Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Operating Systems Open Source Programming

'Open Source Protestware Harms Open Source' (opensource.org) 101

An anonymous reader shares an opinion piece: Protest is an important element of free speech that should be protected. Openness and inclusivity are cornerstones of the culture of open source, and the tools of open source communities are designed for global access and participation. Collectively, the very culture and tooling of open source -- issue tracking, messaging systems, repositories -- offer a unique signaling channel that may route around censorship imposed by tyrants to hold their power.

Instead of malware, a better approach to free expression would be to use messages in commit logs to send anti-propaganda messages and to issue trackers to share accurate news inside Russia of what is really happening in Ukraine at the hands of the Russian military, to cite two obvious possibilities. There are so many outlets for open source communities to be creative without harming everyone who happens to load the update.

We encourage community members to use both the freedoms and tools of open source innovatively and wisely to inform Russian citizens about the reality of the harm imposed on Ukrainian citizens and to support humanitarian and relief efforts in and supportive of Ukraine. Longer term, it's likely these weaponizations are like spitting into the wind: The downsides of vandalizing open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible. By extension, all of open source is harmed. Use your power, yes -- but use it wisely.

This discussion has been archived. No new comments can be posted.

'Open Source Protestware Harms Open Source'

Comments Filter:
  • Anybody that this is not obvious to should have their head examined.

    • Anybody that this is not obvious to should have their head examined.

      We can be more specific with the actual examination.

      Growing up, people learn to play games of various sorts. These games are competitive, but they're also cooperative in the sense that everyone agrees on the rules. Certain things you can't do in hockey or baseball, or tag or hide/seek. Kids learn that playing by the rules is important, because even if you lose, if you've played by the rules you'll get invited to play future games: you're fun to be around.

      One thing that sticks in everyone's mind is cheating:

      • by clovis ( 4684 )

        Okian Warrior makes a good point or several points.

        I'd like to add this thought.

        What the article's author (smaffulli) is advocating is that Open Source maintainers insert advertisements into their code whenever they feel like it.

        Most protestware simply displays anti-war or pro-Ukrainian messages when run. This is a non-violent, creative form of protest that can be effective.

        That's an advertisement.
        Not everyone is a good person. Let's think about what the jerks will do with this idea.
        How about a message inserted onto your web pages that says "Bob's T-shirt is commiited to peaceful resolution to the Russia-Ukraine crisis, and to this end we will donate $

      • A very good example of this is YouTube banning (non-violent) gun aficionado channels. Youtube got lots of people to sign up with the promise of a video service that's open to all, got lots of people well ensconced with followers and income, then pulled the rug out of a select few.

        This has caused at least one person to snap and shoot up youtube headquarters.

        Wow. That caused them to do it? Really? What caused that is that the person involved is a fucking psychopath. And it only gives Google more reason to ban gun content, because obviously some of those people are not only armed and dangerous, but also sufficiently unstable to shoot up Google, and dumb enough to think that Google promised them something when in fact all they ever promised was to boot anyone off their service for any reason not prohibited by law if those users were inconvenient.

        I'm a gun owner w

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday March 24, 2022 @09:48AM (#62386115) Homepage Journal

    That word is not yet a thing, and if it's going to mean something, then it shouldn't mean malware. That's not a protest, that's an attack. That doesn't make it invalid, but that's not what debate I want to have anyway. What it does it take it beyond protest to action.

    TFA actually draws this distinction, so as usual TFS is shit:

    The new development is that angry maintainers have started adding code to a small number of open source repositories to protest against the war. When deployed, this âprotestwareâ(TM) expresses the maintainerâ(TM)s opposition to the Russian governmentâ(TM)s invasion of Ukraine. Most protestware simply displays anti-war or pro-Ukrainian messages when run. This is a non-violent, creative form of protest that can be effective.

    Calling software "protestware" when it's actually an attack is bullshit. It would more accurately be called "weaponware", which would be short for weaponized software. Or just call it what it is: malware.

