But to be fair, its not discrimination against the Russian people, its discrimination against a particular ideology that is predominantly held by the Russian people.
> But to be fair, its not discrimination against the Russian people, its discrimination against a particular ideology that is predominantly held by the Russian people.
To be even more fair, it's both.
There are plenty of Russians that absolutely do not agree with what the Russian leadership is doing, but have no choice in the matter.
Speaking as a Canadian, there was a time when we were similarly fighting an adversary and chose to indiscriminately treat all people from that nation as enemies. The result was the internment of Japanese Canadians, one of the most shameful periods in our nation's history.
I cannot help but be very concerned that we're heading down a very familiar and dangerous path, here...
Speaking as someone who was vehemently against the Iraq war and lived in the US, I welcomed discrimination against my own people. The United States was responsible for war crimes in that war, and for sure we deserved sanctions, boycotts, divestment, and bad international relations due to it.
I was treated extremely rudely for being American when I went to France in late 2003, and I totally understood why. I hated my own country and my countrymen for it as well. I still do, in a sense. We owe the Iraqi people an enormous debt of reparations
I was treated extremely rudely for being American when I went to France in late 2003, and I totally understood why.
It seems too easy to say "uh discrimination is fine" when the only thing you have to fear is people being rude to you on vacation. If you face the loss of your livelihood, like the owner of a small Russian restaurant somewhat, I don't think you'd be as sanguine.
One would think that after going through this you would become more empathetic and understanding of the ordinary citizens side. But no, somehow the takeaway was that discrimination against innocent people based where they're from is OK
>I was treated extremely rudely for being American when I went to France in late 2003
That's just the French being the French, would have been the same in the 90's lol. And if you think that's bad, try going there as a French Canadian like my grandfather did. He got treated way waaaay better when he spoke English instead of the his "dirty" (what the Frenchies called it) Quebecois French.
That's racist. And a deny of history about the anti-french sentiment in the USA consequently of the opposition of French to to participate in a war that later you want you never make.
You clearly don't know what the word means. French isn't a race, at most it's a nationality or ethnicity. And in any case I'm 1/4th French, ethnically.
>And a deny of history about the anti-french sentiment in the USA consequently of the opposition of French to to participate in a war that later you want you never make.
I never said there wasn't anti-French sentiment in the US though? Do you have issues with reading comprehension?
The author obviously thinks that open source that discriminates cannot be open source.
In principle this is true given the current Open Source license.
But i would argue that the clause about discrimination is out of touch with reality.
Usage rights to Open Source should not by default be granted to oppressive regimes and the author should absolutely be allowed to state that within the license.
If the west wants to send a clear signal to Putin, then matters such as the wording of the Open Source license needs to be adjusted accordingly.
Hello, author here. I do think the open source licence is framed to be non-discriminatory and I think that’s not a bad thing. Discrimination lends itself to politicisation and in turn division. And I think an ecosystem where we have lots of division is not good. What would happen if two interdependent projects suddenly had conflicting political requirements?
I think that holding onto the idea that software is apolitical is untenable. Social media companies and large corporations try to toe this line and have been widely rebuked for it (Google trying to get ICE contracts, for example). I think the idea that "everything is political" is taking it too far, but so is the idea that providing material support to any comers is apolitical.
Bear in mind that I'm talking descriptively rather than prescriptively here. I have my own opinions but I can also observe that political neutrality as a concept is waning.
Ok so its political, what if this political take where we encourage openness and interconnectivity is superior to the political take where we are reactionary? What if it literally is a winning strategy?
Im not saying it is necessarily- but i think to get past the division you have highlighted (apolitical universality vs political conservatism) there is perhaps a way to look at the various approaches and determine what approach would be technologically, logistically, and politically advantageous.
Let us let go of the idea it is apolitical, what now?
I do think that we should look at these choices through a utilitarian lens and consider both the immediate and long term impact of such decisions. I do think that innocent Russian civilians will inevitably get caught in the crossfire with sanctions, which is unfortunate. I still believe that it is a moral good to penalise colonialism and other unethical activity through withdrawal of material support because this increases the cost of such actions. I'm not sure what justification there could be that continuing material support for an expansionist government during an invasion has positive utility, it smells like an argument for consistency to me but I'd be happy to be corrected.
Something that comes to mind is the argument against aid NGOs in places with dire poverty and hunger.
When an NGO comes to your town, where you are trying to build a farm business, and delivers months worth of free rice, can you afford to run your business? Similarly, can any russians make successful software as a service that analogues FOSS offerings? No they cant, because the alternative is available and free.
Remove the free rice and you satisfy your egos necessity for first order moral resolution via punishment- bad people dont get rice- but as for second order effects? Perhaps now it becomes feasible to build a sustainable farm (or apache competitor)
The aid NGO question comes down to whether locals can build a self supporting economy and whether the aid is hampering economic development - but it isn't a binary question because you can subsidise farmers or reduce aid commensurate with local supply.
I'm familiar with second order effects, and nth order effects and nonlinear causality. If we restrict Russia's access to Apache Web server, sure, they will eventually develop a local equivalent. So, over time they transition from being disadvantaged to simply leveling the playing field. That's a pretty good outcome, especially if many more open source projects could withdraw from Russia.
Hi, must say that it's a thoughtful article that has valid points.
Maybe as a European i feel more strongly about this, but every means possible must be employed to send a clear signal to Russia about the unacceptable state of affairs.
Except destructive changes as in the second example, that behavior should not be allowed by the Open Source license.
I'm still hopeful that a better wording can be found going forward.
Almost everyone's sympathies are with Ukraine now, and Russia under its current regime is rightly being sanctioned by measures that are intended to hurt. Sanctions that aren't felt are meaningless.
When it comes to open source licensing, though, the problem with these kinds of exceptions tends to be that there are a lot of causes that would, at one time or another or from one perspective or another, seem to warrant similar exceptions.
There are other wars going on, with more or less clear aggressors. Should we build a list, somewhat akin to the U.S. export restrictions, that forbade using the software by the aggressive states? How would we make sure that the lists aren't influenced by political leanings or cultural preconceptions? (Hint: you can't.)
It would be objectively easy to argue that people who eat meat should be sanctioned to give them a "clear signal" that they shouldn't. It would be emotionally easy to argue that perhaps we should exclude people who violate human rights from using our software -- although what exactly constitutes such a violation would be pretty hard to delineate. In a different culture, objectively or not, entirely different acts might be considered morally contemptible or even unforgivable.
Allowing exceptions to open source terms based on individual reasons would lead to a jungle of rules that would end up ruining open source, even if each exception by itself can be easy to argue for. You could no longer build a Linux distribution or any kind of a large collection of software, or even an open source application that relied on lots of open source libraries for its functionality.
That is, unless you decided not to include any software that had licenses with any such exceptions. That's exactly what drawing the line for the meaning of "open source" is. If you only take one of those exceptions and not the others, that's no longer an objective choice, and others are going to have different exceptions; if you take them all, you create an untenable mess, or at least a walled garden with really tight walls.
At any given time it may feel like this is the one exception we should make, and it feels right at that moment. It just can't be done with any consistency without massive collateral damage in the big picture.
By all means, let's cause trouble to Russia (under its current regime) as long as it restricts their ability to wage war. Let's do that even if it costs us. But let's not do it in such a way that it creates a massive moral or legal conundrum in the long run. Even if it feels right at the moment.
- Another European, living less than 200 km from Russia
long-term OSS author here - strong agree "the open source license is framed to be non-discriminatory" is the "right thing" for Intelligent Humans of every color, creed and mother-language
A principle being out of touch with reality doesn't mean you get to redefine what the principle means; if you view its out-of-touchness as a mark against the principle, reject the principle. What you're really saying is that you want the social benefit of claiming to adhere to the principle, while not actually adhering the principle. 'The west' does not own open-source any more than Putin does, and if you intentionally make your software non-open-source to send a message to Putin, that's your right, but you can't keep pretending to be open-source if you do.
You're welcome to license your software under terms that discriminate against oppressive regimes. Just don't call it "open source".
The argument that software licenses should exclude certain people or fields of endeavor has been around for decades. Such licenses are outside the scope of Open Source. Specifically, such licenses do not conform to the Open Source Definition clauses 5 and 6:
> The license must not discriminate against any person or group of persons.
> 6. No Discrimination Against Fields of Endeavor
> The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
Such discrimination is a form of sanction. It has been shown over and over again that sanctions do nothing to change governments — all they succeed in is to harm the lives of ordinary people. This makes license discrimination on such grounds nothing more than virtue signalling at best, and a punishment to ordinary people at worst.
Furthermore, the label "oppressive regime" is sometimes more propaganda than fact. Many western countries weaponize human rights by labeling enemy states as oppressive regimes, while either ignoring/muffling their own human rights abuses, or (more likely) having systems that allow one to protest against domestic human rights abuses while failing to change a single thing about them no matter how much people protest; and at the same time, turning a blind eye on actual oppressive regimes that happen to be allied states (until they fall out of grace, after which they will once again be labeled "oppressive regimes").
This makes license discrimination on the grounds of the "oppressive regime" label highly problematic and prone to geopolitical propaganda games. At worst, you can even say that such license discriminations become willing tools of geopolitical propaganda.
The current sanctions are doing a great job of hurting the Russian economy and, by extension, its ability to rip apart the flesh of 6 year old girls hiding in hospitals in Mariupol.
Actually they've done a great job driving up oil and gas prices, which actually helps the Russian economy because European countries are too dependent (and spineless) to cut off Russian gas pipelines.
And sanctions who target the "normal" citizen give Putin a really sharp knife to proof that the "west" really wants to harm Russians....what else then sanctions can be done? I honestly don't know.
Economic sanctions send a clear message to Putin that his invasion of Ukraine is unacceptable.
Direct confrontation is not an option and neither is doing nothing at all, so sanctions is the logical choice.
I agree that sanctions will not make Putin withdraw from Ukraine. But seeing Europe make a targeted effort to stop relying on Russian oil and gas, should make Putin think twice.
"I've stated above some parts of my views about certain political issues unrelated to the issue of free software—about which of those activities are or aren't unjust. Your views about them might differ, and that's precisely the point. If we accepted programs with usage restrictions as part of a free operating system such as GNU, people would come up with lots of different usage restrictions. There would be programs banned for use in meat processing, programs banned only for pigs, programs banned only for cows, and programs limited to kosher foods. Someone who hates spinach might license a program to allow use for processing any vegetable except spinach, while a Popeye fan's program might allow only use for spinach. There would be music programs allowed only for rap music, and others allowed only for classical music."
"The result would be a system that you could not count on for any purpose. For each task you wish to do, you'd have to check lots of licenses to see which parts of your system are off limits for that task. Not only for the components you explicitly use, but also for the hundreds of components that they link with, invoke, or communicate with."
"How would users respond to that? I think most of them would use proprietary systems. Allowing usage restrictions in free software would mainly push users towards nonfree software. Trying to stop users from doing something through usage restrictions in free software is as ineffective as pushing on an object through a long, straight, soft piece of cooked spaghetti."
"It is worse than ineffective; it is wrong too, because software developers should not exercise such power over what users do. Imagine selling pens with conditions about what you can write with them; that would be noisome, and we should not stand for it. Likewise for general software. If you make something that is generally useful, like a pen, people will use it to write all sorts of things, even horrible things such as orders to torture a dissident; but you must not have the power to control people's activities through their pens. It is the same for a text editor, compiler or kernel."
I agree about it being unprofessional. But does "virtue signalling" now mean simply any form of protest?
Were the Canadian truckers protesting in Ottawa virtue signalling? Are people posting "Let's Go Brandon" online also virtue signalling? If not, what's the difference between their form of protest and this Terraform stunt?
Like all politically-charged terms, the original meaning has been long lost as the context in which it was coined is forgotten.
I think the term ‘virtue signalling’ was originally intended to point out a perceived hypocrisy - that it’s much easier to gain public support for an idea/cause/campaign if that campaign is perceived to be helping some disenfranchised group - even if the campaign also benefits the organizer, and even if the campaign is not necessarily wanted by some or even all of the allegedly-aggrieved group.
It did start out that way (an attack by conservatives against progressives) but has since become ubiquitous. It just refers to immaterial forms of protest that don't accomplish anything except signaling support for a cause.
I believe “virtue signalling” means any form of protest which will not, and does not really try to, have any actual effect on that which it protests against. Any small actor protesting and boycotting something which they are unlikely to affect and even come into contact with, therefore qualifies. The protest is not done to affect any real change, only to signal virtue.
My understanding is that "virtue signaling" implies that the primary goal is performative with minimal personal risk and minimal commitment to productive action. The example that comes to mind is a company that spends far more money informing the public of their charitable works than they do on the works themselves.
So an in-person march, trucker protest, sit-ins, having a private conversation, calling your representative, making personal sacrifices, attempting to bring attention to lesser-known issues, donating money, engaging in dialog to convince someone of your position, etc would not be virtue signaling.
But things like posting "Let's Go Brandon" online, or changing your profile picture with no further action, or unironically using terms like "virtue signaling" for internet points might qualify as virtue signaling.
At least here in the United States, those are usually sold by charities that benefit various veteran's organizations, so there's some actual skin in the game there.
Good question. I think it would on the motivation of the wearer.
If if they are wearing it primarily as a method of socially fitting in and signaling to those around them then it might be "virtue signaling".
If they would continue to wear a poppy on remembrance day in contexts where the people around them did not know what it meant then there's clearly something more than signaling going on. Perhaps it is their tradition, or it helps them remember.
(I should caveat that I don't think there's anything particularly wrong with social signaling so I don't use the term "virtue signaling" as it seems to have a pejorative or sarcastic connotation.)
Just about all of your examples of not virtue signaling could or could not be depending on the context. Going in person to march, posting selfies on facebook, marching two blocks and leaving would be an in-person march and virtue signaling for example. Virtue signaling is more about intent and advertising of the act.
To paraphrase the bible "Jesus said The pious pray in their closet. Those who make big shows of praying in public are nothing but douchebags."
You just successfully moved the goalposts by redefining what "going to a march" means...and even then didn't address how "all the examples" don't count. Even then, showing up for a mere two blocks still involves more risk than staying at home.
To me, it's the element of risk that differentiates virtue signaling from meaningful action. Posting "Let's go Brandon" on parlour or "Black Lives Matter" or Tumblr aren't risky actions. Saying "I think gay marriage is ok" in a conservative church is. Just because you can imagine a situation where the context lessens the impact of the action, doesn't mean the example is weak or wrong.
Then you missed the point of my post entirely. "Virtue Signaling" isn't about what good deeds you do or don't do. It is about intent and what you do "around" those deeds. You can do real good and still be virtue signaling, because virtue signaling is the advertising aspect of it. Two people do the same deed, one won't shut up about it. One is virtue signaling, the other is just a good person.
> My understanding is that "virtue signaling" implies that the primary goal is performative with minimal personal risk and minimal commitment to productive action.
And it's based on the flawed assumption that stating public support for something without doing anything else is useless.
But people moderate their behaviour based on perceived social norms.
When people publicly state their support for a given issue, they are communicating what they understand social norms to be.
When a lot of people do that, that becomes the norm.
So "virtue signalling" could just as easily be labelled "showing support", which is the way that we share and align on those norms.
But, of course, folks who don't like people voicing their support for those values, for fear that they will become normalized, needed to find a label to apply to insult those people and, hopefully, stop people from voicing their support for these social movements.
And thus the term "virtue signalling" was born. Suddenly saying out loud what you believe becomes itself a social moray.
Now flying a pride flag, or calling for increased diversity in the workplace, has become "virtue signalling" and something to be embarrassed about.
It's quite clever as a means of controlling the narrative. And it appears a shocking number of people have bought into the BS.
1) Does "showing support," actually do anything? Are we really aligning on norms or just scoring points with people who already agree the same position? I suspect the detail matter and that there is continuum, where for uncommon positions maybe it does something, but for widely held views, it really is just "virtue signalling."
2) When does "showing support," become a substitute for more substantive action. Maybe I post a pride flag on my social media avatar, but don't bother to vote in a local election with discriminatory ballot initiative. Or consider any number of incidents of corporate "greenwashing."
But sure, plenty of virtue signalling, isn't _just_ signalling. And we shouldn't dismiss it on those terms, but rather ask about impact.
How much is a heap of sand? It's a Sorites problem. There exists a continuum between "changing your profile picture to be tinted like flag X" and "everyone is saying and doing the same thing and it's an entrenched social norm".
It's certainly less impactful than doing something substantive but it also costs nothing to signal boost. Same like boycotts, it only works en masse.
I think one of the important things about virtue signalling is that you're making a big deal about the prescribed norms that everyone is, in our unofficially official ideology, supposed to follow.
It'd be like flying a great big flag that says "I support the government and corporations." Whenever I see a pride flag, that is essentially what I see. It's like, (and it's useful to read the people who are against you as a mirror), when Patriarch Kirill of Russia says: ". Today there is such a test for the loyalty of this government, a kind of pass to that “happy” world, the world of excess consumption, the world of visible “freedom”. Do you know what this test is? The test is very simple and at the same time terrible - this is a gay parade. The demands on many to hold a gay parade are a test of loyalty to that very powerful world; and we know that if people or countries reject these demands, then they do not enter into that world, they become strangers to it."[1]
That's not far off from the truth. Virtue signalling, as opposed to protest, is oriented towards moving closer to power, rather than further away from it. In Foucauldian terms, protest would be a transgression, a breaking of the taboo, and virtue signalling would be the opposite of that, an adherence to and reinforcement of the taboo, in which one mimetically serves the strengthening of the taboo, until the mimetic crisis breaks into blodshed.
Virtue signalling is wearing the swastika in 1938, and bears no relation to wearing one in 1929, except to say that those who wore it in 1929 won.
