The spirit of open source as a whole is definitely not public ownership / control. There's a small subset of open source software that's public domain software but not owning the copyright over it doesn't mean that someone doesn't own a certain repository developing the software.
Conversation
this seems like is / ought
there is nothing, legally or practically, stopping a maintainer from doing this
I don't think that's the spirit of open source; the project can be easily forked and re-hosted but users weren't doing that because they trusted the ecosystem
1
2
Open source is making the source code available for anyone to use for any purpose even if that purpose is mass murdering people. The spirit of open source is devaluing labour so that corporations can build software more cheaply. This person didn't realize that getting into it.
1
It's their own fault they released they software under an open source license but I think most open source maintainers have felt this way at one point or another.
I don't really think they did anything particularly malicious or terrible. It wouldn't pass any basic smoke test.
2
how is intentionally breaking your users' projects not malicious
1
If you blindly update to new versions and deploy without testing, they did you a service by showing you that what you're doing is completely broken even if you do trust your dependencies. They didn't hide a backdoor or trap that triggers later. It just spams nonsense on loading.
1
1
you could say this to justify basically anything, is breaking apps really ok because they should have known better?
yes, they were trying to make a point and not steal data or whatever but it's still damaging even if all it does is break a log ingestor
1
I seriously doubt that they actually harmed anyone. They've been talking about it for over a year in advance:
news.ycombinator.com/item?id=250321
Software is not inherently good and I'm not convinced that breaking an arbitrary set of npm apps with zero testing before deployment is bad.
1
My sympathy is not really with some Amazon engineers who get paid 200k/year and couldn't even bother to test that their application loaded before deployment.
twitter.com/marak/status/1
I think there's probably only 1 person likely to get hurt from this and it's not their users.
This Tweet is unavailable.
1
1
Perhaps building an industry on the backs of hobbyists who aren't able to earn a living from their work is not a good idea. Seems pretty clear from github.com/sponsors/marak and elsewhere that they tried and failed to get an income from it and aren't doing well.
1
2
It appears abc7ny.com/suspicious-pac is the same guy so they are definitely quite unwell and are probably a real danger to themselves and others rather than simply annoying people by adding Zalgo spam to their library. Also have some conspiracy theory stuff on their timeline.
Seems like the reason he has no money is because he spent everything he had on precious metals hoarded in his house. When it burned down while he was making bombs with someone, the police stole all of it.
Open source supply chain security is really something uniquely special.