Marak / colors.js

get colors in your node.js console
https://github.com/Marak/colors.js

A Letter to the Maintainer #300

Closed AlenVelocity closed 2 years ago

AlenVelocity commented 2 years ago

Greetings @Marak,

I don't know if you'll ever see this, but I really want to make sure it's out there. I understand that things have been rough for you and not going the way you planned. I'm no internet police, but I know for a fact that what you're doing here is wrong. We get that you're mad at all of those Fortune 500s using your code without any funding for your project, and I totally agree. You deserve to be compensated for your hard work, but taking it out on this community is wrong. Look at all of the developers that use your stuff, look at the way they are developing! We're not all evil, we're not all bad guys. I hope that you can at least see that. So please, let's not drag this community down. Let's build it up.

Please stop bringing Aaron Swartz into this incident. He has nothing to do with this incident, so please let the man rest in peace. No, I'm not calling you out or anything, this is what I wanted to say. I'm an OSS developer myself and I love what I do. Please think this through, there are millions of people who depend on your work and support you. What GitHub and NPM did to you is bad, but there are much better ways of dealing with it. I'm sure once you calm down you'll look back and say: "My God, what have I done".

So yeah, I'm just a random guy on the internet, but I love open source. I hope you'll find a way to come back to the community. We need people like you.

Good luck.

Regards, Alen

rpv-tomsk commented 2 years ago

but I know for a fact that what you're doing here is wrong.

Marak is the owner. Here is his territory. He has the right to do whatever he pleases.

You want community? Do fork and build it.

JoernBerkefeld commented 2 years ago

get your shit together.

SheIITear commented 2 years ago

but I know for a fact that what you're doing here is wrong.

Marak is the owner. Here is his territory. He has the right to do whatever he pleases.

You want community? Do fork and build it.

Yeah agreed. If you want to depend on some code maintained by some dude who's not working for you, you should be prepared for it to be possibly gone someday.

I do agree with @AlenSaito1 that github and npm did some dickish move though by banning him from his own stuff.

AlenVelocity commented 2 years ago

but I know for a fact that what you're doing here is wrong.

Marak is the owner. Here is his territory. He has the right to do whatever he pleases.

You want community? Do fork and build it.

That is true, but you gotta think about the millions of users he took down with this.

bashunaimiroy commented 2 years ago

Disclaimer: I don't like volunteers' work getting stolen by billion dollar corps either.

Yeah agreed. If you want to depend on some code maintained by some dude who's not working for you, you should be prepared for it to be possibly gone someday.

While this is technically true, it alters the spirit of OSS dramatically.

Currently OSS exists because of the spirit of developers who are curious, helpful, creative, and working for the love of the craft and helping others.

Beginner developers see this and it inspires them to invest their energy (collaborate, fix bugs, share their software) in that same spirit. It happens seamlessly and beautifully. We teach by example.

If we tell those beginner developers "If you want to depend on some code maintained by some dude who's not working for you, you should be prepared for it to be possibly gone someday", and the example they see is one dev screwing over millions of users because of his personal goals, do you think they'd be inspired?

Yes, he's legally allowed. Yes, you're technically right. But we are on the verge of losing something beautiful for lack of understanding the spirit that makes it possible.

bartvanandel commented 2 years ago

but I know for a fact that what you're doing here is wrong.

Marak is the owner. Here is his territory. He has the right to do whatever he pleases.

You want community? Do fork and build it.

That doesn't help really, because forking the repo doesn't give you access to publishing the fix on the existing colors package in npm. This is not constructive.

bilal-08 commented 2 years ago

There's a chance for the forked repo to be distinguished among all these forked repos, and if you're gonna make another new repo and mention the user it's taken from and their maintained repo, blah blah, that's not the right thing you would feel in your heart. Contributing is good for both the main person and the contributor; you feel like you have people right beside you that keep the spirit and make the community bigger.

PS: I'm not good with English, I might have said something other than what I had in mind and you would understand something else, sorry for that.

TheFern2 commented 2 years ago

Everyone whining to Marak, and writing long letters. He's done what he did, and no one has any right to demand otherwise, he has his reasons, we should all respect them. The beauty of OSS is that you can use whatever version was working previously, fork it, or do whatever you please. Just use 1.4.0 or whatever version was stable, is that really hard to do?

That doesn't help really, because forking the repo doesn't give you access to publishing the fix on the existing colors package in npm. This is not constructive.

There's no need to fork or do anything, at least in the interim until this repo is fixed, or someone just makes another package.

npm install colors@1.4.0

karikera commented 2 years ago

it's not a duplicate of #289

RIAEvangelist commented 2 years ago

This is a simple problem with a simple solution, either build it yourself or use another lib. Leave the guy alone, this is within his rights according to the license.

Here is an alternative:

nozaki-colors https://github.com/RIAEvangelist/nozaki-colors

JoernBerkefeld commented 2 years ago

@RIAEvangelist - legally... maybe, I wouldn't even be so sure about it. Marak intentionally crashed thousands of projects, causing damages intentionally. End of story. He could have added a 1-line CLI output as a protest. He could have created a new major version that says F*** you to the OSS community. But he chose a patch version increase... leading lots of trusting users to fall for it.

AlenVelocity commented 2 years ago

I did respect Marak's decision initially. But now that I think about it, he could have just unpublished instead of screwing over everyone who used this package (https://github.com/Marak/colors.js/issues/285).

Marak gained a sizeable amount of followers and the community got punished, that's all this incident did, nothing more, nothing less. Also, don't you think it's a bit weird he's mad at corps using his code while meanwhile he's preaching "liberty"? Something to think about.

Issue Resolved

RIAEvangelist commented 2 years ago

@JoernBerkefeld as understandable as what you are feeling is, free code that comes without warranty has no guarantee.

It's a lesson we all have to learn about package management and why I write a lot of things myself.

It's a paradox of using someone else's code... Even if you know them, but especially when you don't.

That's not the first time something like this happened. I believe in 2015ish some similar thing happened with colors. It's just been long enough, and enough new devs have started without dev ops experience, that the lesson was relearned by the industry.

Package management all the way down.

volt-l18 commented 2 years ago

Greetings @Marak,

I don't know if you'll ever see this, but I really want to make sure it's out there. I understand that things have been rough for you and not going the way you planned. I'm no internet police, but I know for a fact that what you're doing here is wrong. We get that you're mad at all of those Fortune 500s using your code without any funding for your project, and I totally agree. You deserve to be compensated for your hard work, but taking it out on this community is wrong. Look at all of the developers that use your stuff, look at the way they are developing! We're not all evil, we're not all bad guys. I hope that you can at least see that. So please, let's not drag this community down. Let's build it up.

Please stop bringing Aaron Swartz into this incident. He has nothing to do with this incident, so please let the man rest in peace. No, I'm not calling you out or anything, this is what I wanted to say. I'm an OSS developer myself and I love what I do. Please think this through, there are millions of people who depend on your work and support you. What GitHub and NPM did to you is bad, but there are much better ways of dealing with it. I'm sure once you calm down you'll look back and say: "My God, what have I done".

So yeah, I'm just a random guy on the internet, but I love open source. I hope you'll find a way to

I did respect Marak's decision initially. But now that I think about it, he could have just unpublished instead of screwing over everyone who used this package (#285).

Marak gained a sizeable amount of followers and the community got punished, that's all this incident did, nothing more, nothing less. Also, don't you think it's a bit weird he's mad at corps using his code while meanwhile he's preaching "liberty"? Something to think about.

Issue Resolved

Well, I think if you are making any piece of code open source then you have to be prepared for consequences. Isn't the whole meaning of open source that someone else is gonna read it and take reference from it or even copy it? I don't think people should get offended by this since they made it open source of their own wish. (Note: I was disconnected from the community for the last one or two months because of college exams and stuff, so I don't exactly know what happened. I did hear about a big coder's code getting copied or something, so don't take this comment that seriously, ok people (OwO))

fa7ad commented 2 years ago

@AlenSaito1 no he couldn't just unpublish the package. NPM took away unpublishing power for all but the most useless packages after the left-pad debacle. Besides, npm already reverted (some of?) his changes and GitHub suspended his account.

TheFern2 commented 2 years ago

@AlenSaito1 no he couldn't just unpublish the package. NPM took away unpublishing power for all but the most useless packages after the left-pad debacle. Besides, npm already reverted (some of?) his changes and GitHub suspended his account.

See, Microsoft is already taking tons of power away from creators. But deep down I knew this would happen eventually.

TechStudent10 commented 2 years ago

@AlenSaito1 no he couldn't just unpublish the package. NPM took away unpublishing power for all but the most useless packages after the left-pad debacle. Besides, npm already reverted (some of?) his changes and GitHub suspended his account.

See, Microsoft is already taking tons of power away from creators. But deep down I knew this would happen eventually.

tbh big companies like MS and Google should just write their own packages and if they can't, pay OSS devs to use it, while us devs can support, or use it.

fa7ad commented 2 years ago

Not sure if this is the right place to discuss this and I'm not sure where exactly I saw this (likely twitter), I like the idea of a permissive license (like MIT) with an additional clause barring companies over a set amount of revenue ($1B or $100M seem like good options) from using the code for free. GPL is great but even small companies fear it like the plague, MIT/BSD/ISC are too permissive making it all too easy for mega corps to exploit unpaid volunteer labor.

CherryDT commented 2 years ago

I believe that as some others already pointed out, this sends the totally wrong message to 95% of the users of this library or OSS in general, and it damages the reputation of OSS as a whole. The effect surely won't be that big companies pay for Marak's software but rather that they stop using it (and possibly other OSS, causing a step back and more poorly-audited closed-source code running on computers in the long run). You can't use a permissive license and then complain about the effects of the permissiveness you yourself put into effect. If you want payment, put corresponding restrictions into the license. Many software vendors use such a dual-licensing system with great success. If you realize now that you should have done that earlier, then learn from the mistake and release the next update or the next project with a different license, and if the maintenance work on the existing library is draining you and you don't want to do it any longer, just stop maintaining it... Libraries get abandoned every day for various reasons, it's an everyday scenario that nobody would write home about, unlike the fallout we just experienced.

While I do agree that for example Retool's business conduct (according to Marak's account, at least) seemed questionable and I disapprove of it from a moral point of view, it was nonetheless legal and in line with faker's license from what I understood. For me complaining about not getting a six-figure paycheck after publishing code with a pure MIT license is as unwarranted as an all-you-can-eat restaurant denying me additional food after I already ate a lot. They can ban me from visiting the restaurant again (which any business owner can do without stating any reason), which would be the equivalent of changing the license to a more restrictive one starting with the next release, but they cannot stop me from continuing to eat after I was already permitted inside and didn't leave yet, otherwise it would be false advertising.

Also: I'm not a lawyer, but I would have thought that this act was a criminal offence, because of the Computer Fraud and Abuse Act (CFAA), in particular 18 U.S.C. § 1030(a)(5)(A) which covers "knowingly" taking any action that involves "the transmission of a program, information, code, or command" which causes "intentional damage without authorization" to a "protected computer" (that being a computer "used in or affecting interstate or foreign commerce or communication", commonly interpreted by courts as any computer with an Internet connection, or at least any webserver).

In my opinion, using an npm package in good faith cannot be considered giving the author authorization to do intentional damage, and with this act intentionally causing harm to not one but thousands of "protected computers", I personally would think that executing "npm publish" after such a malicious change would clearly constitute the "transmission of [...] code" causing such "intentional damage without authorization".

(That is, of course, assuming that US law applies to Marak, but I assumed so because of his references to the American flag etc. in the code he added.)

That said: I do understand the frustration and I can also empathize with someone who is in a bad place right now and outright desperate. I'm also not saying that what happened to Marak during the last year was okay, human-decency-wise speaking. I accept these things as explanation, but not as justification. Everything I wrote so far may sound very dry or even judging, but that's just because I look at the facts and voice my opinion and while I do that, I ignore the "human factor" for a moment. I know human emotions can be a beast, and I don't judge; I also sometimes did things that I later came to regret. I just don't think that what Marak did was right, especially since it hurt all the wrong people. Those big corporations to whom this was apparently directed probably asked some team of ten people to quickly scan through every code module they have and solve the problem (for instance by pinning the version to 1.4.0) and shrugged it off. We smaller developers on the other hand had a very bad day.

My two cents.

rufw91 commented 2 years ago

but I know for a fact that what you're doing here is wrong.

Marak is the owner. Here is his territory. He has the right to do whatever he pleases.

You want community? Do fork and build it.

You are absolutely right, he could force-commit a picture of his cat and it's still ok. If GitHub wants to ban him then they should also delete his repos.

rufw91 commented 2 years ago

I believe that as some others already pointed out, this sends the totally wrong message to 95% of the users of this library or OSS in general, and it damages the reputation of OSS as a whole. The effect surely won't be that big companies pay for Marak's software but rather that they stop using it (and possibly other OSS, causing a step back and more poorly-audited closed-source code running on computers in the long run). You can't use a permissive license and then complain about the effects of the permissiveness you yourself put into effect. If you want payment, put corresponding restrictions into the license. Many software vendors use such a dual-licensing system with great success. If you realize now that you should have done that earlier, then learn from the mistake and release the next update or the next project with a different license, and if the maintenance work on the existing library is draining you and you don't want to do it any longer, just stop maintaining it... Libraries get abandoned every day for various reasons, it's an everyday scenario that nobody would write home about, unlike the fallout we just experienced.

While I do agree that for example Retool's business conduct (according to Marak's account, at least) seemed questionable and I disapprove of it from a moral point of view, it was nonetheless legal and in line with faker's license from what I understood. For me complaining about not getting a six-figure paycheck after publishing code with a pure MIT license is as unwarranted as an all-you-can-eat restaurant denying me additional food after I already ate a lot. They can ban me from visiting the restaurant again (which any business owner can do without stating any reason), which would be the equivalent of changing the license to a more restrictive one starting with the next release, but they cannot stop me from continuing to eat after I was already permitted inside and didn't leave yet, otherwise it would be false advertising.

Also: I'm not a lawyer, but I would have thought that this act was a criminal offence, because of the Computer Fraud and Abuse Act (CFAA), in particular 18 U.S.C. § 1030(a)(5)(A) which covers "knowingly" taking any action that involves "the transmission of a program, information, code, or command" which causes "intentional damage without authorization" to a "protected computer" (that being a computer "used in or affecting interstate or foreign commerce or communication", commonly interpreted by courts as any computer with an Internet connection, or at least any webserver).

In my opinion, using an npm package in good faith cannot be considered giving the author authorization to do intentional damage, and with this act intentionally causing harm to not one but thousands of "protected computers", I personally would think that executing "npm publish" after such a malicious change would clearly constitute the "transmission of [...] code" causing such "intentional damage without authorization".

(That is, of course, assuming that US law applies to Marak, but I assumed so because of his references to the American flag etc. in the code he added.)

That said: I do understand the frustration and I can also empathize with someone who is in a bad place right now and outright desperate. I'm also not saying that what happened to Marak during the last year was okay, human-decency-wise speaking. I accept these things as explanation, but not as justification. Everything I wrote so far may sound very dry or even judging, but that's just because I look at the facts and voice my opinion and while I do that, I ignore the "human factor" for a moment. I know human emotions can be a beast, and I don't judge; I also sometimes did things that I later came to regret. I just don't think that what Marak did was right, especially since it hurt all the wrong people. Those big corporations to whom this was apparently directed probably asked some team of ten people to quickly scan through every code module they have and solve the problem (for instance by pinning the version to 1.4.0) and shrugged it off. We smaller developers on the other hand had a very bad day.

My two cents.

I disagree over whether his actions were illegal. The MIT license in particular absolves the dev of any wrongdoing in the use of said software.

CherryDT commented 2 years ago

I would have interpreted that as protecting from civil legal issues, not criminal ones. Nobody should be able to sue Marak for damages, yes, but that's a different thing. I don't think you can have a contract that says "I may murder you and go free" either.

But yeah, I'm not a lawyer and not even a US citizen, so I can't say for sure. That's just the explanation for why I thought it was illegal.

rufw91 commented 2 years ago

Yeah, in that light, I think it may be a criminal matter, but I doubt he would be prosecuted because it is a best practice not to update without testing.

CherryDT commented 2 years ago

I agree, and just to be clear, I'm not wishing him that either, that's not what I meant to say.

TheFern2 commented 2 years ago

Also: I'm not a lawyer, but I would have thought that this act was a criminal offence, because of the Computer Fraud and Abuse Act (CFAA), in particular 18 U.S.C. § 1030(a)(5)(A) which covers "knowingly" taking any action that involves "the transmission of a program, information, code, or command" which causes "intentional damage without authorization" to a "protected computer" (that being a computer "used in or affecting interstate or foreign commerce or communication", commonly interpreted by courts as any computer with an Internet connection, or at least any webserver).

Not a lawyer either, but it is going to be really hard to say a coloring library caused damages. I guess one could argue it was malware, but usually malware destroys/steals information with the intent of monetary gain. Also the license mentions AS IS. I doubt someone will get extradited for this, though it will be interesting to hear from a lawyer on this matter. While many might not like Marak's approach, for me it is quite eye-opening how broken the dependency tree is, how badly CI/CD is set up, and how maintainers get burned out daily. One thing is for sure, folks: keep your production packages locally, and stop relying on automatic updates.

RIAEvangelist commented 2 years ago

Legalese is tricky and can be manipulated in many ways really easily.

The real question is what would anyone gain from this other than beating down someone who is clearly hurting.

This is OSS. And it's just a colors module, lighten up and tell friends to stop being sloppy and start using explicit versions.

Plenty of blame to go around for all people not doing things right. If everything had an explicit version, nobody would have any issues at all.

It's free code get off it.

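A check for the advice given in this thread to use explicit versions (a patch-level publish reaches every project on a "^" range automatically, which is the point made about the patch version increase), as an added Node.js example that is not code from the colors.js project or from anyone in this thread; the sample manifest and every package name in it other than "colors" are constructed for the demonstration.

```javascript
// Added example, not from the colors.js project or anyone in this thread.
// Audits a package.json-style dependency map for ranges that would let a
// fresh `npm install` pull in a newly published patch (or minor) release on
// its own. Only exact versions, "~" and "^" ranges, and "*"/"latest" are
// modelled; anything else is reported as "unknown" so it gets looked at
// rather than assumed safe.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Would `spec` resolve to `candidate` on a fresh install?
// Returns true/false, or null when the spec shape is not one we model.
function rangeAccepts(spec, candidate) {
  const s = spec.trim();
  const c = parseVersion(candidate);
  if (!c || c.pre) return false;            // prereleases never match a plain range
  if (s === '*' || s === '' || s === 'latest') return true;
  const op = /^[\^~]/.test(s) ? s[0] : '';
  const base = parseVersion(s.slice(op.length));
  if (!base) return null;                   // e.g. ">=1.0.0", "1.x", git URLs
  if (op === '') return compare(c, base) === 0 && !base.pre;   // pinned exactly
  if (compare(c, base) < 0) return false;   // ranges never go below the base
  if (op === '~') return c.major === base.major && c.minor === base.minor;
  // caret: same major; for 0.y.z the minor is locked, for 0.0.z the patch too
  if (base.major > 0) return c.major === base.major;
  if (base.minor > 0) return c.major === 0 && c.minor === base.minor;
  return c.major === 0 && c.minor === 0 && c.patch === base.patch;
}

// One finding per dependency: would the very next patch release (x.y.z+1,
// a constructed hypothetical) be installed without any change to package.json?
function auditDependencies(deps) {
  return Object.entries(deps).map(([name, spec]) => {
    const base = parseVersion(spec.trim().replace(/^[\^~]/, ''));
    const nextPatch = base ? `${base.major}.${base.minor}.${base.patch + 1}` : null;
    const accepts = rangeAccepts(spec, nextPatch || '0.0.1');
    const status = accepts === null ? 'unknown' : accepts ? 'floating' : 'pinned';
    return { name, spec, nextPatch, status };
  });
}

// Names of dependencies that are not pinned (floating or unrecognised).
function reportFloating(deps) {
  return auditDependencies(deps)
    .filter((f) => f.status !== 'pinned')
    .map((f) => f.name);
}

// Constructed sample manifest; only "colors" is a real package name here.
const SAMPLE_DEPENDENCIES = {
  colors: '^1.4.0',                          // caret: a new 1.4.x or 1.5.x is taken automatically
  'example-pinned-lib': '1.4.0',             // exact: nothing new without an edit
  'example-tilde-lib': '~2.1.0',             // tilde: patch releases still come in
  'example-wildcard': '*',                   // anything at all
  'example-git-dep': 'github:someone/repo',  // not modelled, flagged for review
};

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.name.padEnd(20)} ${f.spec.padEnd(24)} -> ${f.status}`);
}
```

A pinned range in package.json only governs what a fresh resolve may choose; committing the lockfile and installing with `npm ci` is what makes the installed versions reproducible.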

TheFern2 commented 2 years ago

Legalese is tricky and can be manipulated in many ways really easily. The real question is what would anyone gain from this other than beating down someone who is clearly hurting. This is OSS. And it's just a colors module, lighten up and tell friends to stop being sloppy and start using explicit versions. Plenty of blame to go around for all people not doing things right. If everything had an explicit version, nobody would have any issues at all. It's free code get off it.

@RIAEvangelist Literally we can break the entire internet with one package. To me that's laughable.

Here's the list of things that went wrong off the top of my head:

Legality, and ethics aside, people have no one but to blame themselves for poor configurations.

RIAEvangelist commented 2 years ago

@TheFern2 ;)