The goals/motivations of the action is what matters here. Changing a few lines of code to state your stance on an issue won't cause any level of change whatsoever. It was clearly done to show which side of the war the author supported, more about the author than the conflict. A Canadian protestor that spent most of the time publishing their involvement on social media is virtue signaling, but one that merely occupied the capital is not. Saying "Let's go Brandon" is virtue signaling, unless the signal is meant only for your group, then it is dog whistling
My personal sense of the word is that “virtue signaling” is when people intentionally seek recognition from a group by visibly supporting something that group already endorses or considers normal. Going a step further, the support is often exaggerated, not totally sincere, or not congruent with that person’s previous behavior.
There is also a sense that whatever thing someone is “virtue signaling” about is acceptable enough that there is no real downside for taking the stance.
It would be like an American proudly declaring how much he loves the United States on Independence Day. He would go out of his way to emphasize just how much of a patriot he is, hoping to be rewarded for doing so.
If you support a cause, "virtue signal" describes an action which doesn't do a lot to materially support the cause, to encourage people to take more concrete action.
If you oppose a cause, "virtue signal" is a term of denigration for any public action on behalf of the cause to discourage people showing support for it.
When you protest something not because you care, but in order to signal that you care it is virtual signal (literally, you are trying to signal your virtue).
When you protest for gay rights in 2020 it is a virtue signal. When you protest for gay rights in 1987, it is because you believe in it and are willing to take the cost of it.
Since public trade companies only care about money, when those companies support some course it has become safe enough that it is now virtue signalling.
> When you protest for gay rights in 2020 it is a virtue signal.
I don’t think this is the case; it’s still legal to discriminate on the basis of sexuality in many states and contexts such as housing in the United States. You may not be able to fire someone for being gay but in many places you can evict them for it.
Additionally I don’t think it’s virtue signaling to protest for gay rights beyond the small number of countries that recognize marriage. There are still countries where gay behavior is illegal, marriage isn’t recognized, and gay panic is a legal defense.
I think people virtue signal when they dominate conversation with pet political topics. This is especially evident if they continually find non-sequitur ways to include moral and pet topics in regular conversation. I don't think that either of the examples you've brought up are virtue signaling, but introducing the topic of Starbucks cups to redirect a conversation into how "the country has lost its way" is a good example. An example of this on the left is how certain folks will redirect any conversation into one about oppression.
The impact of virtue signalling is pretty evident. Ever seen how in order to make a statement on something you have to first identify yourself as part of that something that you're criticising? That's a direct byproduct of virtue signaling.
Accusing people of virtue signalling is a prime example of virtue-signaling.
But really I don't know your motivations and you don't know the motivations of the Terraform folks. Let's be a bit more humble please. But yes, I also find it unprofessional.
This is the culmination of about a decade of reinforcing the idea that political actions don't count as violating norms if the actions are against someone who violates other norms of yours.
Or maybe just the culmination of internet libertarians who stick to principles being out-populated by more average people who stick to each other (that is a nice way of phrasing the practice of putting popularity before ideals but it's also true to its real nature).
Internet libertarians definitely also stick it to each other in dumb ways whenever they think their cause is right. Let’s not kid ourselves; an average person wouldn’t know how to wield open source for their personal political nonsense. It would precisely be a technocrat who thinks they’re enlightened.
>an average person wouldn’t know how to wield open source for their personal political nonsense
I am close to an average person in this regard because I am a free-rider on other people's enlightened steering: all I do is install stuff and in exchange I get privacy and security.
It has nothing to do with Russia. It has to do with stuff like inherent sinfulness, the promotion of social righteousness, the exhibition of the Kingdom of Heaven to the world, double predestination and whatever else Puritans and other Calvinists who became the American elite believed in and promoted. The views of those people who were considered fanatics back in Europe became the norm in the US.
I think people get a little carried away with this. I'd bet money that the average American cannot even describe the difference between Protestantism and Catholicism besides something facile like "they have a pope." There aren't even any Protestants sitting on the Supreme Court.
In a historical sense, it's very geographically dependent. Before states got rid of established churches, Virginia, for instance, established the Episcopal church, while Massachusetts established the Congregational church.
I don't think his point was directly related to people's religious views today, but the type of people who originally came to the US and how their views and norms have impacted the culture up to today.
Well I'd go a little further and say that it's getting too clever to act like the most important thing to understand how Americans think is the details of a dispute that happened before most of their ancestors came and that they can't even describe in broad strokes.
> I'd bet money that the average American cannot even describe the difference between Protestantism and Catholicism besides something facile like "they have a pope." There aren't even any Protestants sitting on the Supreme Court.
The modern American culture simply descends from Calvinist culture, by no means it is the same. Just like you wouldn’t expect a fish to explain its ancestry to you, you wouldn’t expect an American to do the same.
Some people seem to believe that if you remove a belief in God, a sudden discontinuous cultural gap appears. But there is no reason to assert such thing. An absence of belief in God doesn’t make Americans culturally more similar to Buddhists than to their ancestors, they still inherit similar values and social practices. The American culture experienced an abrupt shift from the British culture due to the founder effect, but from that point it pretty much developed continuously. (Well, of course like all cultures, it experienced outside influence but it wasn’t as impactful.)
> In a historical sense, it's very geographically dependent. Before states got rid of established churches, Virginia, for instance, established the Episcopal church, while Massachusetts established the Congregational church.
There is a book called The Faiths of the Founding Fathers by David L. Holmes, it covers explanation of the sheer influence Calvinism had in the US.
By the way, is it surprising that
(1) Harvard originally had a Calvinist church.
(2) Harvard is located in New England, the land of radical Protestants aka Puritans.
(3) Harvard is the most prestigious university.
My point is simply that American “average people” are in no way simply average people if such thing even exists.
This notion that somehow 'FOSS' is a moral ideal that stands above others is rubbish.
If you're helping Russians drop bombs on Mauripool that's a choice.
You can also choose not to do that.
That concerns an 'ideal'.
There are issues at hand of much greater consequence and idealism that 'internet librarians' pretending that they are consequential in this context.
'More Average People', like accountants and teachers, are literally right now upholding their 'ideals' by learning how to use a weapon and defending their homes with their lives against literally the Russian Empire. That is an 'ideal' thankfully none of us will ever have to contemplate upholding.
I think it is a little bit more complicated than that when you're taking sweeping actions like banning Russians from sport (something we managed to avoid in the Cold War but apparently not this time). I also wonder if you'd take the same line about someone seizing your bank account, because every American, by the standard we are now using, is culpable for the Iraq War.
Stupid people do stupid things all the time. Clearly not an educated tactic. No one with an anything above the brain stem would do that, and that's not what's being argued for.
Racism isn't the point, crippling the Russian state is. Assuming anything else smells like bad faith.
> Racism isn't the point, crippling the Russian state is. Assuming anything else smells like bad faith.
One incident related in the story is someone slipping malware into a node library which appears, among other collateral damage, to have deleted the archives one NPO had collected of the war hoping to document Russian war crimes. So really I'm not sold on it being that different.
Huge parts of the Russian state are "infrastructure necessary for civil life" attacking those would be contrary to international humanitarian law.
But there is also the tactical issue of whether such attacks would have the desired effect. Imagine if Russia would attempt to "cripple the US state" to stop the war in Iraq... I think the average Joe in America would feel quite threatened by that notion. As a corollary, consider this: as a response, would Joe be more likely turn against his state, or realise that he desperately needs to support it, in order to defend his way of life?
Targeted missile strikes on the homes of the leadership and military executives would be a way to do so, while minimizing direct harm to the population.
Of course, actually targeting elites in power isn't something elites in power want to promote.
Oh come off it, the notion of collateral damage-free missile strikes is a fantasy, and there are obvious reasons not to pursue a hot war with a nuclear power.
I never suggested that it would be collateral free... I said specifically "minimizing" the impact. That said, I don't support the practice, only making the point that there are in fact better options, including those with military action.
You can observe the difference between a military largely focused on PGMs and a military focused on 152mm artillery and unguided MLRS right now in this very war.
like banning Russians from sport (something we managed to avoid in the Cold War but apparently not this time)
That isn't as persuasive a point as you might want it to be. It may be the case that we are, now, simply being more comprehensive in defending against a descent back into those awful cold war times. Once we were already in the thick of it during the Cold War, even a little bit of cooperation was useful in not descending even further.
It's like a phase transition. When society is already functioning at a higher level of cooperation, appropriate consequences of deviating from that are highly exclusionary. But the game-theoretic risk/reward balance changes when society is functioning at a more adversarial level. At these different phase states, an action that may incentivise de-escalation in one phase state may have a different (even inverse) effect in another phase state.
I didn't call it the high water mark, just a higher level of functioning & cooperation than the cold war. I think that's an accurate statement.
But now that you've raised the question, it's difficult for me to think of any stretch of decades that was definitively better, certainly not in the last 100 years. I might look far back to the Pax Romana, but that couldn't be considered global in nature. I'd argue that it's probably only at some point in the past 100 years that regional civilizations became interconnected enough for us to even consider things as a truly global system.
Please note that I'm not claiming the last 20 years have actually been good in terms of global peace, stability, accord, etc., just that it seems a bit better than the recent decades prior to that. By one narrow metric, per Capita war-related deaths, we're doing quite a bit better. Of course these things are far from evenly distributed across the globe, and it seems like wider stability sometimes relies on allowing awful things to happen on a smaller scale. And I don't think it's much consolation to those dying in conflicts to tell them "no really you should be joyed to live at a time when so few people have their lives torn apart the way yours is right now".
All of that strays from the topic of my original comment though, which again compared current times to cold war times.
I disagree unless we mean, in a very narrow sense, "peer" challenges. Clearly the US hegemonic status went largely unchallenged for a while, but I don't agree with your characterization of the period as more peaceful than previous times, and therefore warranting a radical break with the past to preserve.
I honestly want to explore this topic further. I am not so closed off to the possibility that I'm wrong that I am unreceptive to counter arguments, so I hope you'll engage the topic with me a bit more:
peaceful is an vague term, but some of the language I have used is not much more precise. However I did mention one somewhat narrow metric, per-capita wartime deaths, and the world has been much better in this area during the the last 20-30 years than previously. What are your thoughts on that aspect of this discussion?
On the more ambiguous connotations of what I wrote, I will clarify the idea that was uppermost in my mind when I made my comments:
Essentially, a conflict that is catastrophic for the entire world is less likely (at least prior to recent events) during the last 20-30 years. The fall of the Soviet empire left no two adversaries so antagonistic to each other, each with world-destroying capabilities, that we have had to constantly worry about such a conflict breaking out. We have not had to walk so carefully on egg shells to avoid reaching that point. North Korea has only recently become the nation most likely to initiate a nuclear conflict, and I would still rate that as a lower probability than cold-war era direct US <-> Soviet conflict, and the capabilities of North Korea in this area are still too primitive for a conflict with them to inflict the same scale of damage as direct Soviet/US aggression.
Certainly horrific local and regional conflicts have still prevailed in some areas of the world, perhaps only slightly reduced (arguably not reduced at all, and worse in some regions) but their potential to spill over into a wider world-scale conflict remained exceedingly low compared to prior decades. They are less dangerous to the wider world because some of those cold-war era conflicts were proxy wars that risked escalation to direct conflict between military super powers.
Consider that the Vietnam War could easily have been won by either the US or Soviets if either of those powers had been willing to bring their full and complete military might to bear against their proxy opposition within that country. Indeed there was a constant tension that such a thing might happen and bring the puppet masters behind the North & South Vietnamese into direct conflict with each other.
This was perhaps even more true during the Korean War, with the added risk of more significant Chinese involvement & explicit threats by the US that nuclear options were on the table. The only thing that mitigated the potential for global nuclear war was that US nuclear capabilities were still relatively limited, Soviet nuclear capabilities even further behind, and Chinese nukes a decade or more away from completion. (by which point we'd progressed past the sino-soviet split so an alliance between those two powers was pretty much off the table) But during that conflict there was still significant possibility that a conflict on the scale of WWII, with slightly more advanced technology, could erupt & include a major nuclear component as well.
And of course there was the idiotic brinkmanship if the Cuban Missile Crisis.
Nothing of that scale has been anywhere near as probable after the end of the cold war. Having grown up in the twilight years itf the cold war, I can directly attest to the global tension of those times, and the global sigh of relief as they ended. In the years since then we have never approached that level of tension until today, with the Ukrainian invasion, where small echoes of those times can now be felt.
This is the thrust behind my comments. That perhaps local & regional conflicts have seen little change, but world-wide existential threats from military conflict are-- comparatively-- a much reduced concern.
> Iraq dominated the headlines throughout the fall of 2002 and into the winter of 2003. Public opinion on the wisdom of war, however, stabilized relatively early and slightly in favor of war. Gallup found that from August 2002 through early March 2003 the share of Americans favoring war hovered in a relatively narrow range between a low of 52 percent and a high of 59 percent. By contrast, the share of the public opposed to war fluctuated between 35 percent and 43 percent.
Your comment is proving his point. We decided at some point that not all is fair in war, even if there is a war of aggression. "The Japanese started the war" wasn't a good excuse for Japanese internment. "The USA started bombing the middle east" wasn't an excuse for 9/11. "They are invading iraq" wasn't an excuse for torturing captive American soldiers or hurting American civilians. "Afghan civilians had it coming for harboring talibans" wasn't a valid excuse for droning them either.
And so on.
Not that this kind of pretty bad take hasn't been pervasive in the past month. It's just funny in a horrifying way to see a century worth of lessons just evaporating in 3 weeks. Just go on any social media and you will see the exact same argument used to justify and even promote literal war crimes against the russians because they started the war. But no, even an invading soldier does not deserve to be tortured.
It is a cyber crime. I would assume that if the victimes were e.g in the EU there would be an attempt to prosecute.
Which leads me to my next point: an essential attribute of a state under the rule of law is that the law is applied impartially, irrespective of who the victim and the perpetrator are. Doesn’t always work out, but it’s certainly what most people find fair and what we strive for.
That will keep happening if we build solutions on top of obviously unsafe platforms, ignoring incident after incident. It’s not like this is the first time and it’s not like people will now suddenly learn from this. Blind software updates like yarn upgrade, brew upgrade etc, happen every single day.
Almost like “the norms” don’t apply when the situation is not normal?
Authoritarians pursuing military conquest and territorial expansion hasn’t been “the norm” for the past few decades. The world is changing with Ukraine and Hong Kong, and soon Taiwan.
Not saying these examples in the article are all models of how we should design things in the future. But the world is changing and norms will change alongside it.
I guess this is the Mandela effect because I can remember a few instances in my lifetime of larger countries invading smaller ones in contravention of international law.
You missed his point. The original comment said that territorial wasn't exactly the norm and that it's pretty unique situation. The person you replied to then said that they can recall quite a few invasions, disoroving that assertion. Nobody is justifying anything, there is no need to be so defensive about it.
According to whom? According to Putin, they invaded ukraine to "denazify it". On the other hand "US invades country for oil" is a pretty popular narrative on the internet.
I don't find it super convincing that our version is better because we merely aim to install a friendly government rather than annexing territory directly. We already did that. There isn't much more to annex.
Even if you want to support Ukraine, some things have certainly gone to far, like discriminating against anybody and anything with Russian origins (professor being told to not teach Dostojewski for example, as posted on HN a couple of days ago).
And demonstrating the international monetary system is not reliable at all, not sure it is a good thing.
I find it hard to attribute the sad state of the academic freedom in academia (as in, none at all) to anything to do with Russia. It was dead long before Putin decided to mess with Ukraine for the first time. Right now censorship is just being deployed for a newly fashionable cause, but before that it was dozens of other causes, and no doubt once Putin finds his ignoble end, it will find dozens of new causes to pursue.
RF propaganda claims West is an enemy and most of the population is brainwashed. 70% of RF population supports "special operation". RF rectors supports war. RF military can't even defeat Ukraine, it specifically bombs civilians causing terror, thousands dead, millions displaced already. It is threatening to nuke. Extraordinary cases requires extraordinary solutions.
So everything that's been happening in the Middle East is to be ignored? Do we only consider the norm disturbed when a non-brown country is invaded and destroyed?
The “norms” were rules which were developed after everybody saw what the alternative looked like. Humans have a lot of rules around conflict and fighting because it’s very costly for everyone to have an all-out war.
Also we need to account for all Ukrainian software developers. Is it not their right to defend against Russian invasion by targeting Russian software development? Should they welcome Russian invaders with open arms and help them to write better software to occupy Ukraine?
If it were a Ukrainian guy who did this I think it would be much less controversial. It’s good and proper for people being invaded to fight back with whatever means are available to them, but it’s a problem if we end up in a place where major conflicts have to escalate into global cyber war.
(I should mention that Russia already does tolerate destructive hacking against the West, and has been doing so for a while - that doesn’t change my opinion, but it would be unfair not to note.)
Is it the Juba sniper's right to shoot American soldiers in the head while standing outside their vehicle in downtown Baghdad?
On the one hand, I cannot deny the right of Iraqis to defend their territory from a criminal war of aggression. But do I need to stand up for what he is doing? Should I put money in his paypal account? Do I have to agree that all soldiers are legitimate targets, even when there is no military objective other than "exacting a cost?" Can I ask who pays that cost? Is it the war criminal George Bush, or just some grieving American family somewhere? If twice as many families have sons, brothers, fathers taken from them, would a future George Bush think twice?
Back to the topic at hand. Of course we can understand the motivation but at the same time the question for us is whether we in the open source community want to preserve software as a humanitarian sphere which is not necessarily neutral in conflict but, at least, part of civil society and not involved in or drawn into cyber-warfare as far as possible.
That fact that hostilities have broken out does not mean that everyone has to camp at one ridiculous extreme (kill them all) or another (total capitulation) and it's perfectly reasonable to try to find a path between them which is consistent with our own moral and ethical code.
it's pretty gross if you ask me. i don't think that throwing stones at the people in a nation where the government is misbehaving helps much anything at all. on the contrary, all it can do, is harm.
I think it’s a bit counterproductive when you can probably safely assume that most of the people affected by this were probably already on your side.
But putting pressure on people to make them do what you want is a fairly accepted strategy. Hell, Russia is following the same strategy, except they’re dropping bombs and missiles on cities, which also (even mostly) impacts civilians that have nothing to do with the war.
