DEV Community

Voltra

Fakerjs, colors, node-ipc... Why developers cannot be trusted

Ladies and gentlemen, the fact that I have to talk politics 3 times in less than 3 months is an aberration in itself.

RIAEvangelist, the maintainer of node-ipc, self-sabotaged it by using the malware-like package peacenotwar. It sabotages npm developers (including, but not limited to, Vue CLI users) in order to "protest" the invasion of Ukraine, and it can also delete files randomly if your IP is geolocated anywhere in Russia.

This attitude of developers to "do whatever the fuck we want" has to stop. We have all the power but none of the responsibility. Many were fine when fakerjs (and colors) were self-sabotaged because their author expected payment without ever asking for it.

Life does have a sense of humor though: I've been working on an Oath for all Scientists for 2 weeks now. I didn't plan on revealing it until it was finalized, but it looks like it might actually be interesting. It's not done yet, but feel free to have a look around.


Oldest comments (11)

Renan

Hi, I'm working on a proposal that could help to avoid these and other problems caused by dependencies. Here follows the article: dev.to/rmlira_/dependency-guards-jb5

I'll be happy to have your feedback, and suggestions.

Voltra

I will definitely have a look and leave feedback since I'm very interested in a more "ethical" license or anything that makes it more responsible.

Valeria

The Programmer's Oath

by Robert C. Martin (Uncle Bob)
18 November 2015

In order to defend and preserve the honor of the profession of computer programmers,

I Promise that, to the best of my ability and judgement:

I will not produce harmful code.

The code that I produce will always be my best work. I will not knowingly allow code that is defective either in behavior or structure to accumulate.

I will produce, with each release, a quick, sure, and repeatable proof that every element of the code works as it should.

I will make frequent, small, releases so that I do not impede the progress of others.

I will fearlessly and relentlessly improve my creations at every opportunity. I will never degrade them.

I will do all that I can to keep the productivity of myself, and others, as high as possible. I will do nothing that decreases that productivity.

I will continuously ensure that others can cover for me, and that I can cover for them.

I will produce estimates that are honest both in magnitude and precision. I will not make promises without certainty.

I will never stop learning and improving my craft.

blog.cleancoder.com/uncle-bob/2015...

Voltra

I never knew this existed. Thank you, this will definitely be a great additional source!

𒎏Wii 🏳️‍⚧️

I get being upset at open source developers sabotaging their own projects, but I still think it's ultimately their right.

Over the years, we've come to believe that merely using an open source project gives us some kind of ownership over it, in the sense that we have the right to expect it to work and do what we want. Worse yet, we expect these projects not only to be updated, but also to change in the direction we want them to.

This is, of course, a very nice best-case scenario where everyone is happy. But let's not forget one thing: We don't own these projects, nor do we have any rights whatsoever to their continued development.

Open source licenses grant us exactly one right: to use, modify and share the software in the state that we receive it. That's it. If we clone a github repository, the author cannot take it away from us, nor prevent us from re-uploading it.

And without any form of compensation, there's little to no moral obligation either. It's, ultimately, the author's project, and if they get fed up with current events or with being taken advantage of by big companies, then it is still up to them if they want to take the project down, if need be, with a loud boom.

And if we don't like that option, there are several very simple solutions:

  • Get a contract guaranteeing fitness for purpose
  • Audit new versions of software before blindly using them
  • Simply write your own software

A few thoughts on this "Scientist's Oath":

I will work for the betterment of humanity

I will not let my personal biases hinder my work

What I find peculiar here is that these two points already contradict one another, as the "betterment" of humanity is an inherently subjective concept that will inevitably rely heavily on personal biases.

I will not, under any circumstances, let myself be corrupted, forced, bought or influenced [...]

It's naive to disregard the very real possibility that people might face severe punishment and possibly even torture if they fail to comply with unjust demands, so this point is honestly kind of pointless.

I will not use the education or knowledge I have received and developed to further any personal agenda.

This oath, ironically, is exactly that: furthering a personal agenda. It might not be a bad one, but it's still just that.

I will be neither judge, nor jury, nor executioner.

This should really apply to anyone, not just scientists. Unless you actually are a judge or member of a jury, you should not act like it. And if you're actually an executioner, it's time to quit your job.

Voltra • Edited

Thank you for your comment, there's a lot to unpack so I'll do my best. Two things to get right off the bat are:

  • I don't know if this is the classical strategy of swarming the other with a lot of things so that it's almost impossible to give satisfactory answers in a reasonable fashion and in a reasonable amount of time
  • There are a few petitio principii, which is (to define it shortly) setting as true something that has yet to be demonstrated, or using it to demonstrate itself. Usually I have a tendency of giving up whenever someone uses fallacies because to me they void your entire argumentation: it's just a fancy way of saying fix it up first and then we can properly debate.

gives us some kind of ownership over it

I know there are a few people who genuinely act like that, but to others it's more of an implicit trust/agreement of "I will not intentionally fuck your shit up" which I think is how the warranty part of the MIT license is mostly interpreted (that's a whole topic in and of itself). We wish for updates and so on, but we don't necessarily expect them: for instance I've used many times the sequency npm package which hasn't received any functional maintenance in years I believe (even though I have my own library for that purpose). Of course I'll be happy to propose features if I ever need them, or ask for them if it's too much for me, but I don't expect them in a timely manner or anything. Hell, I have pull requests that are 2 years old that I technically needed to be merged 2 years ago, so even in those cases where you do the work yourself you have no guarantees.

Then there's the question of: Why do you share it? It's true, you don't technically need to share anything, so why do you? If it's to solve your own issues you can publish them privately. If you still want to make them accessible to anyone, you can just leave them be and never touch them again (i.e. nuking them is just malevolence). No one has ever any obligation, whichever party it may be.

You seem to equate money to morals, which is rather funny to be honest. That would mean that a doctor doesn't have to patch you up if you don't have the money, which would break their Hippocratic Oath btw. Morals can be State-wise (not state, State/country) which are the moral standards within a society. They can also be personal morals (your own in addition to). AFAIK going against your country's morals is a crime in most cases.

if need be, with a loud boom

You seem overly fine with malevolence, and that scares me quite a bit.

Audit new versions of software before blindly using them

I love this one because it's usually an argument used by the biggest hypocrites. Do you read the entire code of Apache before updating it? Do you read the entire code of gcc/bash/buildutils/etc... before updating them via apt? Sure, theoretically we should probably do that, but in practice you ask to read thousands upon thousands of interconnected codebases on a daily basis. Or is that the argument you use in whatever company you work at to avoid keeping software up to date, and thus proceed to make upgrades extremely difficult and security breaches easier? npm audit will never be enough because, surprise, it relies mostly on users reporting vulnerabilities, i.e. them being victims of it or finding them randomly whilst reading the code. No automated code will ever be enough, or we'd finally have perfect tools for static analysis, thread analysis, UB analysis, etc...

Simply write your own software

Yes, please reinvent the wheel every time.

the "betterment" of humanity is an inherently subjective

That's one of the petitio principii I was talking about. Why? What makes it so inherently subjective that I could miss it? For instance, if the state of the world can be summed up as a number, betterment would mean that state(t+1) > state(t) for all t. Yes, oaths are not practical examples of things, that's why the Hippocratic Oath has no details on any specific procedure and the risk of dying during said procedure. And as I just stated, "betterment" is an overall thing, not a specific instance which might require a subjective evaluation. It means not evolving backwards, not regressing, which is the sentence right below it in my details box (no surprises there).

disregard the very real possibility that people might face severe punishment and possibly even torture

I don't see you complain about that in the case of the Hippocratic Oath. If in Nazi Germany a Doctor refused to provide temporary refuge to attend the wounds of a Jewish individual who asked for just that (attend to their wounds) because of the consequences there would be, then yes I'm pretty sure that would be breaking the Oath. Plus, there's technically nothing (in what I'm trying to do yet) specified for what happens when you break the Oath.

This oath, ironically, is exactly that: furthering a personal agenda.

Goal: make an oath for scientists so that we may have a code to follow. Actions taken: make an oath. I'm pretty sure an agenda would be taking more steps than just, literally, doing the one thing I set out to do. What that part means is that in your work you will not further a personal agenda: if a judge doesn't like you for X reason, that doesn't give them the right to make you automatically guilty without any substance. You also failed to mention that it's under the "I will not abuse of the privileges bestowed upon me" which is required context because the details boxes are here to detail an individual item. Either you were making a genuine argument, or you adopted the strategy of "I can't attack the title so I'll take the details out of context" without doing the opposite first, which is to attach the details to the title to understand what it's supposed to mean. In my case, I'm a front-end developer, making a website isn't exactly against that point. What would be is if I absolutely refused to have any concern regarding accessibility and refused to comply with it (which I'm not sure I've done yet, but take a point of pride in putting everywhere in my work). No knowledge nor education was used specifically besides knowing about the Hippocratic Oath. Every bit of detail is either inspiration or things that seemed like common sense to me.

And if you're actually an executioner, it's time to quit your job.

And that to me seems like a way to avoid the fact that "I will be neither judge, nor jury, nor executioner" is a callback to the idiomatic expression "judge jury and executioner" which is how I managed to make that specific title so concise and yet so precise. In layman's terms it means "I will not hold the power to judge and punish others". And yes, it must apply to everyone, but the Oath was made with Scientists in mind, because I am a Scientist, an Engineer and a developer. But then again, you talked about morals earlier so you should know that's something that can be part of your own.

EDIT: Correct me if I'm wrong, but to me it seems you think every bit of human decency is off the table without any kind of contract. That would make a lot of cases, of "bias in AI" for instance, very void since there are no contractual obligations of not having it. Pushing "logics" to their extreme is a good way to test how true they are or to limit their scope of application.
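A practical middle ground between "audit new versions before using them" and "nobody reads every codebase before every apt upgrade": diff the lockfile so the review covers only what actually changed. This is an added example, not code from the post or from any commenter; it works on the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and uses npm's `hasInstallScript` flag, and the two lockfiles embedded below are constructed sample data.

```javascript
// Compare the "packages" maps of two npm lockfiles (lockfileVersion 2 or 3)
// and report what changed, so an upgrade review looks only at new material.
function diffLockfiles(oldLock, newLock) {
  const before = oldLock.packages || {};
  const after = newLock.packages || {};
  const report = { added: [], removed: [], changed: [], installScripts: [] };
  for (const [pkgPath, meta] of Object.entries(after)) {
    if (pkgPath === "") continue; // root entry describes the project itself
    const prev = before[pkgPath];
    if (!prev) {
      report.added.push({ path: pkgPath, version: meta.version });
    } else if (prev.version !== meta.version || prev.integrity !== meta.integrity) {
      // same version with a different integrity hash is as suspicious as a bump
      report.changed.push({ path: pkgPath, from: prev.version, to: meta.version });
    }
    // npm sets hasInstallScript when a package declares install lifecycle hooks,
    // i.e. code that runs on `npm install`; flag it when it is new in this upgrade.
    if (meta.hasInstallScript && (!prev || !prev.hasInstallScript)) {
      report.installScripts.push(pkgPath);
    }
  }
  for (const pkgPath of Object.keys(before)) {
    if (pkgPath !== "" && !(pkgPath in after)) report.removed.push(pkgPath);
  }
  return report;
}

// Constructed sample lockfiles (not from any real project): lib-a is bumped and
// gains an install script, a nested helper appears, lib-b disappears.
const OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lib-a": { version: "1.2.0", integrity: "sha512-AAAA" },
    "node_modules/lib-b": { version: "4.0.1", integrity: "sha512-BBBB" },
  },
};
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lib-a": { version: "1.3.0", integrity: "sha512-CCCC", hasInstallScript: true },
    "node_modules/lib-a/node_modules/helper": { version: "0.1.0", integrity: "sha512-DDDD" },
  },
};

const upgradeReport = diffLockfiles(OLD_LOCK, NEW_LOCK);
console.log(JSON.stringify(upgradeReport, null, 2));
```

In a real pipeline the two objects would be `JSON.parse` of the committed lockfile and of the one produced by the proposed upgrade; anything in `installScripts` or `changed` is the short list worth opening before merging.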

KrazyMeanie • Edited

I think your problem is not understanding that when someone owns something, whether it be used by others or no one at all, it's their choice to do whatever they like with it; moral or immoral. This doesn't mean I support immorality. It just means I understand the concepts of free will and ownership. I'm not saying people can't be upset because of this but that's about the most you can do. Most if not all of your points are subjective because it negatively affects you and other people that think the same way you do, but the owner may not see what they're doing as immoral. Trust is a choice people make, others can't do it for you and sometimes choosing to trust someone/something is simply one of the wrong choices you made and the person at fault is oneself.

Then there's the question of: Why do you share it? It's true, you don't technically need to share anything, so why do you? If it's to solve your own issues you can publish them privately.

This question has a rather simple answer. Because it's their choice. No one needs a motive to share anything online nor are there any restrictions in them doing so. Some might say maybe there should be restrictions but that would violate the free will of humanity itself. You don't technically need to share anything but that doesn't mean you can't and shouldn't.

I agree with most of your points since they fall in line with what I believe but there's a very thin line between human choice and morality. They are both arguments against each other and neither will ever be a valid win/conclusion over the other since both are very subjective subjects.

If I put a project online and people start using it, then I no longer feel motivated to continue working on the project, it's my choice to do whatever I like with the project whether or not my choice seems moral to others that use my project. Again this doesn't mean I support those that choose a subjectively immoral choice (I tend to look at things from both sides not just my own). And the people that use my project should understand how ownership works. They can complain as much as they like but in the end they have no power over the choices I/the owner of the project makes. They simply need to find another project that suits their needs.

As for the Scientist Oath topic I'm not interested in that so I won't comment anything about it. People online, in fact in general, need to understand that not everyone thinks or does the same as they do and that understanding needs to be mutual.

Marco Colli

I'm working on a new license that grants most freedoms of open source but also allows easier monetization for maintainers:

Here's the original idea on DEV:
dev.to/collimarco/why-a-standard-s...

And this is the license on GitHub:
github.com/collimarco/Standard-Sou...

What do you think? Can it be a compromise for the future?

𒎏Wii 🏳️‍⚧️

One big problem I see with that license: It doesn't allow sharing the code.

Marco Colli

Good point, I appreciate it! In my mind it was not prohibited, but I agree that the license doesn't explicitly allow "redistribution" at the moment.

I'm also contacting the OSI mailing list to have more feedback like this.

Voltra

I'm definitely interested in something that gives more responsibility to maintainers whilst keeping it easy to use by anyone. I'll have a look, thank you for sharing.