
Discuss: package sabotage

 2 years ago
source link: https://dev.to/lexlohr/discuss-package-sabotage-3gpo

(image copyright by Ministry of Defense of Ukraine, shared on flickr under CC-AT-SA)

Like any war, the current one in Ukraine brings out the best and the worst in people. The best of us support the people of Ukraine defending against the unlawful invasion by the Russian regime. The worst of us commit package sabotage against users with a Russian IP address.

On one hand, package sabotage is a two-edged sword, as you cannot possibly know whether the Russian IP currently installing your npm package is not actually against the war and just wanted to set up a site to spread knowledge on how to circumvent Russian net blockades – and now you've successfully stopped them from doing so and indirectly helped Russian propaganda prevail in the absence of that information. On the other hand, you undermine the global trust in the whole ecosystem that your package is a tiny part of.

For that reason, I'm rather convinced it's ultimately a really bad idea, but I wanted to hear your positions, too. What do you think about package sabotage? Also, shouldn't we be more mindful of the dependencies we pull from npm?

Discussion (2)


Open source should be neutral.

I understand not wanting your project used by someone upsetting the world balance, but activism in Open Source like we've seen has real collateral damage.

For those of us in InfoSec, we have to review & respond to reported incidents. When this disclosure became public, I had to review the threat, scan all my projects to see if the dependency was used, and patch/pin those dependencies so they didn't use the vulnerable version. In addition to the change itself, tickets had to be created and reports compiled to keep auditors happy.

In the grand scheme of things, the incident only took 3 hours of my time. But I'm not the only one handling InfoSec in the world. If America has ~500,000 tech companies, then it's very plausible that at least 100k of those have InfoSec obligations. Let's also assume an average salary of $100k for the worker. That translates to millions of dollars in spent labor responding to the disclosure. Labor that's having to handle an increased number of responses because cutting off Russia from the global economy shook the bees' nest.

Also, what kind of impact does sabotaging inflict on your target? Is the FSB or the Russian military really using node-ipc on critical systems? If there's definitive proof that's the case, my position may be up for negotiation, but otherwise you're just inflicting more collateral damage. There are plenty of folks in Russia and Belarus who don't subscribe to their leader's beliefs and are powerless to enact change.

If you were absolutely dead-set on doing open source activism, you'd have a better chance at inflicting damage on your true enemy by targeting more essential dependencies. Git, Linux, those types of things are likely to be far more accessible to critical systems than an npm package.

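The "scan all my projects, then pin or patch" step from the comment above, as an added example that is not code from the thread or from node-ipc: it walks a parsed npm `package-lock.json` (lockfileVersion 2/3 `packages` map), lists every installed copy of a named package, including nested copies, and flags those inside an affected version range. The lockfile fragment and the range boundaries are constructed placeholders, not the real node-ipc versions; take the actual range from the advisory.

```javascript
// Added example, not from the dev.to thread. Scans a parsed package-lock.json
// for every installed copy of one package and flags versions in [lo, hi].

function parseVersion(v) {
  // "10.1.3" -> [10, 1, 3]; a pre-release suffix ("-beta.1") is dropped here.
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  // Numeric compare on major.minor.patch; returns -1, 0 or 1.
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every install path of `name` in the lockfile, with its version and whether
// that version lies inside the affected range [lo, hi] (inclusive).
function findAffected(lock, name, lo, hi) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/foo" or "node_modules/a/node_modules/foo";
    // the "" key is the root project itself and is skipped.
    if (path === '' || !path.endsWith('node_modules/' + name)) continue;
    const v = entry.version;
    const affected = compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
    hits.push({ path, version: v, affected });
  }
  return hits;
}

// Constructed lockfile fragment standing in for a real project's lockfile:
// one top-level copy and one nested copy pulled in by another dependency.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app', dependencies: { 'node-ipc': '^10.1.0' } },
    'node_modules/node-ipc': { version: '10.1.3' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '9.2.1' },
  },
};

// PLACEHOLDER range, not the real advisory values.
const PLACEHOLDER_AFFECTED_LO = '10.1.1';
const PLACEHOLDER_AFFECTED_HI = '10.1.3';

for (const h of findAffected(sampleLock, 'node-ipc', PLACEHOLDER_AFFECTED_LO, PLACEHOLDER_AFFECTED_HI)) {
  console.log(`${h.path}@${h.version}: ${h.affected ? 'AFFECTED - pin or patch' : 'ok'}`);
}
```

In a real run, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` for each project; nested copies are the ones a top-level version bump alone will not fix.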

I agree on all counts. Even though I can also see how someone could do something irrational in the heat of the moment when confronted with the extreme violence brought upon the people of Ukraine, it ultimately is not the answer, and there are reports of NGOs trying to help being affected. For me, I'm considering finally moving my Node.js apps into (Docker) containers to shield direct access to the host. I try to minimise layers of indirection but may have reached the threshold to go this route.