    • omg, it's literally a little message when you install. Found the russian bot I guess ^
      • omg, it's literally a little message when you install. Found the russian bot I guess ^

        Parent was saying the "little messages" are protestware. The "attack" was indiscriminately wiping data if the IP address is in Russia or Belarus (as per TFA).

      • Comment removed based on user account deletion
        • by gweihir ( 88907 )

          I agree, that's malware whatever the intent. And it directly harmed the open source community when it happened.

          It is also a criminal act almost anywhere and for good reasons.

          What is it with some FOSS developers going of the rails like that recently? Is it just an influx of not too stable people that did not develop software before or is it some systematic problem? If I have my timing right, we have had at least one case recently before the mess in the Ukraine started.

      • A good test of ethical consistency is to reverse roles and ask yourself if you'd have the same view.
      • Not everyone that has a different viewpoint is a Russian bot.

        I agree with about 1% of what drinkypoo says but I can almost guarantee he is not a Russian bot. He is a consistent poster and has a varying set of views.

  • Whining gains no coverage. This isn't going away. Breaking something (which is easily enough fixed) has made headlines...
    • Whining gains no coverage. This isn't going away. Breaking something (which is easily enough fixed) has made headlines...

      If you want to break GIMP...OK, that's harming individuals...if you want to break some lib used by businesses, on purpose, you're harming open source. Imagine if log4j was broken intentionally instead of by sheer incompetence last year.

      The fallout would be huge. Every company would be tripping over itself to purge all open source software from their enterprise and if every large company forbade open source, imagine how much innovation would be slowed?

      Open source is a mixed bag, but overwhelmingly

      • by AmiMoJo ( 196126 )

        The message we should be taking away is not to rely on open source software maintained by one person for your business critical stack. If you find yourself in that position, pay someone to work on it and manually merge patches.

        As usual XKCD has it covered: https://xkcd.com/2347/ [xkcd.com]

        • by gweihir ( 88907 )

          The message we should be taking away is not to rely on open source software maintained by one person for your business critical stack.

          Well, yes. But that is actually really hard to do in some situations or to even find out. In a practical software lab I was involved in 2 years ago or so ago, there was one group of students that had something like 3000 external dependencies boiling down to 800 (!) developers (transitive hull) in the relatively simple web-application they had to write. The other groups were better, but not that much better. Finding out whether one of these 800 people are a single-person team would probably take weeks of wor

          • I think the whole "web application" (and surrounding tools) community may have a really bad structural/organizational problem here and we are just seeing some early effects from that. I shudder to think what happens when in 5 years most of these 3000 dependencies will be unmaintained.

            I think people have forgotten the benefit of getting proper support from inclusion into one of the distros. Even if that means one of the volunteer distros like Alpine or Debian, just the act of integrating the software into the distro creates at least one extra maintainer who knows where to start from if a problem is found. If one of the decent commercial distros takes on the stack of software then that can be a real benefit. Very often, if the right customer asks them, or more specifically pays, the dist

        • More than that.

          If you use any external source code, you should maintain your own internal repository and merge from that source for builds or operations. With modern computers, that can be as easy as typing GIT CLONE, and disk space on a dev server is cheap enough to be irrelevant. No business should be pulling from the wide open internet for actual production code.

          If time allows (and it absolutely should, but...shit happens) you can pull updates and review/merge them to add more features or fix bugs. Bu

  • If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."

    If using Open Source means I don't have that right, then Open Source software does not respect human ethics, nor human rights. I'd rather it be proprietary.

    • by XanC ( 644172 )

      What makes you think that he would care about your saying no?

      • What makes you think that he would care about your saying no?

        The fact world stood up and killed him, or more precisely drove him to kill himself by fighting back. Needless to say, this wasn't achieved by some license on Pythagoras' theorem that made it illegal for him to use, though definitely propaganda and protest helped. What mattered though was that ordinary people were willing to stand up and fight against Hitler.

