Michiel Hendriks

This space available for rent

Last week the maintainer of a JavaScript package decided to monetize installation of its package through NPM by showing ads after the install.

The response to this was surprisingly quite mixed. I did not expect so many people supporting this idea. Most of the supporters justified this as a valid means to earn money off maintaining the open source project.

The above incident was not the first case. A few months ago another developer decided to beg for a job in a similar way. And there are some more.

I was rather surprised that NPM allows arbitrary code execution during package installation. Seems like a major security issue, which can clearly also be abused in other ways.

So what is your take on this? Is your console output available for others to rent out?

Top comments (2)

Ben Sinclair

I think it's a pretty terrible idea.

If this was ever going to happen I could have bet money that it would have happened in the javascript community. It's still relatively new to package management, and it's far more interested in open source than in free software. It's still feeling its way, and only time will tell how this all ends up. Is it a slippery slope to installing miners in installers? How about arbitrary third-party cpu-as-a-service, like Brilliant Digital did?
How about defaulting to opt-out or not having the option at all?

If this was someone doing it in the AUR, for example, then someone would immediately remove the offensive code and re-release the package with a variant name.

And it is offensive code. It's code that is entirely unrelated to the project. It's not really any different to that Mr Robot "easter egg" that caused all the kerfuffle a while back.

Erebos Manannán

Next up: "Installing this package requires X minutes of CPU cycles donated to my cryptocurrency mining pool"