Why should you ask this question and why does it matter?
I am sure, all of you know what open source, if not you can read it up on the link I’ve mentioned, but let’s cut to chase, Is Open source ready for protestware ? In essence (TL DR😉; No) it is not stable and strong enough, let me explain why
Disclaimer
Open-source org has a similar article but it reflects on a certainly different perspective, this article considers the issue at its face value. It is more than a reflection of the current situation. Though the ongoing situation is one of the essential reasons for this topic but it is not the only factor. It is a case study for the past, present and future.
Why does it matter?
All developers use dependencies that are open-sourced in some level, even if you are a developer who doesn't use open-source too, this matters to you as today's open-source patterns are tomorrow's industry standard. The open-source community drives your software in ways which you don't recognize, and when the problems of protestware hits mainstream, you'll be able to understand its security implications. Examples would be faker.js which I've briefly covered.
Why am I eligible to present my specific view-point ?
Well before we dive in, you may ask on what capacity am I writing this? What is my experience with open-source and security ? So let me explain that part quickly.
Experience
I am a seasoned open-source developer, who's worked on various projects , famous ones include Pyrsia, OpenCiviWiki and the Data on Kubernetes communities. My experience/contribution towards Pyrsia which is an open source security foundation project is a good reference for you to read up, it explains how it plans to secure open-source supply chain.
Now jumping into the topic
Why is the current system not ready for protestware ?
Protestware are software which open-source developers, maintainers use as a symbol of protest during some change of event. (For this article , let us approach from this perspective)
When developers choose to abruptly change their package, tool, software as a form of protest, it initially will be a good reflection of their opinion and perspective, but honestly, taking a larger perspective, it is not friendly for the community as the community tends to become way more polarized than its previous past. The ideals of open-source was to promote good software, free software (not completely) and a trust-worthy safety net for other developers to use your work (under appropriate licenses⚖️). Organizations like the Linux Foundation, Apache have been major proponents of these principles.
All of you must have used one of the big three JS libraries(React, Angular and Vue) for your front-end development and I am sure you wouldn't be able to remember all of the dependencies, barely a developer remembers the nested dependencies. Developers trust the ecosystem for the packages coming from the corresponding registries(NPM, PyPI, NuGet, Cargo) and if a package console logs/ print they support XYZ, it is still not acceptable for your product to have the owner's opinion.
Apart from the unsolicited opinion being forced into your product/project/error-logs/console, we must realize how polarizing the community can get, the trust chain is broken, we have a possibility of another case where a counter-opinionated package can wreck harm. (opinions are always on a spectrum and expecting all developers to conform to one opinion is inconsiderate) Apart from this, all outrage has collateral damage but the scales of open-source is just humongous. The scale of impact is way too high. It scales exponentially quickly and to make amends would not certainly not be an easy task.
As open-source developers, all of us have a common goal of making the world a better place, some may say protestware is a manifestation of the same but I beg to differ, the open-source community strives to be non-polarized, once the balance of its neutrality is disturbed, the entire trust-chain and links are jeopardized. If you no longer trust the packages that comes from various sources, your developer life-cycle is complicated by 100x . Developers will have to put considerably more time understanding their dependencies and there will be larger investment into planning dependencies ahead of time.
Neutrality of FOSS
The neutrality of FOSS is the first thing that often strikes our minds when we mention FOSS. Developers, Contributors across the world without seeing their nationality, political biases and their political opinion. The article from open-source organization justifying the fact it is acceptable to opine through FOSS is detrimental to the larger ecosystem in general.
Software is software and not soft-power
Often than not, developers use/will use/have used protestware to carry their point of view ahead to a set of their target audience, well is that what FOSS promised ? The article from open source organization deems promotion of interests through open source software as effective, I beg to differ again. It is affecting the neutrality of open-source by setting a precedent where developers can choose to put their opinions and views in a place that wasn't meant to host opinions, we and the open source organization can always say it'll be neutral and non-hateful but this lays the foundation for hate-speech and violent content to be promoted. Readers may wonder how? Open source despite being open to all developers, is very much centralized. The authority of the maintainer/admin is central and ultimate . It is technically "their project", they can choose to block it off.
Examples of open-source maintainers taking control of their project:
-
Actix and Nikolay Kim
They over took the project and made it private when there was a huge fiasco, you can read this article. -
Faker JS
The repository was changed single-handedly by the maintainer, Github went on to suspend the account of the maintainer . -
node-ipc
The owner is allegedly racist and their changes have affected the supply chain. Various news outlets have reported their actions, it has been proven that their actions have made the project into malware
Why open-source organization shouldn't have taken that stand ?
It is extremely unpleasant for open-source org to condone usage of open-source software for spreading "information". Open source being used to express opinion is an event that triggers of damage to the supply chain which might be irrecoverable. IF THE OPEN SOURCE SUPPLY CHAIN GOES DOWN, ALL SOFTWARE GOES DOWN.
What can you do as a developer/end-user ?
These are some steps:
- Avoid supporting packages that act as protestware
- Try to maintain neutrality when you're making/maintaining a package/tool/etc
- Ensure audit practices and sustainable security practices with packages and dependencies.
- Visit your registry's sources(if possible) and understand the maintainer's code maintenance policies and practices.
Conclusion
This is a brief opinion of mine, I understand many of you may or may not concur with this article, you can continue the conversation in the comments and read about it.
My Links
- Website: Click to view
- LinkedIn: Click to view
Top comments (0)