(image copyright by Ministry of Defense of Ukraine, shared on flickr under CC-AT-SA)
Like any war, the current one in the Ukraine brings out the best and the worst in people. The best of us support the people of the Ukraine defending against the unlawful invasion by the Russian Regime. The worst of us commit package sabotage against users with a russian IP address.
On one hand, package sabotage is two-edged sword, as you cannot possibly know if the Russian IP currently installing your npm package is not actually against the war and just wanted to set up a site to spread knowledge on how to circumvent Russian net blockades – and now you've successfully stopped them from doing so and indirectly aided Russian Propaganda to prevail in the absence of that information. On the other hand, you undermine the global trust in the whole ecosystem that your package is a tiny part of.
For that reason, I'm rather convinced it's ultimately a really bad idea, but I wanted to hear your positions, too. What do you think about package sabotage? Also, shouldn't we be more mindful of the dependencies we pull from npm?
Top comments (34)
Open source should be neutral.
I understand not wanting your project used by someone upsetting the world balance, but activism in Open Source like we've seen has real collateral damage.
For those of us in InfoSec, we have to review & respond to reported incidents. When this disclosure became public, I had to review the threat, scan all my projects to see if the dependency was used, and patch/pin those dependencies so it didn't use the vulnerable version. In addition to the change itself, tickets had to be created and reports compiled to keep auditors happy.
In the grand scheme of things, the incident only took 3 hours of my time. But I'm not the only one handling InfoSec in the world. If America has ~ 500,000 tech companies, then it's very plausible that at least 100k of those have InfoSec obligations. Let's also assume an average salary of $100k for the worker. That translates to millions in dollars of spent labor, responding to the disclosure. Labor, that's having to handle an increased number of responses because cutting off Russia from the global economy shook the bees nest.
Also, what kind of impact does sabotaging inflict on your target? Is the FSB or the Russian Military really using
node-ipcon critical systems? If there's definitive proof that's the case, my position may be up for negotiation, but otherwise you're just inflicting more collateral damage. There's plenty of folks in Russia and Belarus who don't subscribe to their leader's beliefs and are powerless to enact change.
If you were absolutely dead-set on doing open source activism, you'd have a better chance at inflicting damage to your true enemy by targeting more essential dependencies. Git, Linux, those type of things are likely to be far more accessible to critical systems than a npm package.
First of all, thank you for playing the devil's advocate.
However, as Hiram Johnson said: "The first casualty, when war comes, is truth.", so in absence of full knowledge of all facts how can we be sure to be justified in our actions? Also, taking action in a way that is so damaging to everyone else cannot be justified even by extreme importance to take a stance.
So by all means, write it in your license text that nobody who is in agreement with this war may use your software. Write your support for the Ukraine into a postinstall message in package.json. But don't break the trust in our ecosystem; don't break open source itself.
I really hope you're also playing devil's advocate here. Russia is invading Ukraine. Fact. Russia has no legitimate reason to do so. Also fact.
Claiming that we shouldn't take sides because we might not know all the details implies that there could even be any details that would justify not only the invasion but also the countless war crimes committed because of it, which just isn't the case.
Hiding behind the little uncertainties is making a clear statement: Invading another country unprovoked and against their will to effectively annex them and exploit their natural resources isn't bad.
Wrong. Russia has many reasons to invade Ukraine, including the minsk treaty: Ukraine is supposed to be a neutral country, and according to the minsk agreement, they are not allowed to join NATO. They have made the request.
I am against this invasion, but it is time to be objective in history and stop with this Ukrainian propaganda. Ukraine is not all white either. I'm the first one to be saddened by what's going on, but is it a good enough reason to screw up open source projects by adding a "glory to Ukraine" button to access to the app for example?
We now live in a world where everyone has to choose sides, and neutrality no longer counts. I see every day new open source projects choosing the side of Ukraine.
Please know that I am and will remain neutral in this story, I don't think it's fair to punish the Russian population for acts they didn't commit. Only the Russian government should receive the sanctions, not a whole country.
I strongly disagree. Russia has absolutely no reason to invade Ukraine. None. They can cry all they want, but they will still be the only ones to blame. Every single reason Russia claims to have is either a complete fabrication or high-level crybully tactics. If Ukraine wants to join NATO, that's their decision alone, and in no way does it legitimise any action from the Russian side, let alone a war.
People just need to stop seeing nuances where there aren't any. Sometimes, although rarely, things just are black and white. This is one such case.
Unless Ukraine completely fabricated the whole invasion, I have no clue what propaganda you're talking about.
There's a point when inaction isn't neutral. Walking past a drowning child with a shrug isn't neutral, and neither is the acceptance of the Russian population towards this war.
