|Developer Sabotages Own Code|
|Written by Sue Gee|
|Thursday, 13 January 2022|
The two open source projects that earlier this week caused concern to the companies and individuals that rely on them are “faker.js” and “colors.js”, both originally developed and maintained by Marak Squires. The former receives 2.8 million weekly downloads and supports 2,500 projects, while the latter is downloaded 20 million times per week and supports 19,000 projects.
Colors.js is a small utility that lets you add colored text in console output. According to Paul Ducklin, writing on the Naked Security blog:
the project’s founder [Marak Squires], after not publishing any updates since 2019, suddenly added new code to take the release number from
The so-called "American flag" module repeated the word "Liberty" and an ASCII flag and introduced two other unwanted features - an infinite loop that prints the text
The update also introduced a function called
Faker.js generates dummy data for purposes of testing and rather than corrupt its code, Squires has removed it. Squires had already signalled dissatisfaction on its repo with a message from over a year ago:
While this message suggests a pecuniary motive, in removing the code, which he did with the commit message "endgame", Squires replaced the ReadMe text with the question, "What really happened with Aaron Swartz?". This, of course, is a reference to the Internet activist who, as we reported at the time in 2013, apparently committed suicide while facing trial over stealing 4.8 million articles from the JSTOR journal archive via the MIT network, articles he thought should not be behind a paywall, with the aim of making them freely available online. Squires is known to subscribe to a theory that Swartz may have been murdered in prison.
As well as reverting both repos on the npm registry, GitHub also suspended Squires' access, albeit temporarily, telling the Independent:
"GitHub is committed to ensuring the health and security of the npm registry. We removed the malicious packages and suspended the user account in accordance with npm’s acceptable use policy regarding malware, as outlined in our Open Source Terms”,
Any suspension seems unreasonable if you consider that the code in the repos belongs to its originator/maintainer. Yes, it is open source in that you can fork it and contribute to it, but does this mean that GitHub is justified in denying you the right to change or even destroy your own code? Where is the "due process" in these decisions? Where is the right of appeal? GitHub is acting as judge, jury and executioner in these matters, and while you might agree with its current action, what about when it gets it wrong?
|Last Updated ( Thursday, 13 January 2022 )|