Open source technology is undoubtedly a great resource for users of the world wide web, but how happy are the developers who work “for free” so that others, often multinationals, can make money? This is what Marak Squires, one of the GitHub developers, must have thought: he reportedly said he was tired of supporting companies that make millions from his free work.
To make the point, Squires deliberately sabotaged two open source libraries he had created himself, pushing an update that triggers infinite loops and affects the millions of users who depend on them. The two libraries are colors.js and faker.js, used respectively to add colors to Node.js console output and to generate dummy data for demos. Between them, the two libraries see 23-25 million weekly downloads.
The open source sabotage: how it happened, its causes and its consequences
To give his gesture even more force, Squires added a “new shape of american flag” to the latest version of colors.js and then published it to GitHub and npm; it prints three lines of the words “freedom freedom freedom” followed by incomprehensible characters that repeat indefinitely. In much the same way, faker.js was sabotaged with the release of version 6.6.6.
The “problem” was first reported by BleepingComputer: Squires had introduced an infinite loop into the libraries that effectively broke thousands of projects depending on their correct functioning. Users, including those working with the Amazon Cloud Development Kit, reported the bug on GitHub thinking they had been hacked.
According to The Verge, colors.js appears to have been restored to normal operation, while faker.js may still be affected by the bug. Even so, users of the latter library can fix the problem by downgrading to the older version of the package, more precisely v5.5.3.
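The downgrade advice above assumes you know where the sabotaged release ended up in your dependency tree. As an added example, not code from the article or from the faker or colors projects, this script audits an npm package-lock.json object for faker 6.6.6 and reports the version to pin to; the lockfile contents and package names are constructed.

```javascript
// Added example (not from the article or the faker/colors projects): audit a
// package-lock.json for the sabotaged faker release. From the article: faker
// 6.6.6 is sabotaged, 5.5.3 is the known-good version. Sample data below is constructed.
const SABOTAGED = { faker: ["6.6.6"] };
const KNOWN_GOOD = { faker: "5.5.3" };

// Lockfile v2/v3 lists every installed package under "packages", keyed by its
// node_modules path; v1 nests them under "dependencies". Handle both shapes.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === "") continue; // "" is the root project itself
      const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
      found.push({ name, version: info.version, path: key });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix} > ${name}` : name;
      found.push({ name, version: info.version, path });
      walk(info.dependencies, path); // nested copies npm could not hoist
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// One finding per installed copy of a sabotaged version, with the version
// the article says to downgrade to.
function auditLock(lock) {
  return collectInstalled(lock)
    .filter((p) => (SABOTAGED[p.name] || []).includes(p.version))
    .map((p) => ({ ...p, pinTo: KNOWN_GOOD[p.name] }));
}

// Constructed sample: a v2 lockfile where an unpinned range pulled in faker 6.6.6.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { faker: "*" } },
    "node_modules/some-lib/node_modules/faker": { version: "6.6.6" },
  },
};
for (const f of auditLock(sampleLock)) {
  console.log(`${f.path}: ${f.name}@${f.version} is sabotaged, pin to ${f.pinTo}`);
}
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's package-lock.json.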
Behind Squires’ motivations there seems to be an unwillingness to keep supporting companies like the Fortune 500 and others with his free work. “Not much more to say,” wrote Squires. “You can present this as an opportunity to send me a six-figure annual contract or have someone else work on the project.”
If Squires wanted to raise the issue of unpaid open source work, he has succeeded. There has been extensive discussion on the subject, with statements coming from around the world.
According to Filippo Valsorda, a member of Google's Go team, companies that build on open source must pay open source developers: “Open source software runs the Internet and, by extension, the economy. This is an indisputable fact about reality in 2021,” read a statement issued last year.
Kayla Underkoffler, Senior Security Technologist at HackerOne, also said that projects like the Internet Bug Bounty help organizations of all sizes tackle cyberattacks like Log4Shell by raising funds to incentivize research on open source vulnerabilities.
“Most organizations do not have direct control over open source software within supply chains to easily correct these weaknesses. Protecting this often underfunded software is a must for any organization that relies on it,” she warned.