by btreecat 1559 days ago
I don't know how I feel about this.

On one hand, this is a seemingly non-violent and subtle way to protest. On the other, the potential collateral damage is huge and just burns all trust with this developer, and is a net harm to the ecosystem as a whole.

FOSS is great, because we were actually able to track the changes here. But it also points out how many packages go un-checked and just installed into a container running with root permissions.

3 comments

> I don't know how I feel about this.

> On one hand, this is a seemingly non-violent and subtle way to protest.

You can't be serious. Being non-violent and subtle is no excuse for deliberately making software have real side effects on a computer that it's not advertised to do, especially a node library. Node modules for some reason tend to be very small and have trivial tasks like checking if something is a number. Imagine if everything shipped with its own political malware.

No matter how you want to spin it this is completely unacceptable and nobody should ever trust this developer again.

> But it also points out how many packages go un-checked and just installed into a container running with root permissions.

The fact that "packages go unchecked" doesn't make this okay either.

> Imagine if everything shipped with its own political malware.

Then people could write their own code to check if something is a number.

I didn't condone anything or anyone, I just stated I wasn't sure how to feel about it.

Any assumptions or claims beyond that are your own delusions.

I dunno. If you’re sloppy enough to install whatever dependencies onto your system, and not notice a new dependency, called “peacenotwar”, I’d say it’s your problem.

Doesn’t necessarily make it OK, but this will only affect the sloppy.

No one is going to audit the entire transitive closure of their dependency graph for every project they try out on their computer. This is not just going to affect the sloppy.

It's childish. Striking out maliciously at random web developers surrounded by state propaganda is counter-productive. This just annoys them and feeds the narrative that they're under attack by the West who hates them.

I would imagine web developers over there, being more educated, technical, and exposed to the West, would be the ones less likely to support the war.

There's nothing subtle about wiping files, why not provide news and information that's being blocked? This could have been an information bridge that would be hard to censor. Hell, run a crypto miner on their machine and donate to Ukraine if you're trying to help, that'll have more of an impact than wiping some poor dev's files.

Your suggestions are also childish and just as flippant.

I don't know how to feel about this because it's not much different than sanctions in theory (very different in execution). Cause pain for people so they "force internal change."

It's not something to root for gleefully.

> why not provide news and information that's being blocked

It's not really an issue to bypass blocks (how do you think Russians access rutracker). Especially not for a person who is capable of doing something with NPM packages.

100%

> why not provide news and information that's being blocked?

Radio Free Europe style. I like it.

It isn't going to stop Putin but it could negatively impact normal people. In no universe will the handful of Russian programmers impacted by this rise up and overthrow their government. But they will be forced to work extra hours cleaning up any damage this caused to their system. This is really lame virtue signalling that only harms fellow workers because their government is terrible.

But this is pretty much the exact logic sanctions work by. Putin and his cronies might lose some super yachts but the main aim is to crash the Russian economy, which will hurt everyday Russians far more than any leader. Not that I have any better ideas, but you could argue this move is in a similar vein.

The sanctions also choke the state's military of funding.

Sanctions lower taxes, which hurts the government's funding. It may or may not be effective but they are not remotely the same.

So sanctions? I get it, collateral damage is indeed collateral. That's why I don't know how to feel.

If this move broke some key software used on the battlefield, would we all be so quick with our positions?