Thanks for your comments. I have to admit that it is shallow - going in more detail would risk identification of the people involved and paint a target on my back.
I do realize that he may have simply changed his opinion - yet it is the most controversial one and he stood by it ideologically as expressed numerous times through a variety of mediums.
It's a bit tinfoil hat, but I am disappointed and there's no harm in informing others about these observations and this experience. Mind you - and that's about all I'll add - that the repository stagnated in development for some time, increasing my senses about something being off considerably (browser extension ownership, for example, frequently gets bought by criminals to convert a user base into a cash cow, or worse).
Disclaimer at the end of the article: If I am totally misinterpreting my observations and the Discord hostility without even an attempt at producing counter-arguments or productive and professional openness and communication, at least it serves as a cautionary tale of what could be.
In any case, no disrespect or attempt to taint anyone's (opensource) software development ventures and/or their personality is intended.
The name of the project or its developers will not be shared; if you can find it, be discreet or this article will be removed. Thank you.
As someone off this thread, lol, I hope you have a great weekend too.
Whether it happened or not, it's a reminder of what can happen. Better to learn from mistakes you haven't suffered from so deeply yet. For starters, when in doubt, it doesn't hurt to get rid of the software dependencies you don't need.
For how to know you can trust a dependency, I'm afraid there is no solution: no theorem prover nor isolation, cryptography nor layerization can save you.
Though the dead weight loss of mutual distrust weighs on us all, shouts echo in the void, so go home and read code, and when the next day knocks its ugly knuckles, tears at least wet dry watchful eyes.
> For how to know you can trust a dependency, I'm afraid there is no solution: no theorem prover nor isolation, cryptography nor layerization can save you.
I'm taking a stab at addressing this problem with Packj [1]. It carries out static/dynamic/metadata analysis to look for "suspicious" attributes such as spawning of shell, invalid/expired email (i.e., no 2FA), use of files, network communication, use of decode+eval, mismatch of GitHub code vs packaged code, and several more.
Thanks for your time. Have a great weekend.
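To make the kind of static check the Packj comment above lists concrete, here is an added example that is not Packj's code and not from anyone in this thread: a small AST-based scanner that flags four of the named attributes (shell spawning, network imports, file use, and decode-then-eval) in Python package source, with a weight per rule so that a low-value signal such as a plain `open()` does not outrank a decoded `exec`. The sample modules, rule names and weights are constructed for the illustration; a real pre-install check would run this over every file in the downloaded archive and combine it with the metadata and dynamic signals the comment mentions.

```python
import ast
from typing import Dict, List

# Constructed sample: a module with several of the attributes the comment lists.
SAMPLE_SUSPICIOUS = '''
import base64, os, socket

def setup_hook():
    exec(base64.b64decode("cHJpbnQoMSk="))   # decode + eval/exec
    os.system("echo hi")                     # shell spawn
    s = socket.create_connection(("example.invalid", 443))
'''

# Constructed sample: a benign module that still touches the filesystem.
SAMPLE_BENIGN = '''
import json

def load(path):
    with open(path) as f:
        return json.load(f)
'''

# Heuristic tables (assumptions for this example, not Packj's rule set).
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "ftplib"}
DECODE_NAMES = {"b64decode", "b32decode", "b16decode", "a85decode", "unhexlify", "decompress"}
WEIGHTS = {"decode+eval": 10, "shell": 8, "network": 4, "file": 1}


def _dotted(node: ast.AST):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _contains_decode(node: ast.AST) -> bool:
    """True if any call inside `node` looks like a decoding/decompression step."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            name = _dotted(sub.func)
            if name and name.split(".")[-1] in DECODE_NAMES:
                return True
    return False


def scan_source(source: str) -> List[Dict[str, object]]:
    """Flag suspicious attributes in one module's source. Purely syntactic:
    aliasing (`from os import system as s`) or getattr tricks slip past it,
    which is why metadata and dynamic analysis are needed alongside."""
    findings: List[Dict[str, object]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append({"rule": "network", "line": node.lineno, "detail": alias.name})
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            if mod.split(".")[0] in NETWORK_MODULES:
                findings.append({"rule": "network", "line": node.lineno, "detail": mod})
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in ("eval", "exec") and any(_contains_decode(a) for a in node.args):
                findings.append({"rule": "decode+eval", "line": node.lineno, "detail": name})
            elif name in SHELL_CALLS:
                findings.append({"rule": "shell", "line": node.lineno, "detail": name})
            elif name == "open":
                findings.append({"rule": "file", "line": node.lineno, "detail": name})
    return findings


def risk_score(source: str) -> int:
    """Weighted sum of findings; a reviewer would gate installs on a threshold."""
    return sum(WEIGHTS[f["rule"]] for f in scan_source(source))


if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, risk_score(src), scan_source(src))
```

The benign sample still yields one low-weight `file` finding, which is the point of weighting: "uses files" is an attribute worth listing, but on its own it is not evidence of anything, whereas decode-then-exec in a setup hook almost never has an innocent reading.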