        Getting the truth through to Russians, that Putin and his Zwastika are the real followers of Nazi ideology and what they should stand up against, is th

      • What makes you think it's about him? What if I'd rather not (literally) throw up every time I realize that I helped Hitler or Putin?
        • What makes you think it's about him? What if I'd rather not (literally) throw up every time I realize that I helped Hitler or Putin?

          The time for contemplation is before you set out to act not belated realization.

          What you are complaining about is the equivalent of working for a "defense" contractor and getting all upset when you finally discover your work is literally killing people.

          The world is full of those who are indifferent only caring about pay checks or who partake in endeavors without consideration for the ways in which things could go sideways. While humans lack the ability to foresee all consequences of their actions few actu

          • What you are complaining about is the equivalent of working for a "defense" contractor and getting all upset when you finally discover your work is literally killing people.

            There is nothing immoral or unethical about working for an American defense contractor. It serves a greater good. Helping Russo Fascists servers no purpose other than advancing ambitions of a madman and his sycophants. There is no moral ambiguity in helping Russian Federation. Russia's goals and its methods are beyond appalling, beyond atrocious. Russia's actions are atrocities committed for the sake of a greater atrocity. It's demonic.

            • There is nothing immoral or unethical about working for an American defense contractor. It serves a greater good.

              Helping Russo Fascists servers no purpose other than advancing ambitions of a madman and his sycophants. There is no moral ambiguity in helping Russian Federation. Russia's goals and its methods are beyond appalling, beyond atrocious. Russia's actions are atrocities committed for the sake of a greater atrocity. It's demonic.

              This is all quite irrelevant. You don't get to choose who is allowed to use technology nor for what purpose.

    • by The-Ixian ( 168184 ) on Thursday March 24, 2022 @10:14AM (#62386179)

      Couldn't Hitler just fork your code and do whatever he wants with it?

      Also, what kind of software exterminates Jews?

      • Also, what kind of software exterminates Jews?

        Ask IBM https://en.wikipedia.org/wiki/IBM_and_the_Holocaust [wikipedia.org]

      • I think you missed the point. And there's probably an answer out there to your bad faith question as well. I'd bet that there is software out there that controls the opening and shutting of gas valves, or timing the release of gas into a system. Done. I know there are other steps that require getting to that point, but this is another "guns don't kill people, people kill people" arguments.
    • If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."

      If using Open Source means I don't have that right, then Open Source software does not respect human ethics, nor human rights. I'd rather it be proprietary.

      You can put anything you want in the license, and people may or may not argue with you whether it's still "open source". But I think what TFA is talking about is not the RIGHT to specify who can use open source software or for what purposes, but vigilante ENFORCEMENT (in this case, via data wiping).

      Next thing you know, former open source developers are creating the next Sony rootkit, for all the "right reasons".

      The full version of the extraordinarily-poorly-summarized-because-this-is-slashdot-so-of-course-i

      • You can put anything you want in the license, and people may or may not argue with you whether it's still "open source".

        I think few would argue that it's not still open source when your license has a clause prohibiting use for the purpose of exterminating Jews. They might argue that it's not Free Software, and they would be right even though that's strongly ironic given the name.

    • by gweihir ( 88907 )

      You are overlooking how things work in the real world. A common problem with people that try to talk ethics: They do theory and ignore practical reality. And then what they say becomes nonsense.

      If you restrict FOSS or add attack code that triggers under certain conditions, then on the ethical side, you decrease trust in FOSS, which is bad. You also make the "F" a lie, which is bad as well. But what is worse is that you start to discriminate/censor based on some detection mechanism were it is installed or wh

    • by SirSlud ( 67381 )

      The conflict is that if the mechanism for targeting people who "deserve" it also harms people who "don't", then that's a compromise. That's the question being grappled with. Is the compromise reasonable?

      This board will be filled with discussions, but I argue that the answer is only accurate within the context of a specific case of victims, accurate (from a specific point of view) classification of who deserves it and who doesn't, and what the harms are.

