Developer Sabotages Own Code
Written by Sue Gee
Thursday, 13 January 2022

The developer of two popular JavaScript libraries has sabotaged them, apparently in protest at not receiving financial recompense from corporates for his work. GitHub temporarily suspended his account in what many would regard as an unwarranted intervention.

The two open source projects that earlier this week caused concern to the companies and individuals that rely on them are “faker.js” and “colors.js”, both originally developed and maintained by Marak Squires. The former receives 2.8 million weekly downloads and supports 2,500 projects, while the latter is downloaded 20 million times per week and supports 19,000 projects.

Colors.js is a small utility that lets you add colored text to console output. According to Paul Ducklin, writing on the Naked Security blog:

the project’s founder [Marak Squires], after not publishing any updates since 2019, suddenly added new code to take the release number from 1.4.0 to the somewhat unusual version identifier of 1.4.4-liberty-2.

The so-called "American flag" module repeated the word "Liberty" and printed an ASCII-art flag, and it introduced two other unwanted features. The first was an infinite loop that prints the text "testing testing ... testing" over and over again:

[Image: console output from the colors.js infinite loop]

The update also introduced a function called zalgo which performs zalgoification, a way of making regular characters look weird by adding spurious diacritical marks such as accents, cedillas and umlauts. Zalgoed text is not only meaningless, it also puts a heavy load on the underlying text rendering software that has to display it.

Faker.js generates dummy data for testing purposes and, rather than corrupting its code, Squires has removed it. Squires had already signalled dissatisfaction on its repo with a message from over a year ago:

[Screenshot: Squires' message on the faker.js repo]

While this message suggests a pecuniary motive, in removing the code (with the commit message "endgame") Squires replaced the README text with the question, "What really happened with Aaron Swartz?". This, of course, is a reference to the Internet activist who, as we reported at the time in 2013, apparently committed suicide while facing trial for stealing 4.8 million articles from the JSTOR journal archive via the MIT network, articles he thought should not be behind a paywall, with the aim of making them freely available online. Squires is known to subscribe to a theory that Swartz may have been murdered in prison.

As well as reverting both repos on the npm registry, GitHub also suspended Squires' access, albeit temporarily, telling the Independent:

"GitHub is committed to ensuring the health and security of the npm registry. We removed the malicious packages and suspended the user account in accordance with npm’s acceptable use policy regarding malware, as outlined in our Open Source Terms."

Any suspension seems unreasonable if you consider that the code in the repos belongs to its originator/maintainer. Yes, it is open source in that you can fork it and contribute to it, but does this mean that GitHub is justified in denying you the right to change or even destroy your own code? Where is the "due process" in these decisions? Where is the right of appeal? GitHub is acting as judge, jury and executioner in these matters and, while you might agree with its current action, what about when it gets it wrong?

The other issue raised by these events is how to adequately recompense individuals for the work they put into the open source software that underpins other, larger, pieces of software that allow mega corporations to make huge profits. In this case these JavaScript libraries are used by Amazon's Cloud Development Kit, part of AWS. Even though colors.js and faker.js benefit from sponsorship that aims to ensure that open source communities get paid for the work they do, there is a huge mismatch between what the developers who conceived and implemented popular packages like colors.js and faker.js receive and their value to the companies that re-use their work for free.

[Image: GitHub Sponsors]

More Information

https://github.com/Marak/colors.js

https://github.com/Marak/faker.js

Related Articles

Tributes for Internet Activist Aaron Swartz 

GitHub Sponsors - Money For Open Source

Taking Open Source Criticality Seriously

Open Source Contributors - Payment and Other Motivation

What Attracts Devs To Open Source


Last Updated ( Thursday, 13 January 2022 )