As much as it sucks, it’s the only way to retaliate.
Certain things should be a-political. Like the international space station, football, and open source software.
But a software development has yielded to demands that it adhere to causes. Redis isn't just a key value store, it's engaging in anti-racism by removing terms of whiteness, like "master" and "slave".
And here we are. Uninstall nginx, unless you're a fascist that supports Putin! Did you hear? Russia is using leftpad.js! Quick, unpublish the repository in solidarity with... We have to reduce harm! No one is neutral! You're for us, or against us!
Lending software to "social progress" leads to the insane place we are today. (And not to mention, it hasn't achieved much.)
No, my software isn't a tool for your social goals, noble as they may be. And that doesn't make me a bad person.
I think this is a straw man. It takes the relatively lukewarm “master/slave terminology should be moved away from” and somehow uses it as an example for “if you use ngix you support Putin”. Please consider actually looking at reality how it is, instead of how it might be if it was convenient to bash.
States will never allow a-political things to last for long, there's just too much money and power involved. Even the Olympics has been coopted - the event was created on the premise of reuniting warring nations around sport.
I understand that all of this may seem annoying to those that like to bury their head in the sand but where's this energy and label of "weaponisation" when OSS is LITERALLY used to build weapons e.g openCV being used for mass surveillance & ardupilot/OSS drone projects being used to make tear gass deploying drones?
Changing the license is weaponisation?? It's the bare minimum and least intrusive. And then you all complain when someone tries to implement a Hippocratic or Do Not Harm license. "WEAPONSIATION"?? Really?
The lesson of all this is to keep an eye on your supply chain. Simple as. I think it's a sign of entitlement when you expect OSS devs to build you robust and reliable systems then leave the rest of themselves at the door.
It may be an odd idea to comprehend for someone whose culture stems from and still closely relates to mainline Protestantism, but you can actually believe that someone has a right to do something yet disagree with the action.
Well, yes. But this goes (or did, before the author fixed it) against the most widespread and accepted definitions of FOSS (nobody from the OSI or FSF would accept this as a free licence, and those are the two major camps), so it cannot be considered a FOSS licence that most people would accept.
It makes one wary, too. The weaponization of Open Source is very dangerous and sets a bad precedent. So Russia are the bad guys now, but who's next? Are you sure it's not going to be your country?
Think about this: forget Russia, a good chunk of the world thinks the US is a bad faith actor on many occasions. Would it still be a free license one that forbid people from the US from using the software?
There have been licenses that do this same kind of stuff before. There have been dozens of variations of FOSS licenses over the years that prohibit things like use for nuclear facilities, use in weapon systems, use in genocide, etc.
That's not to say I think any of this is a good idea. I think it's insanely naive to try to contractually block a dictator from using your software in the first place. Do these people think they're going to sue the dictator in the dictator's court? The Russian government is already considering legalizing piracy of proprietary software to evade sanctions; they DGAF about these licenses.
I mostly just think that the OSI and FSF's "all or nothing" stance on some topics is a bit extremist. A hypothetical license that said "You can do anything with this software except launching missiles at kittens" is pretty damn in line with the spirit of FOSS, even though the OSI or FSF would never approve it. I understand they take that ideological angle because they are thought leaders and need a clear message, not a slippery slope, but this is where I think it's reasonable to be reasonable.
I think it's better to criticize these types of "weaponized" FOSS licenses by pointing out that they're entirely ineffective wastes of time. There are plenty of real merits to undermine these licenses, which is why they haven't caught on previously. Saying "that's not open source" is just like a chocolate snob telling their friend that their Hershey's bar is "totally not real chocolate"
That being said, we're beyond the realm of software licenses in this conflict anyway. Sanctions have already started cutting people off from FOSS projects, regardless of license.
> There have been dozens of variations of FOSS licenses over the years that prohibit things like use for nuclear facilities, use in weapon systems, use in genocide, etc.
I'm not aware of any FOSS license that states things like that. I think you're wrong.
> A hypothetical license that said "You can do anything with this software except launching missiles at kittens" is pretty damn in line with the spirit of FOSS
No, it's not in line with the spirit of FOSS, but rather against it.
I understand that you have this vision about a kind of license you would like for software. I cannot argue with that -- it's your vision and it's your right to have it. The problem is that it's not any kind of FOSS license that is recognized as such (i.e. as FOSS) by the wider community. You can call it FOSS but nobody else will.
> The problem is that it's not any kind of FOSS license that is recognized as such (i.e. as FOSS) by the wider community. You can call it FOSS but nobody else will.
There is evidence to the contrary. There are popular community supported projects that are often colloquially described as open source which use licenses that are not OSI/FSF.
Your evidence is incorrect. None of those are FOSS licenses. If you google their names, you'll see each sparked controversy, and ultimately the SPDX doesn't exclusively list FOSS licenses.
Ultimately they infringe on the most basic right: to use the software for whatever you want.
> There are popular community supported projects that are often colloquially described as open source which use licenses that are not OSI/FSF.
Nobody cares about "colloquially". Colloquially, Microsoft in the past tried to pull a fast one and pass their Shared Source initiative as "open source", which it wasn't.
FOSS means something. None of the examples you gave are FOSS.
> Your evidence is incorrect. None of those are FOSS licenses.
I said “variations of FOSS licenses”, which is precisely what I provided examples of.
> Ultimately they infringe on the most basic right: to use the software for whatever you want.
Unless of course, “whatever you want” includes not publishing your changes. Copyleft does not permit people to do “whatever they want”. It places specific requirements on people who use that code and punishes them under penalty of copyright law if they do not.
You’re touching on the reason that some people prefer public domain waivers instead of copyleft licenses. If you want an example of disagreements in FOSS: case in point.
> FOSS means something. None of the examples you gave are FOSS.
There are factually multiple definitions of what falls under the umbrella of FOSS. FSF and OSI are certainly prominent. There are other individuals and organizations who disagree.
I think it’s kind of funny that people want to argue that the majority opinions on licensing are the only valid opinions on software licensing. That’s exactly how people dismissed RMS in the 80s and 90s.
> Unless of course, “whatever you want” includes not publishing your changes. Copyleft does not permit people to do “whatever they want”
You can absolutely not publish your changes, where did you get the idea FOSS forces you to publish? FOSS imposes restrictions upon distribution; you're free to use the software however you want if you keep it to yourself.
> I said “variations of FOSS licenses”, which is precisely what I provided examples of.
In that case, you introduced something irrelevant. A variation of FOSS which introduces changes that break the fundamental tenets stops being FOSS. Hence, you cannot get away with using the term "a variation of FOSS", because it's a variation that happens not to be FOSS.
Your other opinions of why people like or dislike this or that license or philosophy, comparisons to RMS's early days, etc, are all red herrings. They are worth debating, but completely irrelevant for deciding what is or isn't FOSS.
A license that restrict usage by Russians, or in nuclear reactors, or that requires you to first agree abortion is wrong (or right) is fundamentally not FOSS. Whether this is a good or a bad thing is on you, but also irrelevant in this context.
> Saying "that's not open source" is just like a chocolate snob telling their friend that their Hershey's bar is "totally not real chocolate"
I don't think this is a great comparison. Open source has a particular, commonly understood meaning, just like chocolate does. When I say "this is not an open source license", I am not saying that it doesn't meet some kind of quality standard, or that I just don't like it. I am saying that it is a deceptive label that contradicts the common understanding of the term.
If an author would like to relicense their open source project to exclude certain groups of users, why must they insist on using the open source label? They ought to be proud that they reject open source norms. Why would they want to associate themselves with projects allow dictatorships to use them?
I have written software with a license that allows for noncommercial use only. I label it as freeware (which clearly communicates "you need to check the license"). I have no desire to label it as open source, because I do not wish to mislead people who have a coherent and widely accepted mental model of what that entails. I am generally suspicious of the motivations of people who would want to muddy the waters with unclear labeling.
There is a perfectly honest way to address this, as esr did: invent a different term. If you can come up with a short, snappy term for "source-available software that allows for open-source-like use for certain classes of people", then use that, and don't lie to your users.
> I don't think this is a great comparison. Open source has a particular, commonly understood meaning, just like chocolate does.
I’m using that example because there is disagreement about the definition of chocolate. Here in the US there are some things called chocolate which are not called chocolate in other parts of the world. How much cacao is required? How much milk solids are required? You will get different answers from different organizations. All of which, claim to be an authority.
In my opinion, these changes are effectively supply-chain attacks in their execution. That would make them bad regardless of how correct their expressed positions are about the Ukraine war.
The fact that there has not been a strong push back confirms my suspicion that by now, everyone has gotten used to Node and NPM being insecure and silently accepted it as a way of life. Similarly, those Terraform scripts are apparently esoteric enough to only be used by a tiny minority of software developers, or else we would have heard about it in a different way.
Thank god nobody did similar shenanigans to open source projects that are actually in wide use :)
Apparently I didn't make that part clear enough: This is a supply-chain attack against EVERYONE using their project. Those users will be 99% innocent civilians.
I might one day have an IP that is accidentally mis-classified as Russia. I mean those Geo-IP services are only like 95% accurate and they go out of date pretty quickly and updates are expensive. Plus .RU VPN services used to rent subnets in the US all the time. But then all of my files get deleted because someone wanted to make a point. So then I'm collateral damage in someone's remote fight in a war that neither of us were actually involved in.
Your argument is a bit like saying "It's OK to use chemical weapons because we're the good guys." They are not banned to protect soldiers, they are banned to protect civilians. And most likely, node-ipc's patch will hurt much more innocent civilians than it'll hurt Russian soldiers. It's the software equivalent of indiscriminate bombing.
> In my opinion, these changes are effectively supply-chain attacks in their execution. That would make them bad regardless of how correct their expressed positions are about the Ukraine war.
Well, yeah. War is bad. On the spectrum of war badness, obviously, these pranks are pretty mild. But they're bad. It's a bad situation. When at war, people are forced to do bad things to prevent worse things. That's why starting wars is very bad.
Now, sure, you can argue about the semantics about "who" is at war, or whether these npm authors are "really" at war, or why they "think" they're at war, or whether they "should" be at war. You could also get into a discussion about whether or not this tactic is effective (and I'd agree it's hurting more than helping, btw). Go nuts.
But that doesn't change the fact that this is an action in support of a war effort. In wars, principled stands don't win. If you want a particular outcome, you have to pick a side.
Fighting against bad actors is definitely a 'principled decision'.
Ignoring the situation and not taking action is an 'unprincipled decision'. Though it might disguised as principled action, on the basis of supporting some other principle, such 'open source', but ignoring one at the expense of another implies serious lack of self awareness.
This war, plus COVID, and the recently released documents indicating a planned invasion of Taiwan (though we don't know for sure) - represent major geopolitical shift of the order of WW1/WW2/End of Cold War, the stakes and consequences are enormous.
That's sort of a semantic argument. To be clear: I was contrasting "choosing a side" (in this case by senselessly pranking your npm customers) as being a "practical" choice, vs. the "principled" stand taken to avoid the conflict out of a general sense of open source decorum. Obviously in some sense all decisions are based on "principle".
And the point is that it's a war. We've crossed the "bad things are going to happen" Rubicon already. You can't make principled arguments like that against people who have chosen to engage in a war out of the hope or desire for one side to win. They already did that moral calculus. It's like telling someone they shouldn't defend their home because pacifism is more important. You might be right, but you won't change anyone's mind.
> But that doesn't change the fact that this is an action in support of a war effort. In wars, principled stands don't win. If you want a particular outcome, you have to pick a side.
I picked a side. I will take care that npm is not installed on my computers. Take your political sh*t out of my computer.
The premise behind your position is clearly that "politics" is some kind of meaningless distraction to the "real" business of shipping software. But... isn't that backwards? It's a war. People picked a side.
The idea that unilateral military invasion is merely "politics"[1] is... very strange to lots of people.
[1] In the sense of triviality you clearly intended, c.f. Clausewitz again.
But none of these people picked a side in any of the other currently ongoing unjust occupations, or any of those in the recent past. So clearly you don't need to pick a side.
I think you have it completely backwards. You should not involve yourself in any war that you don’t personally want to fight and maybe die in. You do NOT have to take a side. You can oppose the war, or one or both sides, even vocally, without entangling yourself in the war.
If you choose to become an actor in a war, then you also open yourself up to being attacked. There is only one kind of actor in a war- combatant.
Consider the maintainer who did the “delete all files on servers with Russian IP addresses.” This could be construed as an act of war against Russia. Would Russia be wrong to commit acts of war against this person? If the server performed some life critical task like operating hospital equipment or air traffic control or whatever, this change could have resulted in loss of life (so many mistakes in using JavaScript in such cases but set that aside for a moment). If lives were lost as a result, would Russia be wrong to use lethal force against the maintainer?
Disclaimer (sad that you have to add this these days; it should go without saying): I only use this as an example. I think Putin is a thug and I think that it goes against most westerners’ values, mine included, for nation states to preemptively invade other nation states. I’m not apologizing for or justifying any act by Russia. I have deep sympathy for people in Ukraine who just want to live their lives and not be killed or have their stuff destroyed.
RF kills people for any or no reason. Why you worry about that? If you think that when you don't attack RF, then they don't attack you, you are wrong. You are member of rotten West, your country is a member of evil NATO, you are speaking non-russian language, and you are spreading anti-russian propaganda. You are danger to Russian Civilization. They will kill you, but their ressources are limited, so stay in line.
>Would Russia be wrong to commit acts of war against this person?
>If lives were lost as a result, would Russia be wrong to use lethal force against the maintainer?
Yeah, unless they want to admit that they’ve been waging war against the entire western world by allowing their homegrown ransomware groups to operate with impunity.
If we go by your logic, Western countries should have turned Moscow into a giant glass parking lot after NotPetya, a destructive wiper worm released by the Russian government targeting the entire world.
And there are levels of warfare between "nothing" and "nuclear", in case you hadn't noticed. And North Korea and China are doing state-sponsored attacks against US targets, commercial and government and military. It's not clear to me that NoPetya was state sponsored, it's ransomware. The RF is not a bastion of law enforcement and justice; I agree that they do a terrible job of controlling organized crime activities, both cyber and non-cyber.
You're implying that wars have no rules. This is very much not true, not legally and not morally. You should read the 4th Geneva Convention to disabuse yourself of this dangerous misconception: https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/INTRO/380
>In wars, principled stands don't win
And excessively unprincipled stands can get you sent to The Hague to be prosecuted for war crimes.
Now, I'm not saying that deleting some files is a war crime. What I'm saying is that your reasoning for why it is legitimate is flawed.
I even doubt that you would agree with your own reasoning given some other examples. E.g., would you not agree that while we can ask McDonalds to stop doing business in Russia, it would be a crime for them to start poisoning their Russian customers?
> E.g., would you not agree that while we can ask McDonalds to stop doing business in Russia, it would be a crime for them to start poisoning their Russian customers?
In the current climate I am not sure anymore that people would disagree with poisoning Russians. Here in Germany they started to purge everything Russian (except people) and also agitating against Russians in general. It feels like we learned nothing from WW2.
From what I've seen there seem to be worldwide movements in that regard, that are even overboard for cold war propaganda.
I've seen a few people in the media specify that the war's about Putin's aggression, rather than Russian aggression. But I doubt that they're the majority. Russophobia sells better. We've got people vandalizing businesses [1] and sending threats in the US as well. That doesn't help anyone in Ukraine, if that's really their goal. It certainly doesn't affect Russia's economy if a restaurant in another country takes a dive. The point of the sanctions is to hurt Russia's government (and therefore their military). There's a cost to sanctions as well for Russian citizens who have nothing to do with the war, but I've yet to see an alternative solution beyond escalating the conflict.
> And excessively unprincipled stands can get you sent to The Hague to be prosecuted for war crimes.
Unless you're from the US, in which case the US will invade Netherlands to get you out of there. Apparently, there is a law (from 2002 IIRC) which allows the US to do this legally.
Same goes for Russia, China, Iran, Saudi Arabia, and a lot more countries that did not sign (or ratify) the Rome Statute.
> One of the principles of international law is that a treaty does not create either obligations or rights for third states without their consent, and this is also enshrined in the 1969 Vienna Convention on the Law of Treaties.[149] The co-operation of the non-party states with the ICC is envisioned by the Rome Statute of the International Criminal Court to be of voluntary nature.[150]
For Russia, China, and the US there's literally nothing that can be done: while the "members of UN Security Council" are "compelled to co-operate" with the ICC, these members can veto anything that comes up.
In other words, if you're from one of non-signatories, you can willfully kill, torture, subject to inhumane treatment, perform biological experiments, steal and destroy property, take hostages, unlawfully confine, transfer, and deport, and even willfully cause great suffering without fear of any kind of prosecution.
Does Geneva Convention make a difference? I only learned about ICC and Rome Statute, and it was disheartening enough for me to stop reading, so it's a genuine question.
Yes I think it does. Whatever the limits of enforcement, it means something that all the countries you mention are signatories to the Geneva Conventions I - IV.
Even if these countries refuse to extradite their citizens to The Hague, it doesn't necessarily protect war criminals from prosecution in their own countries. They are still breaking the law.
Several countries have implemented some form of Universal jurisdiction for severe crimes like genocide, meaning their courts may prosecute regardless of nationality of the accused or country where the supposed crime happened.
Of course the practical problem is getting hold of the suspected war criminals.
Right, and apparently all signatories to the Convention have an obligation to prosecute people who commit "grave breaches" of the conventions, no matter their nationality and the place the crime took place. So, if a commander from X commits the crime, and the X refuses to prosecute him, he can be legally captured and tried as soon as he visits another signatory country. This is better than just the ICC, definitely (if I understand it correctly).
Your argument creates dangerous implications. If a programmer creates targeted malware as an act of war - wouldn't that make him a valid military target? Would Russia be legitimised to carpet bomb wherever that programmer is supposed to live in retaliation? If not, would they be legitimised to capture and execute him - because he certainly isn't a legitimate combatant?
