very concerned that we're heading down a very familiar and dangerous path, here...


Speaking as someone who was vehemently against the Iraq war and lived in the US, I welcomed discrimination against my own people. The United States was responsible for war crimes in that war, and for sure we deserved sanctions, boycotts, divestment, and bad international relations due to it.

I was treated extremely rudely for being American when I went to France in late 2003, and I totally understood why. I hated my own country and my countrymen for it as well. I still do, in a sense. We owe the Iraqi people an enormous debt of reparations.


> I was treated extremely rudely for being American when I went to France in late 2003, and I totally understood why.

It seems too easy to say "uh discrimination is fine" when the only thing you have to fear is people being rude to you on vacation. If you face the loss of your livelihood, like the owner of a small Russian restaurant somewhat, I don't think you'd be as sanguine.


I was spit on, had two of my hotel reservations cancelled, and was robbed.


One would think that after going through this you would become more empathetic and understanding of the ordinary citizens' side. But no, somehow the takeaway was that discrimination against innocent people based on where they're from is OK.


And you applaud this? How is this a good thing?


>I was treated extremely rudely for being American when I went to France in late 2003

That's just the French being the French, would have been the same in the 90's lol. And if you think that's bad, try going there as a French Canadian like my grandfather did. He got treated way waaaay better when he spoke English instead of his "dirty" (what the Frenchies called it) Quebecois French.


> French being the French

That's racist. And a denial of the history of anti-French sentiment in the USA, which was a consequence of France's opposition to participating in a war that you later wished you had never started.


>That's racist.

You clearly don't know what the word means. French isn't a race, at most it's a nationality or ethnicity. And in any case I'm 1/4th French, ethnically.

>And a denial of the history of anti-French sentiment in the USA, which was a consequence of France's opposition to participating in a war that you later wished you had never started.

I never said there wasn't anti-French sentiment in the US though? Do you have issues with reading comprehension?


The 90's is when the first Iraq war and then the deadly embargo happened...


>"We owe the Iraqi people an enormous debt of reparations"

Which will never happen. For very obvious reasons. Hypocrisy is our first and last name. And the examples of it are countless.


No, it's discrimination against anyone with a Russian IP address, as clearly described in the article.


Which ideology?


did any of these actions select their targets by ideology?


>>political discourse has turned to be very divisive and tribal. You are either with us, or against us.

This is because much of politics is currently driven by a global set of fascist/authoritarian govts and sponsored 'movements' pushing to destroy democracy. This is, IMO, back to the pre-cold war days, but stripped of all the "--isms" and ideologies.

It is now either self-determination for the people via democracy, or live under rulers like Putin, stripped of any cloaking ideology. This is being strongly pushed/sponsored globally by Putin's govt; the Chinese are going about it differently with the 'Belt & Road' initiative and other exploitative agreements.

The grand experiment has been tried. It was thought that free trade exchanges and greater information flow from free nations would bring freedom, self-determination, & democracy to the former Communist nations. It did not. In trying to prove the thesis, the test proved the opposite, and enriched the authoritarian states.

Russia's ongoing assault on Ukraine since 24-Feb-2022, and the ongoing blatant war crimes including specific instructions to ignore civilian care[0], cluster munitions on civilian targets[1], or bombing a theater/shelter with "Children" written on the pavement outside[2], and its support by ~70% of the deluded RUS population, show what can be expected from yielding to or appeasing authoritarianism.

It now really IS you are with us, or against us.

You are either in favor of democratic self-rule for all people, or you are against it.

This is war, and we are fighting against those who are happy to be war criminals.

It is important to take every measure, and "weaponizing" open source is among the least of the things that can be done to help.

[0] https://twitter.com/cnsnews/status/1504494016137555968?cxt=H...

[1] https://www.bellingcat.com/news/rest-of-world/2022/03/11/the...

[2] https://www.npr.org/2022/03/17/1087164709/ukraine-mariupol-t...


>You are either in favor of democratic self-rule for all people, or you are against it.

So can I assume that you were protesting against Spain's suppression of the Catalan independence referendum in 2017?

https://en.wikipedia.org/wiki/Catalan_independence_movement#...


Living on a different continent, I'm relatively unfamiliar with the details, but with the information I have, I do support Catalan independence.

The Spanish police reaction detailed in your linked article tells us much and gives reason in itself to support it. (The only thing that would change my mind is sound information that it is not the grassroots people's movement that it appears to be and is instead some sponsored fascist movement like Brexit.)


Hell yeah! Then Scotland and the Basque Country.


An "ism" is always involved, pretty hard to otherwise convince a whole country to go to war...

Even if the "ism" in question is mostly just about power:

https://www.telospress.com/cornelius-castoriadis-on-russian-...

If this is about specifically Putin possibly not believing in anything other than power -

(his claims to care about Russians are hard to believe considering how they are a majority in several of the currently bombed cities)

- then the same thing could have been blamed about Stalin already.


If Russia stopped bombing places with "children" written on them, Ukraine would just write "children" on important places that they didn't want to be bombed.


It was a f*king theater, and a known shelter.

And no, they would not. IIRC disguising military locations as civilian, or using civilians as human shields, is itself a war crime. The Ukrainians are not doing that.

What's your excuse for the maternity hospital? Firing on civilians in a prearranged exit route/cease-fire? Cluster-bombing civilian areas? I could go on for pages and pages, and the War Crimes case is already starting, and being substantiated up to the level that the POTUS and SecState are specifically speaking of Putin as a "War Criminal".

Thanks for demonstrating my point about how otherwise intelligent people can still have insane levels of self-absorbed myopia and inability to understand moral issues, and lack of perspective.

You need a serious rethink. Yikes


> IIRC disguising military locations as civilian, or using civilians as human shields, is itself a war crime. The Ukrainians are not doing that.

Ukraine publicizing Russian prisoners of war is a violation of the Geneva Conventions (<https://www.hrw.org/news/2022/03/16/ukraine-respect-rights-p...>), yet that keeps occurring.

Your being so certain that, if Russia did not fire on locations marked as being filled with "children", that Ukraine would never ever put soldiers in them, may be misplaced.


It's not about never ever, it's about bad behaviour not being normalized.

This is far from the first time that this kind of deliberate violation has been done by Russia.

Also, the doxxing of prisoners, while bad, is on a whole different level than these.


It would be much more honest for the democratic world to dare an open military conflict with Russia now. But also people understandably fear nuclear war. So people are weaponising whatever they can, and there is nothing wrong with it. The situation is pretty extraordinary, and the sooner we can get back to a system where dictators waging wars against democracies end up in The Hague, the sooner we can start sticking to our peace time norms again.

