Political activism kicks FOSS in the nuts

Criminals and political activists are using open-source projects to unleash ill-conceived cyber-terror operations.

Some of you might already be aware of a very unfortunate turn of events in a number of formerly open-source projects like node-ipc (a part of vue-cli) and a few others. TL;DR: some politically motivated hot-shots have decided that it would make them stand for human rights and whatnot if they added bits and pieces of cyber-terror tools to publicly maintained packages to “punish Russians”. Or, in this case, software developers who might be using IP addresses rightfully or incorrectly perceived to belong to address pools allocated to the Russian Federation. Such tools may vary from zero-day exploits to encryptors and, perhaps, some others I didn’t bother to check.

Leaving the discussion of the obvious idiocy and outright criminality of such actions as readers’ homework assignment (you can check here, here and here just to get a gist of the consequences of being an idiot), I really want to bring up a very different point. Namely, I want to discuss how a very few infantile, pimple-faced, soy-fed creeps with psychological issues and low testosterone levels can cause great damage to a great movement many of us have dedicated decades of our lives to.

Yes, I am talking about loss of trust and reputation damage to the open-source movement as a whole. Like many of you, my software stack is predominantly open-source or based on frameworks and libraries maintained by communities around the world. I rely on these bits, pieces and whole systems both for my personal and professional life. After browsing through examples like the above, my professional paranoia has kicked up to 11.

I have a lot of friends and business partners in Russia. And I am not giving in to the silly and poisonous propaganda from TV, MSM and our elected representatives trying to convince me that I have to break all my ties with Russian people, eat lentils and kill my dog to punish some politicians living 8,000 miles from me on the other side of the planet.

However, from now on I literally have to start watching my six with every update of my software stack and every installation of software on any of my devices (yup, good riddance Mozilla), because I have no easy way – correction – no way AT ALL – to know if such an update or installation won’t wipe out or encrypt my hard drive, or worse. If you aren’t worried about such possibilities – you should start now. If you think I am out of touch with reality – you might want to check your head first.

The trust is lost, ladies and gentlemen ;( Only time will tell how bad the fallout will be. If you are a part of an open-source development community, start paying attention to what dependencies your project pulls in; pay extra attention to code changes during code reviews. The reason is simple: once your own project – even inadvertently, through a third-party dependency or code injection – becomes an attack vector and causes damage to your customer, you can stick a huge fork into your work, ’cause it is done for good.
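One concrete way to “pay attention to what dependencies your project pulls in” is to diff the lockfile before accepting an update. The script below is an added example, not code from the original post or from any of the projects mentioned: it compares two npm lockfiles (package-lock.json v2/v3 `packages` maps, as loaded with `json.load`) and reports new, removed and version-changed entries, plus any entry resolved from a host other than `REGISTRY_HOST`, which is an assumption about the only source you expect. The sample lockfiles and package names are constructed.

```python
"""Diff two npm lockfiles so a reviewer sees what an update actually pulls in.
Added example; REGISTRY_HOST is an assumption about the expected source."""
from urllib.parse import urlparse

REGISTRY_HOST = "registry.npmjs.org"


def _deps(lock: dict) -> dict:
    """Map node_modules path -> (version, resolved URL); skips the root entry."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the project itself, not a dependency
            out[path] = (meta.get("version"), meta.get("resolved", ""))
    return out


def diff_lockfiles(old: dict, new: dict) -> dict:
    """Report added/removed/changed deps and any not resolved from the registry."""
    before, after = _deps(old), _deps(new)
    report = {"added": [], "removed": [], "changed": [], "off_registry": []}
    for path in sorted(after.keys() - before.keys()):
        report["added"].append((path, after[path][0]))
    for path in sorted(before.keys() - after.keys()):
        report["removed"].append((path, before[path][0]))
    for path in sorted(before.keys() & after.keys()):
        if before[path][0] != after[path][0]:
            report["changed"].append((path, before[path][0], after[path][0]))
    for path, (_, url) in sorted(after.items()):
        if url and urlparse(url).hostname != REGISTRY_HOST:
            report["off_registry"].append((path, url))
    return report


# Constructed sample lockfiles; package names, versions and URLs are made up.
OLD_LOCK = {"packages": {
    "": {"name": "app"},
    "node_modules/ipc-lib": {"version": "1.0.0",
        "resolved": "https://registry.npmjs.org/ipc-lib/-/ipc-lib-1.0.0.tgz"}}}
NEW_LOCK = {"packages": {
    "": {"name": "app"},
    "node_modules/ipc-lib": {"version": "1.0.1",
        "resolved": "https://registry.npmjs.org/ipc-lib/-/ipc-lib-1.0.1.tgz"},
    "node_modules/ipc-lib/node_modules/colors-helper": {"version": "0.0.1",
        "resolved": "https://example.invalid/colors-helper-0.0.1.tgz"}}}

if __name__ == "__main__":
    for kind, items in diff_lockfiles(OLD_LOCK, NEW_LOCK).items():
        print(kind, items)
```

A bumped transitive dependency that arrives from an unexpected host is exactly the kind of change that deserves a close read of the code before merging.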

I am truly hopeful that the proverbial “thousands of eyes” will be able to spot not only bugs in the open code, but security threats and cyber-terror injections before it is too late!

Cooler FOSS’ heads prevail once again

As you have seen in my last post or elsewhere, Facebook has recently added a dubious patent clause to the license of multiple projects including ReactJS. And predictably, a number of organizations, companies, and open-source advocates made it clear that it’s way too dangerous to keep on using code with such restrictions because of possible legal repercussions.

Well, I am pleased to tell all my readers that they have back-tracked on this after the Apache Foundation, WordPress, and many others expressed their clear intention of switching to safe alternatives to React.js and other frameworks from FB, or banning their use. As you all know, FOSS is a free-market ecosystem; it thrives on the forces of intellectual competition, always offering multiple choices to its users. And this approach won again: facing the danger of losing their user base and, effectively, rendering themselves irrelevant, they made the decision to, once again, re-license some of their projects under MIT.

Namely, ReactJS will be released under the new license. So if you are using it – make sure to update your dependencies to v.16 once it is out next week. Remember, re-licensing isn’t usually retroactive, so don’t fall into that trap.

Disclaimer: I am not using, planning to use, nor recommending any Facebook-sponsored projects.

And let the Dao be with you, as usual 😉

Facebook licensed code is kicked out

In a somewhat recent revelation about the pitfalls of the infamous Facebook “BSD + Patents” license, FOSS developers are becoming more acutely aware of and alarmed about the consequences.

I won’t bother you with many details, as they are readily available elsewhere. I just want to point out that Facebook is hedging their open-source “exposure”. What they are effectively saying is “Go ahead and use our awesome stuff. But if we ever decide that you’re competing with us, we’ll yank your licence to use our frameworks so fast your shoes will fall off.” It doesn’t matter if someone has developed this code for you: you won’t be able to use it anyway.

That’s the essence. It is the original intention of the license behind ReactJS and a few other frameworks. And that’s why the Apache Foundation has moved the license to Cat-X, prohibiting any of its projects from touching things like ReactJS. Facebook software is NOT compatible with projects developed under the widely accepted and respected ALv2.

Here’s the excerpt:

Facebook BSD+Patents license

The Facebook BSD+Patents license includes a specification of a PATENTS file that passes along risk to downstream consumers of our software imbalanced in favor of the licensor, not the licensee, thereby violating our Apache legal policy of being a universal donor. The terms of Facebook BSD+Patents license are not a subset of those found in the ALv2, and they cannot be sublicensed as ALv2.

These are the unintended consequences of meddling with well-thought-out open-source software licenses. That is the beauty of open-source: if you’re trying to lock people in or out – they will move. It doesn’t matter how much money you have, how big you are, nor what your SJW position is. Developers will go, and the users will as well.

I’m sure we haven’t heard the last of it yet. And that’s the damning and loud application of the golden rule!