Political activism kicks FOSS in the nuts

Criminals and political activists are using open-source projects to unleash ill-conceived cyber-terror operations.

Some of you might already be aware of the very unfortunate turn of events in a number of formerly open-source projects like node-ipc (a part of vue-cli) and a few others. TL;DR: some politically motivated hot-shots decided it would make them stand up for human rights and whatnot if they added bits and pieces of cyber-terror tooling to publicly maintained packages to “punish Russians”. Or, in this case, software developers who happen to use IP addresses rightly or wrongly perceived to belong to address pools allocated to the Russian Federation. Such tools may vary from zero-day exploits to file encryptors and, perhaps, others I didn’t bother to check.

Leaving the discussion of the obvious idiocy and outright criminality of such actions as the readers’ homework assignment (you can check here, here and here just to get the gist of the consequences of being an idiot), I want to bring up a very different point. Namely, I want to discuss how a very few infantile, pimple-faced, soy-fed creeps with psychological issues and low testosterone levels can cause great damage to a great movement many of us have dedicated decades of our lives to.

Yes, I am talking about the loss of trust and the reputation damage to the open-source movement as a whole. Like many of you, my software stack is predominantly open-source or based on frameworks and libraries maintained by communities around the world. I rely on these bits, pieces and whole systems in both my personal and professional life. After browsing through examples like the above, my professional paranoia has been kicked up to 11.

I have a lot of friends and business partners in Russia. And I am not giving in to the silly and poisonous propaganda from TV, MSM and our elected representatives trying to convince me that I have to break all my ties with Russian people, eat lentils and kill my dog to punish some politicians living 8,000 miles from me on the other side of the planet.

However, from now on I literally have to start watching my six with every update of my software stack and every installation of software on any of my devices (yup, good riddance Mozilla), because I have no easy way – correction – no way AT ALL – to know whether such an update or installation won’t wipe out or encrypt my hard drive or worse. If you aren’t worried about such possibilities – you should start now. If you think I am out of touch with reality – you might want to check your head first.

Trust is lost, ladies and gentlemen ;( Only time will tell how bad the fallout will be. If you are part of an open-source development community, start paying attention to what dependencies your project pulls in; pay extra attention to code changes during code reviews. The reason is simple: once your own project – even inadvertently, through a third-party dependency or code injection – becomes an attack vector and causes damage to your customers, you can stick a huge fork into your work, ’cause it is done for good.
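As an added illustration of the advice above (this is not code from the original post), here is a small Python audit that walks a constructed npm dependency tree and flags the two properties that let a hijacked package run unreviewed code on your machine: floating version ranges, which pull in a new release automatically, and install-time lifecycle scripts, which execute during `npm install` before anyone reads them. All package names, versions and scripts below are invented for the example.

```python
"""Audit package.json manifests for floating version ranges and
install-time lifecycle scripts (the two things that let a hijacked
dependency reach you without a code review)."""
import re

# Exact, pinned version: 1.2.3 or 1.2.3-beta.1. Anything else (^, ~, *, >=,
# "latest", a git URL) floats and can silently resolve to a newer release.
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
# Lifecycle hooks npm runs automatically when the package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def audit_manifest(name: str, manifest: dict) -> list:
    """Return (package, finding) tuples for one parsed package.json."""
    findings = []
    for section in DEP_SECTIONS:
        for dep, spec in manifest.get(section, {}).items():
            if not PINNED_RE.match(spec):
                findings.append((name, f"unpinned {section} {dep}@{spec}"))
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            findings.append((name, f"install hook {hook}: {cmd}"))
    return findings


def audit_tree(manifests: dict) -> list:
    """Audit every manifest in a tree given as {package name: parsed JSON}."""
    out = []
    for name, manifest in manifests.items():
        out.extend(audit_manifest(name, manifest))
    return out


# Constructed sample tree (invented names): the project pins its direct
# dependency, but that dependency floats a transitive one which carries a
# postinstall hook. Pinning only your own deps is not enough.
SAMPLE_TREE = {
    "my-app": {"dependencies": {"example-cli": "4.5.0"}},
    "example-cli": {"dependencies": {"example-ipc": "^9.2.0"}},
    "example-ipc": {"scripts": {"postinstall": "node setup.js"}},
}

if __name__ == "__main__":
    for pkg, finding in audit_tree(SAMPLE_TREE):
        print(f"{pkg}: {finding}")
```

In a real project, feed it the package.json of every directory under node_modules (or the entries of your lockfile) rather than the constructed tree; a finding is a prompt to read that package's code before the next update, not proof of malice.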

I am truly hopeful that the proverbial “thousands of eyes” will be able to spot not only bugs in open code, but security threats and cyber-terror injections before it is too late!

Cooler FOSS’ heads prevail once again

As you have seen in my last post or elsewhere, Facebook recently added a dubious patent clause to the license of multiple projects including ReactJS. And predictably, a number of organizations, companies, and open-source advocates made it clear that it’s way too dangerous to keep on using code with such restrictions because of possible legal repercussions.

Well, I am pleased to tell all my readers that they have backtracked on this after the Apache Foundation, WordPress, and many others expressed their clear intention of switching to safe alternatives to React.js and other frameworks from FB, or banning their use. As you all know, FOSS is a free-market ecosystem; it thrives on the forces of intellectual competition, always offering multiple choices to its users. And this approach won again: facing the danger of losing their user base and, effectively, rendering themselves irrelevant, they made the decision to, once again, re-license some of their projects under MIT.

Namely, ReactJS will be released under the new license. So if you are using it – make sure to update your dependencies to v.16 once it is out next week. Remember, re-licensing isn’t usually retroactive, so don’t fall into that trap.

Disclaimer: I am not using, planning to use, nor recommending the use of any Facebook-sponsored projects.

And let the Dao be with you, as usual 😉