DEV Community

Discussion on: Open Source Sustainability

Collapse
wolverineks profile image
Kevin Sullivan

what were the arguments against using scarf?

Collapse
erikras profile image
Erik Rasmussen Author

Basically just around the "implicit contract" I mentioned in the article. It feels "dirty" or "shady" or "creepy" to have a library force your computer to upload information about you (minimal as it may be) to anyone. The irony, of course, is that you're trusting NPM with this knowledge...basically as a requirement, since they have a monopoly in this space (No wonder Microsoft liked them! 🤣). Also, nothing about the npm install build process is secure. There's nothing stopping a library from adding a postinstall script that uploads ~/**/* to a server somewhere, and now you have no privacy. None of us are running our npm install commands from some permissions-restricted account, aside from the CI vendors.

Collapse
wolverineks profile image
Kevin Sullivan

whats your opinion on? are either of those deal-breakers?

  • explicit / no opt out
  • explicit / opt out
Thread Thread
wolverineks profile image
Kevin Sullivan

and what would an acceptable opt-out mechanism?

  • go into node modules and flip a toggle?
  • 2 npm packages?
  • a branch sans scarf?
Collapse
samsch_org profile image
Samuel Scheiderich

Hey Kevin, here's a write up of the main issues. gist.github.com/samsch/c38f3109701...

I acted as point person for pushing to get scarf dropped from libraries, so I'm an explicitly biased source. However, I did drop this for some review in the discussion channel on Reactiflux where a lot of conversation about this happened.