There is so much wrong with this situation. Are developers who do something like delete-based-on-IP liable for some sort of civil or criminal penalty? Attempting to do active harm to a computer surely can't be legal.
I agree, but I also believe communication should be consensual. That is, the recipient must give consent to install the malware. Otherwise the transmission is a commission of fraud against the recipient.
That said, such a law is difficult to enforce, in a justice system as moribund as ours, so instead we rely on (probably wrong) heuristics about what specific behavior makes us safe, and indeed, whether or not our resources have already been breached. Such behavior is what drives the overwhelming dominance of GMail, which is itself a remarkable tool with which to learn about any person group corporation government on the planet. So in terms of utility its hard to argue that malware is a good to society. Write a malware that installs a patch to prevent a 0-day in known use by a state actor, then I will be a malware fanboy. Not until then.
There's a big difference between publishing the source code of malware while clearly stating that it's malware, vs publishing trojan malware on NPM while knowing that it will be automatically installed by a bunch of package managers and cause damage. The former is fine; the latter is clearly malicious and is or should be a crime.
/s the real crime here is the way so few people seem to think it is important to pay attention to their dependency tree....
But in all seriousness, that was one of the most jarring things I found when switching from a Java/Maven stack to JS/NPM. Both Maven and NPM offer similar features for managing dependencies, but anecdotally I found the folks managing Java projects to be a lot more obsessive about carefully managing their dependencies while in the NPM world, it seems almost to be a "best practice" to just use open ranges for your dependencies and automatically update them...
You're thinking about it from the wrong perspective. Yes, publishing software can be thought of as expression, and that's protected by the constitution. But publishing malware as benign software, without disclosing it is fraud/deception, and that shouldn't be allowed. The legal system protects freedom of expression, but still allows you to get punished for deceptive speech that's harmful (ie. fraud/libel).
Those words are not some sort of magic spell. Licenses can't override law unless the law explicitly allows them to, and the law generally distinguishes or tries to distinguish between honest mistakes and malicious behaviour. IANAL and laws differ between countries so YMMV.
This isn't enforceable in quite a few jurisdictions anyways. The best you can do is "No warranty to the extend permitted by law" at which point this specific use case is pretty much no longer relevant.
So... Sony's rootkit was a-okay in your opinion? Or have you just not given any thought to your position at all? Because that seems to be pretty common among utilitarians who are somehow perpetually surprised by blowback and "unintended consequences". It really strains credulity, the whole "unintended" defense, when you've got people pointing to the predictable outcome. Analogies are rarely helpful in technical discussions, but who knows - maybe this time will be different: boobytraps. Boobytraps are a major no-no, and have been for a very long time, regardless of whatever mitigating circumstances you can dream up (deep in your property, posted warnings, etc). This node dependency was a boobytrap. You can try and justify it by pointing to licenses, concepts of developer IP ownership, etc - it is still a boobytrap. There is no talking your way out of it, in the same way that you wouldn't be able to talk your way out of injuring a trespasser who scaled your fence and triggered a mousetrap rigged 12ga-shell while breaking into your storage shed. This case is even worse - its more like allowing the public to wander onto your property for years to access your free petting zoo, before one day deciding to bury landmines all over the place and post a sign informing people that you take no responsibility for the resulting carnage.
"Publishing malware is, and should remain, protected expression."
If it is advertised as malware, yes. But if it is advertised as a working open source project - but in reality is malware, then this just destroys trust into open source in general.
I guess it is good, that these things come up, to think about why we trust the dependencies and repositories and their maintainers.
Because it seems, no we cannot just trust them. And now I am more conscious about it.
It was not advertised as a "working open source project". In fact, quite the opposite. From the license:
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
Its fitness for any particular purpose was expressly disclaimed, in all caps.
I'm not sure what people think they did wrong here. You're allowed (and should be allowed) to publish malware, it is up to consumers to not install software they don't want to run.
What more warning could they have possibly posted beyond this one?
And as far as i can tell they bumped up the major version by a digit. Whether or not that counts as a "Bright red warning" i don't know but personally i believe that a warning notice + a major version bump should be enough. Those who don't care about that would most likely not care about a bright red warning on the repo page either.
It's clearly a questionable thing to do, but is it illegal?
iirc npm has support for pinning dependencies, you just have to remove the “^” at the start of the dependency version. Is there a global option in npm or yarn or pnpm? Why don’t they make this the default?
We're building Socket to stop this exact type of attack. See https://socket.dev
Socket turns the whole npm security problem on its head and asks: what if we assume all open source may be malicious? Can we proactively detect indicators of compromised packages? What's the simplest way to mitigate this risk without hurting usability?
Socket seems interesting. I just installed it on some of my repos.
In your FAQ, it says "We're working to make Socket the best open source security tool.", this was confusing for me, as I got the impression that Socket's codebase is Open Source, and I went looking for it.
Maybe "We're working to make Socket the best security tool for open source packages" would be less confusing.
Great feedback. I initially understood socket was open source as well, which would have prevented me from using it to secure open source projects? circular argument :)
How do you detect compromised packages?
What indicators of compromise do you use?
Is Socket itself open source?
Can I run it locally on the command-line?
We look at the behavior of packages, what APIs they use, and how that changes over time. The list of issues we currently look for is here: https://socket.dev/npm/issue
Socket’s not open source at this time, but we’re releasing a CLI in the coming week if the GitHub App doesn’t suit your purposes.
That's actually interesting, I will look into more details to see if we can integrate this into our systems. Do you have any avaiable technical documents so we can get a glimpse of how Socket is working, or is your Blog the best place to start?
Working with NPM every day, that’s kind of how I look at it. Maybe my computer will be randomly wiped one day, but it’s not something you can worry about if you want to retain your sanity.
> it's not something you can worry about if you want to retain your sanity.
I build my nodejs/npm stuff in containers. Actually I build almost everything that way.
There are a lot of advantages in addition to the security gains, such as that I don't need to rely on every javascript programmer in the world understanding semver (they don't, and I have wasted more of my "sanity" on tracking down API changes and sloppy type contracts than I ever have spent cleaning up after malice.
I hate to burst your bubble, but Anton Babenko's terraform modules are extremely popular. The difference here is that he added a input with a default value to a specific release version. Generally, if you're using terraform professionally you'd either fork or mirror the module and pin to a specific version. In such case this change would not affect you. If you had e.g. something in development calling 'latest' version of an impacted module you again would not see this. It's an optional argument that defaults to a value causing no outward change in behaviour.
I'd bet you that 95% of all programmers can't even explain from memory what exactly Terraform is.
Case in point, I have no idea. I know it's something related to the cloud but none of my clients are using it.
And their Wikipedia article is filled with buzzwords and no explanation of what it does, which doesn't exactly give me confidence that it'll be useful for regular companies. "Infrastructure as code"... so Ansible or docker compose? In any case, you don't need it if 2 HA bare metal servers do the job.
I’ll try: Terraform replaces all the actions you’d do in the AWS (or other cloud provider) console or API with declarative configuration code. This means you can parametrize it, version control it, compose it, etc. and generally treat it like code.
It would be overkill for many things that have a single, fairly static configuration, but for things like ensuring that a dev and prod cluster have the same configuration, it’s a lifesaver.
It is also awesome, easy to use and very convenient. If you are configuring anything through AWS web GUI, you should give Terraform a go, you won't regret it.
> In my opinion, these changes are effectively supply-chain attacks in their execution. That would make them bad regardless of how correct their expressed positions are about the Ukraine war.
What’s the logic here? Why are supply-chain attacks inherently bad?
So, are the sanctions which attack other kinds of supply chains in Russia also bad?
I don't want to hear anyone in this country [the US] complain about the Electoral College or gerrymandering the next time we decide to pull another Iraq War but they're opposed to it.
Just like, overthrow the government - it's so easy!
And if you don't have the guts - well, don't be mad when someone deletes all your files, you collaborator!
Average Americans most definitely benefited from US military shenanigans but that kinda besides the point here I think. The main point is that "just overthrow your government, bro" is not a thing people can go out and just do and these comments make it seem that they're negligent if they don't start doing it right now. "Just do it, bro. It's so easy"
The point of sanctions is to make doing nothing worse that doing something. If the USA was economically isolated as a result of it's invasion, I'd be willing to bet the iraq war would've finished much sooner
If Americans were singled out by the entire world, forbidden from traveling and targeted by even the software the install it would have just led to much much more patriotism and unity. There is no better way to unite a divided group than to target it as a single entity. Makes it a lot easier to set aside your differences and a lot harder to dissent within your group. That's what happened after 9/11, no one paused to think what actions lead to that event or the geopolitical context. It just united every American overnight.
In a way that already has happened in Russia. The sanctions did not lead to less (or more) support for the war. The initial sanctions were justified as they targeted the russian state, but the knee jerk reaction of also imposing sanctions that explicitly were aimed at the population lead to nothing but resentment against the west.
Whether you are on the morally right side or not, it does not matter in that context; you cant really debate your way into convincing someone that you are doing something for his own good when you are doing everything you can to also make him suffer
If the intention is just to hurt them for the war, then sure that will work as intended... but I think it's dishonest to pretend we are doing it for anything more "noble" than that
Ok. So we should hug and support Russia in those difficult times and it will inevitably result in lowering Russian patriotism and becomming more westernized? Because we were trying to do for the last 3 decades and nothing like that happened. Russians are very patriotic and strongly support their government when it confronts the western world by bombing civilians.
If nothing works I prefer to apply punishment in hopes that smart Russians emigrate and Russia will crumble. And yes, punishment should affect more civilised and smarter Russians too to either motivate them to clean up their country or leave it.
No, not at all. My only argument is that we can't pretend it's all just for their own good because it will make them finally see the light and get rid of their government. That's just not true, it won't happen and I think it's just something people say to themselves because they aren't comfortable with the reality that they are pushing for an entire civilian population to suffer.
It's war, so again no moral judgment on that, but sugar-coating it is even worse than admitting the truth.
A bit off topic but if you think the west was supporting and hugging russia or ukraine in the 1990s and 2000s, you might need to revisit how we got here.
It's for their own good because result of that is them getting out of dictatorship rather sooner than later. And it's a greater good than enjoying conveniences of life while living in a dictatorship.
Why would that result in changes in their political system? And sorry but your last sentence is clearly coming from a very... western perspective. It's only true until it's you actually face hardship. I'm sure for most people security is more important than ideology or freedom; even in the west we saw in the past 2 years that a huge chunk of the population was willing to trade pretty much any right or freedom in exchange for safety.
There's just no need to pretend it's for their own good when it's trivially easy to prove that sanctions rarely lead to the end of a dictatorship. Just look at Cuba,Iran,NK or even venezuala.
no, not true at all in any meaningful sense. American taxpayers pay for the military budget; that some of that money comes back to some as wages does not on average mean that average Americans benefit.
Not quite. Anerican corporations made a steal in Iraq. That country was robbed.
And pushing America's economic interests like prolonging dollar as main currency of resource trade was huge benefit to every USA citizen because main USA export is the dollar. That's why USA van run deficit for decades and be the richest country on Earth.
Not sure if that will motivate them to dethrone the dictator. But this will most likely impact their work and may as well make them more nationalist in the process. And at the same time open source's reputation suffers in the process.
Why should someone be obliged solely due to where they were born? I'm sure there are many incredibly competent de-throners in Europe, surely they should also get out of their chairs and help?
What does that supposed to prove? They got rid of Russia sponsored corrupt dictators, had a bit of politicsl turmoil after that. They got their first good president in 2019. Then there was pandemics that raised the level of corruption in nearly all countries. Especially those weaker in that department.
And you are going to judge what system of power Ukraine has based on 2021 datapoint?
How quickly did your country got rid of corruption that plagued it?
It's a process that just stars with replacing corrupt system of power. You need to adjust whole public sector after that. It can take decades.
We don't need courts, we just don't give them the stuff, and pressure those trying to 'sneak them stuff' to stop. Much like Aribus/Boeing is telling anyone that is thinking of providing parts and service to those 100 Jets that they are cutoff if they do that.
By that logic, any harm to any Russians, even those living outside of Russia but e.g. sending money back home, would also negatively affect the development of the Russian economy.
How far would you follow that logic? Which Russians should be harmed, in your opinion, and how much?
I think that's a different logic from what the comment that I was replying to was trying to convey.
BTW, you should know that sending money to Russia is almost an impossibility as it is. For example, living in Russia, I couldn't accept a consulting job from Kazakhstan because we couldn't figure out a way for them to pay me.
We live in a world of grey so the 'everything is grey' logic doesn't help.
We have proportionality, we draw lines, we target individuals differently that government than industry than high tech that commodities than consumer services etc..
In my view, we should be doing much more, borderline embargo.
Russian military gains in Ukraine will never, ever be conceded by anything other that either force or 'near collapse' of economic conditions (or overthrow of regime).
Russia can 'put bodies' in Crimea, NW of Kyiv basically to act as targets forever, Kyiv doesn't have the manpower to route them even if they can defend themselves.
Strategically, this implies Russia can merely endure some local pain and make permanent territorial gains.
In 10 years, this war might be like Afghanistan or Iraq, something that '55-75 demographic' watches on the news but otherwise everyone else is busy on TikTok - which is what Putin wants.
He can definitely win the war of attribution because he has a much longer frame view of things, and is willing to pay the cost of 'No Volvos or Starbucks for 25 years'.
Other nations that play the long-tame (like China) are watching.
Same reason that you shoot at enemy conscripts in a war, drop bombs on enemy cities. Same reason why Russia is now being subjected to sanctions. To undermine the Russian economy in a non-violent manner.
Whether or not it results in political change is irrelevant - a crippled Russia is a sufficient end all in itself, just like dead soldiers are a sufficient end all in itself during a war. Wars rarely end with a government being overthrown, but they do often end when a government decides that peace is the better option. Bombed cities, dead soldiers, and starving children are the calculus that pushes governments towards making that decision.
Unless you're targeting military forces or infrastructure in those cities, bombing civilians is a war crime. Of course, who gets tried as a war criminal or not mostly depends on who wins
In wars between industrialized nations, most civilian infrastructure is dual-use. A factory makes widgets for a factory that makes widgets for the army. A highway is used to ship military supplies. A port unloads military supplies. An oil refinery makes gasoline for civilian cars... and diesel for tanks.
I'm not saying how I think wars should be fought. I'm describing how they are fought.
Given that our militaries don't balk at drone striking weddings and funerals, I can't see how they would take much issue with dropping a couple hundred bombs on a refinery, or a rail yard, or a line of tanker trucks. Which are all things that have been done since 1945, and as far as I'm aware, nobody has been dragged off to the ICC for it.
Everyone except for the very jingoistic few balks at drone striking weddings and funerals. Everyone hates that! So maybe that's not the modus operandi to which we should compare OSS strategies.
Maybe everyone in your and my social circles, but that speaks more about our bubbles. Half this country is completely fine with doing it... In a war that we had no reason to even fight!
I imagine the rate of support would be higher if it was a conflict where we weren't the aggressor.
But most Russians affected by these aren't shooting back. They aren't conscripts or have anything to do with the war (doubly so now that sanctions are in effect).
Shooting at solders trying to hurt you is one thing, but that's not what's happening here.
> Me refusing to transact with you isn't a war crime.
You refusing to transact with me isn't a war crime, but your line of thinking where normal citizen activities are similar to conscripts shooting at you can certainly lead to one.
It's one thing to target citizens who work on applications for the military, and another to target open source devs because they happen to be Russian. If you can't acknowledge this distinction then I'm afraid we have to agree to disagree.
Also please don't put words in my mouth. Strawmen will get us nowhere.
Such precedents simply indicate immaturity of the developer behind it.
I hate XXX (insert any English speaking politician from Western World), yet I am speaking in English. Shock! Tools are a-political. Could you believe that?
I'm currently studying and trying to learn the russian language and I think this argument is a bit of a straw man. I don't think people in general would suggest you're evil for learning a language. Obviously you would find such people on Twitter or Reddit but not in the real world I don't believe
just like sometimes we prefer to reason on limits rather than on concrete values, I believe some straw mans are "useful limits" to reason about some concepts
> My problem is that this weaponisation is killing off trust.
Trust that all programmers started to place in open source maintainers maybe a decade ago out of sheer lazyness is absolutely insane.
Pulling freshest code out of thousand libraries automatically into the medium security project that you are building is absolutely crazy.
It's inviting thousand strangers to run code on your machine which contains your comercial creation and data. Without any protection whatsoever besides "trust" which is just another word for laziness and being hopeful.
The faster we can ditch this trust, the faster we will develop actual protections, vetting processes, delaying updates, caching, forking, so we can isolate our work from the thousands of wonderfull people all of which are one bad day from wiping all your files.
Actually things are working quite well! These events remain remarkable news items. There are tremendous benefits to having an ecosystem built on trust and mutual assumption of good will. Transforming this into a scar tissue bureaucracy after some minor cuts is only one of several options. Another is to make choices like this so socially radioactive that only people with nothing to lose would ever make them. Trust is very valuable.
Systems are not working well. They are just working carelessly till the catastrophy.
leftpad.js wasn't even malicious action. Just one developer withdrawing his code from the community.
Imagine what would happen if one dev of popular package just had a nervous breakdown and did rm -fr / on his next update. Or delete the contents of the repo it is a dependancy of and do a force push.
We have zero systems in place that could catch it before work of thousands of people is destroyed.
Yeah. Competing interests. We can all slow down and work like real engineers do, with the same level of responsibility they take on, and check every line of code.
OR we can just do whatever the fuck we want, solving our problems and/or making money. But if we do it without the rigor of real engineering, we can't exactly blame OSS or the devs that provide the OSS for this choice. It's entirely our fault if it goes south.
I was thinking about this in a different context a while back. Basically companies (amazon for sure) utilize open source then make some closed off fork of it while giving nothing or peanuts back to the original open source development foundations. For example Amazon has indisputably made Billions if not Trillions from monetizing Mozilla products. Yet has only donated a few paltry million back to the foundation. While at the same time using the FOSS products to create their own walled garden.
