I came across an interesting blog about how an open source maintainer purposely "pulled the rug" by adding a security vulnerability to the code. This raised a lot of concern about how easily a single individual can bring down several systems and library in one single commit.

So if you don't want to go through the whole blog, a developer added an infinite loop into the npm project called colors. This project was widely used in several projects and other libraries. Some of the libraries that depend on this project were significant themselves as well. As you can see the damage affected several projects (including large corporations). The reason for this change was due to the maintainers frustration of large organizations using his free work without any recognition or pay.

The code below was the cause of the security vulnerability:

for (let i = 666; i < Infinity; i++;) {    
    if (i % 333) {        
        // console.log('testing'.zalgo.rainbow)    
    }
    // this is modified to fit the box, couple extra "testing"       
    // strings missing
    console.log('testing testing testing testing testing'.zalgo) 
}

Now that we can see how easily open source can be maliciously changed on a whim, I have several questions about it:

  • What do corporations do in response to this?
  • Should companies be responsible for paying open source or maintain their own version?
  • Should we trust open source software? I don't evaluate each and every library I use in my projects, I'm sure most of you don't either.
  • How can we adopt better security practices to co-exist with the open source world?
None
Question Mark | Credit: Damián Navas on Flickr (Creative Commons License)

I don't have the answer to any of these, but I want to discuss the potential reactions of companies that we all end up working at some point in our careers. Several large corporations have already taken the liberty of trying to create their own way of software, through the use of templating, framework, custom CICD and combination of technologies. Each company tries to fit every project into this mold, even if it doesn't fit the use case which is always a pain point for developer creativity. This is common at larger companies as being process-driven for the sake of "faster development".

However, within these projects open-source has been vital to ease development. If companies view this as a liability, what are they supposed to do? They can't use software that can be potentially vulnerable at any given time. This presents a huge risk especially when answering to stakeholders about outages and security incidents. The company can attempt to pay the developer and try to take ownership of the project, this leads to lack of access to open source. They can fork a copy of the project, but who maintains it? Are places willing to spend money to keep up with a project, do they even have the money?

I don't know what this exactly means if more open source projects start pay walling projects, or could trash the project. This could be a very bad turn for software development and bad for the developers. While each company tries to do things their own way, that means a developer only knows that companies way. If everything becomes one way, how can you transfer companies?

I hope to see open source respected properly, but software could take several steps back due to the clashes between open source community and corporations. A lot of ego and frustration seems to come up a lot in software (yes it's still real to this day), so I doubt anyone will come together easily. What I see the real danger of open source is the lack of embrace from everyone due to incidents like this.

Thanks for the read.