Discuss: package sabotage

Alex Lohr

(image copyright by Ministry of Defense of Ukraine, shared on flickr under CC-AT-SA)

Like any war, the current one in Ukraine brings out the best and the worst in people. The best of us support the people of Ukraine defending against the unlawful invasion by the Russian regime. The worst of us commit package sabotage against users with a Russian IP address.

On one hand, package sabotage is a two-edged sword, as you cannot possibly know if the Russian IP currently installing your npm package is not actually against the war and just wanted to set up a site to spread knowledge on how to circumvent Russian net blockades – and now you've successfully stopped them from doing so and indirectly aided Russian propaganda to prevail in the absence of that information. On the other hand, you undermine the global trust in the whole ecosystem that your package is a tiny part of.

For that reason, I'm rather convinced it's ultimately a really bad idea, but I wanted to hear your positions, too. What do you think about package sabotage? Also, shouldn't we be more mindful of the dependencies we pull from npm?

Latest comments (28)

Charlie J Smotherman

Food for thought:

nukes + EMP = you don't have to worry about software anymore.

matthew-salerno

Oh boy, I ended up talking more about this than I thought. So let's start off with this: I want to thank Alex Lohr for starting this conversation. As a software guy with an engineering background, I often find the emphasis on ethics in software rather lacking. Almost like "follow these rules and you'll be ethically untouchable" and then that's it, you're excused. So I really appreciate any discussion about ethics in the space. Moving on...

Who's this hurt?

I don't think many of these actions are actually hurting Russian people who can't afford it; if I were a Russian I would be concerned about food, medicine, and communication devices, not my self-hosted server. Many large Russian companies may be slightly hurt by these actions, but ultimately I think much of the cost is spread around the Russian economy in general. I'm not an economist so I won't claim to know how much this economic damage will trickle down to uninvolved Russian citizens, but that ship has already sailed with western countries leading the charge.

Should software be neutral?

I don't believe the argument of neutrality here. As others have pointed out, inaction is sometimes an action in itself. And while I will admit we don't have perfect information, and the moon may indeed be made of green cheese, we have to work with what we've got and try our best. As Hannah Arendt, a holocaust survivor and philosopher, said "The sad truth is that most evil is done by people who never make up their minds to be good or evil." While Arendt has received criticism for underplaying the extent to which Nazis actively participated in evil, I still think this thought holds significance on an individual level.

What about package sabotage?

I think package sabotaging is a bad choice regardless of the above. I think it shows a level of dishonesty and lack of commitment to promises. When you publish a package as open source you get to set the rules, or license. To break the expectations of those rules later is dishonest. I think it's important for open source devs to consider if they are truly okay with even the worst people using their package. If you aren't okay with literally anyone using your package, you should consider using a different license than BSD, MIT, GPL, etcetera. While many of the "ethical" licenses lack legal teeth, they would at least set forward the expectation that the author may try to curb use of the package if they find it immoral.

Closing thoughts

Are there examples where the gravity of what you're protesting justifies package sabotage? Well, probably. I have yet to see anything that would justify it for me (and doubt I ever will), but I'm also not in a literal war zone. Let's remember that hard problems make bad rules, and what's most important is to take time to think about our decisions and whether or not they align with our values. Circling back to Hannah Arendt, one of her conclusions was that evil often comes not from malice, but from a lack of thinking. Not taking time alone with yourself to think things over, and instead getting swept up by the rapids of society, often leads to immoral action (or inaction). Again, this is not a concept that was met uncriticized, but I do think it holds personal merit even if its ability to explain evil doings is controversial at best.
So would I sabotage a package? Almost certainly not. Would I think poorly of someone who has? Probably not, if anything I think it shows that they've taken the time to examine their values and made a choice that felt moral to them. That's the most I can really ask of anyone, even if I disagree with the outcome they decided to go for.

Alex Lohr

Thanks for participating in the discussion. Answers like this one are why I started this thread and am happy to be a part of this community.