This is exactly the problem with “uncurated” package managers like NPM and PyPi and where a curated package system like APT and RPM offer such a strong advantage. Far fewer people for you to have to put your trust into, but still a trust based system. They have gone so completely out of favour though.
It’s understandable why people moved to the uncurated systems, it’s so much easier to publish and so the variety of what’s available is brilliant. But I don’t think the tooling is there yet with all the languages that use them. Really we should have the ability to control permissions at the library level, choosing specifically what they can do.
Deno is doing some interesting things at the app level but has any language done anything with library level permissions?
Maybe we will see a movement back to the curated package managers, there may even be an opportunity to provide a curated service layer over the uncurated package managers like PyPi and NPN, possibly a paid service?
I don't really think it has anything to do with curated. It has to do with popularity/accessibility. There are more JS programmers than just about anything (my belief) and they have an easy to use and contribute package manager. (unlike say C/C++). Curation, IMO, would crumble under the pressure.
Also AFAICT, Rust's package manager is uncurated? So is Swift's but AFAIK Swift doesn't really have an "official" manager and so doesn't have the conditions for the same level of popularity/accessibility.
Maybe that suggests no package manager is better? The C/C++ way? Because spreading malware is harder? Of course conversely, excepting exploit fixes is harder.
My initial thoughts as well.. have been playing with development inside containers, and this just makes me sure I need to do it much more. Also, pushing for read-only containers in production for most things, along with running as a non-privileged user.
Unless your program is a black box that doesn't interact with the rest of the world in any way, sandboxing will not be enough. People still need to mitigate the effects of malicious supply chains.
Curated package managers are still vulnerable to supply-chain attacks. Solarwinds was the definition of a curated system and look how that turned out.
In almost every way the problem comes back to the same basic failure which ransomware represents: OS level data and access is boring, but user level data and access is wide-open and you grant it constantly to all sorts of things - its hard-to-impossible to put comprehensible, maintainable barriers around stuff and we lack the tools and programming constructs to enable this - i.e. you can't write software where it will, without you doing a lot of work, upfront declare what files its touching and how in a deterministic way.
I don't see what's wrong with Mongo cutting ties with Russia. There are practical problems receiving payment from Russian territories, and companies are allowed to choose which countries they do and don't do business with.
In a similar fashion, developers may choose who can and cannot use their code. In fact, depending on how your government's sanctions are structured, you may even be obligated to not license code to developers in some countries.
Using malware to overwrite random files against random Russian IPs is obviously stupid. I'm sure the dev will get to explain his case to a judge at some point. The Terraform thing, though, is different; it's not malicious, merely political.
However, I think the assertion that software "should not be political" is silly. All software is political. Open source licenses stem from American ideals of freedom, for example, and are designed to work in the American legal system above all else. Then there are the implied cultural contexts; the list of software that only works in left-to-right configuration or even fail to just accept standard unicode input is laughably huge. The amount of times I've had to adjust software to work with alternative decimal separators...
Independent developers can (and probably should) decide to mostly focus on the problem they themselves are trying to solve. If that doesn't work for someone else, they can either ask (and possibly be denied) alterations to extend the solution to their problem space, or suggest additions by extending the software themselves, but in essence, cultural and political assertions are everywhere throughout "open source".
Protestware has been around for quite a while, but I think this is one of the first times we're seeing high profile developers take a stance. Whatever risk this is exposing was always there; we can try to hide the risks of open source, but in the end, that's just covering them up.
I agree that protestware should not be considered open source, but any open source project can turn into protestware at any time, and it always could have. This is why groups like Debian and companies like Canonical are important: they use their organization to produce a unified view that you can rely on. Debian applies patches to align software with their views in several ways. The result is that software is often re-packaged and is deployed slower than upstream, but stuff like this doesn't get into your systems. The Python/Pip/Cargo/Go way of distributing dependencies directly, rather than using some kind of unified repository, exposes you to the risk of open source software becoming protestware, but it doesn't have to be that way.
Developers scrutinize Debian and Ubuntu for packaging old software, but you can safely develop against their dependencies. This is the open source that can be trusted, to a usual extent. In my opinion, the trust developers place in random usernames on NPM is misplaced, and the extensive dependency graphs modern frameworks require make that problem so much worse.
To those saying that it's bad that innocent Russians are getting hit by this: that's the point. It's also why sanctions are only applied in extreme circumstances. Foreigners can't tell other governments what to do, the best the rest of the world can do is hope or incentivize a country's citizens to make their government change their minds.
Open Source was always political, ultimately this is where some moonshot projects like GNU got their momentum from. IMHO the red line is where it gets destructive or actually discriminates individuals. In the past PGP couldn't be exported to certain countries so sanctions apply also for OSS. Speaking of the immense popularity of web3 and decentralized of course not all measures will be realizations of government directives. That said I don't think OSI (opensource.org) represents the whole OSS movement.
Also the title is a bit click-baity. The protestware example is clearly weaponization of OSS but the other examples are not.
> I don’t really want to have to read through each of my dependencies and transitive dependencies licences to determine whether I am agreeing to <the things included>
I slighly edited the last part of that sentence to highlight a problem with this kind of thinking. I do understand that the author may prefer all their software dependencies using some well known license like "Apache 2.0" instead of dozens of variations of "Apache 2.0~modified"
>>political discourse has turned to be very divisive and tribal. You are either with us, or against us.
This is because much of politics is currently driven by a global set of fascist/authoritarian govts and sponsored 'movements' pushing to destroy democracy. This is, IMO, back to the pre-cold war days, but stripped of all the "--isms" and ideologies.
It is now either self-determination for the people via democracy, or live under rulers like Putin, stripped of any cloking ideology. This is being strongly pushed/sponsored globally by Putin's govt; the Chinese are going about it differently with the 'Belt & Road' initiative and other exploitative agreements.
The grand experiment has been tried. It was thought that free trade exchanges and greater information flow from free nations would cause freedom, self-determination, & democracy to the former Communist nations. It did not. In trying to prove the thesis, the test proved the opposite, and enriched the authoritarian states.
Russia's ongoing assault on Ukraine since 24-Feb-2022, and the ongoing blatant war crimes including specific instructions to ignore civilian care[0], cluster munitions on civilian targets[1], or bombing a theater/shelter with "Children" written on the pavement outside [2], and it's support by ~70% of the deluded RUS population, show what can be expected from yielding to or appeasing authoritarianism.
It now really IS you are with us, or against us.
You are either in favor of democratic self-rule for all people, or you are against it.
This is war, and we are fighting against those who are happy to be war criminals.
It is important to take every measure, and "weaponizing" open source is among the least of the things that can be done to help.
Living on a different continent, I'm relatively unfamiliar with the details, but with the information I have, I do support Catalan independence.
The Spanish police reaction detailed in your linked article tells us much and gives reason in itself to support it. (The only thing that would change my mind is sound information that it is not the a grassroots people's movement that it appears and is instead some sponsored fascist movement like Brexit)
If Russia stopped bombing places with "children" written on them, Ukraine would just write "children" on important places that they didn't want to be bombed.
And no, they would not. IIRC disguising military locations as civilian, or using civilians as human shields is itself a war crime. The Ukranians are not doing that.
What's your excuse for the maternity hospital? Firing on civilians in a prearranged exit route/cease-fire? Cluster-bombing civilian areas? I could go on for pages and pages, and the War Crimes case is already starting, and being substantiated up to the level that the POTUS and SecState are specifically speaking of Putin as a "War Criminal".
Thanks for demonstrating my point about the how otherwise intelligent people can still have insane levels of self-absorbed myopia and inability to understand moral issues, and lack of perspective.
Your being so certain that, if Russia did not fire on locations marked as being filled with "children", that Ukraine would never ever put soldiers in them, may be misplaced.
We have parallel problems in science and in software.
My faith in science was never in the moral character of scientists and their organizations - individuals and organizations are always vulnerable to corruption. My faith was in the principle of replication. If anyone can repeat an experiment, we can all see for ourselves what is true, and a community dedicated to that (and individuals with a healthy fear of the process) is reliable.
Only, we don't replicate experiments. We got so busy and excited building on what had gone before that we've built some huge houses of cards on questionable foundations, because who wants to spend time and money doing replication? Distracted by the free riches, we neglected what had always been the source of our strength, and here we are - arguing over who funded studies and fuming over the replication crisis.
Where are the critics who say, "I can't trust that paper - it's impossible to replicate!" Where are our Poppers who insist on falsifiability? An entire community that frowned on complexity and opaqueness and walled gardens of data, a community that trusted things insofar as they had been replicated and re-examined from many angles and proven sound, would force us towards a level of simplicity, honesty, and reliability that science should have. Instead, a general agreement to pursue individual and institutional glory at the expense of upholding foundational principles has rotted the foundation of the endeavor.
Put simply, I trust science because you can replicate it. But for whatever reason, (and I can't propose a specific solution, but), to the degree our community is not devoted to replication, it loses its trustworthiness.
Software has a parallel problem.
I don't trust open source software because I trust the character of developers or institutions. I trust it because it can be examined and fixed. Because of reproducible builds. Because anyone can examine it, anyone can build it, no trust of individuals or organizations is needed. A community that insists on such features and abhors offerings that offend these principles will steer us towards a level of simplicity, comprehensibility, reproducibility that open source software should have.
But we are all so excited to build things on top of other things that we spend much more time multiplying dependencies and layering on complexity than worrying about foundational principles. We are now seeing the rotting foundations.
There are people who complain about whether code can be examined, or factors that make it difficult. It is becoming increasingly important to listen to them! A community that celebrated open source software, not only for what it can functionally do, but for how open it is, is what is needed to maintain those foundations. A community that has trust issues with unexaminable long dependency chains, that is sensitive to the difference between software that has been around the block and examined for a long time, and software that some guy just put out last night.
Put simply, I trust open source because you can examine it. But for whatever reason, (and I can't propose a specific solution, but), to the degree our community is not devoted to examination, it loses trustworthiness.
Reserve your trust for communities that take seriously the principles that trust is built on.
I'd say that the code that is malware/not malware depending on IP address of the server is a bad kind of weaponization. Not because I pity poor Russians or some such. I'm a Ukrainian national myself. Putin is a dickhead that should be put down with extreme prejudice; much of both the state and ordinary folk in Russia should be accountable, too. Here, I said it.
The problem with those NPM packages, or better said, the approach they are taking is that it is a double-edged sword. IP blocks can be sold and bought. Today they belong to someone in Russia you don't mind targeting, tomorrow it's someone else entirely. Today you put in a trigger to turn your code into malware, tomorrow someone finds a way to flip that trigger at will. Bad things ensue.
Not providing services to Russians is another thing and that could work. Limiting downloads by the country is okay in my books. After all, you block IPs that try to DDoS you, so banning IPs of an aggressor country that is fond of murdering civilians is fair game too. Radio silence their contributions. Don't respond to their support requests. Close the issues they open as if they never existed. Of course they can find alternative ways to download stuff, fork, implement the necessary changes themselves, but it's jumping through the hoops. Let them jump extra and then some.
Stop providing documentation in Russian, kick some people off the team/mailing list. Make the OSS you're responsible for be, for all intents and purposes, unmaintained piece of software if the user is from an aggressor country.
These are ways of sabotage I can stand behind. But putting in actual malware is rather where I draw the line.
My first thought yesterday was that I really cannot trust NPM anymore because if someone sneaks in an anti Russian piece of code somebody else could sneak in code against any other country, or look at the content of files to get an idea of the kind of person running the code and decide what to do. People voting for the other party, thinking something different, etc.
And why not Python, or Java, Ruby, anything. Maybe we'll all end up running Tails.
Edit: if something like that happens, how long before certifications require that no unvetted code is used in projects or no open source at all?
Wars cause people to do really drastic things that would be out of the question in peacetime. Programmers are people and some of them have relatives who have been blown to smithereens by Russian strikes. These are the peanuts, saboteurs have been known to destroy physical things with high collateral damage. While crimes like deleting files should be prosecuted, the best way to end such things is to end the war.
421 comments
[ 2.1 ms ] story [ 335 ms ] threadBut to be fair, its not discrimination against the Russian people, its discrimination against a particular ideology that is predominantly held by the Russian people.
To be even more fair, it's both.
There are plenty of Russians that absolutely do not agree with what the Russian leadership is doing, but have no choice in the matter.
Speaking as a Canadian, there was a time when we were similarly fighting an adversary and chose to indiscriminately treat all people from that nation as enemies. The result was the internment of Japanese Canadians, one of the most shameful periods in our nation's history.
I cannot help but be very concerned that we're heading down a very familiar and dangerous path, here...
I was treated extremely rudely for being American when I went to France in late 2003, and I totally understood why. I hated my own country and my countrymen for it as well. I still do, in a sense. We owe the Iraqi people an enormous debt of reparations
It seems too easy to say "uh discrimination is fine" when the only thing you have to fear is people being rude to you on vacation. If you face the loss of your livelihood, like the owner of a small Russian restaurant somewhat, I don't think you'd be as sanguine.
That's just the French being the French, would have been the same in the 90's lol. And if you think that's bad, try going there as a French Canadian like my grandfather did. He got treated way waaaay better when he spoke English instead of the his "dirty" (what the Frenchies called it) Quebecois French.
That's racist. And a deny of history about the anti-french sentiment in the USA consequently of the opposition of French to to participate in a war that later you want you never make.
You clearly don't know what the word means. French isn't a race, at most it's a nationality or ethnicity. And in any case I'm 1/4th French, ethnically.
>And a deny of history about the anti-french sentiment in the USA consequently of the opposition of French to to participate in a war that later you want you never make.
I never said there wasn't anti-French sentiment in the US though? Do you have issues with reading comprehension?
Which will never happen. For very obvious reasons. Hypocrisy is our first and last name. And the examples of it are countless.
In principle this is true given the current Open Source license.
But i would argue that the clause about discrimination is out of touch with reality.
Usage rights to Open Source should not by default be granted to oppressive regimes and the author should absolutely be allowed to state that within the license.
If the west wants to send a clear signal to Putin, then matters such as the wording of the Open Source license needs to be adjusted accordingly.
Bear in mind that I'm talking descriptively rather than prescriptively here. I have my own opinions but I can also observe that political neutrality as a concept is waning.
Im not saying it is necessarily- but i think to get past the division you have highlighted (apolitical universality vs political conservatism) there is perhaps a way to look at the various approaches and determine what approach would be technologically, logistically, and politically advantageous.
Let us let go of the idea it is apolitical, what now?
Remove the free rice and you satisfy your egos necessity for first order moral resolution via punishment- bad people dont get rice- but as for second order effects? Perhaps now it becomes feasible to build a sustainable farm (or apache competitor)
I'm familiar with second order effects, and nth order effects and nonlinear causality. If we restrict Russia's access to Apache Web server, sure, they will eventually develop a local equivalent. So, over time they transition from being disadvantaged to simply leveling the playing field. That's a pretty good outcome, especially if many more open source projects could withdraw from Russia.
IBM is still notorious for their willingness to work with the Nazi regime.
Maybe as a European i feel more strongly about this, but every means possible must be employed to send a clear signal to Russia about the unacceptable state of affairs.
Except destructive changes as in the second example, that behavior should not be allowed by the Open Source license.
I'm still hopeful that a better wording can be found going forward.
When it comes to open source licensing, though, the problem with these kinds of exceptions tends to be that there are a lot of causes that would, at one time or another or from one perspective or another, seem to warrant similar exceptions.
There are other wars going on, with more or less clear aggressors. Should we build a list, somewhat akin to the U.S. export restrictions, that forbade using the software by the aggressive states? How would we make sure that the lists aren't influenced by political leanings or cultural preconceptions? (Hint: you can't.)
It would be objectively easy to argue that people who eat meat should be sanctioned to give them a "clear signal" that they shouldn't. It would be emotionally easy to argue that perhaps we should exclude people who violate human rights from using our software -- although what exactly constitutes such a violation would be pretty hard to delineate. In a different culture, objectively or not, entirely different acts might be considered morally contemptible or even unforgivable.
Allowing exceptions to open source terms based on individual reasons would lead to a jungle of rules that would end up ruining open source, even if each exception by itself can be easy to argue for. You could no longer build a Linux distribution or any kind of a large collection of software, or even an open source application that relied on lots of open source libraries for its functionality.
That is, unless you decided not to include any software that had licenses with any such exceptions. That's exactly what drawing the line for the meaning of "open source" is. If you only take one of those exceptions and not the others, that's no longer an objective choice, and others are going to have different exceptions; if you take them all, you create an untenable mess, or at least a walled garden with really tight walls.
At any given time it may feel like this is the one exception we should make, and it feels right at that moment. It just can't be done with any consistency without massive collateral damage in the big picture.
By all means, let's cause trouble to Russia (under its current regime) as long as it restricts their ability to wage war. Let's do that even if it costs us. But let's not do it in such a way that it creates a massive moral or legal conundrum in the long run. Even if it feels right at the moment.
- Another European, living less than 200 km from Russia
The same thing that happens when two countries have irreconcilable differences.
Software is a human artifact and subject to the same principles as all such artifacts.
The argument that software licenses should exclude certain people or fields of endeavor has been around for decades. Such licenses are outside the scope of Open Source. Specifically, such licenses do not conform to the Open Source Definition clauses 5 and 6:
https://opensource.org/osd
> 5. No Discrimination Against Persons or Groups
> The license must not discriminate against any person or group of persons.
> 6. No Discrimination Against Fields of Endeavor
> The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
Furthermore, the label "oppressive regime" is sometimes more propaganda than fact. Many western countries weaponize human rights by labeling enemy states as oppressive regimes, while either ignoring/muffling their own human rights abuses, or (more likely) having systems that allow one to protest against domestic human rights abuses while failing to change a single thing about them no matter how much people protest; and at the same time, turning a blind eye on actual oppressive regimes that happen to be allied states (until they fall out of grace, after which they will once again be labeled "oppressive regimes").
