The OP
 

Refuse to get something for free. The author of the open source project deleted the library and ran away. Thousands of applications output garbled characters endlessly.

Source: Synced

“Do I need other people’s permission to delete my own open source project code?”

A few days ago, users of the open source libraries "faker.js" and "colors.js" turned on their computers and found that their applications were outputting garbled data. At that moment, they were stunned.

Even more shocking is that developers discovered that the one who caused this mess was Marak Squires, the author of "faker.js" and "colors.js".

Overnight, Marak Squires took the initiative to delete all the code in the "faker.js" and "colors.js" project repositories, causing the applications of thousands of developers who were using these two open source projects to crash.

"faker.js" and "colors.js"

The weekly download volume of faker.js on npm is close to 2.5 million, and the weekly download volume of colors.js is about 22.4 million. The impact of this deletion is extremely serious. Tools developed using these two projects include AWS CDK, etc.

If the amount of real data is far from enough when building and testing applications, then tools like Faker will help developers generate fake data. Faker.js is a Node.js library that can generate fake data for multiple fields, including addresses, businesses, companies, dates, finances, images, random numbers, names, etc.

Faker.js supports generating information in multiple languages, including English and Chinese, and contains a rich API. Previous versions were usually updated once a month. Faker.js can be used not only in server-side JavaScript, but also in browser-side JavaScript.

Now, all commit information of the faker.js project has been changed to "endgame". In the README, the author wrote this sentence: "What really happened with Aaron Swartz?"

Swartz was a prominent developer who helped found Creative Commons, RSS, and Reddit. In 2011, Swartz was accused of stealing files from the academic database JSTOR in order to make them freely accessible. Swartz committed suicide in 2013, and Squires' mention of Swartz may be referring to the mystery surrounding his death.

Marak Squires submitted malicious code to colors.js, added "a new American flag module", and then published it to GitHub and npm.

He then released faker.js 6.6.6 to GitHub and npm, both of which triggered the same destructive behavior. The destructive version caused the application to output an infinite stream of strange letters and symbols, starting with three lines of text that read "LIBERTY LIBERTY LIBERTY", followed by a series of non-ASCII characters:

Currently, colors.js has been updated to a usable version. The faker.js project has not been restored yet, and developers can only solve the problem by downgrading to the previous version 5.5.3.

To help resolve the issue, Squires also released an update on GitHub to address the "zalgo issue," which refers to glitchy text produced by corrupted files.

“We are aware of a zalgo bug in colors v1.4.44-liberty-2,” Squires wrote in a sarcastic tone. “We are working on resolving this issue right now and a solution will be available soon.”

Two days after pushing updates to faker.js, Squires tweeted that his GitHub account, which stored hundreds of projects, had been blocked. Squires released the latest commit to faker.js on January 4, was blocked on January 6, and did not push the "liberty" version of colors.js until January 7. However, judging from the update logs of faker.js and colors.js, his account seems to have been unblocked. It is not clear whether Squires' account has been blocked again.

The story doesn’t end there. A post Squires posted on GitHub in November 2020 was dug up, in which he wrote that he no longer wanted to do free work. “With all due respect, I no longer want to use my free work to support Fortune 500 (and other small companies) as an opportunity to send me a six-figure annual contract, or fork the project and get others involved.”

Squires' bold move draws attention to the ethical and financial plight of open source developers, which may be the target of Marak Squires' actions. A large number of websites, software, and applications rely on open source developers to create basic tools and components, all for free, and unpaid developers often work tirelessly to fix security issues in their open source software.

What developers think

“Deleting your own code from GitHub is a violation of their terms of service? WTF? This is kidnapping. We need to start decentralizing the hosting of free software source code,” said software engineer Sergio Gómez.

“Don’t know what happened, but I host all my projects on GitLab private instance, and never trust any ISP.”

Some netizens thought that the faker.js team's reaction was a bit exaggerated, and said: "No one will make a lot of money with a package that only generates some fake data. Faker.js does save developers some time in generating fake data, but we can also let interns write similar programs to generate data. This is not that important to the company."

Some even think that Marak’s behavior is impulsive and irrational, and they link it to the previous rumors that he “sold his house to buy NFTs”, and believe that Marak needs to learn to control his emotions:

This statement quickly led some netizens to erroneously view the project. Some people originally sympathized with the open source project being "freeloaded", but now believe that Marak deleted the library maliciously, and pointed out: "It is his right to stop maintaining his project or delete it completely, but it is wrong to deliberately submit harmful code."

Of course, some people are dissatisfied with the treatment of open source software (FOSS) developers: "I hope there will be relevant foundations to provide financial support to FOSS developers." The reliability and stability of the software are also crucial.

Some people said: Some big companies do not respect the copyright of open source projects, and abusing open source projects is absolutely unfair to FOSS developers. However, Marak's approach to faker.js is not desirable, not a positive example, and there are personal negative reasons for Marak.

What do you think about this?

This post is from Talking
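
As an added example (not part of the original post or of either project), the Node.js sketch below scans a parsed package-lock.json for the two releases the article names, faker 6.6.6 and colors 1.4.44-liberty-2, in both the flat and the nested lockfile layout. The lockfile contents are constructed, and `findFlagged` and `nameFromPath` are names chosen here.

```javascript
// Releases named in the article as producing the garbled output.
const FLAGGED = new Map([
  ["colors", ["1.4.44-liberty-2"]],
  ["faker", ["6.6.6"]],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (project root) -> null.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Return every install of a flagged version, including transitive ones.
// Handles flat "packages" (lockfileVersion 2/3) and nested "dependencies" (v1).
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const check = (name, version, where) => {
    if (name && (flagged.get(name) || []).includes(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || nameFromPath(path), meta.version, path);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail.concat(name).join(" > "));
        walk(meta.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/faker": { version: "5.5.3" },
  "node_modules/cli-tool/node_modules/colors": { version: "1.4.44-liberty-2" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  faker: { version: "6.6.6" },
  "cli-tool": { version: "2.0.0", dependencies: { colors: { version: "1.4.0" } } },
} };
console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

Against a real project, pass the result of `JSON.parse` on the lockfile's contents; a hit under a nested path means the package arrived as a transitive dependency, which pinning only the top-level entry in package.json would not catch.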

Latest reply published on 2022-1-15 09:42
 
 

2
 

Download to your own territory, only reliable

 
 
 

3
 

Nowadays, a lot of software is built on open source, and the software is becoming more and more complex and more and more interdependent.

 
 
 

4
 

At present, Arduino is still reliable

Allow players to update and maintain development resources and environments themselves

 
 
 

5
 

The purpose of open source is to improve everyone's technical capabilities. I can only say that if you completely rely on others to open source, you will always hurt yourself.


 
 
 
