NPM package event-source-polyfill compromised by political activists

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • EventSource

    a polyfill for http://www.w3.org/TR/eventsource/

  • > Cool story.

    Actually, "blacklists", "redlists" and many other "lists of undesirables" weren't cool at all. But every generation or so they unfortunately seem appealing again.

    > the list that they're discussing has actually existed for 30 years

    Where is this list? Who maintains it?

    OC certainly didn't know about it: "We should probably start an open source sanction list of individuals who abuse trust to ship malware"

    > When you commit a crime

    "crime"? Please link me to the law you think they broke.

    Here's the license: https://github.com/Yaffle/EventSource/blob/master/LICENSE.md

    > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED

    So, how is this a "crime"?

    > that knowledge never disappears in any country

    Not true in any country except maybe North Korea or some other authoritarian state. In any society with checks and balances, verdicts can be appealed, judgements reversed, records expunged and rights restored. This "undo" feature is pretty critical to any legitimate system of justice, as is "innocent until proven guilty". I didn't see any details about the rights of the accused in anyone's blacklisting proposals.

    > None of these address what happened in any way.

    Yes, it does. MIT licensed software is provided "AS IS, WITHOUT WARRANTY". If you don't like it you can fork it. If you're afraid of a bad commit, vendor it, which is a best practice anyway, for this exact use case.

    > Relatively easy for the rest of us to see.

    Our entire legal branch of government exists because these lines are never easy. Judges judge things all the time, and not uniformly. If everything were easy to see, we wouldn't need judges or juries. The interpretation of language or of an act on a case-by-case basis is where things get tricky.

    > The rest of us will act without you

    At this point I have way more questions:

    * Would you blacklist this contributor if they documented the Russian timezone popup as a feature in the package as the issue creator suggested (https://github.com/Yaffle/EventSource/issues/202#issuecommen...)?

    * What "test" would you apply to code to determine if the developer should be blacklisted or not? Would this blacklist only pertain to malware? Wikipedia (https://en.wikipedia.org/wiki/Malware) defines a few different malware categories: "Many types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper, and scareware." If the code doesn't fall into one of those categories (as is this case), under what circumstances might you still blacklist the developer?

    * If a maintainer stops maintaining their current library and says all future maintenance will be done on a new library, and that new library contains this Russian timezone popup code, would they be blacklisted?

    * Would it matter if the "bad code" was intentional or not? Or a joke or not? Or temporary or not? How would you determine the author's intent? Would they have a chance (or be obligated) to respond? Or would you only look at the impact of the code? If you look at the impact, under what conditions would a "bug" get you blacklisted?

    * Would you blacklist a developer for making a breaking change to a package? What if the breaking change was politically motivated?

    * Who runs and maintains the list? Does this list have an appeals process? What are the rights of the accused?

    * How will you disambiguate the list so as not to misconstrue "innocent" developers as blacklisted developers? Will you include their birth name? Social profiles? Emails? Addresses? How will you deal with name changes (someone gets married, or changes their name?), or new online handles?

    * What age and definition of a minor will you use? And will minors be given different treatment or excused from the blacklist?

    I could go on, but if you're serious about this idea, you'll probably want to communicate it in more detail because a "forever list of bad developers" sounds a lot like a "forever list of communists" or a "forever list of undesirables". If you're not going to make the same mistakes McCarthy (and others before him) did, then these details will be really important.

  • Gatsby

    The best React-based framework with performance, scalability and security built in.

  • The version was released 22 days ago. npm has a list of dependents: https://www.npmjs.com/browse/depended/event-source-polyfill.

    Gatsby is the big one, and it doesn't use a lockfile or pin the specific version, so any new installation will receive the bad version, but this package is only used in a development environment: https://github.com/gatsbyjs/gatsby/blob/441a5af8e665256c7703....

  • torsocks

    Library to torify application - NOTE: upstream has been moved to https://gitweb.torproject.org/torsocks.git

  • Reading the source, the compromise is on these lines in particular (https://github.com/Yaffle/EventSource/blob/de137927e13d8afac...).

    To experience the exploit, set your computer's timezone to any Russian timezone (e.g. asia/omsk) and paste this data URL into your URL bar:

    data:text/html;charset=utf-8,EventSource import "https://unpkg.com/[email protected]"

    In 15 seconds an alert window will open with a message which translates to:

    > On February 24, Russia attacked Ukraine.

    > The people of Ukraine are universally mobilized and ready to defend their country from enemy invasion. 91% of Ukrainians fully support their President Volodymyr Zelensky and his response to the Russian attack.

    > The whole world condemned the unjustified invasion and decided to impose unprecedented sanctions against Russia. With each new day, they will be felt more and more strongly among civilians.

    > At the same time, the Russian government restricts citizens' access to external information, planting one-sided formulations and versions of what is happening.

    > As a reliable source of information, download the secure Tor Browser:

    > https://www.torproject.org/

    > And visit:

    > https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6a...

    > Stop this senseless war! Stop war criminal Putin!

    After you dismiss the alert window, a new window will open with the page http://www.change.org/NetVoyne

  • CPython

    The Python programming language

  • It's not; parts of it are garbage, buggy code. How could things like this even have been merged initially? https://github.com/python/cpython/blob/main/Lib/imghdr.py
