The goal was not to disrupt ICE, Chef, or any organization thereof. The goal was to remove my code from an ecosystem that was using it for purposes I perceive as evil. I had no goals of disrupting ICE operations or Chef operations.
I suspected a small percentage of people with a hard, runtime dependency would be impacted, but I did not know Chef (the software) had a hard runtime dependency and was pulling that dependency from public RubyGems instead of a mirror they control.
Besides the political statement, do you have any technical opinion about an organization such as Chef shipping things that have runtime deps to third parties?
It wasn’t a political statement. I have a few thoughts in general. These aren’t specific to this situation.
First, always minimize runtime dependencies. I personally prefer compiled things for this very reason.
Second, if you’re going to include a third party dependency, how are you auditing it? There’s an unexplored area around security here too. The Node.js ecosystem has had a series of incidents where popular packages have had cryptocurrency miners injected into otherwise helpful packages. If you’re depending on third party runtime dependencies: how are you auditing changes and contributions, how are you scanning for vulnerabilities, how are you patching those vulnerabilities if you don’t have an internal fork upon which you build?
Third, RubyGems is a volunteer-run organization. I believe other software ecosystems are similar. From my understanding of the situation, a RubyGems outage would have had a similar effect.
If you use Go, then try one of the new self-hosted repositories, such as github.com/gomods/athens since it allows you to archive every dependency you ever update so you can always retrieve past dependencies.
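The point above about Chef pulling a hard runtime dependency from public RubyGems rather than a mirror it controls, and the Go-side suggestion of archiving every dependency in a self-hosted proxy, both come down to knowing where each dependency actually resolves from. As an added example (not code from any commenter, from Chef, or from Bundler), here is a small Ruby script that parses a Gemfile.lock and flags gems served from a remote outside an allow-list; the mirror URL and the lockfile contents are constructed for illustration.

```ruby
# Added example: audit a Bundler Gemfile.lock and list every gem that resolves
# from a registry the organisation does not control. The trusted mirror URL and
# the sample lockfile are constructed, not taken from any real deployment.

TRUSTED_REMOTES = ["https://gems.internal.example/"].freeze # hypothetical mirror

# Parse the GEM sections of a lockfile into { gem_name => remote_url }.
# A "GEM" block carries one or more "remote:" lines followed by "specs:";
# a gem entry is indented by four spaces, its sub-dependencies by six.
# Assumption: the last "remote:" seen in a block applies to its specs.
def gem_remotes(lockfile_text)
  remotes = {}
  remote = nil
  section = nil
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A[A-Z ]+\z/ # unindented header: GEM, PLATFORMS, ...
      section = line
      remote = nil
    elsif section == "GEM" && line =~ /\A  remote: (\S+)/
      remote = Regexp.last_match(1)
    elsif section == "GEM" && remote && line =~ /\A    (\S+) \(/
      remotes[Regexp.last_match(1)] = remote
    end
  end
  remotes
end

# Gems pulled from any remote outside the trusted set.
def untrusted_gems(lockfile_text, trusted = TRUSTED_REMOTES)
  gem_remotes(lockfile_text).reject { |_, url| trusted.include?(url) }
end

# Constructed lockfile: one gem from the internal mirror, two from public RubyGems.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://gems.internal.example/
    specs:
      mixlib-shellout (3.0.9)
        chef-utils

  GEM
    remote: https://rubygems.org/
    specs:
      chef-sugar (5.1.0)
      chef-utils (16.1.16)

  PLATFORMS
    ruby
LOCK

untrusted_gems(SAMPLE_LOCK).each { |name, url| puts "#{name} <- #{url}" }
```

Running it against a real lockfile (read the file instead of SAMPLE_LOCK) gives a quick CI gate: any output means a build still reaches out to a registry you do not operate.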
It's a political statement that will do nothing but echo in people's respective echo chambers. It'll get positive coverage like this in places like the Daily Dot and MSNBC, and Tucker Carlson will use it as "just another example of far left Silicon Valley attempting to circumvent our laws".
Tucker Carlson talking about this is a good outcome. This will only highlight the power that open source and open source contributors have. Lol, a political kerfuffle over a devops FOSS project.
Make working with ICE a toxic asset. Make people not proud of working for ICE contractors.
You actually think that Carlson is going to inform his viewers of the virtues, let alone technical details, of a FOSS project?
>Make working with ICE a toxic asset. Make people not proud of working for ICE contractors.
This kind of activism in tech leads nowhere good. It will lead to witch hunts, more "cancel culture" purity spirals, and generally shit software used for critical functions of our government.