      An answer without that information is too broad to be w

    • by WaffleMonster ( 969671 ) on Thursday March 24, 2022 @11:33AM (#62386479)

      If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."

      If using Open Source means I don't have that right,

      You have no such right. Neither do you get to manufacture vehicles and judge who is allowed to drive the vehicles and for what purposes.

      then Open Source software does not respect human ethics, nor human rights. I'd rather it be proprietary.

      What is the relevance? I'm sure neither Hitler or Putin give a flying rats ass about western software licensing whether the license/code is open or closed makes no difference to them whatsoever.

      • You have no such right. Neither do you get to manufacture vehicles and judge who is allowed to drive the vehicles and for what purposes.

        How about if you manufacture poisons, or bombs, or guns - can you judge who is allowed to use them and for what purposes, or are you morally absolved selling them to any buyers? Or, closer to IT, what if you create a public forum - maybe a web site - for people to communicate? Can you decide who is allowed to communicate on it and for what purposes?

        • How about if you manufacture poisons, or bombs, or guns - can you judge who is allowed to use them and for what purposes, or are you morally absolved selling them to any buyers?

          I'm not making a moral argument I'm simply stating reality. Whether source code or a physical thing once it leaves your hands you lose control over it. You can choose who you give something to yet this is no guarantee of anything. The US companies creating weapons, ammo, vehicles, optics..etc nor US taxpayers expected billions of dollars of their military goodies to be adopted by the Taliban. This is especially try of open or even closed source software. You lose control over it the second it leaves yo

          • Whether source code or a physical thing once it leaves your hands you lose control over it.

            Well, that hasn't been the case anymore for some time now; if you have a phone for example, many manufacturers can now remotely disable your phone, if they disagree with you for any reason. For code, many products need to be enabled at regular periods to work - this is how the whole licensing thing works. Even for open source, the fact that code writers can - and some of them do - disable their libraries for some people is the very subject of this thread.

            • Well, that hasn't been the case anymore for some time now; if you have a phone for example, many manufacturers can now remotely disable your phone, if they disagree with you for any reason. For code, many products need to be enabled at regular periods to work - this is how the whole licensing thing works. Even for open source, the fact that code writers can - and some of them do - disable their libraries for some people is the very subject of this thread.

              This is not realistic. Licensing checks are easily bypassed and are of no consequence to Russian hackers or anyone with half a clue and a debugger. Just because you've poisoned a code repo doesn't mean everyone in the world blindly accepts changes from a single unified source or they can't just go back to previous version after detecting sabotage.

              If you can't accept the consequences of people you don't like getting ahold of your tech then don't create it in the first place.

    • If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."

      Why are you making jew extermination software in the first place?

    • If Hitler wanted to use my software to exterminate the Jews, I want the right to say "Hell no."

      If using Open Source means I don't have that right, then Open Source software does not respect human ethics, nor human rights. I'd rather it be proprietary.

      You don't mean proprietary, as proprietary could still be used by others. Instead you mean you want all of your software to have DRM restrictions.

    • Comment removed based on user account deletion
    • And your solution is to sneak code into your software so that it indiscriminately exterminates Germans instead? It seems like you're the one failing to grasp the ethics of this situation.
  • The problem we have with Speech Today, is how it is getting more and more difficult to differentiate truthful vs deceptive speech.
    Official Sources of information are heavily biased.
    Government Information, is presented in a way to make sure the people in power stay in power.
    Commercial Information, is presented in a way to make sure your target audience says with that source to see the Ad's
    Social Media, is a fine tune version of Commercial Information where what we see and digest is carefully hand pick for us

    • And not every country has the same definition of free speech as the US. Canada doesn't allow hate speech and we don't have things like police protected neo-nazi rallies in our cities. Yes yes, slippery slope, blah blah. Hasn't been a problem yet, and if it ever gets that way some people will still speak up and make sure they're heard.
    • by gweihir ( 88907 )

      Well, you sum the problem up nicely. Add to that that at least some experts also succumb to coercion and propaganda and that makes the problem worse, especially on complicated things that only experts really understand and need to explain to the public.