Dmitriy Mozgovoy

I don't mean the official media. I'm talking about opinion polls conducted by independent bloggers, just a variety of private YouTube videos, comments on social networks, and live communication.
Even if you have such an impression, 30 years have passed. This is a different country and a different people drugged by propaganda. Now they are praising Stalin and want a firm managerial hand.
I guess you don't communicate much with Russians right now and aren't well integrated into the Russian part of the internet.
I wish your optimism were true, but there's hardly 20% against what's happening. Most of the sane left the country during these 8 years of conflict and growing madness.
Many Russians wear T-shirts with the letter Z, which is a symbol of the new fascism and approval of what is happening. They stick them on their cars, post them on social media accounts, etc.
youtube.com/watch?v=C_39n3AUQv0

Almost 3/4 of the population of Russia support the war with Ukraine, and since the end of February there have been more such people.

youtube.com/watch?v=zRrtfeW8ONM
youtu.be/CRoJljTIzqA?t=133
youtu.be/gDvuxScUdVw?t=10
youtu.be/zXIWjOc2du8?t=12

Dmitriy Mozgovoy

Most russians support the war, not only Putin is to blame. They dream of an empire, military exploits, and new territories. They yearn to restore at least the Soviet Union. Others simply want material gain, fame, a sense of military power, and superiority. They are resentful and embittered at losing the Cold War.

Alex Lohr

And what if that protest wants to use node-ipc? That would result in one's "valiant aid" to Ukraine putting a stop to anti-war protest in Russia.

Yes, we need to make the Russian people see that Putin is a dictator. Antagonizing them with sabotage is not going to help that cause.

Alex Lohr

Everything people are doing to put pressure on Putin is a good thing.

Not to disagree, but sabotaging the node ecosystem, even if you only target Russians within their country, is hardly going to affect Putin or his cronies. If anything, they can tie these actions into their propaganda against the west.

Dmitriy Mozgovoy

Oh, do you still think that the citizens of Russia do not support the war? Very naive, although I understand that there is little information from primary sources in the English-speaking part of the web. Even those few who are against the war are not concerned with the horror of what is happening, but simply with the issue of sanctions and their material well-being.

Thomas Hansen

Package sabotaging is madness - there's no other way to put it. And for those participating in it, they're effectively committing intellectual and professional suicide. I would never trust such a person ever again. And I am very much against Russian aggression and I have friends in Ukraine, suffering from this madness - still, sabotaging packages is like a doctor refusing to treat patients because they're on "the wrong side of history" ...

𒎏Wii 🏳️‍⚧️

The worst of us commit package sabotage against users with a russian IP address.

I meeean... is it though?

My take on retaliation against the Russian people (as opposed to the government and oligarchs) is the following:

  • The Russian population holds a significant power
  • The cost of exercising this power is potentially very high to the individual
  • The cost of not exercising it as an individual is very low for Ukraine
  • The cost of not exercising it en masse is very high for Ukraine

So you can broadly categorise the Russian population into three groups

  • In favour of the invasion
  • Complacent in the invasion out of personal danger
  • Opposing the invasion despite personal danger

It is easy to argue that the first group deserves any form of mild consequences, be it scarcity due to trade restrictions or losing access to digital services due to activism.

The third group, while they may be the most sympathetic to the cause, is probably the least deserving of retaliation.

The third group, which I assume may be the largest, is the interesting one though: While it is ultimately their choice to prioritise their own safety over that of strangers in a foreign country, I don't think there shouldn't be any consequences to this inaction. They are, after all, tolerating war crimes being committed in their name almost daily. So ultimately, putting pressure on this part of the Russian population with hopes of driving them to speak out against the Russian invasion of Ukraine is not a choice we should indiscriminately label as "bad".

Alex Lohr

Sabotaging packages indiscriminately against a group is something we must label as bad as a) there are better options, b) we might even be helping our opponents this way, since they can afford security against these steps better than their internal enemies can, and c) we are undermining the global trust in our ecosystem.

Alex Lohr

So you just add layers of trust through reviewers. But how can you possibly know they're not in on the sabotage? That's what I meant: once the trust is out of the window, it doesn't suffice to open the door to someone else.

𒎏Wii 🏳️‍⚧️

Trust isn't a binary. I'd trust a paid reviewer more than an unpaid open source developer. Sure, somebody can take money and still sabotage you, but at that point they're actively scamming you out of your money instead of just messing with people whom they owe nothing.

Alex Lohr

Ultimately, it's a question of trust. If your solution to a lack of trust in the ecosystem is curated sources, then how can you trust the curators?