This makes license discrimination on the grounds of the "oppressive regime" label highly problematic and prone to geopolitical propaganda games. At worst, you can even say that such license discriminations become willing tools of geopolitical propaganda.
Direct confrontation is not an option and neither is doing nothing at all, so sanctions is the logical choice.
I agree that sanctions will not make Putin withdraw from Ukraine. But seeing Europe make a targeted effort to stop relying on Russian oil and gas, should make Putin think twice.
China is happy to take it for a cheaper price.
"I've stated above some parts of my views about certain political issues unrelated to the issue of free software—about which of those activities are or aren't unjust. Your views about them might differ, and that's precisely the point. If we accepted programs with usage restrictions as part of a free operating system such as GNU, people would come up with lots of different usage restrictions. There would be programs banned for use in meat processing, programs banned only for pigs, programs banned only for cows, and programs limited to kosher foods. Someone who hates spinach might license a program to allow use for processing any vegetable except spinach, while a Popeye fan's program might allow only use for spinach. There would be music programs allowed only for rap music, and others allowed only for classical music."
"The result would be a system that you could not count on for any purpose. For each task you wish to do, you'd have to check lots of licenses to see which parts of your system are off limits for that task. Not only for the components you explicitly use, but also for the hundreds of components that they link with, invoke, or communicate with."
"How would users respond to that? I think most of them would use proprietary systems. Allowing usage restrictions in free software would mainly push users towards nonfree software. Trying to stop users from doing something through usage restrictions in free software is as ineffective as pushing on an object through a long, straight, soft piece of cooked spaghetti."
"It is worse than ineffective; it is wrong too, because software developers should not exercise such power over what users do. Imagine selling pens with conditions about what you can write with them; that would be noisome, and we should not stand for it. Likewise for general software. If you make something that is generally useful, like a pen, people will use it to write all sorts of things, even horrible things such as orders to torture a dissident; but you must not have the power to control people's activities through their pens. It is the same for a text editor, compiler or kernel."
https://www.gnu.org/philosophy/open-source-misses-the-point....
Open Source is right now defined as open for everyone by the license, ie. the paragraph about not discriminating.
Perhaps the only sane way for Open Source to exist is to not discriminate.
Secondly, why would any such oppressive regime care about your license? What are you going to do, sue them?
Were the Canadian truckers protesting in Ottawa virtue signalling? Are people posting "Let's Go Brandon" online also virtue signalling? If not, what's the difference between their form of protest and this Terraform stunt?
Political valence. It is a term a certain flavor of culture warrior likes to employ in attempts to devalue public statements by their opponents.
I think the term ‘virtue signalling’ was originally intended to point out a perceived hypocrisy - that it’s much easier to gain public support for an idea/cause/campaign if that campaign is perceived to be helping some disenfranchised group - even if the campaign also benefits the organizer, and even if the campaign is not necessarily wanted by some or even all of the allegedly-aggrieved group.
So an in-person march, trucker protest, sit-ins, having a private conversation, calling your representative, making personal sacrifices, attempting to bring attention to lesser-known issues, donating money, engaging in dialog to convince someone of your position, etc would not be virtue signaling.
But things like posting "Let's Go Brandon" online, or changing your profile picture with no further action, or unironically using terms like "virtue signaling" for internet points might qualify as virtue signaling.
If if they are wearing it primarily as a method of socially fitting in and signaling to those around them then it might be "virtue signaling".
If they would continue to wear a poppy on remembrance day in contexts where the people around them did not know what it meant then there's clearly something more than signaling going on. Perhaps it is their tradition, or it helps them remember.
(I should caveat that I don't think there's anything particularly wrong with social signaling so I don't use the term "virtue signaling" as it seems to have a pejorative or sarcastic connotation.)
To paraphrase the bible "Jesus said The pious pray in their closet. Those who make big shows of praying in public are nothing but douchebags."
To me, it's the element of risk that differentiates virtue signaling from meaningful action. Posting "Let's go Brandon" on parlour or "Black Lives Matter" or Tumblr aren't risky actions. Saying "I think gay marriage is ok" in a conservative church is. Just because you can imagine a situation where the context lessens the impact of the action, doesn't mean the example is weak or wrong.
And it's based on the flawed assumption that stating public support for something without doing anything else is useless.
But people moderate their behaviour based on perceived social norms.
When people publicly state their support for a given issue, they are communicating what they understand social norms to be.
When a lot of people do that, that becomes the norm.
So "virtue signalling" could just as easily be labelled "showing support", which is the way that we share and align on those norms.
But, of course, folks who don't like people voicing their support for those values, for fear that they will become normalized, needed to find a label to apply to insult those people and, hopefully, stop people from voicing their support for these social movements.
And thus the term "virtue signalling" was born. Suddenly saying out loud what you believe becomes itself a social moray.
Now flying a pride flag, or calling for increased diversity in the workplace, has become "virtue signalling" and something to be embarrassed about.
It's quite clever as a means of controlling the narrative. And it appears a shocking number of people have bought into the BS.
1) Does "showing support," actually do anything? Are we really aligning on norms or just scoring points with people who already agree the same position? I suspect the detail matter and that there is continuum, where for uncommon positions maybe it does something, but for widely held views, it really is just "virtue signalling."
2) When does "showing support," become a substitute for more substantive action. Maybe I post a pride flag on my social media avatar, but don't bother to vote in a local election with discriminatory ballot initiative. Or consider any number of incidents of corporate "greenwashing."
But sure, plenty of virtue signalling, isn't _just_ signalling. And we shouldn't dismiss it on those terms, but rather ask about impact.
It's certainly less impactful than doing something substantive but it also costs nothing to signal boost. Same like boycotts, it only works en masse.
It'd be like flying a great big flag that says "I support the government and corporations." Whenever I see a pride flag, that is essentially what I see. It's like, (and it's useful to read the people who are against you as a mirror), when Patriarch Kirill of Russia says: ". Today there is such a test for the loyalty of this government, a kind of pass to that “happy” world, the world of excess consumption, the world of visible “freedom”. Do you know what this test is? The test is very simple and at the same time terrible - this is a gay parade. The demands on many to hold a gay parade are a test of loyalty to that very powerful world; and we know that if people or countries reject these demands, then they do not enter into that world, they become strangers to it."[1]
That's not far off from the truth. Virtue signalling, as opposed to protest, is oriented towards moving closer to power, rather than further away from it. In Foucauldian terms, protest would be a transgression, a breaking of the taboo, and virtue signalling would be the opposite of that, an adherence to and reinforcement of the taboo, in which one mimetically serves the strengthening of the taboo, until the mimetic crisis breaks into blodshed.
Virtue signalling is wearing the swastika in 1938, and bears no relation to wearing one in 1929, except to say that those who wore it in 1929 won.
[1]: https://www-patriarchia-ru.translate.goog/db/text/5906442.ht...
There is also a sense that whatever thing someone is “virtue signaling” about is acceptable enough that there is no real downside for taking the stance.
It would be like an American proudly declaring how much he loves the United States on Independence Day. He would go out of his way to emphasize just how much of a patriot he is, hoping to be rewarded for doing so.
If you oppose a cause, "virtue signal" is a term of denigration for any public action on behalf of the cause to discourage people showing support for it.
When you protest for gay rights in 2020 it is a virtue signal. When you protest for gay rights in 1987, it is because you believe in it and are willing to take the cost of it.
Since public trade companies only care about money, when those companies support some course it has become safe enough that it is now virtue signalling.
I don’t think this is the case; it’s still legal to discriminate on the basis of sexuality in many states and contexts such as housing in the United States. You may not be able to fire someone for being gay but in many places you can evict them for it.
Additionally I don’t think it’s virtue signaling to protest for gay rights beyond the small number of countries that recognize marriage. There are still countries where gay behavior is illegal, marriage isn’t recognized, and gay panic is a legal defense.
The impact of virtue signalling is pretty evident. Ever seen how in order to make a statement on something you have to first identify yourself as part of that something that you're criticising? That's a direct byproduct of virtue signaling.
More or less, it's a form of manipulation.
But really I don't know your motivations and you don't know the motivations of the Terraform folks. Let's be a bit more humble please. But yes, I also find it unprofessional.
I am close to an average person in this regard because I am a free-rider on other people's enlightened steering: all I do is install stuff and in exchange I get privacy and security.
In a historical sense, it's very geographically dependent. Before states got rid of established churches, Virginia, for instance, established the Episcopal church, while Massachusetts established the Congregational church.
The modern American culture simply descends from Calvinist culture, by no means it is the same. Just like you wouldn’t expect a fish to explain its ancestry to you, you wouldn’t expect an American to do the same.
Some people seem to believe that if you remove a belief in God, a sudden discontinuous cultural gap appears. But there is no reason to assert such thing. An absence of belief in God doesn’t make Americans culturally more similar to Buddhists than to their ancestors, they still inherit similar values and social practices. The American culture experienced an abrupt shift from the British culture due to the founder effect, but from that point it pretty much developed continuously. (Well, of course like all cultures, it experienced outside influence but it wasn’t as impactful.)
> In a historical sense, it's very geographically dependent. Before states got rid of established churches, Virginia, for instance, established the Episcopal church, while Massachusetts established the Congregational church.
There is a book called The Faiths of the Founding Fathers by David L. Holmes, it covers explanation of the sheer influence Calvinism had in the US.
By the way, is it surprising that (1) Harvard originally had a Calvinist church. (2) Harvard is located in New England, the land of radical Protestants aka Puritans. (3) Harvard is the most prestigious university.
My point is simply that American “average people” are in no way simply average people if such thing even exists.
This notion that somehow 'FOSS' is a moral ideal that stands above others is rubbish.
If you're helping Russians drop bombs on Mauripool that's a choice.
You can also choose not to do that.
That concerns an 'ideal'.
There are issues at hand of much greater consequence and idealism that 'internet librarians' pretending that they are consequential in this context.
'More Average People', like accountants and teachers, are literally right now upholding their 'ideals' by learning how to use a weapon and defending their homes with their lives against literally the Russian Empire. That is an 'ideal' thankfully none of us will ever have to contemplate upholding.
Racism isn't the point, crippling the Russian state is. Assuming anything else smells like bad faith.
One incident related in the story is someone slipping malware into a node library which appears, among other collateral damage, to have deleted the archives one NPO had collected of the war hoping to document Russian war crimes. So really I'm not sold on it being that different.
Draw your own conclusions about authenticity but it doesn't sound implausible.
But there is also the tactical issue of whether such attacks would have the desired effect. Imagine if Russia would attempt to "cripple the US state" to stop the war in Iraq... I think the average Joe in America would feel quite threatened by that notion. As a corollary, consider this: as a response, would Joe be more likely turn against his state, or realise that he desperately needs to support it, in order to defend his way of life?
Of course, actually targeting elites in power isn't something elites in power want to promote.
Technically, there is a way to hurt a state while helping its citizens -- help them move away, to a better place.
That isn't as persuasive a point as you might want it to be. It may be the case that we are, now, simply being more comprehensive in defending against a descent back into those awful cold war times. Once we were already in the thick of it during the Cold War, even a little bit of cooperation was useful in not descending even further.
It's like a phase transition. When society is already functioning at a higher level of cooperation, appropriate consequences of deviating from that are highly exclusionary. But the game-theoretic risk/reward balance changes when society is functioning at a more adversarial level. At these different phase states, an action that may incentivise de-escalation in one phase state may have a different (even inverse) effect in another phase state.
But now that you've raised the question, it's difficult for me to think of any stretch of decades that was definitively better, certainly not in the last 100 years. I might look far back to the Pax Romana, but that couldn't be considered global in nature. I'd argue that it's probably only at some point in the past 100 years that regional civilizations became interconnected enough for us to even consider things as a truly global system.
Please note that I'm not claiming the last 20 years have actually been good in terms of global peace, stability, accord, etc., just that it seems a bit better than the recent decades prior to that. By one narrow metric, per Capita war-related deaths, we're doing quite a bit better. Of course these things are far from evenly distributed across the globe, and it seems like wider stability sometimes relies on allowing awful things to happen on a smaller scale. And I don't think it's much consolation to those dying in conflicts to tell them "no really you should be joyed to live at a time when so few people have their lives torn apart the way yours is right now".
All of that strays from the topic of my original comment though, which again compared current times to cold war times.
peaceful is an vague term, but some of the language I have used is not much more precise. However I did mention one somewhat narrow metric, per-capita wartime deaths, and the world has been much better in this area during the the last 20-30 years than previously. What are your thoughts on that aspect of this discussion?
On the more ambiguous connotations of what I wrote, I will clarify the idea that was uppermost in my mind when I made my comments:
Essentially, a conflict that is catastrophic for the entire world is less likely (at least prior to recent events) during the last 20-30 years. The fall of the Soviet empire left no two adversaries so antagonistic to each other, each with world-destroying capabilities, that we have had to constantly worry about such a conflict breaking out. We have not had to walk so carefully on egg shells to avoid reaching that point. North Korea has only recently become the nation most likely to initiate a nuclear conflict, and I would still rate that as a lower probability than cold-war era direct US <-> Soviet conflict, and the capabilities of North Korea in this area are still too primitive for a conflict with them to inflict the same scale of damage as direct Soviet/US aggression.
Certainly horrific local and regional conflicts have still prevailed in some areas of the world, perhaps only slightly reduced (arguably not reduced at all, and worse in some regions) but their potential to spill over into a wider world-scale conflict remained exceedingly low compared to prior decades. They are less dangerous to the wider world because some of those cold-war era conflicts were proxy wars that risked escalation to direct conflict between military super powers.
Consider that the Vietnam War could easily have been won by either the US or Soviets if either of those powers had been willing to bring their full and complete military might to bear against their proxy opposition within that country. Indeed there was a constant tension that such a thing might happen and bring the puppet masters behind the North & South Vietnamese into direct conflict with each other.
This was perhaps even more true during the Korean War, with the added risk of more significant Chinese involvement & explicit threats by the US that nuclear options were on the table. The only thing that mitigated the potential for global nuclear war was that US nuclear capabilities were still relatively limited, Soviet nuclear capabilities even further behind, and Chinese nukes a decade or more away from completion. (by which point we'd progressed past the sino-soviet split so an alliance between those two powers was pretty much off the table) But during that conflict there was still significant possibility that a conflict on the scale of WWII, with slightly more advanced technology, could erupt & include a major nuclear component as well.
And of course there was the idiotic brinkmanship if the Cuban Missile Crisis.
Nothing of that scale has been anywhere near as probable after the end of the cold war. Having grown up in the twilight years itf the cold war, I can directly attest to the global tension of those times, and the global sigh of relief as they ended. In the years since then we have never approached that level of tension until today, with the Ukrainian invasion, where small echoes of those times can now be felt.
This is the thrust behind my comments. That perhaps local & regional conflicts have seen little change, but world-wide existential threats from military conflict are-- comparatively-- a much reduced concern.
It would be nice if there was a link to those sources. This isn't worth much more than "trust me bro"
Which ever of the polls you choose to believe, this is not a war largely unsupported by its citizens.
[1] https://meduza.io/en/feature/2022/03/07/russia-s-tricky-opin...
[2] https://www.washingtonpost.com/world/2022/03/08/russia-publi...
[3] https://www.cnn.com/interactive/2022/02/europe/russia-ukrain...
> Iraq dominated the headlines throughout the fall of 2002 and into the winter of 2003. Public opinion on the wisdom of war, however, stabilized relatively early and slightly in favor of war. Gallup found that from August 2002 through early March 2003 the share of Americans favoring war hovered in a relatively narrow range between a low of 52 percent and a high of 59 percent. By contrast, the share of the public opposed to war fluctuated between 35 percent and 43 percent.
Earlier reporting had it in excess of 70% support: https://news.gallup.com/poll/8038/seventytwo-percent-america...
So did Putin. Dying isn't ideal.
And so on.
Not that this kind of pretty bad take hasn't been pervasive in the past month. It's just funny in a horrifying way to see a century worth of lessons just evaporating in 3 weeks. Just go on any social media and you will see the exact same argument used to justify and even promote literal war crimes against the russians because they started the war. But no, even an invading soldier does not deserve to be tortured.
So it a fair game, as far as international law goes.
Which leads me to my next point: an essential attribute of a state under the rule of law is that the law is applied impartially, irrespective of who the victim and the perpetrator are. Doesn’t always work out, but it’s certainly what most people find fair and what we strive for.
Authoritarians pursuing military conquest and territorial expansion hasn’t been “the norm” for the past few decades. The world is changing with Ukraine and Hong Kong, and soon Taiwan.
Not saying these examples in the article are all models of how we should design things in the future. But the world is changing and norms will change alongside it.
Guy murders your kids anyone can murder anyone from now on, no big deal
Barring, you know, the current suspect.
According to whom? According to Putin, they invaded ukraine to "denazify it". On the other hand "US invades country for oil" is a pretty popular narrative on the internet.
Even if you want to support Ukraine, some things have certainly gone to far, like discriminating against anybody and anything with Russian origins (professor being told to not teach Dostojewski for example, as posted on HN a couple of days ago).
And demonstrating the international monetary system is not reliable at all, not sure it is a good thing.
That's the norm now, right?
(I should mention that Russia already does tolerate destructive hacking against the West, and has been doing so for a while - that doesn’t change my opinion, but it would be unfair not to note.)
On the one hand, I cannot deny the right of Iraqis to defend their territory from a criminal war of aggression. But do I need to stand up for what he is doing? Should I put money in his paypal account? Do I have to agree that all soldiers are legitimate targets, even when there is no military objective other than "exacting a cost?" Can I ask who pays that cost? Is it the war criminal George Bush, or just some grieving American family somewhere? If twice as many families have sons, brothers, fathers taken from them, would a future George Bush think twice?
Back to the topic at hand. Of course we can understand the motivation but at the same time the question for us is whether we in the open source community want to preserve software as a humanitarian sphere which is not necessarily neutral in conflict but, at least, part of civil society and not involved in or drawn into cyber-warfare as far as possible.