      At the moment, I do not see a fix for this. There are too many people that have no effective morals and greed (for power, money, attention, etc.) drives them to use any and all means to get what they want. These people generally do not even understand what th

      • by xalqor ( 6762950 )

        I've been wondering if we need to amend the first amendment to say "freedom of honest and peaceful speech".

        We already have a similar qualifier in "peaceably to assemble" and we already have laws effectively restricting freedom of speech in various areas, typically focused on dishonesty and incitement of violence. The restrictions we have now were created by law and by judicial decisions, all of which are clearly unconstitutional yet necessary. We need these restrictions and we need to make them legitimate b

    • Uhm. no. Ethics maybe a sliding scale, but that only means that the extremes of that scale are easy to identify. A dictator invading a free country and *targeting* (not just killing as collateral damage but targeting civilians), kidnapping thousands of civilians and moving them to his own country to unknown locations... this all hearkens to WWII or Roman Empire. Someone who is doing this, in front of everyone's eyes, in the modern world, has no moral ambiguity. This is way off the scale evil.
      • Clearly Russia is in the wrong.
        However, my social media feeds will often pop up, a lot of Pro-Ukraine stories showing how inept the Russian Army is, then going to other news sources, showing how Russia has made major inroads in invading the country.
        However the Russian Citizens in Russia, are getting a solid stream of Pro-Russia propaganda, where just like US "News" they will take a story with an ounce of truth, then exaggerate it to their advantage.

        Just remember a Year ago we had American's trying to Overtu

        • You can pace all you want. You are not gonna lead. Russian forces *are* incompetent. Ukraine is following standard defensive deployment tactics. And, so far, it is very successful. Russia hasn't made "inroads." It's been allowed to walk into many mouse traps. That's what defensives do when they want to win against a larger force. Ukraine is doing to the Russia Federation what the Russia Empire did to Napoleon.
  • Striking a self-righteous pose saying "yeah, well, at least we're not killing anybody" is not a defense to the fact that what these malware writers are doing is indiscriminately attacking civilians in a meaningful way. That defense is like a woman who slaps the shit out of her kid on a regular basis saying "yeah, well, at least I'm not like Andrea Yates and didn't drown my kid in the bathtub."

    You would think that people whose whole political-moral frame is stuck in 1939-1946 would understand that "tu quoque

  • Not the place (Score:5, Insightful)

    by MBGMorden ( 803437 ) on Thursday March 24, 2022 @10:25AM (#62386219)

    I think the problem is we've lost touch with the idea that political speech just isn't appropriate in some situations.

    It doesn't matter if it's valid or the situation needs attention - sometimes introducing speech at the wrong time and place does more harm than good. IE, if my waiter walks up to my table and says "Hi, my name is Tom. Would you like to hear our specials for today? Also I'd like to say that Ukraine is a sovereign nation that should not have to suffer incursions into their borders.". Ok, yeah, sure, I agree with the sentiment, but I'm annoyed at you because I don't want every waking moment of my life consumed with political issues.

    The same is true of things like "protestware". If you are making functionality breaking changes to make a political point then I'm just not inclined to use your software, and even if I originally agreed with your talking point when it comes up again I'm going to be reminded of the annoyance it generated.

    • It is not about whether "protestware" is "appropriate". It is somebody creating malware and claim it is for "protest". No, if one put anti-XYZ message onto about screen or splash screen or log messages, then they are respectable protestware. If one wipe people's data out because he or she dare to use the software in countries the software writer hate, then they are trojan writers and shall be punished.
    • by gweihir ( 88907 )

      Very much so. And one of the reasons is to keep back-channels open for future communication. We all have to get _out_ of this situation at some time and blocking all communication channels or spamming them with propaganda is not a good idea.

    • by tlhIngan ( 30335 )

      You can make a political statement without it being intrusive, like how Vim mentions Uganda and how supporting Vim also supports Ugandan children.