Absolutely not. Not the rest of the world, who isn't responsible for this war. I don't think we should attack those who do pick a side in the form of cyber activism, but I won't blame anybody who doesn't want that. This, however, is not the case for people who, directly or indirectly, support this invasion simply by remaining inactive. They are picking a side by default.
I obviously am, but from that I've heard, Ukraine was planning a military action against the dissenters in Donbass, so the invasion might feel justified at least to Russians as certainly not unprovoked.
That being said, I'm still convinced the invasion is certainly a breach of international laws and not justified.
Military action within one’s own country is a domestic issue and there is insufficient evidence of actual genocide with open source intelligence, a third party intervening is not justified in this case.
Exactly. Russia may have "felt" justified, but that just isn't relevant. It's the international equivalent of punching a random person on the street because you didn't like their face.
You confuse the government and the population of a country a lot. Russia is in itself a dictatorship:
Definition of a dictatorship:
Therefore, many people living in Russia did not choose to start this war. From what I see, you seem to be lumping all Russians into one camp.
Also, the fact that we do not take part in the war and the conflict does not mean that we choose the side of the aggressor and that we support his actions.
Definition of something neutral:
Inaction is the very principle of neutrality.
Finally, we are dealing here with a propaganda:
Definition of a propaganda:
This is what Ukraine is doing lately, and especially what people all over the world are doing by specifying their sides and showing their support to Ukraine.
Again, I'm just being neutral, and I wish everyone else was. Unfortunately, I understand that empathy can distort one's view of a situation, and I am the first to be saddened by what is going on. I wouldn't want to experience what the Ukrainians go through every day, and I support their courage.
I can only repeat that none of the things that make this a black-and-white issue where Russia is the only one at fault has anything to do with propaganda. Claiming so is, at best, painting a very skewed picture where Russia may have valid reasons for invading Ukraine. At worst it's actively undermining the truth and excusing war crimes.
Propaganda will always be used on both sides of any armed conflict. Pointing this out in this case is like watching someone get stabbed only to point out that they called the other guy a dumbass the day before. It's just surreal.
In every war, every side subscribes to its own truth, so their reasons need not make sense to outsiders.
But as I stated initially: we don't know if a Russian will be pro- or anti-war.
OSS should not meddle with politics or other movements (for most of it that is way off from Software Domain at the very least).
Although, the silver lining of this incidents is lots of devs can become aware on best practices about npm packages (hardlocking versions, backup registry etc) which at the very first place should be considered.
While medium / small and personal projects are more likely susceptive to this.
I am always baffled that there are large entities and companies still that get affected by this, imagine having collective team of engineers not foresee that possibility.
And to those oss owners doing this sh*t, I only have few words
You're not a cool activist, you're just a plain simple d**k
Oh boy, I ended up talking more about this than I thought. So let's start off with this: I want to thank Alex Lohr for starting this conversation. As a software guy with an engineering background, I often find the emphasis on ethics in software rather lacking. Almost like "follow these rules and you'll be ethically untouchable" and then that's it, you're excused. So I really appreciate any discussion about ethics in the space. Moving on...
Who's this hurt?
I don't think many of these actions are actually hurting Russian people who can't afford it, if I were a Russian I would be concerned about food, medicine, and communication devices; not my self hosted server. Many large Russian companies may be slightly hurt by these actions, but ultimately I think much of the cost is spread around the Russian economy in general. I'm not an economist so I won't claim to know how much this economic damage will trickle down to uninvolved Russian citizens, but that ship has already sailed with western countries leading the charge.
Should software be neutral?
I don't believe the argument of neutrality here. As others have pointed out, inaction is sometimes an action in itself. And while I will admit we don't have perfect information, and the moon may indeed be made of green cheese, we have to work with what we've got and try our best. As Hannah Arendt, a holocaust survivor and philosopher, said "The sad truth is that most evil is done by people who never make up their minds to be good or evil." While Arendt has received criticism for underplaying the extent to which Nazis actively participated in evil, I still think this thought holds significance on an individual level.
What about package sabotage?
I think package sabotaging is a bad choice regardless of the above. I think it shows a level of dishonesty and lack of commitment to promises. When you publish a package as open source you get to set the rules, or license. To break the expectations of those rules later is dishonest. I think it's important for open source devs to consider if they are truly okay with even the worst people using their package. If you aren't okay with literally anyone using your package, you should consider using a different license than BSD, MIT, GPL, etcetera. While many of the "ethical" licenses lack legal teeth, they would at least set forward the expectation that the author may try to curb use of package if they find it immoral.
