'Open Source Protestware Harms Open Source' (opensource.org) 101
An anonymous reader shares an opinion piece: Protest is an important element of free speech that should be protected. Openness and inclusivity are cornerstones of the culture of open source, and the tools of open source communities are designed for global access and participation. Collectively, the very culture and tooling of open source -- issue tracking, messaging systems, repositories -- offer a unique signaling channel that may route around censorship imposed by tyrants to hold their power.
Instead of malware, a better approach to free expression would be to use messages in commit logs to send anti-propaganda messages and to issue trackers to share accurate news inside Russia of what is really happening in Ukraine at the hands of the Russian military, to cite two obvious possibilities. There are so many outlets for open source communities to be creative without harming everyone who happens to load the update.
We encourage community members to use both the freedoms and tools of open source innovatively and wisely to inform Russian citizens about the reality of the harm imposed on Ukrainian citizens and to support humanitarian and relief efforts in and supportive of Ukraine. Longer term, it's likely these weaponizations are like spitting into the wind: The downsides of vandalizing open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible. By extension, all of open source is harmed. Use your power, yes -- but use it wisely.
Yes, it does (Score:2)
Anybody that this is not obvious to should have their head examined.
Examining the head (Score:3)
Anybody that this is not obvious to should have their head examined.
We can be more specific with the actual examination.
Growing up, people learn to play games of various sorts. These games are competitive, but they're also cooperative in the sense that everyone agrees on the rules. Certain things you can't do in hockey or baseball, or tag or hide/seek. Kids learn that playing by the rules is important, because even if you lose, if you've played by the rules you'll get invited to play future games: you're fun to be around.
One thing that sticks in everyone's mind is cheating:
Re: (Score:2)
Okian Warrior makes a good point or several points.
I'd like to add this thought.
What the article's author (smaffulli) is advocating is that Open Source maintainers insert advertisements into their code whenever they feel like it.
Most protestware simply displays anti-war or pro-Ukrainian messages when run. This is a non-violent, creative form of protest that can be effective.
That's an advertisement.
Not everyone is a good person. Let's think about what the jerks will do with this idea.
How about a message inserted onto your web pages that says "Bob's T-shirt is committed to peaceful resolution to the Russia-Ukraine crisis, and to this end we will donate $
Re: (Score:2)
A very good example of this is YouTube banning (non-violent) gun aficionado channels. YouTube got lots of people to sign up with the promise of a video service that's open to all, got lots of people well ensconced with followers and income, then pulled the rug out of a select few.
This has caused at least one person to snap and shoot up YouTube headquarters.
Wow. That caused them to do it? Really? What caused that is that the person involved is a fucking psychopath. And it only gives Google more reason to ban gun content, because obviously some of those people are not only armed and dangerous, but also sufficiently unstable to shoot up Google, and dumb enough to think that Google promised them something when in fact all they ever promised was to boot anyone off their service for any reason not prohibited by law if those users were inconvenient.
I'm a gun owner w
Protestware? (Score:3)
That word is not yet a thing, and if it's going to mean something, then it shouldn't mean malware. That's not a protest, that's an attack. That doesn't make it invalid, but that's not the debate I want to have anyway. What it does is take it beyond protest to action.
TFA actually draws this distinction, so as usual TFS is shit:
Calling software "protestware" when it's actually an attack is bullshit. It would more accurately be called "weaponware", which would be short for weaponized software. Or just call it what it is: malware.
Re: (Score:2)
Re: (Score:1)
omg, it's literally a little message when you install. Found the russian bot I guess ^
Parent was saying the "little messages" are protestware. The "attack" was indiscriminately wiping data if the IP address is in Russia or Belarus (as per TFA).
Re: (Score:2)
Re: (Score:2)
I agree, that's malware whatever the intent. And it directly harmed the open source community when it happened.
It is also a criminal act almost anywhere and for good reasons.
What is it with some FOSS developers going off the rails like that recently? Is it just an influx of not too stable people that did not develop software before or is it some systematic problem? If I have my timing right, we have had at least one case recently before the mess in the Ukraine started.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Not everyone that has a different viewpoint is a Russian bot.
I agree with about 1% of what drinkypoo says but I can almost guarantee he is not a Russian bot. He is a consistent poster and has a varying set of views.
Sometimes you need a soapbox... (Score:1)
Imagine fallout if log4j was broken intentionally? (Score:3)
Whining gains no coverage. This isn't going away. Breaking something (which is easily enough fixed) has made headlines...
If you want to break GIMP...OK, that's harming individuals...if you want to break some lib used by businesses, on purpose, you're harming open source. Imagine if log4j was broken intentionally instead of by sheer incompetence last year.
The fallout would be huge. Every company would be tripping over itself to purge all open source software from their enterprise and if every large company forbade open source, imagine how much innovation would be slowed?
Open source is a mixed bag, but overwhelmingly
Re: (Score:2)
The message we should be taking away is not to rely on open source software maintained by one person for your business critical stack. If you find yourself in that position, pay someone to work on it and manually merge patches.
As usual XKCD has it covered: https://xkcd.com/2347/ [xkcd.com]
Re: (Score:2)
The message we should be taking away is not to rely on open source software maintained by one person for your business critical stack.
Well, yes. But that is actually really hard to do in some situations or to even find out. In a practical software lab I was involved in 2 years or so ago, there was one group of students that had something like 3000 external dependencies boiling down to 800 (!) developers (transitive hull) in the relatively simple web-application they had to write. The other groups were better, but not that much better. Finding out whether one of these 800 people is a single-person team would probably take weeks of wor
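An added example (not part of the comment above or of any project's code): the transitive-dependency and single-maintainer count that this comment and the one it replies to describe, run over a constructed package index. The package names, maintainer names and the `walk`/`audit` helpers are hypothetical; real input would come from a registry export or an SBOM.

```python
from collections import deque

# Constructed sample: package -> direct dependencies and listed maintainers.
SAMPLE_INDEX = {
    "webapp":    {"deps": ["http-kit", "tmpl"],      "maintainers": ["team"]},
    "http-kit":  {"deps": ["url-parse", "ipc-lite"], "maintainers": ["ana", "raj"]},
    "tmpl":      {"deps": ["str-pad", "url-parse"],  "maintainers": ["ana", "li"]},
    "url-parse": {"deps": ["str-pad"],               "maintainers": ["raj", "li"]},
    "ipc-lite":  {"deps": ["color-log"],             "maintainers": ["sam"]},
    "color-log": {"deps": ["ipc-lite"],              "maintainers": ["sam"]},  # cycle
    "str-pad":   {"deps": ["ghost-pkg"],             "maintainers": ["kim"]},
    # "ghost-pkg" is deliberately absent: a dependency with no metadata at all.
}


def walk(index, root):
    """Breadth-first walk from `root`; returns {package: parent}.

    Every package reachable from root is a key (root itself excluded).
    BFS makes each parent chain a shortest path, and the membership check
    makes dependency cycles terminate.
    """
    parent = {}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in index.get(pkg, {}).get("deps", []):
            if dep != root and dep not in parent:
                parent[dep] = pkg
                queue.append(dep)
    return parent


def path_to(parent, root, pkg):
    """Rebuild the chain root -> ... -> pkg from the parent map."""
    chain = [pkg]
    while chain[-1] != root:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def audit(index, root):
    """Summarise the transitive hull of `root` and who controls it."""
    parent = walk(index, root)
    maintainers, single, sole_owners, unknown = set(), {}, {}, []
    for pkg in sorted(parent):
        meta = index.get(pkg)
        if meta is None:
            unknown.append(pkg)          # cannot even say who maintains it
            continue
        owners = set(meta["maintainers"])
        maintainers |= owners
        if len(owners) == 1:
            # One person can change this package; record how we depend on it.
            single[pkg] = path_to(parent, root, pkg)
            sole_owners.setdefault(next(iter(owners)), []).append(pkg)
    return {
        "dependency_count": len(parent),
        "maintainer_count": len(maintainers),
        "single_maintainer": single,
        "sole_owners": sole_owners,
        "unknown": unknown,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INDEX, "webapp")
    print(f"{report['dependency_count']} transitive dependencies, "
          f"{report['maintainer_count']} distinct maintainers")
    for pkg, chain in report["single_maintainer"].items():
        print(f"single maintainer: {pkg}  via {' -> '.join(chain)}")
    for owner, pkgs in report["sole_owners"].items():
        print(f"{owner} alone controls: {', '.join(pkgs)}")
    print("no metadata:", ", ".join(report["unknown"]) or "none")
```

The `sole_owners` view is the one to review first: it shows how many packages in the hull a single account can change unilaterally, which is the exposure the data-wiping incident discussed in this thread relied on.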
Re: (Score:2)
I think the whole "web application" (and surrounding tools) community may have a really bad structural/organizational problem here and we are just seeing some early effects from that. I shudder to think what happens when in 5 years most of these 3000 dependencies will be unmaintained.
I think people have forgotten the benefit of getting proper support from inclusion into one of the distros. Even if that means one of the volunteer distros like Alpine or Debian, just the act of integrating the software into the distro creates at least one extra maintainer who knows where to start from if a problem is found. If one of the decent commercial distros takes on the stack of software then that can be a real benefit. Very often, if the right customer asks them, or more specifically pays, the dist
Re: (Score:2)
Good point.
Re: (Score:2)
More than that.
If you use any external source code, you should maintain your own internal repository and merge from that source for builds or operations. With modern computers, that can be as easy as typing GIT CLONE, and disk space on a dev server is cheap enough to be irrelevant. No business should be pulling from the wide open internet for actual production code.
If time allows (and it absolutely should, but...shit happens) you can pull updates and review/merge them to add more features or fix bugs. Bu
Open Source shouldn't mean "no ethics" (Score:2)
If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."
If using Open Source means I don't have that right, then Open Source software does not respect human ethics, nor human rights. I'd rather it be proprietary.
Re: (Score:2)
What makes you think that he would care about your saying no?
Re: (Score:2)
What makes you think that he would care about your saying no?
The fact the world stood up and killed him, or more precisely drove him to kill himself by fighting back. Needless to say, this wasn't achieved by some license on Pythagoras' theorem that made it illegal for him to use, though definitely propaganda and protest helped. What mattered though was that ordinary people were willing to stand up and fight against Hitler.
Getting the truth through to Russians, that Putin and his Zwastika are the real followers of Nazi ideology and what they should stand up against, is th
Re: (Score:2)
Re: (Score:2)
What makes you think it's about him? What if I'd rather not (literally) throw up every time I realize that I helped Hitler or Putin?
The time for contemplation is before you set out to act not belated realization.
What you are complaining about is the equivalent of working for a "defense" contractor and getting all upset when you finally discover your work is literally killing people.
The world is full of those who are indifferent only caring about pay checks or who partake in endeavors without consideration for the ways in which things could go sideways. While humans lack the ability to foresee all consequences of their actions few actu
Re: (Score:2)
What you are complaining about is the equivalent of working for a "defense" contractor and getting all upset when you finally discover your work is literally killing people.
There is nothing immoral or unethical about working for an American defense contractor. It serves a greater good. Helping Russo Fascists serves no purpose other than advancing ambitions of a madman and his sycophants. There is no moral ambiguity in helping Russian Federation. Russia's goals and its methods are beyond appalling, beyond atrocious. Russia's actions are atrocities committed for the sake of a greater atrocity. It's demonic.
Re: (Score:2)
There is nothing immoral or unethical about working for an American defense contractor. It serves a greater good.
Helping Russo Fascists serves no purpose other than advancing ambitions of a madman and his sycophants. There is no moral ambiguity in helping Russian Federation. Russia's goals and its methods are beyond appalling, beyond atrocious. Russia's actions are atrocities committed for the sake of a greater atrocity. It's demonic.
This is all quite irrelevant. You don't get to choose who is allowed to use technology nor for what purpose.
Re: (Score:2)
Re: (Score:2)
Unless you do.
Sorry in the real world you don't.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Then that's on him. What people do is their own damn responsibility, not that of those who made the tools they use.
It wouldn't make sense for a fertilizer company to put labels on the bags saying, "You're not allowed to buy this if you're going to use it to bomb a day care."
Re: (Score:2)
Sounds like the difference between a collectivist vs individualist society.
Re: (Score:2)
No, it sounds like the real world, where you can't stop people from doing bad things just by forbidding them.
Software licenses are about giving people permission to do things that copyright law restricts.
Let's say you release your wonderful project under a new-fangled open source license with a "no genocide" clause, and a dictator uses your software to run his genocide machines.
Now you have a cause of action to sue the dictator for copyright infringement. Hooray?
Re: Open Source shouldn't mean "no ethics" (Score:1)
Re: Open Source shouldn't mean "no ethics" (Score:2)
Re:Open Source shouldn't mean "no ethics" (Score:4, Insightful)
Couldn't Hitler just fork your code and do whatever he wants with it?
Also, what kind of software exterminates Jews?
Ask IBM (Score:2)
Also, what kind of software exterminates Jews?
Ask IBM https://en.wikipedia.org/wiki/IBM_and_the_Holocaust [wikipedia.org]
Re: (Score:2)
Re: (Score:1)
If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."
If using Open Source means I don't have that right, then Open Source software does not respect human ethics, nor human rights. I'd rather it be proprietary.
You can put anything you want in the license, and people may or may not argue with you whether it's still "open source". But I think what TFA is talking about is not the RIGHT to specify who can use open source software or for what purposes, but vigilante ENFORCEMENT (in this case, via data wiping).
Next thing you know, former open source developers are creating the next Sony rootkit, for all the "right reasons".
The full version of the extraordinarily-poorly-summarized-because-this-is-slashdot-so-of-course-i
Re: (Score:2)
You can put anything you want in the license, and people may or may not argue with you whether it's still "open source".
I think few would argue that it's not still open source when your license has a clause prohibiting use for the purpose of exterminating Jews. They might argue that it's not Free Software, and they would be right even though that's strongly ironic given the name.
Re: (Score:2)
You are overlooking how things work in the real world. A common problem with people that try to talk ethics: They do theory and ignore practical reality. And then what they say becomes nonsense.
If you restrict FOSS or add attack code that triggers under certain conditions, then on the ethical side, you decrease trust in FOSS, which is bad. You also make the "F" a lie, which is bad as well. But what is worse is that you start to discriminate/censor based on some detection mechanism where it is installed or wh
Re: (Score:3)
The conflict is that if the mechanism for targeting people who "deserve" it also harms people who "don't", then that's a compromise. That's the question being grappled with. Is the compromise reasonable?
This board will be filled with discussions, but I argue that the answer is only accurate within the context of a specific case of victims, accurate (from a specific point of view) classification of who deserves it and who doesn't, and what the harms are.
An answer without that information is too broad to be w
Re:Open Source shouldn't mean "no ethics" (Score:4, Insightful)
If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."
If using Open Source means I don't have that right,
You have no such right. Neither do you get to manufacture vehicles and judge who is allowed to drive the vehicles and for what purposes.
then Open Source software does not respect human ethics, nor human rights. I'd rather it be proprietary.
What is the relevance? I'm sure neither Hitler nor Putin gives a flying rat's ass about western software licensing; whether the license/code is open or closed makes no difference to them whatsoever.
Re: (Score:2)
You have no such right. Neither do you get to manufacture vehicles and judge who is allowed to drive the vehicles and for what purposes.
How about if you manufacture poisons, or bombs, or guns - can you judge who is allowed to use them and for what purposes, or are you morally absolved selling them to any buyers? Or, closer to IT, what if you create a public forum - maybe a web site - for people to communicate? Can you decide who is allowed to communicate on it and for what purposes?
Re: (Score:2)
How about if you manufacture poisons, or bombs, or guns - can you judge who is allowed to use them and for what purposes, or are you morally absolved selling them to any buyers?
I'm not making a moral argument, I'm simply stating reality. Whether source code or a physical thing, once it leaves your hands you lose control over it. You can choose who you give something to, yet this is no guarantee of anything. Neither the US companies creating weapons, ammo, vehicles, optics, etc. nor US taxpayers expected billions of dollars of their military goodies to be adopted by the Taliban. This is especially true of open or even closed source software. You lose control over it the second it leaves yo
Re: (Score:2)
Whether source code or a physical thing once it leaves your hands you lose control over it.
Well, that hasn't been the case anymore for some time now; if you have a phone for example, many manufacturers can now remotely disable your phone, if they disagree with you for any reason. For code, many products need to be enabled at regular periods to work - this is how the whole licensing thing works. Even for open source, the fact that code writers can - and some of them do - disable their libraries for some people is the very subject of this thread.
Re: (Score:2)
Well, that hasn't been the case anymore for some time now; if you have a phone for example, many manufacturers can now remotely disable your phone, if they disagree with you for any reason. For code, many products need to be enabled at regular periods to work - this is how the whole licensing thing works. Even for open source, the fact that code writers can - and some of them do - disable their libraries for some people is the very subject of this thread.
This is not realistic. Licensing checks are easily bypassed and are of no consequence to Russian hackers or anyone with half a clue and a debugger. Just because you've poisoned a code repo doesn't mean everyone in the world blindly accepts changes from a single unified source or they can't just go back to previous version after detecting sabotage.
If you can't accept the consequences of people you don't like getting ahold of your tech then don't create it in the first place.
Re: (Score:1)
If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."
Why are you making jew extermination software in the first place?
Re: (Score:1)
If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."
If using Open Source means I don't have that right, then Open Source software does not respect human ethics, nor human rights. I'd rather it be proprietary.
You don't mean proprietary, as proprietary could still be used by others. Instead you mean you want all of your software to have DRM restrictions.
Re: (Score:2)
Re: (Score:1)
We need to focus on getting truthful speech (Score:2)
The problem we have with Speech Today, is how it is getting more and more difficult to differentiate truthful vs deceptive speech.
Official Sources of information are heavily biased.
Government Information, is presented in a way to make sure the people in power stay in power.
Commercial Information, is presented in a way to make sure your target audience stays with that source to see the ads
Social Media, is a fine-tuned version of Commercial Information where what we see and digest is carefully hand-picked for us
Re: (Score:2)
Re: (Score:2)
Well, you sum the problem up nicely. Add to that that at least some experts also succumb to coercion and propaganda and that makes the problem worse, especially on complicated things that only experts really understand and need to explain to the public.
At the moment, I do not see a fix for this. There are too many people that have no effective morals and greed (for power, money, attention, etc.) drives them to use any and all means to get what they want. These people generally do not even understand what th
Re: (Score:2)
I've been wondering if we need to amend the first amendment to say "freedom of honest and peaceful speech".
We already have a similar qualifier in "peaceably to assemble" and we already have laws effectively restricting freedom of speech in various areas, typically focused on dishonesty and incitement of violence. The restrictions we have now were created by law and by judicial decisions, all of which are clearly unconstitutional yet necessary. We need these restrictions and we need to make them legitimate b
Re: (Score:2)
Re: (Score:2)
Clearly Russia is in the wrong.
However, my social media feeds will often pop up, a lot of Pro-Ukraine stories showing how inept the Russian Army is, then going to other news sources, showing how Russia has made major inroads in invading the country.
However the Russian Citizens in Russia, are getting a solid stream of Pro-Russia propaganda, where just like US "News" they will take a story with an ounce of truth, then exaggerate it to their advantage.
Just remember a Year ago we had Americans trying to Overtu
Re: (Score:2)
More hypocrisy from activists (Score:2)
Striking a self-righteous pose saying "yeah, well, at least we're not killing anybody" is not a defense to the fact that what these malware writers are doing is indiscriminately attacking civilians in a meaningful way. That defense is like a woman who slaps the shit out of her kid on a regular basis saying "yeah, well, at least I'm not like Andrea Yates and didn't drown my kid in the bathtub."
You would think that people whose whole political-moral frame is stuck in 1939-1946 would understand that "tu quoque
Not the place (Score:5, Insightful)
I think the problem is we've lost touch with the idea that political speech just isn't appropriate in some situations.
It doesn't matter if it's valid or the situation needs attention - sometimes introducing speech at the wrong time and place does more harm than good. IE, if my waiter walks up to my table and says "Hi, my name is Tom. Would you like to hear our specials for today? Also I'd like to say that Ukraine is a sovereign nation that should not have to suffer incursions into their borders.". Ok, yeah, sure, I agree with the sentiment, but I'm annoyed at you because I don't want every waking moment of my life consumed with political issues.
The same is true of things like "protestware". If you are making functionality breaking changes to make a political point then I'm just not inclined to use your software, and even if I originally agreed with your talking point when it comes up again I'm going to be reminded of the annoyance it generated.
Re: (Score:2)
Re: (Score:2)
Very much so. And one of the reasons is to keep back-channels open for future communication. We all have to get _out_ of this situation at some time and blocking all communication channels or spamming them with propaganda is not a good idea.
Re: (Score:2)
You can make a political statement without it being intrusive, like how Vim mentions Uganda and how supporting Vim also supports Ugandan children.
And restaurants do that too, Chick-Fil-A is famous for doing it by not opening on Sundays.
It's not overt, and at worst a mild inconvenience to users.
Protestware though, has no place in open-source because actively harming users makes them innocent third parties.
Taking the current conflict into account - telling your users to oppose the Russians by deleting all the
Re: (Score:2)
The same is true of things like "protestware". If you are making functionality breaking changes to make a political point then I'm just not inclined to use your software
A typical "I only support protestors providing they don't inconvenience or affect me in any way" response... one which objectively defeats the purpose of a protest.
Balancing Harms (Score:2)
I honestly don't know if embedding payloads harming Russian targets in open source software is a good idea or not but the argument certainly isn't that simple.
Of *course*, putting harmful payloads in open source software harms open source. It will reduce the willingness of people to use, trust and contribute to open source software (what if I'm the next target). If you're a big US software firm (or simply work in the US) you might worry that you'll be targeted if the US gets into an unpopular war and protes
Re: (Score:2)
There is a difference though. Economic and banking sanctions don't happen because someone unilaterally decides to punish the target.
We have an elaborate bureaucracy that is (theoretically) accountable to elected (keyword) leaders who work hard to make sure those sanctions are coordinated and tailored to achieve our diplomatic ends. It's not the same thing as one FOSS developer or even one organization deciding to do something.
I there is some wiggle room here - is adding some pro-this or anti-that banner to
Re: (Score:2)
Re: (Score:2)
Or...here's a wild idea... (Score:2)
Done before with Propaganda viruses (Score:1)
* Anyone else remember the "Stoned Virus"?
https://en.wikipedia.org/wiki/... [wikipedia.org]
Booting from an old infected floppy, would display the messages:
"Your PC is now Stoned!" "Legalise Marijuana"
Yes, the virus writer misspelled "Legalize".
Re: (Score:2)
"Legalise Marijuana"
Yes, the virus writer misspelled "Legalize".
Or they were from England or some other English speaking country where "ise" is the accepted suffix, rather than the "ize" of American English.
Consider the source. (Score:2)
You should remember that OSI just had a bunch of corporate shills installed last year. His suggestion "put it in commit logs" is laughable because he knows that literally nobody will see it. It's quite clear what he wants is to avoid disruption to companies like Red Hat that have been making money off of other people's work.
Free software is free which means if you don't like it then you can fork it or fuck off.
Gotta think twice about third party libraries... (Score:2)
If you're a developer building desktop or mobile apps, it makes you want to audit any third party libraries you're linking to in order to build your app, to look out for this sort of deliberate malware. Because if your app crashes the host's computer, who do you think is liable? The maintainer of the library who added the malware? Or you?
Oh, and sure, you can go to that third party developer and try to sue them for damages caused to your company's reputation and to your client's computer--especially if the
harms - great word (Score:2)
they plan to legalize software piracy (Score:2)
Spergs gonna sperg but that's not all bad. (Score:2)
The minds gifted with great specific talent are often useless or just batshit crazy outside their specialty. Some of them will do silly shit.
OTOH silly shit is often the only way to command attention from a broken system.
Awkward stuff will happen. Complex systems operate in degraded condition. So what? There is no crisis at hand nor evidence one's coming.
We cannot expect humans to have enough self-mastery NOT to politicize everything because they're weak (and nowadays insist weakness is acceptable instead
Activist! (Score:2)
Yeah, but what if Putin writes better Open Source (Score:1)
What really harms open-source (Score:1)
It's low quality library code, mostly written by very young programmers, and the packaging system has security flaws built into it.