I feel like if you're a maintainer that does, or has done, this sort of thing you should not be maintaining software in FOSS. The FOSS ecosystem is built on a lot of trust and actions like this violate that foundation.
On the other hand, the people that sent SWAT teams to his door and sent death threats are equally threatening the trust foundations of FOSS.
To me it’s just a reminder that you can’t just rely on trust and good faith when building systems including the internet itself. You have to design for bad actors or the honest people suffer.
Desktop computing is still too permissive for random bits of software. It's unreal that some random package you didn't even directly install has the ability to wipe your computer and steal the login cookie for your bank. Further work needs to be done to sandbox applications.
Just shows how well the trust system works. There is no foundation, unless some certified org wants to take it upon them to verify OSS. And that costs money.
That people call SWAT teams on the maintainer, I hadn't heard, but that's so much worse. The effect is also rather different. I don't have much OSS, and certainly nothing of any importance, but I'm going to keep the project I'm working on private. Too bad if someone else might have been interested.
The node-ipc package is fairly popular and it wouldn't be unreasonable for it to be in software or on machines that could result in someone being harmed. SWATing can certainly result in death, but obviously doesn't always (or most of the time). I think of them both as terrorism rather than trying to go through the mental gymnastics of which is worse.
If someone was running around your neighborhood trying to take your belongings, would you feel bad if someone called SWAT on them? I don't see how intentionally deleting people's files is much different.
You know that's not what swatting is right? It's when you call the police and falsely claim that someone is raping children in their basement or some other horrible crime so that a group of men with guns show up and arrest them. I vehemently disagree with what this guy did but he doesn't deserve that.
Swatting is calling the police saying the person in question is holding someone at gun point. The goal is to have police armed with rifles break down the door and storm the building.
It doesn’t take much for police or the people inside to get shot and possibly killed during raids. Many innocent people have been severely harmed. Infamously, an officer threw a flash bang (an explosive grenade with burning magnesium) through a window into a crib with a child in it. Another fired shots that went through the wall and killed a woman in another apartment. At least one police officer was shot and killed by an innocent home owner in legitimate self-defense.
This isn’t something to take lightly. Whether it not it was the caller’s intent, they tried to get someone killed.
Yes and no, it depends on what you're considering petty property crime.
Someone breaking into my house to steal something while my family is home? They're getting shot in the forehead. I don't know their intentions, nor am I going to assume the best of intentions.
But I agree, SWAT in response to this is overboard. I would've been glad to see the author get proportionate repercussions (perhaps his Github/NPM accounts being deleted) as we know his intention, but putting his life in danger is too far.
IANAL but I would go a lot further and say this behavior should be prosecuted. If this isn't a violation of the CFAA or something like it, it should be amended to include it.
This is a great and often overlooked/undervalued point. Purposefully sabotaging machines through code repositories should be considered spreading malware & be subject to civil & criminal lawsuits.
Edit: I think I would actually like to see a lawsuit come out of this example.
Targeting certain countries could be considered as act of terror. And reasonable standard in USA is to answer this with either drone strike to home or place of work of the terrorist in question.
Well, I assume that means "every file on the system that Node can access", and on a sensibly configured system I hope Node can't access that many important files - and the files Node can access are either in some git repo or backed up regularly?
Node is a programming language. It's used in multiple contexts, not just web. It runs CLI tools, it's the basis of Electron apps. There's no reason to assume it has limited privileges to access files.
Heh... that's a pretty optimistic take on the average node deployment. There are far too many systems where devs force admins to run 777 on certain directories to fix their bugs—or worse yet, they just have direct access to the servers and no understanding of permissions.
> But then some versions of “node-ipc,” the much more popular piece of software that RIAEvangelist maintains, started overwriting files on computers based in Russia and Belarus with a heart emoji, according to a post on GitHub.
Because he went from posting a heart emoji to deleting files.
Author updated the README of the package to say "thanks to all the police that showed up to SWAT me". I suspect he's exaggerating, and he got a friendly visit from a couple police / federal agents.
On the other hand, the people that sent SWAT teams to his door and sent death threats are equally threatening the trust foundations of FOSS.
Link to the vice article talking about SWATing: https://www.vice.com/en/article/dypeek/open-source-sabotage-...