Some of you might have already be aware about very unfortunate turn of events in a number of formerly open-source projects like node-ipc (a part of vue-cli) and a few others. TL;DR some politically motivated hot-shots have decided that it would make them stand for human rights and whatnot if they add bits and pieces of cyber-terror tools in the publicly maintained packages to “punish Russians”. Or in this case, software developers who might be using IP addresses rightfully or incorrectly perceived to belong to address pools allocated to Russian Federation. Such tools may wary from zeroday exploits to encryptors and, perhaps, some others I didn’t bother to check.
Leaving the discussion of obvious idiocy and outright criminality of such actions to readers’ homework assignment (you can check here, here and here just to get a gist of consequences of being and idiot) I really want to bring up a very different point. Namely I want to discuss how a very few infantile, pimple-faced, soy-fed creeps with psychological issues and low testosterone levels can cause a great damage to a great movement many of us have dedicated decades of their lives to.
Yes, I am talking about loss of trust and reputation damage to open-source movemen as a whole. Like many of you, my software stack is predominantly open=source of based on frameworks and libraries maintained by communities around the world. I rely on these bits, pieces and whole systems both for my personal and professional life. After browsing though examples like above I have my professional paranoia to kick up to 11.
I have a lot of friends and business partners in Russia. And I am not giving in to a silly and poisonous propaganda from TV, MSM and our elected representatives trying to convince me that I have to break all my ties with Russian people, eat lentil and kill my dog to punish some politicians living 8,000 miles from me on the other side of the planet.
However, from now on I literally have to start watching my six with every update of my software stack, installation of every piece of software to any of my devices (yup, good riddance Mozilla) because I have no easy way – correction – no way AT ALL – to know if such an update or installation won’t wipe out or encrypt my hard drive or worst. If you aren’t worried about such possibilities – you should start now. If you think I am out of touch with reality – you might want to check your head first.
The trust is lost, ladies and gentlemen ;( Only time would tell, how bad the fallout will be. If you are a part of an open-source development community start paying attention what dependencies your project pulls in; pay extra attention to code changes during code reviews. The reason is simple: once your own project – even inadvertently, through a third party dependency or code injection – becomes an attack vector and cause a damage to your customer – you can stick a huge fork into your work, ’cause it is done for good.
I am truly hopeful, that proverbial “thousands of eyes” will be able to spot not only bugs in the open code, but security treats and cyber-terror injections before it is too late!