Preface
The Open Source Software community is a large community. This community is responsible for making or maintaining a large number of projects and packages that are used the world over. Their importance cannot be overstated, and we must always recognize their contributions.
However, a string of recent... interesting events has led some developers to lose trust in a select few fellow Open Source developers. Instances of package corruption and even sudden removal have been seen. It may become important to take steps to safeguard projects against the corruption of intent in the packages we as developers rely on.
As a recent example, we can look to the so-called "protestware" npm package called peacenotwar. The goal of this package is to protest the invasion of Ukraine by the Russian Federation. The intentions are good, but most, if not all, developers, and especially all users of an application, would not want an unexpected text file appearing on their desktop. An example of this would be [email protected], which, when run, would execute the peacenotwar package and generate said text file. Doing some searching will reveal that the majority of UnityHub users were not happy to see this file. The most likely cause of this issue on UnityHub's side would be a possible reliance on the node-ipc package, which provides enhanced inter-process communication functionality to a Node application. For more information on this, see the following article and issues:
snyk.io: blog post related to both node-ipc and peacenotwar
Note, this list is NOT exhaustive, and only covers one instance of "dependency corruption". This list is meant as a starting-off point for your own independent research on what occurred. It can be safely ignored.
Why bring this up
The nature of this project for educational use demands that this project remain entirely neutral. It also demands that we as developers do not allow this project to be shipped with possible malware or software with undocumented or unwanted side effects. To solve this, we would essentially need to freeze all dependencies of this project to their currently installed versions and periodically review each version to see if an update is beneficial and has no negative consequences.
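The following is an added example (not code from this project or the original issue) of the two checks the freeze policy above implies: flag direct dependencies in package.json that are declared as ranges instead of exact versions, and walk package-lock.json (lockfile v2/v3 "packages" map) to show which direct dependency pulls in a watched package such as peacenotwar. The manifests and every version number below are constructed for the demo and are not the real node-ipc or peacenotwar versions.

```javascript
// Exact semver only: "10.0.0" passes; "^10.0.0", "~1.2.0", "*" and "latest" fail.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Direct dependencies whose spec is a range rather than a pinned version.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Look up a package's lock entry by its top-level node_modules path.
// Nested (non-deduped) installs are ignored here to keep the example short.
function lockEntry(lock, name) {
  return lock.packages[`node_modules/${name}`];
}

// Every dependency path from a direct dependency down to `target`.
function findDependencyPaths(lock, pkg, target) {
  const paths = [];
  const walk = (name, path, seen) => {
    if (seen.has(name)) return; // guard against dependency cycles
    const next = [...path, name];
    if (name === target) { paths.push(next); return; }
    const entry = lockEntry(lock, name);
    if (!entry) return;
    const nextSeen = new Set(seen).add(name);
    for (const dep of Object.keys(entry.dependencies || {})) walk(dep, next, nextSeen);
  };
  for (const name of Object.keys(pkg.dependencies || {})) walk(name, [], new Set());
  return paths;
}

// Constructed sample manifests (versions are placeholders, not real releases).
const samplePkg = { dependencies: { "node-ipc": "^10.0.0", "left-pad": "1.3.0" } };
const sampleLock = { packages: {
  "node_modules/node-ipc":    { version: "10.0.0", dependencies: { peacenotwar: "1.0.0" } },
  "node_modules/peacenotwar": { version: "1.0.0" },
  "node_modules/left-pad":    { version: "1.3.0" },
} };

console.log("unpinned:", findUnpinned(samplePkg));
console.log("paths to peacenotwar:", findDependencyPaths(sampleLock, samplePkg, "peacenotwar"));
```

On a real project, replace the sample objects with `JSON.parse(fs.readFileSync("package.json"))` and the lockfile equivalent; a non-empty result from either function is what the periodic review would act on.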
Important
This issue exists to document a possible future problem that this repository may or may not face. This is a student-led project and does not reflect the viewpoints of the University, the College, or the CS Department. This does not reflect the viewpoints of any developer of this project. The content contained in the links also does not reflect the viewpoints of any involved parties. The purpose is solely documentation for the other developers and future project developers.
If you are coming here to discuss the linked software and/or articles and not the project, your ability to comment on this project may be limited or revoked, depending on the circumstances and conduct. This issue has been locked to internal discussion only, in order to prevent any discussion not directly related to the project and its goals.