
Is it worth using Open Source for political statements?

I planned to write this article in February. Then Putin, a little piece of shit, decided to attack Ukraine, and things got a bit more complicated. In the end, the delay in writing the article was not that bad. The war brought some mess into open source too.

Viral affairs

We live in times when small evil actions of a single person can affect millions of people. Social media era...

I mean, they affect millions... and then they are gone because, guess what, another evil action happens right after. So we are in a circle where events occur blazingly fast, override each other, and people forget.

Do they really forget? Neither in tech nor anywhere else. We humans absorb a lot of info in our brains. Every single thing affects us, positively or negatively. New neural connections are created and saved in "the database".

The fact that something was viral and vanished doesn't mean it was removed from our heads, especially if it affected us directly. It stays and unconsciously affects your future decisions.

Therefore, give us a break and stop pushing politics into open-source!

Marak and his Faker.js and Colors.js actions

There were many articles written about the incident, so I will summarize it super quickly.

In 2021 Marak wrote an interesting article about open source monetization. A great addition to the discussion. We should have these stories shared and increase their visibility in the community. This is just one of many stories like this in open source. Just look at the history of AppGet getting killed by Microsoft.

Then, I have no idea what the hell he was thinking, but he decided to break his libraries, used by millions of developers. Like, seriously, pushing dummy production-breaking code just to make people hear him. Just because one dude from one company decided to trick him, he betrayed the trust of millions of people.

I know many people say: you should have used package-lock.json, and you would not have been affected. No, he should just not have done it, so that I'm not affected. Even if my code in production did not break, I still need to waste my time removing this dependency from my code. I just don't want it there, period.

The whole story is even more confusing, as it doesn't look like it was only related to monetization issues. It seems like a political statement supporting the legacy of Aaron Swartz, especially when you read about his problems with the local police.

Like OMG! You do not expect these things in open source, right?

The only good side of the story after the events is that Faker.js found a new home with new maintainers and gained financial contributors on Open Collective.

Now, do you think Marak was screwed by the evil corporations? He collected the money, over 11k USD, that had been donated on Open Collective prior to the event. The project was also getting donations before. Also, after the event, colors.js got more popular by around 4M!

RIAEvangelist and his node-ipc actions

We did not have to wait too long for shit to happen again. RIAEvangelist decided to create peacenotwar package with the following motivation:

This code serves as a non-destructive example of why controlling your node modules is important.
It also serves as a non-violent protest against Russia's aggression that threatens the world right now

Nothing about Ukraine. It was more important to state in the first sentence that the main goal is to educate people about the wrong usage of package-lock.json. Well done, mate... Anyway, who cares about a random guy and his new library, right?

The problem is that he decided to use this package in the widely used node-ipc module. He obviously doesn't see a problem with not releasing the change transparently, as he usually did. No respect for contributors and the community. I definitely recommend reading the whole story described by Snyk.

And instead of doing it all, he could:

  • donate to help people in Ukraine
  • fly over to Ukraine or neighboring countries to help out refugees
  • volunteer to groups of devs helping block Russian online resources

It was easier to take a piss on open source than to work together with others to help.

Was it worth it?

Open source is not just about the USA, or just about Ukraine or Russia. It is a much larger global bubble. Don't push your views and political statements aggressively on people from different cultures and countries. The cases I described above are pure aggression. It is the violent enforcement of political opinions. This is not how you run a dialogue and push good, long-term changes.

Please stop this trend.

Just get over it and realize open source is not your little local bubble, not your small office space. The faster you realize it, the better. You must see that with global reach, patience, and being part of the community, you can actually achieve many good things. Just slow down and work together.

You do not fix open source with such actions. You harm it. You damage the credibility of maintainers and lower the community's trust. You are simply a bad open-source citizen.

What will happen is that enterprises will invest more in security and tools to detect these issues. People will not all suddenly learn to lock their dependencies. There will be tools like Chainalert or others that monitor open source and detect such releases early. Enterprises will not invest more in open-source maintainers. They will invest in the toolchain to properly alert on and enforce controlled upgrades of dependencies, so that such misbehavior never reaches production. And it will not be a huge and painful investment, just a few thousand bucks on tools that will most likely just be plugged into an existing security chain.
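The two mechanical pieces behind this paragraph and the earlier package-lock.json discussion are a lockfile audit (is every dependency pinned, present in the lockfile, and carrying an integrity hash?) and a lockfile diff that flags any locked version change for review before it is deployed. The Node.js script below is an added example and is not code from the original post nor from Chainalert, Snyk, or any tool mentioned here. Package names, versions and integrity hashes in it are constructed and hypothetical; the lockfile handling follows the public npm lockfile v1 ("dependencies" keyed by name) and v2/v3 ("packages" keyed by node_modules path) layouts, top-level entries only.

```javascript
// Added example (not from the original post): audit an npm manifest against its
// lockfile and diff two lockfile snapshots. Sample data below is constructed.

// An exact version: optional "=" or "v", then MAJOR.MINOR.PATCH with an optional
// prerelease tag. Anything else (^, ~, *, x, "latest", hyphen ranges, git or
// tarball URLs) is treated as floating. Conservative on purpose.
const EXACT_SEMVER = /^=?v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/;

function isFloatingRange(range) {
  return !EXACT_SEMVER.test(String(range).trim());
}

// Normalise lockfile v1 and v2/v3 into { name: { version, integrity } } for the
// top-level dependencies (nested node_modules/a/node_modules/b entries are skipped).
function topLevelLockEntries(lock) {
  const out = {};
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
      if (m) out[m[1]] = { version: entry.version, integrity: entry.integrity };
    }
  } else if (lock.dependencies) {
    for (const [name, entry] of Object.entries(lock.dependencies)) {
      out[name] = { version: entry.version, integrity: entry.integrity };
    }
  }
  return out;
}

// Audit: each declared dependency should be an exact version, appear in the
// lockfile, carry an integrity hash, and the locked version must match the pin.
function auditDependencies(pkg, lock) {
  const findings = [];
  const locked = topLevelLockEntries(lock);
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    if (isFloatingRange(range)) {
      findings.push({ name, problem: 'floating-range', detail: range });
    }
    const entry = locked[name];
    if (!entry) {
      findings.push({ name, problem: 'not-in-lockfile', detail: range });
      continue;
    }
    if (!entry.integrity) {
      findings.push({ name, problem: 'missing-integrity', detail: entry.version });
    }
    if (!isFloatingRange(range) && entry.version !== range.trim().replace(/^=?v?/, '')) {
      findings.push({ name, problem: 'lock-mismatch', detail: `${range} vs ${entry.version}` });
    }
  }
  return findings;
}

// Diff two lockfile snapshots: every top-level package whose locked version
// changed (or newly appeared) is reported, so the change gets a human review
// gate instead of flowing into the next production build automatically.
function lockfileVersionChanges(oldLock, newLock) {
  const before = topLevelLockEntries(oldLock);
  const after = topLevelLockEntries(newLock);
  const changes = [];
  for (const name of Object.keys(after)) {
    const prev = before[name] ? before[name].version : null;
    if (prev !== after[name].version) {
      changes.push({ name, from: prev, to: after[name].version });
    }
  }
  return changes;
}

// Constructed sample inputs: hypothetical package names, versions and hashes.
const samplePackageJson = {
  dependencies: { 'example-colors': '^1.4.0', 'example-ipc': '9.2.1', 'example-left': '*' },
  devDependencies: { 'example-test': '2.0.0' },
};
const sampleLockBefore = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: samplePackageJson.dependencies },
    'node_modules/example-colors': { version: '1.4.0', integrity: 'sha512-CONSTRUCTED-A' },
    'node_modules/example-ipc': { version: '9.2.1', integrity: 'sha512-CONSTRUCTED-B' },
    'node_modules/example-left': { version: '1.0.0' }, // no integrity hash
    // 'example-test' deliberately absent from the lockfile
  },
};
const sampleLockAfter = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: samplePackageJson.dependencies },
    'node_modules/example-colors': { version: '1.4.44', integrity: 'sha512-CONSTRUCTED-C' },
    'node_modules/example-ipc': { version: '10.1.1', integrity: 'sha512-CONSTRUCTED-D' },
    'node_modules/example-left': { version: '1.0.0', integrity: 'sha512-CONSTRUCTED-E' },
  },
};

console.log('audit findings:', auditDependencies(samplePackageJson, sampleLockBefore));
console.log('lockfile changes:', lockfileVersionChanges(sampleLockBefore, sampleLockAfter));
```

Run with `node audit.js` after saving the block; in a real pipeline the two sample objects would be `JSON.parse` of the repository's package.json and of the lockfile before and after an update, and a non-empty result from either function would fail the CI step until someone has looked at the change.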

Not to mention that you give fuel to all the JavaScript ecosystem haters.

Open-source is not about you. It is about community. So if you do not like it, if you put yourself first, just pack your bags and go back to writing your software behind the firewall. And for a moment, just think about others.

End of rant. Now I can enter the weekend peacefully and relaxed, with a beer in my hand.