That fact that hostilities have broken out does not mean that everyone has to camp at one ridiculous extreme (kill them all) or another (total capitulation) and it's perfectly reasonable to try to find a path between them which is consistent with our own moral and ethical code.
But putting pressure on people to make them do what you want is a fairly accepted strategy. Hell, Russia is following the same strategy, except they’re dropping bombs and missiles on cities, which also (even mostly) impacts civilians that have nothing to do with the war.
As much as it sucks, it’s the only way to retaliate.
But a software development has yielded to demands that it adhere to causes. Redis isn't just a key value store, it's engaging in anti-racism by removing terms of whiteness, like "master" and "slave".
And here we are. Uninstall nginx, unless you're a fascist that supports Putin! Did you hear? Russia is using leftpad.js! Quick, unpublish the repository in solidarity with... We have to reduce harm! No one is neutral! You're for us, or against us!
Lending software to "social progress" leads to the insane place we are today. (And not to mention, it hasn't achieved much.)
No, my software isn't a tool for your social goals, noble as they may be. And that doesn't make me a bad person.
Why?
> And here we are. Uninstall nginx, unless you're a fascist that supports Putin!
You know that nginx has been US owned for a while now, right?
Changing the license is weaponisation?? It's the bare minimum and least intrusive. And then you all complain when someone tries to implement a Hippocratic or Do Not Harm license. "WEAPONSIATION"?? Really?
The lesson of all this is to keep an eye on your supply chain. Simple as. I think it's a sign of entitlement when you expect OSS devs to build you robust and reliable systems then leave the rest of themselves at the door.
As for the first one, that's just whataboutism. Sure, we need to stand up to that too. But that changes nothing here.
It makes one wary, too. The weaponization of Open Source is very dangerous and sets a bad precedent. So Russia are the bad guys now, but who's next? Are you sure it's not going to be your country?
Think about this: forget Russia, a good chunk of the world thinks the US is a bad faith actor on many occasions. Would it still be a free license one that forbid people from the US from using the software?
That's not to say I think any of this is a good idea. I think it's insanely naive to try to contractually block a dictator from using your software in the first place. Do these people think they're going to sue the dictator in the dictator's court? The Russian government is already considering legalizing piracy of proprietary software to evade sanctions; they DGAF about these licenses.
I mostly just think that the OSI and FSF's "all or nothing" stance on some topics is a bit extremist. A hypothetical license that said "You can do anything with this software except launching missiles at kittens" is pretty damn in line with the spirit of FOSS, even though the OSI or FSF would never approve it. I understand they take that ideological angle because they are thought leaders and need a clear message, not a slippery slope, but this is where I think it's reasonable to be reasonable.
I think it's better to criticize these types of "weaponized" FOSS licenses by pointing out that they're entirely ineffective wastes of time. There are plenty of real merits to undermine these licenses, which is why they haven't caught on previously. Saying "that's not open source" is just like a chocolate snob telling their friend that their Hershey's bar is "totally not real chocolate"
That being said, we're beyond the realm of software licenses in this conflict anyway. Sanctions have already started cutting people off from FOSS projects, regardless of license.
I'm not aware of any FOSS license that states things like that. I think you're wrong.
> A hypothetical license that said "You can do anything with this software except launching missiles at kittens" is pretty damn in line with the spirit of FOSS
No, it's not in line with the spirit of FOSS, but rather against it.
I understand that you have this vision about a kind of license you would like for software. I cannot argue with that -- it's your vision and it's your right to have it. The problem is that it's not any kind of FOSS license that is recognized as such (i.e. as FOSS) by the wider community. You can call it FOSS but nobody else will.
Here's examples:
https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License.ht...
https://spdx.org/licenses/BSD-3-Clause-No-Military-License.h...
https://spdx.org/licenses/Hippocratic-2.1.html
> The problem is that it's not any kind of FOSS license that is recognized as such (i.e. as FOSS) by the wider community. You can call it FOSS but nobody else will.
There is evidence to the contrary. There are popular community supported projects that are often colloquially described as open source which use licenses that are not OSI/FSF.
Your evidence is incorrect. None of those are FOSS licenses. If you google their names, you'll see each sparked controversy, and ultimately the SPDX doesn't exclusively list FOSS licenses.
Ultimately they infringe on the most basic right: to use the software for whatever you want.
> There are popular community supported projects that are often colloquially described as open source which use licenses that are not OSI/FSF.
Nobody cares about "colloquially". Colloquially, Microsoft in the past tried to pull a fast one and pass their Shared Source initiative as "open source", which it wasn't.
FOSS means something. None of the examples you gave are FOSS.
I said “variations of FOSS licenses”, which is precisely what I provided examples of.
> Ultimately they infringe on the most basic right: to use the software for whatever you want.
Unless of course, “whatever you want” includes not publishing your changes. Copyleft does not permit people to do “whatever they want”. It places specific requirements on people who use that code and punishes them under penalty of copyright law if they do not.
You’re touching on the reason that some people prefer public domain waivers instead of copyleft licenses. If you want an example of disagreements in FOSS: case in point.
> FOSS means something. None of the examples you gave are FOSS.
There are factually multiple definitions of what falls under the umbrella of FOSS. FSF and OSI are certainly prominent. There are other individuals and organizations who disagree.
I think it’s kind of funny that people want to argue that the majority opinions on licensing are the only valid opinions on software licensing. That’s exactly how people dismissed RMS in the 80s and 90s.
You can absolutely not publish your changes, where did you get the idea FOSS forces you to publish? FOSS imposes restrictions upon distribution; you're free to use the software however you want if you keep it to yourself.
> I said “variations of FOSS licenses”, which is precisely what I provided examples of.
In that case, you introduced something irrelevant. A variation of FOSS which introduces changes that break the fundamental tenets stops being FOSS. Hence, you cannot get away with using the term "a variation of FOSS", because it's a variation that happens not to be FOSS.
Your other opinions of why people like or dislike this or that license or philosophy, comparisons to RMS's early days, etc, are all red herrings. They are worth debating, but completely irrelevant for deciding what is or isn't FOSS.
A license that restrict usage by Russians, or in nuclear reactors, or that requires you to first agree abortion is wrong (or right) is fundamentally not FOSS. Whether this is a good or a bad thing is on you, but also irrelevant in this context.
I don't think this is a great comparison. Open source has a particular, commonly understood meaning, just like chocolate does. When I say "this is not an open source license", I am not saying that it doesn't meet some kind of quality standard, or that I just don't like it. I am saying that it is a deceptive label that contradicts the common understanding of the term.
If an author would like to relicense their open source project to exclude certain groups of users, why must they insist on using the open source label? They ought to be proud that they reject open source norms. Why would they want to associate themselves with projects allow dictatorships to use them?
I have written software with a license that allows for noncommercial use only. I label it as freeware (which clearly communicates "you need to check the license"). I have no desire to label it as open source, because I do not wish to mislead people who have a coherent and widely accepted mental model of what that entails. I am generally suspicious of the motivations of people who would want to muddy the waters with unclear labeling.
There is a perfectly honest way to address this, as esr did: invent a different term. If you can come up with a short, snappy term for "source-available software that allows for open-source-like use for certain classes of people", then use that, and don't lie to your users.
I’m using that example because there is disagreement about the definition of chocolate. Here in the US there are some things called chocolate which are not called chocolate in other parts of the world. How much cacao is required? How much milk solids are required? You will get different answers from different organizations. All of which, claim to be an authority.
The FOSS landscape is no less opinionated.
The fact that there has not been a strong push back confirms my suspicion that by now, everyone has gotten used to Node and NPM being insecure and silently accepted it as a way of life. Similarly, those Terraform scripts are apparently esoteric enough to only be used by a tiny minority of software developers, or else we would have heard about it in a different way.
Thank god nobody did similar shenanigans to open source projects that are actually in wide use :)
I might one day have an IP that is accidentally mis-classified as Russia. I mean those Geo-IP services are only like 95% accurate and they go out of date pretty quickly and updates are expensive. Plus .RU VPN services used to rent subnets in the US all the time. But then all of my files get deleted because someone wanted to make a point. So then I'm collateral damage in someone's remote fight in a war that neither of us were actually involved in.
Your argument is a bit like saying "It's OK to use chemical weapons because we're the good guys." They are not banned to protect soldiers, they are banned to protect civilians. And most likely, node-ipc's patch will hurt much more innocent civilians than it'll hurt Russian soldiers. It's the software equivalent of indiscriminate bombing.
Who's interests do corporations represent?
What are the costs of their actions?
What are the costs of their inactions?
Well, yeah. War is bad. On the spectrum of war badness, obviously, these pranks are pretty mild. But they're bad. It's a bad situation. When at war, people are forced to do bad things to prevent worse things. That's why starting wars is very bad.
Now, sure, you can argue about the semantics about "who" is at war, or whether these npm authors are "really" at war, or why they "think" they're at war, or whether they "should" be at war. You could also get into a discussion about whether or not this tactic is effective (and I'd agree it's hurting more than helping, btw). Go nuts.
But that doesn't change the fact that this is an action in support of a war effort. In wars, principled stands don't win. If you want a particular outcome, you have to pick a side.
Fighting against bad actors is definitely a 'principled decision'.
Ignoring the situation and not taking action is an 'unprincipled decision'. Though it might disguised as principled action, on the basis of supporting some other principle, such 'open source', but ignoring one at the expense of another implies serious lack of self awareness.
This war, plus COVID, and the recently released documents indicating a planned invasion of Taiwan (though we don't know for sure) - represent major geopolitical shift of the order of WW1/WW2/End of Cold War, the stakes and consequences are enormous.
And the point is that it's a war. We've crossed the "bad things are going to happen" Rubicon already. You can't make principled arguments like that against people who have chosen to engage in a war out of the hope or desire for one side to win. They already did that moral calculus. It's like telling someone they shouldn't defend their home because pacifism is more important. You might be right, but you won't change anyone's mind.
I picked a side. I will take care that npm is not installed on my computers. Take your political sh*t out of my computer.
The premise behind your position is clearly that "politics" is some kind of meaningless distraction to the "real" business of shipping software. But... isn't that backwards? It's a war. People picked a side.
The idea that unilateral military invasion is merely "politics"[1] is... very strange to lots of people.
[1] In the sense of triviality you clearly intended, c.f. Clausewitz again.
Easy to say if you are not a frontend engineer.
If you choose to become an actor in a war, then you also open yourself up to being attacked. There is only one kind of actor in a war- combatant.
Consider the maintainer who did the “delete all files on servers with Russian IP addresses.” This could be construed as an act of war against Russia. Would Russia be wrong to commit acts of war against this person? If the server performed some life critical task like operating hospital equipment or air traffic control or whatever, this change could have resulted in loss of life (so many mistakes in using JavaScript in such cases but set that aside for a moment). If lives were lost as a result, would Russia be wrong to use lethal force against the maintainer?
Disclaimer (sad that you have to add this these days; it should go without saying): I only use this as an example. I think Putin is a thug and I think that it goes against most westerners’ values, mine included, for nation states to preemptively invade other nation states. I’m not apologizing for or justifying any act by Russia. I have deep sympathy for people in Ukraine who just want to live their lives and not be killed or have their stuff destroyed.
>If lives were lost as a result, would Russia be wrong to use lethal force against the maintainer?
Yeah, unless they want to admit that they’ve been waging war against the entire western world by allowing their homegrown ransomware groups to operate with impunity.
If we go by your logic, Western countries should have turned Moscow into a giant glass parking lot after NotPetya, a destructive wiper worm released by the Russian government targeting the entire world.
Luckily you’re alone with your thinking.
And there are levels of warfare between "nothing" and "nuclear", in case you hadn't noticed. And North Korea and China are doing state-sponsored attacks against US targets, commercial and government and military. It's not clear to me that NoPetya was state sponsored, it's ransomware. The RF is not a bastion of law enforcement and justice; I agree that they do a terrible job of controlling organized crime activities, both cyber and non-cyber.
[1] https://www.vice.com/en/article/dypeek/open-source-sabotage-...
You're implying that wars have no rules. This is very much not true, not legally and not morally. You should read the 4th Geneva Convention to disabuse yourself of this dangerous misconception: https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/INTRO/380
>In wars, principled stands don't win
And excessively unprincipled stands can get you sent to The Hague to be prosecuted for war crimes.
Now, I'm not saying that deleting some files is a war crime. What I'm saying is that your reasoning for why it is legitimate is flawed.
I even doubt that you would agree with your own reasoning given some other examples. E.g., would you not agree that while we can ask McDonalds to stop doing business in Russia, it would be a crime for them to start poisoning their Russian customers?
In the current climate I am not sure anymore that people would disagree with poisoning Russians. Here in Germany they started to purge everything Russian (except people) and also agitating against Russians in general. It feels like we learned nothing from WW2.
From what I've seen there seem to be worldwide movements in that regard, that are even overboard for cold war propaganda.
edit: added "except people"
[1] https://www.axios.com/russian-businesses-us-vandalism-threat...
Unless you're from the US, in which case the US will invade Netherlands to get you out of there. Apparently, there is a law (from 2002 IIRC) which allows the US to do this legally.
Same goes for Russia, China, Iran, Saudi Arabia, and a lot more countries that did not sign (or ratify) the Rome Statute.
> One of the principles of international law is that a treaty does not create either obligations or rights for third states without their consent, and this is also enshrined in the 1969 Vienna Convention on the Law of Treaties.[149] The co-operation of the non-party states with the ICC is envisioned by the Rome Statute of the International Criminal Court to be of voluntary nature.[150]
For Russia, China, and the US there's literally nothing that can be done: while the "members of UN Security Council" are "compelled to co-operate" with the ICC, these members can veto anything that comes up.
In other words, if you're from one of non-signatories, you can willfully kill, torture, subject to inhumane treatment, perform biological experiments, steal and destroy property, take hostages, unlawfully confine, transfer, and deport, and even willfully cause great suffering without fear of any kind of prosecution.
Does Geneva Convention make a difference? I only learned about ICC and Rome Statute, and it was disheartening enough for me to stop reading, so it's a genuine question.
Yes I think it does. Whatever the limits of enforcement, it means something that all the countries you mention are signatories to the Geneva Conventions I - IV.
Even if these countries refuse to extradite their citizens to The Hague, it doesn't necessarily protect war criminals from prosecution in their own countries. They are still breaking the law.
Of course the practical problem is getting hold of the suspected war criminals.
https://en.wikipedia.org/wiki/Universal_jurisdiction
https://www.justiceinfo.net/en/39791-international-crimes-sp...
Publishing malware is, and should remain, protected expression.
That said, such a law is difficult to enforce, in a justice system as moribund as ours, so instead we rely on (probably wrong) heuristics about what specific behavior makes us safe, and indeed, whether or not our resources have already been breached. Such behavior is what drives the overwhelming dominance of GMail, which is itself a remarkable tool with which to learn about any person group corporation government on the planet. So in terms of utility its hard to argue that malware is a good to society. Write a malware that installs a patch to prevent a 0-day in known use by a state actor, then I will be a malware fanboy. Not until then.
But in all seriousness, that was one of the most jarring things I found when switching from a Java/Maven stack to JS/NPM. Both Maven and NPM offer similar features for managing dependencies, but anecdotally I found the folks managing Java projects to be a lot more obsessive about carefully managing their dependencies while in the NPM world, it seems almost to be a "best practice" to just use open ranges for your dependencies and automatically update them...
This isn't enforceable in quite a few jurisdictions anyways. The best you can do is "No warranty to the extend permitted by law" at which point this specific use case is pretty much no longer relevant.
If it is advertised as malware, yes. But if it is advertised as a working open source project - but in reality is malware, then this just destroys trust into open source in general.
I guess it is good, that these things come up, to think about why we trust the dependencies and repositories and their maintainers.
Because it seems, no we cannot just trust them. And now I am more conscious about it.
OSS should be about technology and not politics.
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
Its fitness for any particular purpose was expressly disclaimed, in all caps.
I'm not sure what people think they did wrong here. You're allowed (and should be allowed) to publish malware, it is up to consumers to not install software they don't want to run.
What more warning could they have possibly posted beyond this one?
If they just hand you food without a word then (at least in quite a few jurisdictions, but maybe not all) they are liable.
> as of v11 this module uses the peacenotwar module.
Over on its NPM site: https://www.npmjs.com/package/node-ipc
And as far as i can tell they bumped up the major version by a digit. Whether or not that counts as a "Bright red warning" i don't know but personally i believe that a warning notice + a major version bump should be enough. Those who don't care about that would most likely not care about a bright red warning on the repo page either.
It's clearly a questionable thing to do, but is it illegal?
No normal person would see "peacenotwar" for the first time and assume it does something bad.
This counts as "no warning whatsoever", and no competent lawyer would say it's a warning message.
it more or less just makes it difficult for updates to propogate, which is arguably a good thing.
Socket turns the whole npm security problem on its head and asks: what if we assume all open source may be malicious? Can we proactively detect indicators of compromised packages? What's the simplest way to mitigate this risk without hurting usability?
In your FAQ, it says "We're working to make Socket the best open source security tool.", this was confusing for me, as I got the impression that Socket's codebase is Open Source, and I went looking for it.
Maybe "We're working to make Socket the best security tool for open source packages" would be less confusing.
Socket’s not open source at this time, but we’re releasing a CLI in the coming week if the GitHub App doesn’t suit your purposes.
https://www.youtube.com/watch?v=lZ8s1JwtNas https://github.com/artemdinaburg/bitsquat-script/
https://socket.dev/npm/issue/telemetry https://wiki.debian.org/PrivacyIssues
detects Chinese malware -> Threat Alert detects NSA malware -> Silent pass-through
I mean I guess I'm a pessimist, but also, I think I'm really a realist.
I build my nodejs/npm stuff in containers. Actually I build almost everything that way.
There are a lot of advantages in addition to the security gains, such as that I don't need to rely on every javascript programmer in the world understanding semver (they don't, and I have wasted more of my "sanity" on tracking down API changes and sloppy type contracts than I ever have spent cleaning up after malice.
Case in point, I have no idea. I know it's something related to the cloud but none of my clients are using it.
