[pciexpgpu]

Why assume bad faith and bring pitch forks out? The actual scammer needs to be out - not some person who maintained it for free.

Nobody paid this OSS person - only when there is a problem do we ’accuse’ OSS maintainers not when they were actually doing their job for free.

[SahAssar]

If you own the domain for a service used for free by many many websites and have encouraged people to use that service for free I think there is some responsibility to not transfer that to a bad actor.

If he simply made the DNS not resolve to a server anymore I'd be fine with it (and if giving people a warning a few months in advance would be great) but this is not inaction, this is selling trust. It's reasonable to have less than zero trust in anyone that would willingly sell my trust to an unknown third party for profit in this manner.

I think that people should have never used this service or used it with subresource integrity (which by design is not possible in this case), but that's not how it was pitched so now the owner has some responsibility if they want to maintain dignity and trust.

[Zafira]

I think this touches on an interesting question. What obligation do free or open source project maintainers have?

Even if a maintainer slaps on a, “I do what I want with this project. I am not responsible for any damages. There is no support” disclaimer, I am not sure that necessarily removes some social responsibilities.

[SahAssar]

This is not an "open source project", this is a service. When I use a open source project I take it as it is now and take a risk on it not being updated, but any updates are "pull", as in that I willingly take in changes.

In this case the service is "push", which is very different. Any website that used polyfill.io can have any changes pushed to it, regardless of if the author even had known about a change being made.

If my popular project is replaced with a single poop emoji on NPM any existing user is fine (especially since NPM keeps old versions after the whole left-pad thing) and will find an alternative. If polyfill.io replaces their code with

    document.documentElement.innerHTML = '💩'

that's not fine, since it affects existing users without any update step.

I think that nobody should use these public CDNs at all, including things like unpkg and cdnjs, or at the very least using subresource integrity. Either way this has been something that has been on the horizon for years and similar to the buying of popular webextensions.

[ihumanable]

I don't have an answer, but the idea that the person providing you with a free service owes you anything at all just reminded me of this Simpson's quote I think about sometimes.

---

Comic Book Guy : Last night's Itchy & Scratchy was, without a doubt, the worst episode ever. Rest assured that I was on internet within minutes registering my disgust throughout the world.

Bart Simpson : Hey, I know it wasn't great, but what right do you have to complain?

Comic Book Guy : As a loyal viewer, I feel they owe me.

Bart Simpson : What? They've given you thousands of hours of entertainment for free. What could they possibly owe you? I mean, if anything, you owe them.

Comic Book Guy : Worst episode ever.

[Sephr]

I never claimed bad faith. Lack of professional competency can also cause poor decisions. As it stands, Jake hasn't even admitted to his mistake yet.

This isn't just about an open source project. It's about an online service. The owner could have simply shut it down instead of allowing it to be acquired.