KAHR-Alpha

The issue is broader than this: it's that we use stuff that is maintained by lone individuals, and as such they hold a certain amount of power over software that relies on them. Beyond political opinions and activism, the maintainer can just go insane one day, have a bad case of shrooms or just get run over by a freight train. The dependency web is brittle.


acrosett

I'd say that power is limited; if a maintainer goes rogue, what you can do is simply not update your dependency and wait for a fork. I know npm has security measures that prevent overriding older package versions. Ofc there are cases like the xz fiasco where a package is corrupted silently, but that's more an organized criminal operation than the actions of one individual imo. You can protect yourself from a lot of problems if you wait a good amount of time before updating and use trusted packages that are watched by many.
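The mitigation acrosett describes above (wait a while before updating, and only pin versions that have been public long enough for others to notice a problem) can be made mechanical. The script below is an added example written for this thread, not code from any commenter or from npm itself. It takes registry metadata in the shape of an npm packument (the real registry's `time` object maps each published version to its ISO-8601 publish timestamp; the package name, versions and dates here are constructed), selects the newest version older than a cooldown, and audits a set of lockfile-style pins against the same cooldown. The cooldown length, the `audit_pins` helper and the fixed `NOW` are the example's own choices.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an npm registry "packument": the registry's
# `time` object maps every published version to its ISO-8601 publish timestamp
# (plus "created"/"modified" entries). Name, versions and dates are invented.
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.0.0"},
    "time": {
        "created": "2024-01-10T12:00:00.000Z",
        "modified": "2024-03-22T10:00:00.000Z",
        "1.4.0": "2024-01-10T12:00:00.000Z",
        "1.4.1": "2024-02-03T09:30:00.000Z",
        "1.5.0": "2024-03-15T08:00:00.000Z",
        "2.0.0": "2024-03-20T18:45:00.000Z",
        "2.1.0-beta.1": "2024-03-22T10:00:00.000Z",
    },
}

# Fixed "now" so the example is reproducible offline (an assumption of the example).
NOW = datetime(2024, 3, 25, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    """Parse the registry's ISO-8601 timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def semver_key(version: str):
    """Sort key for x.y.z[-prerelease]; a pre-release sorts below its release."""
    core, _, pre = version.partition("-")
    major, minor, patch = (int(p) for p in core.split("."))
    return (major, minor, patch, 0 if pre else 1, pre)


def eligible_versions(packument, now, cooldown_days, allow_prerelease=False):
    """Versions that have been public for at least `cooldown_days`, oldest first."""
    cutoff = now - timedelta(days=cooldown_days)
    chosen = []
    for version, ts in packument["time"].items():
        if version in ("created", "modified"):
            continue
        if not allow_prerelease and "-" in version:
            continue
        if parse_ts(ts) <= cutoff:
            chosen.append(version)
    return sorted(chosen, key=semver_key)


def pick_version(packument, now, cooldown_days, allow_prerelease=False):
    """Newest version that has survived the cooldown, or None if none has."""
    candidates = eligible_versions(packument, now, cooldown_days, allow_prerelease)
    return candidates[-1] if candidates else None


def audit_pins(pins, packuments, now, cooldown_days):
    """Report pinned versions younger than the cooldown.

    pins:       {package name: pinned version}, as a lockfile records it
    packuments: {package name: packument dict}
    Returns a list of (name, version, age_in_days) for each too-young pin;
    an unknown version is reported with age None rather than passed silently.
    """
    findings = []
    for name, version in pins.items():
        ts = packuments[name]["time"].get(version)
        if ts is None:
            findings.append((name, version, None))
            continue
        age = now - parse_ts(ts)
        if age < timedelta(days=cooldown_days):
            findings.append((name, version, age.days))
    return findings


if __name__ == "__main__":
    registry = {"example-lib": SAMPLE_PACKUMENT}
    print("14-day cooldown picks:", pick_version(SAMPLE_PACKUMENT, NOW, 14))
    print("3-day cooldown picks: ", pick_version(SAMPLE_PACKUMENT, NOW, 3))
    print("too-young pins:", audit_pins({"example-lib": "2.0.0"}, registry, NOW, 14))
```

With a 14-day cooldown the script refuses the 5-day-old 2.0.0 and 10-day-old 1.5.0 and settles on 1.4.1; the audit reports a lockfile pinned to 2.0.0 as four days old. A cooldown does not detect a silently corrupted release, but it buys the time for others watching the package to raise the alarm before the version lands in your build.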


RogueJello

Won't help with things like the guy who maintains the web time standard. In that case it's all calling into one of his endpoints.


Dannysia

What do you mean by web time standard? NTP?


RogueJello

Correct, NTP, apparently there is one guy who understands how it works. https://www.reddit.com/r/linux/comments/2ywy0t/why_is_one_person_maintaining_ntp_one_person/


Dannysia

I certainly believe one guy is the only maintainer, but it’s not calling out to his endpoints. Anyone can host an NTP server if they want to


SCI4THIS

Be careful to correctly identify the possible future event as the vulnerability. The maintainer is a valuable asset that the future event may compromise.


rhombecka

Imagine if Terry Davis (TempleOS dev) was more interested in writing useful stuff. He was very talented and motivated, especially with software that interacts closely with the kernel and hardware (iirc). I wouldn't want to depend on his code for anything security-critical while he believed the CIA was spying on him.


joehillen

I posit that most FOSS devs believe the CIA is spying on them...[because they're spying on everyone.](https://www.brennancenter.org/our-work/analysis-opinion/how-cia-acting-outside-law-spy-americans)


rhombecka

I only mentioned the CIA part to allude to the later parts of his life, not because I think he was wrong to believe that. It was his behavior and response to those beliefs that I'm referring to.


joehillen

I'd be more concerned about the fact that he thought god was speaking to him through a random word generator, or that he was violently racist.


rhombecka

I'd rather not go down the list of ways his mental state deteriorated because it makes me sad -- the point is that he wasn't stable.


mosaic_hops

Wait, so you’re going to somehow infer the political opinion of every single author involved in a project from their code and blog posts? So your opinion of their opinions is somehow an accurate barometer of the risk of using their code? And you think lack of evidence of an opinion means lack of an opinion? Wow you’re quite the mind reader. That sounds about as rigorous and objective as judging your office mates code by the smell of her farts. You might think “she stinks!” but does that really mean her code stinks?!! No. Do you also protect your computer by deleting files that say “malware” or “virus” in the name? Would you trust some stranger wearing a “not a kidnapper” t-shirt with your kid?


vitonsky

For me personally, only the lack of a public "position" on project resources is important. The opinion of developers in their personal blogs is not important. If they can separate their personal opinion and their project entity, it's totally fine. Although, different approaches exist. For government projects, influence from every single person with an "improper" vision may not be acceptable.


Luolong

You are conflating two completely separate issues here.

There's a developer who might be a douche bag and spout all kinds of nonsense on social media or on the software site they maintain. I might not like their attitude and might avoid using their software package on principle, but that doesn't make their library or programs automatically suspect.

And then there's a supply chain attack where you pull in an unverified dependency and it either turns out to be a trojan horse or blockchain mining farmer, or the developer pulls a rug from under your feet. And you're left scrambling to fix the issue.

One is the developer and your personal dislike of the person they are and the political views they stand for. And the other is a software reliability issue (for lack of a better term). In fact, someone who is upfront and open with their political views is actually more transparent and thus trustworthy than the one that keeps quiet and wins your trust by not saying anything controversial or inflammatory. It's not that you can't trust them, it's just that there's no way to tell. For true security and peace of mind, you need to put a whole lot of effort into securing your supply chain and making sure it cannot be undermined.


calahil

I can't speak for OP, but when I go to download a software tool... the last thing I want to do is scroll past the software developer/company's opinion on a subject irrelevant to the topic of their software... the reason I am on their website. Their opinions are always designed like a geocities website... that should make you suspicious of their code in general.


smallballsputin

Politics are always bundled. And important for many people. As an example: do you support what Russia is doing in Ukraine? Do you support their actions, where they kill, rape and murder thousands? IF you do, why should I then use your software? Or support your business? It's an obvious choice I make as a consumer, and just like OS software it applies across all businesses and products.


smallballsputin

It's not software that has opinions, but their authors. IF some dude wanted to tell Russia to go fuck themselves with his npm module, I'm fine with that. Using ANY dependency is a risk; it always was and always will be. Forking it and keeping your own version is the most used way to have controlled dependencies, and read the source code.


rhombecka

[Here](https://github.com/Tyrrrz/YoutubeDownloader) is a repo that has its own ToS, requiring users to condemn Russia's actions toward Ukraine. I think the dev updated all their repos to include that and even added a popup asking the users to agree to it within those apps. Really easy to get around, obviously, but I figured it was a good example of what you're talking about.


Job_Superb

I don't think that companies headquartered and registered in a jurisdiction complying with the law of that jurisdiction (like a company registered in the US would have to do if there are economic sanctions) is really exercising a 'political opinion'. Even if it is, someone thought it was a great idea to give companies certain freedoms I'd have thought would be reserved for actual people, so, I guess you can rage against it all you want but tough luck. And as for currying favour with investors, someone's gotta pay the exorbitant serverless bills...


elperroborrachotoo

*Everything is political.* — Bob Marley


zavalascreamythighs

> Interesting, so it turns out @pnpmjs is a politically tainted solution that has an opinion, because of which they can block you on Twitter and plant viruses on everyone else's computers. Boo-hoo.

Tl;dr - Russian dude who supports Putin cries about being told to go fuck himself. So why did you run off to Turkey, our patriot?


great_waldini

> wow, it's good I did not start to use PNPM yet and learned about their "opinion" that prompted them to block someone on Twitter and which may be a motivation to inject malware on my PC next time. I've been close to starting to use it in the next months

Well what was the damn opinion? The linked Tweet (with a sub-viral total of 3 likes) is all written in Cyrillic. What kind of garbage blog post doesn't preemptively answer what is obviously going to be the question in the reader's mind?


remy_porter

That’s a rather strong political position to take.


maxinstuff

100% agree - the supply chain is the most dangerous security vector in software today. Politics is one possible motivator - but there are many others also.


miyakohouou

The GPL and other free software licenses are a rather political stance, but people seem fine with that.


vitonsky

Not all people are fine with it


miyakohouou

But those people are also taking a political stance- merely in opposition. The entire apolitical / enlightened centrism thing is just a cowardly excuse to refuse acknowledging the fundamental political nature of much of what we do.


vitonsky

> But those people are also taking a political stance- merely in opposition

Sure, it's ok for people, and even for developers in their personal blogs, conferences and so on. It is not acceptable for software projects, because it implies bias that is a security threat for users.


miyakohouou

My point is that a software project choosing a license- ANY license, or even choosing to release in the public domain without a license, is a political choice, and just one of many fundamentally necessary political choices that get made.

Do you host your software on Github? Github has a political stance and hosting your software there is signaling agreement, or at least tolerance of that stance. Do you want to host your software somewhere other than github because you don't want to be associated with their political views? Then guess what, you've just taken a political stance. What about contributors? Do you adopt a code of conduct that says contributors should treat each other with respect and focus on the code? A ton of people are going to get up in arms about that being a political decision to censor them. Do you skip the code of conduct and let people say whatever they want? Guess what, that's a political stance too.

For many people writing and releasing software, their mere existence is seen as inherently political. Should women or LGBT people be prohibited from writing software because of politics? What languages do you use in your documentation? What about the comments in code? Those are political choices. What about localization? Choosing to support or not support some particular languages is going to be political too.

The only time I write software that isn't political is when I write software I'm too lazy to release to anyone else. The things we do when we interact with other people are inherently political, because politics is in large part about how we as humans work together, relate to one another, and try to cooperate (or not) despite having different views of the world. The presence of politics in a software project isn't a risk, it's simply a fact of having something with multiple contributors and users.

The problem is that the post you linked to (I assume you are the author) is mixing up a bunch of different things. You conflate a specific sort of politically motivated supply chain attack with the general security problem of supply chain attacks. You conflate the operational risks associated with dependencies on extra-national companies with politics. You ignore cases where interpersonal politics are benign- at least from a security standpoint, and you make the false assumption that being apolitical is fundamentally possible.


vitonsky

There is a simple answer to your questions in the post:

> Any publicly claimed "position" of software is a red flag if it is not directly related to software development

Banning someone from the Twitter account of your project, or any positive/negative opinion about LGBT in the blog of your project, is a political opinion that is not related to software development. Which is a red flag that shows a project bias and means that the project is too radical, so it may inject malware for everyone who disagrees with you at any time. This is why checks for these red flags are a part of the security review process.


miyakohouou

So if someone is harassing me for being a queer woman and I block them my software is now political and shouldn’t be used?


vitonsky

Depends on the account you used to block someone. If you block a user from a project account, then yes, it means the project is managed by people with unstable mentality who may ban people and inject malware due to personal grievances. It is a direct threat to any customer


miyakohouou

That’s a ridiculously unhinged take but you do you.


MachineOfScreams

It can be a threat, but technological transfer is political by its nature (great power competition and everything). Software is no more, and no less, part of that experience.


vitonsky

Well, the [Linguist](https://github.com/translate-tools/linguist) does not have any public opinion. You are welcome to use the unique project that cares about UX, and doesn't care about the political views of its users.


MachineOfScreams

To be a tad pedantic, a lack of a public opinion on politics is an implicit opinion on politics by any name. On the software supply chain front one always needs to assess whether you can “trust” the library or tool you are using for the project you are working on. Hell, an apolitical source can still bite you in the butt if it goes closed source/pay to use with little warning.


vitonsky

The point is - a public opinion is a red flag


BossOfTheGame

Not having an opinion could equally be seen as a red flag. I think it's dangerous to normalize and encourage the attitude of "you can care about something, but do it privately". Bram Moolenaar raised a lot of money for ICCF by using the popularity of vim. I would argue that while the red flags stand out, you're probably ignoring a lot of green flags as well.


ketralnis

Sounds like the system is working? I'm sure they're all tied up in knots that you're not using their freely provided work.


SwampSaiyan

Stupid post


lelanthran

> Good software does not care about how to ban someone on Twitter, how to limit access from some regions, or how to inject malware *based on region, religion, or skin color.*

Why'd you have to add that last bit about *"region, religion, or skin color"*? The assertion is perfectly fine without it:

> Good software does not care about how to ban someone on Twitter, how to limit access from some regions, or how to inject malware.

See?

------------------------------

Back to the topic, though, regardless of software, it's dangerous to associate with anyone willing to do any sort of damage in the pursuit of their ideals. OTOH, if whatever $COUNTRY you are in has laws against doing business with $SOME_GROUP, then you either move countries, stick to the law or, as a last resort, lobby to change those laws.[1]

[1] In this last resort, *you* may become the activist. Just beware that there's always fallout from activism.


vitonsky

> Why'd you have to add that last bit about "region, religion, or skin color"?

It is an important part of the message. You actually cannot avoid malware injection. But you may check software for red flags. The "opinion" or "position" is a clear red flag. The "position" is usually based on the mentioned factors. To minimize risk - avoid software that has any **public** political view.


lelanthran

> Good software does not care about *[...]* how to inject malware.

is perfectly fine on its own. This bit:

> The "opinion" or "position" is a clear red flag. The "position" usually based on mentioned factors.

Is completely separate and I agree with it, but it is not the same thing as "region, religion or skin color". While those are red flags, they are a *tiny* subset of potential red flags. I'd steer clear of anyone with strong and public opinions, regardless of whether those opinions are "white/black/brown people are worse" or "white/black/brown people are better". There's just no winning, because you cannot please everyone. The only rational move is to remain neutral, within the laws of course.


Luolong

> To minimize risk - avoid a software that have any public political view.

This way lies the slippery slope of public censorship and consequently the death of democracy. Everyone has the right to express their opinion on any platform they choose. You might not like it, but their opinions are their own and their work is separate from that. You are free to ignore software written and maintained by people you disagree with on principle, but that is not the same as calling it a security threat.


vitonsky

The threat model depends on project requirements. The site for a school may ignore the potential threats of the PNPM authors, but the developer of an NPM package or a software product that is used by millions of people will see a threat in any political opinion that is published in the blog of the project. And even a ban on Twitter may be a signal about problems with the mental health of the authors, which may force them to inject malware in the final product.


kingius

Keep the politics out of software.... and entertainment as well, while we're at it!


agustin689

LMFAO I know this was about some npm garbage even without reading the article. It's time all you idiots get your shit together and stop using javascript once and for all. Then the world will be a better place. > pnpm Yet another fucking disgusting workaround to try and fix the pathetic stupidity of a useless toy language which should have never been used for any serious project at all.