by sertraline 1620 days ago
My parents always taught me not to take donuts from unknown people, especially when they're free. It's common sense, and corpos take all the fault for taking an easy fix to save their own developer hours at someone else's expense. Now, when it turns out there are consequences to this, corpos aren't that happy.

With that argument, you might as well say that open-source/free software shouldn't exist.
My argument is that you shouldn't automatically trust it just because it's free. You shouldn't make your entire infrastructure, and, perhaps, life, rely on it. If you do, there is no one at fault but you, because you passed all the responsibility to someone you have no control over. You are not entitled to protection and safety from the side of the developer just because you said you rely on them - they are not going to carry your burden when it's not their job to do so.

Either you stay cautious, in which case you maintain your own forks for your own business or reinvent the wheel, so you don't rely on others that much, or you admit that you can't just reject this dependency - in which case it becomes either public infrastructure, or a "donut business" on its own, and both should be financed as such. Take Linux as an example: Linux is backed by corporations and financing because everyone understands how crucial Linux is for our living. People took all the necessary steps to guarantee that the kernel dev team is not going to disappear at any moment.

This is not the first and not the last time this has happened. For some reason people think that open-source devs owe them something just because they had the right to bring their projects into existence. The JavaScript ecosystem especially suffers from it because of people's unexplained obsession with depending on packages which contain 1-2 lines of code at best, packages that can disappear at any moment.

The Faker dev acted maliciously, but no one could guarantee that he wouldn't. No one was there to care about his mental state, or his wallet contents, and only relatively small companies and a few people donated to his project, something he worked on for over a decade.

Sure, you can blame him all you want, but that won't undo the damage. If you rely on something maintained by an individual, you have to take into account that this individual is an actual human, this human actually exists and like any other human he is subject to free will and uncertain futures, and whatever risks come with it. If you don't, this is what happens to you.

I have no contention with the argument for due diligence and self-preservation. It's your comparison of OSS with potentially poisoned donuts that strikes me as the same facile argument made by the Not Invented Here types. It's one thing to say your infrastructure is your problem. It's another to suggest that anything free as in free beer is ipso facto too good to be true. That's an unsubstantiated reductionist take.

The Linux kernel was not always as well-financed as it has become. Before its recent about-face, Microsoft financed attempts to stifle Linux. Linux's continued existence has always rested on the merit of its utility, whether to hobbyists or to corporations.

The Faker dev may not owe the rest of the world anything, just as the world doesn't owe anything to him. But what about those who have paid or contributed to his work? Are you of the view that anyone who sincerely put their money, time, and intellectual output into Faker deserved to be suckered? Those people are human beings too. They deserve something for their investments rather than being used as unwitting pawns for someone's mental breakdown-induced prank.

Taking your view of security to its natural conclusion, no person should use a computer if he/she didn't bake the silicon wafer himself/herself. Otherwise he/she shouldn't complain if he/she becomes a victim of fraud or misrepresentation.