@fcr If you don't want to support Fortune 500s with your free work, don't publish your work under the MIT license.
I can't fathom people in this thread are siding with him. This is a breach of trust in the open source world. The updates were purposefully malicious.
He was allegedly also making a bomb and set his house on fire:
https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/
@Gargron @fcr I can see why you feel that way. Personally, to me it does not cross the "malicious" line -- partly because this is something that should be trivially caught in any pre-deployment testing.
We can agree that this is not an acceptable behavior for a FLOSS developer, and it is in fact irresponsible.
That said, I do think focusing on the developer's (shitty) action is less useful than focusing on the bigger problem of open-source software developers doing free work for Big Tech.
@rysiek @Gargron @fcr, the problem isn't even Big Tech using the free work of others; the average JS developer doesn't even realize that the ecosystem is fragile, and neither do the managers of Big Tech projects:
https://github.com/facebook/react/issues/18871
They brush over these issues as if they were a "misunderstanding" on the part of people reporting them.
I'm afraid that the Unix philosophy doesn't really work these days. You can't trust hundreds of developers and their code for the most basic JS project.
@movonw,
True, but you do have big ecosystems that look like de facto distributions. A default Angular project comes with 25+988 dependencies, where you get the basics, like "zypper install-pattern foobar-desktop foobar-devel". With that you install many projects that "do one thing and do it well", including the "colors" package.
And this doesn't count projects that embed (i.e. statically link) their dependencies. And yes, strict versions are a thing and[...]
[1/2]
@movonw,
[...] it's not a perfect analogy, but on NPM you just get more flexibility. They don't lock you into their "repos", think DEB/RPM repos, not CVS repos. Thus, you get to have code from all other "repos", think of PackageKit+Alien, but for Angular and React "repos".
If one really wants, the per-distro repo approach can be achieved here; and things don't even have to change much. Then you're on your own if you want to "zypper addrepo" or add a new PPA.
[2/2]
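The two-part post above touches on "strict versions" as the thing that separates an npm dependency tree from a curated distro repo. As an added example (not code from anyone in this thread, and not from the "colors" project), here is a small dependency audit: it implements the caret, tilde and exact forms of semver ranges, reports which direct dependencies would silently pull a newer release on a fresh `npm install` with no lockfile, and shows how to pin them to whatever a lockfile has already resolved. The manifest, the "registry latest" map and the lockfile fragment are all constructed for illustration; the version numbers are hypothetical and are not the real publish history of any package.

```javascript
// Added example: reasoning about floating vs. pinned npm dependency ranges.
// All package versions below are constructed, not real registry data.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const [core, ...pre] = v.split("-");
  const [major, minor, patch] = core.split(".").map(Number);
  return { major, minor, patch, prerelease: pre.length > 0 };
}

function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Does `version` fall inside `range`? Supports the three range forms a
// package.json is most likely to contain: "^x.y.z", "~x.y.z" and exact "x.y.z".
// Prerelease versions never satisfy a range unless the range names them
// exactly, which mirrors npm's behaviour.
function satisfies(version, range) {
  if (version === range) return true;
  const v = parseVersion(version);
  if (v.prerelease) return false;
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(range.slice(op.length));
  if (op === "") return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  if (op === "~") return v.major === base.major && v.minor === base.minor;
  // caret: first non-zero component is frozen (^0.2.3 means >=0.2.3 <0.3.0)
  if (base.major > 0) return v.major === base.major;
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
  return cmp(v, base) === 0;
}

// For each direct dependency, say whether a fresh install with no lockfile
// would resolve to `latest` (the newest version on the registry) instead of
// the version the developer last tested against.
function audit(manifest, registryLatest) {
  return Object.entries(manifest.dependencies).map(([name, range]) => {
    const latest = registryLatest[name];
    const pinned = !/^[\^~]/.test(range);
    return { name, range, latest, pinned, wouldInstallLatest: satisfies(latest, range) };
  });
}

// Rewrite every range to the exact version recorded in a lockfile
// (package-lock.json v2/v3 shape: packages["node_modules/<name>"].version).
function pinFromLock(manifest, lock) {
  const dependencies = {};
  for (const name of Object.keys(manifest.dependencies)) {
    const entry = lock.packages[`node_modules/${name}`];
    dependencies[name] = entry ? entry.version : manifest.dependencies[name];
  }
  return { ...manifest, dependencies };
}

// Constructed sample input.
const sampleManifest = {
  name: "sample-app",
  dependencies: { colors: "^1.4.0", faker: "~5.5.0", leftpad: "1.3.0" },
};
const sampleRegistryLatest = { colors: "1.4.44", faker: "5.5.3", leftpad: "1.3.1" };
const sampleLock = {
  packages: {
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/faker": { version: "5.5.1" },
    "node_modules/leftpad": { version: "1.3.0" },
  },
};

for (const row of audit(sampleManifest, sampleRegistryLatest)) {
  console.log(`${row.name.padEnd(8)} ${row.range.padEnd(8)} latest=${row.latest}` +
    `  floating=${!row.pinned}  fresh install gets latest=${row.wouldInstallLatest}`);
}
console.log(pinFromLock(sampleManifest, sampleLock).dependencies);
```

The point of the output is the first two rows: a caret or tilde range accepts any later patch (and, for caret, minor) release, so a sabotaged update within that range lands on every CI run and fresh checkout that does not install from a lockfile. Committing `package-lock.json` and installing with `npm ci` keeps you on the version you actually tested; pinning exact versions in `package.json` does the same for people who consume your package.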
@walter @movonw @Gargron @fcr this has nothing to do with distributions. In Debian or Fedora, or Arch, or any other Linux distro, the *packagers* are responsible for quality of the packages that are published in the distribution-specific repository.
In your example the Angular people just pull random crap from Teh Intertubes and hope for the best.
It's not even comparing apples to oranges, it's comparing apples to the number three. 🤷♀️
@rysiek,
yes, it has nothing to do with distros, but there could have been a resemblance.
It's wishful thinking on my part, but even NPM has the notion of registries, so it's not a long way from here to adding packagers to the mix. The problem is that there doesn't seem to be much demand for this, and then there's npm Inc. in the mix.
https://deno.land is changing things, but they went with "install from src" + bigger StdLib. So... no packagers yet.
IMO, it's not a matter of supporting or rejecting him.
It is about un(der)paid work and about King Ludd: the common misconception that Luddites were "technophobic" and against "the inevitable progress" whereas they were using sophisticated tools and attacked industrial machines to collectively bargain for better salaries.
There is no factory here, but the software industry, and no collective action. However, it is a story about "who controls technology" and about social inequality.
@Gargron The open source world could use more breaches of trust in that case, because it could just as well have been actively malicious instead, like the last three times, instead of just causing an infinite loop.
@ChlorideCull @Gargron getting angry at this guy is similar to getting mad at people who block traffic when protesting, imo. His actions might not have been "right", but this is someone driven to what is arguably a mischievous act of protest by a system that is often exploitative. At some point it's going to break down more than it already has, and this is probably just a symptom of that.
Repeating this here, as it is relevant:
https://mastodon.technology/@wakingrufus/107594470489266611
@Gargron @fcr yeah, I am not siding with the developer. His actions were shitty.
I am underlining the fact that:
1. Microsoft GitHub will block your account if it doesn't like the changes you make to your own code;
2. AGPL is a way better choice of license if one doesn't want to support Big Tech.