      And restaurants do that too, Chick-Fil-A is famous for doing it by not opening on Sundays.

      It's not overt, and at worst a mild inconvenience to users.

      Protestware though, has no place in open-source because actively harming users makes them innocent third parties.

      Taking the current conflict into account - telling your users to oppose the Russians by deleting all the

    • The same is true of things like "protestware". If you are making functionality breaking changes to make a political point then I'm just not inclined to use your software

      A typical "I only support protestors providing they don't inconvenience or affect me in any way" response... one which objectively defeats the purpose of a protest.

  • I honestly don't know if embedding payloads harming Russian targets in open source software is a good idea or not but the argument certainly isn't that simple.

    Of *course*, putting harmful payloads in open source software harms open source. It will reduce the willingness of people to use, trust and contribute to open source software (what if I'm the next target). If your a big US software firm (or simply work in the US) you might worry that you'll be targeted if the US gets into an unpopular war and protes

    • by DarkOx ( 621550 )

      There is a difference though. Economic and banking sanctions don't happen because someone unilaterally decides to punish the target.

      We have an elaborate bureaucracy that is (theoretically) accountable to elected (keyword) leaders who work hard to make sure those sanctions are coordinated and tailored to achieve our diplomatic ends. Its not the same thing as one FOSS developer or even one organization deciding to do something.

      I there is some wiggle room here - is adding some pro-this or anti-that banner to

  • Instead of political messages in commit logs, instead of the causes portrayed through getting non-devs in teams to drive devs out, instead of the creation of codes of morality and propriety, and yes, [fucking facepalm] instead of the fucking malware too - let's write fucking code and ostracize anyone that tries to hint at any political garbage of any variety in a bit of it. It's that fucking simple. If they aren't writing code they aren't a part of the group, simple as that. Yes, even if they blow you.
  • * Anyone else remember the "Stoned Virus"?
    https://en.wikipedia.org/wiki/... [wikipedia.org]

    Booting from an old infected floppy, would display the messages:
    "Your PC is now Stoned!" "Legalise Marijuana"

    Yes, the virus writer misspelled "Legalize".

    • "Legalise Marijuana"

      Yes, the virus writer misspelled "Legalize".

      Or they were from England or some other English speaking country where "ise" is the accepted suffix, rather than the "ize" of American English.

  • You should remember that OSI just had a bunch of corporate shills installed last year. His suggestions "put it in commit logs" is laughable because he know that literally nobody will see it. It's quite clear what he wants is to avoid disruption to companies like Red Hat that have been making money off of other people's work.

    Free software is free which means if you don't like it then you can fork it or fuck off.

  • If you're a developer building desktop or mobile apps, it makes you want to audit any third party libraries you're linking to in order to build your app, to look out for this sort of deliberate malware. Because if your app crashes the host's computer, who do you think is liable? The maintainer of the library who added the malware? Or you?

    Oh, and sure, you can go to that third party developer and try to sue them for damages caused to your company's reputation and to your client's computer--especially if the

  • open non-propaganda news outlet to see who got harmed recently ... hint not open source projects
  • Country that does not respect international treaties and plans to legalize software piracy does not care about OpenSource license.
  • The minds gifted with great specific talent are often useless or just batshit crazy outside their specialty. Some of them will do silly shit.

    OTOH silly shit is often the only way to command attention from a broken system.

    Awkward stuff will happen. Complex systems operate in degraded condition. So what? There is no crisis at hand nor evidence one's coming.

    We cannot expect humans to have enough self-mastery NOT to politicize everything because they're weak (and nowadays insist weakness is acceptable instead

  • Often do more harm than good. So nothing different here! Just more of the same!
  • Are NPM packages and usage of them, and more generally JavaScript as back-end technology.
    It's low quality library code, mostly written by very young programmers, and the packaging system has security flaws built into it.

Support bacteria -- it's the only culture some people have!

Working...