[urthor]

This still goes to the heart of the obligations of maintainers.

"THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."

People keep placing obligations on maintainers in the FOSS ecosystem.

Maintainers don't have to do jank in this situation, except don't fraudulently distribute their software.

If they want to publish their upstream as malware, okay.

It's the end user's fault for continuing to pull that source code and integrate it into their system.

[armchairhacker]

Normally I agree, except in this case when the maintainer becomes the aggressor and literally installs malware to the user. This has nothing to do with FOSS and contributors being obligated to write better code, this is deliberately hacking someone.

That's like saying "it's your fault for giving them your password" when someone opens a phishing link. Yeah, all the scammers did was host a website and send emails, you chose to provide them your information. It doesn't make them not liable.

[bryanrasmussen]

>If they want to publish their upstream as malware, okay.

I think you'll find that argument will not be very persuasive to a judge if the case is that the author of the software knowingly adds code in after people have integrated it into their systems that on purpose damages those systems.

Intention will often carry weight, and no claiming of rights and purity and see I wrote here you can't do anything to me! is going to persuade a judge that you can just go around destroying property because you want to.

[isitmadeofglass]

If you sign a contract stating that you get 10k and in return I get to destroy your property. A judge is not very likely to enforce the payment but state that I should not destroy your property “because obviously thats not something you would like”

The license grants you usage but you agree to no responsibility for damages. You can’t cherry pick half of it, that defies the entire point of a license. The fact that you’d like to both Ear your cake and have it to does not have any weight in court.

[rcxdude]

Licenses aren't contracts, and more to the point, licenses grant you the right to copy or distribute the software, you do not need to agree to them for use (this is a very common misconception). You have the right to use the software if you have been given a copy by someone with the right to distribute the software, unless you have signed a contract with them stating otherwise (EULAs and other such attempts to force a one-sided contract onto users generally have little weight in court).

[uwuemu]

People are so clueless about law, this comment is a great example. A licence is worth jack shit in a criminal case (which this would be, if prosecuted).

[urthor]

Agree with this.

I think the difference is between sharing the code and pushing dodgy code down into npm. Which is my misunderstanding.

Pushing this dodgy code down to end users in Russia/Ukraine is a cyberattack.

[88913527]

> If they want to publish their upstream as malware, okay.

NPM's terms explicitly disallow malware. They're free to put the raw source on say GitHub, but the author isn't permitted to package and distribute it on NPM.

https://docs.npmjs.com/policies/open-source-terms

[urthor]

You're spot on, my mistake.

I thought the author published it via Git and some npm maintainer scraped them.

If they distributed this code to end users that's just a cyberattack.

[lal]

I'm two days late but this is an argument for a developer not removing a security vulnerability from a dead project they've stopped maintaining, not this. I feel like not actively choosing to push malware to a repository where you know many, many automated systems will pull that malware onto the systems of your end-users due to a poor security model in the ecosystem you're developing in is a very very low bar of obligation as a maintainer.

Like, okay, you can't expect a doctor to save the life of every person who comes into the ER, but you can hopefully expect them not to start stabbing patients to death, and something should probably happen if they do, right?

Your argument makes sense for inaction (and is important and not brought up enough, honestly; there is a lot of entitlement in the open source world and people treat library developers in some pretty nasty ways), but not for action, as is the case here. The only obligation anyone expected here was the obligation to hold yourself back from making your project that gets millions of downloads per week point to malware.

[urthor]

I agree, I think I misread.

If you actively distribute, as in push your code out to the world via pushing it into npm, that's very different to sharing the code on GitHub.

[kelnos]

So basically you're interpreting this clause as "if I want to be a total asshole, I can, and no one is allowed to complain"?

I reject that interpretation entirely. Sure, maybe the author isn't legally liable for any harm here (though I'm not entirely convinced that's the case), but we are all well within our rights to tell him he's an asshole for doing this.

[fork-while-fork]

Intent matters. The maintainer very clearly intended to do harm. They abused end user trust which is a common attack vector for many pieces of malware.

[Volundr]

> This still goes to the heart of the obligations of maintainers.

I don't think this comes down to an "obligation" of open source maintainers. I think it's pretty evil of ANYONE to market software pretending it's one thing, when it reality it's malware. Open Source or not doesn't change that.

> It's the end user's fault for continuing to pull that source code and integrate it into their system. More than one party can be at fault.

[lopis]

Ok, sure. It's our fault.

But now that the maintainer became a malicious actor, I hope they are booted from the FOSS world and their github gets shutdown for illegal behaviour. This behaviour cannot go on unpunished.

[katbyte]

and sometimes people ask why I always vendor in in my go code deps and refuse to stop