And their Wikipedia article is filled with buzzwords and no explanation of what it does, which doesn't exactly give me confidence that it'll be useful for regular companies. "Infrastructure as code"... so Ansible or docker compose? In any case, you don't need it if 2 HA bare metal servers do the job.
It would be overkill for many things that have a single, fairly static configuration, but for things like ensuring that a dev and prod cluster have the same configuration, it’s a lifesaver.
Version Control for Cloud Configurations
(not affiliated in any way, just a happy user)
That's a lot of people who can.
i don't know any, but they sure do exist
What’s the logic here? Why are supply-chain attacks inherently bad?
So, are the sanctions which attack other kinds of supply chains in Russia also bad?
Or is software an exception? Why?
Just like, overthrow the government - it's so easy!
And if you don't have the guts - well, don't be mad when someone deletes all your files, you collaborator!
Many average Americans directly benefited from US wars as military employees and contractors.
In a way that already has happened in Russia. The sanctions did not lead to less (or more) support for the war. The initial sanctions were justified as they targeted the russian state, but the knee jerk reaction of also imposing sanctions that explicitly were aimed at the population lead to nothing but resentment against the west.
Whether you are on the morally right side or not, it does not matter in that context; you cant really debate your way into convincing someone that you are doing something for his own good when you are doing everything you can to also make him suffer
If the intention is just to hurt them for the war, then sure that will work as intended... but I think it's dishonest to pretend we are doing it for anything more "noble" than that
If nothing works I prefer to apply punishment in hopes that smart Russians emigrate and Russia will crumble. And yes, punishment should affect more civilised and smarter Russians too to either motivate them to clean up their country or leave it.
It's war, so again no moral judgment on that, but sugar-coating it is even worse than admitting the truth.
A bit off topic but if you think the west was supporting and hugging russia or ukraine in the 1990s and 2000s, you might need to revisit how we got here.
There's just no need to pretend it's for their own good when it's trivially easy to prove that sanctions rarely lead to the end of a dictatorship. Just look at Cuba,Iran,NK or even venezuala.
And trust me, democaracy that we got out of discontent stemming from economic devastation is worth every hardship we endured.
True, but the Iraq War was a net negative for the vast majority of Americans, even just financially.
And pushing America's economic interests like prolonging dollar as main currency of resource trade was huge benefit to every USA citizen because main USA export is the dollar. That's why USA van run deficit for decades and be the richest country on Earth.
People like Putin don't need software but people who oppose him do.
Every post-communist county did that on their own.
It can be done. So Russians can do it too. They just need proper motivation.
And that motivation for countries that did that was abject poverty that made the people realise that course change is needed.
No they haven't
https://ti-ukraine.org/en/news/no-progress-ukraine-s-result-...
And you are going to judge what system of power Ukraine has based on 2021 datapoint?
How quickly did your country got rid of corruption that plagued it?
It's a process that just stars with replacing corrupt system of power. You need to adjust whole public sector after that. It can take decades.
'Russian Developers' are material to the development of the Russian economy, which is the basis for which the war is projected.
Sanctions could very well spread into software in which FOSS would likely be a part of it, and the terms of the licensing may not really matter.
It's for the same reason that Intel, Nvidia and a host of others have dropped shipments, at least for the time being.
How far would you follow that logic? Which Russians should be harmed, in your opinion, and how much?
No need to harm 'ethnic or cultural' Russians
Just Russian citizens with wealth or those insidevthe legal jurisdiction of Russia.
BTW, you should know that sending money to Russia is almost an impossibility as it is. For example, living in Russia, I couldn't accept a consulting job from Kazakhstan because we couldn't figure out a way for them to pay me.
We have proportionality, we draw lines, we target individuals differently that government than industry than high tech that commodities than consumer services etc..
In my view, we should be doing much more, borderline embargo.
Russian military gains in Ukraine will never, ever be conceded by anything other that either force or 'near collapse' of economic conditions (or overthrow of regime).
Russia can 'put bodies' in Crimea, NW of Kyiv basically to act as targets forever, Kyiv doesn't have the manpower to route them even if they can defend themselves.
Strategically, this implies Russia can merely endure some local pain and make permanent territorial gains.
In 10 years, this war might be like Afghanistan or Iraq, something that '55-75 demographic' watches on the news but otherwise everyone else is busy on TikTok - which is what Putin wants.
He can definitely win the war of attribution because he has a much longer frame view of things, and is willing to pay the cost of 'No Volvos or Starbucks for 25 years'.
Other nations that play the long-tame (like China) are watching.
Whether or not it results in political change is irrelevant - a crippled Russia is a sufficient end all in itself, just like dead soldiers are a sufficient end all in itself during a war. Wars rarely end with a government being overthrown, but they do often end when a government decides that peace is the better option. Bombed cities, dead soldiers, and starving children are the calculus that pushes governments towards making that decision.
Unless you're targeting military forces or infrastructure in those cities, bombing civilians is a war crime. Of course, who gets tried as a war criminal or not mostly depends on who wins
Given that our militaries don't balk at drone striking weddings and funerals, I can't see how they would take much issue with dropping a couple hundred bombs on a refinery, or a rail yard, or a line of tanker trucks. Which are all things that have been done since 1945, and as far as I'm aware, nobody has been dragged off to the ICC for it.
I imagine the rate of support would be higher if it was a conflict where we weren't the aggressor.
But most Russians affected by these aren't shooting back. They aren't conscripts or have anything to do with the war (doubly so now that sanctions are in effect).
Shooting at solders trying to hurt you is one thing, but that's not what's happening here.
Me refusing to transact with you isn't a war crime.
You refusing to transact with me isn't a war crime, but your line of thinking where normal citizen activities are similar to conscripts shooting at you can certainly lead to one.
It's one thing to target citizens who work on applications for the military, and another to target open source devs because they happen to be Russian. If you can't acknowledge this distinction then I'm afraid we have to agree to disagree.
Also please don't put words in my mouth. Strawmen will get us nowhere.
I hate XXX (insert any English speaking politician from Western World), yet I am speaking in English. Shock! Tools are a-political. Could you believe that?
Trust that all programmers started to place in open source maintainers maybe a decade ago out of sheer lazyness is absolutely insane.
Pulling freshest code out of thousand libraries automatically into the medium security project that you are building is absolutely crazy.
It's inviting thousand strangers to run code on your machine which contains your comercial creation and data. Without any protection whatsoever besides "trust" which is just another word for laziness and being hopeful.
The faster we can ditch this trust, the faster we will develop actual protections, vetting processes, delaying updates, caching, forking, so we can isolate our work from the thousands of wonderfull people all of which are one bad day from wiping all your files.
But we have a test suite and a whole CI/CD pipeline to verify everything works! /s
/Until you realize your tests only cover what they cover in the way they cover it.
//Until you realize there is no test suite at all and it's all verified in production.
///It's not like you read the library's code until something was *really* broken or *super* slow anyhow.
leftpad.js wasn't even malicious action. Just one developer withdrawing his code from the community.
Imagine what would happen if one dev of popular package just had a nervous breakdown and did rm -fr / on his next update. Or delete the contents of the repo it is a dependancy of and do a force push.
We have zero systems in place that could catch it before work of thousands of people is destroyed.
OR we can just do whatever the fuck we want, solving our problems and/or making money. But if we do it without the rigor of real engineering, we can't exactly blame OSS or the devs that provide the OSS for this choice. It's entirely our fault if it goes south.
It’s understandable why people moved to the uncurated systems, it’s so much easier to publish and so the variety of what’s available is brilliant. But I don’t think the tooling is there yet with all the languages that use them. Really we should have the ability to control permissions at the library level, choosing specifically what they can do.
Deno is doing some interesting things at the app level but has any language done anything with library level permissions?
Maybe we will see a movement back to the curated package managers, there may even be an opportunity to provide a curated service layer over the uncurated package managers like PyPi and NPN, possibly a paid service?
Java Security Manager?
Anaconda comes to mind, and I've heard that for Haskell there is Stackage
Also AFAICT, Rust's package manager is uncurated? So is Swift's but AFAIK Swift doesn't really have an "official" manager and so doesn't have the conditions for the same level of popularity/accessibility.
Maybe that suggests no package manager is better? The C/C++ way? Because spreading malware is harder? Of course conversely, excepting exploit fixes is harder.
In almost every way the problem comes back to the same basic failure which ransomware represents: OS level data and access is boring, but user level data and access is wide-open and you grant it constantly to all sorts of things - its hard-to-impossible to put comprehensible, maintainable barriers around stuff and we lack the tools and programming constructs to enable this - i.e. you can't write software where it will, without you doing a lot of work, upfront declare what files its touching and how in a deterministic way.
In a similar fashion, developers may choose who can and cannot use their code. In fact, depending on how your government's sanctions are structured, you may even be obligated to not license code to developers in some countries.
Using malware to overwrite random files against random Russian IPs is obviously stupid. I'm sure the dev will get to explain his case to a judge at some point. The Terraform thing, though, is different; it's not malicious, merely political.
However, I think the assertion that software "should not be political" is silly. All software is political. Open source licenses stem from American ideals of freedom, for example, and are designed to work in the American legal system above all else. Then there are the implied cultural contexts; the list of software that only works in left-to-right configuration or even fail to just accept standard unicode input is laughably huge. The amount of times I've had to adjust software to work with alternative decimal separators...
Independent developers can (and probably should) decide to mostly focus on the problem they themselves are trying to solve. If that doesn't work for someone else, they can either ask (and possibly be denied) alterations to extend the solution to their problem space, or suggest additions by extending the software themselves, but in essence, cultural and political assertions are everywhere throughout "open source".
Protestware has been around for quite a while, but I think this is one of the first times we're seeing high profile developers take a stance. Whatever risk this is exposing was always there; we can try to hide the risks of open source, but in the end, that's just covering them up.
I agree that protestware should not be considered open source, but any open source project can turn into protestware at any time, and it always could have. This is why groups like Debian and companies like Canonical are important: they use their organization to produce a unified view that you can rely on. Debian applies patches to align software with their views in several ways. The result is that software is often re-packaged and is deployed slower than upstream, but stuff like this doesn't get into your systems. The Python/Pip/Cargo/Go way of distributing dependencies directly, rather than using some kind of unified repository, exposes you to the risk of open source software becoming protestware, but it doesn't have to be that way.
Developers scrutinize Debian and Ubuntu for packaging old software, but you can safely develop against their dependencies. This is the open source that can be trusted, to a usual extent. In my opinion, the trust developers place in random usernames on NPM is misplaced, and the extensive dependency graphs modern frameworks require make that problem so much worse.
To those saying that it's bad that innocent Russians are getting hit by this: that's the point. It's also why sanctions are only applied in extreme circumstances. Foreigners can't tell other governments what to do, the best the rest of the world can do is hope or incentivize a country's citizens to make their government change their minds.
Also the title is a bit click-baity. The protestware example is clearly weaponization of OSS but the other examples are not.
I slighly edited the last part of that sentence to highlight a problem with this kind of thinking. I do understand that the author may prefer all their software dependencies using some well known license like "Apache 2.0" instead of dozens of variations of "Apache 2.0~modified"
This is because much of politics is currently driven by a global set of fascist/authoritarian govts and sponsored 'movements' pushing to destroy democracy. This is, IMO, back to the pre-cold war days, but stripped of all the "--isms" and ideologies.
It is now either self-determination for the people via democracy, or live under rulers like Putin, stripped of any cloking ideology. This is being strongly pushed/sponsored globally by Putin's govt; the Chinese are going about it differently with the 'Belt & Road' initiative and other exploitative agreements.
The grand experiment has been tried. It was thought that free trade exchanges and greater information flow from free nations would cause freedom, self-determination, & democracy to the former Communist nations. It did not. In trying to prove the thesis, the test proved the opposite, and enriched the authoritarian states.
Russia's ongoing assault on Ukraine since 24-Feb-2022, and the ongoing blatant war crimes including specific instructions to ignore civilian care[0], cluster munitions on civilian targets[1], or bombing a theater/shelter with "Children" written on the pavement outside [2], and it's support by ~70% of the deluded RUS population, show what can be expected from yielding to or appeasing authoritarianism.
It now really IS you are with us, or against us.
You are either in favor of democratic self-rule for all people, or you are against it.
This is war, and we are fighting against those who are happy to be war criminals.
It is important to take every measure, and "weaponizing" open source is among the least of the things that can be done to help.
[0] https://twitter.com/cnsnews/status/1504494016137555968?cxt=H...
[1] https://www.bellingcat.com/news/rest-of-world/2022/03/11/the...
[2] https://www.npr.org/2022/03/17/1087164709/ukraine-mariupol-t...
So can I assume that you were protesting against Spain's suppression of the Catalan independence referendum in 2017?
https://en.wikipedia.org/wiki/Catalan_independence_movement#...
The Spanish police reaction detailed in your linked article tells us much and gives reason in itself to support it. (The only thing that would change my mind is sound information that it is not the a grassroots people's movement that it appears and is instead some sponsored fascist movement like Brexit)
And no, they would not. IIRC disguising military locations as civilian, or using civilians as human shields is itself a war crime. The Ukranians are not doing that.
What's your excuse for the maternity hospital? Firing on civilians in a prearranged exit route/cease-fire? Cluster-bombing civilian areas? I could go on for pages and pages, and the War Crimes case is already starting, and being substantiated up to the level that the POTUS and SecState are specifically speaking of Putin as a "War Criminal".
Thanks for demonstrating my point about the how otherwise intelligent people can still have insane levels of self-absorbed myopia and inability to understand moral issues, and lack of perspective.
You need a serious rethink. Yikes
Ukraine publicizing Russian prisoners of war is a violation of the Geneva Conventions (<https://www.hrw.org/news/2022/03/16/ukraine-respect-rights-p...>), yet that keeps occurring.
Your being so certain that, if Russia did not fire on locations marked as being filled with "children", that Ukraine would never ever put soldiers in them, may be misplaced.
This far from the first time that this kind of deliberate violation has been done by Russia.
Also, the doxxing of prisoners, while bad, is on a whole different level than these.
Even if the "ism" in question is mostly just about power :
https://www.telospress.com/cornelius-castoriadis-on-russian-...
If this is about specifically Putin possibly not believing in anything than power -
(his claims to care about Russians are hard to believe considering how they are a majority in several of the currently bombed cities)
- then the same thing could have been blamed about Stalin already.
My faith in science was never in the moral character of scientists and their organizations - individuals and organizations are always vulnerable to corruption. My faith was in the principle of replication. If anyone can repeat an experiment, we can all see for ourselves what is true, and a community dedicated to that (and individuals with a healthy fear of the process) is reliable.
Only, we don't replicate experiments. We got so busy and excited building on what had gone before that we've built some huge houses of cards on questionable foundations, because who wants to spend time and money doing replication? Distracted by the free riches, we neglected what had always been the source of our strength, and here we are - arguing over who funded studies and fuming over the replication crisis.
Where are the critics who say, "I can't trust that paper - it's impossible to replicate!" Where are our Poppers who insist on falsifiability? An entire community that frowned on complexity and opaqueness and walled gardens of data, a community that trusted things insofar as they had been replicated and re-examined from many angles and proven sound, would force us towards a level of simplicity, honesty, and reliability that science should have. Instead, a general agreement to pursue individual and institutional glory at the expense of upholding foundational principles has rotted the foundation of the endeavor.
Put simply, I trust science because you can replicate it. But for whatever reason, (and I can't propose a specific solution, but), to the degree our community is not devoted to replication, it loses its trustworthiness.
Software has a parallel problem.
I don't trust open source software because I trust the character of developers or institutions. I trust it because it can be examined and fixed. Because of reproducible builds. Because anyone can examine it, anyone can build it, no trust of individuals or organizations is needed. A community that insists on such features and abhors offerings that offend these principles will steer us towards a level of simplicity, comprehensibility, reproducibility that open source software should have.
But we are all so excited to build things on top of other things that we spend much more time multiplying dependencies and layering on complexity than worrying about foundational principles. We are now seeing the rotting foundations.
There are people who complain about whether code can be examined, or factors that make it difficult. It is becoming increasingly important to listen to them! A community that celebrated open source software, not only for what it can functionally do, but for how open it is, is what is needed to maintain those foundations. A community that has trust issues with unexaminable long dependency chains, that is sensitive to the difference between software that has been around the block and examined for a long time, and software that some guy just put out last night.
Put simply, I trust open source because you can examine it. But for whatever reason, (and I can't propose a specific solution, but), to the degree our community is not devoted to examination, it loses trustworthiness.
Reserve your trust for communities that take seriously the principles that trust is built on.
The problem with those NPM packages, or better said, the approach they are taking is that it is a double-edged sword. IP blocks can be sold and bought. Today they belong to someone in Russia you don't mind targeting, tomorrow it's someone else entirely. Today you put in a trigger to turn your code into malware, tomorrow someone finds a way to flip that trigger at will. Bad things ensue.
Not providing services to Russians is another thing and that could work. Limiting downloads by the country is okay in my books. After all, you block IPs that try to DDoS you, so banning IPs of an aggressor country that is fond of murdering civilians is fair game too. Radio silence their contributions. Don't respond to their support requests. Close the issues they open as if they never existed. Of course they can find alternative ways to download stuff, fork, implement the necessary changes themselves, but it's jumping through the hoops. Let them jump extra and then some.
Stop providing documentation in Russian, kick some people off the team/mailing list. Make the OSS you're responsible for be, for all intents and purposes, unmaintained piece of software if the user is from an aggressor country.
These are ways of sabotage I can stand behind. But putting in actual malware is rather where I draw the line.
And why not Python, or Java, Ruby, anything. Maybe we'll all end up running Tails.
Edit: if something like that happens, how long before certifications require that no unvetted code is used in projects or no open source at all?
2. Develop inside a containerized environment... it's pretty easy with things like VS Code's remote extensions.
3. Consider looking at Deno as an option over Node for new projects.
Doesn’t seem like the argument holds for open source as a whole, especially looking at gpl and apache2 licensed projects.