Open Source, Ownership, Trust and Sabotage

Marak Squires published a few very popular open source JavaScript libraries. These were released as open source on GitHub under the MIT license.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO

Countless other programmers relied on his code to make their own code work, notably companies like Amazon and Facebook; by proxy, a large majority of programmers working with JavaScript frameworks relied on his software as part of their toolkits.

Recent updates to his packages have intentionally broken them: they cease to function and output gibberish.

While inconveniencing some people, these changes should have no serious effect on production systems or software reliability. But they could have. Instead of a malicious but harmless call for attention, any JavaScript dependency could introduce intentional sabotage, crypto miners, malware and worse to the developers who use it.

Bleeping Computer's article on the topic is a great example of the exaggerated fear mongering around it. Alarming and dramatic news articles have been plastering tech news sites, each more doomsaying than the last.

But freedom is, and always has been, a feature of open source, not a bug.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO

Marak Squires, or any other open source developer, is under no obligation to maintain code for free in service of billionaires, corporations, or anybody else, just because they decided to use our free software. Our code is our own. If we want to break it, that's our prerogative. Is this responsible behavior? Of course not. But it's his code repository. He can make whatever commits he wants. In the end, we are all responsible for our own codebases, and for the libraries we import into them. Your own responsibility when using open source libraries is protecting yourself from the chaos that freedom in open source makes possible. This is not difficult to do.

To anybody cursing and panicking about today's distraction, learn to pin your library versions. Ensure your test suite passes before code is pushed into production. If you had done these things, all this drama would not be an emergency for you. Your users would not be affected. You would barely be affected.

As for Microsoft stripping Marak Squires of his GitHub account and reverting his code revisions, this is a worse affront to free software than somebody pushing controversial changes to their own open source codebase.

We are all free to fork this codebase and do with it what we will. Microsoft stripped Marak of agency over his own open source code and social media identity, just to save some lazy corporations the hassle of creating a fork or pinning their versions.

Microsoft is, and always will be, the enemy of open source. Nothing new to see here.

Key Incident Takeaways

  1. Trust but verify. Pin your software versions.
  2. Free software and open source maintainers don't owe you anything. Their libraries may change or break at any time without warning. It's always been this way, by design. Plan your operations accordingly.
  3. Never trust Microsoft, or any other mega corporation, to behave in any way except in its own self-interest, regardless of what its marketing says at the time.