Are there examples where the gravity of what you're protesting justifies package sabotage? Well, probably. I have yet to see anything that would justify it for me (and doubt I ever will), but I'm also not in a literal war zone. Let's remember that hard problems make bad rules, and what's most important is to take time to think about our decisions and whether or not they align with our values. Circling back to Hannah Arendt, one of her conclusions was that evil often comes not from malice, but from a lack of thinking. Not taking time alone with yourself to think things over, and instead getting swept up by the rapids of society, often leads to immoral action (or inaction). Again this is not a concept that was met uncriticized, but I do think it holds personal merit even if it's ability to explain evil doings is controversial at best.
So would I sabotage a package? Almost certainly not. Would I think poorly of someone who has? Probably not, if anything I think it shows that they've taken the time to examine their values and made a choice that felt moral to them. That's the most I can really ask of anyone, even if I disagree with the outcome they decided to go for.
Thanks for participating in the discussion. Answers like this one is why I started this thread and am happy to be a part of this community.
Most russians support the war, not only Putin is to blame. They dream of an empire, military exploits, and new territories. They yearn to restore at least the Soviet Union. Others simply want material gain, fame, a sense of military power, and superiority. They are resentful and embittered at losing the Cold War.
And what if that protest wants to use node-ipc? That would result in one's "valiant aid" to the Ukraine putting a stop to anti-war protest in Russia.
Yes, we need to make the Russian people see that Putin is a dictator. Antagonizing them with sabotage is not going to help that cause.
Package sabotaging is madness - There's no other ways to put it. And for those participating in it, they're effectively committing intellectual and professional suicide. I would never trust such a person ever again. And I am very much against Russian aggression and I have friends in Ukraine, suffering from this madness - Still, sabotaging packages is like a doctor refusing to treat patients because they're on "the wrong side of history" ...
Not to disagree, but sabotaging the node ecosystem, even if you only target Russians within their country, is hardly going to affect Putin or his cronies. If anything, they can tie these actions into their propaganda against the west.
Oh, do you still think that the citizens of russia do not support the war? Very naive, although I understand that there is little information from primary sources in the English-speaking part of web. Even those few who are against the war are not concerned with the horror of what is happening, but simply with the issue of sanctions and their material well-being.
I agree on all accounts. Even though I can also see how someone could do something irrational in the heat of the moment when confronted with the extreme violence brought upon the people of Ukraine. It ultimately is not the answer and there are reports of NGO's trying to help being affected. For me I'm considering finally moving my Node.js apps into (Docker) containers to shield direct acces to the host. I try to minimise layers of indirection but may have reached the threshold to go this route.
I meeean... is it though?
My take on retaliation against the Russian people (as opposed to the government and oligarchs) is the following:
So you can broadly categorise the Russian population into three groups
It is easy to argue that the first group deserves any form of mild consequences, being scarcity due to trade restrictions or losing access to digital services due to activism.
The third group, while they may be the most sympathetic to the cause, is probably the least deserving of retaliation.
The third group, which I assume may be the largest, is the interesting one though: While it is ultimately their choice to prioritise their own safety over that of strangers in a foreign country, I don't think there shouldn't be any consequences to this inaction. They are, after all, tolerating war crimes being committed in their name almost daily. So ultimately, putting pressure on this part of the Russian population with hopes of driving them to speak out against the Russian invasion of Ukraine is not a choice we should indiscriminately label as "bad".
Sabotaging packages indiscriminately against a group is something we must label as bad as a) there are better options, b) we might be even helping our opponents this way, since they can afford security against these steps rather than their internal enemies can and c) we are undermining the global trust in our ecosystem.
I don't mean the official media. I'm talking about opinion polls conducted by independent bloggers, just a variety of private YouTube videos, comments on social networks, and live communication.
Even if you have such an impression, 30 years have passed. This is a different country and a different people drugged by propaganda. Now they are praising Stalin and want a firm managerial hand.
I guess you don't communicate much with Russians right now and aren't well integrated into the Russian part of the internet.
I wish your optimism were true, but there's hardly 20% against what's happening. Most of the sane left the country during these 8 years of conflict and growing madness.
Many russians wear T-shirts with the letter Z, which is a symbol of the new fascism and approval of what is happening. They stick them on their cars, post them on social media accounts, etc.
So you just add layers of trust through reviewers. But how can you possibly know they're not in on the sabotage? That's what I meant: once the trust is out of the window, it doesn't suffice to open the door to someone else.
Trust isn't a binary. I'd trust a paid reviewer more than an unpaid open source developer. Sure, somebody can take money and still sabotage you, but at that point they're actively scamming you out of your money instead of just messing with people whom they owe nothing.
Food for thought:
nukes + EMP = you don't have to worry about software anymore.
Ultimately, it's a question of trust. If your solution to a lack of trust in the ecosystem is curated sources, then how can you trust the curators?